Amazon VPC Endpoints

How to create an Amazon VPC Endpoint for Altinity.Cloud Services

Altinity.Cloud users can connect a VPC (Virtual Private Cloud) Endpoint from existing AWS environments to their Altinity.Cloud environment. The VPC Endpoint becomes a private connection between their existing Amazon services and Altinity.Cloud without exposing the connection to the Internet.

The following instructions are based on the AWS console. Examples of equivalent Terraform scripts are included.

These instructions assume you already have an AWS account with a configured VPC endpoint. From that starting point, there are four steps:

  1. Contact Altinity support to get an endpoint service name and to verify your Altinity.Cloud environment’s URL.
  2. Create a VPC endpoint. This must be in the same region as the AWS-hosted service you’re connecting to.
  3. Create a private Route 53 Hosted Zone for your Altinity.Cloud account.
  4. Create a CNAME record and a routing policy to route traffic to your service.

Step 1. Contact Altinity support

To get started, you’ll need an endpoint service name and your Altinity.Cloud environment’s URL. Contact us to get those.

For an endpoint service name, you’ll need your AWS account ID. You can find that by clicking your username in the upper right corner of the AWS console:

Figure 1 - Getting your AWS account ID

The account ID in Figure 1 is 1111-2222-3333. Given your AWS account ID, Altinity support will give you an endpoint service name from Altinity.Cloud’s AWS account. You’ll use that service name in step 2.

Your Altinity.Cloud environment’s URL is typically internal.[altinity.cloud environment name].altinity.cloud. If your environment name is altinity.maddie, your URL is probably internal.altinity.maddie.altinity.cloud, but Altinity Support will tell you for sure. You’ll use that URL in step 3.

Step 2. Create a VPC endpoint

Now it’s time to create a VPC endpoint. To do that, go to the VPC Dashboard, click Endpoints in the left navigation panel, then click the button:

Figure 2 - The Endpoints dashboard

This takes you to the Endpoint settings panel:

Figure 3 - Creating a VPC endpoint with the service name from Altinity support

On the Endpoint settings panel, select Other endpoint services in the middle of the panel, then paste the service name you got from Altinity support into the Service settings section and click the button. If the service name is valid, you should see a green box as in Figure 3 above. Next, select a VPC from the dropdown list in the VPC section of the panel. You can also add a name tag for the endpoint at the top of the panel if you want.

Once the service name is verified and the VPC is selected, scroll to the bottom of the page and click the button.

Terraform VPC endpoint configuration

To create a VPC endpoint with Terraform, fill in the appropriate values in this script:

resource "aws_vpc_endpoint" "this" {
  # Service name supplied by Altinity support in step 1
  service_name        = local.service_name
  vpc_endpoint_type   = "Interface"
  vpc_id              = aws_vpc.this.id
  subnet_ids          = [aws_subnet.this.id]
  security_group_ids  = [aws_vpc.this.default_security_group_id]
  # Private DNS stays off; the private Route 53 zone created in step 3 supplies the names
  private_dns_enabled = false
  tags                = local.tags
}

Step 3. Create a private Route 53 Hosted Zone

With your VPC endpoint defined, the next step is to create a private Route 53 Hosted Zone. To do that, go to the Route 53 dashboard, select Hosted zones in the navigation panel, then click the button.

Figure 4 - The Hosted zones tab of the Route 53 dashboard

This takes you to the Create hosted zone panel:

Figure 5 - The Create hosted zone panel

On the Create hosted zone panel, enter the domain name for your Altinity.Cloud environment. Select Private hosted zone in the Type section, then select one or more regions and one or more VPCs in each. Once you’ve set the values the way you want, scroll to the bottom of the screen and click the button.

Terraform Route 53 configuration

To create a Route 53 private zone with Terraform, fill in the appropriate values in this script:

resource "aws_route53_zone" "this" {
  # Zone name is the environment URL from step 1, e.g. internal.altinity.maddie.altinity.cloud.
  # local.environment_name is assumed to hold the environment name (e.g. altinity.maddie)
  name = "internal.${local.environment_name}.altinity.cloud."

  # Associating a VPC makes this a private hosted zone
  vpc {
    vpc_id = aws_vpc.this.id
  }

  tags = local.tags
}

Step 4. Create a CNAME record

From the Endpoints tab on the VPC dashboard, click on the VPC endpoint ID for the endpoint you created in step 2. You should see a Details panel:

Figure 6 - Details of a VPC endpoint

The detail you need is a DNS name; there will likely be several, as shown in Figure 6. Choose any one of them and click the icon to copy the DNS name.

Now go back to the Route 53 dashboard, and open the Hosted zones tab, then click the hosted zone you just created:

Figure 7 - The Route 53 dashboard with your new hosted zone

In the hosted zone details panel, click the button:

Figure 8 - The Hosted zone details panel

Next, choose the Simple routing policy:

Figure 9 - Choosing the simple routing policy

Click Next to continue.

On the Configure records panel, click the button:

Figure 10 - The Configure records panel

In the Define simple record panel, enter * as the record name, select CNAME as the record type, then select IP address or another value, depending on the record type, and paste in the DNS name you copied in Figure 6 above:

Figure 11 - Defining a simple record

With the details set, click the button.

Congratulations! You’re done!

Terraform CNAME configuration

To create a CNAME record with Terraform, fill in the appropriate values in this script:

resource "aws_route53_record" "this" {
  zone_id = aws_route53_zone.this.zone_id
  # Wildcard record below the zone apex, i.e. *.internal.<environment name>.altinity.cloud.
  name    = "*.${aws_route53_zone.this.name}"
  type    = "CNAME"
  ttl     = 300
  # Any of the endpoint's DNS names will do (step 4); the first entry is used here
  records = [aws_vpc_endpoint.this.dns_entry[0]["dns_name"]]
}

Testing your endpoint

To verify that the VPC Endpoint works, launch an EC2 instance in your environment. Open a shell in that instance and execute this curl command with the URL of your Altinity.Cloud environment:

curl -sS https://internal.altinity.maddie.altinity.cloud
OK

If everything works, the command will return OK. (The -s option suppresses curl's progress meter and -S makes it still report an error if the request fails, so you see either the endpoint's response or the error message.)
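The curl check confirms that the service answers; it does not by itself show that the answer came over the private path rather than the Internet. The check below, an added example that is not part of the Altinity documentation, takes the CNAME target and A record you would see with dig from the EC2 instance and verifies that the name is covered by the wildcard record in the private zone, that the CNAME points at an interface-endpoint DNS name, and that the address lies inside the VPC. The environment name, endpoint and service IDs, and addresses are constructed.

```python
"""Verify that a name from the private hosted zone resolves to the VPC endpoint.

Added example, not part of the Altinity documentation. The DNS answers below
are constructed to stand in for what dig returns on an EC2 instance in the VPC.
"""
import ipaddress
import re

# Interface-endpoint DNS names have the shape
#   vpce-<endpoint id>-<suffix>[-<az>].vpce-svc-<service id>.<region>.vpce.amazonaws.com
VPCE_NAME = re.compile(
    r"^vpce-[0-9a-f]+-[0-9a-z]+(?:-[a-z0-9-]+)?"
    r"\.vpce-svc-[0-9a-f]+\.[a-z0-9-]+\.vpce\.amazonaws\.com\.?$"
)


def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot so names compare consistently."""
    return name.lower().rstrip(".")


def covered_by_wildcard(name: str, zone: str) -> bool:
    """True if the record *.<zone> answers for name: the name must have at
    least one label below the zone apex; the apex itself is never matched."""
    name, zone = _norm(name), _norm(zone)
    return name != zone and name.endswith("." + zone)


def check_private_resolution(name, cname_target, answer_ip, vpc_cidr, zone):
    """Return (ok, findings) for one resolution observed inside the VPC."""
    findings = []
    if not covered_by_wildcard(name, zone):
        findings.append(f"{name} is not matched by *.{_norm(zone)}")
    if not VPCE_NAME.match(cname_target.lower()):
        findings.append(f"CNAME target {cname_target} is not an interface-endpoint name")
    if ipaddress.ip_address(answer_ip) not in ipaddress.ip_network(vpc_cidr):
        findings.append(f"{answer_ip} lies outside {vpc_cidr}: traffic would leave the VPC")
    return (not findings, findings)


# Constructed sample: made-up environment name, endpoint/service IDs and addresses.
ZONE = "internal.altinity.maddie.altinity.cloud"
GOOD = dict(
    name="clickhouse." + ZONE,
    cname_target="vpce-0123456789abcdef0-ab12cd34.vpce-svc-0fedcba9876543210.us-east-1.vpce.amazonaws.com",
    answer_ip="10.0.1.25", vpc_cidr="10.0.0.0/16", zone=ZONE,
)

if __name__ == "__main__":
    ok, why = check_private_resolution(**GOOD)
    print("private path OK" if ok else "\n".join(why))
```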

References

Amazon’s documentation has lots of great articles on using AWS services. Here are a couple that we’ve found really useful: