Private Connectivity with AWS PrivateLink - Cube

Cube Cloud BYOC deployments on AWS support private connectivity for Cube API endpoints using AWS PrivateLink. This enables secure, private access to your Cube deployment without exposing endpoints to the public internet.

<Note>

Available on the Enterprise plan with BYOC deployments. Contact us for details.

</Note>

Overview

In a private setup, Cube Cloud BYOC deployments can be configured to:

Keep HTTP and SQL load balancers private within the BYOC VPC
Expose API endpoints through AWS PrivateLink services
Enable secure connectivity from your VPCs and corporate networks

This approach ensures that all traffic between your applications and Cube Cloud remains within the AWS network backbone, never traversing the public internet.

Architecture

With private connectivity enabled, Cube Cloud exposes two AWS PrivateLink services:

HTTP API Service: For REST (JSON) API and GraphQL endpoints
SQL API Service: For PostgreSQL-compatible SQL interface connections

Your Cube deployment APIs are available on dedicated hostnames following this pattern:

HTTP API: <deployment-id>.<byoc-region>.cubecloudapp.dev
SQL API: <deployment-id>.sql.<byoc-region>.cubecloudapp.dev

Setting up PrivateLink connections

Step 1: Obtain PrivateLink service details

Contact Cube Cloud support to obtain the PrivateLink service details for your BYOC deployment. You'll receive:

HTTP NLB PrivateLink service name
SQL NLB PrivateLink service name
Your deployment ID and infrastructure region

Step 2: Create VPC endpoints

In your AWS account, create two VPC endpoints for the Cube Cloud services:

Navigate to AWS Console → VPC → Endpoints
Click Create Endpoint
For the HTTP API endpoint:
- Service category: Other endpoint services
- Service name: Enter the HTTP NLB service name provided by Cube support
- VPC: Select your target VPC
- Subnets: Select appropriate subnets
- Security Group: Create or select a security group allowing HTTPS traffic (port 443)
Repeat for the SQL API endpoint:
- Use the SQL NLB service name
- Configure security group to allow PostgreSQL traffic (port 5432)

Step 3: Configure DNS resolution

To enable proper hostname resolution, create a private Route 53 hosted zone:

Navigate to AWS Console → Route 53 → Hosted zones
Click Create hosted zone
Configure the zone:
- Domain name: <byoc-region>.cubecloudapp.dev
- Type: Private hosted zone
- VPCs: Associate with your target VPC(s)

<Info>

The <byoc-region> placeholder in the domain name should be replaced with the exact region identifier provided by Cube Cloud support. This is not the standard AWS region name (like us-east-1), but rather a Cube Cloud-specific identifier that uniquely identifies your BYOC infrastructure provisioned.

For example, if Cube Cloud provides you with a region identifier like aws-us-east-1-t-12345-prod, you would use that exact string in place of <byoc-region>.

</Info>

Create the following DNS records in the zone:

Record Name	Type	Value
`*.<byoc-region>.cubecloudapp.dev`	A	Alias to HTTP VPC endpoint
`*.sql.<byoc-region>.cubecloudapp.dev`	A	Alias to SQL VPC endpoint
`sql.<byoc-region>.cubecloudapp.dev`	A	Alias to SQL VPC endpoint

Note: Each BYOC infrastructure provisioning will have a different region identifier. If you provision additional regions in the future, each will require its own private zone with the corresponding region-specific identifier.

Step 4: Verify connectivity

To test the connection from within your VPC, obtain the test connection commands from the Cube Cloud UI:

Navigate to your deployment in Cube Cloud
Access the connection details section
Use the provided commands to verify HTTP API and SQL connectivity

Enabling Cube Cloud UI access

The Cube Cloud web interface requires access to live Cube APIs to function properly. In a private setup, these APIs aren't accessible from user browsers by default, which would limit Cube Cloud functionality.

Solution: Corporate network integration

To enable full Cube Cloud UI functionality, you need to establish PrivateLink endpoints within your corporate network:

Create PrivateLink endpoints in your corporate VPC: Follow the same process as above, but create the endpoints in a VPC that's accessible from your corporate network
Configure DNS resolution: Choose one of these approaches:
- Cube-hosted DNS: We can host the PrivateLink endpoint IPs in our public DNS records (contact Cube support)
- Corporate DNS override: If you control DNS resolution within your corporate network, create private DNS overrides similar to the Route 53 configuration

Limitations

No custom domain support

Cube Cloud's custom domains feature is not compatible with PrivateLink connectivity. This limitation exists because:

Custom domains require automatic SSL certificate provisioning via Let's Encrypt
Let's Encrypt uses HTTP-01 challenges that require public internet accessibility
PrivateLink endpoints are not accessible from the public internet

If you require custom domains, consider using Cube Cloud's standard public endpoints with appropriate security controls.

Troubleshooting

Common issues

DNS resolution failures

Verify Route 53 hosted zone is associated with the correct VPC
Check that DNS records point to the correct VPC endpoints
Test resolution using nslookup or dig from within the VPC

Connection timeouts

Verify security groups allow traffic on required ports (443 for HTTP, 5432 for SQL)
Check that VPC endpoints are in "Available" state
Ensure network ACLs aren't blocking traffic

Certificate errors

Cube Cloud uses valid SSL certificates for *.cubecloudapp.dev domains
Ensure your client trusts standard certificate authorities
For SQL connections, configure your client to use SSL/TLS

Getting help

For assistance with PrivateLink setup:

Gather the following information:
- VPC endpoint IDs
- Security group configurations
- DNS test results (nslookup output)
- Any error messages from connection attempts
Contact Cube Cloud support with your deployment ID and collected information