Connecting from AWS

Suggest edits

Two different methods enable you to connect to your private cluster from your application's VPC in AWS. Each method offers different levels of accessibility and security. The VPC endpoint method is recommended and is most commonly used. However, you can also use the VPC peering connection method if required by your organization.

AWS VPC endpoint (recommended)

AWS VPC endpoint (AWS PrivateLink) service is a network interface that securely connects a private IP address from your AWS VPC to an external service. You grant access only to a single cluster instead of the entire BigAnimal resource VPC, thus ensuring maximum network isolation. Other advantages include:

  • You need to configure the PrivateLink only once. Then you can use multiple VPC endpoints to connect applications from different VPCs.
  • There's no risk of IP address conflicts..

There's an associated cost of resources, however.

For more information, see VPC endpoint services (AWS PrivateLink).

Example

This example shows how to connect your cluster using VPC endpoints.

Assume that your cluster is on an account called development and is being accessed from a client on another account called test with the following properties:

  • BigAnimal cluster:

    • AWS account: development
    • Amazon resource name (ARN): arn:aws:iam::123456789123:root
    • Cluster ID: p-mckwlbakq5
    • Account ID: brcxzr08qr7rbei1
    • Organization's domain name: biganimal.io

  • Client:

    • AWS account: test
    • Resource group: rg-client
    • VPC: vpc-client
    • VPC subnet: snet-client

Prerequisites

To walk through an example in your own environment, you need:

  • Your cluster URL. You can find the URL in the Connect tab of your cluster instance in the BigAnimal portal.

Step 1: Create an endpoint service for your cluster

In the AWS account connected to BigAnimal, create an endpoint service to provide access to your clusters from other VPCs in other AWS accounts. Perform this procedure for each cluster to which you want to provide access.

  1. Open the Amazon EC2 console. Ensure that the correct region, where your cluster is deployed, is selected in the upper-right corner of the console.

  2. In the navigation pane, under Load Balancing, select Load Balancers.

  3. Identify the load balancer that is tagged with the ID of the cluster to which you want to connect (<cluster-id>-rw-internal-lb). For example, p-96fh28m3cb-rw-internal-lb. Note the name of that network load balancer.

  4. Open the Amazon VPC console.

  5. From the navigation pane on the left, select Endpoint Services under Virtual Private Cloud, and then select Create endpoint service.

  6. Enter a suitable name for the endpoint service.

  7. Select Network for the load balancer type.

  8. Under Available load balancers, select the network load balancer of the cluster to which you want to connect.

  9. Leave all the other fields with their default values and select Create.

  10. Under Details, note the Service name of the created endpoint service (for example, com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc). You will need the service name while creating a VPC endpoint.

  11. In the navigation pane, select Endpoint Services.

  12. Select your endpoint service from the Actions list, and select Allow principals.

  13. Add the AWS account with which you want to connect to the endpoint service by specifying the ARN for the principal. The ARN must be in this format:

    arn:aws:iam::<AWS ACCOUNT ID>:root

Step 2: Create a VPC endpoint in the client's VPC

Now that your endpoint service is created, you can connect it to the cluster VPC using a VPC endpoint. Perform this procedure in your application's AWS account.

Note

In your application's AWS account, ensure that you allow your application's security group to connect to your cluster.

  1. Open the Amazon VPC console.

  2. Ensure that the correct region, where your cluster is deployed, is selected in the upper-right corner of the console.

  3. From the navigation pane on the left, select Endpoints under Virtual Private Cloud, and then select Create endpoint.

  4. Enter a suitable name for the endpoint service.

  5. Under Service category, select Other endpoint services.

  6. Under Service Name, enter the name of the endpoint service that you created earlier (com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc). Verify whether you have successfully allowed access to the endpoint by selecting Verify service.

  7. Under VPC, select the client's VPC in which to create the endpoint.

  8. Under Subnets, select the subnets (availability zones) in which to create the endpoint network interfaces. Enable the endpoint in all availability zones used by your application.

  9. Select Create endpoint.

Step 3: Accept and test the connection

  1. In your AWS account connected to BigAnimal, select VPCs and then select Endpoint services.

  2. Select the endpoint service instance you created previously and accept the endpoint connection request under Endpoint connections.

  3. You can now successfully connect to your cluster.

    In your application's AWS account, select VPC and then select Endpoints. Select the endpoint you created previously and use the DNS name provided in the details section to access your cluster.

    # Replace the port 5432 below if that has been changed in the Big Animal DB Configuration
psql -h vpce-XXXXXXXXXXXXXXXXXXXX.eu-west-1.vpce.amazonaws.com -U edb_admin -p 5432
    Output
    Password for user edb_admin: 

psql (13.4 (Ubuntu 13.4-1.pgdg28.84+1), server 13.4.8 (Debian 13.4.8-1+deb10)) 
WARNING : psql major version 13, server major version 13. Some psql features might not work. 
SSL connection (protocol : TLSV1.3cipherTLS_AES_256_GCM_SHA384, bits : 256, compression : off) Type "help" for help. 

edb_admin=>

Other method

VPC peering

← Prev

Connecting from Azure

Next →

VPC peering