Before you start
To configure an outbound AWS PrivateLink for CDF, you need:
- An active AWS PrivateLink subscription.
- A network administrator or infrastructure-as-code automation with permission to create AWS PrivateLink service resources.
Step 1: Set up the PrivateLink service and share the service name with Cognite
1. Create a PrivateLink service
Follow the AWS documentation to create a PrivateLink service.
2. Share the name with Cognite
Share the PrivateLink service name with Cognite.
If you use AWS IoT Core as your MQTT broker, you don’t need to set up a PrivateLink service, but share the AWS IoT Core iot:Data-ATS endpoint domain with Cognite. This will have the format <id>-ats.iot.<region>.amazonaws.com, or will be a custom domain that you have configured.

Step 2: Approve the VPC endpoint connection request
1. Receive the Cognite endpoint setup
Cognite sets up a VPC endpoint for the PrivateLink service, and provides you with the VPC Endpoint ID and the Private IP Address(es) of the VPC endpoint interfaces.
2. Verify the PrivateLink Service connection
In the AWS VPC Portal, use the VPC Endpoint ID to verify the incoming PrivateLink Service connection, and accept the connection request.
If you use AWS IoT Core as your MQTT broker, you will not need to accept a connection request. However, Cognite will still need to share VPC endpoint IP addresses to set up DNS in Step 3.
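
The verification in Step 2 can also be scripted. The following is an added example, not Cognite or AWS code: it reads the JSON printed by `aws ec2 describe-vpc-endpoint-connections` and plans to accept only the request whose VPC Endpoint ID matches the one Cognite provided, listing any other pending request for rejection. The function name `triage_requests`, the sample output and every ID in it are constructed for illustration.

```python
import json
import re

# Constructed sample of `aws ec2 describe-vpc-endpoint-connections` output.
# Every ID and account number below is a placeholder.
SAMPLE = json.loads("""
{"VpcEndpointConnections": [
  {"VpcEndpointId": "vpce-0123456789abcdef0", "VpcEndpointOwner": "111111111111",
   "VpcEndpointState": "pendingAcceptance"},
  {"VpcEndpointId": "vpce-0fedcba9876543210", "VpcEndpointOwner": "222222222222",
   "VpcEndpointState": "pendingAcceptance"},
  {"VpcEndpointId": "vpce-0000abcd", "VpcEndpointOwner": "333333333333",
   "VpcEndpointState": "rejected"}
]}
""")

# VPC endpoint IDs are "vpce-" plus 8 (older) or 17 hex characters.
VPCE_ID = re.compile(r"^vpce-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def triage_requests(described, expected_endpoint_id):
    """Plan accept/reject; expected_endpoint_id is the ID Cognite provided."""
    if not VPCE_ID.match(expected_endpoint_id):
        raise ValueError(f"not a VPC endpoint ID: {expected_endpoint_id!r}")
    plan = {"accept": [], "already_accepted": [], "reject": []}
    seen = False
    for conn in described.get("VpcEndpointConnections", []):
        endpoint_id, state = conn["VpcEndpointId"], conn["VpcEndpointState"]
        if endpoint_id == expected_endpoint_id:
            seen = True
            if state == "pendingAcceptance":
                plan["accept"].append(endpoint_id)
            elif state in ("pending", "available"):
                plan["already_accepted"].append(endpoint_id)
            else:
                raise RuntimeError(f"{endpoint_id} is {state}; it cannot be accepted")
        elif state == "pendingAcceptance":
            # A queued request from an endpoint nobody announced is not trusted.
            plan["reject"].append(endpoint_id)
    if not seen:
        raise LookupError(f"no connection request from {expected_endpoint_id}")
    return plan


if __name__ == "__main__":
    print(triage_requests(SAMPLE, "vpce-0123456789abcdef0"))
```

The endpoint listed under `accept` can then be accepted in the VPC console as described above, or with `aws ec2 accept-vpc-endpoint-connections`.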

Step 3: Set up DNS and TLS and share the hostname with Cognite
1. Create a DNS entry
Create a DNS entry for the Private IP Addresses provided by Cognite and configure TLS.
2. Share the hostname with Cognite
The hosted extractors in CDF use the hostname to connect to the MQTT broker with the default MQTT ports.
If you are using AWS IoT Core with a custom domain, follow the AWS documentation to configure your custom domain, including setting up a CNAME record from your custom domain to your AWS IoT endpoint.