6.2.1 Configuring the Network Infrastructure for an Egress PrivateLink
Before creating an Egress PrivateLink, configure the network infrastructure in your AWS account. The prerequisites are:
- Access to your AWS account through the AWS Console.
- Knowledge of the following information regarding your service (for example, a source database that replicates to your DB System in HeatWave on AWS):
  - The VPC that is hosting the service you wish to expose to HeatWave on AWS (for example, a database instance).
  - The AWS Availability Zone IDs of that service.
  - The IP address on which your service should be reached. For example, if your service is a database source such as an Amazon RDS or Aurora instance, run this command on any internet-connected system using the hostname of its primary endpoint:
    nslookup <service hostname>
- Create and configure a Target Group:
  - Go to AWS Console > EC2 > Target Groups (also reachable from the console's navigation pane under Load Balancing), and select Create target group.
  - Under Basic configuration:
    - Select IP addresses.
    - Add a Target group name.
    - For Protocol: Port, select TCP for the protocol, and enter the port number of your service (for example, the port number of a MySQL database source).
    - Under VPC, select the VPC in which the service is located, so that it can be included in the Target Group.
  - Under Health checks:
    - Select TCP for Health check protocol.
    - Under Advanced health check settings, select Override, and enter any port number other than the port for your service (e.g., 40000). This setting will force the Target Group's health status to "Unhealthy". Your service will still be accessible over the PrivateLink, because the load balancer will continue to forward connections. For details, see Health checks for Network Load Balancer target groups.
      WARNING:
      If your service is a MySQL database that acts as a replication source, depending on its configuration, failing to adjust the health check port may result in your source blocking all traffic from the load balancer. For details, see the MySQL Server documentation pertaining to the host cache.
  - Click Next to go to the Register targets page.
  - Go to Step 2 on the Register targets page and enter the IP addresses for your service (see the prerequisites above).
  - Under Ports, make sure the port number for the service is correct.
  - Click Include as pending below, then click Create target group.
  Note:
  If the IP address of your service changes, you must update the Target Group's IP addresses so that the service can continue to be reachable.
- Create and configure a Network Load Balancer:
  - Navigate to AWS Console > EC2 > Load Balancers, and click Create load balancer. The Compare and select load balancer type page opens.
  - Under Load balancer types, select Network Load Balancer by clicking the Create button under its description. The Create Network Load Balancer page opens.
  - Enter a Load balancer name.
  - For Scheme, select Internal.
  - Under Network mapping:
    - Make sure the service's VPC is selected.
    - For Mappings, select the Availability Zone IDs for your service.
      Note:
      Your target DB System in HeatWave on AWS must be in one of the Availability Zones you select here. For example, if you only choose us-east-1d (use1-az1) in your account, all HeatWave DB Systems that will connect to this Endpoint Service via Egress PrivateLink must be in use1-az1. Also see the discussion on Availability Zone selection in Creating a DB System.
    - For each of the Availability Zone IDs you selected, pick a private Subnet.
  - Under Security Groups, click create a new security group. In the Create security group page that opens, configure the following before you click Create security group:
    - Security group name: Give a group name.
    - Description: Give a description.
    - For VPC, select the service's VPC.
    - For Inbound rules and Outbound rules, keep the default configurations.
  - Go back to the Create Network Load Balancer page and, under Security Groups, select the security group you just created and deselect any other security groups.
  - Under Listeners and routing, configure the Listener with the Port the service is on, set Default action to Forward to, and select the target group you created above in Step 1.
  - Click Create load balancer. The load balancer is created.
  - In AWS Console > EC2 > Load Balancers, select the load balancer you just created. A configuration page for the load balancer opens.
  - Scroll down and select the Security tab. Make sure Enforce inbound rules on PrivateLink traffic is Off. If it is not, click Edit and then deselect it.
  Note:
  If your load balancer is configured in multiple Availability Zones, follow the steps below to ensure the DB System can reach your service, regardless of which Availability Zone your service is located in:
    - Return to the load balancer configuration page by navigating to AWS Console > EC2 > Load Balancers and selecting your load balancer.
    - Select the Attributes tab and click Edit.
    - Under Availability Zone routing configuration > Load balancer targets selection policy, select Enable cross-zone load balancing and click Save changes.
- Allow your service to receive traffic from your Network Load Balancer:
  - Go to the configuration page for your service (for example, for a database instance on AWS RDS, go to AWS > RDS > Databases > your instance). Under Connectivity and security > Security, click the security group associated with the database instance. The Security Groups page opens.
  - Check the security group, and then select Edit inbound rules under Actions. The Edit inbound rules page opens.
  - Click Add rule and add a new rule with the following specifications:
    - Choose Custom TCP for Type.
    - Choose Custom and then search for and select the security group created in Step 2 above for the Network Load Balancer.
    - Enter the service instance's port number for Port Range.
    - Provide an optional Description.
  - Click Save rules.
- Create and configure an endpoint service:
  - Navigate to AWS > VPC > Endpoint services, and click Create endpoint service. The Create endpoint service page opens.
  - Configure your endpoint service with the following information:
    - Load balancer type: Select Network.
    - Under Available load balancers, select the load balancer you created in Step 2 above.
    - Under Additional settings:
      - Select Acceptance required.
      - Select IPv4 for Supported IP address types.
      - Ensure Enable private DNS names is NOT selected, because it is unnecessary.
  - Click Create. Note the Service name under Details of the VPC endpoint service you created. You will need it to configure your Egress PrivateLink.
  - Navigate to AWS > VPC > Endpoint services and choose the endpoint service you just created, and then under Actions choose Allow principals. The Allow principals page opens.
  - Under Principals to add, add the ARN of the HeatWave on AWS account:
    arn:aws:iam::612981981079:root
  - Click Allow principals.
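As an added check that is not part of the HeatWave documentation, the following audit function takes dictionaries shaped like the JSON returned by the AWS CLI commands describe-target-groups, describe-load-balancers, describe-load-balancer-attributes, describe-vpc-endpoint-service-configurations and describe-vpc-endpoint-service-permissions, and reports which of the settings from the steps above are missing. The field names are assumed from those outputs, and the sample deployment and load balancer ARN are constructed; only the HeatWave account ARN comes from the page.

```python
HEATWAVE_PRINCIPAL = "arn:aws:iam::612981981079:root"  # account ARN from the steps above
NLB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/src-nlb/0123"  # constructed

def audit_egress_privatelink(tg, lb, lb_attrs, svc, perms, db_system_az_id, service_port):
    """Return the documented settings that are NOT in place (empty list means all good)."""
    findings = []
    if tg["TargetType"] != "ip" or tg["Protocol"] != "TCP" or tg["Port"] != service_port:
        findings.append("target group must use IP targets, TCP, on the service port")
    # The page points the health check at an unused port on purpose, so the NLB never
    # probes the database itself (a MySQL source could otherwise block the NLB's host).
    if tg["HealthCheckProtocol"] != "TCP" or str(tg["HealthCheckPort"]) in ("traffic-port", str(service_port)):
        findings.append("health check must be TCP on a port other than the service port")
    if lb["Scheme"] != "internal" or lb["Type"] != "network":
        findings.append("load balancer must be an internal Network Load Balancer")
    zones = {z["ZoneId"] for z in lb["AvailabilityZones"]}
    if db_system_az_id not in zones:
        findings.append(f"NLB is not mapped to the DB System's AZ {db_system_az_id}")
    if lb.get("EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic", "on") != "off":
        findings.append("Enforce inbound rules on PrivateLink traffic must be Off")
    attrs = {a["Key"]: a["Value"] for a in lb_attrs}
    if len(zones) > 1 and attrs.get("load_balancing.cross_zone.enabled") != "true":
        findings.append("multi-AZ NLB needs cross-zone load balancing enabled")
    if not svc["AcceptanceRequired"]:
        findings.append("endpoint service must require acceptance")
    if svc.get("SupportedIpAddressTypes") != ["ipv4"] or svc.get("PrivateDnsName"):
        findings.append("endpoint service must be IPv4 only with no private DNS name")
    if lb["LoadBalancerArn"] not in svc["NetworkLoadBalancerArns"]:
        findings.append("endpoint service is not backed by this load balancer")
    if HEATWAVE_PRINCIPAL not in {p["Principal"] for p in perms}:
        findings.append("HeatWave on AWS account is not an allowed principal")
    return findings

# Constructed sample shaped like the describe-* JSON (field names assumed), set up as the page says.
GOOD = {
    "tg": {"TargetType": "ip", "Protocol": "TCP", "Port": 3306,
           "HealthCheckProtocol": "TCP", "HealthCheckPort": "40000"},
    "lb": {"LoadBalancerArn": NLB_ARN, "Scheme": "internal", "Type": "network",
           "AvailabilityZones": [{"ZoneId": "use1-az1"}, {"ZoneId": "use1-az2"}],
           "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": "off"},
    "lb_attrs": [{"Key": "load_balancing.cross_zone.enabled", "Value": "true"}],
    "svc": {"AcceptanceRequired": True, "SupportedIpAddressTypes": ["ipv4"],
            "NetworkLoadBalancerArns": [NLB_ARN]},
    "perms": [{"PrincipalType": "Account", "Principal": HEATWAVE_PRINCIPAL}],
}

def audit_bad_example():
    """GOOD with two slips the page warns about: health check on the DB port, inbound rules enforced."""
    bad = {**GOOD, "tg": {**GOOD["tg"], "HealthCheckPort": "traffic-port"},
           "lb": {**GOOD["lb"], "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": "on"}}
    return audit_egress_privatelink(**bad, db_system_az_id="use1-az1", service_port=3306)
```

Feed it the real describe-* output for your own resources (after loading the JSON) to confirm the deployment before you create the Egress PrivateLink.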