Amazon VPC Endpoints
Altinity.Cloud users can connect a VPC (Virtual Private Cloud) Endpoint from existing AWS environments to their Altinity.Cloud environment. The VPC Endpoint becomes a private connection between their existing Amazon services and Altinity.Cloud without exposing the connection to the Internet.
The following instructions are based on the AWS console. Examples of equivalent Terraform scripts are included.
These instructions assume you already have an AWS account with a configured VPC endpoint. From that starting point, there are four steps:
- Contact Altinity support to get an endpoint service name and to verify your Altinity.Cloud environment’s URL.
- Create a VPC endpoint. This must be in the same region as the AWS-hosted service you’re connecting to.
- Create a private Route 53 Hosted Zone for your Altinity.Cloud account.
- Create a CNAME record and a routing policy to route traffic to your service.
Step 1. Contact Altinity support
To get started, you’ll need an endpoint service name and your Altinity.Cloud environment’s URL. Contact us to get those.
For an endpoint service name, you’ll need your AWS account ID. You can find that by clicking your username in the upper right corner of the AWS console:
Figure 1 - Getting your AWS account ID
The account ID in Figure 1 is 1111-2222-3333. Given your AWS account ID, Altinity support will give you an endpoint service name from Altinity.Cloud’s AWS account. You’ll use that service name in step 2.
Your Altinity.Cloud environment’s URL is typically internal.[altinity.cloud environment name].altinity.cloud. If your environment name is altinity.maddie, your URL is probably internal.altinity.maddie.altinity.cloud, but Altinity Support will tell you for sure. You’ll use that URL in step 3.
Step 2. Create a VPC endpoint
Now it’s time to create a VPC endpoint. To do that, go to the VPC Dashboard, click Endpoints in the left navigation panel, then click the button:
Figure 2 - The Endpoints dashboard
This takes you to the Endpoint settings panel:
Figure 3 - Creating a VPC endpoint with the service name from Altinity support
On the Endpoint settings panel, select Other endpoint services in the middle of the panel, then paste the service name you got from Altinity support into the Service settings section and click the button. If the service name is valid, you should see a green box as in Figure 3 above. Then select a VPC from the dropdown list in the VPC section of the panel. You can also add a name tag for the endpoint at the top of the panel if you want.
Once the service name is verified and the VPC is selected, scroll to the bottom of the page and click the button.
Terraform VPC endpoint configuration
To create a VPC endpoint with Terraform, fill in the appropriate values in this script:
resource "aws_vpc_endpoint" "this" {
  service_name        = local.service_name   # endpoint service name from Altinity support (step 1)
  vpc_endpoint_type   = "Interface"
  vpc_id              = aws_vpc.this.id
  subnet_ids          = [aws_subnet.this.id]
  security_group_ids  = [aws_vpc.this.default_security_group_id]
  private_dns_enabled = false                # names are served by the private zone created in step 3
  tags                = local.tags
}
Step 3. Create a private Route 53 Hosted Zone
With your VPC endpoint defined, the next step is to create a private Route 53 Hosted Zone. To do that, go to the Route 53 dashboard, select Hosted zones in the navigation panel, then click the button.
Figure 4 - The Hosted zones tab of the Route 53 dashboard
This takes you to the Create hosted zone panel:
Figure 5 - The Create hosted zone panel
On the Create hosted zone panel, enter the domain name for your Altinity.Cloud environment. Select Private hosted zone in the Type section, then select one or more regions and one or more VPCs in each. Once you’ve set the values the way you want, scroll to the bottom of the screen and click the button.
Terraform Route 53 configuration
To create a Route 53 private zone with Terraform, fill in the appropriate values in this script:
resource "aws_route53_zone" "this" {
  # local.environment_name holds your Altinity.Cloud environment name (for example altinity.maddie)
  name = "internal.${local.environment_name}.altinity.cloud."
  vpc {
    vpc_id = aws_vpc.this.id
  }
  tags = local.tags
}
Step 4. Create a CNAME record
From the Endpoints tab on the VPC dashboard, click on the VPC endpoint ID for the endpoint you created in step 2. You should see a Details panel:
Figure 6 - Details of a VPC endpoint
The detail you need is a DNS name; there will likely be several, as shown in Figure 6. Choose any one of them and click the icon to copy the DNS name.
Now go back to the Route 53 dashboard, and open the Hosted zones tab, then click the hosted zone you just created:
Figure 7 - The Route 53 dashboard with your new hosted zone
In the hosted zone details panel, click the button:
Figure 8 - The Hosted zone details panel
Next, choose the Simple routing policy:
Figure 9 - Choosing the simple routing policy
Click Next to continue.
On the Configure records panel, click the button:
Figure 10 - The Configure records panel
In the Define simple record panel, enter * as the record name, select CNAME as the record type, then select IP address or another value, depending on the record type and paste in the DNS name from Figure 6 above:
Figure 11 - Defining a simple record
With the details set, click the button.
Congratulations! You’re done!
Terraform CNAME configuration
To create a CNAME record with Terraform, fill in the appropriate values in this script:
resource "aws_route53_record" "this" {
  zone_id = aws_route53_zone.this.zone_id
  name    = "*.${aws_route53_zone.this.name}"                  # wildcard under the private zone from step 3
  type    = "CNAME"
  ttl     = 300
  records = [aws_vpc_endpoint.this.dns_entry[0]["dns_name"]]   # DNS name of the endpoint from step 2
}
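Steps 2 to 4 as a single Terraform configuration, added here as an example and not part of Altinity’s documentation or code: it replaces the VPC default security group used in the snippets above with a dedicated group that admits only HTTPS from this VPC’s own CIDR block, so nothing outside the VPC can reach the endpoint’s network interface. It assumes an existing aws_vpc.this and aws_subnet.this, a placeholder service name you replace with the value from Altinity support, and the example environment name altinity.maddie used on this page.

```hcl
# Added example; values below are assumptions, not Altinity's or AWS's own configuration.
locals {
  service_name     = "com.amazonaws.vpce.REGION.vpce-svc-PLACEHOLDER" # replace with the name from Altinity support
  environment_name = "altinity.maddie"                                 # example environment name from this page
  tags             = { Project = "altinity-cloud-vpce" }
}

# Dedicated security group instead of the VPC default one: only HTTPS from inside this VPC
# can reach the endpoint network interface. No egress rule is defined because the endpoint
# never initiates connections; security groups are stateful, so replies still flow.
resource "aws_security_group" "vpce" {
  name        = "altinity-vpce"
  description = "HTTPS to the Altinity.Cloud interface endpoint"
  vpc_id      = aws_vpc.this.id
  tags        = local.tags

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.this.cidr_block]
  }
}

resource "aws_vpc_endpoint" "this" {
  service_name        = local.service_name
  vpc_endpoint_type   = "Interface"
  vpc_id              = aws_vpc.this.id
  subnet_ids          = [aws_subnet.this.id]
  security_group_ids  = [aws_security_group.vpce.id]
  private_dns_enabled = false # names are served by the private zone below
  tags                = local.tags
}

# Private zone for the environment URL, visible only from this VPC.
resource "aws_route53_zone" "this" {
  name = "internal.${local.environment_name}.altinity.cloud."
  vpc {
    vpc_id = aws_vpc.this.id
  }
  tags = local.tags
}

# Wildcard CNAME pointing every host under the zone at the endpoint's DNS name.
resource "aws_route53_record" "wildcard" {
  zone_id = aws_route53_zone.this.zone_id
  name    = "*.${aws_route53_zone.this.name}"
  type    = "CNAME"
  ttl     = 300
  records = [aws_vpc_endpoint.this.dns_entry[0]["dns_name"]]
}
```

Because the security group no longer references aws_vpc.this.default_security_group_id, any instance that should talk to Altinity.Cloud only needs to live in the VPC CIDR; you do not have to attach it to the default group.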
Testing your endpoint
To verify that the VPC Endpoint works, launch an EC2 instance in your environment. Open a shell in that instance and execute this curl command with the URL of your Altinity.Cloud environment:
curl -sS https://internal.altinity.maddie.altinity.cloud
OK
If everything works, the command will return OK. (The -sS options tell curl to either display the output from the endpoint or error messages if anything fails.)
References
Amazon’s documentation has lots of great articles on using AWS services. Here are a couple that we’ve found really useful: