Connecting from AWS
Two different methods enable you to connect to your private cluster from your application's VPC in AWS. Each method offers different levels of accessibility and security. The VPC endpoint method is recommended and is most commonly used. However, you can also use the VPC peering connection method if required by your organization.
AWS VPC endpoint (recommended)
AWS VPC endpoint (AWS PrivateLink) service is a network interface that securely connects a private IP address from your AWS VPC to an external service. You grant access only to a single cluster instead of the entire BigAnimal resource VPC, thus ensuring maximum network isolation. Other advantages include:
- You need to configure the PrivateLink only once. Then you can use multiple VPC endpoints to connect applications from different VPCs.
- There's no risk of IP address conflicts.
The endpoint resources do incur a cost, however.
For more information, see VPC endpoint services (AWS PrivateLink).
Example
This example shows how to connect your cluster using VPC endpoints.
Assume that your cluster is on an account called development and is being accessed from a client on another account called test. It has the following properties:
BigAnimal cluster:
- AWS account: development
- Amazon resource name (ARN): `arn:aws:iam::123456789123:root`
- Cluster ID: `p-mckwlbakq5`
- Account ID: `brcxzr08qr7rbei1`
- Organization's domain name: `biganimal.io`
Client:
- AWS account: test
- Resource group: `rg-client`
- VPC: `vpc-client`
- VPC subnet: `snet-client`
Prerequisites
To walk through an example in your own environment, you need:
- Your cluster URL. You can find the URL in the Connect tab of your cluster instance in the BigAnimal portal.
Step 1: Create an endpoint service for your cluster
In the AWS account connected to BigAnimal, create an endpoint service to provide access to your clusters from other VPCs in other AWS accounts. Perform this procedure for each cluster to which you want to provide access.
1. Open the Amazon EC2 console. Ensure that the region where your cluster is deployed is selected in the upper-right corner of the console.
2. In the navigation pane, under Load Balancing, select Load Balancers.
3. Identify the load balancer that's tagged with the ID of the cluster to which you want to connect (`<cluster-id>-rw-internal-lb`), for example, `p-96fh28m3cb-rw-internal-lb`. Note the name of that network load balancer.
4. Open the Amazon VPC console.
5. From the navigation pane on the left, under Virtual Private Cloud, select Endpoint Services, and then select Create endpoint service.
6. Enter a suitable name for the endpoint service.
7. Select Network for the load balancer type.
8. Under Available load balancers, select the network load balancer of the cluster to which you want to connect.
9. Leave all the other fields with their default values, and select Create.
10. Under Details, note the Service name of the created endpoint service (for example, `com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc`). You need the service name when creating the VPC endpoint.
11. In the navigation pane, select Endpoint Services.
12. Select your endpoint service, and then from the Actions list, select Allow principals.
13. Add the AWS account with which you want to connect to the endpoint service by specifying the ARN for the principal. The ARN must be in this format: `arn:aws:iam::<AWS ACCOUNT ID>:root`
Step 2: Create a VPC endpoint in the client's VPC
Now that your endpoint service is created, you can connect to it from the client's VPC using a VPC endpoint. Perform this procedure in your application's AWS account.
Note
In your application's AWS account, ensure that you allow your application's security group to connect to your cluster.
1. Open the Amazon VPC console.
2. Ensure that the region where your cluster is deployed is selected in the upper-right corner of the console.
3. From the navigation pane on the left, under Virtual Private Cloud, select Endpoints, and then select Create endpoint.
4. Enter a suitable name for the endpoint.
5. Under Service category, select Other endpoint services.
6. Under Service Name, enter the name of the endpoint service that you created earlier (`com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc`). To verify whether you successfully allowed access to the endpoint, select Verify service.
7. Under VPC, select the client's VPC in which to create the endpoint.
8. Under Subnets, select the subnets (availability zones) in which to create the endpoint network interfaces. Enable the endpoint in all availability zones used by your application.
9. Select Create endpoint.
Step 3: Accept and test the connection
1. In your AWS account connected to BigAnimal, select VPC, and then select Endpoint services.
2. Select the endpoint service instance you created previously, and accept the endpoint connection request under Endpoint connections.
3. In your application's AWS account, select VPC and then select Endpoints. Select the endpoint you created previously and use the DNS name provided in the details section to access your cluster.
You can now successfully connect to your cluster.
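The same three steps driven from the BigAnimal-connected account with boto3 instead of the console, as an added example that is not BigAnimal's own code. It assumes boto3 and AWS credentials are available, uses the page's cluster ID and the `us-east-1` region of the example service name, and the client account ID `210987654321` is a constructed placeholder; the helper functions are pure so they can be checked without AWS access.

```python
"""Added example (not BigAnimal's own code): Steps 1 to 3 with boto3. The helpers
are pure so they can be checked offline; main() wires them to the SDK calls."""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

def principal_arn(account_id):
    """Build the root-principal ARN in the exact form the page requires."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return f"arn:aws:iam::{account_id}:root"

def find_cluster_nlb(load_balancers, cluster_id):
    """Step 1: pick the network load balancer named <cluster-id>-rw-internal-lb."""
    wanted = f"{cluster_id}-rw-internal-lb"
    matches = [lb["LoadBalancerArn"] for lb in load_balancers
               if lb["Type"] == "network" and lb["LoadBalancerName"] == wanted]
    if len(matches) != 1:
        raise LookupError(f"expected one NLB named {wanted}, found {len(matches)}")
    return matches[0]

def connections_to_accept(connections, allowed_account):
    """Step 3 guard: accept only pending requests owned by the allowed client account."""
    return [c["VpcEndpointId"] for c in connections
            if c["VpcEndpointState"] == "pendingAcceptance"
            and c["VpcEndpointOwner"] == allowed_account]

def main(region, cluster_id, client_account_id):
    import boto3  # imported here so the helpers above need no AWS SDK installed
    elbv2 = boto3.client("elbv2", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    # Step 1: endpoint service in front of the cluster's NLB, allowed to one principal only
    nlb_arn = find_cluster_nlb(elbv2.describe_load_balancers()["LoadBalancers"], cluster_id)
    svc = ec2.create_vpc_endpoint_service_configuration(
        AcceptanceRequired=True, NetworkLoadBalancerArns=[nlb_arn])["ServiceConfiguration"]
    ec2.modify_vpc_endpoint_service_permissions(
        ServiceId=svc["ServiceId"], AddAllowedPrincipals=[principal_arn(client_account_id)])
    print("give this service name to the client account:", svc["ServiceName"])
    # Step 2 happens in the client account (console, or create_vpc_endpoint with
    # VpcEndpointType="Interface" and ServiceName=svc["ServiceName"]).
    # Step 3: accept only the client account's pending request, nothing else
    conns = ec2.describe_vpc_endpoint_connections(
        Filters=[{"Name": "service-id", "Values": [svc["ServiceId"]]}])["VpcEndpointConnections"]
    pending = connections_to_accept(conns, client_account_id)
    if pending:
        ec2.accept_vpc_endpoint_connections(ServiceId=svc["ServiceId"], VpcEndpointIds=pending)

if __name__ == "__main__":
    main("us-east-1", "p-mckwlbakq5", "210987654321")  # constructed client account ID
```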