January 11, 2023
AWS PrivateLink is an AWS service that you can configure in Tessell. It allows resources in the Tessell Virtual Private Cloud (VPC) to connect securely to your AWS Virtual Private Cloud (VPC) over private IP addresses, so that the connection never traverses the public internet.
To configure AWS PrivateLink for your database service, perform the following steps:
Log into Tessell and click My Services from the left menu bar.
On the My Services page, select the provisioned database service that is hosted on AWS cloud. The database service opens up in a new page.
On the Overview tab of the database service page, find the AWS Private Link option and click the pencil icon next to it.
In the Create Private Link dialog box, enter the Amazon Resource Name (ARN) of each AWS principal that is allowed to connect to your endpoint service. This is required because, by default, an endpoint service is not accessible to any service consumer.
After entering the ARN, press Enter.
Click Save. The status of AWS PrivateLink changes to 'Updating'.
Wait for the service endpoint to appear, then make a note of it.
Create an interface endpoint using the AWS console to connect to your service securely by performing the following steps:
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
Log into the AWS account where you want to run your client service.
In the navigation pane, choose Endpoints.
Choose Create endpoint.
From the Service category options, choose Other endpoint services.
In the Service name field, enter the service endpoint name that you noted earlier in Tessell. For example, enter com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc.
Click Verify service.
In the VPC field, select the VPC where your client machine resides and where you want to create the endpoint.
For Subnets, select the subnets from which you will access the service. It is recommended that you select all subnets.
Select IPv4 for IP address type.
Click Save. It may take a couple of minutes for the endpoint service to become available.
Now connect to the database service from the VM in the VPC for which you configured the AWS PrivateLink endpoint.
In the AWS console, after the status of the interface endpoint service changes to 'Available', go to the VPC Details tab.
From the DNS names section, make a note of the DNS name that does not have any region name in it. This DNS name typically appears at the top of the list.
Use SSH to connect to the VM, then connect to your database service with psql, using the endpoint DNS name in the following syntax:
psql postgresql://master:<PASSWORD>@<DNS from the Endpoint>:5432/postgres
With this configuration, traffic to your database service is sent to the interface endpoint that you created. The endpoint service uses a Network Load Balancer to distribute traffic, and traffic destined for the endpoint service is resolved using DNS.
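As an added example (not Tessell's or AWS's own code) tying the procedure together: a Python pre-connection check that validates the service endpoint name noted in Tessell, confirms the interface endpoint's DNS name resolves only to addresses inside the client VPC's CIDR (so the session stays on the private path), and builds the psql URI with the password percent-encoded. The resolver, the VPC CIDR and the endpoint hostname are constructed stand-ins for real lookups.

```python
import ipaddress
import re
from urllib.parse import quote

# Endpoint service names look like com.amazonaws.vpce.<region>.vpce-svc-<17 hex chars>
SERVICE_NAME_RE = re.compile(
    r"^com\.amazonaws\.vpce\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"
    r"\.(?P<svc>vpce-svc-[0-9a-f]{17})$"
)


def parse_service_name(name):
    """Return (region, service id), or raise if the string is not a service name."""
    m = SERVICE_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an endpoint service name: {name!r}")
    return m.group("region"), m.group("svc")


def check_endpoint_is_private(dns_name, vpc_cidr, resolve):
    """Resolve the interface endpoint's DNS name and confirm every address lies
    inside the client VPC's CIDR (the endpoint's network interfaces). Any address
    outside the VPC means the connection would not use the PrivateLink path."""
    vpc = ipaddress.ip_network(vpc_cidr)
    addrs = [ipaddress.ip_address(a) for a in resolve(dns_name)]
    if not addrs:
        raise ValueError(f"{dns_name} did not resolve; is the endpoint Available?")
    outside = [str(a) for a in addrs if a not in vpc]
    if outside:
        raise ValueError(f"{dns_name} resolves outside {vpc_cidr}: {outside}")
    return [str(a) for a in addrs]


def build_psql_uri(password, host, user="master", port=5432, db="postgres"):
    """Percent-encode the password so characters such as @ / : do not break the URI."""
    return f"postgresql://{user}:{quote(password, safe='')}@{host}:{port}/{db}"


# Constructed sample data standing in for real DNS answers (hostnames are made up).
SAMPLE_VPC_CIDR = "10.0.0.0/16"
SAMPLE_DNS = {
    "vpce-0123abc.vpce-svc-0e123abc123198abc.us-east-1.vpce.amazonaws.com": ["10.0.1.25", "10.0.2.40"],
    "example.invalid": ["203.0.113.5"],
}

if __name__ == "__main__":
    print(parse_service_name("com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc"))
    host = next(iter(SAMPLE_DNS))
    print(check_endpoint_is_private(host, SAMPLE_VPC_CIDR, lambda n: SAMPLE_DNS.get(n, [])))
    print(build_psql_uri("p@ss/w:rd", host))
```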