• Glossary
  • Support
  • Downloads
  • DataStax Home
Get Live Help
Expand All
Collapse All

DataStax Astra DB Serverless Documentation

    • Overview
      • Release notes
      • Astra DB FAQs
      • Astra DB Architecture FAQ
      • Astra DB glossary
      • Get support
    • Getting Started
      • Astra Vector Search Quickstart
      • Create your database
      • Grant a user access
      • Load and retrieve data
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
      • Connect a driver
      • Build sample apps
    • Planning
      • Plan options
      • Database regions
    • Securing
      • Security highlights
      • Security guidelines
      • Default user permissions
      • Change your password
      • Reset your password
      • Authentication and Authorization
      • Astra DB Plugin for HashiCorp Vault
    • Connecting
      • Connecting private endpoints
        • AWS Private Link
        • Azure Private Link
        • GCP Private Endpoints
        • Connecting custom DNS
      • Connecting Change Data Capture (CDC)
      • Connecting CQL console
      • Connect the Spark Cassandra Connector to Astra
      • Drivers for Astra DB
        • Connecting C++ driver
        • Connecting C# driver
        • Connecting Java driver
        • Connecting Node.js driver
        • Connecting Python driver
        • Connecting Legacy drivers
        • Drivers retry policies
      • Get Secure Connect Bundle
    • Migrating
      • Components
      • FAQs
      • Preliminary steps
        • Feasibility checks
        • Deployment and infrastructure considerations
        • Create target environment for migration
        • Understand rollback options
      • Phase 1: Deploy ZDM Proxy and connect client applications
        • Set up the ZDM Proxy Automation with ZDM Utility
        • Deploy the ZDM Proxy and monitoring
        • Configure Transport Layer Security
        • Connect client applications to ZDM Proxy
        • Leverage metrics provided by ZDM Proxy
        • Manage your ZDM Proxy instances
      • Phase 2: Migrate and validate data
        • Cassandra Data Migrator
        • DSBulk Migrator
      • Phase 3: Enable asynchronous dual reads
      • Phase 4: Change read routing to Target
      • Phase 5: Connect client applications directly to Target
      • Troubleshooting
        • Troubleshooting tips
        • Troubleshooting scenarios
      • Glossary
      • Contribution guidelines
      • Release Notes
    • Managing
      • Managing your organization
        • User permissions
        • Pricing and billing
        • Audit Logs
        • Bring Your Own Key
          • BYOK AWS Astra Portal
          • BYOK GCP Astra Portal
          • BYOK AWS DevOps API
          • BYOK GCP DevOps API
        • Configuring SSO
          • Configure SSO for Microsoft Azure AD
          • Configure SSO for Okta
          • Configure SSO for OneLogin
      • Managing your database
        • Create your database
        • View your databases
        • Database statuses
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
        • Monitor your databases
        • Export metrics to third party
          • Export metrics via Astra Portal
          • Export metrics via DevOps API
        • Manage access lists
        • Manage multiple keyspaces
        • Using multiple regions
        • Terminate your database
      • Managing with DevOps API
        • Managing database lifecycle
        • Managing roles
        • Managing users
        • Managing tokens
        • Managing BYOK AWS
        • Managing BYOK GCP
        • Managing access list
        • Managing multiple regions
        • Get private endpoints
        • AWS PrivateLink
        • Azure PrivateLink
        • GCP Private Service
    • Integrations
    • Astra CLI
    • Astra Vector Search
      • Quickstarts
      • Examples
      • Create a serverless database with Vector Search
      • Query Vector Data with CQL
        • Using analyzers
      • Data modeling
      • Working with embeddings
    • Astra Block
      • Quickstart
      • FAQ
      • Data model
      • About NFTs
    • API QuickStarts
      • JSON API QuickStart
      • Document API QuickStart
      • REST API QuickStart
      • GraphQL CQL-first API QuickStart
    • Developing with APIs
      • Developing with JSON API
      • Developing with Document API
      • Developing with REST API
      • Developing with GraphQL API
        • Developing with GraphQL API (CQL-first)
        • Developing with GraphQL API (Schema-first)
      • Developing with gRPC API
        • gRPC Rust Client
        • gRPC Go Client
        • gRPC Node.js Client
        • gRPC Java Client
      • Developing with CQL API
      • Tooling Resources
      • Node.js Document Collection Client
      • Node.js REST Client
    • API References
      • Astra DB JSON API v1
      • Astra DB REST API v2
      • Astra DB Document API v2
      • Astra DB DevOps API v2
  • DataStax Astra DB Serverless Documentation
  • Connecting
  • Connecting private endpoints
  • AWS Private Link

Connect to AWS Private Endpoints via Astra Portal

To better protect your database connection, you can connect to a private endpoint using Astra Portal.

For details about using API calls instead, see Connect to AWS Private Link with the DevOps API.

This information applies to only serverless databases.

Also, Private endpoints are available for only intra-region use. The region for your private endpoint in AWS and your Astra DB database must match.

For pricing related to using private endpoints, see Pricing and billing.

The following roles can manage private endpoints:

  • Organization Administrator

  • Database Administrator

Alternatively, you can use a custom role with permissions to manage private endpoints.

For more about AWS PrivateLink, see VPC endpoint services (AWS PrivateLink).

Prerequisites

  1. Access to your existing AWS organization and account.

  2. Create your Astra DB database using Astra Portal.

  3. Ensure you have permission to manage private endpoints.

  4. Take note of which region your AWS organization and AWS-based Astra DB use (the chosen region must match).

In AWS, only VPC owners can create resources such as VPC endpoints, subnets, route tables, and NACLs. Participants cannot view, modify, or delete resources that belong to other participants or the VPC owner. Thus a user cannot create resources, including a private endpoint, in a shared VPC that is owned by a different AWS account. To see which account owns your VPC, look at the Owner ID in the AWS Console. Example:

Look at Owner ID in AWS Console

For more, see Work with shared VPCs - Amazon Virtual Private Cloud.

To increase your security, restrict public access to your database using the access list.

Creating and referencing endpoint values between AWS and Astra Portals

Setting up the connection between AWS and Astra DB private endpoints involves a few steps in both consoles.

Let’s start in Astra Portal

  1. On your organization’s Astra DB dashboard, click the link for your active, AWS-based database.

  2. Navigate to your database’s Settings tab, and notice the Private Endpoints section. At this point, no endpoints have been linked. Example:

    Astra Portal Settings tab with Private Endpoints section for AWS

  3. Click Configure Region and enter your AWS account’s Amazon Resource Name (ARN), which includes your AWS account number, in this format:

    arn:aws:iam::<your-aws-account-id>:root

  4. After entering the ARN, click Configure Region.

  5. Astra Portal displays an updated Private Endpoints section.

  6. Click Add Endpoint.

  7. On Add Private Endpoint, copy the generated Service Name.

In Astra Portal, keep the Add Private Endpoint dialog open. We’ll return here with an Endpoint ID after creating it in AWS console.

Switch over to AWS console

  1. After authenticating into your AWS organization and account, start on https://console.aws.amazon.com/vpc/home?region=<your-region-here>#Endpoints:sort=vpcEndpointId or search in AWS console for "Create Endpoint".

    In your AWS account, make sure you’re using the same region as the one used by Astra DB. If necessary, switch to the region specified when you created your Astra DB.

  2. Click Create Endpoint.

  3. On the AWS Create Endpoint dialog, choose or enter:

    1. Service category: Find service by name

    2. Service Name: Paste in the Service Name value that you copied in Astra Portal.

    3. Click Verify* to check that the Service Name copied from Astra DB is correct.

  4. Click Create endpoint.

  5. Click Verify to ensure the Service Name is found. Example after verification:

    AWS Private Service Connect added Endpoint example

  6. Once accepted, AWS displays data for the added endpoint. Copy the generated Virtual Private Cloud (VPC) Endpoint ID. You’ll need to paste in that VPC Endpoint ID value in Astra Portal.

Return to Astra Portal

Back in Astra Portal, return to the Add Private Endpoint dialog that’s available from your databases’s Settings.

  1. In the Endpoint ID field, paste in the copied VPC Endpoint ID value. Also enter a brief description of your Astra DB / AWS endpoint.

  2. Click Add Endpoint.

    Astra DB displays the result. Example:

    Astra DB Settings Private Endpoint details

Your private endpoint is defined. However, notice the warning message if you have not taken further action in your Astra DB Settings.

You’ve set up a private endpoint for this database, but access to your database is still open to the public. Learn how to Manage access lists for public access by using the IP Access List options in Astra Portal Settings. You can enable the Restrict public access toggle, and you can manage endpoints with one or more access lists.

Create a DNS entry for your private endpoint

You can alias your private endpoint with a DNS record to use as your hostname in the Astra DB secure connect bundle. Here are the steps:

  1. Download your secure connect bundle for the region of your choice. Get your latest secure connect bundle.

  2. Unzip the secure connect bundle.

  3. In config.json, copy the host key’s value.

  4. In AWS Console:

    1. Create a CNAME record that points to the DNS name found in your VPC Endpoint details.

    2. Create a private zone to route traffic to your virtual IP using Amazon Route 53. Update the domains to use REST and CQL. Examples:

      • REST

      • CQL

      efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.apps.astra.datastax.com
      efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.db.astra.datastax.com

      See Configuring Amazon Route 53 to route traffic to an Amazon VPC interface endpoint.

Once those steps are completed, you can connect to your private endpoint using your updated secure connect bundle. For more, see Drivers for Astra DB.

Remove a private endpoint

In AWS console:

  1. Go to https://console.aws.amazon.com/vpc/home?region=<your-region-here>#Endpoints:sort=vpcEndpointId

    Example link with us-east-1:

    https://console.aws.amazon.com/vpc/home?region=us-east-1#Endpoints:sort=vpcEndpointIdCreate Endpoint, window="_blank"

  2. Select the checkbox for the endpoint(s) you want to remove.

  3. From the AWS Actions drop-down menu, choose Delete Endpoint.

In Astra Portal:

  1. Go to the Settings tab for your database.

  2. Choose the endpoint you want to remove.

  3. Click Delete.

What’s next?

  • Refer to related topics for other cloud providers that are linked from Connect via a private endpoint.

  • Learn how to Manage access lists for public access.

  • For more, see AWS PrivateLink.

Connecting private endpoints Azure Private Link

General Inquiries: +1 (650) 389-6000 info@datastax.com

© DataStax | Privacy policy | Terms of use

DataStax, Titan, and TitanDB are registered trademarks of DataStax, Inc. and its subsidiaries in the United States and/or other countries.

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Kubernetes is the registered trademark of the Linux Foundation.

landing_page landingpage