Set up a Private Link

Zilliz Cloud offers private access to your databases through private links, so that your database traffic does not have to traverse the Internet.

Private link principle

To let your application clients access the database instances on Zilliz Cloud privately, you create an endpoint in each subnet of your application VPC and register the VPC, subnets, and endpoints with Zilliz Cloud. Zilliz Cloud then allocates a private link, and you set up a DNS record that maps the private link to the endpoints.

Restrictions

This feature applies to the databases deployed in applicable AWS regions.

Zilliz Cloud offers an intuitive wizard for creating private links. Open the Private Link tab of one of your databases, or the Private Link tab on the Access and Security page of one of your projects, and click Create Private Link to create one in the dialog box that appears.

Enter VPC ID and subnet IDs

Select region

Currently, a private link applies to databases deployed in AWS US-West-2 and AWS US-East-2. Once you create a private link in a project, it applies to all member databases deployed in the specified region. For a database that is undergoing maintenance, such as scaling or patching, at that time, the private link applies after the maintenance completes.

In Region, select the region that accommodates the database you want to access privately.

Obtain VPC ID

Before creating a VPC endpoint, you need to have a VPC on your Amazon console. To view your VPCs, do as follows:

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose VPCs.
  3. Find the VPC you want to use and copy its ID.
  4. Enter this ID in VPC ID on Zilliz Cloud.

To create a VPC, refer to Create a VPC.

Obtain subnet ID

Subnets are sub-divisions of your VPC. You need to have a subnet that resides in the same region as the private link to be created. To view your subnets, do as follows:

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. Change the current region to the one specified for creating the private link.
  3. In the navigation pane, choose Subnets.
  4. Find the subnet you want to use and copy its ID.
  5. Enter this ID in Subnet IDs on Zilliz Cloud.

To create a subnet, refer to Create a Subnet in Your VPC.

Obtain VPC endpoint ID

Copy the command generated at the bottom of the Create Private Link dialog box on Zilliz Cloud, and run it in your AWS CloudShell to create a VPC endpoint.

In the returned message, copy the ID and DNS name of the created VPC endpoint.

Then, enter the VPC endpoint ID in Your VPC Private Link ID and click Create.

Enter VPC endpoint ID

After verifying and accepting the VPC endpoint you have submitted, Zilliz Cloud allocates a private link for this endpoint. You can see it in the Database details tab of your database.

Set up DNS records

Before you can access your database via the private link allocated by Zilliz Cloud, it is necessary to create a CNAME record in your DNS zone to resolve the private link to the DNS name of your VPC endpoint.

Create a hosted zone using Amazon Route 53

Amazon Route 53 is a web-based DNS service. Create a hosted DNS zone so that you can add DNS records to it.

Run the following script in your AWS CloudShell to create a hosted DNS zone. Note that you need to set VPC_ID to the ID of your VPC and REGION_ID to the region you selected for the private link.

# Variable for VPC ID
VPC_ID='vpc-xxxxxxxxxxxx'

# Parent domain of the private link. Because the zone is private and associated
# with the VPC, it takes precedence over public DNS for this name inside that VPC.
ROOT_DNS='vectordb.zillizcloud.com'

# Variable for AWS Region (the region selected for the private link)
REGION_ID='us-west-2'

# Create a private Route 53 hosted zone associated with the VPC.
# The output contains the hosted zone ID (HostedZone.Id), which the next step needs.
aws route53 create-hosted-zone \
  --name "${ROOT_DNS}" \
  --vpc "VPCRegion=${REGION_ID},VPCId=${VPC_ID}" \
  --caller-reference "$(date +%s)"

Create a CNAME record in the hosted zone

A CNAME record is a type of DNS record that maps an alias name to a true or canonical domain name. Create a CNAME record to map the private link allocated by Zilliz Cloud to the DNS name of your VPC endpoint. Then you can use the private link to access your database privately.

Run the following script in your AWS CloudShell to create a CNAME record in the hosted DNS zone. Note that you need to set ZONE_ID to the ID of the hosted DNS zone created in the previous step and SFC_PL_Data_DNS to the private link listed on the Database Details tab of your database instance.

# Variable for AWS Region (must match the region used in the previous step)
REGION_ID='us-west-2'

# Variable for the DNS address returned in the output for the VPC endpoint
VPCE_DNS='xxxxxxxx.vpce.amazonaws.com'

# Variable for the hosted zone ID returned in the output for the Route 53 zone
ZONE_ID='/hostedzone/xxxxxx'

# Variable for the PrivateLink DNS hostname (a bare hostname, without scheme or path).
# Such as in01-c057c4623dd1203-privatelink.ap-southeast-1.vectordb.zillizcloud.com
# Double quotes are required here so that ${REGION_ID} is expanded.
SFC_PL_Data_DNS="in01-xxxx-privatelink.${REGION_ID}.vectordb.zillizcloud.com"

# Create a CNAME record for the PrivateLink DNS name in the Route 53 zone.
dns_record='{
  "Comment": "Create CNAME records for PrivateLink",
  "Changes": [
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "'${SFC_PL_Data_DNS}'",
        "Type": "CNAME",
        "TTL": 300,
        "ResourceRecords": [
          {
            "Value": "'${VPCE_DNS}'"
          }
        ]
      }
    }
  ]
}'

aws route53 change-resource-record-sets \
  --hosted-zone-id "${ZONE_ID}" \
  --change-batch "${dns_record}"

Verify the connection

Once you complete the preceding steps, you can verify the connection as follows:

Verify the connection

  1. On the Database Details tab of the database in question, click Private Link in the Cloud Endpoint area.
  2. Copy the private link, then click View the guides to connect to your database via the endpoint.
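To confirm that clients in the VPC really reach the database over the private link rather than the public Internet, the following added shell helper (not part of the Zilliz Cloud documentation) checks that the private link hostname resolves through your CNAME to the VPC endpoint name and only to RFC 1918 addresses. It assumes dig is installed and that it runs from a host inside the VPC; PRIVATE_LINK_HOST and EXPECTED_VPCE_DNS are variable names chosen here.

```shell
# Return 0 when an IPv4 address falls inside an RFC 1918 private range.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Strip the trailing dot that dig appends to fully qualified names.
strip_dot() {
  printf '%s\n' "$1" | sed 's/\.$//'
}

# Return 0 when the space-separated list is non-empty and every address is private.
all_private() {
  [ -n "$1" ] || return 1
  for ip in $1; do
    is_rfc1918 "$ip" || return 1
  done
  return 0
}

# End-to-end check: the CNAME target must equal the VPC endpoint name, and the
# resulting A records must all be private (a public address means the public
# Zilliz endpoint is being resolved instead of the VPC endpoint).
verify_private_link() {
  host="$1"; expected="$2"
  target="$(strip_dot "$(dig +short CNAME "$host")")"
  if [ "$target" != "$expected" ]; then
    echo "FAIL: $host CNAME -> '$target', expected '$expected'" >&2
    return 1
  fi
  # dig +short A also prints the CNAME target line; keep only IPv4 addresses.
  addrs="$(dig +short A "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$' | tr '\n' ' ' || true)"
  if ! all_private "$addrs"; then
    echo "FAIL: $host resolved to a non-private address: $addrs" >&2
    return 1
  fi
  echo "OK: $host -> $target -> $addrs(private link in use)"
}

# Run the check only when the hostnames are supplied via environment variables
# (assumed names), e.g. PRIVATE_LINK_HOST=... EXPECTED_VPCE_DNS=... sh verify.sh
if [ -n "${PRIVATE_LINK_HOST:-}" ] && [ -n "${EXPECTED_VPCE_DNS:-}" ]; then
  verify_private_link "$PRIVATE_LINK_HOST" "$EXPECTED_VPCE_DNS"
fi
```

Set PRIVATE_LINK_HOST to the private link shown on the Database Details tab and EXPECTED_VPCE_DNS to the DNS name of the VPC endpoint you created; a FAIL on the address check usually means the private hosted zone is not associated with the VPC the client runs in.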

Next steps