I'm trying to get a deeper understanding of traffic flows and routing in different scenarios when resources in a VPC are communicating with one another and with AWS Services. I recently came across this FAQ in the AWS docs and it threw a small wrench in my understanding:
Q. Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint?
No. When using public IP addresses, all communication between instances and services hosted in AWS use AWS's private network. Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions.
Scenario 1: EC2 Instance <> EC2 Instance, Same VPC: Public IP Communication
It was my understanding that if two EC2 instances in the same VPC are communicating with one another via public IP addresses, the traffic will exit the VPC and traverse the "public internet", but maybe that doesn't mean outside of AWS's private network based on the FAQ above? Does anyone know at a deeper level what sort of exposure there is in this case, security-wise? What does exiting the VPC really mean in terms of exposure and risks?
Scenario 2: EC2 Instance <> AWS Services Communication
I know AWS PrivateLink is used to "securely" connect to AWS Services from within a VPC. The following is taken from the docs regarding using PrivateLink and RDS:
Your instances also don't need public IP addresses to use any of the available RDS API operations. Traffic between your VPC and Amazon RDS doesn't leave the Amazon network.
Now, based on the first FAQ above, it seems that when instances within a VPC are communicating with AWS Services via public endpoints/IPs (i.e. without PrivateLink interface endpoints) that traffic should never leave the Amazon network, but the PrivateLink docs make it seem like the VPC traffic does possibly leave the Amazon network at some point if not using those interface endpoints?
--
I'm hoping someone can provide some clarity here as it seems like I need just a few more details to make everything click for me. I guess my concern/lens is focused on security and what sort of exposure there is / additional risk there is in each of the scenarios presented. What does traffic leaving the VPC really mean if it's all destined for the Amazon network at the end of the day? What are the risks of traffic leaving the VPC? Is it mostly a concern of denial of service or the possibility of people sniffing the traffic? Or something else? I know it probably depends on the threat model, but I'm curious what others are thinking about here in terms of risks/concerns.
Feel free to share any documentation/papers you found useful in understanding these things. The AWS docs seem a bit conflicting to me (or maybe they just don't go deep enough as it's getting into their secret sauce) so hoping there are some people that have done deeper dives in these areas and published something. I know there are lots of questions and concepts tied into this discussion so let me know if I can clarify/simplify my post above. Thanks in advance!
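As an added illustration of the routing decision behind both scenarios (this is example code, not part of the original post or any AWS tooling): a VPC route table is resolved by longest-prefix match, so whether a flow stays "local", hits a VPC endpoint, or goes out the internet gateway depends only on the destination address the instance ends up sending to. The route table, prefix list and endpoint addresses below are constructed sample data in the shape of describe_route_tables / describe_prefix_lists output, with hypothetical resource ids.

```python
import ipaddress

# Constructed sample main route table (hypothetical ids, not real resources).
ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"},
    {"DestinationPrefixListId": "pl-s3example", "GatewayId": "vpce-gw-s3example"},
]
# Constructed prefix-list contents for a gateway endpoint (real values come from describe_prefix_lists).
PREFIX_LISTS = {"pl-s3example": ["52.216.0.0/15"]}
# Constructed: an interface endpoint ENI address that private DNS would hand back for the RDS API.
INTERFACE_ENDPOINT_IPS = {"rds": "10.0.1.25"}


def resolve_path(dst_ip, routes=ROUTES, prefix_lists=PREFIX_LISTS):
    """Longest-prefix match dst_ip against the route table; classify the next hop."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_gw = None, None
    for route in routes:
        if "DestinationCidrBlock" in route:
            cidrs = [route["DestinationCidrBlock"]]
        else:  # prefix-list route (gateway endpoint): expand to its member CIDRs
            cidrs = prefix_lists[route["DestinationPrefixListId"]]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_gw = net, route["GatewayId"]
    if best_gw is None:
        return "no-route"
    if best_gw == "local":
        return "local"            # never leaves the VPC
    if best_gw.startswith("vpce-"):
        return "vpc-endpoint"     # gateway endpoint inside the VPC, no public IP needed
    if best_gw.startswith("igw-"):
        return "internet-gateway"  # exits the VPC; source is NATed to the instance's public IP
    return "other"


def service_path(service, resolved_ip, endpoint_ips=INTERFACE_ENDPOINT_IPS):
    """Scenario 2: the same API name routes differently depending on what DNS returned."""
    if endpoint_ips.get(service) == resolved_ip:
        return "interface-endpoint (local ENI)"
    return resolve_path(resolved_ip)


if __name__ == "__main__":
    print("peer via public IP:", resolve_path("54.0.0.1"))       # scenario 1
    print("RDS via public endpoint:", service_path("rds", "54.0.0.2"))
    print("RDS via PrivateLink:", service_path("rds", "10.0.1.25"))
```

Running it shows the point behind the question: the peer-instance public IP and the public RDS endpoint both fall under 0.0.0.0/0 and leave the VPC through the internet gateway, while the PrivateLink and gateway-endpoint paths never do.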