Centralized third-party connectivity in AWS: Architecture patterns for highly regulated environments

This article provides architectural guidance for securely connecting third-party services in AWS for highly regulated environments, emphasizing centralized network architecture with mandatory traffic inspection.

• Centralized DMZ VPC separates third parties from workloads with mandatory inspection between them
• Traffic inspection options: in-line DMZ inspection or reuse existing east-west inspection infrastructure
• Authentication methods: mutual TLS (mTLS), OAuth 2.0, and OpenID Connect at load balancer or application layer
• DNS options: public hosted zone with private IPs, private hosted zone with VPC association, or Route 53 Global Resolver
• Ingress patterns: PrivateLink (scalable, unidirectional), Direct Connect/VPN (bidirectional), VPC Lattice (HTTP/HTTPS/gRPC only)
• Egress patterns: route workload traffic through DMZ inspection before reaching third-party services
• Transit patterns: Transit Gateway or Cloud WAN for full bidirectional connectivity with trusted partners
• Automate provisioning to scale beyond handful of third parties without manual ticket filing

Choose patterns based on scale requirements, protocol support, bidirectional needs, and inspection requirements. Start with centralized DMZ, add inspection, then automate provisioning for repeatable onboarding.