Manage private endpoints

You can use private endpoints to create a secure connection between your cloud provider and your Astra DB databases. With a private endpoint, no information is sent over the public network.

Each of your Astra DB databases can connect to one or more private endpoints:

  • Single endpoint: Create a private endpoint in your virtual private cloud (VPC) and use it for one database.

  • Multiple endpoints: Create multiple private endpoints in your VPC and use them for the same database.

Private endpoints have cost implications. For information about private endpoint pricing, see the plan details on the Astra DB pricing page.

Prerequisites

  • You have an active Astra DB database.

  • You can access your cloud provider’s console and create network resources.

  • You can create a private endpoint in AWS PrivateLink or Google Cloud Private Service Connect in the same region as your database.

    A database must have the same region and cloud provider as the private endpoint that it uses. For example, a database in AWS us-west-2 can only use AWS PrivateLink private endpoints in us-west-2.

    Check VPC ownership for AWS

    Only VPC owners can create resources such as VPC endpoints, subnets, route tables, and NACLs. Participants cannot view, modify, or delete resources that belong to other participants or the VPC owner.

    This means that a user can’t create private endpoints in a shared VPC that is owned by a different AWS account.

    To determine which account owns your VPC, check the Owner ID in the AWS Console.

    [Image: Checking the Owner ID in the AWS Console]

    For more information, see Share your VPC subnets with other accounts.

  • You have an application token with the Organization Administrator or Database Administrator role.

Get existing private endpoint configurations

You can get information about existing private endpoint configurations for all databases in your organization, a single database, or a single region of a multi-region database.

  • Get private endpoints for all databases:

    curl --request GET \
      --url 'https://api.astra.datastax.com/v2/organizations/*ORGANIZATION_ID*/clusters/private-link' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer *APPLICATION_TOKEN*'

  • Get private endpoints for one database:

    curl --request GET \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/*DATABASE_ID*/private-link' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer *APPLICATION_TOKEN*'

  • Get private endpoints for one region:

    If the database is not a multi-region database, then the datacenterID is the same as the databaseID.

    curl --request GET \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/*DATABASE_ID*/datacenters/*DATACENTER_ID*/private-link' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer *APPLICATION_TOKEN*'

Responses

A successful response includes information about private endpoint configurations, depending on the request:

  • Information for all databases in an organization. If there are any multi-region databases, the response includes all regions.

    {
      "clusters": [
        {
          "clusterID": "string",
          "datacenters": [
            {
              "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-1148ea04af491da11",
              "allowedPrincipals": [
                "arn:aws:iam::123456789012:role/admin"
              ],
              "datacenterID": "string",
              "endpoints": [
                {
                  "endpointID": "vpce-svc-1148ea04af491da11",
                  "description": "ecomm-team-billing-app",
                  "linkID": "126845687",
                  "status": "Accepted",
                  "createdDateTime": "2009-11-10T23:00:00"
                }
              ]
            }
          ]
        }
      ]
    }
  • Information for one database. For a multi-region database, the response includes all regions.

    {
      "clusterID": "string",
      "datacenters": [
        {
          "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-1148ea04af491da11",
          "allowedPrincipals": [
            "arn:aws:iam::123456789012:role/admin"
          ],
          "datacenterID": "string",
          "endpoints": [
            {
              "endpointID": "vpce-svc-1148ea04af491da11",
              "description": "ecomm-team-billing-app",
              "linkID": "126845687",
              "status": "Accepted",
              "createdDateTime": "2009-11-10T23:00:00"
            }
          ]
        }
      ]
    }
  • Information for one region of one database:

    {
      "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-1148ea04af491da11",
      "allowedPrincipals": [
        "arn:aws:iam::123456789012:role/admin"
      ],
      "datacenterID": "string",
      "endpoints": [
        {
          "endpointID": "vpce-svc-1148ea04af491da11",
          "description": "ecomm-team-billing-app",
          "linkID": "126845687",
          "status": "Accepted",
          "createdDateTime": "2009-11-10T23:00:00"
        }
      ]
    }

Add private endpoints

Astra DB Classic supports AWS PrivateLink and Google Cloud Private Service Connect endpoints.

This page explains how to configure private endpoints with the DevOps API. You can also use the Astra Portal.

Enable private endpoints

  1. To enable private endpoints in Astra DB, you need to set the allowed principal for each database and region where you want to use private endpoints:

    curl --request POST \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/*DATABASE_ID*/datacenters/*DATACENTER_ID*/private-link' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer *APPLICATION_TOKEN*' \
      --data '{
          "allowedPrincipals": [
            "*ALLOWED_PRINCIPAL*"
          ]
        }'

    Replace the following:

    • DATABASE_ID: The database identifier.

    • DATACENTER_ID: The region identifier. The region must correspond to the cloud provider you identify in the allowedPrincipals.

      To get the datacenter ID, you can use the DevOps API List datacenters endpoint.

    • APPLICATION_TOKEN: Your application token.

    • ALLOWED_PRINCIPAL:

      • For AWS-based databases, the allowed principal is your AWS account’s Amazon Resource Name (ARN) in the format arn:aws:iam::*AWS-ACCOUNT-ID*:root. For more information, see Principals for gateway endpoints.

      • For Google Cloud-based databases, the allowed principal is your Google Cloud Project ID.

  2. Get the serviceName from the response. You need it to create the private endpoint.

    • AWS:

      {
        "serviceName": "com.amazonaws.vpce.*REGION*.vpce-svc-*SERVICE_ID*",
        "allowedPrincipals": [
          "*ARN*"
        ]
      }

    • Google Cloud:

      {
        "serviceName": "projects/*PROJECT_ID*/regions/*REGION_NAME*/serviceAttachments/*SERVICE_ATTACHMENT_NAME*",
        "allowedPrincipals": [
          "*GOOGLE_CLOUD_PROJECT_ID*"
        ]
      }

You have now allowed one region of one database to use private endpoints from the cloud provider identified in the allowedPrincipals. For multi-region databases, you must enable private endpoints for each region where you want to use private endpoints.
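The following Python, added here as an example and not DataStax code, builds the step 1 request, refusing an allowed principal that is neither an AWS IAM ARN nor a Google Cloud project ID, and checks the step 2 response: the serviceName must come from the same provider as the principal you set. The project-ID pattern and the JSON Content-Type header are assumptions.

```python
import json
import re
import urllib.request

DEVOPS_API = "https://api.astra.datastax.com/v2/organizations/clusters"
# AWS: an IAM ARN in your account (the page recommends arn:aws:iam::ACCOUNT:root).
AWS_PRINCIPAL = re.compile(r"^arn:aws:iam::\d{12}:\S+$")
# Google Cloud: a project ID; the 6-30 char lowercase shape is an assumption.
GCP_PROJECT_ID = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
AWS_SERVICE = re.compile(r"^com\.amazonaws\.vpce\.([a-z0-9-]+)\.vpce-svc-[0-9a-f]+$")
GCP_SERVICE = re.compile(r"^projects/[^/]+/regions/([^/]+)/serviceAttachments/[^/]+$")

def principal_provider(principal: str) -> str:
    """Return 'aws' or 'gcp' for a well-formed allowedPrincipals entry, else raise."""
    if AWS_PRINCIPAL.match(principal):
        return "aws"
    if GCP_PROJECT_ID.match(principal):
        return "gcp"
    raise ValueError(f"not an AWS IAM ARN or Google Cloud project ID: {principal!r}")

def enable_request(database_id, datacenter_id, token, principal):
    """Build the POST that sets allowedPrincipals for one region of one database
    (step 1); the explicit JSON Content-Type header is an assumption."""
    principal_provider(principal)  # refuse a malformed principal before sending
    url = f"{DEVOPS_API}/{database_id}/datacenters/{datacenter_id}/private-link"
    headers = {"Accept": "application/json", "Content-Type": "application/json",
               "Authorization": f"Bearer {token}"}
    body = json.dumps({"allowedPrincipals": [principal]}).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def service_provider_and_region(service_name: str) -> tuple:
    """Classify a serviceName from the step 2 response as ('aws' | 'gcp', region)."""
    m = AWS_SERVICE.match(service_name)
    if m:
        return "aws", m.group(1)
    m = GCP_SERVICE.match(service_name)
    if m:
        return "gcp", m.group(1)
    raise ValueError(f"unrecognised serviceName: {service_name!r}")

def check_enable_response(response: dict, principal: str) -> str:
    """Verify the response echoes exactly our principal and that its serviceName
    comes from the same provider; return the serviceName for endpoint creation."""
    if response.get("allowedPrincipals") != [principal]:
        raise ValueError(f"unexpected allowedPrincipals: {response.get('allowedPrincipals')!r}")
    provider, _region = service_provider_and_region(response["serviceName"])
    if provider != principal_provider(principal):
        raise ValueError("serviceName provider does not match the allowed principal")
    return response["serviceName"]
```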

Create a private endpoint

After enabling private endpoints for a database, create a private endpoint in your cloud provider, and then connect it to the database.

For AWS-based databases, use an AWS PrivateLink private endpoint:

  1. Sign in to the AWS VPC dashboard, and then switch to your database’s region.

  2. Create an endpoint to connect to an endpoint service as the service consumer.

    The VPC endpoint’s Service name is the serviceName generated when you enabled private endpoints.

  3. After creating the endpoint, copy the VPC Endpoint ID.

  4. Connect the private endpoint to your database and region:

    curl --request POST \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/*DATABASE_ID*/datacenters/*DATACENTER_ID*/endpoints' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer *APPLICATION_TOKEN*' \
      --data '{
          "endpointID": "*VPC_ENDPOINT_ID*",
          "description": "*OPTIONAL_STRING*"
        }'

    Response

    A successful response contains the private endpoint configuration for the specified database and region. Make sure the status is Accepted.

    {
      "datacenters": [
        {
          "serviceName": "com.amazonaws.vpce.*REGION*.vpce-svc-*SERVICE_ID*",
          "allowedPrincipals": [
            "*ARN*"
          ],
          "datacenterID": "*DB_REGION_ID*",
          "endpoints": [
            {
              "endpointID": "*VPC_ENDPOINT_ID*",
              "description": "*OPTIONAL_STRING*",
              "status": "Accepted",
              "createdDateTime": "2021-04-10T23:00:00"
            }
          ]
        }
      ]
    }

For Google Cloud-based databases, use a Google Cloud Private Service Connect private endpoint:

  1. Sign in to the Google Cloud Network Services console.

  2. Create an endpoint to access published services.

    The VPC endpoint’s Target service is the serviceName generated when you enabled private endpoints.

  3. After creating the endpoint, copy the PSC Connection ID from the endpoint details.

  4. Connect the private endpoint to your database and region:

    curl --request POST \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/*DATABASE_ID*/datacenters/*DATACENTER_ID*/endpoints' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer *APPLICATION_TOKEN*' \
      --data '{
          "endpointID": "*PSC_CONNECTION_ID*",
          "description": "*OPTIONAL_STRING*"
        }'

    Response

    A successful response contains the private endpoint configuration for the specified database and region. Make sure the status is Accepted.

    {
      "datacenters": [
        {
          "serviceName": "projects/*PROJECT_ID*/regions/*REGION_NAME*/serviceAttachments/*SERVICE_ATTACHMENT_NAME*",
          "allowedPrincipals": [
            "*GOOGLE_CLOUD_PROJECT_ID*"
          ],
          "datacenterID": "*DB_REGION_ID*",
          "endpoints": [
            {
              "endpointID": "*PSC_CONNECTION_ID*",
              "description": "*OPTIONAL_STRING*",
              "status": "Accepted",
              "createdDateTime": "2021-04-10T23:00:00"
            }
          ]
        }
      ]
    }

Your database is now connected to a private endpoint.
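An added audit helper, not DataStax code, that walks any of the three get-private-link response shapes shown earlier and reports endpoints whose status is not Accepted, plus allowedPrincipals entries outside the set you own; the sample response and its Pending status value are constructed.

```python
import json

def iter_datacenters(config: dict):
    """Yield (clusterID, datacenter) from any of the three response shapes:
    all databases ('clusters'), one database ('datacenters'), or one region."""
    if "clusters" in config:
        for cluster in config["clusters"]:
            for dc in cluster.get("datacenters", []):
                yield cluster.get("clusterID"), dc
    elif "datacenters" in config:
        for dc in config["datacenters"]:
            yield config.get("clusterID"), dc
    else:
        yield None, config

def not_accepted(config: dict) -> list:
    """Endpoints whose status is anything other than Accepted; those cannot carry traffic yet."""
    return [(cid, dc.get("datacenterID"), ep.get("endpointID"), ep.get("status"))
            for cid, dc in iter_datacenters(config)
            for ep in dc.get("endpoints", [])
            if ep.get("status") != "Accepted"]

def unexpected_principals(config: dict, expected: set) -> list:
    """allowedPrincipals entries you do not own; each one may attach endpoints to the service."""
    return [(cid, dc.get("datacenterID"), p)
            for cid, dc in iter_datacenters(config)
            for p in dc.get("allowedPrincipals", [])
            if p not in expected]

# Constructed sample in the one-database shape: one pending endpoint (the status
# value is made up for the example) and a second principal that should not be there.
SAMPLE = json.loads("""{
  "clusterID": "db-1",
  "datacenters": [{
    "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
    "allowedPrincipals": ["arn:aws:iam::123456789012:root", "arn:aws:iam::999999999999:root"],
    "datacenterID": "db-1-us-east-1",
    "endpoints": [
      {"endpointID": "vpce-0aaaa", "description": "billing", "status": "Accepted",
       "createdDateTime": "2021-04-10T23:00:00"},
      {"endpointID": "vpce-0bbbb", "description": "analytics", "status": "Pending",
       "createdDateTime": "2021-04-11T08:00:00"}
    ]
  }]
}""")

if __name__ == "__main__":
    print(not_accepted(SAMPLE))
    print(unexpected_principals(SAMPLE, {"arn:aws:iam::123456789012:root"}))
```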

Next, create a DNS entry for the private endpoint.

Create a DNS entry for a private endpoint

When you create a database, Astra DB Classic automatically sets up a DNS entry so that applications can connect to the database.

When you use private endpoints, you must create a DNS entry as a local version of the *.astra.datastax.com domain to override the name resolution to the public IP address advertised by Astra DB Classic.

When you override the *.astra.datastax.com domain, you must manually manage this configuration for every database you create, whether it uses private endpoints or not.

Alternatively, you can configure custom DNS so that you don’t have to create and manage local zones for every database.

For AWS-based databases:
  1. Get the hostname for the database and region that you connected to your private endpoint. The default hostname format is DATABASE-ID-REGION.apps.astra.datastax.com.

    • To get the hostname in the Astra Portal, you can go to your database’s Overview tab and copy the API Endpoint without the https:// portion.

    • Alternatively, you can download the secure connect bundle (SCB) for the database and region where you configured a private endpoint, open config.json, and get the value of the host key.

  2. In the AWS console, do the following:

    1. Create a CNAME record that points to your AWS PrivateLink VPC Endpoint’s DNS name.

    2. Create a private zone to route traffic to your virtual IP using Amazon Route 53, and then update the domains to use your database’s hostname.

      For example, update these domains to use REST and CQL:

  3. Recommended: Use the IP access list to block all public internet traffic to the database. This makes the database available only through private endpoints and allowed IPs.

For Google Cloud-based databases:

  1. Get the hostname for the database and region that you connected to your private endpoint. The default hostname format is DATABASE-ID-REGION.apps.astra.datastax.com.

    • To get the hostname in the Astra Portal, you can go to your database’s Overview tab and copy the API Endpoint without the https:// portion.

    • Alternatively, you can download the secure connect bundle (SCB) for the database and region where you configured a private endpoint, open config.json, and get the value of the host key.

  2. In the Google Cloud console, do the following:

    1. Create a private zone to route traffic to your Private Service Connect endpoint IP.

    2. Update the domains to use your database’s hostname.

    3. Add a type A standard record.

      For more information, see the Google Cloud documentation on configuring DNS manually, creating private zones, and adding records.

  3. Recommended: Use the IP access list to block all public internet traffic to the database. This makes the database available only through private endpoints and allowed IPs.

After you configure private endpoints, you might need to update SCB connection details for any drivers, applications, scripts, or other clients that use the SCB to connect to your database.
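Added example, not DataStax code: it reads the host from a secure connect bundle's config.json as described above and checks that the name resolves only to private addresses, which is the evidence that the private zone override is in effect instead of the public IP. The bundle and hostname are constructed, and the resolver can be swapped out for offline use.

```python
import io
import ipaddress
import json
import socket
import zipfile

def host_from_scb(scb_bytes: bytes) -> str:
    """Return the 'host' value from config.json inside a secure connect bundle."""
    with zipfile.ZipFile(io.BytesIO(scb_bytes)) as scb:
        return json.loads(scb.read("config.json"))["host"]

def all_private(addresses) -> bool:
    """True only if every resolved address is private (RFC 1918 or IPv6 ULA): with
    the private zone in place, the database name must not resolve to the public IP."""
    parsed = [ipaddress.ip_address(a) for a in addresses]
    return bool(parsed) and all(ip.is_private for ip in parsed)

def resolve(hostname: str) -> list:
    """Resolve through the local resolver, the one your private zone must override."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})

def check_override(scb_bytes: bytes, resolver=resolve) -> tuple:
    """Return (hostname, addresses, override_ok) for the database in the bundle."""
    hostname = host_from_scb(scb_bytes)
    addresses = resolver(hostname)
    return hostname, addresses, all_private(addresses)

def constructed_scb(host: str) -> bytes:
    """Build a minimal in-memory bundle holding only config.json (constructed for
    offline use; a real bundle carries more files and keys)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as scb:
        scb.writestr("config.json", json.dumps({"host": host}))
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed hostname in the DATABASE-ID-REGION.apps.astra.datastax.com form;
    # the lambda stands in for a resolver that already returns the endpoint's private IP.
    bundle = constructed_scb("db-1-us-east-1.apps.astra.datastax.com")
    print(check_override(bundle, resolver=lambda h: ["10.0.12.34"]))
```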

Connect to a database through multiple private endpoints

You can access one database from multiple private endpoints. The private endpoints must have the same region and cloud provider as the database. For multi-region databases, you must create private endpoints in each applicable region.

To connect to one database through multiple private endpoints, enable private endpoints for the database, create all of the private endpoints, and then add a DNS entry for each VPC where you deployed a private endpoint.

Delete a private endpoint

To delete a private endpoint, you must delete the private endpoint from Astra DB and your cloud provider:

  1. Delete the private endpoint from Astra DB. The DELETE request removes one endpoint from one region of one database.

    curl --request DELETE \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/*DATABASE_ID*/datacenters/*DATACENTER_ID*/endpoints/*ENDPOINT_ID*' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer *APPLICATION_TOKEN*'

  2. Remove the private endpoint from your cloud provider.

  3. If you configured custom DNS, you might need to modify your custom DNS configuration after removing private endpoints.

When you delete a private endpoint, make sure you delete the connection in both the Astra Portal and your cloud provider.

© 2024 DataStax | Privacy policy | Terms of use