AWS PrivateLink

AWS PrivateLink is an AWS service which allows one-way secure access to Rockset from a customer's VPC without API requests or queries ever traversing through the public internet. It provides additional security and protection against data exfiltration and allows customers to take advantage of Rockset's fully managed real-time analytics platform while meeting high security standards.

Architecture

AWS PrivateLink architecture with the customer's AWS VPC/account and their Rockset account

  • All traffic that flows through the AWS PrivateLink will incur additional network expenses in your AWS account. Please work with your Rockset and AWS solutions partners to estimate what those charges would be ahead of time to avoid surprises. These AWS network charges will be accrued for every AZ in every VPC endpoint ($/hour) from which you will be accessing Rockset in addition to the network transfer costs based on data transferred over the AWS PrivateLink ($/GiB).
  • Use IP Allowlisting to allow IP addresses from which administrators might want to access their Rockset account. This will help administrators troubleshoot issues without the fear of getting locked out of their Rockset account.
  • You will need outbound Internet access to access and login to the Rockset Console. This is required for the Rockset Console to authenticate the user including enforcing SSO and Multi-Factor Authentication. Once authenticated, all console traffic will traverse through AWS PrivateLink. This requirement only applies for accessing Rockset Console. Applications can connect securely to Rockset using API keys over the AWS PrivateLink API endpoint and your servers hosting your application do not need outbound Internet access.

Installation

🚧

API endpoint addresses will vary by region.

The following set of instructions uses the Frankfurt region as an example.

Step 1: Register your AWS Account with Rockset

Please provide your 12 digit AWS account ID to your Rockset solutions architect.

Step 2: Configure your AWS VPC endpoint

In your AWS account, create a VPC endpoint by following directions on the AWS docs.

  1. Go to "Create Endpoint".
  2. Create an endpoint and select "Other endpoint services".
    AWS PrivateLink Endpoint Settings
  3. Set the correct VPC endpoint service depending on region.
    • Use com.amazonaws.vpce.eu-central-1.vpce-svc-02f409ce75f330219 for Frankfurt.
    • Use com.amazonaws.vpce.us-west-2.vpce-svc-030e98de8dbf451c0 for Oregon.
    • Use com.amazonaws.vpce.us-east-1.vpce-svc-00b38ed8b65eac319 for N. Virginia.
    • Use com.amazonaws.vpce.ap-southeast-2.vpce-svc-0e87c1c5e53c17630 for Sydney.
    • Use com.amazonaws.vpce.eu-west-1.vpce-svc-0a6d7db7c0b18f762 for Dublin.
      AWS PrivateLink Service Settings
  4. Choose the VPC you want to use to connect to the endpoint
    AWS PrivateLink VPC Endpoint
  5. Next, expand "Additional Settings" and check "Enable DNS name". Refer to the info blurb to ensure you have the correct VPC attributes enabled.
    AWS PrivateLink Additional Settings
  6. Once you select VPC, you can set your subnets for your availability zones. These are subnets where the resources that connect to privatelink live. Our load balancers may not be present in every availability zone in the region, but as long as you can route through the subnets capable of connecting to privatelink, you should not experience any issues. Contact our support team if this does not work for you.
    AWS PrivateLink Subnets
  7. Set a security group. Note that this security group must allow port 443 inbound from wherever your requests originate, as that is the port required to make API requests to Rockset.
    AWS PrivateLink Security Groups
  8. Hit create endpoint
    Wait for the endpoint to go from “Pending” to “Active”. This usually takes about 5 minutes.
    AWS PrivateLink VPC Pending
    AWS PrivateLink VPC Available
  9. Verify that the "Private DNS names enabled" section reads "Yes"
    AWS PrivateLink VPC Verify

At this point your Rockset account can be accessed both via the AWS PrivateLink API endpoint and the public API endpoint (example for Frankfurt region: api.euc1a1.rockset.com). Follow steps below to turn off your public API endpoint.

Step 3: Validate connectivity

If the steps above were set up correctly, then at this point you should be able to access Rockset from both the AWS PrivateLink API endpoint and the public API endpoint.

Connectivity diagram where both AWS PrivateLink API endpoint and the public API endpoint are available

Run the following commands from any client computer that has outbound Internet connectivity in order to verify you have access to the public API endpoint. Example below uses thee public API endpoints for the Frankfurt region:

$ curl https://api.euc1a1.rockset.com/
{"message":"GO ROCKSET!"}

$ curl --request GET \
 --url https://api.euc1a1.rockset.com/v1/orgs/self/users/self \
 -H 'Authorization: ApiKey $ROCKSET_APIKEY'
{
  "created_at": "2021-08-28T00:23:41Z",
  "state": "ACTIVE",
  "email": ...
}

Run the following commands from a client computer that has a connection to the network that hosts your AWS PrivateLink API endpoint in order to verify you have access to the AWS PrivateLink API endpoint. Example below uses the AWS PrivateLink API endpoint for the Frankfurt region:

$ curl https://privatelink.euc1a1.rockset.com/
{"message":"GO ROCKSET!"}

$ curl --request GET \
 --url https://privatelink.euc1a1.rockset.com/v1/orgs/self/users/self \
 -H 'Authorization: ApiKey $ROCKSET_APIKEY'
{
  "created_at": "2021-08-28T00:23:41Z",
  "state": "ACTIVE",
  "email": ...
}

Step 4: Turn off the public API endpoint

Once you confirm that you are able to access your Rockset account from both privatelink and the public API endpoint, use the IP Allowlisting feature to turn off the public API endpoint. Rockset's IP Allowlisting will only affect the public API endpoint and will not have any effect on the AWS PrivateLink API endpoint.

Connectivity diagram where both AWS PrivateLink API endpoint and the public API endpoint are available

Step 5: Validate public endpoint access is blocked

Run the following commands from a client computer that has a connection to the network that hosts your AWS PrivateLink API endpoint. From there you need to verify that you have blocked access to the public API endpoint but your AWS PrivateLink API endpoint works as expected. Example for Frankfurt region:

# this should succeed

$ curl https://api.euc1a1.rockset.com/
{"message":"GO ROCKSET!"}

# this should fail

$ curl --request GET \
 --url https://api.euc1a1.rockset.com/v1/orgs/self/users/self \
 -H 'Authorization: ApiKey $ROCKSET_APIKEY'
{"message":"Authentication Failure","type":"AuthException", ...}

# this should succeed

$ curl --request GET \
 --url https://privatelink.euc1a1.rockset.com/v1/orgs/self/users/self \
 -H 'Authorization: ApiKey $ROCKSET_APIKEY'
{
  "created_at": "2021-08-28T00:23:41Z",
  "state": "ACTIVE",
  "email": ...
}