AWS PrivateLink

Overview

By default, client traffic to SkySQL services may transit the public internet and is protected with TLS and a firewall configured by IP allowlist.

Some customers may have regulatory requirements or information security policies that prohibit the default database connections over the public internet.

Options are available to enable private connections between VPC (Virtual Private Clouds) and supported cloud provider services such as SkySQL.

For SkySQL services on AWS, AWS PrivateLink is supported.

For detailed information about AWS PrivateLink, see "AWS PrivateLink" (Amazon documentation).

Requirements

AWS PrivateLink is used for private connections within the same AWS region.

Prior to configuring AWS PrivateLink on a SkySQL service, you must have created a VPC with a private subnet that will be used to communicate with private IP addresses.

Endpoint Choices

The default endpoint mechanism is "nlb", which supports accessing the SkySQL service via the public internet.

Use of AWS PrivateLink occurs when the endpoint mechanism is changed to "privateconnect".

AWS PrivateLink can be enabled using the SkySQL Portal, SkySQL DBaaS API, or SkySQL Terraform Provider.

Implementation Steps

  1. Review the details of this page, including Requirements, Controls, and Connectivity

  2. Enable AWS PrivateLink on your SkySQL service using one of the available interfaces for your use case:

    Use Case

    Method

    Launch a new service

    Modify an existing service

  3. Perform AWS Endpoint Setup

Portal

AWS PrivateLink can be enabled with a web browser using the SkySQL Portal:

SkySQL DBaaS API

AWS PrivateLink can be enabled with a REST client using the SkySQL DBaaS API:

For general instructions on using the SkySQL DBaaS API, see "DBaaS API Launch Walkthrough".

Terraform Provider

AWS PrivateLink can be enabled with Terraform using the SkySQL Terraform provider:

For general instructions on using the SkySQL Terraform Provider, see "Terraform Launch Walkthrough".

For an example Terraform configuration that enables AWS PrivateLink, see "https://github.com/mariadb-corporation/terraform-provider-skysql/tree/main/examples/privateconnect".

Connectivity

When a SkySQL service has the privateconnect endpoint mechanism, public endpoints are disabled and connections can only occur through private endpoints.

Client connections can originate from private IP addresses in the linked VPC.

For topologies with MariaDB MaxScale, client connections occur through MaxScale.

Replication can be configured with private IP addresses in the linked VPC.

AWS PrivateLink supports DNS propagation which can be configured to resolve the Database FQDN to the private IP for an internal DNS request. The private DNS names feature must be enabled on the customer's VPC.

Controls

The SkySQL IP Allowlist is not used with the privateconnect endpoint mechanism.

With AWS PrivateLink, connections are restricted to the list of allowed accounts that were specified when configuring the SkySQL endpoint.

Further restrictions are controlled through the customer's AWS account. VPC security group policies apply. For detailed information, see "Control traffic to resources using security groups" (Amazon documentation).

Some customers using AWS PrivateLink may choose to disable TLS, but MariaDB recommends keeping TLS enabled for extra security.

Endpoint changes can be destructive, resulting in downtime. When you change the connection type from private to public, or public to private, the endpoint must be destroyed and recreated. Changing the SkySQL endpoint between nlb and privateconnect will result in a service interruption.

Connections to SkySQL services by features such as SkySQL backups, and monitoring do not depend on AWS PrivateLink.

Query Editor is not supported when AWS PrivateLink is enabled.

AWS Endpoint Setup

In addition to switching the SkySQL service to the privateconnect endpoint mechanism, an AWS Endpoint must be created using the customer's AWS account in order for the SkySQL service to become accessible.

  1. Log in to the AWS console.

  2. Confirm the correct region is selected.

  3. Navigate to the "VPC" page, then the "Endpoint" section.

  4. Click the "Create Endpoint" button.

  5. Fill in the name to help you to identify it. (This is optional.)

  6. Set the Service category to "Other endpoint services".

  7. The value for the "Service name" field must be set to the value of the endpoint_service that was queried from the SkySQL DBaaS API (as detailed earlier).

  8. Click "Verify service". AWS should find the service and auto-populate the rest of the form.

  9. In the VPC search field, find the VPC that you want to use for the interconnect between the clients and the SkySQL service.

  10. In the Subnets section, it is suggested that you select all the Availability Zones in the list, entering the proper subnet ID for each one. If you are unsure, view the details of your running instances to see the Subnet ID that they have configured.

  11. Select IPv4 for "IP address type".

  12. For the "Security Groups" section, we suggest that you create a new security group that will regulate which instances can make a connection to the database.

    • In a new browser tab, use the AWS console to visit the "Security Groups" settings (under Network & Security).

    • Click on the "Create security group" button.

    • Fill in the group's name and (optionally) its description.

    • Under "Inbound rules" click the "Add rule" button.

    • Set the value for the "Port range" to be the port number that the API revealed for the "readwrite" endpoint.

    • Set the Source to either a list of private (internal) IPv4 addresses that you want to authorize (adding a "/32" suffix to each one), or set it to an existing security group name that can be used to authorize all instances that have that security group in their configuration.

    • Press the "Create security group" button.

  13. Back on the endpoint tab, click the refresh button on the "Security Groups" section and choose the newly created security group.

  14. Optionally add a "Name" tag for easy identification.

  15. Press the "Create endpoint" button. Endpoint creation may take several minutes. When complete, status will change from "Pending" to "Available".

  16. In the details of the new endpoint will be a list of DNS names. Copy the first name in the list and use that as the hostname for your clients to use when they connect.

The newly created endpoint now authorizes the internal IPs or security groups that you specified in the Source values to access the SkySQL service's connection port. When testing a client connection, ensure that the client host is authorized by the security group's Source settings and that you're using the "readwrite" port plus the appropriate username and password (either the default values or the value for any user you have created).