docs-mintlify/admin/deployment/dedicated/aws/private-link.mdx
<Note>
This page covers backend connectivity — Cube reaching into your network to query data sources, auth providers, BI APIs targeted by Semantic Layer Sync, and other upstream services. See Backend and frontend connectivity for the full picture. For frontend connectivity (exposing Cube's APIs to your applications, browsers, BI tools, and embedded analytics clients), see Private API Connectivity on AWS.
</Note>

AWS PrivateLink provides private connectivity between virtual private clouds (VPCs), supported services and resources, and your on-premises networks, without exposing your traffic to the public internet. To set up a PrivateLink connection between Cube's Dedicated Infrastructure and your own VPC, you'll need to prepare an Endpoint Service, share service details with the Cube team, and accept the incoming connection request.
<Note>
**Dedicated Infrastructure vs. Bring Your Own Cloud.** The flow described on this page — sharing service details with the Cube team and letting Cube create the VPC endpoint and DNS overrides — applies to Dedicated Infrastructure operated by Cube.

In a Bring Your Own Cloud (BYOC) deployment, the Cube VPC lives in your own AWS account, so you own the networking. The IAM role granted to the Cube Operator intentionally does not include `route53:*` permissions, which means Cube cannot create the VPC interface endpoint or the Route 53 private hosted zone needed for the DNS override on your behalf.

For BYOC, set up PrivateLink yourself inside the Cube VPC:

- A VPC interface endpoint to your Endpoint Service
- A Route 53 private hosted zone for the DNS override
- An ALIAS record pointing at the interface endpoint

If you'd prefer Cube to do this for you in BYOC, you can grant the Cube Operator role `route53:*` (and the matching `ec2:*VpcEndpoint*` permissions) on the BYOC role — but most customers keep this networking in their own hands.
</Note>
There are two common scenarios for preparing the Endpoint Service:

- If the data source runs in your own infrastructure, follow the official AWS documentation to configure the Endpoint Service pointing at your data source.
- If your data source is hosted in a third-party infrastructure, follow the vendor's documentation for creating and managing an Endpoint Service.
Cube needs to be added to the list of principals allowed to discover your Endpoint Service. To do so, go to AWS Console → VPC → Endpoint Services → Your service → Allow principals and add `arn:aws:iam::331376342520:root` to the list.

`331376342520` is the AWS account ID of Cube's PrivateLink consumer account. Adding its root principal authorizes Cube to discover your endpoint service and create a private endpoint against it; nothing else in Cube's AWS estate gains access to your network.
To request establishing a PrivateLink connection, share the following information with the Cube team:

- The service name of your Endpoint Service (e.g., `com.amazonaws.vpce.us-west-2.vpce-svc-abcde`)

How your data source is addressed inside Cube depends on whether it speaks TLS:

- If the data source is reached over TLS (`sslmode=require`, etc.), share the DNS name(s) the certificate is issued for — typically the same hostname your in-network clients already use to reach it. Cube creates internal DNS overrides inside the Dedicated Infrastructure so that the same hostname resolves to the PrivateLink endpoint. Keeping the original hostname is what preserves TLS validity: the certificate's CN/SAN keeps matching what Cube dials.
- If the data source is not reached over TLS, the Cube team returns an internal endpoint hostname for you to address it by.

The Cube team will notify you once the connection request is sent. You can accept it by going to AWS Console → VPC → Endpoint Services → Your Service → Endpoint Connections and clicking Accept Connection Request.

Once the connection is established, you can access your data source by addressing it via the DNS name(s) you supplied (TLS case) or the internal endpoint hostname returned to you by the Cube team (non-TLS case).
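The two places where your side of this flow grants access are the Allow principals list and the Accept Connection Request step. The following added example (not Cube's own tooling or part of this page) audits both from the JSON that `aws ec2 describe-vpc-endpoint-service-permissions` and `aws ec2 describe-vpc-endpoint-connections` return, flagging a wildcard or unexpected principal and separating pending requests from Cube's consumer account from requests by any other account; the endpoint IDs and the second account number are constructed sample values.

```python
# Added example (not Cube's tooling): audit an Endpoint Service before accepting
# a connection. Input is constructed sample JSON in the shape returned by
# `aws ec2 describe-vpc-endpoint-service-permissions` and
# `aws ec2 describe-vpc-endpoint-connections`.
import json

# Cube's PrivateLink consumer account, as given on this page.
CUBE_ACCOUNT_ID = "331376342520"
CUBE_PRINCIPAL = f"arn:aws:iam::{CUBE_ACCOUNT_ID}:root"

# Constructed sample CLI output; endpoint ids and the second account are made up.
PERMISSIONS_JSON = json.dumps({"AllowedPrincipals": [
    {"PrincipalType": "Account", "Principal": CUBE_PRINCIPAL},
    {"PrincipalType": "All", "Principal": "*"},  # over-broad: any account may connect
]})
CONNECTIONS_JSON = json.dumps({"VpcEndpointConnections": [
    {"VpcEndpointId": "vpce-0123456789abcdef0", "VpcEndpointOwner": CUBE_ACCOUNT_ID,
     "VpcEndpointState": "pendingAcceptance"},
    {"VpcEndpointId": "vpce-0fedcba9876543210", "VpcEndpointOwner": "111122223333",
     "VpcEndpointState": "pendingAcceptance"},
]})


def audit_allowed_principals(permissions_json, expected=(CUBE_PRINCIPAL,)):
    """Return a finding for every allowed principal that is not on the expected list."""
    findings = []
    for entry in json.loads(permissions_json)["AllowedPrincipals"]:
        principal = entry["Principal"]
        if principal == "*":
            findings.append("wildcard principal '*' allows any AWS account to discover the service")
        elif principal not in expected:
            findings.append(f"unexpected principal {principal}")
    return findings


def triage_connection_requests(connections_json, expected_owner=CUBE_ACCOUNT_ID):
    """Split pending requests into (accept, reject) lists by the requesting account."""
    accept, reject = [], []
    for conn in json.loads(connections_json)["VpcEndpointConnections"]:
        if conn["VpcEndpointState"] != "pendingAcceptance":
            continue  # already decided; nothing to do
        bucket = accept if conn["VpcEndpointOwner"] == expected_owner else reject
        bucket.append(conn["VpcEndpointId"])
    return accept, reject


if __name__ == "__main__":
    for finding in audit_allowed_principals(PERMISSIONS_JSON):
        print("FINDING:", finding)
    print("accept/reject:", triage_connection_requests(CONNECTIONS_JSON))
```

Run it against the real CLI output (`--output json`) for your service ID before clicking Accept Connection Request; only endpoint IDs in the accept list should be accepted.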
AWS PrivateLink is available in all AWS commercial regions where Dedicated Infrastructure can be provisioned. AWS China (cn-north-1, cn-northwest-1) and AWS GovCloud (us-gov-east-1, us-gov-west-1) are not supported.