
AWS PrivateLink for querying and publishing data

AWS PrivateLink enables you to establish a secure connection from your AWS virtual private cloud (VPC) to Imply Polaris using private IP addresses. When you query the Polaris endpoints through an AWS PrivateLink connection, the network traffic between your VPC and Polaris does not traverse the public internet.

This topic describes how to set up an AWS PrivateLink connection to query Polaris and to publish data to it from your VPC. This approach is not suitable for having Polaris consume data directly from an event stream.

The following diagram shows the AWS PrivateLink connection between AWS accounts:

AWS PrivateLink diagram

To use AWS PrivateLink, create a VPC endpoint in your VPC that points to the Polaris endpoint service and enable private DNS resolution. The resulting PrivateLink connection is unidirectional: Polaris acts as the service provider and your VPC endpoint acts as the service consumer, so connections can only be initiated from your VPC toward Polaris. Polaris cannot initiate connections into your VPC over this link.

Info: All traffic that flows through AWS PrivateLink incurs interface endpoint charges (an hourly charge per endpoint per Availability Zone plus a per-GB data processing charge). For information on interface endpoint pricing, see AWS PrivateLink pricing.

Prerequisites

Before you begin, ensure that both the enableDnsHostnames and enableDnsSupport attributes are enabled on your AWS VPC; private DNS for an interface endpoint does not work without them. Refer to the official AWS documentation on DNS attributes for more information.

You must register your AWS account with Polaris. Contact your Polaris account representative to add the 12-digit AWS account ID of the account that owns the VPC to the endpoint service's list of allowed principals. Until that account is on the list, AWS rejects any attempt to create a VPC endpoint for the Polaris service.

Create a VPC endpoint

Follow these steps to create a VPC endpoint that points to the Polaris VPC endpoint service:

  1. Follow the AWS PrivateLink documentation to create an interface endpoint. Select the following options:

    • Under Service category, select Other endpoint services.
    • Under Service name, enter one of the following options. Choose the option that corresponds to your Polaris region.
      • us-east-1: com.amazonaws.vpce.us-east-1.vpce-svc-039b4f94de23941a5
      • us-west-2: com.amazonaws.vpce.us-west-2.vpce-svc-064092a822fcd1165
      • ap-south-1: com.amazonaws.vpce.ap-south-1.vpce-svc-0f24e4d0edee52ef0
      • eu-central-1: com.amazonaws.vpce.eu-central-1.vpce-svc-065ca11246888c410
      • eu-west-1: com.amazonaws.vpce.eu-west-1.vpce-svc-0296d091e44fb7eb2

    This creates a VPC endpoint in the pendingAcceptance state. Interface endpoints are regional, so create the endpoint in the same AWS region as the service name you selected. Attach a security group to the endpoint that allows inbound TCP 443 from the clients that will query Polaris; the endpoint's network interfaces drop any traffic the security group does not allow.

  2. Contact your Polaris representative to approve the connection request. Polaris must accept your connection request to grant your VPC endpoint access to Polaris services. After Polaris accepts the request, the VPC endpoint enters the Available state.

Enable private DNS names

You must enable a private DNS name to access the Polaris endpoint service. With private DNS enabled, AWS serves the Polaris hostname from an AWS-managed Route 53 private hosted zone associated with your VPC, so inside the VPC the hostname resolves to the private IP addresses of the endpoint's network interfaces instead of public addresses. These records are visible only from the associated VPC, not from the public internet. Because the hostname itself does not change, existing clients and their TLS certificate validation keep working.

Follow the AWS PrivateLink documentation to enable private DNS names for your VPC endpoint. Once the change completes, the status in the AWS console will change to Available.

At this point, you can access Polaris from your VPC.
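The two procedures above (create the endpoint, wait for Polaris to accept it, then enable private DNS) as one AWS CLI script. This is an added example, not Imply's code or tooling: it assumes a configured AWS CLI with permissions for the ec2 calls shown, and the function names, the argument order and the placeholder IDs are this example's own. The service names are the ones listed above; the API reports the accepted state as lowercase "available".

```shell
#!/usr/bin/env bash
# Added example (not Imply's code): provision a Polaris interface endpoint,
# wait for Polaris to accept it, then enable private DNS on it.
set -eu

# Polaris endpoint service names listed on this page, keyed by AWS region.
service_name_for_region() {
  case "$1" in
    us-east-1)    echo com.amazonaws.vpce.us-east-1.vpce-svc-039b4f94de23941a5 ;;
    us-west-2)    echo com.amazonaws.vpce.us-west-2.vpce-svc-064092a822fcd1165 ;;
    ap-south-1)   echo com.amazonaws.vpce.ap-south-1.vpce-svc-0f24e4d0edee52ef0 ;;
    eu-central-1) echo com.amazonaws.vpce.eu-central-1.vpce-svc-065ca11246888c410 ;;
    eu-west-1)    echo com.amazonaws.vpce.eu-west-1.vpce-svc-0296d091e44fb7eb2 ;;
    *) echo "unsupported Polaris region: $1" >&2; return 1 ;;
  esac
}

# Poll a state-reporting command until it prints the wanted state.
# $1 wanted state, $2 max polls, $3 seconds between polls, rest: the command.
wait_for_state() {
  local want=$1 tries=$2 delay=$3; shift 3
  local i=0 state=""
  while [ "$i" -lt "$tries" ]; do
    state=$("$@")
    [ "$state" = "$want" ] && return 0
    i=$((i + 1))
    sleep "$delay"
  done
  echo "gave up waiting for state '$want' (last seen: '$state')" >&2
  return 1
}

# $1 Polaris region, $2 VPC ID, $3 space-separated subnet IDs, $4 security
# group ID for the endpoint, $5 CIDR of the clients that will query Polaris.
setup_polaris_endpoint() {
  local region=$1 vpc_id=$2 subnet_ids=$3 sg_id=$4 client_cidr=$5
  local service vpce_id
  service=$(service_name_for_region "$region")

  # The endpoint's ENIs only accept what their security group allows.
  # (This call fails if an identical rule already exists.)
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
      --protocol tcp --port 443 --cidr "$client_cidr"

  # The endpoint starts in pendingAcceptance; creation itself is rejected
  # if this account is not on the service's allowed principals list.
  # shellcheck disable=SC2086
  vpce_id=$(aws ec2 create-vpc-endpoint --vpc-id "$vpc_id" \
      --vpc-endpoint-type Interface --service-name "$service" \
      --subnet-ids $subnet_ids --security-group-ids "$sg_id" \
      --query 'VpcEndpoint.VpcEndpointId' --output text)
  echo "created $vpce_id in pendingAcceptance; ask your Polaris representative to accept it"

  # Poll (up to an hour here) until Polaris has accepted the request.
  wait_for_state available 120 30 aws ec2 describe-vpc-endpoints \
      --vpc-endpoint-ids "$vpce_id" --query 'VpcEndpoints[0].State' --output text

  # Only now enable private DNS, so the Polaris hostname resolves to the endpoint.
  aws ec2 modify-vpc-endpoint --vpc-endpoint-id "$vpce_id" --private-dns-enabled
  echo "private DNS enabled on $vpce_id"
}

# Usage (placeholder IDs):
#   setup.sh us-east-1 vpc-0123456789abcdef0 "subnet-0a subnet-0b" sg-0123456789abcdef0 10.0.0.0/16
if [ $# -eq 5 ]; then setup_polaris_endpoint "$@"; fi
```

Pass at least two subnets in different Availability Zones so the endpoint gets a network interface in each; the hourly endpoint charge applies per AZ.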

Validate connectivity

To validate connectivity through AWS PrivateLink, run the following nslookup command from an instance within your VPC (nslookup takes a hostname, not a URL):

nslookup ORGANIZATION_NAME.REGION.CLOUD_PROVIDER.api.imply.io

The addresses returned must be private IP addresses inside your VPC's CIDR range, one per endpoint network interface. If you see public IP addresses, private DNS is not in effect for this VPC and your traffic is still taking the public path.

Replace the following:

  • ORGANIZATION_NAME: The organization name in the custom domain through which you access Polaris.
  • REGION: The cloud region of your Polaris project.
  • CLOUD_PROVIDER: The cloud service provider for your Polaris infrastructure.

To test network connectivity with curl, run the following command from an instance within your VPC:

curl -v https://ORGANIZATION_NAME.REGION.CLOUD_PROVIDER.api.imply.io

In the verbose output, confirm that curl connected to one of the private endpoint addresses and that the TLS handshake completed. The hostname does not change, so the server certificate validates exactly as it does over the public path; an HTTP error status from the root path is expected and does not indicate a connectivity problem.
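The same validation as a script that fails loudly instead of leaving you to eyeball the output: it resolves the hostname, checks every answer against your VPC CIDR, then checks the address curl actually connected to. This is an added example rather than anything from the Imply docs; the function names and the sample CIDR are this example's own, and it assumes getent and curl on the instance.

```shell
#!/usr/bin/env bash
# Added example (not Imply's code): verify the Polaris hostname resolves to,
# and curl connects to, addresses inside the VPC rather than public IPs.
set -eu

# Dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit status 0 when address $1 lies inside the CIDR block $2 (e.g. 10.0.0.0/16).
ip_in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/}
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Check every address in "$@" against the CIDR; report any that is outside it.
all_in_cidr() {
  local cidr=$1 ip bad=0; shift
  for ip in "$@"; do
    if ip_in_cidr "$ip" "$cidr"; then
      echo "ok    $ip is inside $cidr"
    else
      echo "ALERT $ip is outside $cidr: resolution is not going to the endpoint" >&2
      bad=1
    fi
  done
  return "$bad"
}

# End-to-end check from an instance in the VPC: the DNS answers first, then the
# address curl actually connected to. The TLS handshake must succeed too; the
# hostname is unchanged, so Polaris's certificate validates as usual.
validate_privatelink() {
  local host=$1 cidr=$2 ips remote
  ips=$(getent ahostsv4 "$host" | awk '{ print $1 }' | sort -u)
  [ -n "$ips" ] || { echo "no IPv4 answers for $host" >&2; return 1; }
  # shellcheck disable=SC2086
  all_in_cidr "$cidr" $ips || return 1
  # curl exits non-zero on DNS/TCP/TLS failure; an HTTP error status is fine here.
  remote=$(curl -sS -o /dev/null -w '%{remote_ip}' "https://$host/")
  if ip_in_cidr "$remote" "$cidr"; then
    echo "ok    curl connected to $remote through the interface endpoint"
  else
    echo "ALERT curl connected to $remote, outside $cidr" >&2
    return 1
  fi
}

# Usage: validate.sh ORGANIZATION_NAME.REGION.CLOUD_PROVIDER.api.imply.io 10.0.0.0/16
if [ $# -eq 2 ]; then validate_privatelink "$1" "$2"; fi
```

Run it from the same subnets your Polaris clients use; a resolver or a hosts-file override on a bastion can give a different answer from what the application instances see.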

Connect from additional regions

You can use AWS PrivateLink to query Polaris from regions not supported by Polaris. The following steps show you how to access Polaris from a VPC in a different region.

  1. Create a VPC endpoint in a supported Polaris region (the requester VPC).

  2. Follow the AWS documentation to create an inter-Region VPC peering connection. The VPC peering connection request must originate from the Polaris supported region.

    • Ensure that the routing between the two VPCs is set up. Follow the AWS documentation to add a route to the route tables associated with the subnets for both VPCs.
    • Confirm that the hosts in the accepter VPC are allowed through the security group for the requester VPC endpoint in the supported Polaris region.
  3. Follow AWS documentation to enable DNS resolution for queries from the peer VPC.

  4. In the requester VPC, resolve the ORGANIZATION_NAME.REGION.CLOUD_PROVIDER.api.imply.io DNS name to its IP addresses. These should be the internal IP addresses of the requester VPC endpoint.

  5. Follow the AWS documentation to create a new Route 53 private hosted zone associated with the accepter VPC. Name the zone after the full Polaris hostname (ORGANIZATION_NAME.REGION.CLOUD_PROVIDER.api.imply.io) rather than a parent such as api.imply.io: a private hosted zone overrides public resolution for every name beneath it in the associated VPC, so a broader zone would break other names in that domain.

  6. Create an A record for the ORGANIZATION_NAME.REGION.CLOUD_PROVIDER.api.imply.io DNS name whose values are the internal IP addresses from Step 4, one value per endpoint network interface.

You should now be able to query Polaris through AWS PrivateLink from the second VPC. Validate it the same way as from the requester VPC: from an instance in the accepter VPC, the hostname must resolve to the requester VPC endpoint's private IP addresses, and curl must connect to one of them over the peering connection.
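Steps 4 to 6 as an AWS CLI script: it reads the endpoint's ENI addresses from the requester region, creates the narrow private hosted zone for the accepter VPC, and upserts one A record with all endpoint addresses as its values. This is an added example and not Imply's tooling; it assumes a configured AWS CLI with ec2 and route53 permissions, and the function names, the record TTL of 60 seconds and the placeholder IDs are this example's choices.

```shell
#!/usr/bin/env bash
# Added example (not Imply's code): publish the requester VPC endpoint's private
# IPs into a Route 53 private hosted zone attached to the accepter (peered) VPC.
set -eu

# Step 4: private IPv4 addresses of the interface endpoint's network interfaces.
endpoint_private_ips() {
  local vpce_id=$1 enis
  enis=$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$vpce_id" \
           --query 'VpcEndpoints[0].NetworkInterfaceIds' --output text)
  # shellcheck disable=SC2086
  aws ec2 describe-network-interfaces --network-interface-ids $enis \
      --query 'NetworkInterfaces[].PrivateIpAddress' --output text | tr '\t' '\n'
}

# Step 6 payload: one A record for NAME whose values are every endpoint IP, so
# clients in the peer VPC spread across the endpoint's ENIs like local ones do.
build_change_batch() {
  local name=$1 ttl=$2 records="" ip; shift 2
  for ip in "$@"; do
    records="${records:+$records,}{\"Value\":\"$ip\"}"
  done
  [ -n "$records" ] || { echo "no endpoint IPs given" >&2; return 1; }
  printf '{"Comment":"Polaris PrivateLink via peered VPC","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","TTL":%s,"ResourceRecords":[%s]}}]}\n' \
    "$name" "$ttl" "$records"
}

# Step 5: a private zone named after the Polaris hostname itself. A zone named
# api.imply.io would shadow every other name under it for this VPC.
create_peer_zone() {
  local host=$1 vpc_region=$2 vpc_id=$3
  aws route53 create-hosted-zone --name "$host" \
      --vpc "VPCRegion=$vpc_region,VPCId=$vpc_id" \
      --hosted-zone-config PrivateZone=true \
      --caller-reference "polaris-privatelink-$(date +%s)" \
      --query 'HostedZone.Id' --output text
}

# $1 Polaris hostname, $2 requester VPC endpoint ID, $3 accepter VPC region,
# $4 accepter VPC ID.
publish_endpoint_records() {
  local host=$1 vpce_id=$2 vpc_region=$3 vpc_id=$4 ips zone_id
  ips=$(endpoint_private_ips "$vpce_id")
  zone_id=$(create_peer_zone "$host" "$vpc_region" "$vpc_id")
  # shellcheck disable=SC2086
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
      --change-batch "$(build_change_batch "$host" 60 $ips)"
  # shellcheck disable=SC2086
  echo "zone $zone_id: $host ->" $ips
}

# Usage (placeholder IDs):
#   peer-dns.sh ORGANIZATION_NAME.REGION.CLOUD_PROVIDER.api.imply.io vpce-0123456789abcdef0 eu-north-1 vpc-0123456789abcdef0
if [ $# -eq 4 ]; then publish_endpoint_records "$@"; fi
```

The endpoint's ENI addresses are fixed for the life of the endpoint, but if you ever recreate it, rerun the record step (it is an UPSERT) or the peer VPC silently keeps pointing at dead addresses.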