Connect out from SingleStore Helios Workspaces to Private Networks/Services via AWS PrivateLink

For outbound connections, create a private link service, and send the Service name to SingleStore.

If you are using Kafka brokers with AWS MSK, you must specify the IP addresses of the broker endpoints when creating the target groups of the load balancer. Run the nslookup command with the DNS names of the MSK brokers to get their IP addresses. The IP address of an endpoint does not change, because it is attached to a VPC ENI (elastic network interface), so resolve the broker endpoint IP addresses before initiating the connection.

You need to specify the broker endpoints in the support ticket. Also, update your security group configuration to grant access to the interface endpoint's private IP address. When using Kafka brokers, use the broker name with the port instead of the endpoint name in the CREATE PIPELINE command.

To connect out from SingleStore Helios to AWS PrivateLink, perform the following tasks:

  1. Request AWS account ID from SingleStore.

  2. Create a Network Load Balancer.

  3. Create an endpoint service.

  4. Send the Service name to SingleStore.

Request AWS Account ID from SingleStore

Contact SingleStore Support and request the AWS account ID from SingleStore. You'll need to whitelist this ID while creating your endpoint service (as explained below).

Create a Network Load Balancer

  1. On the AWS console, select EC2 > Target groups > Create target group. Create one target group for each broker service.

  2. On the AWS console, select EC2 > Load Balancers > Create Load Balancer.

  3. Under Network Load Balancer, select Create. Your workspace and the load balancer must be in the same region. Make sure that Cross-zone load balancing is enabled.

Create an Endpoint Service


Your workspace and endpoint service must be in the same region.

  1. In the AWS Console, select VPC > Endpoint Services > Create Endpoint Service, and associate it with the Network Load Balancer created in the previous step.

  2. For this service, under Whitelisted principals, add the account ID received from SingleStore. This enables SingleStore to find and access the private endpoint service. Use the format "arn:aws:iam::<account id>:root", replacing <account id> with the AWS Account ID supplied by SingleStore Support.

  3. Verify that the security group rules in your VPC allow inbound traffic from the endpoint service. Refer to Control traffic to resources using security groups for more information.
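Before sending the service name, the settings from the steps above (allowed principal, cross-zone load balancing, matching region) can be checked against AWS CLI JSON output. The following Python script is an added example, not SingleStore's own tooling; the account ID 111122223333, the service name, and the embedded JSON are constructed placeholders, and the audit function is a hypothetical helper.

```python
import json
import re

# Constructed sample outputs; 111122223333 is a placeholder account ID.
# aws ec2 describe-vpc-endpoint-service-permissions --service-id <id>
PERMISSIONS = json.loads("""{"AllowedPrincipals": [
  {"PrincipalType": "Account", "Principal": "arn:aws:iam::111122223333:root"},
  {"PrincipalType": "All", "Principal": "*"}]}""")
# aws elbv2 describe-load-balancer-attributes --load-balancer-arn <arn>
NLB_ATTRS = json.loads("""{"Attributes": [
  {"Key": "load_balancing.cross_zone.enabled", "Value": "false"}]}""")
SERVICE_NAME = "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0"

# Assumes the standard service-name layout com.amazonaws.vpce.<region>.vpce-svc-<id>.
NAME_RE = re.compile(r"^com\.amazonaws\.vpce\.([a-z0-9-]+)\.vpce-svc-[0-9a-f]+$")


def audit(permissions, nlb_attrs, service_name, account_id, workspace_region):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    expected = f"arn:aws:iam::{account_id}:root"
    principals = [p["Principal"] for p in permissions.get("AllowedPrincipals", [])]
    if expected not in principals:
        findings.append(f"expected principal {expected} is not allowed")
    for principal in principals:
        if principal == "*":
            # A wildcard lets any AWS account request a connection to the service.
            findings.append("wildcard principal '*' is allowed")
        elif principal != expected:
            findings.append(f"unexpected principal {principal}")

    attrs = {a["Key"]: a["Value"] for a in nlb_attrs.get("Attributes", [])}
    if attrs.get("load_balancing.cross_zone.enabled") != "true":
        findings.append("cross-zone load balancing is not enabled")

    match = NAME_RE.match(service_name)
    if match is None:
        findings.append(f"unrecognized service name {service_name}")
    elif match.group(1) != workspace_region:
        findings.append(f"service region {match.group(1)} != workspace region {workspace_region}")
    return findings


if __name__ == "__main__":
    for finding in audit(PERMISSIONS, NLB_ATTRS, SERVICE_NAME, "111122223333", "us-east-1"):
        print("FINDING:", finding)
```

With the constructed sample, the script reports the wildcard principal and the disabled cross-zone setting; a configuration that follows the steps above produces no findings.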

Send the Service Name to SingleStore

Contact SingleStore Support, and provide the following details:

  • Workspace ID. SingleStore can only process the connection request when your workspace is in the Active state.

  • Region details

  • Service name of your AWS endpoint service

  • In the support ticket, specify that the request is for an outbound connection

Once the endpoint status changes to Available, you can connect out from your SingleStore Helios workspace via AWS PrivateLink.


  • AWS PrivateLink Concepts

  • Create a private endpoint service

  • This tutorial builds cross account connectivity to Amazon MSK clusters with AWS PrivateLink by fronting all brokers in the cluster with a single NLB that has cross-zone load balancing enabled. Refer to Pattern 2: Front all MSK brokers with a single shared interface endpoint in the tutorial for more information.

Last modified: October 19, 2023
