UNCLASSIFIED - NO CUI

Explore the possibility of using AWS PrivateLink for API connections

The current Istio configuration requires numerous CIDR ranges to be added that can be subject to change. This adds hundreds of lines to values.yaml and may require unexpected maintenance in the future to keep the list current.

Instead of updating network policies with AWS IP ranges manually, we would like to explore the possibility of using AWS PrivateLink to provide direct, predictable API endpoints within the VPC. Not only will this keep these requests from crossing the public internet, it will also reduce the amount of configuration necessary within the Helm chart.
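An added example (not part of this issue or the project's chart) covering the two sides of the proposal: extracting the per-service CIDR list that currently has to be copied into values.yaml from ip-ranges.json, and checking that a service hostname resolves to addresses inside the VPC once an interface endpoint with private DNS is in place. The ip-ranges excerpt, the VPC CIDR and the resolved addresses are constructed sample values.

```python
"""Checks behind the 'CIDR list vs. PrivateLink' discussion.

Constructed sample data only; the real file is published by AWS at
https://ip-ranges.amazonaws.com/ip-ranges.json and is not fetched here.
"""
import ipaddress
import json

# Constructed excerpt in the shape of AWS's ip-ranges.json (values are illustrative).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "52.216.0.0/15", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "3.5.0.0/19", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "52.92.16.0/20", "region": "us-west-2", "service": "S3"},
        {"ip_prefix": "3.5.0.0/19", "region": "us-east-1", "service": "AMAZON"},
    ],
})


def service_cidrs(ip_ranges_json: str, service: str, region: str) -> list[str]:
    """Sorted, de-duplicated IPv4 prefixes for one service in one region.

    This is the list that lands in values.yaml today; each syncToken change can
    add or remove entries, which is the maintenance cost the issue describes.
    """
    data = json.loads(ip_ranges_json)
    cidrs = {
        p["ip_prefix"]
        for p in data["prefixes"]
        if p["service"] == service and p["region"] == region
    }
    return sorted(cidrs, key=lambda c: ipaddress.ip_network(c))


def resolves_inside_vpc(resolved_ips: list[str], vpc_cidr: str) -> bool:
    """True when every address the hostname resolved to lies in the VPC CIDR.

    With an interface endpoint and private DNS enabled the service hostname
    resolves to endpoint ENI addresses in the VPC; a public address means the
    request still leaves via the internet/NAT path. (A gateway endpoint keeps
    public addresses and is verified via route tables instead, not via DNS.)
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    return bool(resolved_ips) and all(
        ipaddress.ip_address(ip) in vpc for ip in resolved_ips
    )


if __name__ == "__main__":
    print(service_cidrs(SAMPLE_IP_RANGES, "S3", "us-east-1"))
    print(resolves_inside_vpc(["10.0.12.34"], "10.0.0.0/16"))
```

Inside a cluster, `resolved_ips` can be taken from `socket.getaddrinfo` for the service hostname from a pod, which turns the second function into a quick post-deployment check.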

Additional Resources:
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#private-dns-s3
https://aws.amazon.com/blogs/aws/subscribe-to-aws-public-ip-address-changes-via-amazon-sns/
https://karpenter.sh/docs/getting-started/getting-started-with-karpenter/#private-clusters

Edited by Christopher Nowicki