Create an AWS PrivateLink connection

AWS PrivateLink enables you to establish a secure connection from your AWS virtual private cloud (VPC) to Imply Polaris using private IP addresses. When you query the Polaris endpoints through an AWS PrivateLink connection, the network traffic between your VPC and Polaris does not traverse the public internet.

To use AWS PrivateLink, create a VPC endpoint in your VPC that points to the Polaris endpoint service and enable private DNS resolution. The resulting PrivateLink connection is unidirectional with Polaris acting as the service provider and your VPC endpoint acting as the service consumer.

Traffic that flows through the AWS PrivateLink connection incurs interface endpoint charges. For information on interface endpoint pricing, see AWS PrivateLink pricing.

Prerequisites

Before you begin, ensure that your AWS VPC has both enableDnsHostnames and enableDnsSupport attributes enabled. Refer to the official AWS documentation on DNS attributes for more information.

You must register your AWS account with Polaris. Contact your Polaris account representative to add the 12-digit AWS Account ID of the account containing the VPC to the list of allowed principals.

Create a VPC endpoint

Follow these steps to create a VPC endpoint that points to the Polaris VPC endpoint service:

  1. Follow the AWS PrivateLink documentation to create an interface endpoint. Select the following options:

    • Under Service category, select Other endpoint services.
    • Under Service name, enter one of the following options. Choose the option that corresponds to your Polaris region.
      • us-east-1: com.amazonaws.vpce.us-east-1.vpce-svc-039b4f94de23941a5
      • eu-central-1: com.amazonaws.vpce.eu-central-1.vpce-svc-065ca11246888c410

    This creates a VPC endpoint in the pendingAcceptance state.

  2. Contact your Polaris representative to approve the connection request. Polaris must accept your connection request to grant your VPC endpoint access to Polaris services. After Polaris accepts the request, the VPC endpoint enters the Available state.

Enable private DNS names

You must enable a private DNS name to access the Polaris endpoint service. Private DNS names are created in AWS-managed Route 53 private hosted zones and are not publicly resolvable.

Follow the AWS PrivateLink documentation to enable private DNS names for your VPC endpoint. Once the change completes, the status in the AWS console will change to Available.

At this point, you can access Polaris from your VPC.

Validate connectivity

To validate connectivity through AWS PrivateLink, run the following nslookup command from an instance within your VPC.

nslookup ORGANIZATION_NAME.REGION.CLOUD_PROVIDER.api.imply.io

Replace the following:

  • ORGANIZATION_NAME: The custom domain through which you access Polaris.
  • REGION: The cloud region of your Polaris project.
  • CLOUD_PROVIDER: The cloud service provider for your Polaris infrastructure.

To test network connectivity with curl, run the following command from an instance within your VPC:

curl -v https://ORGANIZATION_NAME.REGION.CLOUD_PROVIDER.api.imply.io

Connect from additional regions

You can use AWS PrivateLink to query Polaris from regions not supported by Polaris. The following steps show you how to access Polaris from a VPC in a different region.

  1. Create a VPC endpoint in a supported Polaris region (the requester VPC).

  2. Follow the AWS documentation to create an inter-Region VPC peering connection. The VPC peering connection request must originate from the Polaris-supported region.

    • Ensure that the routing between the two VPCs is set up. Follow the AWS documentation to add a route to the route tables associated with the subnets for both VPCs.
    • Confirm that the hosts in the accepter VPC are allowed through the security group for the requester VPC endpoint in the supported Polaris region.
  3. Follow AWS documentation to enable DNS resolution for queries from the peer VPC.

  4. In the requester VPC, resolve the ORGANIZATION_NAME.REGION.CLOUD_PROVIDER.api.imply.io DNS name to its IP addresses. These should be the internal IP addresses of the requester VPC endpoint.

  5. Follow the AWS documentation to create a new Route 53 private hosted zone for the accepter VPC.

  6. Create a record mapping the ORGANIZATION_NAME.REGION.CLOUD_PROVIDER.api.imply.io DNS name to the internal IP addresses from Step 4.

You should now be able to query Polaris through AWS PrivateLink from the second VPC.
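
The check behind "Validate connectivity" and Step 4 above, as an added example that is not part of the Polaris documentation: it classifies the resolved addresses against the CIDR of the VPC that hosts the interface endpoint, so a public answer (private DNS not in effect) is flagged. The function names, the 10.0.0.0/16 CIDR and the sample addresses are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: classify DNS answers for the Polaris API hostname against
# the CIDR of the VPC that hosts the interface endpoint.

# Dotted-quad IPv4 -> 32-bit integer. Subshell body keeps the IFS change local.
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeed if IPv4 address $1 lies inside CIDR block $2 (for example 10.0.0.0/16).
in_cidr() (
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
  [ $(( $ip & $mask )) -eq $(( $net & $mask )) ]
)

# Read one IPv4 address per line on stdin and print a verdict for CIDR $1:
#   private = every answer is inside the CIDR (traffic takes the endpoint)
#   public  = at least one answer is outside it (public path or stale record)
#   empty   = the name did not resolve
classify_answers() (
  cidr=$1; seen=0; verdict=private
  while read -r addr; do
    [ -n "$addr" ] || continue
    seen=1
    in_cidr "$addr" "$cidr" || verdict=public
  done
  if [ "$seen" -eq 0 ]; then echo empty; else echo "$verdict"; fi
)

# Live check from an instance: check_host HOSTNAME ENDPOINT_VPC_CIDR
check_host() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u | classify_answers "$2"
}

# Constructed sample answers (not real Polaris addresses).
demo() {
  printf '10.0.12.34\n10.0.45.67\n' | classify_answers 10.0.0.0/16
  printf '10.0.12.34\n203.0.113.10\n' | classify_answers 10.0.0.0/16
}
demo
```

When you run `check_host` from the accepter VPC in the cross-region setup, pass the requester VPC's CIDR, because the Route 53 record points at the endpoint addresses in that VPC.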

Copyright © 2023 Imply Data, Inc