Cloudplex Secure Connectivity

Cloudplex Secure Connectivity enables Environment Admins to configure a secure link between their Cloudplexes and the SnapLogic control plane.

The Secure Connectivity subscription feature supports SnapLogic's Cloudplex managed data plane solution. You can connect Cloudplexes to your AWS cloud and on-premises endpoints using AWS PrivateLink. To set up AWS PrivateLink, refer to Create a service powered by AWS PrivateLink - Amazon Virtual Private Cloud.

Note: In most contexts, when configuring an AWS PrivateLink connection, the customer is the client. However, for Cloudplex Secure Connectivity, the customer acts as the server and the SnapLogic platform is the consumer reaching out to the VPC endpoint.

After you set up the VPC Endpoint Service URL, provide it in the Cloudplex Secure Connectivity wizard. Initiate the connection with your Endpoint Service. You will be provided an endpoint URL to use in the SnapLogic Accounts.

You can also use the CloudFormation template to assist in the setup.

Important: Any fees associated with setting up the VPC endpoint and AWS NLB (Network Load Balancer), along with ensuing throughput costs, are the customer's responsibility.

Features

  • The ability to create an AWS PrivateLink connection from your Cloudplexes to your endpoints
  • The capability to add a private link for your Snowflake endpoints
  • A connection wizard that offers an easy workflow for Admins to configure and manage connections
  • A dedicated page to manage connections and their statuses

General guidelines

  • Configuration is available in Admin Manager.
  • Supported Applications:
    • AWS PrivateLink
    • AWS PrivateLink with Snowflake
  • Both the Global and EMEA control planes support this feature.
  • Cloudplexes currently support only three connections. Contact your CSM if more connections are required.
  • The following Cloudplex regions are supported:
    • U.S. (us-west-2)
    • Ireland (eu-west-1)
    • London (eu-west-2)
    • Canada (ca-central-1)
  • The VPC endpoint that you create must be in the same global region as your Cloudplexes.
  • Ten ports, from 9070-9080, are supported to connect to AWS PrivateLink. You can use your AWS load balancer to redirect these ports. Contact your CSM to change port assignments.
  • Make sure you supply the service name of your VPC endpoint - not the DNS name.

Workflow

To configure a Cloudplex for Secure Connectivity:

  1. Set up your AWS VPC:
    1. Configure an AWS NLB for your data source for each target subnet (availability zone).
    2. Create a VPC endpoint service configuration and specify the NLB.
  2. Select Cloudplex and configure the connection to the AWS VPC endpoint service.
  3. Optional. Add a Private Link with Snowflake.
  4. Check the status in the Cloudplex secure connectivity tab.
  5. Run pipelines on your Cloudplexes over the AWS PrivateLink.

Requirements for AWS PrivateLink Configuration

You configure the AWS PrivateLink in the Amazon VPC console. Refer to the following requirements:

  • Use Network Load Balancers.
  • For the VPC endpoint, you should associate a private DNS name that service consumers can use to access your service. Do not use the DNS name when configuring the secure connection in the wizard.
  • The Endpoint Service and its Network Load Balancer (NLB) must be enabled across all three Availability Zones (AZs) used by SnapLogic within a region.
  • Because the SnapLogic platform is the consumer, review AWS guidelines when making the endpoint service available to the Cloudplex Secure Connectivity feature.
  • Add the appropriate ARN to your Allow principals whitelist for SnapLogic to establish the PrivateLink connection.
    • Global Control Plane users - arn:aws:iam::868327748124:root
    • EMEA Control Plane users - arn:aws:iam::706565328972:root
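
The requirements above can be checked before opening the wizard. The following is an added example, not SnapLogic code: it validates one `ServiceConfigurations` item from `aws ec2 describe-vpc-endpoint-service-configurations` and the `AllowedPrincipals` list from `aws ec2 describe-vpc-endpoint-service-permissions`. The function name and sample IDs are constructed, and the Availability Zone check only counts zones, since the page does not list which ones SnapLogic uses.

```python
import re

# Values from the page: supported Cloudplex regions and SnapLogic principals.
SUPPORTED_REGIONS = {"us-west-2", "eu-west-1", "eu-west-2", "ca-central-1"}
SNAPLOGIC_PRINCIPALS = {
    "global": "arn:aws:iam::868327748124:root",
    "emea": "arn:aws:iam::706565328972:root",
}
# Service name shape, as built by the template's ServiceUrl output.
SERVICE_NAME_RE = re.compile(r"^com\.amazonaws\.vpce\.([a-z0-9-]+)\.vpce-svc-[0-9a-f]+$")

def check_endpoint_service(config, principals, control_plane):
    """Return findings for one ServiceConfigurations item and its
    AllowedPrincipals list; an empty list means every check passed."""
    findings = []
    name = config.get("ServiceName", "")
    match = SERVICE_NAME_RE.match(name)
    if not match:
        findings.append(f"{name!r} is not a service name (DNS name supplied?)")
    elif match.group(1) not in SUPPORTED_REGIONS:
        findings.append(f"region {match.group(1)} is not a supported Cloudplex region")
    if not config.get("NetworkLoadBalancerArns"):
        findings.append("no Network Load Balancer is attached")
    az_count = len(set(config.get("AvailabilityZones", [])))
    if az_count < 3:  # assumption: counts AZs only, not which ones SnapLogic uses
        findings.append(f"{az_count} Availability Zone(s) enabled, 3 required")
    allowed = {p.get("Principal") for p in principals}
    wanted = SNAPLOGIC_PRINCIPALS[control_plane]
    if wanted not in allowed:
        findings.append(f"{wanted} is missing from Allow principals")
    if "*" in allowed:
        findings.append("wildcard principal lets any AWS account request a connection")
    return findings

# Constructed sample data (IDs and account 111122223333 are placeholders).
GOOD_CONFIG = {
    "ServiceName": "com.amazonaws.vpce.us-west-2.vpce-svc-0123456789abcdef0",
    "AvailabilityZones": ["us-west-2a", "us-west-2b", "us-west-2c"],
    "NetworkLoadBalancerArns": ["arn:aws:elasticloadbalancing:us-west-2:111122223333:loadbalancer/net/example/0123456789abcdef"],
}
GOOD_PRINCIPALS = [{"Principal": "arn:aws:iam::868327748124:root"}]
BAD_CONFIG = {
    "ServiceName": "vpce-svc-0123456789abcdef0.us-west-2.vpce.amazonaws.com",
    "AvailabilityZones": ["us-west-2a"],
    "NetworkLoadBalancerArns": [],
}

if __name__ == "__main__":
    print(check_endpoint_service(GOOD_CONFIG, GOOD_PRINCIPALS, "global"))
    for finding in check_endpoint_service(BAD_CONFIG, [{"Principal": "*"}], "emea"):
        print("FINDING:", finding)
```
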

Private DNS usage guidelines

  • You can leave the optional Snowflake input fields empty when enabling private DNS for a secure connection. If a private DNS entry is available for the endpoint for which the secure connection is created, SnapLogic will surface the value under the private DNS name header in the UI.
  • If you plan to enable private DNS for Snowflake, refer to Add a Private Link with Snowflake.

CloudFormation template

Note: The following template is an example. It assumes you have a load balancer set up in your AWS infrastructure. We recommend that you use the following values except where customization is required. Consult your CSM for additional details.

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Privatelink Endpoint services creation to communicate with Snaplogic
    Parameters:
      LoadBalancer:
        Type: String
        Description: Network LoadBalancer Arns. Loadbalancer should be configured to listen on ports between 9070-9080
      AcceptanceRequired:
        Default: "true"
        AllowedValues:
          - "true"
          - "false"
        Type: String
        Description: Is Acceptance Required for initiating the connection?

    Resources:
      # Endpoint service fronted by the existing Network Load Balancer.
      EndpointService:
        Type: AWS::EC2::VPCEndpointService
        Properties:
          NetworkLoadBalancerArns:
            - Ref: LoadBalancer
          AcceptanceRequired:
            Ref: AcceptanceRequired

      # Allow principal for the Global control plane; EMEA control plane
      # users specify arn:aws:iam::706565328972:root instead.
      EndpointServicePermissions:
        Type: AWS::EC2::VPCEndpointServicePermissions
        Properties:
          AllowedPrincipals:
            - 'arn:aws:iam::868327748124:root'
          ServiceId: !GetAtt EndpointService.ServiceId

    Outputs:
      # Service name to supply in the Cloudplex Secure Connectivity wizard.
      ServiceUrl:
        Value: !Join ['.', ["com.amazonaws.vpce", !Ref AWS::Region, !GetAtt EndpointService.ServiceId]]