Using Aerospike Cloud with AWS PrivateLink

AWS PrivateLink provides a secure, private connection between virtual private clouds (VPCs), supported AWS services, and Aerospike Cloud. AWS PrivateLink shields your traffic from the public internet. Interface VPC endpoints, which are also powered by PrivateLink, securely connect your client applications with Aerospike Cloud.

Prerequisites

  • A running Aerospike Cloud instance.
  • A client application running on AWS with an associated VPC and subnet.

Procedure

  1. In the Aerospike Cloud console, navigate to the Configurations tab in your desired database.

    Confirm that there is a Service Name listed in the PrivateLink section of the page. This is an AWS VPC endpoint service that your database can use for PrivateLink connections.

  2. Create a connection from your client application to your Cloud database.

    In the AWS console, create a security group in the application VPC to allow traffic from the application server to your VPC endpoint service.

  3. Create a VPC endpoint in your application's VPC to connect to the Aerospike Cloud PrivateLink endpoint service.

    After you create the VPC endpoint, it is in a Pending acceptance state.

    Copy the VPC endpoint ID for use in the next step.

  4. In the Aerospike Cloud console, click Create Consumer to create a PrivateLink Consumer with the VPC endpoint ID.

    After you click Create Consumer, it takes a few seconds for the connection to be accepted. When it's ready, a new entry appears in the Consumers section of the Configurations page.

    In the AWS console, the VPC endpoint status updates from Pending to Available.

  5. Once the status shows Available, your client application can connect to your Cloud database through PrivateLink. In your application's connection code, you can specify any of the following as seed hostnames:

    • VPC endpoint DNS names.
    • VPC endpoint IP address.
    • DNS names created in either private or public hosted zones that resolve to either a VPC endpoint DNS name or its IP address.

Note: HTTPS is enforced over the PrivateLink connections to the database. You must also set the ServerName property in your client TLS configuration to the original database host name. This is required for host name verification. Your database host name is of the form <DATABASE_ID>.asdb.io. You can find your <DATABASE_ID> in the top panel of the Cloud console.

Code examples

Replace all placeholder and example values with the correct values for your application configuration.

package main

import (
	"crypto/tls"
	"log"

	// Assumption: use the module major version your project pins.
	aerospike "github.com/aerospike/aerospike-client-go/v7"
)

func main() {
	clientPolicy := aerospike.NewClientPolicy()
	clientPolicy.User = "<API_KEY_ID>"
	clientPolicy.Password = "<API_KEY_SECRET>"

	clientPolicy.TlsConfig = &tls.Config{
		// Specify your original database host name. This is required for host name verification.
		ServerName: "6b45cfdc-7dec-44de-853c-9baed45a02a6.asdb.io",
	}

	host := aerospike.NewHost("vpce-08e88a193c1d9b153-pjsjqv0h.vpce-svc-0048aba1429554bd8.us-east-1.vpce.amazonaws.com", 4000)

	client, err := aerospike.NewProxyClientWithPolicyAndHost(clientPolicy, host)
	if err != nil {
		log.Fatalf("connect to Aerospike Cloud: %v", err)
	}
	defer client.Close()
}
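
The host name check that the note describes can be reproduced locally. The following Go program is an added example, not Aerospike's code: a local TLS listener stands in for the VPC endpoint, `dbHost` is a constructed placeholder, and it assumes the served certificate names only the database host name. Dialing the seed address without ServerName fails verification, while setting ServerName to the database host name succeeds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http/httptest"
	"time"
)

const dbHost = "00000000-0000-0000-0000-000000000000.asdb.io" // constructed placeholder ID

// mustStartEndpoint serves TLS locally with a certificate that names only dbHost (assumption).
func mustStartEndpoint() (string, *x509.CertPool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dbHost},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	srv := httptest.NewUnstartedServer(nil)
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}}
	srv.StartTLS() // keeps running until the process exits
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only the demo certificate
	return srv.Listener.Addr().String(), roots
}

// handshake dials the seed address; an empty serverName makes Go verify the dialed host instead.
func handshake(addr, serverName string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: serverName})
	if err != nil {
		return fmt.Errorf("ServerName %q: %w", serverName, err)
	}
	return conn.Close()
}

func main() {
	addr, roots := mustStartEndpoint()
	fmt.Println("seed address only:", handshake(addr, "", roots)) // rejected: name mismatch
	fmt.Println("ServerName set:   ", handshake(addr, dbHost, roots))
}
```

A mismatch surfaces as an `x509.HostnameError` from the handshake, which is the error to look for when a PrivateLink connection fails with ServerName unset or mistyped.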