Last Updated: 2024-04-16
AWS PrivateLink provides private connectivity between virtual private clouds (VPCs), supported AWS services, and on-premises networks without exposing traffic to the public internet.
Starburst Galaxy supports AWS PrivateLink for some of its catalogs. In this tutorial, you will learn how to configure PrivateLink for an Amazon RDS instance using an AWS CloudFormation Template (CFT).
A CloudFormation template (CFT) is a JSON or YAML file used to define AWS resources and their configurations when deploying application or infrastructure stacks. It is a popular way of automating infrastructure deployments on AWS, and is particularly useful in multi-region clusters.
The CFT provided in this tutorial should be used whenever you are working with a multi-region RDS cluster or Aurora cluster. These clusters can fail over from one availability zone to another, which changes the IP address behind the endpoint. The CFT includes a crucial Lambda script that monitors failovers and updates the IP address registered in the target group used by the endpoint service accordingly. This keeps the service available, without manual intervention, even during failover events.
The CFT also deploys the target group, network load balancer, and endpoint service required for PrivateLink.
In this tutorial, you will learn how to use a CFT to configure AWS PrivateLink for an Amazon RDS instance.
Once you've completed this tutorial, you will be able to:
Starburst tutorials are designed to get you up and running quickly by providing bite-sized, hands-on educational resources. Each tutorial explores a single feature or topic through a series of guided, step-by-step instructions.
As you navigate through the tutorial you should follow along using your own Starburst Galaxy account. This will help consolidate the learning process by mixing theory and practice.
If you are configuring PrivateLink for the first time, you are encouraged to work with a Starburst technical resource, who will help you set up the environment needed to complete the tutorial.
To be assigned this resource, reach out to your regular Starburst account team for assistance.
Please review the following overview of this process before beginning the tutorial.
Your responsibilities:
Understanding the Amazon RDS PrivateLink architecture is important when completing the steps in this tutorial. In this section you will learn about this architecture and the way that Starburst Galaxy uses it to securely connect private clouds.
This tutorial also follows the corresponding GitHub README on the topic. It is recommended that you review the README alongside this tutorial for more information.
The following diagram illustrates a PrivateLink connection between the Starburst Galaxy VPC and the Amazon RDS VPC.
Review the diagram and corresponding notes below for more information.
It's time to get started. In this section, you'll begin by obtaining some key information about your Amazon RDS instance, including:
You'll need this information to prepare the CloudFormation Template prior to deployment.
You're going to start by signing in to your AWS console.
Remember that this should be the AWS account containing the RDS instance that you would like to connect using PrivateLink, so if you use multiple AWS accounts, ensure that you pick the correct one.
Now it's time to find the right RDS instance. Depending on your workflow, you might have multiple instances in the same AWS account, so make sure you select the correct one.
Now it's time to record details about your RDS instance.
For example:
Engine: PostgreSQL
Endpoint: erin-rosas-bootcamp-postgresql.cs8j7iukogcy.us-east-2.rds.amazonaws.com
Port: 5432
Availability zone: us-east-2a
VPC: bootcamp-vpc (vpc-0a354f3468f906f36)
Subnets: subnet-0ba16d518af670462, subnet-079aebff5aec9ee59, subnet-011342a0c2d61823d
Next, you will use your RDS endpoint to determine its IP address.
To do this, you'll use a terminal window. Again, you will be copying information into your text editor.
Note: The command you choose will depend on your operating system. Be sure to replace [rds-endpoint] with your actual RDS endpoint.
nslookup [rds-endpoint]
dig [rds-endpoint]
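The address you just resolved is the value that gets registered in the target group later in this tutorial, and it is also exactly the value that changes when a multi-region cluster fails over, which is why the template ships a Lambda to keep the target group current. The following Python is an added example, not the Lambda from the aws-samples template: it resolves the endpoint the same way nslookup/dig do, compares the result with the targets currently registered, and registers the new address before deregistering the stale one. The environment variable names, the function names and the sample DescribeTargetHealth response are assumptions.

```python
"""Keep an NLB target group pointed at the current IP of an RDS endpoint.

Added example, not the Lambda shipped in the aws-samples CloudFormation
template. The planning logic is kept free of AWS calls so it can be run and
tested offline; only lambda_handler talks to AWS.
"""
import socket

# Constructed sample of a DescribeTargetHealth response, shaped like the
# boto3 elbv2 API output (the IP address is made up).
SAMPLE_HEALTH = [
    {"Target": {"Id": "10.0.1.10", "Port": 5432},
     "TargetHealth": {"State": "healthy"}},
]


def resolve_endpoint(hostname):
    """Return the set of IPv4 addresses the RDS endpoint currently resolves to.

    This is the nslookup/dig step done programmatically.
    """
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def registered_ips(health_descriptions):
    """Extract the registered target IPs from a DescribeTargetHealth response."""
    return {d["Target"]["Id"] for d in health_descriptions}


def plan_target_update(registered, resolved):
    """Return (to_register, to_deregister) that makes the target group match DNS.

    A failed lookup (empty resolved set) yields no change: a DNS outage must
    never be turned into an empty target group, which would break the
    PrivateLink connection rather than protect it.
    """
    registered, resolved = set(registered), set(resolved)
    if not resolved:
        return set(), set()
    return resolved - registered, registered - resolved


def lambda_handler(event, context):
    """Entry point for a scheduled Lambda (assumed to run every few minutes).

    Environment variable names are assumptions. The target group must be of
    target type "ip", since an RDS endpoint is not an EC2 instance.
    """
    import os
    import boto3  # present in the Lambda runtime; imported here so the
    # pure functions above can be used without it

    tg_arn = os.environ["TARGET_GROUP_ARN"]
    endpoint = os.environ["RDS_ENDPOINT"]
    port = int(os.environ.get("RDS_PORT", "5432"))
    elbv2 = boto3.client("elbv2")

    health = elbv2.describe_target_health(TargetGroupArn=tg_arn)
    current = registered_ips(health["TargetHealthDescriptions"])
    to_add, to_remove = plan_target_update(current, resolve_endpoint(endpoint))

    # Register the new address before dropping the old one so there is never
    # a moment with zero targets behind the load balancer.
    if to_add:
        elbv2.register_targets(
            TargetGroupArn=tg_arn,
            Targets=[{"Id": ip, "Port": port} for ip in to_add])
    if to_remove:
        elbv2.deregister_targets(
            TargetGroupArn=tg_arn,
            Targets=[{"Id": ip, "Port": port} for ip in to_remove])
    return {"registered": sorted(to_add), "deregistered": sorted(to_remove)}
```

The handler needs an execution role that allows elasticloadbalancing:DescribeTargetHealth, RegisterTargets and DeregisterTargets on that one target group, and nothing broader; the pure functions can be exercised against SAMPLE_HEALTH without any AWS access.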
Now it's time to work with the CloudFormation Template. You will be using a template file provided by AWS. This template simplifies resource creation by completing most of the steps automatically.
For this to work, you will need to enter the required information from your RDS instance. After that, the CFT will create a target group, load balancer, endpoint service, and AWS Lambda function automatically.
In production, this helps to save significant time.
The AWS-samples GitHub repository provides a template file outlining cross-account access methods using PrivateLink.
You'll download this file to simplify the CFT deployment.
Now that you have your CFT template, it's time to deploy the CFT in the AWS console.
Next you'll upload the template that you obtained from GitHub.
This is the CrossAccountRDSAccess.yml file that you downloaded earlier in this tutorial. The template you just uploaded has several parameters that must be entered.
You're going to use the information you recorded in the first section of this tutorial to complete the next few steps.
Next, it's time to add additional parameters to the CFT. Specifically, you need to enter information into the VPC input for lambda section of the console.
arn:aws:iam::179619298502:root
Your stack deployment will now be created. This process takes several minutes.
While you wait, you should monitor the progress of your stack deployment to ensure that the process has finished.
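The principal ARN entered above is what the endpoint service uses to decide which AWS accounts may request a connection to it, so it is worth confirming, once the stack exists, that the allow list contains that principal and nothing else. The following Python is an added example, not code from the template or from Starburst: the function names and the findings format are assumptions, the sample permissions response is constructed (the second account ID in it is made up), and the expected principal is the ARN from this tutorial.

```python
"""Audit who is allowed to connect to the PrivateLink endpoint service.

Added example, not part of the CloudFormation template or of Starburst's
tooling. The expected principal is the ARN entered during stack creation;
the function names and findings format are assumptions.
"""
# The principal the stack was created with (from this tutorial).
EXPECTED_PRINCIPALS = {"arn:aws:iam::179619298502:root"}

# Constructed sample of a DescribeVpcEndpointServicePermissions response,
# shaped like the boto3 ec2 API output, with an extra account added to show
# what a finding looks like (the second account ID is made up).
SAMPLE_PERMISSIONS = {
    "AllowedPrincipals": [
        {"PrincipalType": "Account",
         "Principal": "arn:aws:iam::179619298502:root"},
        {"PrincipalType": "Account",
         "Principal": "arn:aws:iam::111111111111:root"},
    ]
}


def principals_from_response(response):
    """Pull the principal ARNs out of a DescribeVpcEndpointServicePermissions result."""
    return [p["Principal"] for p in response.get("AllowedPrincipals", [])]


def audit_allowed_principals(allowed, expected=EXPECTED_PRINCIPALS):
    """Compare the allow list against what was intended.

    "*" as an allowed principal lets any AWS account request an endpoint to
    this service, which defeats the point of the private connection.
    """
    allowed = set(allowed)
    return {
        "wildcard": "*" in allowed,
        "unexpected": sorted(allowed - expected),
        "missing": sorted(expected - allowed),
    }


def audit_service(service_id):
    """Run the audit against a live endpoint service (needs AWS credentials)."""
    import boto3
    ec2 = boto3.client("ec2")
    perms = ec2.describe_vpc_endpoint_service_permissions(ServiceId=service_id)
    findings = audit_allowed_principals(principals_from_response(perms))
    cfg = ec2.describe_vpc_endpoint_service_configurations(
        ServiceIds=[service_id])["ServiceConfigurations"][0]
    # With acceptance required, a connection request from an allowed principal
    # still has to be approved by you before traffic can flow.
    findings["acceptance_required"] = cfg.get("AcceptanceRequired", False)
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. Against a real stack you
    # would pass the service ID shown later in this tutorial to audit_service.
    print(audit_allowed_principals(principals_from_response(SAMPLE_PERMISSIONS)))
```

Any non-empty "unexpected" list, or "wildcard" set to true, means an account other than the one you entered could request a connection to your database through this service and should be removed from the allow list.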
The CFT you configured in the last section created a stack of available resources. You will now configure these resources to work with your RDS instance using PrivateLink.
To do this, you will update the target group by adding your RDS endpoint IP address to the registered targets list.
In the last section, you ended on the information page listing the details of the new stack that you created using the CFT.
You will continue from this stage by locating your target group.
Now it's time to add your RDS endpoint IP address to the list of targets for the target group.
Time to switch gears. You've completed all of the steps required on your own. Now it's time to contact the Starburst support team to finish the last steps.
Starburst support needs this information to complete the steps on their end.
vpce-svc-035362fdf1ed4780c
You are going to use the automated assistant in Starburst Galaxy to open a support ticket and provide support with the Service name that you just copied. You will also need to provide the port your database is listening on and your preferred Starburst Galaxy PrivateLink configuration name.
That's it. The connection is now being created. This process takes between 1 and 3 minutes to complete.
When this process is complete, you are finished and ready to start using PrivateLink.
Congratulations! You have reached the end of this tutorial, and the end of this stage of your journey.
You're all set! Now you can use PrivateLink to configure access from Starburst Galaxy to data in your Amazon RDS instance.
At Starburst, we believe in continuous learning. This tutorial provides the foundation for further training available on this platform, and you can return to it as many times as you like. Future tutorials will make use of the concepts used here.
Starburst has lots of other tutorials to help you get up and running quickly. Each one breaks down an individual problem and guides you to a solution using a step-by-step approach to learning.
Visit the Tutorials section to view the full list of tutorials and keep moving forward on your journey!