Use private endpoints

You can use private endpoints to establish a secure connection between your cloud provider and your Astra DB Serverless databases. With a private endpoint, all communication remains within the private network, ensuring that no information is transmitted over the public internet.

Your databases can connect to one or more private endpoints:

  • Single endpoint: Create a private endpoint in your virtual private cloud (VPC) and use it for one database.

  • Multiple endpoints: Create multiple private endpoints in your VPC and use them for the same database.

  • Shared endpoints: Create a private endpoint in your VPC and use it for multiple databases.

Prerequisites

To configure and use private endpoints for Astra DB, you need the following:

Enable private endpoints

To use a private endpoint with a database, you must enable private endpoint connectivity for that database.

For multi-region databases, you must enable private endpoints for each region where you want to use private endpoints.

  • Astra Portal

  • DevOps API

  1. In the Astra Portal, go to Databases, and then select your database.

  2. Click Settings.

  3. In the Private Endpoints section, click Configure Region for the region where you want to use a private endpoint.

  4. Enter an allowed principal:

    • For AWS-based databases, the allowed principal is your AWS account’s Amazon Resource Name (ARN) in the exact, case-sensitive format arn:aws:iam::AWS_ACCOUNT_ID:root where AWS_ACCOUNT_ID is your AWS account ID with no hyphens. For example, arn:aws:iam::123456789012:root. For more information, see Principals for gateway endpoints.

    • For Azure-based databases, the allowed principal is your Azure account’s Subscription ID.

    • For Google Cloud-based databases, the allowed principal is your Google Cloud Project ID.

  5. Click Configure Region.

  1. Set an allowed principal for each database and region where you want to use private endpoints:

    curl -sS --location -X POST "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/private-link" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Accept: application/json" \
--data '{
  "allowedPrincipals": [
    "ALLOWED_PRINCIPAL"
  ]
}'

    The DATACENTER_ID is the region identifier. For a single-region database, the DATACENTER_ID is the same as the DATABASE_ID. For multi-region databases, each region has a separate ID. For more information, see List database regions. The region selected must correspond with the cloud provider you identify in the allowedPrincipals.

    The ALLOWED_PRINCIPAL depends on the database’s cloud provider:

    • For AWS-based databases, the allowed principal is your AWS account’s Amazon Resource Name (ARN) in the exact, case-sensitive format arn:aws:iam::AWS_ACCOUNT_ID:root where AWS_ACCOUNT_ID is your AWS account ID with no hyphens. For example, arn:aws:iam::123456789012:root. For more information, see Principals for gateway endpoints.

    • For Azure-based databases, the allowed principal is your Azure account’s Subscription ID.

    • For Google Cloud-based databases, the allowed principal is your Google Cloud Project ID.

  2. Get the serviceName from the response. You need it to create the private endpoint.

    • AWS

    • Microsoft Azure

    • Google Cloud

    {
  "serviceName": "com.amazonaws.vpce.REGION.vpce-svc-SERVICE_ID",
  "allowedPrincipals": [
    "ARN"
  ]
}
    {
  "serviceName": "SERVICE_NAME.SERVICE_ID.REGION.azure.privatelinkservice",
  "allowedPrincipals": [
    "AZURE_SUBSCRIPTION_ID"
  ]
}
    {
  "serviceName": "projects/PROJECT_ID/regions/REGION_NAME/serviceAttachments/SERVICE_ATTACHMENT_NAME",
  "allowedPrincipals": [
    "GOOGLE_CLOUD_PROJECT_ID"
  ]
}

Next, add the private endpoint.

Add a private endpoint

After enabling private endpoints for a database, create a VPC endpoint in your cloud provider, and then use the Astra Portal or the DevOps API to connect it to your database.

  • Astra Portal

  • DevOps API

  • AWS

  • Microsoft Azure

  • Google Cloud

For AWS-based databases, use an AWS PrivateLink private endpoint:

  1. In the Astra Portal where you just enabled private endpoints, copy the generated Service Name.

  2. In a new browser tab or window, sign in to the AWS VPC dashboard, and then switch to your database’s region.

  3. Create an endpoint to connect to an endpoint service as the service consumer. Use the generated service name from the Astra Portal as the endpoint’s Service name.

  4. After creating the endpoint, copy the VPC Endpoint ID.

  5. Return to the Astra Portal, click Add Endpoint, and then enter the VPC endpoint ID in the Endpoint ID field.

  6. Optional: Enter a description for the endpoint.

  7. Click Add Endpoint.

For Microsoft Azure-based databases, use an Azure Private Link private endpoint:

  1. In the Astra Portal where you just enabled private endpoints, copy the generated Service Name.

  2. In a new browser tab or window, sign in to the Azure Portal.

  3. Create a private endpoint in the Azure Portal.

    • Make sure you use actual values for your endpoint configuration. Don’t use the demo values given in the Microsoft documentation. For example, make sure that you select a valid resource group, virtual network, and subnet.

    • On the Basics tab, the Region must be the same region as your database.

    • On the Resource tab, for Connection method, select Connect to an Azure resource by resource ID or alias. Then, use the generated service name from the Astra Portal as the endpoint’s Resource ID or alias.

    • Make sure you disable network policies for private endpoints for your virtual network.

  4. After creating the endpoint, copy the endpoint’s Resource ID from the resource Properties page.

  5. Return to the Astra Portal, click Add Endpoint, and then enter the Resource ID in the Endpoint ID field.

  6. Optional: Enter a description for the endpoint.

  7. Click Add Endpoint.

For Google Cloud-based databases, use a Google Cloud Private Service Connect private endpoint:

  1. In the Astra Portal where you just enabled private endpoints, copy the generated Service Name.

  2. In a new browser tab or window, sign in to the Google Cloud Network Services console.

  3. Create an endpoint to access published services. Use the generated service name from the Astra Portal as the endpoint’s Target service.

  4. After creating the endpoint, copy the PSC Connection ID from the endpoint details.

  5. Return to the Astra Portal, click Add Endpoint, and then enter the PSC connection ID in the Endpoint ID field.

  6. Optional: Enter a description for the endpoint.

  7. Click Add Endpoint.

  • AWS

  • Microsoft Azure

  • Google Cloud

For AWS-based databases, use an AWS PrivateLink private endpoint:

  1. Sign in to the AWS VPC dashboard, and then switch to your database’s region.

  2. Create an endpoint to connect to an endpoint service as the service consumer. The endpoint’s Service name is the serviceName generated when you enabled private endpoints.

  3. After creating the endpoint, copy the VPC Endpoint ID.

  4. Connect your private endpoint to your database (DATABASE_ID) and region (DATACENTER_ID):

    curl -sS --location -X POST "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/endpoints" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Accept: application/json" \
--data '{
  "endpointID": "VPC_ENDPOINT_ID",
  "description": "OPTIONAL_STRING"
}'
    Response

    A successful response contains the private endpoint configuration for the specified database and region. Make sure the status is Accepted.

    {
  "datacenters": [
    {
      "serviceName": "com.amazonaws.vpce.REGION.vpce-svc-SERVICE_ID",
      "allowedPrincipals": [
        "ARN"
      ],
      "datacenterID": "DB_REGION_ID",
      "endpoints": [
        {
          "endpointID": "VPC_ENDPOINT_ID",
          "description": "OPTIONAL_STRING",
          "status": "Accepted",
          "createdDateTime": "2021-04-10T23:00:00"
        }
      ]
    }
  ]
}

For Microsoft Azure-based databases, use an Azure Private Link private endpoint:

  1. Sign in to the Azure Portal.

  2. Create a private endpoint in the Azure Portal.

    1. Make sure you use actual values for your endpoint configuration. Don’t use the demo values given in the Microsoft documentation. For example, make sure that you select a valid resource group, virtual network, and subnet.

    2. On the Basics tab, the Region must be the same region as your database.

    3. On the Resource tab, for Connection method, select Connect to an Azure resource by resource ID or alias. Then, set the endpoint’s Resource ID or alias to the serviceName generated when you enabled private endpoints.

    4. Make sure you disable network policies for private endpoints for your virtual network.

  3. After creating the endpoint, copy the endpoint’s Resource ID from the resource Properties page.

  4. Connect your private endpoint to your database (DATABASE_ID) and region (DATACENTER_ID):

    curl -sS --location -X POST "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/endpoints" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Accept: application/json" \
--data '{
  "endpointID": "RESOURCE_ID",
  "description": "OPTIONAL_STRING"
}'
    Response

    A successful response contains the private endpoint configuration for the specified database and region. Make sure the status is Accepted.

    {
  "datacenters": [
    {
      "serviceName": "SERVICE_NAME.SERVICE_ID.REGION.azure.privatelinkservice",
      "allowedPrincipals": [
        "AZURE_SUBSCRIPTION_ID"
      ],
      "datacenterID": "DB_REGION_ID",
      "endpoints": [
        {
          "endpointID": "RESOURCE_ID",
          "description": "OPTIONAL_STRING",
          "status": "Accepted",
          "createdDateTime": "2021-04-10T23:00:00"
        }
      ]
    }
  ]
}

For Google Cloud-based databases, use a Google Cloud Private Service Connect private endpoint:

  1. Sign in to the Google Cloud Network Services console.

  2. Create an endpoint to access published services. The VPC endpoint’s Target service is the serviceName generated when you enabled private endpoints.

  3. After creating the endpoint, copy the PSC Connection ID from the endpoint details.

  4. Connect your private endpoint to your database (DATABASE_ID) and region (DATACENTER_ID):

    curl -sS --location -X POST "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/endpoints" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Accept: application/json" \
--data '{
  "endpointID": "PSC_CONNECTION_ID",
  "description": "OPTIONAL_STRING"
}'
    Response

    A successful response contains the private endpoint configuration for the specified database and region. Make sure the status is Accepted.

    {
  "datacenters": [
    {
      "serviceName": "projects/PROJECT_ID/regions/REGION_NAME/serviceAttachments/SERVICE_ATTACHMENT_NAME",
      "allowedPrincipals": [
        "GOOGLE_CLOUD_PROJECT_ID"
      ],
      "datacenterID": "DB_REGION_ID",
      "endpoints": [
        {
          "endpointID": "PSC_CONNECTION_ID",
          "description": "OPTIONAL_STRING",
          "status": "Accepted",
          "createdDateTime": "2021-04-10T23:00:00"
        }
      ]
    }
  ]
}

If you want to edit the description for a private endpoint, use the Update endpoint description endpoint.

Your database is now connected to a private endpoint. Next, configure DNS mapping.

Create DNS entries for a private endpoint

To ensure proper name resolution for private endpoints, you must configure private DNS mapping for the *.astra.datastax.com domain and subdomains. This overrides the default resolution to the public IP address provided by Astra DB.

If you use a private endpoint for one database, then you must configure private DNS mapping for every database you create, whether it uses a private endpoint or not.

  • AWS

  • Microsoft Azure

  • Google Cloud

  1. In Amazon Route 53, create a private hosted zone to route the astra.datastax.com domain traffic to your AWS PrivateLink VPC ID.

  2. Create alias or CNAME records that route Astra DB subdomains to your Amazon VPC interface endpoint’s DNS name.

    Use alias records if you use DataStax drivers. For more information, see Comparison of alias and CNAME records.

    For each database, you must create records for both the .db. and .apps. domains. For multi-region databases, you must create records for every region where you use private endpoints.

    • DATABASE_ID-REGION.db.astra.datastax.com

    • DATABASE_ID-REGION.apps.astra.datastax.com

  3. Recommended: In the Astra Portal, use the IP Access List to block all public internet traffic to the database. This makes the database available only through private endpoints and allowed IPs.

  1. In the Azure Portal, create a private DNS zone.

  2. Create DNS entries to map Astra DB subdomains to your virtual network.

    For each database, you must create records for both the .db. and .apps. domains. For multi-region databases, you must create records for every region where you use private endpoints.

    • DATABASE_ID-REGION.db.astra.datastax.com

    • DATABASE_ID-REGION.apps.astra.datastax.com

  3. Recommended: In the Astra Portal, use the IP Access List to block all public internet traffic to the database. This makes the database available only through private endpoints and allowed IPs.

  1. In the Google Cloud console, create a private zone to route traffic to your Private Service Connect endpoint IP.

  2. Create Type A standard records for Astra DB subdomains.

    For each database, you must create records for both the .db. and .apps. domains. For multi-region databases, you must create records for every region where you use private endpoints.

    • DATABASE_ID-REGION.db.astra.datastax.com

    • DATABASE_ID-REGION.apps.astra.datastax.com

  3. Recommended: In the Astra Portal, use the IP Access List to block all public internet traffic to the database. This makes the database available only through private endpoints and allowed IPs.

Connect to a database through multiple private endpoints

You can access one database from multiple private endpoints. The private endpoints must have the same region and cloud provider as the database. For multi-region databases, you must create private endpoints in each applicable region.

To connect to one database through multiple private endpoints, Enable private endpoints, Add all private endpoints, and Add a DNS entry for each VPC where you deployed a private endpoint.

Connect to multiple databases through one private endpoint

You can use a private endpoint for multiple databases in the same or different Astra DB organizations.

All databases must be in the same region as the private endpoint that they share. If your databases are in multiple regions, you need a private endpoint for each region.
Multiple databases in the same organization

You can use the same private endpoint for multiple databases in the same Astra DB organization. To do this, Enable private endpoints, Add a private endpoint, and Add a DNS entry for each database in the same region.

For each additional database after the first, when you Add a private endpoint, don’t create a new VPC endpoint in your cloud provider. Instead, use the same Endpoint ID for each database that you want to use the same private endpoint.

Multiple databases in multiple organizations

To use the same private endpoint for databases in multiple Astra DB organizations, contact DataStax Support.

Get private endpoint configurations

In the Astra Portal, you can find a database’s private endpoints on the database’s Settings tab.

With the DevOps API, you can get information about private endpoints for all databases in your organization, a single database, or a single region of a multi-region database.

  • Get private endpoints for all databases

  • Get private endpoints for one database

  • Get private endpoints for one region

curl -sS --location -X GET "https://api.astra.datastax.com/v2/organizations/private-link" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Accept: application/json"
Response

A successful response includes information about private endpoint configurations for all databases in the organization. If there are any multi-region databases, the response includes all regions.

{
  "clusters": [
    {
      "clusterID": "string",
      "datacenters": [
        {
          "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-1148ea04af491da11",
          "allowedPrincipals": [
            "arn:aws:iam::123456789012:role/admin"
          ],
          "datacenterID": "string",
          "endpoints": [
            {
              "endpointID": "vpce-svc-1148ea04af491da11",
              "description": "ecomm-team-billing-app",
              "linkID": "126845687",
              "status": "Accepted",
              "createdDateTime": "2009-11-10T23:00:00"
            }
          ]
        }
      ]
    }
  ]
}
curl -sS --location -X GET "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/private-link" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Accept: application/json"
Response

A successful response includes information about private endpoint configurations for one database. For a multi-region database, the response includes all regions.

{
  "clusterID": "string",
  "datacenters": [
    {
      "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-1148ea04af491da11",
      "allowedPrincipals": [
        "arn:aws:iam::123456789012:role/admin"
      ],
      "datacenterID": "string",
      "endpoints": [
        {
          "endpointID": "vpce-svc-1148ea04af491da11",
          "description": "ecomm-team-billing-app",
          "linkID": "126845687",
          "status": "Accepted",
          "createdDateTime": "2009-11-10T23:00:00"
        }
      ]
    }
  ]
}

If the database is not a multi-region database, then the datacenterID is is the same as the databaseID.

curl -sS --location -X GET "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/private-link" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Accept: application/json"
Response

A successful response includes information about private endpoint configurations for one region of one database:

{
  "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-1148ea04af491da11",
  "allowedPrincipals": [
    "arn:aws:iam::123456789012:role/admin"
  ],
  "datacenterID": "string",
  "endpoints": [
    {
      "endpointID": "vpce-svc-1148ea04af491da11",
      "description": "ecomm-team-billing-app",
      "linkID": "126845687",
      "status": "Accepted",
      "createdDateTime": "2009-11-10T23:00:00"
    }
  ]
}

To get information about a specific endpoint by endpoint ID, use the Get endpoint information endpoint.

Delete a private endpoint

To delete a private endpoint, you must delete the private endpoint from Astra DB and your cloud provider:

  • Astra Portal

  • DevOps API

  1. In the Astra Portal, go to Databases, and then select your database.

  2. Click Settings.

  3. In the Private Endpoints section, click the endpoint that you want to delete.

  4. Click Delete, and then click Delete Endpoint to confirm deletion.

  5. Remove your private endpoint from your cloud provider:

  6. Remove or modify private DNS mapping as needed.

  1. Use the DevOps API to delete a private endpoint from Astra DB. The DELETE request removes one endpoint from one region of one database.

    curl -sS --location -X DELETE "https://api.astra.datastax.com/v2/organizations/clusters/DATABASE_ID/datacenters/DATACENTER_ID/endpoints/ENDPOINT_ID" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Accept: application/json"

    If you want to remove an allowed principal, use the Remove allowed principal endpoint.

  2. Remove your private endpoint from your cloud provider:

  3. Remove or modify private DNS mapping as needed.

When you delete a private endpoint, make sure you delete the connection in both the Astra Portal and your cloud provider.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com