
Use Aws Privatelink

doc/user/layouts/shortcodes/sql-server-direct/ingesting-data/use-aws-privatelink.html

1. In the SQL Shell, or your preferred SQL client connected to Materialize, use the CREATE CONNECTION command to create an AWS PrivateLink connection:

   ↕️ **In-region connections**

   To connect to an AWS PrivateLink endpoint service in the **same region** as your Materialize environment:

   ```mzsql
   CREATE CONNECTION privatelink_svc TO AWS PRIVATELINK (
       SERVICE NAME 'com.amazonaws.vpce..vpce-svc-',
       AVAILABILITY ZONES ('use1-az1', 'use1-az2', 'use1-az4')
   );
   ```

   - Replace the SERVICE NAME value with the service name you noted earlier.
   - Replace the AVAILABILITY ZONES list with the IDs of the availability zones in your AWS account. For in-region connections, the availability zones of the NLB and the consumer VPC must match. To find your availability zone IDs, select your database in the RDS Console and click the subnets under Connectivity & security. For each subnet, look for Availability Zone ID (e.g., use1-az6), not Availability Zone (e.g., us-east-1d).

   ↔️ **Cross-region connections**

   To connect to an AWS PrivateLink endpoint service in a different region from the one where your Materialize environment is deployed:

   ```mzsql
   CREATE CONNECTION privatelink_svc TO AWS PRIVATELINK (
       SERVICE NAME 'com.amazonaws.vpce.us-west-1.vpce-svc-',
       -- For now, the AVAILABILITY ZONES clause **is** required, but will be
       -- made optional in a future release.
       AVAILABILITY ZONES ()
   );
   ```

   - Replace the SERVICE NAME value with the service name you noted earlier.
   - The service name region refers to where the endpoint service was created. You do not need to specify AVAILABILITY ZONES manually; these will be optimally auto-assigned when none are provided.

2. Retrieve the AWS principal for the AWS PrivateLink connection you just created:

   ```mzsql
   SELECT principal
   FROM mz_aws_privatelink_connections plc
   JOIN mz_connections c ON plc.id = c.id
   WHERE c.name = 'privatelink_svc';
   ```

   ```
   principal
   ---------------------------------------------------------------------------
   arn:aws:iam::664411391173:role/mz_20273b7c-2bbe-42b8-8c36-8cc179e9bbc3_u1
   ```

3. Update your VPC endpoint service to accept connections from the AWS principal.

4. If your AWS PrivateLink service is configured to require acceptance of connection requests, manually approve the connection request from Materialize.

   **Note:** It can take some time for the connection request to show up. Do not move on to the next step until you've approved the connection.

5. Validate the AWS PrivateLink connection you created using the VALIDATE CONNECTION command:

   ```mzsql
   VALIDATE CONNECTION privatelink_svc;
   ```

   If no validation error is returned, move to the next step.

6. Use the CREATE SECRET command to securely store the password for the materialize SQL Server user you created:

   ```mzsql
   CREATE SECRET sql_server_pass AS '';
   ```

7. Use the CREATE CONNECTION command to create another connection object, this time with database access and authentication details for Materialize to use:

   ```mzsql
   CREATE CONNECTION sql_server_connection TO SQL SERVER (
       HOST ,
       PORT 1433,
       USER 'materialize',
       PASSWORD SECRET sql_server_pass,
       SSL MODE REQUIRED,
       AWS PRIVATELINK privatelink_svc
   );
   ```

   - Replace with your RDS endpoint. To find your RDS endpoint, select your database in the RDS Console, and look under **Connectivity & security**.
   - Replace with the name of the database containing the tables you want to replicate to Materialize.

   AWS IAM authentication is also available; see the CREATE CONNECTION command for details.
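Step 4 has you approve the connection request from Materialize when the endpoint service requires acceptance; the following added example (not Materialize's or AWS's own tooling) accepts only pending requests whose owner account matches the account in the principal ARN from step 2 and leaves any other request pending for review. It assumes a boto3-style EC2 client exposing describe_vpc_endpoint_connections and accept_vpc_endpoint_connections; the FakeEC2 class, SERVICE_ID and CONNECTIONS below are constructed stand-ins so the code runs offline.

```python
import re
ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):role/")

def account_from_principal(principal: str) -> str:
    """Return the 12-digit account ID from the principal ARN Materialize reports."""
    m = ARN_ACCOUNT.match(principal)
    if not m:
        raise ValueError(f"unexpected principal format: {principal!r}")
    return m.group(1)

def accept_materialize_requests(ec2, service_id: str, principal: str) -> dict:
    """Accept only pending requests owned by the Materialize account; report the rest."""
    expected_owner = account_from_principal(principal)
    resp = ec2.describe_vpc_endpoint_connections(Filters=[{"Name": "service-id", "Values": [service_id]}])
    accepted, skipped = [], []
    for conn in resp.get("VpcEndpointConnections", []):
        if conn.get("VpcEndpointState") != "pendingAcceptance":
            continue  # already accepted, rejected or deleted: nothing to do
        if conn.get("VpcEndpointOwner") == expected_owner:
            accepted.append(conn["VpcEndpointId"])
        else:  # unexpected requester: leave it pending for a human to review
            skipped.append((conn["VpcEndpointId"], conn.get("VpcEndpointOwner")))
    if accepted:
        ec2.accept_vpc_endpoint_connections(ServiceId=service_id, VpcEndpointIds=accepted)
    return {"accepted": accepted, "skipped": skipped}

class FakeEC2:
    """Constructed stand-in for boto3's EC2 client so the example runs offline."""
    def __init__(self, connections):
        self.connections, self.accepted = connections, []
    def describe_vpc_endpoint_connections(self, Filters):
        wanted = Filters[0]["Values"][0]
        return {"VpcEndpointConnections": [c for c in self.connections if c["ServiceId"] == wanted]}
    def accept_vpc_endpoint_connections(self, ServiceId, VpcEndpointIds):
        self.accepted.extend(VpcEndpointIds)
        return {"Unsuccessful": []}

# Constructed sample: the principal shown above, one request from its account,
# one from an unrelated account, and one endpoint that was already accepted.
PRINCIPAL = "arn:aws:iam::664411391173:role/mz_20273b7c-2bbe-42b8-8c36-8cc179e9bbc3_u1"
SERVICE_ID = "vpce-svc-EXAMPLE"  # placeholder, not a real endpoint service ID
CONNECTIONS = [
    {"ServiceId": SERVICE_ID, "VpcEndpointId": "vpce-0aaa", "VpcEndpointOwner": "664411391173", "VpcEndpointState": "pendingAcceptance"},
    {"ServiceId": SERVICE_ID, "VpcEndpointId": "vpce-0bbb", "VpcEndpointOwner": "111122223333", "VpcEndpointState": "pendingAcceptance"},
    {"ServiceId": SERVICE_ID, "VpcEndpointId": "vpce-0ccc", "VpcEndpointOwner": "664411391173", "VpcEndpointState": "available"},
]

def run_sample():
    ec2 = FakeEC2(CONNECTIONS)
    return accept_materialize_requests(ec2, SERVICE_ID, PRINCIPAL), ec2.accepted
```

With a real client, pass boto3.client("ec2", region_name=...) for the endpoint service's region in place of FakeEC2.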