Add docs for AWS PrivateLink using VPC Resource #3925
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -32,26 +32,96 @@ | |
| - [MSK multi-VPC connectivity for MSK ClickPipe](https://docs.aws.amazon.com/msk/latest/developerguide/aws-access-mult-vpc.html) | ||
| - [VPC endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html) | ||
|
|
||
| ### VPC resource {#vpc-resource} | ||
|
|
||
| Your VPC resources can be accessed in ClickPipes using PrivateLink and [AWS VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/what-is-vpc-lattice.html). This approach doesn't require setting up a load balancer in front of your data source. | ||
|
|
||
| Resource configuration can be targeted with a specific host or RDS cluster ARN. | ||
| Cross-region is not supported. | ||
|
|
||
| It's the preferred choice for Postgres CDC ingesting data from an RDS cluster. | ||
|
|
||
| To set up PrivateLink with VPC resource: | ||
| 1. Create a resource gateway | ||
| 2. Create a resource configuration | ||
| 3. Create a resource share | ||
|
|
||
| #### 1. Create a Resource-Gateway {#create-resource-gateway} | ||
|
|
||
| Resource-Gateway is the point that receives traffic for specified resources in your VPC. | ||
|
|
||
| You can create a Resource-Gateway from the [AWS console](https://docs.aws.amazon.com/vpc/latest/privatelink/create-resource-gateway.html) or with the following command: | ||
|
|
||
| ```bash | ||
| aws vpc-lattice create-resource-gateway \ | ||
| --vpc-identifier <VPC_ID> \ | ||
| --subnet-ids <SUBNET_IDS> \ | ||
| --security-group-ids <SG_IDs> \ | ||
| --name <RESOURCE_GATEWAY_NAME> | ||
| ``` | ||
|
|
||
| The output will contain a Resource-Gateway id, which you will need for the next step. | ||
|
|
||
| Before you can proceed, you'll need to wait for the Resource-Gateway to enter into an `Active` state. You can check the state by running the following command: | ||
|
|
||
| ```bash | ||
| aws vpc-lattice get-resource-gateway \ | ||
| --resource-gateway-identifier <RESOURCE_GATEWAY_ID> | ||
| ``` | ||
|
|
||
| #### 2. Create a VPC Resource-Configuration {#create-resource-configuration} | ||
|
|
||
| Resource-Configuration is associated with Resource-Gateway to make your resource accessible. | ||
|
|
||
| You can create a Resource-Configuration from the [AWS console](https://docs.aws.amazon.com/vpc/latest/privatelink/create-resource-configuration.html) or with the following command: | ||
|
|
||
| ```bash | ||
| aws vpc-lattice create-resource-configuration \ | ||
| --resource-gateway-identifier <RESOURCE_GATEWAY_ID> \ | ||
| --type <RESOURCE_CONFIGURATION_TYPE> \ | ||
| --resource-configuration-definition <RESOURCE_CONFIGURATION_DEFINITION> \ | ||
| --name <RESOURCE_CONFIGURATION_NAME> | ||
| ``` | ||
|
|
||
| The simplest [resource configuration type](https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-configuration.html#resource-configuration-types) is a single Resource-Configuration. You can configure with the ARN directly, or share an IP address or a domain name that is publicly resolvable. | ||
|
|
||
| For example, to configure with the ARN of an RDS Cluster: | ||
|
|
||
| ```bash | ||
| aws vpc-lattice create-resource-configuration \ | ||
| --name my-rds-cluster-config \ | ||
| --type ARN \ | ||
| --resource-gateway-identifier rgw-0bba03f3d56060135 \ | ||
|
There was a problem hiding this comment. arbitrary value taken from aws doc |
||
| --resource-configuration-definition 'arnResource={arn=arn:aws:rds:us-east-1:123456789012:cluster:my-rds-cluster}' | ||
| ``` | ||
|
|
||
jgao54 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| The output will contain a Resource-Configuration ARN, which you will need for the next step. It will also contain a Resource-Configuration ID, which you will need to set up a ClickPipe connection with VPC resource. | ||
|
|
||
| #### 3. Create a Resource-Share {#create-resource-share} | ||
|
|
||
| Sharing your resource requires a Resource-Share. This is facilitated through the Resource Access Manager (RAM). | ||
|
|
||
| You can put the Resource-Configuration into the Resource-Share through [AWS console](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html) or by running the following command with ClickPipes account ID `072088201116`: | ||
|
|
||
| ```bash | ||
| aws ram create-resource-share \ | ||
| --principals 072088201116 \ | ||
| --resource-arns <RESOURCE_CONFIGURATION_ARN> \ | ||
| --name <RESOURCE_SHARE_NAME> | ||
| ``` | ||
|
|
||
| The output will contain a Resource-Share ARN, which you will need to set up a ClickPipe connection with VPC resource. | ||
|
|
||
| You are ready to [create a ClickPipe with Reverse private endpoint](#creating-clickpipe) using VPC resource. You will need to: | ||
| - Set `VPC endpoint type` to `VPC Resource`. | ||
| - Set `Resource configuration ID` to the ID of the Resource-Configuration created in step 2. | ||
| - Set `Resource share ARN` to the ARN of the Resource-Share created in step 3. | ||
|
|
||
| For more details on PrivateLink with VPC resource, see [AWS documentation](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-resources.html). | ||
|
|
||
| ### MSK multi-VPC connectivity {#msk-multi-vpc} | ||
|
|
||
| The [Multi-VPC connectivity](https://docs.aws.amazon.com/msk/latest/developerguide/aws-access-mult-vpc.html) is a built-in feature of AWS MSK that allows you to connect multiple VPCs to a single MSK cluster. | ||
|
Check notice on line 124 in docs/integrations/data-ingestion/clickpipes/aws-privatelink.md
|
||
| Private DNS support is out of the box and does not require any additional configuration. | ||
| Cross-region is not supported. | ||
|
|
||
|
|
@@ -67,7 +137,7 @@ | |
|
|
||
| ### VPC endpoint service {#vpc-endpoint-service} | ||
|
|
||
| [VPC endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html) is another approach to share your data source with ClickPipes. | ||
| It requires setting up a NLB (Network Load Balancer) in front of your data source | ||
| and configuring the VPC endpoint service to use the NLB. | ||
|
|
||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.