Private service endpoints
A private service endpoint (PSE) is used to connect a YugabyteDB Aeon cluster that is deployed in a Virtual Private Cloud (VPC) with other services on the same cloud provider, typically a VPC hosting the application that you want to access your cluster. The PSE on your cluster connects to an endpoint on the VPC hosting your application over a private connection, referred to as a private link. Because traffic stays on the provider's private network, it never traverses the public internet.
Overview
While cloud providers refer to the components of a private link service in different ways, these components serve the same purposes.
| YugabyteDB | AWS PrivateLink | Azure Private Link | Description |
|---|---|---|---|
| VPC | VPC | VNet | Secure virtual network created on a cloud provider. |
| PSE | Endpoint service | Private Link service | The endpoints on your cluster that you make available to the private link. |
| Application VPC endpoint | Interface VPC endpoint | Private endpoint | The endpoints on the application VPC corresponding to the PSEs on your cluster. |
| Security principal | AWS principal (ARN) | Subscription ID | Cloud provider account with permissions to manage endpoints. |
| Service name | Service name | Alias | Identifies the PSE to the application VPC endpoint. You provide the service name when creating the application VPC endpoint. |
Setting up a private link to connect your cluster to your application VPC involves the following tasks:
- Deploy your cluster in a VPC. You must create a VPC and deploy your cluster before you can configure the PSE.
- Create a PSE in each region of your cluster. The PSE is an endpoint service, and you activate it by granting access to a security principal on your application VPC.
  - In the case of AWS, a security principal is an AWS principal, in the form of an Amazon Resource Name (ARN).
  - For Azure, a security principal is the ID of the subscription that you want to have access.
- On the cloud provider, create an interface VPC endpoint (AWS) or a private endpoint (Azure) on the VPC (VNet) hosting your application. You create an endpoint for each region in your cluster, providing the service name of the corresponding PSE on your cluster.
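The following shell script is an added example for the last step above on AWS; it is not part of the YugabyteDB documentation or the ybm CLI. It checks that the PSE service name is well formed and that its region matches the application VPC's region (the same-region requirement from the Prerequisites) before printing the `aws ec2 create-vpc-endpoint` command for review. The service name, VPC, subnet, and security group IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the YugabyteDB docs. Preflight checks plus the
# AWS CLI call that creates the interface VPC endpoint on the application VPC.
# All resource IDs below are constructed placeholders.

# AWS endpoint service names have the form com.amazonaws.vpce.<region>.vpce-svc-<id>.
# Print the <region> part, or fail if the name does not have that form.
pse_region() {
  name="$1"
  case "$name" in
    com.amazonaws.vpce.*.vpce-svc-*) ;;
    *) echo "not an AWS endpoint service name: $name" >&2; return 1 ;;
  esac
  rest="${name#com.amazonaws.vpce.}"
  echo "${rest%%.*}"
}

# The application VPC must be in the same region as the PSE it connects to.
# Returns 0 when the regions match, 1 otherwise.
check_same_region() {
  service_name="$1"; vpc_region="$2"
  region="$(pse_region "$service_name")" || return 1
  if [ "$region" != "$vpc_region" ]; then
    echo "region mismatch: PSE is in $region, application VPC is in $vpc_region" >&2
    return 1
  fi
  return 0
}

# Build the create-vpc-endpoint command for one region. It is printed rather
# than executed so it can be reviewed first; pipe the output to sh to run it.
# The security group attached to the endpoint must allow inbound traffic from
# the application subnets on the database port (5433 for YSQL by default).
endpoint_create_cmd() {
  service_name="$1"; vpc_id="$2"; subnet_ids="$3"; sg_id="$4"
  region="$(pse_region "$service_name")" || return 1
  printf 'aws ec2 create-vpc-endpoint --region %s --vpc-id %s --vpc-endpoint-type Interface --service-name %s --subnet-ids %s --security-group-ids %s\n' \
    "$region" "$vpc_id" "$service_name" "$subnet_ids" "$sg_id"
}

# Constructed sample values (placeholders, not real resources).
SERVICE_NAME="com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0"
APP_VPC_REGION="us-east-1"
APP_VPC_ID="vpc-0aaaaaaaaaaaaaaaa"
APP_SUBNET_IDS="subnet-0bbbbbbbbbbbbbbbb subnet-0ccccccccccccccccc"
ENDPOINT_SG_ID="sg-0ddddddddddddddddd"

# Only emit the command when the preflight check passes.
if check_same_region "$SERVICE_NAME" "$APP_VPC_REGION"; then
  endpoint_create_cmd "$SERVICE_NAME" "$APP_VPC_ID" "$APP_SUBNET_IDS" "$ENDPOINT_SG_ID"
fi
```

Run the script once per cluster region with that region's PSE service name, and replace the placeholder IDs with those of your application VPC. Azure is not covered here; the private endpoint there is created from the Private Link service alias instead of a service name.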
Limitations
- Currently, PSEs are supported for AWS PrivateLink and Azure Private Link.
- You can't use smart driver load balancing features when connecting to clusters over a private link. See YugabyteDB smart drivers for YSQL.
Prerequisites
Before you can create a PSE, you need to do the following:
- Create a VPC. Refer to Create a VPC. Make sure your VPC is in the same region as the application VPC to which you will connect your endpoint.
- Deploy a YugabyteDB cluster in the VPC. Refer to Create a cluster.
In addition, if you want to use ybm CLI to create PSEs, you need to do the following:
- Create an API key. Refer to API keys.
- Install and configure ybm CLI. Refer to Install and configure.
Note that, unlike VPC peering, when your cluster is connected to an application VPC using a private link, you do not need to add the application's addresses to an IP allow list on your cluster.