How to: Set up AWS PrivateLink

Estimated Reading Time:  9 minutes

Overview

As sensitive data travels between AWS and Unqork, it's important to keep that data secure. AWS PrivateLink ensures your traffic isn't exposed to the public internet. It connects two virtual private clouds (VPCs) in different AWS accounts: a VPC in your AWS account, and the dedicated VPC where your Unqork environment lives.

You can think of AWS PrivateLink as a private tunnel. Traffic stays on the AWS network and never traverses the public internet. Typically, services communicate over the internet from one public endpoint to another. With AWS PrivateLink, communication travels from a VPC endpoint in your hosted Unqork environment to the endpoint service in your VPC. The endpoint service is backed by a network load balancer (NLB), and together they act as Unqork's entry point to your infrastructure. You don't need any special hardware or software to make this happen: the endpoint service is an AWS resource you create in your account, and Unqork creates the matching VPC endpoint on its side.

If your AWS resources are connected to on-premises networks, the Unqork services can also reach services in your data center through the NLB. Similarly, Unqork services can reach services in your other VPCs if those VPCs are peered with the VPC that hosts the NLB.

What You'll Learn

In this how-to guide, you'll learn what AWS PrivateLink is, and how to set it up and connect it to Unqork.

How AWS PrivateLink Works with Unqork

Unqork acts as the "service consumer," and your endpoint service acts as the "service provider." Unqork initiates the connection to the endpoint service in your AWS account. Once you accept that connection, your service can respond to requests from Unqork. On the Unqork side, you'll register the endpoint service name to generate a private DNS name, create an external service integration that uses it, and then call it from a Plug-In as with any other external API. In AWS, in a VPC in the same region as your Unqork environment, you'll create an NLB in front of your target resources and an endpoint service backed by that NLB.

How to Set Up AWS PrivateLink

To set up AWS PrivateLink, you'll first configure settings in Unqork and AWS. Then, you’ll set up a Plug-In component in Unqork and connect to the service.

What You Need

In your AWS account, you need:

  • Identity and access management (IAM) permissions to create and manage VPCs, NLBs, and endpoint services, including allowing principals and accepting endpoint connections

  • A VPC in the same region as the Unqork environment

  • VPC subnets where the target resources reside

  • NLB configured for each subnet with cross-zone load balancing enabled

  • An endpoint service (the "PrivateLink")

  • The endpoint service name from AWS

In Unqork, you need:

  • 1 Initializer component

  • 1 Plug-In component

  • The Amazon Resource Name (ARN) from the Unqork Environment

Copy the Unqork ARN (In Unqork)

Before you start, copy the ARN from the Unqork environment. You'll need the ARN later to allow Unqork as a principal on your endpoint service.

1. Open your Unqork environment.
2. In the top-right of the Unqork Designer Platform, click the Settings drop-down.
3. Click Administration.
4. Under Integration, select PrivateLink Administration.
5. Copy the entire ARN. This is the ARN of the Unqork Environment. In the Create the Endpoint Service section, you'll allow connection requests from this ARN.

Create an Endpoint Service for Your AWS PrivateLink (In AWS)

Next, set everything up on the AWS side.

Configure the VPC Endpoint Service and NLB

First, set up your VPC endpoint service and NLB.

NOTE  The target resource doesn't need to be in the same region as Unqork, but the VPC that hosts the NLB and endpoint service does. If your resources live in VPCs in other regions, set up VPC Peering between those VPCs and the VPC in the same region as Unqork.

1. In AWS, select or create a VPC.
2. Configure the VPC to include subnets in each availability zone (AZ).
3. In the EC2 page of the AWS Console, select or create a Network Load Balancer.
4. Configure the NLB with the following settings:

  • Load balancer name: Enter a name for the load balancer.

    NOTE  The name must be unique in your AWS account. You can't edit the name in the future.

  • Scheme: Select Internal.

  • VPC: Select the VPC you want to use from the drop-down.

  • Listeners and routing: Under Forward to, select or create a target group.

    NOTE  Your internal load balancer must have a private subnet.

5. After you create your NLB, edit its attributes and set Cross-zone load balancing to Enabled.

NOTE  This setting is necessary so that Unqork's network interfaces can connect with your resources, even if your subnets don't share AZs with Unqork.

6. In the VPC page of the AWS Console, go to Endpoint services and create an endpoint service backed by the NLB you just created. Under Require acceptance for endpoint, select Acceptance required.

NOTE  Unqork recommends the Acceptance required setting for production use. With it, Unqork's connection request stays pending until you accept it in the Accept the Endpoint Connection From Unqork section, so no connection can carry traffic without your approval.

TIP  For more information on NLBs, see https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html.

Create the Endpoint Service

Now, allow the Unqork ARN as a principal on the endpoint service, so that Unqork's account is permitted to request a connection.

1. In the Virtual Private Cloud (VPC) page of the AWS Console, go to Endpoint services and select the endpoint service you created.
2. Select the Allow principals tab.
3. Click Allow principals.
4. Paste the ARN you copied in the Copy the Unqork ARN section.
5. Click the Add principal button.
6. Click the Allow principals button.

NOTE  If you skip the Allow principals step, Unqork receives a "Service name does not exist" error when you add the service name in PrivateLink Administration. Allow only the Unqork ARN; don't use the wildcard (*), which would let any AWS account request a connection to your service.

TIP  For more in-depth information on AWS PrivateLink endpoint service configuration, see https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-services-overview.html.
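The NLB and endpoint service steps above leave a few settings that are easy to get wrong and that decide who can reach your service: the scheme, cross-zone load balancing, acceptance, and the allowed-principals list. The following is an added example (not Unqork's or AWS's code) that audits those settings from the JSON the AWS CLI returns for the load balancer and endpoint service. The sample documents, ARNs, IDs and account numbers in it are constructed placeholders that match the shape of the real CLI output; the audit function itself works on the real output unchanged.

```python
"""Audit the provider-side PrivateLink setup for Unqork (added example;
not Unqork's or AWS's code). It checks the settings this guide asks for
against the JSON returned by these AWS CLI calls:

  aws elbv2 describe-load-balancers --load-balancer-arns <nlb-arn>
  aws elbv2 describe-load-balancer-attributes --load-balancer-arn <nlb-arn>
  aws ec2 describe-vpc-endpoint-service-configurations --service-ids <svc-id>
  aws ec2 describe-vpc-endpoint-service-permissions --service-id <svc-id>

The documents below are constructed to match the shape of that output.
The ARNs, IDs and account numbers are placeholders, not real values.
"""
import copy

# Placeholder for the ARN copied from PrivateLink Administration in Unqork.
UNQORK_ARN = "arn:aws:iam::111122223333:root"
NLB_ARN = ("arn:aws:elasticloadbalancing:us-east-2:444455556666:"
           "loadbalancer/net/unqork-nlb/0123456789abcdef")

# Constructed sample: what a correctly configured setup looks like.
SAMPLE = {
    "lb": {"LoadBalancers": [{
        "LoadBalancerArn": NLB_ARN, "Type": "network", "Scheme": "internal",
        "AvailabilityZones": [{"ZoneName": "us-east-2a"}, {"ZoneName": "us-east-2b"}],
    }]},
    "lb_attrs": {"Attributes": [
        {"Key": "load_balancing.cross_zone.enabled", "Value": "true"},
    ]},
    "svc": {"ServiceConfigurations": [{
        "ServiceId": "vpce-svc-0123456789abcdef0",
        "ServiceName": "com.amazonaws.vpce.us-east-2.vpce-svc-0123456789abcdef0",
        "AcceptanceRequired": True,
        "NetworkLoadBalancerArns": [NLB_ARN],
    }]},
    "perms": {"AllowedPrincipals": [
        {"PrincipalType": "Account", "Principal": UNQORK_ARN},
    ]},
}


def audit_privatelink(lb_desc, lb_attrs, svc_cfg, svc_perms, allowed_principal):
    """Return a list of findings; an empty list means the setup matches the guide."""
    findings = []
    lb = lb_desc["LoadBalancers"][0]
    if lb["Type"] != "network":
        findings.append("load balancer type is %s; PrivateLink needs a Network Load Balancer" % lb["Type"])
    if lb["Scheme"] != "internal":
        findings.append("NLB scheme is %s; it must be internal" % lb["Scheme"])
    if len(lb["AvailabilityZones"]) < 2:
        findings.append("NLB spans a single AZ; add a subnet in each AZ")

    attrs = {a["Key"]: a["Value"] for a in lb_attrs["Attributes"]}
    if attrs.get("load_balancing.cross_zone.enabled") != "true":
        findings.append("cross-zone load balancing is disabled")

    svc = svc_cfg["ServiceConfigurations"][0]
    if not svc["AcceptanceRequired"]:
        findings.append("endpoint service does not require acceptance")
    if lb["LoadBalancerArn"] not in svc["NetworkLoadBalancerArns"]:
        findings.append("endpoint service is not backed by this NLB")

    principals = {p["Principal"] for p in svc_perms["AllowedPrincipals"]}
    if allowed_principal not in principals:
        findings.append("Unqork ARN is not an allowed principal "
                        "(Unqork will see 'Service name does not exist')")
    extra = sorted(principals - {allowed_principal})
    if extra:
        # A '*' here would let any AWS account request a connection.
        findings.append("unexpected allowed principals: %s" % ", ".join(extra))
    return findings


def audit(sample, allowed_principal=UNQORK_ARN):
    """Run the audit over one bundle of the four CLI documents."""
    return audit_privatelink(sample["lb"], sample["lb_attrs"], sample["svc"],
                             sample["perms"], allowed_principal)


def weakened_sample():
    """The same setup with three common mistakes: cross-zone off, no acceptance, open to '*'."""
    bad = copy.deepcopy(SAMPLE)
    bad["lb_attrs"]["Attributes"][0]["Value"] = "false"
    bad["svc"]["ServiceConfigurations"][0]["AcceptanceRequired"] = False
    bad["perms"]["AllowedPrincipals"].append({"PrincipalType": "All", "Principal": "*"})
    return bad


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE), ("weakened", weakened_sample())):
        print(label + ":", audit(sample) or "OK")
```

To use it against a real account, save the four CLI outputs to files, load them with json.load, and pass them to audit_privatelink together with the ARN you copied from PrivateLink Administration. The "unexpected allowed principals" check is the one worth automating: a wildcard left in the allow list silently turns a private service into one any AWS account can request a connection to.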

Copy the AWS Endpoint Service Name (In AWS) 

Next, copy the name of the AWS endpoint service you created. Unqork uses this name to request the AWS PrivateLink connection.

NOTE  The endpoint service is the AWS side of the PrivateLink. Its service name has the form com.amazonaws.vpce.<region>.vpce-svc-<id>.

1. In AWS, go to Endpoint services.
2. Select the endpoint service that you created in the Configure the VPC Endpoint Service and NLB section.
3. Under Details, copy the Service name. You'll enter this service name in Unqork, in PrivateLink Administration.

Connecting to AWS PrivateLink from Unqork

Now you’re ready to start connecting Unqork to AWS PrivateLink. Here's a summary of the 4 steps you'll complete:

1. Add your AWS PrivateLink Service under PrivateLink Administration.
2. Finalize the PrivateLink Connection in AWS.
3. Create an AWS PrivateLink service in Services Administration.
4. Configure a Plug-In to call your AWS PrivateLink service.

Adding an AWS PrivateLink Service in PrivateLink Administration (In Unqork) 

Here you'll register your AWS endpoint service in Unqork. Adding it makes Unqork request a PrivateLink connection to that endpoint service, which your Unqork application then uses to reach your AWS resource.

1. In the top-right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Integration, select PrivateLink Administration.
4. Click Add PrivateLink.
5. In the PrivateLink Service Name field, enter the service name you copied in the Copy the AWS Endpoint Service Name section. The entire service name is required.
6. Click Add PrivateLink.

NOTE  A success or failure banner message displays.

Accept the Endpoint Connection From Unqork (In AWS)

You've configured the endpoint service in AWS and registered it in Unqork. Because you selected Acceptance required, Unqork's connection request stays pending until you accept it, and no traffic can flow before then.

1. In AWS, go to Endpoint services and select the endpoint service you created in the Configure the VPC Endpoint Service and NLB section.
2. On the Endpoint connections tab, check the state. If the state is Pending acceptance, confirm that the request's owner is the Unqork account you allowed, then in the Actions drop-down, select Accept endpoint connection request.
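Accepting a pending request is the one manual gate in this setup, so it is worth checking who sent it before clicking Accept. The following is an added example (not Unqork's or AWS's code) that triages the output of the describe-vpc-endpoint-connections CLI call: it accepts only requests whose owner is the account in the Unqork ARN you allowed, and holds anything else for review. That is defence in depth against an allowed-principals list that was widened by mistake. The service ID, ARN, endpoint IDs and account numbers below are constructed placeholders.

```python
"""Triage pending PrivateLink connection requests before accepting them
(added example; not Unqork's or AWS's code). With Acceptance required set,
every request sits in pendingAcceptance until you approve it. This takes
the JSON returned by

  aws ec2 describe-vpc-endpoint-connections \
      --filters Name=service-id,Values=<svc-id>

and accepts only requests whose owner is the account in the Unqork ARN you
allowed. The sample output, service ID and ARN are constructed placeholders.
"""

SERVICE_ID = "vpce-svc-0123456789abcdef0"          # placeholder service ID
UNQORK_ARN = "arn:aws:iam::111122223333:root"      # placeholder for the ARN from Unqork

# Constructed sample in the shape of describe-vpc-endpoint-connections output:
# one request from the allowed account, one from an unknown account, and one
# connection that was already accepted.
SAMPLE_CONNECTIONS = {"VpcEndpointConnections": [
    {"ServiceId": SERVICE_ID, "VpcEndpointId": "vpce-0a1b2c3d4e5f67890",
     "VpcEndpointOwner": "111122223333", "VpcEndpointState": "pendingAcceptance"},
    {"ServiceId": SERVICE_ID, "VpcEndpointId": "vpce-0123456789abcdef0",
     "VpcEndpointOwner": "777788889999", "VpcEndpointState": "pendingAcceptance"},
    {"ServiceId": SERVICE_ID, "VpcEndpointId": "vpce-0fedcba9876543210",
     "VpcEndpointOwner": "111122223333", "VpcEndpointState": "available"},
]}


def account_from_arn(arn):
    """Extract the 12-digit account ID from an IAM principal ARN."""
    # arn:partition:service:region:account-id:resource
    parts = arn.split(":")
    if len(parts) < 6 or not (len(parts[4]) == 12 and parts[4].isdigit()):
        raise ValueError("not an IAM principal ARN: %r" % arn)
    return parts[4]


def triage_connections(connections, service_id, allowed_arn):
    """Split pending requests into (accept_ids, held) by requester account.

    accept_ids are VPC endpoint IDs owned by the allowed account; held is a
    list of (endpoint_id, owner) for anything else, left for manual review.
    """
    owner = account_from_arn(allowed_arn)
    accept_ids, held = [], []
    for conn in connections["VpcEndpointConnections"]:
        if conn["ServiceId"] != service_id:
            continue
        if conn["VpcEndpointState"] != "pendingAcceptance":
            continue  # already accepted, rejected, or deleted
        if conn["VpcEndpointOwner"] == owner:
            accept_ids.append(conn["VpcEndpointId"])
        else:
            held.append((conn["VpcEndpointId"], conn["VpcEndpointOwner"]))
    return accept_ids, held


def accept_command(service_id, endpoint_ids):
    """Build the AWS CLI call that accepts the vetted requests (None if nothing to accept)."""
    if not endpoint_ids:
        return None
    return ("aws ec2 accept-vpc-endpoint-connections --service-id %s --vpc-endpoint-ids %s"
            % (service_id, " ".join(endpoint_ids)))


if __name__ == "__main__":
    accept_ids, held = triage_connections(SAMPLE_CONNECTIONS, SERVICE_ID, UNQORK_ARN)
    print("accept:", accept_command(SERVICE_ID, accept_ids))
    for endpoint_id, owner in held:
        print("hold for review: %s requested by account %s" % (endpoint_id, owner))
```

The script only prints the accept command rather than running it, so the decision to accept stays with a person; a request held for review from an account you don't recognise is a sign the allowed-principals list on the endpoint service needs checking.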

Creating a Service Using AWS PrivateLink in Services Administration (In Unqork)

The AWS PrivateLink configuration makes a connection. But, you still need to reach the target resource or service. To do this, create a new integration under Services Administration.

1. In the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Integration, select Services Administration.
4. In the Service Title field, enter a title for your service. For example, myprivateapi.
5. In the Service Name field, enter a name for your service. For example, my-private-api.
6. In the Service protocol + host field, enter the protocol and the DNS name shown under PrivateLink DNS Name in PrivateLink Administration. For example, https://vpce-000ca-000m.vpce-svc-000e2.us-east-2.vpce.amazonaws.com.

NOTE  Unqork reaches your service at this vpce DNS name. If the target behind the NLB serves HTTPS, its certificate must be valid for that name (or you must configure a private DNS name on the endpoint service). Otherwise a standard HTTPS client fails hostname verification even though the PrivateLink connection itself is up.
7. Click Add Service.
8. Click Check Status to confirm the service is reachable via the AWS PrivateLink connection.

Configuring a Plug-In to Call your AWS PrivateLink Service

Next, let’s look at how to use a Plug-In component to call your AWS PrivateLink Service. Here, you’ll have your Plug-In make an external API call. You’ll also set up an Initializer to trigger the Plug-In component.

How you choose to execute the Plug-In depends on your use case’s needs. Common approaches include:

  • Using a Button component to trigger the Plug-In on button-click.

  • Using an Initializer component to trigger the Plug-In on page-load. This is a common option when using a remote execute to trigger an API module.

What You Need

For this configuration, you need:

  • 1 Initializer component

  • 1 Plug-In component

Configure the Initializer Component

This Initializer component triggers the Plug-In component that you'll set up next.

1. Drag and drop an Initializer component onto your canvas.
2. Enter a Property ID and Canvas Label Text for your Initializer.
3. Select a Trigger Type.

TIP  The appropriate Trigger Type varies based on your use case needs. To trigger the Initializer on page-load, select New Submission or Edit Submission. New Submission triggers on page-load when no submission is present. Edit Submission triggers on page-load when a submission is present.

4. Complete the Outputs table as follows, using your Plug-In component's Property ID:

  • Property ID: {your Plug-In's Property ID}

  • Type: Trigger

  • Value: GO

5. Click Save.

Configure the Plug-In Component

Now, add a Plug-In component. This Plug-In makes the external API call that runs your AWS PrivateLink service.

1. Drag and drop a Plug-In component onto your canvas.
2. Enter a Property ID and Canvas Label Text for your Plug-In.
3. Leave the Trigger Type set to Manual.
4. Complete the Inputs table.

NOTE  Your Inputs table is based on your AWS resource.

TIP  To learn more about configuring a Plug-In component’s Inputs table, search Plug-In Component in our In-Product Help.

5. From the Service Type option, select External.
6. From the External Services drop-down, select your AWS PrivateLink service.
7. Select a Request Type.

NOTE  The Request Type is based on the action you're performing.

8. Complete the Data Source URL value based on the AWS resource.
9. Click Save.

TIP  To learn more about configuring an external API call, search External APIs in our In-Product Help.

Great! You successfully created an AWS PrivateLink connection between Unqork and your AWS resource.