Use private endpoints
You can use private endpoints to establish a secure connection between your cloud provider and your Astra Managed Clusters databases. With a private endpoint, all communication remains within the private network, ensuring that no information is transmitted over the public internet.
Your Astra Managed Clusters databases can connect to one or more private endpoints:
- Single endpoint: Create a private endpoint in your virtual private cloud (VPC) and use it for one database.
- Multiple endpoints: Create multiple private endpoints in your VPC and use them for the same database.
Prerequisites
To configure and use private endpoints for Astra, you need the following:
- A paid subscription plan.
  Private endpoints are a premium feature that requires a paid subscription plan. Use of private endpoints incurs billed charges from both Astra and your cloud provider.
- An active Astra Managed Clusters database.
  Private endpoints must exist in the same region and cloud provider as the databases that use them. For example, a database in AWS us-west-2 can only use AWS PrivateLink private endpoints in us-west-2. For multi-region databases, you must configure separate endpoints for each region where you want to use private endpoints.
- The Organization Administrator or Database Administrator role.
  To use the DevOps API, you need an application token with one of these roles.
- Access to AWS PrivateLink or Google Cloud Private Service Connect.
- Permission to create network resources in your cloud provider, such as VPCs, subnets, and private endpoints.
- Apps or scripts that use supported Astra DB connection methods that are compatible with private links. Examples include DevOps API requests and Apache Cassandra® drivers.
  Compatibility isn’t guaranteed, and support isn’t provided, for unsupported connection methods.
Enable private endpoints
To use a private endpoint with a database, you must enable private endpoint connectivity for that database.
| Private endpoints must exist in the same region and cloud provider as the databases that use them. For example, a database in AWS us-west-2 can only use AWS PrivateLink private endpoints in us-west-2. For multi-region databases, you must configure separate endpoints for each region where you want to use private endpoints. |
Astra Portal:
- In the Astra Portal, click Managed clusters, and then click the name of the database that you want to modify.
- Click the Settings tab.
- In the Private Endpoints section, click Configure Region for the region where you want to use a private endpoint.
- Enter an allowed principal:
  - For AWS-based databases, the allowed principal is your AWS account’s Amazon Resource Name (ARN) in the exact, case-sensitive format arn:aws:iam::AWS_ACCOUNT_ID:root, where AWS_ACCOUNT_ID is your AWS account ID with no hyphens. For example, arn:aws:iam::123456789012:root. For more information, see Principals for gateway endpoints.
  - For Google Cloud-based databases, the allowed principal is your Google Cloud project ID.
- Click Configure Region.
- For multi-region databases, repeat these steps for each region where you want to use private endpoints.
DevOps API:
- Set an allowed principal for each database and region where you want to use private endpoints:
curl -sS -L -X POST "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/private-link" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json" \
--data '{
  "allowedPrincipals": [
    "ALLOWED_PRINCIPAL"
  ]
}'
  The DATACENTER_ID is the region identifier. For a single-region database, the DATACENTER_ID is the DATABASE_ID suffixed by -1. For multi-region databases, each region has a separate ID. For more information, see List database regions. The region selected must correspond with the cloud provider you identify in the allowedPrincipals.
  The ALLOWED_PRINCIPAL depends on the database’s cloud provider:
  - For AWS-based databases, the allowed principal is your AWS account’s Amazon Resource Name (ARN) in the exact, case-sensitive format arn:aws:iam::AWS_ACCOUNT_ID:root, where AWS_ACCOUNT_ID is your AWS account ID with no hyphens. For example, arn:aws:iam::123456789012:root. For more information, see Principals for gateway endpoints.
  - For Google Cloud-based databases, the allowed principal is your Google Cloud project ID.
- Get the serviceName from the response. You need it to create the private endpoint in your cloud provider.
  AWS:
{
  "serviceName": "com.amazonaws.vpce.REGION.vpce-svc-SERVICE_ID",
  "allowedPrincipals": [
    "ARN"
  ]
}
  Google Cloud:
{
  "serviceName": "projects/PROJECT_ID/regions/REGION_NAME/serviceAttachments/SERVICE_ATTACHMENT_NAME",
  "allowedPrincipals": [
    "GOOGLE_CLOUD_PROJECT_ID"
  ]
}
| If you need to remove an allowed principal, use the Remove allowed principal DevOps API endpoint. |
Add a private endpoint
After enabling private endpoints for a database, create a VPC endpoint in your cloud provider, and then use the Astra Portal or the DevOps API to connect it to your database.
Astra Portal:
For AWS-based databases, use an AWS PrivateLink private endpoint:
- In the Astra Portal where you just enabled private endpoints, copy the generated Service Name.
- In a new browser tab or window, sign in to the AWS VPC dashboard, and then switch to your database’s region.
- Create an endpoint to connect to an endpoint service as the service consumer. Use the generated service name from the Astra Portal as the endpoint’s Service name.
- After creating the endpoint, copy the VPC Endpoint ID.
- Return to the Astra Portal, and then enter the VPC Endpoint ID in the Endpoint ID field.
- Optional: Enter a description for the endpoint.
- Click Add Endpoint.
For Google Cloud-based databases, use a Google Cloud Private Service Connect private endpoint:
- In the Astra Portal where you just enabled private endpoints, copy the generated Service Name.
- In a new browser tab or window, sign in to the Google Cloud Network Services console.
- Create an endpoint to access published services. Use the generated service name from the Astra Portal as the endpoint’s Target service.
- After creating the endpoint, copy the PSC Connection ID from the endpoint details.
- Return to the Astra Portal, and then enter the PSC connection ID in the Endpoint ID field.
- Optional: Enter a description for the endpoint.
- Click Add Endpoint.
DevOps API:
Use the Accept endpoint to service DevOps API endpoint to connect your private endpoint to your database.
For AWS-based databases, use an AWS PrivateLink private endpoint:
- Sign in to the AWS VPC dashboard, and then switch to your database’s region.
- Create an endpoint to connect to an endpoint service as the service consumer. The endpoint’s Service name is the serviceName that was generated when you enabled private endpoints.
- After creating the endpoint, copy the VPC Endpoint ID.
- Connect your private endpoint to your database (DATABASE_ID) and region (DATACENTER_ID):
curl -sS -L -X POST "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/endpoints" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json" \
--data '{
  "endpointID": "VPC_ENDPOINT_ID",
  "description": "OPTIONAL_STRING"
}'
  A successful response contains the private endpoint configuration for the specified database and region. Make sure the status is Accepted.
  Result:
{
  "datacenters": [
    {
      "serviceName": "com.amazonaws.vpce.REGION.vpce-svc-SERVICE_ID",
      "allowedPrincipals": [
        "ARN"
      ],
      "datacenterID": "DB_REGION_ID",
      "endpoints": [
        {
          "endpointID": "VPC_ENDPOINT_ID",
          "description": "OPTIONAL_STRING",
          "status": "Accepted",
          "createdDateTime": "2021-04-10T23:00:00"
        }
      ]
    }
  ]
}
For Google Cloud-based databases, use a Google Cloud Private Service Connect private endpoint:
- Sign in to the Google Cloud Network Services console.
- Create an endpoint to access published services. The VPC endpoint’s Target service is the serviceName that was generated when you enabled private endpoints.
- After creating the endpoint, copy the PSC Connection ID from the endpoint details.
- Connect your private endpoint to your database (DATABASE_ID) and region (DATACENTER_ID):
curl -sS -L -X POST "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/endpoints" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json" \
--data '{
  "endpointID": "PSC_CONNECTION_ID",
  "description": "OPTIONAL_STRING"
}'
  A successful response contains the private endpoint configuration for the specified database and region. Make sure the status is Accepted.
  Result:
{
  "datacenters": [
    {
      "serviceName": "projects/PROJECT_ID/regions/REGION_NAME/serviceAttachments/SERVICE_ATTACHMENT_NAME",
      "allowedPrincipals": [
        "GOOGLE_CLOUD_PROJECT_ID"
      ],
      "datacenterID": "DB_REGION_ID",
      "endpoints": [
        {
          "endpointID": "PSC_CONNECTION_ID",
          "description": "OPTIONAL_STRING",
          "status": "Accepted",
          "createdDateTime": "2021-04-10T23:00:00"
        }
      ]
    }
  ]
}
If you want to edit the description for a private endpoint, use the Update endpoint description DevOps API endpoint.
Your database is now connected to a private endpoint. Next, configure DNS mapping.
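The two DevOps API calls above (set an allowed principal, then accept the cloud-provider endpoint) are easy to get subtly wrong: a role ARN or a hyphenated account ID instead of the exact arn:aws:iam::AWS_ACCOUNT_ID:root form, a Google Cloud principal against an AWS region, or a response whose status is not yet Accepted. The following script is an added example, not DataStax code, that builds both requests with those checks in front of them. It assumes the URLs, headers and JSON bodies quoted on this page; the 12-digit AWS account ID rule is AWS's published format, the Google Cloud project-ID pattern is a simplified form of Google's rules, and every sample ID and response in it is constructed.

```python
"""Build the Astra DevOps API requests that enable private endpoints and
accept a cloud-provider endpoint, validating inputs and responses first.

Added example; not DataStax code. URLs, headers and bodies follow the page.
Assumed: AWS account IDs are exactly 12 digits; the Google Cloud project-ID
regex below is a simplification of Google's rules; sample IDs are made up.
"""
import json
import re

API_BASE = "https://api.astra.datastax.com/v2/organizations/clusters"
AWS_ROOT_ARN = re.compile(r"^arn:aws:iam::\d{12}:root$")
GCP_PROJECT_ID = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")  # assumed simplification


def classify_principal(principal):
    """Return "aws" or "gcp" for a well-formed allowed principal, else raise.

    The page requires exactly arn:aws:iam::AWS_ACCOUNT_ID:root (case-sensitive,
    no hyphens), so role ARNs and hyphenated account IDs are rejected here
    rather than sent on to the API.
    """
    if AWS_ROOT_ARN.match(principal):
        return "aws"
    if principal.startswith("arn:"):
        raise ValueError(f"AWS principal must be arn:aws:iam::<12-digit-id>:root, got {principal!r}")
    if GCP_PROJECT_ID.match(principal):
        return "gcp"
    raise ValueError(f"not a root-account ARN or a Google Cloud project ID: {principal!r}")


def service_name_provider(service_name):
    """AWS PrivateLink names look like com.amazonaws.vpce.REGION.vpce-svc-ID;
    Private Service Connect names look like projects/.../serviceAttachments/...
    (both shapes are quoted on the page)."""
    if service_name.startswith("com.amazonaws.vpce."):
        return "aws"
    if service_name.startswith("projects/") and "/serviceAttachments/" in service_name:
        return "gcp"
    raise ValueError(f"unrecognised serviceName: {service_name!r}")


def single_region_datacenter_id(database_id):
    """For a single-region database the DATACENTER_ID is DATABASE_ID suffixed by -1.
    Multi-region databases need the List database regions endpoint instead."""
    return f"{database_id}-1"


def _headers(token):
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def build_enable_request(database_id, dc_id, principal, token):
    """POST .../datacenters/DC/private-link with a validated allowed principal."""
    classify_principal(principal)  # fail early on a malformed principal
    url = f"{API_BASE}/{database_id}/datacenters/{dc_id}/private-link"
    return "POST", url, _headers(token), json.dumps({"allowedPrincipals": [principal]})


def build_accept_request(database_id, dc_id, endpoint_id, token, description=""):
    """POST .../datacenters/DC/endpoints with the VPC Endpoint ID (AWS) or the
    PSC Connection ID (Google Cloud) copied from the cloud console."""
    if not endpoint_id or endpoint_id.strip() != endpoint_id:
        raise ValueError("endpoint ID must be non-empty with no surrounding whitespace")
    url = f"{API_BASE}/{database_id}/datacenters/{dc_id}/endpoints"
    body = {"endpointID": endpoint_id}
    if description:
        body["description"] = description
    return "POST", url, _headers(token), json.dumps(body)


def endpoint_status(accept_response, endpoint_id):
    """Pull the status the page says to check ("Accepted") out of the response."""
    for dc in accept_response.get("datacenters", []):
        for ep in dc.get("endpoints", []):
            if ep.get("endpointID") == endpoint_id:
                return ep.get("status")
    return None


def principal_matches_service(principal, service_name):
    """The region (and so its serviceName) must belong to the principal's cloud."""
    return classify_principal(principal) == service_name_provider(service_name)


if __name__ == "__main__":
    # Constructed values; replace with your own before sending anything.
    db = "DATABASE_ID"
    dc = single_region_datacenter_id(db)
    print(build_enable_request(db, dc, "arn:aws:iam::123456789012:root", "APPLICATION_TOKEN"))
    print(build_accept_request(db, dc, "VPC_ENDPOINT_ID", "APPLICATION_TOKEN", "billing-app"))
    sample = {"datacenters": [{"datacenterID": dc,
                               "endpoints": [{"endpointID": "VPC_ENDPOINT_ID", "status": "Accepted"}]}]}
    print("status:", endpoint_status(sample, "VPC_ENDPOINT_ID"))
```

The builders return the method, URL, headers and body rather than sending them, so the validation can be exercised offline; feed the tuple to whatever HTTP client you use. Treat any status other than Accepted as a reason to stop and re-check the endpoint in the cloud console before pointing DNS at it.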
Create DNS entries for a private endpoint
To ensure proper name resolution for private endpoints, you must configure private DNS mapping for the *.astra.datastax.com domain and subdomains.
This overrides the default resolution to the public IP address provided by Astra.
| If you use a private endpoint for one database, then you must configure private DNS mapping for every database you create, whether it uses a private endpoint or not. |
AWS:
- In Amazon Route 53, create a private hosted zone to route the astra.datastax.com domain traffic to your AWS PrivateLink VPC ID.
- Create alias or CNAME records that route Astra subdomains to your Amazon VPC interface endpoint’s DNS name.
  Use alias records if you use Cassandra drivers. For more information, see Comparison of alias and CNAME records.
  For each database, you must create records for both the .db. and .apps. domains. For multi-region databases, you must create records for every region where you use private endpoints.
  - DATABASE_ID-REGION.db.astra.datastax.com
  - DATABASE_ID-REGION.apps.astra.datastax.com
- Recommended: In the Astra Portal, use the IP Access List to block all public internet traffic to the database. This makes the database available only through private endpoints and allowed IPs.
Google Cloud:
- In the Google Cloud console, create a private zone to route traffic to your Private Service Connect endpoint IP.
- Create Type A standard records for Astra subdomains.
  For each database, you must create records for both the .db. and .apps. domains. For multi-region databases, you must create records for every region where you use private endpoints.
  - DATABASE_ID-REGION.db.astra.datastax.com
  - DATABASE_ID-REGION.apps.astra.datastax.com
- Recommended: In the Astra Portal, use the IP Access List to block all public internet traffic to the database. This makes the database available only through private endpoints and allowed IPs.
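The DNS step is where private-endpoint setups most often fail silently: if the private zone does not override the public record for both the .db. and .apps. names in every region, clients keep resolving Astra's public IP and traffic leaves the VPC even though the endpoint is Accepted. The script below is an added example, not DataStax code. It generates the record set the section describes for a database and its regions, and then checks, from inside the network, that each name resolves only to private addresses. It assumes the hostname pattern and record types stated above; the resolver answers and addresses in the demo are constructed.

```python
"""Plan the private DNS records a private endpoint needs and verify that they
override Astra's public resolution from inside the VPC.

Added example; not DataStax code. Hostname pattern and record types follow
the page. The demo resolver table and its addresses are constructed.
"""
import ipaddress
import socket

SUBDOMAINS = ("db", "apps")   # both are required for every database and region


def required_names(database_id, regions):
    """The .db. and .apps. names for every region that uses a private endpoint."""
    return [f"{database_id}-{region}.{sub}.astra.datastax.com"
            for region in regions for sub in SUBDOMAINS]


def plan_records(provider, database_id, regions, target):
    """Records to create in the private zone.

    target is the VPC interface endpoint's DNS name (AWS, alias record; the
    page prefers alias over CNAME when Cassandra drivers are in use) or the
    Private Service Connect endpoint IP (Google Cloud, A record).
    """
    if provider == "aws":
        rtype = "ALIAS"
    elif provider == "gcp":
        rtype = "A"
        ipaddress.ip_address(target)   # an A record needs an IP; fail early otherwise
    else:
        raise ValueError(f"unknown provider {provider!r}")
    return [{"name": name, "type": rtype, "target": target}
            for name in required_names(database_id, regions)]


def resolve_all(name):
    """Default resolver: every address the local resolver returns for name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def verify_private_resolution(names, resolve=resolve_all):
    """Return {name: [problems]} for names that do not resolve to private addresses only.

    A name that still resolves to a public address means the private zone is
    not overriding Astra's public record from this network, so client traffic
    would bypass the private endpoint. An empty dict means every name is fine.
    """
    problems = {}
    for name in names:
        try:
            addrs = resolve(name)
        except OSError as exc:           # NXDOMAIN, timeout, no resolver
            problems[name] = [f"unresolvable: {exc}"]
            continue
        public = [a for a in addrs if not ipaddress.ip_address(a).is_private]
        if not addrs:
            problems[name] = ["no addresses returned"]
        elif public:
            problems[name] = public
    return problems


if __name__ == "__main__":
    # Constructed demo: one region where the .apps. name was never overridden.
    db, region = "DATABASE_ID", "us-west-2"
    names = required_names(db, [region])
    for rec in plan_records("aws", db, [region], "VPC_ENDPOINT_DNS_NAME"):
        print(rec)
    table = {names[0]: ["10.0.1.5"], names[1]: ["52.0.0.1"]}   # constructed answers
    print(verify_private_resolution(names, resolve=lambda n: table[n]))
```

Run the verification from a host inside the VPC (or pass in a resolver bound to the VPC's DNS), once per endpoint when you have several, as the section on multiple endpoints recommends. Pair it with the IP Access List: the check tells you traffic is staying private, the access list makes sure nothing else gets in.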
Connect to a database through multiple private endpoints
If needed, you can access the same database through multiple private endpoints. For example, if you need to replace an endpoint, you can add the new endpoint to your database before you remove the previous endpoint.
| Private endpoints must exist in the same region and cloud provider as the databases that use them. For example, a database in AWS us-west-2 can only use AWS PrivateLink private endpoints in us-west-2. For multi-region databases, you must configure separate endpoints for each region where you want to use private endpoints. |
- Enable private endpoints, if you haven’t done so already.
- Add DNS entries for each endpoint as needed.
  If the additional endpoints are covered by the existing DNS entries, you might not need to add any entries. DataStax recommends that you test each endpoint separately to verify the configuration.
- If you configured the IP Access List, make sure the additional endpoints are included in the allowed IPs.
  If you need to replace an endpoint, it is critical that you add the new endpoint to the IP Access List before removing the previous endpoint to avoid losing connectivity to your database.
Get private endpoint configurations
In the Astra Portal, you can find a database’s private endpoints on the database’s Settings tab.
With the List private links for organization DevOps API endpoint, you can get information about private endpoints for all databases in your organization, a single database, or a single region of a multi-region database.
Get private endpoints for all databases:
curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/private-link" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"
A successful response includes information about private endpoint configurations for all databases in the organization. If there are any multi-region databases, the response includes all regions.
{
"clusters": [
{
"clusterID": "string",
"datacenters": [
{
"serviceName": "com.amazonaws.vpce.us-east-2.vpce-svc-1148ea04af491da11",
"allowedPrincipals": [
"arn:aws:iam::123456789012:role/admin"
],
"datacenterID": "string",
"endpoints": [
{
"endpointID": "vpce-svc-1148ea04af491da11",
"description": "ecomm-team-billing-app",
"linkID": "126845687",
"status": "Accepted",
"createdDateTime": "2009-11-10T23:00:00"
}
]
}
]
}
]
}
Get private endpoints for one database:
curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/private-link" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"
A successful response includes information about private endpoint configurations for one database. For a multi-region database, the response includes all regions.
{
"clusterID": "string",
"datacenters": [
{
"serviceName": "com.amazonaws.vpce.us-east-2.vpce-svc-1148ea04af491da11",
"allowedPrincipals": [
"arn:aws:iam::123456789012:role/admin"
],
"datacenterID": "string",
"endpoints": [
{
"endpointID": "vpce-svc-1148ea04af491da11",
"description": "ecomm-team-billing-app",
"linkID": "126845687",
"status": "Accepted",
"createdDateTime": "2009-11-10T23:00:00"
}
]
}
]
}
Get private endpoints for one region:
curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/private-link" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"
The DATACENTER_ID is the region identifier. For a single-region database, the DATACENTER_ID is the DATABASE_ID suffixed by -1. For multi-region databases, each region has a separate ID. For more information, see List database regions.
A successful response includes information about private endpoint configurations for one region of one database:
{
"serviceName": "com.amazonaws.vpce.us-east-2.vpce-svc-1148ea04af491da11",
"allowedPrincipals": [
"arn:aws:iam::123456789012:role/admin"
],
"datacenterID": "string",
"endpoints": [
{
"endpointID": "vpce-svc-1148ea04af491da11",
"description": "ecomm-team-billing-app",
"linkID": "126845687",
"status": "Accepted",
"createdDateTime": "2009-11-10T23:00:00"
}
]
}
To get information about a specific endpoint by endpoint ID, use the Get endpoint information DevOps API endpoint.
Delete a private endpoint
To delete a private endpoint, you must delete the private endpoint from Astra and your cloud provider.
| Astra cannot manage your cloud provider’s private endpoint configuration. You are responsible for removing unused private endpoint connections in your cloud provider. |
- In the Astra Portal, click Managed clusters, and then click the name of the database that you want to modify.
- Click the Settings tab.
- In the Private Endpoints section, click the endpoint that you want to delete, click Delete, and then click Delete Endpoint to confirm deletion.
  Alternatively, you can use the Reject endpoint DevOps API endpoint to delete a private endpoint from Astra:
curl -sS -L -X DELETE "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/endpoints/ENDPOINT_ID" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"
  The DELETE request removes one endpoint from one region of one database, so you must repeat the request for each applicable endpoint, region, and database.
- Remove your private endpoint from your cloud provider.
- Remove or modify DNS entries as needed.
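The organization-wide listing in "Get private endpoint configurations" is the natural input for a periodic review, and the per-endpoint DELETE in this section is what you act on when that review turns up an endpoint you did not create or no longer need. The script below is an added example, not DataStax code, covering both: it walks the clusters -> datacenters -> endpoints structure quoted above, reports endpoints whose status is not Accepted, reports endpoints that are attached to a database but absent from your own inventory of the VPC endpoints and PSC connections you created, and builds the Reject endpoint request for each one. The sample response and the inventory in it are constructed.

```python
"""Audit the private-endpoint configuration returned by the Astra DevOps API
and build the Reject endpoint (DELETE) request for endpoints to remove.

Added example; not DataStax code. The response shape is the one quoted on
the page; SAMPLE_ORG_RESPONSE and the inventory are constructed.
"""
import json

API_BASE = "https://api.astra.datastax.com/v2/organizations"

# Constructed stand-in for GET /v2/organizations/private-link.
SAMPLE_ORG_RESPONSE = json.loads("""
{
  "clusters": [
    {
      "clusterID": "db-aaaa",
      "datacenters": [
        {
          "serviceName": "com.amazonaws.vpce.us-east-2.vpce-svc-EXAMPLE",
          "allowedPrincipals": ["arn:aws:iam::123456789012:root"],
          "datacenterID": "db-aaaa-1",
          "endpoints": [
            {"endpointID": "vpce-0aaa", "description": "billing-app",
             "status": "Accepted", "createdDateTime": "2021-04-10T23:00:00"},
            {"endpointID": "vpce-0bbb", "description": "",
             "status": "Pending", "createdDateTime": "2021-04-11T08:00:00"}
          ]
        }
      ]
    }
  ]
}
""")


def iter_endpoints(org_response):
    """Yield (clusterID, datacenterID, endpoint) for every endpoint in the org."""
    for cluster in org_response.get("clusters", []):
        for dc in cluster.get("datacenters", []):
            for ep in dc.get("endpoints", []):
                yield cluster["clusterID"], dc["datacenterID"], ep


def not_accepted(org_response):
    """Endpoints whose status is anything other than Accepted (the page's success check)."""
    return [(c, d, ep["endpointID"], ep["status"])
            for c, d, ep in iter_endpoints(org_response) if ep["status"] != "Accepted"]


def unexpected_endpoints(org_response, expected):
    """Endpoints attached to a database that are not in your own inventory.

    expected: the set of VPC Endpoint IDs / PSC Connection IDs you created.
    Anything else attached to a database deserves review and, if unwanted,
    rejection with the request built below.
    """
    return [(c, d, ep["endpointID"]) for c, d, ep in iter_endpoints(org_response)
            if ep["endpointID"] not in expected]


def build_reject_request(database_id, dc_id, endpoint_id, token):
    """DELETE .../clusters/DB/datacenters/DC/endpoints/ENDPOINT.

    One request removes one endpoint from one region of one database, so the
    caller repeats it per endpoint, region and database, as the page says.
    """
    url = f"{API_BASE}/clusters/{database_id}/datacenters/{dc_id}/endpoints/{endpoint_id}"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return "DELETE", url, headers


if __name__ == "__main__":
    inventory = {"vpce-0aaa"}   # constructed: the only endpoint we meant to create
    print("not accepted:", not_accepted(SAMPLE_ORG_RESPONSE))
    for db, dc, ep_id in unexpected_endpoints(SAMPLE_ORG_RESPONSE, inventory):
        print("to reject:", build_reject_request(db, dc, ep_id, "APPLICATION_TOKEN"))
```

Rejecting an endpoint in Astra does not touch the cloud-provider side, as the note at the top of this section says, so after the DELETE still remove the VPC endpoint or PSC connection itself and clean up the DNS records that pointed at it.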