Manage private endpoints

You can use private endpoints to establish a private connection between your virtual private cloud (VPC) at your cloud provider and your Astra DB Classic databases. With a private endpoint, traffic between your applications and the database stays on the cloud provider's private network and is never routed over the public internet.

Each of your Astra DB databases can connect to one or more private endpoints:

  • Single endpoint: Create a private endpoint in your virtual private cloud (VPC) and use it for one database.

  • Multiple endpoints: Create multiple private endpoints in your VPC and use them for the same database.

Private endpoints have cost implications. For information about private endpoint pricing, see the plan details on the Astra DB pricing page.

Prerequisites

Enable private endpoints

To use a private endpoint with a database, you must enable private endpoint connectivity for that database.

This page explains how to configure private endpoints in the Astra Portal. You can also use the DevOps API.

  1. In the Astra Portal, go to Databases, and then select your database.

  2. Click Settings.

  3. In the Private Endpoints section, click Configure Region for the region where you want to use a private endpoint.

    • For AWS-based databases, enter your AWS account’s Amazon Resource Name (ARN) in the format arn:aws:iam::AWS-ACCOUNT-ID:root, where AWS-ACCOUNT-ID is your 12-digit AWS account ID. This value is case-sensitive. The ARN identifies the AWS account that is allowed to connect to the database's endpoint service; VPC endpoints created from other accounts cannot connect.

    • For Google Cloud-based databases, enter your Google Cloud Project ID.

  4. Click Configure Region.

This database can now use a private endpoint in the cloud provider and region that you enabled. For multi-region databases, you must enable private endpoints for each region where you want to use private endpoints.

Next, add the private endpoint.

Add a private endpoint

After enabling private endpoints for a database, create a private endpoint in your cloud provider, and then connect it to the database.


For AWS-based databases, use an AWS PrivateLink private endpoint:

  1. In the Astra Portal, go to Databases, and then select the same database where you enabled private endpoints.

  2. Click Settings.

  3. In the Private Endpoints section, click Add Endpoint.

  4. In the Add Private Endpoint dialog, copy the generated Service Name.

    Keep this dialog open while you create the VPC endpoint in AWS.

  5. In a new tab or window, sign in to the AWS VPC dashboard, and then switch to your database’s region. The VPC endpoint must be in the same region as the database.

  6. Create an endpoint to connect to an endpoint service as the service consumer.

    Use the generated service name from the Astra Portal as the endpoint’s Service name.

  7. After creating the endpoint, copy the VPC Endpoint ID.

  8. Return to the Astra Portal, and then enter the VPC endpoint ID in the Endpoint ID field.

  9. Optional: Enter a description for the endpoint.

  10. Click Add Endpoint.

For Google Cloud-based databases, use a Google Cloud Private Service Connect private endpoint:

  1. In the Astra Portal, go to Databases, and then select the same database where you enabled private endpoints.

  2. Click Settings.

  3. In the Private Endpoints section, click Add Endpoint.

  4. In the Add Private Endpoint dialog, copy the generated Service Name.

    Keep this dialog open while you create the private endpoint in Google Cloud.

  5. In a new tab or window, sign in to the Google Cloud Network Services console.

  6. Create an endpoint to access published services.

    Use the generated service name from the Astra Portal as the endpoint’s Target service.

  7. After creating the endpoint, copy the PSC Connection ID from the endpoint details.

  8. Return to the Astra Portal, and then enter the PSC connection ID in the Endpoint ID field.

  9. Optional: Enter a description for the endpoint.

  10. Click Add Endpoint.
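The two procedures above, and the account ARN entered in the Enable step, can be driven from the command line instead of the console. The script below is an added example and not DataStax's or the cloud providers' own tooling: it validates the values the Astra Portal asks for before sending them anywhere, creates the consumer-side endpoint with the AWS CLI or gcloud, and prints the ID that goes into the Endpoint ID field. The VPC, subnets, security group, network and reserved address names passed on the command line are assumed to exist already; the format checks reflect the public shape of these identifiers rather than anything stated on the page, and no cloud API is called unless ASTRA_PE_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not DataStax code): create the consumer-side private endpoint
# with the cloud CLI and print the value the Astra Portal's Endpoint ID field
# expects. Assumptions, not from the page: the AWS CLI or gcloud is installed
# and authenticated, and the VPC, subnets, security group, network and
# reserved internal address named on the command line already exist.
# No cloud API is called unless ASTRA_PE_APPLY=1 is set.
set -eu

# --- input checks: reject a value pasted from the wrong place with a clear
# --- message before the cloud provider rejects it with an opaque one --------

# Account ARN for the Enable step: arn:aws:iam::<12 digits>:root
validate_aws_root_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws(-us-gov|-cn)?:iam::[0-9]{12}:root$'
}

# Astra's PrivateLink service name: com.amazonaws.vpce.<region>.vpce-svc-<hex>
validate_aws_service_name() {
  printf '%s' "$1" | grep -Eq '^com\.amazonaws\.vpce\.[a-z]{2}(-gov)?-[a-z]+-[0-9]\.vpce-svc-[0-9a-f]{8,17}$'
}

# VPC endpoint ID, the AWS value for the Endpoint ID field.
validate_vpce_id() {
  printf '%s' "$1" | grep -Eq '^vpce-[0-9a-f]{8,17}$'
}

# PSC target service (service attachment URI) and the numeric PSC connection
# ID, the Google Cloud value for the Endpoint ID field.
validate_psc_target() {
  printf '%s' "$1" | grep -Eq '^projects/[a-z0-9:.-]+/regions/[a-z0-9-]+/serviceAttachments/[a-z0-9-]+$'
}
validate_psc_connection_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]+$'
}

# --- AWS: interface endpoint as the service consumer ------------------------
# Private DNS is deliberately not enabled on the endpoint: resolution of the
# Astra hostnames is done by the Route 53 private hosted zone from the DNS
# section. The security group should allow inbound traffic only from your
# application subnets on the ports your Secure Connect Bundle uses.
aws_create_endpoint() {
  service_name=$1; vpc_id=$2; subnet_ids=$3; sg_id=$4
  validate_aws_service_name "$service_name" || {
    echo "refusing: '$service_name' is not an AWS PrivateLink service name" >&2; return 1; }
  vpce_id=$(aws ec2 create-vpc-endpoint \
      --vpc-endpoint-type Interface \
      --service-name "$service_name" \
      --vpc-id "$vpc_id" \
      --subnet-ids $subnet_ids \
      --security-group-ids "$sg_id" \
      --query 'VpcEndpoint.VpcEndpointId' --output text)
  validate_vpce_id "$vpce_id" || { echo "unexpected endpoint id '$vpce_id'" >&2; return 1; }
  # A PrivateLink connection to a service that requires acceptance stays in
  # pendingAcceptance until the provider accepts it; registering the ID in the
  # Astra Portal is how the ID reaches Astra, so the state is reported here,
  # not waited on.
  state=$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$vpce_id" \
      --query 'VpcEndpoints[0].State' --output text)
  echo "Endpoint ID for the Astra Portal: $vpce_id (state: $state)"
}

# --- Google Cloud: a PSC consumer endpoint is a forwarding rule whose target
# --- is the published service attachment (the Target service value) ---------
gcp_create_endpoint() {
  target=$1; name=$2; region=$3; network=$4; address=$5
  validate_psc_target "$target" || {
    echo "refusing: '$target' is not a service attachment URI" >&2; return 1; }
  gcloud compute forwarding-rules create "$name" \
      --region="$region" --network="$network" --address="$address" \
      --target-service-attachment="$target" --quiet >/dev/null
  psc_id=$(gcloud compute forwarding-rules describe "$name" --region="$region" \
      --format='value(pscConnectionId)')
  validate_psc_connection_id "$psc_id" || {
    echo "unexpected PSC connection id '$psc_id'" >&2; return 1; }
  echo "Endpoint ID for the Astra Portal: $psc_id"
}

if [ "${ASTRA_PE_APPLY:-0}" = 1 ]; then
  case "${1:-}" in
    aws) aws_create_endpoint "$2" "$3" "$4" "$5" ;;
    gcp) gcp_create_endpoint "$2" "$3" "$4" "$5" "$6" ;;
    *) echo "usage: $0 aws SERVICE_NAME VPC_ID 'SUBNET_ID ...' SG_ID" >&2
       echo "       $0 gcp TARGET_SERVICE NAME REGION NETWORK ADDRESS_NAME" >&2; exit 2 ;;
  esac
fi
```

Run it as `ASTRA_PE_APPLY=1 sh make-endpoint.sh aws SERVICE_NAME vpc-... 'subnet-a subnet-b' sg-...` (or the gcp form) with the Service Name copied from the Add Private Endpoint dialog; the printed ID is what you paste back into the dialog. The validation functions are also usable on their own to sanity-check values before a change window.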

Your database is now connected to a private endpoint. Next, configure DNS mapping.

Create DNS entries for a private endpoint

To ensure proper name resolution for private endpoints, you must configure private DNS mapping for the *.astra.datastax.com domain and its subdomains inside your VPC. The private zone overrides the default resolution of these names to the public IP address that Astra DB publishes, so that clients in the VPC connect to the private endpoint instead.

If you use a private endpoint for one database, then you must configure private DNS mapping for every database you create, whether it uses a private endpoint or not. Inside the VPC, the private zone answers for the whole astra.datastax.com domain and does not fall back to public DNS, so any database without a record in the zone cannot be resolved from that VPC at all.

For AWS-based databases, use Amazon Route 53:

  1. In Amazon Route 53, create a private hosted zone for astra.datastax.com and associate it with the VPC that contains your AWS PrivateLink interface endpoint.

  2. Create alias records to route Astra DB subdomains to your Amazon VPC interface endpoint’s DNS name.

    DataStax recommends alias records for Astra DB Classic databases because they are compatible with DataStax drivers.

    For each database, you must create records for both the .db. and .apps. domains:

    • DATABASE_ID-REGION.db.astra.datastax.com

    • DATABASE_ID-REGION.apps.astra.datastax.com

      For multi-region databases, you must create these entries for every region where you use private endpoints.

  3. Recommended: In the Astra Portal, use the IP Access List to block all public internet traffic to the database. This makes the database available only through private endpoints and allowed IPs.

For Google Cloud-based databases, use Cloud DNS:

  1. In the Google Cloud console, create a private DNS zone for astra.datastax.com, attached to the VPC network that contains your Private Service Connect endpoint, so that the Astra DB names resolve to the endpoint's IP address.

  2. Create standard A records for the Astra DB subdomains, each pointing to the internal IP address of the Private Service Connect endpoint.

    For each database, you must create records for both the .db. and .apps. domains:

    • DATABASE_ID-REGION.db.astra.datastax.com

    • DATABASE_ID-REGION.apps.astra.datastax.com

      For multi-region databases, you must create these entries for every region where you use private endpoints.

  3. Recommended: In the Astra Portal, use the IP Access List to block all public internet traffic to the database. This makes the database available only through private endpoints and allowed IPs.
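The DNS steps for both providers, plus the check a practitioner wants afterwards, as an added example that is not DataStax's own tooling: it emits the Route 53 alias change batch for the .db. and .apps. names, creates the equivalent Cloud DNS zone and A records with gcloud, and then verifies from inside the VPC that each name resolves to an RFC 1918 address rather than to Astra's public IP. The VPC, endpoint, network and PSC endpoint IP are assumed to be yours, getent is assumed to be available for the check, and no cloud API is called unless ASTRA_DNS_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not DataStax code): create the private DNS records with the
# cloud CLI and check, from inside the VPC, that the Astra names resolve to a
# private address. Assumptions, not from the page: the AWS CLI or gcloud is
# installed and authenticated; the VPC, endpoint, network and PSC endpoint IP
# are yours; getent exists for the check. No cloud API is called unless
# ASTRA_DNS_APPLY=1 is set.
set -eu

# The two names each database needs in one region.
astra_names() {
  db_id=$1; region=$2
  printf '%s-%s.db.astra.datastax.com\n' "$db_id" "$region"
  printf '%s-%s.apps.astra.datastax.com\n' "$db_id" "$region"
}

# Route 53 change batch with one alias record per name. The alias target is
# the interface endpoint's regional DNS name plus its hosted zone ID, both
# read from `aws ec2 describe-vpc-endpoints` in aws_apply_dns below.
route53_change_batch() {
  db_id=$1; region=$2; vpce_dns=$3; vpce_zone=$4
  printf '{"Comment":"Astra DB private endpoint","Changes":['
  sep=''
  for name in $(astra_names "$db_id" "$region"); do
    printf '%s{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s.","Type":"A",' "$sep" "$name"
    printf '"AliasTarget":{"HostedZoneId":"%s","DNSName":"%s","EvaluateTargetHealth":false}}}' "$vpce_zone" "$vpce_dns"
    sep=','
  done
  printf ']}\n'
}

aws_apply_dns() {
  db_id=$1; region=$2; vpc_id=$3; vpce_id=$4
  # Private hosted zone for astra.datastax.com, associated with the VPC that
  # holds the endpoint. Inside that VPC the zone now answers for the whole
  # domain, which is why every database reached from the VPC needs records.
  zone_id=$(aws route53 create-hosted-zone --name astra.datastax.com \
      --caller-reference "astra-private-$(date +%s)" \
      --vpc "VPCRegion=$region,VPCId=$vpc_id" \
      --hosted-zone-config PrivateZone=true \
      --query 'HostedZone.Id' --output text)
  vpce_dns=$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$vpce_id" \
      --query 'VpcEndpoints[0].DnsEntries[0].DnsName' --output text)
  vpce_zone=$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$vpce_id" \
      --query 'VpcEndpoints[0].DnsEntries[0].HostedZoneId' --output text)
  batch=$(mktemp)
  route53_change_batch "$db_id" "$region" "$vpce_dns" "$vpce_zone" > "$batch"
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
      --change-batch "file://$batch"
  rm -f "$batch"
}

gcp_apply_dns() {
  db_id=$1; region=$2; network=$3; psc_ip=$4
  gcloud dns managed-zones create astra-private \
      --dns-name=astra.datastax.com. --visibility=private \
      --networks="$network" --description="Astra DB private endpoint" --quiet
  for name in $(astra_names "$db_id" "$region"); do
    gcloud dns record-sets create "$name." --zone=astra-private \
        --type=A --ttl=300 --rrdatas="$psc_ip" --quiet
  done
}

# RFC 1918 test: 10/8, 172.16/12 and 192.168/16 are private, everything else
# (including 100.64/10 and the public ranges) is not.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*)
      case "$(printf '%s' "$1" | cut -d. -f2)" in
        1[6-9]|2[0-9]|3[01]) return 0 ;;
      esac ;;
  esac
  return 1
}

# A name that still resolves to a public address means the private zone is
# not associated with this VPC; no answer at all means the record is missing
# (the private zone shadows the public one, so there is no fallback).
verify_resolution() {
  db_id=$1; region=$2; rc=0
  for name in $(astra_names "$db_id" "$region"); do
    ip=$(getent ahostsv4 "$name" 2>/dev/null | awk '{print $1; exit}' || true)
    if [ -z "$ip" ]; then
      echo "FAIL $name: no answer (record missing in the private zone?)"; rc=1
    elif is_private_ipv4 "$ip"; then
      echo "ok   $name -> $ip"
    else
      echo "FAIL $name -> $ip is public (private zone not attached to this VPC?)"; rc=1
    fi
  done
  return $rc
}

if [ "${ASTRA_DNS_APPLY:-0}" = 1 ]; then
  case "${1:-}" in
    aws)    aws_apply_dns "$2" "$3" "$4" "$5" ;;
    gcp)    gcp_apply_dns "$2" "$3" "$4" "$5" ;;
    verify) verify_resolution "$2" "$3" ;;
    *) echo "usage: $0 aws DB_ID REGION VPC_ID VPCE_ID | gcp DB_ID REGION NETWORK PSC_IP | verify DB_ID REGION" >&2; exit 2 ;;
  esac
fi
```

Run `ASTRA_DNS_APPLY=1 sh astra-dns.sh verify DB_ID REGION` from an instance in the VPC after applying the records; a FAIL for the .apps. name while .db. passes is the usual sign that only one of the two records was created. For multi-region databases, run the apply and verify steps once per region, using that region's endpoint.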

After you configure private endpoints, you might need to update the Secure Connect Bundle (SCB) connection details for any drivers, applications, scripts, or other clients that use the SCB to connect to your database.

Connect to a database through multiple private endpoints

You can access one database from multiple private endpoints. The private endpoints must have the same region and cloud provider as the database. For multi-region databases, you must create private endpoints in each applicable region.

To connect to one database through multiple private endpoints, enable private endpoints for the database, add each private endpoint, and then add DNS entries in each VPC where you deployed a private endpoint.

Delete a private endpoint

To delete a private endpoint, you must delete the private endpoint from the Astra Portal and your cloud provider:

  1. In the Astra Portal, go to Databases, and then select your database.

  2. Click Settings.

  3. In the Private Endpoints section, click the endpoint that you want to delete.

  4. Click Delete, and then click Delete Endpoint to confirm deletion.

  5. Remove the private endpoint from your cloud provider: the VPC endpoint in AWS, or the Private Service Connect endpoint in Google Cloud.

  6. Remove or modify private DNS mappings as needed.

When you delete a private endpoint, make sure you delete the connection in both the Astra Portal and your cloud provider. An endpoint left behind in your cloud provider can no longer reach the database, but it continues to incur the provider's endpoint charges.


© 2024 DataStax | Privacy policy | Terms of use
