Cloudplex Secure Connectivity

Cloudplex Secure Connectivity enables Environment Admins to configure a secure link between their Cloudplexes and the SnapLogic control plane.

The Secure Connectivity subscription feature supports SnapLogic's Cloudplex managed data plane solution. You can connect Cloudplexes to your AWS cloud and on-premises endpoints using an AWS PrivateLink. For setting up an AWS PrivateLink, refer to Create a service powered by AWS PrivateLink - Amazon Virtual Private Cloud.

Note: In most contexts, when configuring an AWS PrivateLink connection, the customer is the client. However, for Cloudplex Secure Connectivity, the customer acts as the server and the SnapLogic platform is the consumer reaching out to the VPC endpoint.

After you set up the VPC Endpoint Service URL, provide it in the Cloudplex Secure Connectivity wizard. Initiate the connection with your Endpoint Service. You will be provided an endpoint URL to use in the SnapLogic Accounts.

You can also use the Cloud Formation template to assist in the setup.

Important: Any fees associated with setting up VPC endpoint and AWS NLB (Network Load Balancer), along with ensuing throughput costs, are the customer's responsibility.

Features

  • The ability to create an AWS PrivateLink connection from your Cloudplexes to your endpoints
  • The capability to add a private link for your Snowflake endpoints
  • A connection wizard that offers an easy workflow for Admins to configure and manage connections
  • A dedicated page to manage connections and their statuses

Support and limitations

  • This feature is only available in Admin Manager.
  • Supported Applications:
    • AWS PrivateLink
    • AWS Private Link with Snowflake
  • Both the Global and EMEA control planes support this feature.
  • Cloudplexes only support three connections currently. Contact your CSM if more connections are required.
  • The following Cloudplex regions are supported:
    • U.S. (us-west-2)
    • Ireland (eu-west-1)
    • London (eu-west-2)
    • Canada (ca-central-1)
  • The VPC endpoint that you create must be in the same global region as your Cloudplexes.
  • Ten ports, from 9070-9080, are supported to connect to AWS PrivateLink. You can use your AWS load balancer to redirect these ports. Contact your CSM for changing port assignments.
  • Make sure you supply the service name of your VPC endpoint - not the DNS name.

Prerequisites

  • Cloudplexes in your Environment.
  • Familiarity with AWS PrivateLink.
  • Your Cloudplex and service URL for your AWS PrivateLink must be in the same AWS region.

Architecture

The following diagram shows the architecture for Cloudplex secured connections.


This diagram shows the client contacting the Control plane, communicating with the Cloudplex, which communicates with an endpoint over a private link.

Workflow

Configure a Cloudplex for Secure Connectivity.

  1. Set up your AWS VPC
    1. Configure an AWS NLB for your data source for each target subnet (availability zone).
    2. Create a VPC endpoint service configuration and specify the NLB.
  2. Select Cloudplex and configure the connection to the AWS VPC endpoint service.
  3. Check the status in the Cloudplex secure connectivity page.
  4. Run pipelines on your Cloudplexes over the AWS PrivateLink.

AWS PrivateLink setup requirements

You can configure your AWS PrivateLink in the Amazon VPC console. Consider the following:

  • Use the network load balancers.
  • For the VPC endpoint, you should associate a private DNS name that service consumers can use to access your service. Do not use the DNS name when configuring the secure connection in the wizard.
  • Because the SnapLogic platform is the consumer, review AWS guidelines when making the endpoint service available to the Cloudplex Secure Connectivity feature.
  • Add the appropriate ARN to your Allow principles whitelist for SnapLogic to establish the PrivateLink connection.
    • Global Control Plane users - arn:aws:iam::868327748124:root
    • EMEA Control Plane users - arn:aws:iam::706565328972:root

Private DNS usage guidelines

  • You can leave the optional Snowflake input fields empty when enabling private DNS for a secure connection. If a private DNS entry is available for the endpoint for which the secure connection is created, SnapLogic will surface the value under the private DNS name header in the UI.
  • If you plan to enable private DNS for Snowflake, refer to Add a Private Link with Snowflake.

CloudFormation template

Note: The following template is an example. It assumes you have a load balancer set up in your AWS infrastructure. We recommend that you use the following values except where customization is required. Consult your CSM for additional details. 
    AWSTemplateFormatVersion: '2010-09-09'
   Description: Privatelink Endpoint services creation to communicate with Snaplogic
   Parameters:
     LoadBalancer:
     Type: String
     Description: Network LoadBalancer Arns. Loadbalancer should be configured to listen on ports between 9070-9080
     AcceptanceRequired:
     Default: "true"
     AllowedValues:
      -true
      -false
     Type: String
     Description: Is Acceptance Required for initiating the connection?

  Resources:
    EndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties:
      NetworkLoadBalancerArns:
      -Ref: LoadBalancer
    AcceptanceRequired:
      -Ref: AcceptanceRequired

 EndpointServicePermissions:
   Type: AWS::EC2::VPCEndpointServicePermissions
   Properties:
     AllowedPrincipals:
      -'arn:aws:iam::868327748124:root'
   ServiceId: !GetAtt EndpointService.ServiceId

 Outputs:
   ServiceUrl:
   Value: !Join ['.', ["com.amazonaws.vpce", !Ref AWS::Region, !GetAtt EndpointService.ServiceId]]