6.1 Creating a PrivateLink

Use the HeatWave Console to create a PrivateLink.

This task requires the following:

  • A DB System in the Active state.
  • For a Query PrivateLink only: ARNs of authorized principals.
  • For an Egress PrivateLink only:
    • A VPC Endpoint Service name in your AWS account that provides connectivity to your source database. See how to set up an endpoint service for your source in Source Configuration When Using an Egress PrivateLink.
    • If you want TLS certificate identity verification for the replication channel: The endpoint hostname for accessing the source database. Obtain it from the AWS console by browsing to RDS > Databases > (your source database instance) > Connectivity and security.

Do the following to create a PrivateLink:

  1. In the HeatWave Console, select the Resources tab.
  2. On the PrivateLink tab, click Create PrivateLink.
  3. Enter the following:
    • Basic information:
      • Display name: Specify a display name for the PrivateLink or use the generated default name.
      • Description: (Optional) Specify a description for the PrivateLink.
    • Select PrivateLink type: Choose the desired PrivateLink type and then provide the type-specific configuration.
      • Query: Provides connectivity from a customer application to a HeatWave on AWS DB System using private IP addresses. Select and click Next to finish configuring the PrivateLink on the next page:
        • Target DB System: Select the DB System with which you want to associate the PrivateLink.
        • ARNs of Authorized Principals: Authorize principal ARNs to create connections to the PrivateLink. You can specify more than one ARN delimited by semicolons. You can specify either of the following:
          • (Recommended) Entire AWS accounts in the following format:
            arn:aws:iam::<ACCOUNT_ID>:root
          • Specific principals in the following format:
            arn:aws:iam::<ACCOUNT_ID>:user/<user_id>
            arn:aws:iam::<ACCOUNT_ID>:role/<role_id>

            See Amazon Resource Names (ARNs).

            For enhanced security, authorize a specific set of principals. In this case, the authorization to create a PrivateLink is checked twice: first inside the AWS account requesting the new endpoint, and then in HeatWave on AWS to ensure that the entity requesting the endpoint is in the set of authorized principals. Once you have updated the authorized principals list, configure IAM policies in your AWS account to grant principals the permissions to create and delete VPC endpoints. See Configuring IAM Policies for Endpoints for a Query PrivateLink.

      • Egress: Provides private connectivity to an external system running in your AWS account. Use Egress PrivateLinks to replicate data into your DB Systems inside HeatWave on AWS. Select and click Next to finish configuring the PrivateLink on the next page:
        • Configure external endpoint service name: Set this to the VPC endpoint service name in your AWS account to which this PrivateLink will connect. See how to set up an endpoint service for your source in Source Configuration When Using an Egress PrivateLink.
        • Configure egress endpoints: Configure the list of endpoints for which this Egress PrivateLink is to provide connectivity. Provide the following information for each endpoint:
          • Source Hostname: (Optional) The endpoint of the source database on AWS. Only required if you want to support TLS certificate identity verification; leave blank otherwise.
          • Source Port: The port on which this egress endpoint provides connectivity.
          • Target DB System: Select the target DB System that is allowed to connect with this Egress PrivateLink.
  4. Click Create.

You can see the details of the PrivateLink, including a new Hostname and, for a Query PrivateLink, a new Service name. Note the Service name, as you will need it to create an endpoint.
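The ARNs of Authorized Principals field accepts a semicolon-delimited list in the three forms shown above. Before pasting a list into the console it is worth checking it offline, because an unrecognised entry is rejected while an over-broad one (an account root) silently authorizes every principal in that account. The following is an added example, not HeatWave's own validation code: it parses the list, accepts only the account-root, user and role forms the page documents, rejects wildcards, and warns when a specific principal is redundant because its account root is already listed. The regular expressions and the constructed sample list are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The three ARN forms the page documents. AWS account IDs are 12 digits.
# These patterns are an assumption of this example, not a HeatWave-published rule.
_ACCOUNT_ROOT = re.compile(r"^arn:aws:iam::(\d{12}):root$")
_USER = re.compile(r"^arn:aws:iam::(\d{12}):user/([\w+=,.@/-]+)$")
_ROLE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


@dataclass
class Principal:
    arn: str
    account_id: str
    kind: str             # "account", "user" or "role"
    name: Optional[str]   # user or role name; None for an account root


@dataclass
class ValidationResult:
    principals: List[Principal]
    errors: List[str]     # entries that the console would not accept as written
    warnings: List[str]   # entries that are accepted but widen or duplicate access


def parse_authorized_principals(raw: str) -> ValidationResult:
    """Parse a semicolon-delimited list of principal ARNs and classify each entry."""
    principals: List[Principal] = []
    errors: List[str] = []
    warnings: List[str] = []

    for token in raw.split(";"):
        arn = token.strip()
        if not arn:
            continue  # tolerate a trailing semicolon or an empty entry
        if "*" in arn:
            errors.append(f"wildcard not allowed: {arn}")
            continue
        m = _ACCOUNT_ROOT.match(arn)
        if m:
            principals.append(Principal(arn, m.group(1), "account", None))
            warnings.append(f"{arn} authorizes every principal in account {m.group(1)}")
            continue
        for kind, pattern in (("user", _USER), ("role", _ROLE)):
            m = pattern.match(arn)
            if m:
                principals.append(Principal(arn, m.group(1), kind, m.group(2)))
                break
        else:
            errors.append(f"unrecognised ARN form: {arn}")

    # A specific user or role adds nothing if its account root is already listed.
    account_wide = {p.account_id for p in principals if p.kind == "account"}
    seen = set()
    for p in principals:
        if p.arn in seen:
            warnings.append(f"duplicate entry: {p.arn}")
        seen.add(p.arn)
        if p.kind != "account" and p.account_id in account_wide:
            warnings.append(
                f"{p.arn} is redundant: account {p.account_id} root is already authorized"
            )

    return ValidationResult(principals, errors, warnings)


# Constructed sample list (fictitious account IDs), not taken from any real deployment.
SAMPLE = (
    "arn:aws:iam::111122223333:root;"
    "arn:aws:iam::444455556666:role/heatwave-app;"
    "arn:aws:iam::444455556666:user/analyst;"
    "arn:aws:iam::111122223333:user/admin;"
    "arn:aws:iam::777788889999:*"
)

if __name__ == "__main__":
    result = parse_authorized_principals(SAMPLE)
    for p in result.principals:
        print(f"OK       {p.kind:<8}{p.arn}")
    for e in result.errors:
        print(f"ERROR    {e}")
    for w in result.warnings:
        print(f"WARNING  {w}")
```

Entries reported under ERROR must be fixed before the list is entered; WARNING entries are accepted by the format but are the ones to review when you want the tighter, principal-specific authorization the page recommends for enhanced security.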

Note:

After an Egress PrivateLink is created, you need to return to the Endpoint Service page to explicitly accept the connection. See Source Configuration When Using an Egress PrivateLink for details. Only accept connections from VPC Endpoint IDs that are displayed in your account in the HeatWave on AWS console.