
Use AWS PrivateLink

doc/user/layouts/shortcodes/mysql-direct/ingesting-data/use-aws-privatelink.html

1. In the SQL Shell, or your preferred SQL client connected to Materialize, use the CREATE CONNECTION command to create an AWS PrivateLink connection:

    ↕️ **In-region connections**

    To connect to an AWS PrivateLink endpoint service in the **same region** as your Materialize environment:

    ```mzsql
    CREATE CONNECTION privatelink_svc TO AWS PRIVATELINK (
        SERVICE NAME 'com.amazonaws.vpce..vpce-svc-',
        AVAILABILITY ZONES ('use1-az1', 'use1-az2', 'use1-az4')
    );
    ```

    - Replace the SERVICE NAME value with the service name you noted earlier.
    - Replace the AVAILABILITY ZONES list with the IDs of the availability zones in your AWS account. For in-region connections, the availability zones of the NLB and the consumer VPC must match. To find your availability zone IDs, select your database in the RDS Console and click the subnets under Connectivity & security. For each subnet, look for Availability Zone ID (e.g., use1-az6), not Availability Zone (e.g., us-east-1d).

    ↔️ **Cross-region connections**

    To connect to an AWS PrivateLink endpoint service in a different region from the one where your Materialize environment is deployed:

    ```mzsql
    CREATE CONNECTION privatelink_svc TO AWS PRIVATELINK (
        SERVICE NAME 'com.amazonaws.vpce.us-west-1.vpce-svc-',
        -- For now, the AVAILABILITY ZONES clause **is** required, but will be
        -- made optional in a future release.
        AVAILABILITY ZONES ()
    );
    ```

    - Replace the SERVICE NAME value with the service name you noted earlier.
    - The service name region refers to where the endpoint service was created. You do not need to specify AVAILABILITY ZONES manually — these will be optimally auto-assigned when none are provided.

2. Retrieve the AWS principal for the AWS PrivateLink connection you just created:

    ```mzsql
    SELECT principal
    FROM mz_aws_privatelink_connections plc
    JOIN mz_connections c ON plc.id = c.id
    WHERE c.name = 'privatelink_svc';
    ```

    ```
    principal
    ---------------------------------------------------------------------------
    arn:aws:iam::664411391173:role/mz_20273b7c-2bbe-42b8-8c36-8cc179e9bbc3_u1
    ```

3. Update your VPC endpoint service to accept connections from the AWS principal.

4. If your AWS PrivateLink service is configured to require acceptance of connection requests, manually approve the connection request from Materialize.

    **Note:** It can take some time for the connection request to show up. Do not move on to the next step until you've approved the connection.

5. Validate the AWS PrivateLink connection you created using the VALIDATE CONNECTION command:

    ```mzsql
    VALIDATE CONNECTION privatelink_svc;
    ```

    If no validation error is returned, move to the next step.

6. Use the CREATE SECRET command to securely store the password for the materialize MySQL user you created earlier:

    ```mzsql
    CREATE SECRET mysqlpass AS '';
    ```

    For AWS IAM authentication, you must create a connection to AWS. See the CREATE CONNECTION command for details.

7. Use the CREATE CONNECTION command to create another connection object, this time with database access and authentication details for Materialize to use:

    ```mzsql
    CREATE CONNECTION mysql_connection TO MYSQL (
        HOST ,
        PORT 3306,
        USER 'materialize',
        PASSWORD SECRET mysqlpass,
        SSL MODE REQUIRED,
        AWS PRIVATELINK privatelink_svc
    );
    ```

    - Replace `` with your RDS endpoint. To find your RDS endpoint, select your database in the RDS Console, and look under Connectivity & security.

    AWS IAM authentication is also available; see the CREATE CONNECTION command for details.
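Steps 2 to 4 above (retrieve the principal, allow it on the endpoint service, approve its connection request) are the point where the endpoint service is exposed to another account, so they are worth doing with an explicit check that only the principal Materialize reported is allowed and that only its pending request is accepted. The script below is an added example, not Materialize's own tooling. It drives the AWS CLI (`aws ec2 ...`) through `subprocess` and assumes the CLI is installed and has credentials for the account that owns the endpoint service; `SERVICE_ID` is a placeholder for your own endpoint service id, the principal ARN is the one shown on this page, and `SAMPLE_CONNECTIONS` is a constructed stand-in for a `describe-vpc-endpoint-connections` response so the triage logic can be exercised offline.

```python
"""Added example (not Materialize's code): restrict an AWS PrivateLink endpoint
service to the principal Materialize reports, then accept only that principal's
pending connection request. Live steps use the AWS CLI via subprocess; the pure
helpers run offline on the constructed sample at the bottom."""
import json
import re
import subprocess

# Principal as printed by the SELECT on mz_aws_privatelink_connections (value from the page).
MZ_PRINCIPAL = "arn:aws:iam::664411391173:role/mz_20273b7c-2bbe-42b8-8c36-8cc179e9bbc3_u1"
# Placeholder: the id of your own VPC endpoint service (vpce-svc-...).
SERVICE_ID = "vpce-svc-REPLACE_ME"

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[^/]+$")


def account_from_principal(arn: str) -> str:
    """Return the 12-digit account id of an IAM role ARN, or raise if the value
    is not a role ARN (catches a mangled or truncated copy-paste of the principal)."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"expected an IAM role ARN, got {arn!r}")
    return m.group(1)


def triage_connections(connections: list, expected_account: str) -> tuple:
    """Split pending endpoint connection requests into those raised from the
    expected account (safe to accept) and any others (leave for human review).
    `connections` is the VpcEndpointConnections list returned by
    `aws ec2 describe-vpc-endpoint-connections`."""
    accept, unexpected = [], []
    for c in connections:
        if c.get("VpcEndpointState", "").lower() != "pendingacceptance":
            continue  # already accepted/rejected/deleted: nothing to decide
        bucket = accept if c.get("VpcEndpointOwner") == expected_account else unexpected
        bucket.append(c["VpcEndpointId"])
    return accept, unexpected


def aws_json(*args: str) -> dict:
    """Run one AWS CLI command and parse its JSON output (empty output -> {})."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def allow_only_principal(service_id: str, principal: str) -> list:
    """Add the Materialize principal to the service's allow list and return every
    other allowed principal, so a stray '*' or a stale entry gets noticed."""
    aws_json("ec2", "modify-vpc-endpoint-service-permissions",
             "--service-id", service_id, "--add-allowed-principals", principal)
    perms = aws_json("ec2", "describe-vpc-endpoint-service-permissions",
                     "--service-id", service_id)
    return [p["Principal"] for p in perms.get("AllowedPrincipals", [])
            if p["Principal"] != principal]


def approve_materialize_request(service_id: str, principal: str) -> tuple:
    """Accept pending requests that come from the principal's account only;
    return (accepted endpoint ids, unexpected pending endpoint ids)."""
    account = account_from_principal(principal)
    conns = aws_json("ec2", "describe-vpc-endpoint-connections",
                     "--filters", f"Name=service-id,Values={service_id}")
    accept, unexpected = triage_connections(conns.get("VpcEndpointConnections", []), account)
    if accept:
        aws_json("ec2", "accept-vpc-endpoint-connections",
                 "--service-id", service_id, "--vpc-endpoint-ids", *accept)
    return accept, unexpected


# Constructed sample of a describe-vpc-endpoint-connections response: one request
# from the Materialize account, one from an unrelated account, one already accepted.
SAMPLE_CONNECTIONS = [
    {"VpcEndpointId": "vpce-0a1b2c3d4e5f60001", "VpcEndpointOwner": "664411391173",
     "VpcEndpointState": "pendingAcceptance"},
    {"VpcEndpointId": "vpce-0a1b2c3d4e5f60002", "VpcEndpointOwner": "111122223333",
     "VpcEndpointState": "pendingAcceptance"},
    {"VpcEndpointId": "vpce-0a1b2c3d4e5f60003", "VpcEndpointOwner": "664411391173",
     "VpcEndpointState": "available"},
]

if __name__ == "__main__":
    ok, review = triage_connections(SAMPLE_CONNECTIONS, account_from_principal(MZ_PRINCIPAL))
    print("would accept:", ok, "needs review:", review)
    # With credentials and a real SERVICE_ID, run the live steps:
    # print(allow_only_principal(SERVICE_ID, MZ_PRINCIPAL))
    # print(approve_materialize_request(SERVICE_ID, MZ_PRINCIPAL))
```

The script deliberately does not reject the unexpected requests on its own; it returns them so the operator can see who else is knocking on the endpoint service and decide, which matches the manual-approval flow in step 4. Running `VALIDATE CONNECTION privatelink_svc;` afterwards (step 5) confirms that the accepted endpoint is the one Materialize is actually using.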