How to: Set up AWS PrivateLink

Overview

As sensitive data travels from AWS (Amazon Web Services) to Unqork, it’s important to keep that data secure. Using AWS PrivateLink ensures your traffic is not exposed publicly. AWS PrivateLink connects two virtual private clouds (VPCs) in different AWS accounts: the first is a VPC in your AWS account, and the second is the dedicated VPC where your Unqork environment exists.

Think of AWS PrivateLink as a secure tunnel, keeping your traffic safe without traversing the public internet. Typically, services communicate from one endpoint to another. With AWS PrivateLink, communication travels from your endpoint service to a VPC endpoint in your hosted Unqork environment. The endpoint service using PrivateLink works with a network load balancer (NLB), acting as an entry point to your infrastructure. Because you create the VPC endpoint in AWS, you don’t need any other hardware or software.

If your AWS resources are connected to on-premises networks, the Unqork services can also interact with services in your data center. Similarly, Unqork services can interact with services in your other VPCs if they are peered.

What You'll Learn

In this how-to guide, you’ll learn about AWS PrivateLink and how to set it up and connect it to Unqork.

How AWS PrivateLink Works in Unqork

Unqork acts as the service consumer, and your endpoint service acts as the service owner. Unqork initiates the connection to a resource in your cloud account. After the connection is initiated, the service provider can respond to requests from Unqork. You'll need to generate the private domain using Unqork and set up an external service integration. In your VPC (the same region as your Unqork environment), you’ll set up the endpoint service. That endpoint service is then configured in a Plug-In component to forward traffic to the NLB.

How to Set Up AWS PrivateLink

To set up AWS PrivateLink, you'll first configure settings in Unqork and AWS. Then, you’ll set up a Plug-In component in Unqork and connect to the service.

What You Need

In your AWS account, you need:

  • Identity and access management (IAM) role privileges to create and manage VPCs, endpoints, and endpoint services.

  • A VPC in the same region as your Unqork environment.

  • VPC subnets where the target resources reside.

  • NLB configured for each subnet, with cross-zone load balancing enabled.

  • An endpoint service, or the PrivateLink.

  • The endpoint service name from AWS.

In Unqork, you need:

  • 1 Initializer component.

  • 1 Plug-In component.

  • The Amazon Resource Name (ARN) from your Unqork Environment.

Copy the Unqork ARN (In Unqork)

Before you start, copy the ARN from your Unqork environment. You'll need the ARN later to configure your NLB.

1. Open your Unqork environment.
2. At the top right of the Unqork Designer Platform, click Settings ▾.
3. Click Administration.
4. Under Integration, select PrivateLink Administration.
5. Copy the ARN of your environment.

You'll allow traffic to originate from this ARN in the Create the Endpoint Service section of this article.

Create an Endpoint Service for Your AWS PrivateLink (In AWS)

Next, you'll set up your endpoint service and NLB in AWS.

Configure the VPC Endpoint Service and NLB

First, set up your VPC endpoint service and NLB.

The resource doesn’t need to be in the same region. If there are multiple resources in different regions, you’ll set up VPC Peering to the VPC in the same region as Unqork.

1. In AWS, select or create a VPC.
2. Configure the VPC to include subnets in each availability zone (AZ).
3. On the AWS Console's EC2 page, select or create a load balancer.
4. Configure the NLB with the following settings:

  • Load Balancer Name: Enter a name for the load balancer. The name must be unique. Once created, you cannot edit the name.

  • Scheme: Select Internal.

  • VPC: From the drop-down, select the VPC you want to use.

  • Listeners and Routing: Forward to: select or create a target group.

Your internal load balancer must have a private subnet.

5. After you create your NLB, configure it with the following settings:

  • Cross-Zone Load Balancing: Select Enabled. This setting is necessary so Unqork's network interfaces connect with your resources. Enable this setting even if your subnets do not share AZs with Unqork.

  • Require Acceptance for Endpoint: Select Acceptance Required. We recommend this setting for production use.

For more information on NLBs, view the AWS documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html.

Create the Endpoint Service

Now, create the endpoint service in AWS.

1. Under the AWS Console's Virtual Private Cloud (VPC) page, go to Endpoint Services.
2. Select the Allow Principals tab.
3. Click Allow Principals.
4. Paste the ARN you copied in the Copy the Unqork ARN section of this article.
5. Click Add Principal.
6. Click Allow Principals.

If you skip the Allow Principals step, Unqork displays a Service name does not exist error.

To learn more about AWS PrivateLink endpoint service configuration, view the AWS documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-services-overview.html.
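As an added check (example code written for this article, not Unqork's or AWS's own), the function below compares an endpoint-service configuration against what the Configure the VPC Endpoint Service and NLB and Create the Endpoint Service steps require: same region as Unqork, Acceptance Required, only the Unqork ARN as an allowed principal, and an internal NLB with cross-zone load balancing enabled. The sample records are constructed to match the JSON shape of the AWS CLI commands named in the comments, with placeholder ARNs and IDs; in practice you would pass the real output of those commands.

```python
from typing import Dict, List

# Constructed sample data shaped like the AWS CLI JSON from
# `aws ec2 describe-vpc-endpoint-service-configurations` / `describe-vpc-endpoint-service-permissions`
# and `aws elbv2 describe-load-balancers` / `describe-load-balancer-attributes`.
# Every account ID, ARN and service ID here is a placeholder, not a real value.
UNQORK_ARN = "arn:aws:iam::111111111111:root"  # stands in for the ARN copied from PrivateLink Administration
NLB_ARN = "arn:aws:elasticloadbalancing:us-east-2:222222222222:loadbalancer/net/unqork-nlb/0123456789abcdef"
SERVICE = {
    "ServiceName": "com.amazonaws.vpce.us-east-2.vpce-svc-0123456789abcdef0",
    "AcceptanceRequired": True,
    "NetworkLoadBalancerArns": [NLB_ARN],
}
PERMISSIONS = {"AllowedPrincipals": [{"PrincipalType": "Account", "Principal": UNQORK_ARN}]}
NLBS = {NLB_ARN: {"LoadBalancer": {"Type": "network", "Scheme": "internal"},
                  "Attributes": [{"Key": "load_balancing.cross_zone.enabled", "Value": "true"}]}}


def check_endpoint_service(service: Dict, permissions: Dict, nlbs: Dict,
                           unqork_arn: str, region: str) -> List[str]:
    """Return findings where the configuration departs from this guide; empty means it matches."""
    findings = []
    # Service names look like com.amazonaws.vpce.<region>.vpce-svc-<id>; the VPC must be
    # in the same region as the Unqork environment.
    if service["ServiceName"].split(".")[3] != region:
        findings.append(f"endpoint service is not in region {region}")
    # Acceptance Required: each connection request from Unqork must be approved by you.
    if not service.get("AcceptanceRequired"):
        findings.append("AcceptanceRequired is disabled; enable it for production")
    # Allowed principals should be exactly the Unqork ARN. A wildcard or an extra account
    # would let other AWS principals request a connection to the NLB.
    principals = {p["Principal"] for p in permissions.get("AllowedPrincipals", [])}
    if unqork_arn not in principals:
        findings.append("Unqork ARN is not an allowed principal (causes 'Service name does not exist')")
    for extra in sorted(principals - {unqork_arn}):
        findings.append(f"unexpected allowed principal: {extra}")
    # Every NLB behind the service must be internal, with cross-zone load balancing enabled.
    for arn in service.get("NetworkLoadBalancerArns", []):
        nlb = nlbs.get(arn)
        if nlb is None:
            findings.append(f"load balancer not found: {arn}")
            continue
        lb = nlb["LoadBalancer"]
        if lb.get("Type") != "network" or lb.get("Scheme") != "internal":
            findings.append(f"{arn} is not an internal network load balancer")
        attrs = {a["Key"]: a["Value"] for a in nlb["Attributes"]}
        if attrs.get("load_balancing.cross_zone.enabled") != "true":
            findings.append(f"{arn} does not have cross-zone load balancing enabled")
    return findings
```

Run it after the Allow Principals step and again whenever the NLB or its permissions change; any non-empty result points at the setting to revisit before Unqork attempts its connection.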

Copy the AWS Endpoint Service Name (In AWS)

Next, copy the AWS endpoint service name that you created to set up the AWS PrivateLink connection.

The endpoint service configuration makes the PrivateLink in AWS.

1. In AWS, go to Endpoint Services.
2. Select the endpoint service that you created in the Configure the VPC Endpoint Service and NLB section of this article.
3. Under Details, copy the Service Name. This endpoint service acts as the AWS PrivateLink in your Unqork environment. You'll enter this service name in Unqork's PrivateLink Administration.

Connecting to AWS PrivateLink in Unqork

Now you’re ready to start connecting Unqork to AWS PrivateLink. Here's a summary of the four steps you'll complete:

1. Add your AWS PrivateLink Service in PrivateLink Administration.
2. Finalize the PrivateLink Connection in AWS.
3. Create an AWS PrivateLink service in Services Administration.
4. Configure a Plug-In component to call your AWS PrivateLink service.

Adding an AWS PrivateLink Service in PrivateLink Administration (In Unqork)

First, you'll create the AWS PrivateLink service in Unqork. Your Unqork application connects to your AWS resource with AWS PrivateLink.

1. At the top right of the Unqork Designer Platform, click Settings.
2. Select Administration.
3. Under Integration, click PrivateLink Administration.
4. Click Add PrivateLink.
5. In the PrivateLink Service Name field, enter the service name you copied in the Copy the AWS Endpoint Service Name section of this article. The entire service name is required.
6. Click Add PrivateLink.
7. Reload the PrivateLink Administration page to confirm it added successfully.

Accept the Endpoint Connection From Unqork (In AWS)

You've set up the AWS PrivateLink Connection in AWS and Unqork. Next, you’ll set up the connection to transfer traffic.

1. In AWS, go to Endpoint Services.
2. Select the endpoint you created in the Configure the VPC Endpoint Service and NLB section of this article.
3. In Endpoint Connections, confirm the connection's state. If Pending, select Accept Endpoint Connection Request from the Actions drop-down.

Creating a Service Using AWS PrivateLink in Services Administration (In Unqork)

With the connection set, you must create a new integration in Services Administration to reach the target resource or service.

1. At the top right of the Unqork Designer Platform, click Settings ▾.
2. Click Administration.
3. Under Integration, select Services Administration.
4. Click + Add a Service. The Create New Service modal displays.
5. In the Service Title* field, enter a title for your service. For example, myprivateapi.
6. In the Service Name* field, enter a name for your service. For example, my-private-api.
7. Click Next.
8. Under Share to, select Environment.
9. Click Create.
10. Back on the Services Administration page, locate your new service and click Manage ▾.
11. Select Open.
12. At the top right, click Edit.
13. In the Service Protocol + Host* field, enter the DNS name. If the target resource uses HTTP, use the URL under PrivateLink DNS Name in PrivateLink Administration. For example, http://vpce-000ca-000m.vpce-svc-000e2.us-east-2.vpce.amazonaws.com.

If the target resource uses HTTPS, see the Enabling Private DNS in AWS section of this article and use the URL configured in your VPC Endpoint Service.

14. Click Save Changes.
15. Back on the Services Administration page, locate your new service and click Manage ▾.
16. Select Check Status to confirm the service is reachable by the AWS PrivateLink connection.
17. After confirming the connection works, click Okay to close the modal.

Enabling Private DNS in AWS

To use HTTPS to communicate with an AWS target resource, you must enable Private DNS on your AWS PrivateLink.

1. You must associate a Private DNS Name with your VPC Endpoint Service using the following documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#associate-private-dns-name.
2. Navigate to Unqork's PrivateLink Administration.
3. Next to the relevant PrivateLink, click Enable Private DNS.

Configuring a Plug-In Component to Call the AWS PrivateLink Service

Next, you'll configure a Plug-In component to call your AWS PrivateLink service. You’ll also set up an Initializer component to trigger the Plug-In component.

How you execute the Plug-In component depends on your use case’s needs. Common approaches include:

What You Need

For this configuration, you need:

Configure the Plug-In Component

This Plug-In component will make an external API call to run your AWS PrivateLink service.

1. In the Module Builder, drag and drop a Plug-In component onto the canvas.
2. In the Property ID and Canvas Label Text fields, enter values of your choosing.
3. Set the Service Type as External.
4. From the External Services drop-down, select your AWS PrivateLink service.
5. Complete the Data Source URL value based on the AWS resource.
6. Select the Request Type that meets your use case needs.

The Request Type is dependent on the action you want to perform.

7. In the Inputs table, enter values that meet your use case needs.

Your Inputs table values are based on your AWS resource.

8. Click Save.

To learn more about configuring an external API call, view our External APIs article.

Configure the Initializer Component

This Initializer component will trigger your Plug-In component.

1. Drag and drop an Initializer component onto your canvas, placing it above your Plug-In component.
2. In the Property ID and Canvas Label Text fields, enter values of your choosing.
3. Select a Trigger Type.

The appropriate Trigger Type varies based on your use case needs. To trigger the Initializer on page-load, select New Submission or Edit Submission. New Submission triggers on page-load when no submission is present. Edit Submission triggers on page-load when a submission is present.

4. In the Outputs table, enter the following:

  • Property ID: {your Plug-In component's Property ID}

  • Type: trigger

  • Value: GO

5. Click Save & Close.
6. Save your module.

You successfully created an AWS PrivateLink connection between Unqork and your AWS resource.