
PrivateLink Setup

AWS PrivateLink enables private connectivity between your VPC and EZ-CDC without exposing traffic to the public internet. This is the recommended setup for enterprise deployments and regulated industries.

Overview

With PrivateLink, traffic between your workers and the EZ-CDC control plane stays entirely within the AWS network:

[Diagram: PrivateLink Architecture]

Benefits

Aspect            Standard                   PrivateLink
Network Path      Internet                   AWS backbone
IP Addresses      Public                     Private
Data exposure     Encrypted over internet    Never leaves AWS
Firewall rules    Allow outbound internet    Allow VPC endpoint only
Compliance        Varies                     HIPAA, PCI-DSS friendly

Prerequisites

  • An existing EZ-CDC deployment (Standard mode)
  • VPC with private subnets
  • AWS account in a supported region

Step 1: Enable PrivateLink

  1. Go to Deployments → your deployment
  2. Click Settings → Connectivity
  3. Click Enable PrivateLink

You'll receive the VPC Endpoint Service Name:

com.amazonaws.vpce.us-west-2.vpce-svc-0abc123456789def0

Step 2: Create VPC Endpoint

In your AWS account, create an interface endpoint:

Using AWS Console

  1. Go to VPC → Endpoints → Create Endpoint
  2. Select Other endpoint services
  3. Enter the service name from Step 1
  4. Click Verify service
  5. Select your VPC
  6. Select subnets (same as workers)
  7. Select/create a security group
  8. Click Create endpoint

Using Terraform

# Security group for VPC endpoint
resource "aws_security_group" "ezcdc_vpce" {
  name        = "ezcdc-privatelink-endpoint"
  description = "EZ-CDC PrivateLink endpoint"
  vpc_id      = var.vpc_id

  ingress {
    description     = "HTTPS from workers"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.ezcdc_worker.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# VPC Endpoint for EZ-CDC
resource "aws_vpc_endpoint" "ezcdc" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.vpce.us-west-2.vpce-svc-0abc123456789def0"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.ezcdc_vpce.id]
  private_dns_enabled = false # We'll use the endpoint DNS

  tags = {
    Name = "ezcdc-privatelink"
  }
}

output "ezcdc_endpoint_dns" {
  value = aws_vpc_endpoint.ezcdc.dns_entry[0].dns_name
}

Using AWS CLI

aws ec2 create-vpc-endpoint \
  --vpc-id vpc-0123456789abcdef0 \
  --service-name com.amazonaws.vpce.us-west-2.vpce-svc-0abc123456789def0 \
  --vpc-endpoint-type Interface \
  --subnet-ids subnet-111111 subnet-222222 \
  --security-group-ids sg-0123456789abcdef0

Step 3: Accept Connection

The endpoint will be in pendingAcceptance state. EZ-CDC automatically accepts connections from authorized accounts.

Wait 1-2 minutes for status to change to available.

Step 4: Update Deployment

  1. Get the VPC Endpoint DNS name:

    vpce-0abc123def456.vpce-svc-0xyz789.us-west-2.vpce.amazonaws.com
  2. In EZ-CDC portal:

    • Go to Deployments → your deployment
    • Click Settings → Connectivity
    • Enter the Endpoint DNS
    • Click Switch to PrivateLink

Workers will restart and connect via PrivateLink.

Check Endpoint Status

aws ec2 describe-vpc-endpoints \
  --vpc-endpoint-ids vpce-0abc123def456 \
  --query 'VpcEndpoints[0].State'

Should return available.

Check Worker Connectivity

In the portal, verify workers show:

Deployment: production
Connectivity: PrivateLink ✓
Workers: 1/1 healthy
Endpoint: vpce-0abc123def456.vpce-svc-0xyz789.us-west-2.vpce.amazonaws.com

Verify No Internet Traffic

Workers should no longer need NAT Gateway for control plane traffic. You can verify by:

  1. Removing the 0.0.0.0/0 route from private subnets
  2. Verifying workers still connect (they use VPC endpoint)
  3. (Re-add route if workers need internet for other purposes)

Security Group Configuration

VPC Endpoint Security Group

resource "aws_security_group" "ezcdc_vpce" {
  name   = "ezcdc-privatelink-endpoint"
  vpc_id = var.vpc_id

  # Allow HTTPS from workers
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.ezcdc_worker.id]
  }
}

Update Worker Security Group

With PrivateLink, workers only need:

resource "aws_security_group" "ezcdc_worker" {
  name   = "ezcdc-worker"
  vpc_id = var.vpc_id

  # HTTPS to VPC endpoint (instead of internet)
  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.ezcdc_vpce.id]
  }

  # Database access (unchanged)
  egress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.postgres.id]
  }

  egress {
    from_port       = 8040
    to_port         = 8040
    protocol        = "tcp"
    security_groups = [aws_security_group.starrocks.id]
  }

  egress {
    from_port       = 9030
    to_port         = 9030
    protocol        = "tcp"
    security_groups = [aws_security_group.starrocks.id]
  }
}
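An added audit script (example code, not EZ-CDC's own) that checks a worker and an endpoint security group against the layout above: worker HTTPS egress may only target the endpoint security group, and endpoint HTTPS ingress may only come from the worker security group. The rule dictionaries follow the shape of `aws ec2 describe-security-groups` output; the sample groups, their IDs and the leftover 0.0.0.0/0 rule are constructed.

```python
"""Offline audit of the PrivateLink security-group posture (constructed
example, not EZ-CDC code). Rule dicts mimic describe-security-groups."""

HTTPS = 443


def covers_https(rule):
    """True if a rule applies to TCP 443 (an all-traffic '-1' rule counts too)."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("IpProtocol") == "tcp" and rule["FromPort"] <= HTTPS <= rule["ToPort"]


def check_https_peers(rules, direction, allowed_sg):
    """Flag any 443 rule whose peer is a CIDR or a security group other than allowed_sg."""
    findings = []
    for rule in rules:
        if not covers_https(rule):
            continue
        for cidr in rule.get("IpRanges", []):
            findings.append(f"{direction} 443 via CIDR {cidr['CidrIp']}")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] != allowed_sg:
                findings.append(f"{direction} 443 via unexpected SG {pair['GroupId']}")
    return findings


def audit_privatelink_sgs(worker_sg, vpce_sg):
    """Empty list means: worker HTTPS egress only to the endpoint SG, and
    endpoint HTTPS ingress only from the worker SG. Non-443 rules are ignored."""
    return (check_https_peers(worker_sg["IpPermissionsEgress"], "worker egress", vpce_sg["GroupId"])
            + check_https_peers(vpce_sg["IpPermissions"], "endpoint ingress", worker_sg["GroupId"]))


# Constructed sample: the worker SG still carries the pre-PrivateLink internet egress.
WORKER_SG = {
    "GroupId": "sg-worker",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-postgres"}]},
    ],
}
VPCE_SG = {
    "GroupId": "sg-vpce",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-worker"}]},
    ],
}
```

Running `audit_privatelink_sgs(WORKER_SG, VPCE_SG)` on the sample reports the lingering 0.0.0.0/0 egress on 443; replacing that rule with one whose peer is the endpoint security group yields no findings.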

Costs

PrivateLink incurs additional AWS charges:

Component                 Cost (us-west-2)
VPC Endpoint (hourly)     ~$0.01/hour
Data processed            ~$0.01/GB

Typical monthly cost: $10-30 depending on data volume.

Troubleshooting

Endpoint stuck in "pending"

  • Verify the service name is correct
  • Check your AWS account is allowed (contact EZ-CDC support)

Workers not connecting

  1. Verify endpoint status is available
  2. Check security group allows 443 from workers
  3. Verify workers have the correct endpoint DNS configured

Mixed connectivity (some workers on internet)

  • Ensure all workers are restarted after enabling PrivateLink
  • Check deployment configuration shows PrivateLink mode

To revert to standard connectivity:

  1. Go to Deployments → your deployment
  2. Click Settings → Connectivity
  3. Click Switch to Standard

Workers will restart and use internet connectivity.

You can then delete the VPC endpoint in AWS to stop incurring charges.
