Private service endpoints

docs/content/stable/yugabyte-cloud/cloud-basics/cloud-vpcs/cloud-add-endpoint.md

2026.1.0.0-b294.6 KB

A private service endpoint (PSE) is used to connect a YugabyteDB Aeon cluster that is deployed in a Virtual Private Cloud (VPC) with other services on the same cloud provider - typically a VPC hosting the application that you want to access your cluster. The PSE on your cluster connects to an endpoint on the VPC hosting your application over a private connection, referred to as a private link.

Overview

While cloud providers refer to the components of a private link service in different ways, these components serve the same purposes.

| YugabyteDB | AWS PrivateLink | Azure Private Link | Description |
| :--- | :--- | :--- | :--- |
| VPC | VPC | VNet | Secure virtual network created on a cloud provider. |
| PSE | Endpoint service | Private Link service | The endpoints on your cluster that you make available to the private link. |
| Application VPC endpoint | Interface VPC endpoint | Private endpoint | The endpoints on the application VPC corresponding to the PSEs on your cluster. |
| Security principal | AWS principal (ARN) | Subscription ID | Cloud provider account with permissions to manage endpoints. |
| Service name | Service name | Alias | Identifies the PSE to the application VPC endpoint. You provide the service name when creating the application VPC endpoint. |

Setting up a private link to connect your cluster to your application VPC involves the following tasks:

  1. Deploy your cluster in a VPC. You must create a VPC and deploy your cluster before you can configure the PSE.

  2. Create a PSE in each region of your cluster. The PSE is an endpoint service, and you activate it by granting access to a security principal on your application VPC.

    In the case of AWS, the security principal is an AWS principal, expressed as an Amazon Resource Name (ARN).

    For Azure, the security principal is the subscription ID of the Azure subscription that you want to grant access.

  3. On the cloud provider, create an interface VPC endpoint (AWS) or a private endpoint (Azure) on the VPC (VNet) hosting your application. You create an endpoint for each region in your cluster, providing the service name of the corresponding PSE on your cluster.
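The security principal you grant in step 2 is the access control for the private link, so it is worth checking before you hand it to the PSE. The following is an added example, not code from this page or from YugabyteDB Aeon: a pre-flight check that parses the principal for each provider (an IAM ARN for AWS, a subscription ID for Azure), rejects an AWS wildcard principal, confirms the account or subscription is one you own, and pairs each cluster region's PSE service name with an application VPC in that same region (step 3). The accepted AWS principal forms (account root, IAM user, IAM role, `*`) are the forms AWS PrivateLink endpoint services accept, not something this page states; the trusted accounts, subscriptions, service names and VPC IDs are constructed sample data.

```python
"""Pre-flight checks for a YugabyteDB Aeon private service endpoint (PSE) setup.

Added example, not YugabyteDB Aeon's own code. Assumptions: AWS PrivateLink
endpoint services accept principals of the form arn:<partition>:iam::<account>:root,
...:user/<name>, ...:role/<name>, or the '*' wildcard; the Azure principal is a
subscription ID (a UUID). All trusted IDs and sample inputs below are constructed.
"""
import re
import uuid
from dataclasses import dataclass

# IAM principal ARN: arn:<partition>:iam::<12-digit account>:<resource>
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):(?P<resource>.+)$"
)


@dataclass(frozen=True)
class PrincipalCheck:
    ok: bool
    kind: str    # aws-root | aws-user | aws-role | aws-wildcard | azure-subscription | invalid
    reason: str


def check_aws_principal(arn: str, trusted_accounts: set[str]) -> PrincipalCheck:
    """Validate an AWS principal before granting it on a PSE."""
    arn = arn.strip()
    # '*' would let any AWS account create an interface endpoint to the PSE;
    # since the cluster needs no IP allow list for private link traffic,
    # the principal grant is the whole access control. Refuse it.
    if arn == "*":
        return PrincipalCheck(False, "aws-wildcard", "wildcard principal grants every AWS account")
    m = ARN_RE.match(arn)
    if not m:
        return PrincipalCheck(False, "invalid", f"not an IAM principal ARN: {arn!r}")
    account, resource = m["account"], m["resource"]
    if resource == "root":
        kind = "aws-root"
    elif resource.startswith("user/"):
        kind = "aws-user"
    elif resource.startswith("role/"):
        kind = "aws-role"
    else:
        return PrincipalCheck(False, "invalid", f"unsupported IAM resource type: {resource!r}")
    if account not in trusted_accounts:
        return PrincipalCheck(False, kind, f"account {account} is not one of ours")
    return PrincipalCheck(True, kind, "ok")


def check_azure_principal(sub_id: str, trusted_subscriptions: set[str]) -> PrincipalCheck:
    """Validate an Azure subscription ID before granting it on a PSE."""
    try:
        # Accepts braced/unbraced forms; canonical form is lowercase, hyphenated.
        normalized = str(uuid.UUID(sub_id.strip()))
    except ValueError:
        return PrincipalCheck(False, "invalid", f"not a subscription ID (UUID): {sub_id!r}")
    if normalized not in trusted_subscriptions:
        return PrincipalCheck(False, "azure-subscription", f"subscription {normalized} is not one of ours")
    return PrincipalCheck(True, "azure-subscription", "ok")


def plan_interface_endpoints(pse_service_names: dict[str, str], app_vpcs: dict[str, str]) -> list[dict]:
    """One application VPC endpoint per cluster region, using that region's PSE service name.

    pse_service_names: region -> service name of the PSE in that region.
    app_vpcs: region -> ID of the application VPC (VNet) in that region.
    Raises ValueError if a cluster region has no application VPC in the same region.
    """
    plan, missing = [], []
    for region, service_name in sorted(pse_service_names.items()):
        vpc = app_vpcs.get(region)
        if vpc is None:
            missing.append(region)
            continue
        plan.append({"region": region, "vpc": vpc, "service_name": service_name})
    if missing:
        raise ValueError(f"no application VPC in cluster region(s): {', '.join(missing)}")
    return plan


# Constructed sample data (hypothetical account, subscription, service names, VPC IDs).
TRUSTED_AWS_ACCOUNTS = {"123456789012"}
TRUSTED_AZURE_SUBSCRIPTIONS = {"11111111-2222-3333-4444-555555555555"}
SAMPLE_PSES = {
    "us-east-1": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
    "us-west-2": "com.amazonaws.vpce.us-west-2.vpce-svc-0fedcba9876543210",
}
SAMPLE_APP_VPCS = {"us-east-1": "vpc-0aaa", "us-west-2": "vpc-0bbb"}

if __name__ == "__main__":
    for p in ("arn:aws:iam::123456789012:root", "arn:aws:iam::999999999999:role/app", "*"):
        print(p, "->", check_aws_principal(p, TRUSTED_AWS_ACCOUNTS))
    print(check_azure_principal("{11111111-2222-3333-4444-555555555555}", TRUSTED_AZURE_SUBSCRIPTIONS))
    for step in plan_interface_endpoints(SAMPLE_PSES, SAMPLE_APP_VPCS):
        print(f"create endpoint in {step['vpc']} ({step['region']}) for {step['service_name']}")
```

Run the checks on the exact strings you intend to pass to the PSE and to the interface endpoint; a rejected wildcard or an unknown account is the cheapest point at which to catch a grant that would expose the cluster to another tenant's VPC.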

Limitations

Prerequisites

Before you can create a PSE, you need to do the following:

  1. Create a VPC. Refer to Create a VPC. Make sure your VPC is in the same region as the application VPC to which you will connect your endpoint.
  2. Deploy a YugabyteDB cluster in the VPC. Refer to Create a cluster.

In addition, if you want to use the ybm CLI to create PSEs, you need to do the following:

Note that, unlike VPC peering, connecting to an application VPC over a private link does not require you to add an IP allow list to your cluster: access is authorized by the security principal you grant on the PSE, and the traffic stays on the cloud provider's private network.

Get started

{{< sections/2-boxes >}}

{{< sections/bottom-image-box title="Set up an AWS PrivateLink" description="Add PSEs to your cluster and create interface endpoints on your application VPC in AWS." buttonText="Setup Guide" buttonUrl="../managed-endpoint-aws/" >}}

{{< sections/bottom-image-box title="Set up an Azure Private Link" description="Add a PSE to your cluster and create a private endpoint on your application VNet in Azure." buttonText="Setup Guide" buttonUrl="../managed-endpoint-azure/" >}}

{{< /sections/2-boxes >}}