docs/v3/how-to-guides/cloud/manage-users/secure-access-by-private-link.mdx
PrivateLink is an available upgrade to certain Enterprise plans. PrivateLink enables account administrators to route API and UI traffic to Prefect Cloud through AWS, keeping it off the public internet. Traffic between your network and Prefect Cloud is encrypted end-to-end.
To learn more, please contact your account manager or the Prefect team at [email protected].
The Prefect team will provide you with two VPC Endpoint Service names (one for the API, one for the UI). Create a VPC Endpoint in your AWS account for each service you want to use.
Provide the following information to Prefect so the connection can be accepted:
us-east-1)
Prefect will review and accept the connection.
Once the connection is accepted, enable Private DNS on each VPC Endpoint. This allows your VPC to resolve the Prefect private endpoints automatically.
Without Private DNS enabled, DNS queries for api.private.prefect.cloud and app.private.prefect.cloud will return NXDOMAIN.
Run these commands from within the VPC that has the VPC Endpoints configured.
DNS resolution (should return private 10.x.x.x IPs):
nslookup api.private.prefect.cloud
nslookup app.private.prefect.cloud
API health check (should return HTTP 200):
curl -i https://api.private.prefect.cloud/api/health
UI health check (should return HTTP 200):
curl -i https://app.private.prefect.cloud/private-ui/health
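The DNS and health checks above can be scripted so they run the same way on every host in the VPC. This is an added example, not part of the Prefect documentation; it assumes BIND-style nslookup output, and the function names, file name and --run flag are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Prefect docs. Assumes BIND-style nslookup output
# ("Name:" then "Address:" lines) and curl on PATH. File name is hypothetical.

# Succeed only for a well-formed IPv4 address in 10.0.0.0/8 (the guide's 10.x.x.x).
is_10_net() {
  case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  case $1 in 10.*.*.*) ;; *) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ????*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Read nslookup output on stdin; print PRIVATE, NOT_PRIVATE, NXDOMAIN or NO_ANSWER.
# PRIVATE means every answer address is in 10.0.0.0/8.
classify_nslookup() {
  in_answer=0 verdict=NO_ANSWER
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      *NXDOMAIN*) echo NXDOMAIN; return 0 ;;
      Name:*) in_answer=1 ;;
      Address:*)
        # An "Address:" line before any "Name:" line is the resolver itself.
        [ "$in_answer" -eq 1 ] || continue
        ip=$(printf '%s' "${line#Address:}" | tr -d '[:space:]')
        if is_10_net "$ip"; then verdict=PRIVATE; else echo NOT_PRIVATE; return 0; fi ;;
    esac
  done
  echo "$verdict"
}

# $1 = hostname, $2 = health URL. The HTTP check runs only when DNS is private.
check_endpoint() {
  dns=$(nslookup "$1" 2>&1 | classify_nslookup)
  code=skipped
  [ "$dns" = PRIVATE ] && code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "$2")
  echo "$1 dns=$dns http=$code"
  [ "$dns" = PRIVATE ] && [ "$code" = 200 ]
}

# Run from inside the VPC with: sh check_privatelink.sh --run
if [ "${1:-}" = "--run" ]; then
  rc=0
  check_endpoint api.private.prefect.cloud https://api.private.prefect.cloud/api/health || rc=1
  check_endpoint app.private.prefect.cloud https://app.private.prefect.cloud/private-ui/health || rc=1
  exit "$rc"
fi
```

A NOT_PRIVATE or NXDOMAIN verdict skips the HTTP request, so a non-zero exit status points at the DNS or endpoint configuration before any traffic is sent.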
Set PREFECT_CLOUD_API_URL and PREFECT_CLOUD_UI_URL to the private endpoints:
prefect config set PREFECT_CLOUD_API_URL="https://api.private.prefect.cloud/api"
prefect config set PREFECT_CLOUD_UI_URL="https://app.private.prefect.cloud"
prefect cloud login -k <your-api-key>
prefect cloud workspace ls
PREFECT_CLOUD_UI_URL is inferred automatically from PREFECT_CLOUD_API_URL in most cases, but setting it explicitly ensures that UI links in logs and CLI output point to the private UI endpoint.
Workers and other Prefect clients running inside your VPC will use these endpoints automatically once configured.
If nslookup api.private.prefect.cloud or nslookup app.private.prefect.cloud returns NXDOMAIN, Private DNS is not enabled on the VPC Endpoint or the command is being run from outside the VPC. In the AWS console, navigate to VPC > Endpoints, select the endpoint, and confirm Private DNS names enabled is true. If it is not enabled, modify the endpoint to enable it.
In the AWS console, navigate to VPC > Endpoints and check the Status column. If the status is "Pending", Prefect has not yet accepted the connection. Contact your Prefect team. If the status is "Rejected" or "Failed", the endpoint may need to be recreated.
Run nslookup api.private.prefect.cloud or nslookup app.private.prefect.cloud to confirm DNS resolves.