Connect to SingleStore Helios using AWS PrivateLink

Configure both the outbound and inbound connections to connect your workspace to AWS PrivateLink. For information on managing private connections, refer to SingleStore Private Connections.

Contact SingleStore Support if you need assistance setting up or configuring private connections.

Note

This tutorial builds cross account connectivity to Amazon MSK clusters with AWS PrivateLink by fronting all brokers in the cluster with a single NLB that has cross-zone load balancing enabled. Refer to Pattern 2: Front all MSK brokers with a single shared interface endpoint in the tutorial for more information.

Configure Inbound Connections

To successfully set up an inbound connection to SingleStore Helios using AWS PrivateLink, you need to perform the following tasks:

  1. Create an Inbound Connection on the Cloud Portal

  2. Create a Private Endpoint on the Amazon VPC Console

Create an Inbound Connection on the Cloud Portal

On the Cloud Portal,

  1. Select Deployments > your_workspace_group > Firewall.

  2. Under Private Links, select Create Connection.

  3. On the Create Connection dialog, enter or select the following information:

    1. Endpoint: Select SingleStore Endpoint.

    2. Connection Type: Select the Inbound connection type from the list.

    3. Workspaces:

      • To create a DML connection, select a workspace you want to connect with from the list.

      • To create a DDL connection, select None.

    4. AWS Account ID (Inbound connections only): Enter the AWS Account ID associated with your VPC/private endpoint.

  4. Select Create Connection.

Once the connection is ready to use, which may take a few minutes, its status changes to ACTIVE. If an error occurs while creating the private connection, the connection is deleted automatically. Hover over the DELETED status indicator to view the error message.

Copy the VPC Endpoint Service Name of your connection, and enter it in the Service name box while creating a private endpoint on the Amazon VPC Console. Refer to Manage Private Connections for information on how to view the private connection details.

Create a Private Endpoint on the Amazon VPC Console

Note

Your workspace group and endpoint must be in the same region.

Create a private endpoint using the Service name copied earlier:

  1. On the Amazon VPC console, select Endpoints > Create endpoint.

  2. Under Service Category, select Other endpoint services.

  3. Enter the Service name copied from the Cloud Portal in the Service name box.

  4. Select Verify service to verify the Service name.

  5. Under VPC, select the VPC from which you'll connect with the AWS service.

  6. Under Subnets, select one subnet per Availability Zone from which you'll connect to the AWS service.

  7. Select Create endpoint.

You can use the endpoint after it enters the Available state. Refer to Endpoint states for more information. Create a security group to control access to the endpoint, and then attach the security group to the endpoint. Refer to Control traffic to resources using security groups for more information.

Note

SingleStore Helios does not support Certificate Authority (CA) verification for inbound connections. For information on connecting to SingleStore Helios using SSL, refer to Connect to SingleStore Helios using TLS/SSL.

Configure Outbound Connections

To successfully set up an outbound connection to SingleStore Helios using AWS PrivateLink, you need to perform the following tasks:

  1. Copy the AWS account ID from the Cloud Portal

  2. Create an Endpoint Service on the AWS Console

  3. Create an Outbound Connection on the Cloud Portal

If you are using Kafka brokers with AWS MSK, you must specify the IP address of the broker endpoints while creating the target groups of the load balancer. Run the nslookup command with the DNS names of the MSK brokers to get their IP addresses. Note, the IP address of the endpoint does not change since it is attached to the VPC ENI (elastic network interfaces). Hence, resolve the broker endpoint IP address before initiating the connection. When using Kafka brokers, use the broker name with the port instead of the endpoint name in the CREATE PIPELINE command.

Copy the AWS Account ID from the Cloud Portal

On the Cloud Portal,

  1. Select Deployments > your_workspace_group > Firewall > Private Links > Create Connection.

  2. On the Create Connection dialog, from the Connection Type list, select Outbound. Copy the AWS account ID displayed below.

You'll need to whitelist this ID while creating your endpoint service (as explained below).

Create an Endpoint Service on the AWS Console

On the AWS Console,

  1. Create a target group for each of the AWS services that you want to access using AWS PrivateLink, select EC2 > Target groups > Create Target group. Refer to Target Groups for more information.

  2. Create a network load balancer, select EC2 > Load Balancers > Create Load Balancer.

  3. Under Network Load Balancer, select Create. Your workspace group and the load balancer must be in the same region. Ensure that Cross-zone load balancing is enabled.

  4. In the AWS Console, select VPC > Endpoint Services > Create Endpoint Service, and associate it with the Network Load Balancer created in the previous step. Your workspace and endpoint service must be in the same region.

  5. For this service, under Allow principals, add the AWS account ID copied from the Cloud Portal in the "arn:aws:iam::<account id>:root" format. This enables SingleStore to find and access the private endpoint service.

  6. Verify that the security group rules in your VPC allow inbound traffic from the endpoint service. Refer to Control traffic to resources using security groups for more information.

  7. Copy the Service Name of this AWS endpoint service,

Create an Outbound Connection On the Cloud Portal

On the Cloud Portal,

  1. Select Deployments > your_workspace_group > Firewall.

  2. Under Private Links, select Create Connection.

  3. On the Create Connection dialog, enter or select the following information:

    1. Endpoint: Select SingleStore Endpoint.

    2. Connection Type: Select the Outbound connection type from the list.

    3. Workspaces:

      • To create a DML connection, select a workspace you want to connect with from the list.

      • To create a DDL connection, select None.

    4. DNS name (Outbound connections only): Enter the Service Name associated with your AWS endpoint service.

  4. Select Create Connection.

The connection is ready to use, once the endpoint status changes to ACTIVE. If an error occurs while creating the private connection, the connection is deleted automatically. Hover over the DELETED status indicator to view the error message.

References

In this section

Last modified: November 26, 2024

Was this article helpful?