Cloudplex Secure Connectivity
Overview
As the adoption of externally managed applications increases, IT organizations need seamless and secure connectivity to both their on-premises and private cloud endpoints.
The Secure Connectivity subscription feature extends SnapLogic's Cloudplex managed data plane: you can connect Cloudplexes to your AWS and on-premises endpoints over AWS PrivateLink, so traffic between the Cloudplex and your endpoints stays on the AWS network rather than the public internet. For setting up an AWS PrivateLink endpoint service, refer to Create a service powered by AWS PrivateLink - Amazon Virtual Private Cloud.
After you create the VPC endpoint service, provide its service name in the Cloudplex Secure Connectivity wizard and initiate the connection to your endpoint service. Once the connection is established (and accepted on your side, if your endpoint service requires acceptance), you are given an endpoint URL to use in your SnapLogic Accounts.
You can also use the CloudFormation template at the end of this page to create the endpoint service and its permissions.
Features
- The ability to create an AWS PrivateLink connection from your Cloudplexes to your endpoints
- A connection wizard that offers an easy workflow for Admins to configure and manage connections
- A dedicated page to manage connections and their statuses
Support and limitations
- This feature is only available in the new Admin Manager.
- Supported connection type: AWS PrivateLink.
- Both the Global and EMEA control planes support this feature.
- Cloudplexes currently support three connections. Contact your CSM if you need more.
- The following Cloudplex regions are supported:
- U.S. (us-west-2)
- Ireland (eu-west-1)
- London (eu-west-2)
- Canada (ca-central-1)
- The VPC endpoint service that you create must be in the same AWS region as your Cloudplexes.
- Ports in the range 9070-9080 are supported for the PrivateLink connection. Configure listeners on your AWS Network Load Balancer for these ports and forward them to the ports your data source actually listens on. Contact your CSM to change port assignments.
- Supply the service name of your VPC endpoint service (the value in the form com.amazonaws.vpce.<region>.vpce-svc-...), not the DNS name of a VPC endpoint.
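The limitations above are the things that most often go wrong when filling in the wizard: pasting an endpoint DNS name instead of the service name, pointing at a service in a different region, or putting the NLB listeners on ports outside 9070-9080. The following pre-flight check is an added example, not SnapLogic's code or part of the wizard: it encodes those constraints so you can validate a request before opening Admin Manager. The service-name shape it assumes (com.amazonaws.vpce.<region>.vpce-svc-<hex id>) follows the ServiceUrl output of the CloudFormation template on this page and AWS naming; the sample inputs at the bottom are constructed placeholders, not real services.

```python
"""Pre-flight checks for a Cloudplex Secure Connectivity request.

Added example, not SnapLogic code. It encodes the constraints stated above:
the wizard needs the endpoint *service name*, not a DNS name; the endpoint
service must be in the same AWS region as the Cloudplex; that region must be
one of the supported Cloudplex regions; and NLB listener ports must fall in
9070-9080.
"""
import re

# Cloudplex regions listed under "Support and limitations".
SUPPORTED_REGIONS = {"us-west-2", "eu-west-1", "eu-west-2", "ca-central-1"}

# Port range listed under "Support and limitations" (inclusive).
PORT_RANGE = range(9070, 9081)

# Assumed service-name shape, from the template's ServiceUrl output and AWS
# naming: com.amazonaws.vpce.<region>.vpce-svc-<hex id>.
SERVICE_NAME_RE = re.compile(
    r"^com\.amazonaws\.vpce\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"
    r"\.(?P<id>vpce-svc-[0-9a-f]{8,17})$"
)

# VPC endpoint DNS names end in ".vpce.amazonaws.com"; pasting one is the
# mistake the "service name, not DNS name" limitation warns about.
DNS_NAME_RE = re.compile(r"\.vpce\.amazonaws\.com$")


def check_request(service_name: str, cloudplex_region: str, listener_ports) -> list:
    """Return a list of problems with the request; an empty list means it passes."""
    problems = []

    if DNS_NAME_RE.search(service_name):
        problems.append("a VPC endpoint DNS name was supplied; enter the endpoint service name instead")
        return problems  # the remaining checks need a parseable service name

    match = SERVICE_NAME_RE.match(service_name)
    if match is None:
        problems.append(f"{service_name!r} is not a PrivateLink endpoint service name")
        return problems

    service_region = match.group("region")
    if cloudplex_region not in SUPPORTED_REGIONS:
        problems.append(f"Cloudplex region {cloudplex_region} is not a supported Cloudplex region")
    if service_region != cloudplex_region:
        problems.append(
            f"endpoint service region {service_region} does not match Cloudplex region {cloudplex_region}"
        )

    out_of_range = sorted(p for p in listener_ports if p not in PORT_RANGE)
    if out_of_range:
        problems.append(f"NLB listener ports outside 9070-9080: {out_of_range}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the service ID is a placeholder, not a real service.
    good = "com.amazonaws.vpce.eu-west-1.vpce-svc-0123456789abcdef0"
    dns = "vpce-0a1b2c3d.vpce-svc-0123456789abcdef0.eu-west-1.vpce.amazonaws.com"
    for name, region, ports in [(good, "eu-west-1", [9070, 9071]),
                                (dns, "eu-west-1", [9070]),
                                (good, "us-west-2", [8443, 9075])]:
        print(name, region, ports, "->", check_request(name, region, ports) or "OK")
```

The DNS-name check runs first and stops early because a DNS name carries the service ID and region in a different order, so the other checks would only produce confusing follow-on errors. Run it with the values you intend to type into the wizard and fix everything it reports before initiating the connection.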
Prerequisites
- Cloudplexes in your Environment.
- Familiarity with AWS PrivateLink.
- Your Cloudplex and the endpoint service for your AWS PrivateLink must be in the same AWS region.
Architecture
The following diagram shows the architecture for Cloudplex secured connections.
Workflow
To configure a Cloudplex for Secure Connectivity:
- Set up your AWS VPC.
- Configure an AWS Network Load Balancer (NLB) in front of your data source, with a target in each subnet (availability zone) that you want served.
- Create a VPC endpoint service configuration and attach the NLB to it.
- In Admin Manager, select the Cloudplex and configure the connection to the AWS VPC endpoint service.
- Check the status on the Cloudplex Secure Connectivity page, and accept the connection request on the AWS side if your endpoint service requires acceptance.
- Run pipelines on your Cloudplexes over the AWS PrivateLink.
AWS PrivateLink Setup Requirements
You can configure your AWS PrivateLink endpoint service in the Amazon VPC console. Consider the following:
- Use a Network Load Balancer; PrivateLink endpoint services are fronted by NLBs.
- You can associate a private DNS name with the endpoint service for other service consumers to use. Do not enter that DNS name in the wizard; the wizard takes the service name.
- Because the SnapLogic control plane is the service consumer (a different AWS account), review the AWS guidance on sharing an endpoint service with another account before making it available to the Cloudplex Secure Connectivity feature.
- Add the ARN for your control plane to the endpoint service's allowed principals so that SnapLogic can request the PrivateLink connection. Allowlist only the ARN for the control plane you use, and keep acceptance required enabled so that only connection requests you recognize are accepted.
- Global Control Plane users: arn:aws:iam::868327748124:root
- EMEA Control Plane users: arn:aws:iam::706565328972:root
CloudFormation Template
The template below creates the endpoint service, attaches your NLB, and allowlists the SnapLogic control plane account. Select the EMEA principal if your Environment is on the EMEA control plane.
AWSTemplateFormatVersion: '2010-09-09'
Description: PrivateLink endpoint service creation to communicate with SnapLogic
Parameters:
  LoadBalancer:
    Type: String
    Description: ARN of the Network Load Balancer. The load balancer must listen on ports in the range 9070-9080.
  AcceptanceRequired:
    Type: String
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
    Description: Whether a connection request must be accepted manually before it is established. Keep "true" so that only the expected SnapLogic connection is accepted.
  SnapLogicPrincipal:
    Type: String
    Default: arn:aws:iam::868327748124:root
    AllowedValues:
      - arn:aws:iam::868327748124:root   # Global control plane
      - arn:aws:iam::706565328972:root   # EMEA control plane
    Description: SnapLogic control plane account allowed to connect to the endpoint service.
Resources:
  EndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties:
      NetworkLoadBalancerArns:
        - !Ref LoadBalancer
      # AcceptanceRequired is a single Boolean, not a list.
      AcceptanceRequired: !Ref AcceptanceRequired
  EndpointServicePermissions:
    Type: AWS::EC2::VPCEndpointServicePermissions
    Properties:
      AllowedPrincipals:
        - !Ref SnapLogicPrincipal
      ServiceId: !GetAtt EndpointService.ServiceId
Outputs:
  ServiceUrl:
    Description: Endpoint service name to enter in the Cloudplex Secure Connectivity wizard (not a DNS name).
    Value: !Sub "com.amazonaws.vpce.${AWS::Region}.${EndpointService.ServiceId}"