
AWS PrivateLink and e6data


Last updated 10 months ago

This topic describes how to configure AWS PrivateLink to securely connect e6data to your AWS account.

Note that AWS PrivateLink is not a service provided by e6data. It is an AWS service that e6data supports for use with your e6data account.

What is AWS PrivateLink?

AWS PrivateLink is an AWS service that facilitates the creation of private VPC endpoints, enabling direct and secure connectivity between your AWS VPCs and the e6data VPC without traversing the public Internet. The connectivity is for AWS VPCs in the same AWS region.

The PrivateLink setup described here applies to both public and private EKS clusters.

Why do we need AWS Privatelink?

By using AWS endpoint services and VPC endpoints, this integration keeps traffic between your VPC and e6data on the AWS network, protecting the confidentiality and integrity of your data in transit.

What are the prerequisites for configuring AWS PrivateLink?

Create an IAM OIDC Identity Provider

Creating an OIDC (OpenID Connect) provider for your EKS cluster is crucial in this context because it provides secure access for e6data clusters to interact with data buckets within your AWS account. e6data uses OIDC for more secure access, as it provides least privilege and credential isolation. To create an OIDC provider for your EKS cluster, please refer to the AWS documentation "Creating an IAM OIDC provider for your cluster - Amazon EKS".

Please avoid using the "us-east-1e" AZ due to quota unavailability on the e6data control plane side.

How to establish a Private Link Between the Customer Account and the e6data Client Account?

Step 1: Update Security Group Settings

Update the security group associated with your EKS cluster. Allow inbound traffic on port 443 from e6data's Virtual Private Cloud (VPC) CIDR range. Please reach out to the e6data administrator to obtain the specific CIDR range information.

Step 2: Setting Up Target Group

Establish a target group for the Network Load Balancer. The target group should contain the private IP addresses of the Elastic Network Interfaces (ENIs) allocated during the creation of your EKS cluster.

Parameters to specify in the first step of creating a target group (Specify group details)

  • Target type: IP addresses
  • Protocol: TCP
  • Port: 443
  • IP address type: IPv4
  • VPC: VPC in which the EKS cluster is present
  • Health check protocol: TCP

Parameters to specify in the second step of creating a target group (Register targets)

  • Choose a network: VPC in which the EKS cluster is present
  • Specify IPs and define ports → IPv4 address: the private IP addresses of the EKS cluster's NICs (please follow the steps provided below to get the IPs of the NICs)
  • Ports: 443

Steps to get the private IPs of the NICs of the EKS cluster

The network interfaces (NICs) with the description "Amazon EKS <EKS_CLUSTER_NAME>" are the two NICs associated with your EKS cluster.

You can get their private IPs using the AWS CLI command:

aws ec2 describe-network-interfaces --filters "Name=description,Values=Amazon EKS <EKS_CLUSTER_NAME>" --query 'NetworkInterfaces[].{ID:NetworkInterfaceId,PrivateIP:PrivateIpAddress,Status:Status}' --output text

Step 3: Create an Internal Network Load Balancer (NLB)

  • Create an internal Network Load Balancer (NLB) within your Virtual Private Cloud (VPC). This NLB will manage network traffic within the VPC, ensuring it remains isolated from public internet access.

To configure your load balancer and listener

List of parameters to specify

  • Scheme: Internal
  • IP address type: IPv4
  • VPC: VPC in which the EKS cluster is present
  • Subnets: private subnets specified for the EKS cluster
  • Security groups: security group attached to the EKS cluster
  • Default action (listener): Protocol TCP, Port 443

Step 4: Create an Endpoint Service for NLB

  • Once the endpoint service is created, you need to add "arn:aws:iam::<e6data_account_id>:root" to its allowed principals.

Please contact the e6data administrator for the e6data_account_id, and provide them with the service name of the created endpoint service; the e6data client needs it to create an endpoint and establish the private link.

Step 5: Create Amazon S3 VPC Endpoint:

To enhance security, AWS provides the option to access S3 buckets privately from within your Amazon Virtual Private Cloud (VPC) using VPC endpoints.

You can access Amazon S3 from your VPC using gateway VPC endpoints. After you create the gateway endpoint, you can add it as a target in your route table for traffic destined from your VPC to Amazon S3.

Step 6: Update the e6data S3 Bucket Policy:

Update the bucket policy so that access to the bucket is limited to traffic arriving through the VPC endpoint created in Step 5:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::<e6data_s3_bucket_name>/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": "<VPC_endpoint_ID>"
                }
            }
        }
    ]
}
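As an added example (not part of the e6data documentation), the Python check below covers two values a practitioner should verify before applying Step 4 and Step 6: that every `Allow` statement with `Principal "*"` in the bucket policy is fenced by a `StringEquals` condition on `aws:SourceVpce` with a well-formed endpoint id and no unreplaced placeholder, and that the allowed principal added to the endpoint service has the `arn:aws:iam::<account>:root` shape. The policy, bucket name, endpoint id and account id in the sample are constructed.

```python
import json
import re

# Constructed copy of the bucket policy above, with the placeholders replaced
# by made-up but well-formed values.
SAMPLE_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-e6data-bucket/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": "vpce-0123456789abcdef0"
                }
            }
        }
    ]
}
""")

VPCE_ID = re.compile(r"^vpce-[0-9a-f]{8,17}$")
ROOT_PRINCIPAL = re.compile(r"^arn:aws:iam::\d{12}:root$")
PLACEHOLDER = re.compile(r"<[^>]+>")  # e.g. <VPC_endpoint_ID> left unreplaced


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_bucket_policy(policy):
    """Return findings for Allow statements that open the bucket to '*'.

    Such a statement is only safe when it is restricted to the VPC endpoint via
    aws:SourceVpce; without that condition it grants the listed actions to any
    principal from anywhere.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if not anonymous:
            continue
        sid = stmt.get("Sid", "(no Sid)")
        vpce = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceVpce")
        if vpce is None:
            findings.append(f"{sid}: Principal '*' without an aws:SourceVpce condition")
            continue
        for value in _as_list(vpce):
            if PLACEHOLDER.search(value):
                findings.append(f"{sid}: placeholder {value} still present in aws:SourceVpce")
            elif not VPCE_ID.match(value):
                findings.append(f"{sid}: {value!r} is not a well-formed VPC endpoint id")
        for resource in _as_list(stmt.get("Resource", [])):
            if PLACEHOLDER.search(resource):
                findings.append(f"{sid}: placeholder {resource} still present in Resource")
    return findings


def check_allowed_principal(arn):
    """True if arn has the account-root form the endpoint service expects (Step 4)."""
    return bool(ROOT_PRINCIPAL.match(arn))


if __name__ == "__main__":
    print("bucket policy findings:", check_bucket_policy(SAMPLE_POLICY) or "none")
    # 123456789012 is a constructed account id, not e6data's.
    print("allowed principal ok:", check_allowed_principal("arn:aws:iam::123456789012:root"))
```

One caveat on the policy itself: a `Resource` of `arn:aws:s3:::<bucket>/*` covers object-level actions only; if the e6data cluster also needs to list the bucket, the bucket ARN without `/*` must be added as a second resource, under the same `aws:SourceVpce` condition.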

Step 7: Validating the Endpoint Service and Connection:

After setting up the Private Link:

  • Please log in to your AWS account and proceed to the "Endpoint Services" section.

  • Confirm that the endpoint service lists the e6data AWS account ID as an allowed principal.

  • A connection from the e6data control plane will then appear under the endpoint service, enabling secure communication.

Reference documentation

  • AWS PrivateLink (AWS documentation).
  • Creating an IAM OIDC provider for your cluster - Amazon EKS.
  • Creating a Target Group (Step 2).
  • Creating an Internal NLB (Step 3), using the Target Group created in Step 2.
  • Creating an Endpoint Service (Step 4). To enhance data security and maintain compliance, set up an endpoint service for the NLB. This enables secure access to your data processing service from other AWS accounts while avoiding exposure to the public internet.
  • Creating an S3 VPC Endpoint (Step 5).