# Connect to SingleStore Helios using AWS PrivateLink

Configure both outbound and inbound connections to connect your workspace to AWS PrivateLink. For information on managing private connections, refer to [SingleStore Private Connections](https://docs.singlestore.com/cloud/connect-to-singlestore/private-connections/singlestore-private-connections.md).

To connect via AWS PrivateLink using Flow, specify the VPC endpoint of your private link in the destination database configuration. Refer to [Configure Flow](https://docs.singlestore.com/#section-id235511456889768.md).

Contact [SingleStore Support](https://support.singlestore.com) for assistance with setting up or configuring private connections.

> **📝 Note**: [This tutorial](https://aws.amazon.com/blogs/big-data/how-goldman-sachs-builds-cross-account-connectivity-to-their-amazon-msk-clusters-with-aws-privatelink/) builds cross-account connectivity to Amazon MSK clusters with AWS PrivateLink by fronting all brokers in the cluster with a single NLB that has cross-zone load balancing enabled. Refer to **Pattern 2: Front all MSK brokers with a single shared interface endpoint** in the tutorial for more information.

## Configure Inbound Connections

To successfully set up an inbound connection to SingleStore Helios using AWS PrivateLink, perform the following tasks:

1. [Create an Inbound Connection on the Cloud Portal](https://docs.singlestore.com/#section-idm4577804916545633710638230996.md)

2. [Create a Private Endpoint on the Amazon VPC Console](https://docs.singlestore.com/#section-idm4587784974278433710639955862.md)

## Create an Inbound Connection on the Cloud Portal

On the [Cloud Portal](https://portal.singlestore.com),

1. Select **Workspaces**.

2. Select the three dots under **Actions** for your workspace and select **Access & Security** from the list.

3. Under **Private Links**, select **Create Connection**.

4. On the **Create Connection** dialog, enter or select the following information:

   1. **Endpoint**: Select **SingleStore Endpoint**.

   2. **Connection Type**: Select the **Inbound** connection type from the list.

   3. **AWS Account ID** (Inbound connections only): Enter the AWS Account ID associated with your VPC/private endpoint.

5. Select **Create Connection**.

Once the connection is ready to use, which may take a few minutes, its status changes to `ACTIVE`. If an error occurs while creating the private connection, the connection is deleted automatically. Hover over the `DELETED` status indicator to view the error message.

Copy the **VPC Endpoint Service Name** of your connection, and enter it in the **Service name** field while creating a private endpoint on the Amazon VPC Console. Refer to [Manage Private Connections](https://docs.singlestore.com/cloud/connect-to-singlestore/private-connections/singlestore-private-connections/#section-idm4493093347076833710473823166.md) for information on how to view the private connection details.

## Create a Private Endpoint on the Amazon VPC Console

> **📝 Note**: Your workspace and endpoint must be in the same region.

Create a private endpoint using the **Service name** copied earlier:

1. On the [Amazon VPC console](https://console.aws.amazon.com/vpc/), select **Endpoints > Create endpoint**.

2. Under **Service Category**, select **Other endpoint services**.

3. Enter the **Service name** copied from the [Cloud Portal](https://portal.singlestore.com) in the **Service name** box.

4. Select **Verify service** to verify the Service name.

5. Under VPC, select the VPC from which you'll connect with the AWS service.

6. Under **Subnets**, select one subnet per Availability Zone from which you'll connect to the AWS service.

7. Select **Create endpoint**.

You can use the endpoint after it enters the `Available` state. Refer to [Endpoint states](https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html#concepts-service-consumers) for more information. Create a security group to control access to the endpoint, and then attach the security group to the endpoint. Refer to [Control traffic to resources using security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) for more information.

> **📝 Note**: SingleStore Helios does not support Certificate Authority (CA) verification for inbound connections. For information on connecting to SingleStore Helios using SSL, refer to [Connect to SingleStore Helios using TLS/SSL](https://docs.singlestore.com/cloud/connect-to-singlestore/connect-with-mysql/connect-with-mysql-client/connect-to-singlestore-helios-using-tls-ssl.md).

## Configure Outbound Connections

To successfully set up an outbound connection to SingleStore Helios using AWS PrivateLink, perform the following tasks:

1. [Copy the AWS account ID from the Cloud Portal](https://docs.singlestore.com/#section-idm4587785065080033710540738094.md)

2. [Create an Endpoint Service on the AWS Console](https://docs.singlestore.com/#section-idm4573444058233633710541583593.md)

3. [Create an Outbound Connection on the Cloud Portal](https://docs.singlestore.com/#section-idm4602413659161633710543006469.md)

4. [Accept the Connection Request in your AWS Console](https://docs.singlestore.com/#section-id23551147332954.md)

If you are using Kafka brokers with AWS MSK, you must specify the IP address of the broker endpoints while creating the target groups of the load balancer. Run the `nslookup` command with the DNS names of the MSK brokers to get their IP addresses. Note that the IP address of the endpoint does not change since it is attached to the VPC ENI (elastic network interfaces). Hence, resolve the broker endpoint IP address before initiating the connection. When using Kafka brokers, use the broker name with the port instead of the endpoint name in the `CREATE PIPELINE` command.

## Copy the AWS Account ID from the Cloud Portal

On the [Cloud Portal](https://portal.singlestore.com),

1. Select **Workspaces**.

2. Select the three dots under **Actions** for your workspace and select **Access & Security** from the list.

3. Under **Private Links**, select **Create Connection**.

4. On the **Create Connection** dialog, from the **Connection Type** list, select **Outbound**. Copy the AWS account ID displayed.

You'll need to whitelist this ID while creating your endpoint service.

## Create an Endpoint Service on the AWS Console

On the AWS Console,

1. Create a target group for each of the AWS services that you want to access using AWS PrivateLink, select **EC2 > Target groups > Create Target group**. Refer to [Target Groups](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html) for more information.

2. Create a network load balancer, select **EC2 > Load Balancers > Create Load Balancer**.

3. Under **Network Load Balancer**, select **Create**. Your workspace and the load balancer must be in the same region. Ensure that **Cross-zone load balancing** is enabled. Refer to [Create a Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html) for related information.

4. In the AWS Console, select **VPC > Endpoint Services > Create Endpoint Service**.
   > **📝 Note**: Your workspace and endpoint service must be in the same region.
   * Associate the endpoint service with the Network Load Balancer created in the previous step.
   * Enable **Require acceptance for endpoint** for additional security.

5. For this service, under **Allow principals**, add the AWS account ID copied from the Cloud Portal in the `"arn:aws:iam::<account id>:root"` format. This enables SingleStore to find and access the private endpoint service.

6. Verify that the security group rules in your VPC allow inbound traffic from the endpoint service, including traffic from internal private IP ranges (for example, RFC1918 ranges such as 10.0.0.0/8), depending on your network configuration. Refer to [Control traffic to resources using security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) for more information.

7. Copy the **Service Name** of this AWS endpoint service.

## Create an Outbound Connection on the Cloud Portal

On the [Cloud Portal](https://portal.singlestore.com),

1. Select **Workspaces**.

2. Select the three dots under **Actions** for your workspace and select **Access & Security** from the list.

3. Under **Private Links**, select **Create Connection**.

4. On the **Create Connection** dialog, enter or select the following information:

   1. **Endpoint**: Select **SingleStore Endpoint**.

   2. **Connection Type**: Select the **Outbound** connection type from the list.

   3. **Service name** (Outbound connections only): Enter the **Service Name** associated with your AWS endpoint service.

5. Select **Create Connection**.

6. (Optional) [Accept the connection request in your AWS Console](https://docs.singlestore.com/#section-id23551147332954.md).

The connection is ready to use once the endpoint status changes to `ACTIVE`. If an error occurs while creating the private connection, the connection is deleted automatically. Hover over the `DELETED` status indicator to view the error message.

![](https://images.contentstack.io/v3/assets/bltac01ee6daa3a1e14/blt550f79e363bf3f6d/6a3eba360cbbcabbc9991b67/spc_deleted_status-citjnt.png)

## Accept the Connection Request in your AWS Console

If **Require acceptance for endpoint** is enabled while creating the endpoint service, you must accept the connection request from SingleStore in your AWS account. On the AWS Console,

1. Select **VPC > Endpoint Services**, and then select your endpoint service.

2. On the **Endpoints Connections** tab, find the request from the SingleStore AWS account with the **Pending Acceptance** status.

3. From the **Actions** menu, select **Accept Endpoint Connection Request**.

The connection status changes to **Available**, indicating that the connection is successfully established and is ready to use.

## Configure Flow

To configure Flow to connect using AWS PrivateLink:

1. Log in to the [Cloud Portal](https://portal.singlestore.com).

2. Copy the **VPC Endpoint** of your outbound private link.

   1. Select **Workspaces**.

   2. Select the three dots under **Actions** for your workspace and select **Access & Security** from the list.

   3. Under **Private Links**, select the three dots under **Actions** for your private link, and then select **View Connection**.

   4. Copy the **VPC Endpoint** for your private link.

3. Select **Ingestion > Load Data**, and then select a source supported by Flow.

4. Configure the destination database, connection name, Flow instance size, and then select **Create Flow Instance**.

5. Select **Open Flow** under the **Actions** column of the Flow instance created in the previous step.

6. On the **Setup** tab, configure the source database and then select **Next**.

7. Under **Destination Database**, enter the **VPC Endpoint** copied earlier in the **Host Name** field.

8. Enter the username and password of the SingleStore database user with which to connect.

9. Select **Test** to test the connection.

Once the connection is verified, [configure the Flow instance](https://docs.singlestore.com/cloud/load-data/load-data-with-singlestore-flow-on-helios/use-flow-on-helios.md) as required and proceed with data ingestion.

Refer to [Load Data with SingleStore Flow on Helios](https://docs.singlestore.com/cloud/load-data/load-data-with-singlestore-flow-on-helios.md) for more information.

## References

* [AWS PrivateLink Concepts](https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html#concepts-service-consumers)
* [Create a private endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html)

## In this section

* [Connect SingleStore Helios to AWS MSK using AWS PrivateLink](https://docs.singlestore.com/cloud/connect-to-singlestore/private-connections/connect-to-singlestore-helios-using-aws-privatelink/connect-singlestore-helios-to-aws-msk-using-aws-privatelink.md)
* [Connect to MongoDB® using AWS PrivateLink](https://docs.singlestore.com/cloud/connect-to-singlestore/private-connections/connect-to-singlestore-helios-using-aws-privatelink/connect-to-mongodb-using-aws-privatelink.md)

***

Modified at: May 15, 2026

Source: [/cloud/connect-to-singlestore/private-connections/connect-to-singlestore-helios-using-aws-privatelink/](https://docs.singlestore.com/cloud/connect-to-singlestore/private-connections/connect-to-singlestore-helios-using-aws-privatelink/)

(An index of the documentation is available at /llms.txt)