Connect to AWS PrivateLink with the DevOps API

To better protect your database connection, you can connect to your Astra DB database through a private endpoint using AWS PrivateLink. Private endpoints are available for intra-region use only: the region of your private endpoint in the AWS console and the region of your Astra DB database must match.

This information applies to only serverless databases.

For pricing related to using private endpoints, see Pricing and billing.

The following roles can manage private endpoints:

  • Organization Administrator

  • Database Administrator

Alternatively, you can use a custom role with permissions to manage private endpoints.

For more about AWS PrivateLink, see AWS PrivateLink.

Prerequisites

  1. Create your Astra DB database using the Astra DB console.

  2. Ensure you have permission to manage private endpoints.

  3. Get your application token.

To increase your security, restrict public access to your database using the access list.

If you are using Postman for your API calls, ensure you use the raw option to enter the body of your API call.

  1. Get the allowed principal from your AWS account.

    1. In your AWS console on the Identity and Access Management (IAM) Users page, select your user name from the available users.

    2. Select the User ARN as your allowed principal. For example, arn:aws:iam::123456789012:root.

  2. Enter the allowed principal for your private endpoints to Astra DB:

    cURL command (/v2):

    curl --request POST \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/<databaseID>/datacenters/<datacenterID>/private-link' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
          "allowedPrincipals": [
            "arn:aws:iam::123456789012:role/admin"
          ]
        }'

    To confirm your datacenter ID, see your database Dashboard or use the DevOps API to get all datacenter IDs within your database.

    Result:

    {
      "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-1148ea04af491da11",
      "allowedPrincipals": [
        "arn:aws:iam::123456789012:role/admin"
      ]
    }

  3. Use the serviceName to create an endpoint in your AWS Console.

    CLI: get a list of available services:

    aws ec2 describe-vpc-endpoint-services

    Results:

    {
        "VpcEndpoints": [
            {
                "VpcEndpointId": "vpce-08a979e28f97a9f7c",
                "VpcEndpointType": "Interface",
                "VpcId": "vpc-06e4ab6c6c3b23ae3",
                "ServiceName": "com.amazonaws.us-east-2.monitoring",
                "State": "available",
                "PolicyDocument": "{\n  \"Statement\": [\n    {\n      \"Action\": \"*\", \n      \"Effect\": \"Allow\", \n      \"Principal\": \"*\", \n      \"Resource\": \"*\"\n    }\n  ]\n}",
                "RouteTableIds": [],
                "SubnetIds": [
                    "subnet-0931fc2fa5f1cbe44"
                ],
                "Groups": [
                    {
                        "GroupId": "sg-06e1d57ab87d8f182",
                        "GroupName": "default"
                    }
                ],
                "PrivateDnsEnabled": false,
                "RequesterManaged": false,
                "NetworkInterfaceIds": [
                    "eni-019b0bb3ede80ebfd"
                ],
                "DnsEntries": [
                    {
                        "DnsName": "vpce-08a979e28f97a9f7c-4r5zme9n.monitoring.us-east-2.vpce.amazonaws.com",
                        "HostedZoneId": "ZC8PG0KIFKBRI"
                    },
                    {
                        "DnsName": "vpce-08a979e28f97a9f7c-4r5zme9n-us-east-2c.monitoring.us-east-2.vpce.amazonaws.com",
                        "HostedZoneId": "ZC8PG0KIFKBRI"
                    }
                ],
                "CreationTimestamp": "2019-06-04T19:10:37.000Z",
                "Tags": [],
                "OwnerId": "123456789012"
            }
        ]
    }

    AWS console: in the Amazon VPC console navigation pane, select Endpoints > Create Endpoint. The available serviceNames are listed in the Service Name section.

    The status for your private endpoint should show pending acceptance.

  4. Accept your AWS private endpoint connection with your serviceName:

    cURL command (/v2):

    curl --request POST \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/<databaseID>/datacenters/<datacenterID>/endpoints' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
          "endpointID": "vpce-svc-1148ea04af491da11",
          "description": "project-desc-dev-app"
        }'

    Result:

    {
      "datacenters": [
        {
          "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-1148ea04af491da11",
          "allowedPrincipals": [
            "arn:aws:iam::123456789012:role/admin"
          ],
          "datacenterID": "string",
          "endpoints": [
            {
              "endpointID": "vpce-svc-1148ea04af491da11",
              "description": "project-desc-dev-app",
              "status": "Accepted",
              "createdDateTime": "2021-04-10T23:00:00"
            }
          ]
        }
      ]
    }

    Your AWS console now shows the endpoint in the available state. For more, see Accept and reject endpoint connect requests.

  5. Create a DNS entry for your private endpoint.

    1. Download your latest secure connect bundle. The bundle is updated when you create your private endpoint, so do not reuse a copy downloaded earlier.

    2. Unzip the secure connect bundle.

    3. In config.json, copy the value of the host key.

    4. In the AWS Console, create a virtual IP address that points to the endpoint.

    5. In the AWS Console, create a private zone in Amazon Route 53 to route traffic to your virtual IP. Update the following domains for REST and CQL:

      • REST: efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.apps.astra.datastax.com

      • CQL: efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.db.astra.datastax.com

    6. In the AWS Console, create a DNS entry for the host value and map it to your virtual IP address.

You can now connect to your private endpoint using your updated secure connect bundle. For more, see Drivers for Astra.
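The two DevOps API calls in the procedure above (steps 2 and 4), as an added Python example that is not part of DataStax's documentation or SDKs: it builds the request bodies, refuses allowed principals that are not account-scoped IAM ARNs before they are sent (a client-side guard, not a check the DevOps API is documented to perform), and reads the endpoint status back from the step-4 response. The function names and the sample response are constructed; the URL routes and placeholders are the ones shown on this page.

```python
"""Register allowed principals and confirm endpoint acceptance via the Astra DevOps API.

Added example, not DataStax's own code. Assumes the /private-link and /endpoints
routes shown on this page; helper names are hypothetical and sample values constructed.
"""
import json
import re
import urllib.request

API = "https://api.astra.datastax.com/v2/organizations/clusters"
# Account-scoped IAM ARNs only: a bare "*" would let any AWS account connect.
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(root|user/[\w+=,.@/-]+|role/[\w+=,.@/-]+)$")


def validate_principals(principals):
    """Reject wildcards or malformed ARNs before they reach the API (client-side guard)."""
    bad = [p for p in principals if not ARN_RE.match(p)]
    if bad:
        raise ValueError(f"refusing non-account-scoped principals: {bad}")
    return list(principals)


def private_link_request(db_id, dc_id, principals):
    """Return (url, body) for step 2: registering allowed principals."""
    url = f"{API}/{db_id}/datacenters/{dc_id}/private-link"
    return url, {"allowedPrincipals": validate_principals(principals)}


def endpoint_request(db_id, dc_id, endpoint_id, description):
    """Return (url, body) for step 4: accepting a VPC endpoint connection."""
    url = f"{API}/{db_id}/datacenters/{dc_id}/endpoints"
    return url, {"endpointID": endpoint_id, "description": description}


def endpoint_status(result, endpoint_id):
    """Pull one endpoint's status out of the step-4 response (None if it is absent)."""
    for dc in result.get("datacenters", []):
        for ep in dc.get("endpoints", []):
            if ep.get("endpointID") == endpoint_id:
                return ep.get("status")
    return None


def post(url, body, token):
    """Send one DevOps API call; token is the application token from the prerequisites."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Chain the calls as `post(*private_link_request(...), token)` and then `post(*endpoint_request(...), token)`, checking that `endpoint_status` returns "Accepted" before moving on to the DNS steps.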

Remove a private endpoint

  1. Delete a private endpoint from your Astra DB:

    cURL command (/v2):

    curl --request DELETE \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/<databaseID>/datacenters/<datacenterID>/endpoints/<endpointID>' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>'

  2. Remove your connection from AWS PrivateLink:

    CLI:

    aws ec2 delete-vpc-endpoint-service-configurations --service-ids <serviceId>

    AWS Console:

    1. In the Amazon VPC console navigation pane, select Endpoint Services.

    2. For the service you want to delete, select Actions > Delete.

    3. Select Yes, Delete to remove the connection.