Manage private endpoints
You can use private endpoints to create a secure connection between your cloud provider and your Astra DB Serverless databases. With a private endpoint, no information is sent over the public network.
Your databases can connect to one or more private endpoints:
- Single endpoint: Create a private endpoint in your virtual private cloud (VPC) and use it for one database.
- Multiple endpoints: Create multiple private endpoints in your VPC and use them for the same database.
- Shared endpoints: Create a private endpoint in your VPC and use it for multiple databases.
Prerequisites
- You have an Astra DB Serverless database.
- You have the Organization Administrator or Database Administrator role.
- You can access your cloud provider’s console and create network resources.
- You can create a private endpoint in your VPC that is in the same region as your database.
Astra DB Serverless supports AWS PrivateLink, Microsoft Azure Private Link, and Google Cloud Private Service Connect.
A database must have the same region and cloud provider as the private endpoint that it uses.
For example, a database in AWS
Private endpoints have cost implications. For information about private endpoint pricing, see the plan details on the Astra DB pricing page.
Enable private endpoints
To use a private endpoint with a database, you must enable private endpoint connectivity for that database.
- In the Astra Portal, go to Databases, and then select your database.
- Click Settings.
- In the Private Endpoints section, click Configure Region for the region where you want to use a private endpoint.
- Enter the identifier for your cloud provider account:
  - For AWS-based databases, enter your AWS account’s Amazon Resource Name (ARN) in the format arn:aws:iam::AWS-ACCOUNT-ID:root, where AWS-ACCOUNT-ID is your AWS account ID.
  - For Azure-based databases, enter your Azure account’s Subscription ID.
  - For Google Cloud-based databases, enter your Google Cloud Project ID.
- Click Configure Region.
This database can now use a private endpoint from the cloud provider and region that you enabled. For multi-region databases, you must enable private endpoints for each region where you want to use private endpoints.
Next, add the private endpoint.
Add a private endpoint
After enabling private endpoints for a database, create a private endpoint and connect it to the database.
For AWS-based databases, use an AWS PrivateLink private endpoint:
- In the Astra Portal, go to Databases, and then select the same database where you enabled private endpoints.
- Click Settings.
- In the Private Endpoints section, click Add Endpoint.
- In the Add Private Endpoint dialog, copy the generated Service Name.
  Keep this dialog open while you create the VPC endpoint in AWS.
- In a new tab or window, sign in to the AWS VPC dashboard, and then switch to your database’s region.
- Create an endpoint to connect to an endpoint service as the service consumer.
  Use the generated service name from the Astra Portal as the endpoint’s Service name.
- After creating the endpoint, copy the VPC Endpoint ID.
- Return to the Astra Portal, and then enter the VPC endpoint ID in the Endpoint ID field.
- Optional: Enter a description for the endpoint.
- Click Add Endpoint.
For Microsoft Azure-based databases, use an Azure Private Link private endpoint:
- In the Astra Portal, go to Databases, and then select the same database where you enabled private endpoints.
- Click Settings.
- In the Private Endpoints section, click Add Endpoint.
- In the Add Private Endpoint dialog, copy the generated Service Name.
  Keep this dialog open while you create the private endpoint in Azure.
- In a new tab or window, sign in to the Azure Portal.
- Create a private endpoint in the Azure Portal.
  - Make sure you use actual values for your endpoint configuration. Don’t use the demo values given in the Microsoft documentation. For example, make sure that you select a valid resource group, virtual network, and subnet.
  - On the Basics tab, the Region must be the same region as your database.
  - On the Resource tab, for Connection method, select Connect to an Azure resource by resource ID or alias. Then, use the generated service name from the Astra Portal as the endpoint’s Resource ID or alias.
  - Make sure you disable network policies for private endpoints for your virtual network.
- After creating the endpoint, copy the endpoint’s Resource ID from the resource Properties page.
- Return to the Astra Portal, and then enter the Resource ID in the Endpoint ID field.
- Optional: Enter a description for the endpoint.
- Click Add Endpoint.
For Google Cloud-based databases, use a Google Cloud Private Service Connect private endpoint:
- In the Astra Portal, go to Databases, and then select the same database where you enabled private endpoints.
- Click Settings.
- In the Private Endpoints section, click Add Endpoint.
- In the Add Private Endpoint dialog, copy the generated Service Name.
  Keep this dialog open while you create the private endpoint in Google Cloud.
- In a new tab or window, sign in to the Google Cloud Network Services console.
- Create an endpoint to access published services.
  Use the generated service name from the Astra Portal as the endpoint’s Target service.
- After creating the endpoint, copy the PSC Connection ID from the endpoint details.
- Return to the Astra Portal, and then enter the PSC connection ID in the Endpoint ID field.
- Optional: Enter a description for the endpoint.
- Click Add Endpoint.
Your database is now connected to a private endpoint.
Next, create a DNS entry for the private endpoint.
Create a DNS entry for a private endpoint
When you create a database, Astra DB Serverless automatically sets up a DNS entry so that applications can connect to the database.
When you use private endpoints, you must create a DNS entry as a local version of the *.astra.datastax.com domain to override the name resolution to the public IP address advertised by Astra DB Serverless.
When you override the
Alternatively, you can configure custom DNS so that you don’t have to create and manage local zones for every database.
AWS
- In the Astra Portal, go to Databases, and then select your AWS-based database.
- On the Overview tab, copy the API Endpoint.
- Remove the https:// scheme so that the endpoint is formatted as DATABASE-ID-REGION.apps.astra.datastax.com.
- In the AWS console, do the following:
  - Create a CNAME record that points to your AWS PrivateLink VPC Endpoint’s DNS name.
  - Create a private zone to route traffic to your virtual IP using Amazon Route 53, and then update the domains to use your database’s API endpoint from the Astra Portal.
  For more information, see the AWS documentation on routing traffic to an Amazon VPC interface endpoint by using your domain name.
- Recommended: In the Astra Portal, use the IP Access List to block all public internet traffic to the database. This makes the database available only through private endpoints and allowed IPs.
Microsoft Azure
- In the Astra Portal, go to Databases, and then select your Azure-based database.
- On the Overview tab, copy the API Endpoint.
- Remove the https:// scheme so that the endpoint is formatted as DATABASE-ID-REGION.apps.astra.datastax.com.
- In the Azure Portal, do the following:
  - Create a DNS entry for the API endpoint, and then map it to your virtual IP address.
  - Update the domains to use the API endpoint.
  For more information, see the Azure documentation on creating an Azure private DNS zone using the Azure portal.
Google Cloud
- In the Astra Portal, go to Databases, and then select your Google Cloud-based database.
- On the Overview tab, copy the API Endpoint.
- Remove the https:// scheme so that the endpoint is formatted as DATABASE-ID-REGION.apps.astra.datastax.com.
- In the Google Cloud console, do the following:
  - Create a private zone to route traffic to your Private Service Connect endpoint IP.
  - Update the domains to use your database’s API endpoint from the Astra Portal.
  - Add a type A standard record.
  For more information, see the Google Cloud documentation on configuring DNS manually, creating private zones, and adding records.
- Recommended: In the Astra Portal, use the IP Access List to block all public internet traffic to the database. This makes the database available only through private endpoints and allowed IPs.
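As an added post-configuration check (not part of the Astra documentation or the DataStax tooling), the following Python helper derives the hostname to override from the database's API Endpoint, builds the record that each provider's private zone needs as described above, and confirms that the name now resolves to a private address instead of the public IP. The API host pattern, the provider names, and the injectable stub resolver are assumptions made for this example.

```python
import ipaddress
import re
import socket

# Assumed shape of the host to override: DATABASE-ID-REGION.apps.astra.datastax.com
ASTRA_HOST = re.compile(r"^[0-9a-f-]+-[a-z0-9-]+\.apps\.astra\.datastax\.com$")


def api_host_from_endpoint(api_endpoint):
    """Strip the https:// scheme (and any path) from the API Endpoint copied
    from the Astra Portal, returning the bare hostname for the private zone."""
    host = re.sub(r"^https?://", "", api_endpoint.strip()).split("/")[0]
    if not ASTRA_HOST.match(host):
        raise ValueError(f"not an Astra API endpoint host: {host}")
    return host


def dns_record_for(provider, host, target):
    """Record to create in the private zone, per provider: AWS points a CNAME
    at the VPC endpoint's DNS name; Azure and Google Cloud map the host to the
    private endpoint's IP with an A record. Provider names are assumed."""
    if provider == "aws":
        return ("CNAME", host, target)
    if provider in ("azure", "gcp"):
        ipaddress.ip_address(target)  # raises ValueError on a malformed IP
        return ("A", host, target)
    raise ValueError(f"unknown provider: {provider}")


def resolves_privately(host, resolver=socket.gethostbyname):
    """True only if the host resolves to a private (RFC 1918 / ULA) address,
    i.e. the local zone overrides the public record. The resolver is
    injectable so the check can run against a stub or a VPC resolver."""
    ip = ipaddress.ip_address(resolver(host))
    return ip.is_private and not ip.is_loopback


if __name__ == "__main__":
    # Constructed sample values, not real Astra identifiers or addresses.
    host = api_host_from_endpoint(
        "https://0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d-us-east-1.apps.astra.datastax.com")
    print(dns_record_for("gcp", host, "10.8.0.5"))
    print("resolves privately:", resolves_privately(host, resolver=lambda _: "10.8.0.5"))
```

Run it from a host inside the VPC with the default resolver; a False result means clients there would still reach the public address.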
Connect to a database through multiple private endpoints
You can access one database from multiple private endpoints. The private endpoints must have the same region and cloud provider as the database. For multi-region databases, you must create private endpoints in each applicable region.
To connect to one database through multiple private endpoints, enable private endpoints, add all of the private endpoints, and then create a DNS entry for each VPC where you deployed a private endpoint.
Connect to multiple databases through one private endpoint
You can use a private endpoint for multiple databases in the same or different Astra DB organizations.
All databases must be in the same region as the private endpoint that they share. If your databases are in multiple regions, you need a private endpoint for each region.
Multiple databases in the same organization
You can use the same private endpoint for multiple databases in the same Astra DB organization. To do this, enable private endpoints, add a private endpoint, and create a DNS entry for each database in the same region.
For each additional database after the first, when you add a private endpoint, don’t create a new VPC endpoint in your cloud provider. Instead, enter the same Endpoint ID for each database that you want to share the private endpoint.
Multiple databases in multiple organizations
To use the same private endpoint for databases in multiple Astra DB organizations, contact DataStax support.
Delete a private endpoint
To delete a private endpoint, you must delete the private endpoint from the Astra Portal and your cloud provider:
- In the Astra Portal, go to Databases, and then select your database.
- Click Settings.
- In the Private Endpoints section, click the endpoint that you want to delete.
- Click Delete, and then click Delete Endpoint to confirm deletion.
- Remove your private endpoint from your cloud provider.
If you configured custom DNS, you might need to modify your custom DNS configuration after removing private endpoints.
When you delete a private endpoint, make sure you delete the connection in both the Astra Portal and your cloud provider.