AWS PrivateLink and e6data
This topic describes how to configure AWS PrivateLink to connect e6data securely to your AWS account.
AWS PrivateLink is an AWS service for creating private VPC endpoints, which provide direct, private connectivity between your AWS VPCs and the e6data VPC without traversing the public Internet. This connectivity is available only between AWS VPCs in the same AWS region.
By using VPC endpoint services and VPC endpoints, this integration keeps data traffic between the two VPCs on the AWS network, protecting its confidentiality and integrity.
Creating an OIDC (OpenID Connect) provider for your EKS cluster is essential here because it is how e6data clusters obtain secure access to the data buckets in your AWS account. e6data uses OIDC because it supports least-privilege access and credential isolation. To create an OIDC provider for your EKS cluster, please refer to the documentation.
Update the security group associated with your EKS cluster to allow inbound traffic on port 443 from e6data's Virtual Private Cloud (VPC) CIDR range only. Please contact the e6data administrator to obtain the specific CIDR range.
Create a target group for the Network Load Balancer. The targets are the private IP addresses of the Elastic Network Interfaces (ENIs) allocated when your EKS cluster was created.
Parameters to specify in the first step of creating a target group (Specify group details):
Target type: IP addresses
Protocol: TCP
Port: 443
IP address type: IPv4
VPC: the VPC in which the EKS cluster is present
Health check protocol: TCP
Parameters to specify in the second step of creating a target group (Register targets):
Choose a network: the VPC in which the EKS cluster is present
Specify IPs and define ports -> IPv4 address: the private IP addresses of the EKS cluster's NICs (follow the steps below to obtain them)
Ports: 443
Steps to get the private IPs of the NICs of the EKS cluster
The network interfaces (NICs) whose description is "AMAZON EKS <EKS_CLUSTER_NAME>" are the two NICs associated with your EKS cluster.
You can also retrieve their private IPs with the AWS CLI.
Create an internal Network Load Balancer (NLB) within your Virtual Private Cloud (VPC). An internal NLB handles traffic only within the VPC, so it is never reachable from the public internet.
List of parameters to specify:
Scheme: Internal
IP address type: IPv4
VPC: the VPC in which the EKS cluster is present
Subnets: the private subnets specified for the EKS cluster
Security groups: the security group attached to the EKS cluster
Listener protocol: TCP
Listener port: 443
Default action: forward to the target group created above
Once the endpoint service is created, you need to add "arn:aws:iam::<e6data_account_id>:root" to its allowed principals. Only this principal should be allowed, so that no other AWS account can request a connection to the service.
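The two settings that decide who can reach the NLB are the security-group rule from the earlier step and the endpoint service's allowed principals. The following audit helper is an added example, not e6data's code: it takes dicts shaped like the boto3 describe_security_group_rules and describe_vpc_endpoint_service_permissions responses and reports any rule that exposes port 443 to the internet or any principal other than the e6data account root. The account ID and CIDR are constructed placeholders.

```python
# Added audit helper, not e6data's code: checks the endpoint-service principals
# and the security-group rule this page asks for, from dicts shaped like the
# boto3 describe_vpc_endpoint_service_permissions / describe_security_group_rules
# responses. Account ID and CIDR are constructed placeholders.
E6DATA_ACCOUNT_ID = "111111111111"   # placeholder; obtain from the e6data administrator
E6DATA_CIDR = "10.200.0.0/16"        # placeholder; obtain from the e6data administrator


def audit_allowed_principals(perms, partner_account_id=E6DATA_ACCOUNT_ID):
    """Only the partner account root should be an allowed principal."""
    expected = f"arn:aws:iam::{partner_account_id}:root"
    principals = [p["Principal"] for p in perms.get("AllowedPrincipals", [])]
    findings = [] if expected in principals else [f"missing allowed principal {expected}"]
    for p in principals:
        if p == "*":
            findings.append("endpoint service accepts connections from any AWS account")
        elif p != expected:
            findings.append(f"unexpected allowed principal {p}")
    return findings


def audit_sg_rules(rules, partner_cidr=E6DATA_CIDR):
    """Inbound tcp/443 must come from the partner CIDR and never from the internet."""
    findings, partner_rule = [], False
    for r in rules:
        if r.get("IsEgress"):
            continue
        proto, lo, hi = r.get("IpProtocol"), r.get("FromPort", -1), r.get("ToPort", -1)
        if not (proto == "-1" or (proto == "tcp" and lo <= 443 <= hi)):
            continue  # rule does not reach port 443
        src = r.get("CidrIpv4") or r.get("CidrIpv6")
        if proto == "tcp" and (lo, hi) == (443, 443) and src == partner_cidr:
            partner_rule = True
        elif src in ("0.0.0.0/0", "::/0"):
            findings.append(f"rule {r['SecurityGroupRuleId']} exposes 443 to {src}")
    if not partner_rule:
        findings.append(f"no inbound tcp/443 rule from {partner_cidr}")
    return findings


if __name__ == "__main__":  # constructed sample: one correct rule, one public rule
    sample_rules = [
        {"SecurityGroupRuleId": "sgr-ok", "IsEgress": False, "IpProtocol": "tcp",
         "FromPort": 443, "ToPort": 443, "CidrIpv4": E6DATA_CIDR},
        {"SecurityGroupRuleId": "sgr-open", "IsEgress": False, "IpProtocol": "-1",
         "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"},
    ]
    print(audit_sg_rules(sample_rules))  # ['rule sgr-open exposes 443 to 0.0.0.0/0']
    sample_perms = {"AllowedPrincipals": [{"Principal": "*"}]}
    print(audit_allowed_principals(sample_perms))
```

Run it against the live responses by passing `ec2.describe_security_group_rules(...)["SecurityGroupRules"]` and `ec2.describe_vpc_endpoint_service_permissions(...)` from boto3; an empty list from each function means the settings match this page.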
To enhance security, AWS lets you access S3 buckets privately from within your Amazon Virtual Private Cloud (VPC) using VPC endpoints.
You can access Amazon S3 from your VPC through a gateway VPC endpoint. After you create the gateway endpoint, add it as a target in your route table for traffic from your VPC to Amazon S3.
Update your bucket policies to restrict access to the buckets to specific endpoints.
After setting up the PrivateLink:
Log in to your AWS account and go to the "Endpoint Services" section.
Confirm that the endpoint service permits access to the e6data AWS account ID as an allowed principal.
A connection will then be created with the e6data control plane for secure communication.
To create a target group, please refer to the documentation.
To create an internal Network Load Balancer, please refer to the documentation.
To enhance data security and maintain compliance, set up an endpoint service for the NLB. This allows the e6data AWS account to reach your data processing service privately, without exposing it to the public internet. To create an endpoint service, please refer to the documentation.
To create an S3 VPC endpoint, please refer to the documentation.