DataStax Astra DB Serverless Documentation

Connecting to AWS PrivateLink

To keep traffic between your application and your database off the public internet, you can connect to your Astra DB database through an AWS PrivateLink interface endpoint in your own VPC. Private endpoints are intra-region only: the region of the VPC endpoint in the AWS console and the region of your Astra DB database must match.

For pricing related to using private endpoints, see Pricing and billing.

The following roles can manage private endpoints:

  • Organization Administrator

  • Database Administrator

Alternatively, you can use a custom role with permissions to manage private endpoints.

For more about AWS PrivateLink, see AWS PrivateLink.

Prerequisites

  1. Create your Astra DB database using Astra Portal.

  2. Ensure you have permission to manage private endpoints.

  3. Get your application token.

Only VPC owners can create resources such as VPC endpoints, subnets, route tables, and network ACLs. Participants in a shared VPC cannot view, modify, or delete resources that belong to other participants or to the VPC owner, so you cannot create a private endpoint in a shared VPC that is owned by a different AWS account. To see which account owns your VPC, look at the Owner ID in the AWS Console.

[Screenshot: the Owner ID field in the VPC details in the AWS Console]

For more, see Work with shared VPCs - Amazon Virtual Private Cloud.

A private endpoint does not by itself block connections that arrive over the public internet. To restrict public access to your database, use the access list.

If you are using Postman for your API calls, ensure you use the raw option to enter the body of your API call.

Connect to your AWS PrivateLink endpoint

  1. Get the allowed principal from your AWS account.

    1. In your AWS console, on the Identity and Access Management (IAM) Users page, select your user name from the available users.

    2. Use the ARN as your allowed principal. The account ARN, for example arn:aws:iam::123456789012:root, allows every principal in that AWS account to create an endpoint to your database; an IAM user or role ARN, for example arn:aws:iam::123456789012:role/admin, limits it to that principal. Prefer the narrowest principal that still covers the identity that will create the endpoint.

  2. Enter the allowed principal for your private endpoints to Astra DB. To confirm your datacenter ID, see your database Dashboard or use the DevOps API to get all datacenter IDs within your database.

    • cURL command (/v2)

    • Result

    curl --request POST \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/<databaseID>/datacenters/<datacenterID>/private-link' \
      --header 'Accept: application/json' \
      --header 'Content-Type: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
          "allowedPrincipals": [
            "arn:aws:iam::123456789012:role/admin"
          ]
        }'

    The response returns the serviceName of the Astra DB endpoint service in your region, which you need in the next step:

    {
      "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-1148ea04af491da11",
      "allowedPrincipals": [
        "arn:aws:iam::123456789012:role/admin"
      ]
    }
  3. Use the serviceName to create an interface endpoint in your VPC, in the same region as the database.

    • CLI

    • AWS console

    Confirm that the Astra DB endpoint service is visible to your account (it is listed only for principals registered in step 2), then create the endpoint in the subnets that host your clients. The security group attached to the endpoint must allow inbound traffic from your clients on the ports your drivers use:

    aws ec2 describe-vpc-endpoint-services --service-names <serviceName>

    aws ec2 create-vpc-endpoint \
      --vpc-id <vpcId> \
      --vpc-endpoint-type Interface \
      --service-name <serviceName> \
      --subnet-ids <subnetId> \
      --security-group-ids <securityGroupId>

    The create call returns the VpcEndpointId (vpce-...) that you need in step 4. You can list it again, with its state, at any time:

    aws ec2 describe-vpc-endpoints

    Results (example output for an existing endpoint to an AWS service; the entry for your new endpoint shows the Astra serviceName, and its State is pendingAcceptance until step 4):

    {
        "VpcEndpoints": [
            {
                "VpcEndpointId": "vpce-08a979e28f97a9f7c",
                "VpcEndpointType": "Interface",
                "VpcId": "vpc-06e4ab6c6c3b23ae3",
                "ServiceName": "com.amazonaws.us-east-2.monitoring",
                "State": "available",
                "PolicyDocument": "{\n  \"Statement\": [\n    {\n      \"Action\": \"*\", \n      \"Effect\": \"Allow\", \n      \"Principal\": \"*\", \n      \"Resource\": \"*\"\n    }\n  ]\n}",
                "RouteTableIds": [],
                "SubnetIds": [
                    "subnet-0931fc2fa5f1cbe44"
                ],
                "Groups": [
                    {
                        "GroupId": "sg-06e1d57ab87d8f182",
                        "GroupName": "default"
                    }
                ],
                "PrivateDnsEnabled": false,
                "RequesterManaged": false,
                "NetworkInterfaceIds": [
                    "eni-019b0bb3ede80ebfd"
                ],
                "DnsEntries": [
                    {
                        "DnsName": "vpce-08a979e28f97a9f7c-4r5zme9n.monitoring.us-east-2.vpce.amazonaws.com",
                        "HostedZoneId": "ZC8PG0KIFKBRI"
                    },
                    {
                        "DnsName": "vpce-08a979e28f97a9f7c-4r5zme9n-us-east-2c.monitoring.us-east-2.vpce.amazonaws.com",
                        "HostedZoneId": "ZC8PG0KIFKBRI"
                    }
                ],
                "CreationTimestamp": "2019-06-04T19:10:37.000Z",
                "Tags": [],
                "OwnerId": "123456789012"
            }
        ]
    }

    In the Amazon VPC console navigation pane, select Endpoints > Create Endpoint. The available serviceNames are listed in the Service Name section; choose the one returned in step 2, then select your VPC, subnets and security group.

    The status for your private endpoint should show pending acceptance.

  4. Accept the endpoint connection request in Astra DB. The endpointID is the ID of the VPC endpoint you created in step 3 (vpce-..., shown as VpcEndpointId in the CLI output), not the vpce-svc-... service ID from step 2:

    • cURL command (/v2)

    • Result

    curl --request POST \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/<databaseID>/datacenters/<datacenterID>/endpoints' \
      --header 'Accept: application/json' \
      --header 'Content-Type: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
          "endpointID": "vpce-08a979e28f97a9f7c",
          "description": "project-desc-dev-app"
        }'
    {
      "datacenters": [
        {
          "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-1148ea04af491da11",
          "allowedPrincipals": [
            "arn:aws:iam::123456789012:role/admin"
          ],
          "datacenterID": "<datacenterID>",
          "endpoints": [
            {
              "endpointID": "vpce-08a979e28f97a9f7c",
              "description": "project-desc-dev-app",
              "status": "Accepted",
              "createdDateTime": "2021-04-10T23:00:00"
            }
          ]
        }
      ]
    }

    Your AWS console will now show the endpoint in the available state. For more, see Accept and reject endpoint connect requests.

  5. Create DNS entries so that the hostnames in your secure connect bundle resolve to the private endpoint instead of the public Astra DB address.

    1. Download the secure connect bundle for the region of your private endpoint. Get your latest secure connect bundle.

    2. Unzip the secure connect bundle.

    3. In config.json, copy the value of the host key. This is the CQL hostname your drivers connect to; the REST hostname has the same prefix under apps.astra.datastax.com instead of db.astra.datastax.com, for example:

      • REST

      • CQL

      efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.apps.astra.datastax.com
      efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.db.astra.datastax.com

    4. In the AWS Console, in Amazon Route 53, create a private hosted zone that covers these hostnames and associate it with the VPC that contains the endpoint. Keep the zone as narrow as you can: a private zone for all of astra.datastax.com also shadows every other Astra DB name inside that VPC, including the DevOps API hostname, unless you add records for them. The VPC must have DNS resolution and DNS hostnames enabled for the private zone to take effect.

    5. In that zone, create a record for each hostname (the host value for CQL and the matching apps hostname for REST) that points at the endpoint: a CNAME record to the DNS name shown in your VPC endpoint details, or an alias record to the endpoint. Clients in the VPC then reach the private IP addresses of the endpoint's network interfaces.

      For more, see Configuring Amazon Route 53 to route traffic to an Amazon VPC interface endpoint.

    6. Check the result from a host inside the VPC: resolving the host value must return the endpoint's private IP addresses, not a public address.

You can now connect to your private endpoint using the secure connect bundle you downloaded. For more, see Drivers for Astra.
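The procedure above, worked offline as a script. This is an added example and not DataStax code or tooling: it checks that each DevOps API step gets the kind of identifier it expects (an IAM principal ARN for the allowed principal, your vpce- endpoint ID rather than the vpce-svc- service ID for the accept step), reads the host value out of a secure connect bundle, builds the Route 53 change batch for the CQL and REST hostnames, and checks afterwards that the hostname resolves to addresses inside the VPC. The identifier patterns, the one-file sample bundle, the endpoint DNS name and the 10.0.0.0/16 VPC CIDR are assumptions made for the example; post_json() is the only function that reaches the network and the sample run does not call it.

```python
"""Added example (not DataStax code): offline helpers for the AWS PrivateLink
procedure above. The identifier formats, the one-file sample bundle, the endpoint
DNS name and the VPC CIDR are assumptions; substitute your own values."""
import io
import ipaddress
import json
import re
import urllib.request
import zipfile

DEVOPS_API = "https://api.astra.datastax.com/v2"

# Assumed shapes: IAM principal ARNs, consumer endpoint IDs, provider service IDs.
PRINCIPAL_RE = re.compile(r"^arn:aws:iam::\d{12}:(root|(user|role)/[\w+=,.@/-]+)$")
ENDPOINT_RE = re.compile(r"^vpce-[0-9a-f]{8,17}$")
SERVICE_RE = re.compile(r"^vpce-svc-[0-9a-f]{8,17}$")


def validate_principal(arn):
    """Step 1: an allowed principal is an account (root), user or role ARN."""
    if PRINCIPAL_RE.match(arn):
        return arn
    raise ValueError(f"not an IAM principal ARN: {arn!r}")


def validate_endpoint_id(endpoint_id):
    """Step 4: Astra accepts your consumer endpoint (vpce-...); passing the
    vpce-svc-... service ID returned by step 2 is the common mistake."""
    if SERVICE_RE.match(endpoint_id):
        raise ValueError(f"{endpoint_id} is the service ID; pass your vpce- endpoint ID")
    if not ENDPOINT_RE.match(endpoint_id):
        raise ValueError(f"not a VPC endpoint ID: {endpoint_id!r}")
    return endpoint_id


def private_link_request(database_id, datacenter_id, principals):
    """URL and body for POST .../private-link (step 2)."""
    url = f"{DEVOPS_API}/organizations/clusters/{database_id}/datacenters/{datacenter_id}/private-link"
    return url, {"allowedPrincipals": [validate_principal(p) for p in principals]}


def accept_endpoint_request(database_id, datacenter_id, endpoint_id, description):
    """URL and body for POST .../endpoints (step 4)."""
    url = f"{DEVOPS_API}/organizations/clusters/{database_id}/datacenters/{datacenter_id}/endpoints"
    return url, {"endpointID": validate_endpoint_id(endpoint_id), "description": description}


def post_json(url, body, token):
    """The only network call: a DevOps API POST with the bearer token and the
    Content-Type header a JSON body requires."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def scb_host(bundle_bytes):
    """Step 5: read the host key from config.json inside the bundle zip."""
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        return json.loads(zf.read("config.json"))["host"]


def route53_change_batch(db_host, endpoint_dns_name, ttl=60):
    """Step 5: CNAME the CQL host and the matching REST host (same prefix, apps.
    instead of db., as in the pair of names above) to the endpoint's DNS name."""
    suffix = ".db.astra.datastax.com"
    if not db_host.endswith(suffix):
        raise ValueError(f"unexpected host {db_host!r}")
    apps_host = db_host[: -len(suffix)] + ".apps.astra.datastax.com"
    return {"Comment": "Astra DB PrivateLink", "Changes": [
        {"Action": "UPSERT", "ResourceRecordSet": {
            "Name": name, "Type": "CNAME", "TTL": ttl,
            "ResourceRecords": [{"Value": endpoint_dns_name}]}}
        for name in (db_host, apps_host)]}


def resolves_privately(addresses, vpc_cidr):
    """Post-check: from inside the VPC the host must resolve only to endpoint
    addresses in the VPC; a public address means the private zone is not in effect."""
    net = ipaddress.ip_network(vpc_cidr)
    return bool(addresses) and all(ipaddress.ip_address(a) in net for a in addresses)


def sample_bundle():
    """Constructed stand-in for secure-connect-<db>.zip holding only config.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(
            {"host": "efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.db.astra.datastax.com"}))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed endpoint DNS name; take yours from the endpoint's DNS names in the console.
    dns_name = "vpce-08a979e28f97a9f7c-4r5zme9n.vpce-svc-1148ea04af491da11.us-east-1.vpce.amazonaws.com"
    print(json.dumps(route53_change_batch(scb_host(sample_bundle()), dns_name), indent=2))
```

Run it as a script to print the change batch, then apply it with aws route53 change-resource-record-sets --hosted-zone-id <zoneId> --change-batch file://batch.json. The records are CNAMEs, so the private hosted zone has to be a parent of both hostnames; a CNAME cannot sit at a zone apex. Send the request bodies from private_link_request() and accept_endpoint_request() with post_json() or with the curl commands shown in the steps above.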

Remove a private endpoint

  1. Delete the private endpoint from your Astra DB database:

    • cURL command (/v2)

    curl --request DELETE \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/<databaseID>/datacenters/<datacenterID>/endpoints/<endpointID>' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>'
  2. Delete the VPC endpoint from your AWS account. The endpoint service belongs to DataStax and cannot be deleted from your account; what you remove is your side of the connection, the interface endpoint:

    • CLI

    • AWS Console

    aws ec2 delete-vpc-endpoints --vpc-endpoint-ids <vpcEndpointId>
    1. In the Amazon VPC console navigation pane, select Endpoints.

    2. Select the endpoint you want to delete, then select Actions > Delete.

    3. Confirm the deletion.

  3. Remove the Route 53 records that pointed your database hostnames at the endpoint. Otherwise clients in the VPC keep resolving those hostnames to an endpoint that no longer exists.

What’s next?

  • AWS PrivateLink

  • DevOps API reference

  • Learn how to Manage access lists for public access.
