github.com/treeverse/lakefs@v1.24.1-0.20240520134607-95648127bfb0/docs/howto/private-link.md

---
title: Private Link
description: Private Link enables lakeFS Cloud to interact with your infrastructure using private networking.
parent: How-To
redirect_from:
  - /cloud/private-link.html
---

# Private Link
{: .d-inline-block }
lakeFS Cloud
{: .label .label-green }

Private Link enables lakeFS Cloud to interact with your infrastructure using private networking.

{% include toc.html %}

## Supported Vendors

At the moment, we support Private Link with **AWS** and **Azure**. If you are looking for Private Link for GCP, please [contact us](mailto:support@treeverse.io).

<div class="tabs">
<ul>
<li><a href="#aws">AWS</a></li>
<li><a href="#azure">Azure</a></li>
</ul>
<div markdown="1" id="aws">
## Access Methods

There are two types of Private Link implementation:

* **Front-End Access** refers to API and UI access. Use this option if you'd like your lakeFS application to be exposed only to your infrastructure and not to the whole internet.

* **Back-End Access** refers to the network communication between the lakeFS clusters we host and your infrastructure. Use this option if you'd like lakeFS to communicate with your servers privately and not over the internet.

The two types of access are not mutually exclusive, nor are they dependent on each other.

## Setting up Private Link

### Front-End Access

Prerequisites:
* Administrator access to your AWS account
* In order for us to communicate with your account privately, we'll need to create a service endpoint on our end first.

Steps:
1. Log in to your AWS account
2. Go to the AWS VPC service
3. Filter the relevant VPC & navigate to **Endpoints**
4. Click **Create endpoint**
5. Fill in the following:
   * **Name**: lakefs-cloud
   * **Service category**: Other endpoint services
   * **Service name**: input from the Treeverse team (see prerequisites)
   * Click **Verify service**
   * Pick the VPC you'd like to expose this service to.
   * Click **Create endpoint**

Now you can access lakeFS privately from your infrastructure using the endpoint DNS name. If you would like to change the DNS name to a friendly one, please contact [support@treeverse.io](mailto:support@treeverse.io).

### Back-End Access

Prerequisites:
* Administrator access to your AWS account

Steps:
1. Log in to your AWS account
2. Go to the AWS VPC service
3. Filter the relevant VPC & navigate to **Endpoints**
4. Click **Endpoint services**
5. Fill in the following:
   * **Name**: lakefs-cloud
   * **Load Balancer Type**: Network
   * **Available load balancers**: pick the load balancer you'd like lakefs-cloud to send events to.
   * Click **Create**
6. Pick the newly created **Endpoint Service** from within the **Endpoint Services** page.
7. Navigate to the **Allow principals** tab.
8. Click **Allow principals**
9. Fill in the following ARN: `arn:aws:iam::924819537486:root`
10. Click **Allow principals**

That's it on your end! Now we'll need the **service name** of the endpoint service you've just created in order to associate it with our infrastructure. Once we do, back-end access will work privately.
</div>

<div markdown="1" id="azure">
[Azure Private Link](https://learn.microsoft.com/en-us/azure/private-link/private-link-overview) enables secure access to Azure services from a private endpoint within your virtual network.
By using Azure Private Link with lakeFS, you can securely access lakeFS services without exposing traffic to the public internet.
In this manual, we will guide you through the steps to enable Azure Private Link to your lakeFS instance.

## Register your Azure subscription

To automatically approve private endpoint connections to the lakeFS network, please provide us with your Azure subscription. If required, you can register multiple subscriptions.

## Create an Azure Private Link connection to lakeFS Cloud

Once your subscription is in our trusted subscriptions, navigate to the Azure portal and do the following steps:
1. Navigate to the **Private endpoints** page
2. Click **Create**
3. On the first step (Basics):
   - Select your subscription
   - Specify the desired resource group used to access lakeFS
   - Provide a name for your private endpoint instance
   - Specify the region of your lakeFS instance
4. On the second step (Resource):
   - In connection method, select `connect to an Azure resource by resource ID or alias`
   - Insert the alias provided by us into the Resource ID or alias field
   - No need to add a request message
5. Continue with the remaining steps and run **Review + Create**

## Create a DNS entry for your private endpoint

Update your DNS server to resolve your account URL (which will be provided by us) to the private endpoint's Private Link IP address.
You can add the DNS entry to your on-premises DNS server or to a private DNS zone on your VNet in order to access lakeFS services.
</div>
</div>
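The AWS front-end and back-end steps above, expressed as Terraform for the `aws` provider. This is an added example and not code from the lakeFS project; `var.vpc_id`, `var.vpc_cidr`, `var.subnet_ids`, `var.nlb_arn` and `var.lakefs_service_name` (the service name the Treeverse team sends you) are assumed inputs, and the security group is an assumption the console steps leave implicit.

```hcl
# Added example (not from the lakeFS docs). Assumed inputs: var.vpc_id,
# var.vpc_cidr, var.subnet_ids, var.nlb_arn, var.lakefs_service_name.

# Front-end: interface endpoint that reaches the lakeFS Cloud endpoint service.
# The security group is an assumption: the console wizard leaves it implicit,
# but only HTTPS from inside your VPC should be able to reach the endpoint ENIs.
resource "aws_security_group" "lakefs_endpoint" {
  name   = "lakefs-cloud-endpoint"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "lakefs_frontend" {
  vpc_id             = var.vpc_id
  vpc_endpoint_type  = "Interface"
  service_name       = var.lakefs_service_name # the "Service name" field in step 5
  subnet_ids         = var.subnet_ids
  security_group_ids = [aws_security_group.lakefs_endpoint.id]
  tags               = { Name = "lakefs-cloud" }
}

# The endpoint DNS name you use until Treeverse configures a friendly one.
output "lakefs_frontend_dns" {
  value = aws_vpc_endpoint.lakefs_frontend.dns_entry[0].dns_name
}

# Back-end: endpoint service in front of your NLB, exposed only to the
# lakeFS Cloud account from step 9. acceptance_required = false matches the
# console flow above, where no connection request is accepted by hand; the
# allowed_principals list is what keeps other AWS accounts from connecting.
resource "aws_vpc_endpoint_service" "lakefs_backend" {
  acceptance_required        = false
  network_load_balancer_arns = [var.nlb_arn]
  allowed_principals         = ["arn:aws:iam::924819537486:root"]
  tags                       = { Name = "lakefs-cloud" }
}

# Hand this service name to Treeverse so they can attach to the service.
output "lakefs_backend_service_name" {
  value = aws_vpc_endpoint_service.lakefs_backend.service_name
}
```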