# Configure outbound AWS PrivateLink

> Set up outbound AWS PrivateLink for Cognite Data Fusion (CDF) to make private connections to your AWS resources.

Outbound [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html)
enables CDF to make outbound connections to your subscriptions over a **private link**. Traffic between your virtual network and the CDF services uses the AWS backbone network and isn't exposed to the public internet.

Currently, the feature is limited to outbound connections from hosted extractors in CDF to MQTT brokers in your account.

<a id="before-you-start" />

## Before you start

To configure an outbound AWS PrivateLink for CDF, you need:

* An active AWS PrivateLink subscription.
* A network administrator or infrastructure-as-code automation with permission to create AWS PrivateLink service resources.

<a id="step-1" />

## Step 1: Set up the PrivateLink service and share the service name with Cognite

<Steps>
  <Step title="Create a PrivateLink service">
    Follow the [AWS documentation](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) to create a PrivateLink service.
  </Step>

  <Step title="Share the name with Cognite">
    Share the [PrivateLink service name](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#share-endpoint-service) with Cognite.

    <Frame>
      <img src="https://apps-cdn.cogniteapp.com/@cognite/docs-portal-images/1.0.0/images/cdf/access/AWS_outbound_private_link-customer-endoint_service.png" alt="Connection alias" width="80%" />
    </Frame>

    If you use AWS IoT Core as your MQTT broker, you don't need to set up a PrivateLink service. Instead, share the AWS IoT Core `iot:Data-ATS` endpoint domain with Cognite. The domain has the format `<id>-ats.iot.<region>.amazonaws.com`, or is a custom domain that you have configured.

    <Warning>
      Make sure that you exchange confidential information through a secret and encrypted channel, for example via [Yopass](https://yopass.cogheim.net).
    </Warning>
  </Step>
</Steps>

<a id="step-2" />

## Step 2: Approve the VPC endpoint connection request

<Steps>
  <Step title="Receive the Cognite endpoint setup">
    Cognite sets up a VPC endpoint for the PrivateLink service, and provides you with the **VPC Endpoint ID** and the **Private IP Address(es)** of the VPC endpoint interfaces.
  </Step>

  <Step title="Verify the PrivateLink Service connection">
    In the [AWS VPC Portal](https://console.aws.amazon.com/vpc), use the **VPC Endpoint ID** to verify the incoming PrivateLink Service connection, and [accept the connection request](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests).

    <Frame>
      <img src="https://apps-cdn.cogniteapp.com/@cognite/docs-portal-images/1.0.0/images/cdf/access/AWS_private_link-customer-connection-accept.png" alt="Connection alias" width="80%" />
    </Frame>

    If you use AWS IoT Core as your MQTT broker, you don't need to accept a connection request. However, Cognite still needs to share the VPC endpoint IP addresses so that you can set up DNS in Step 3.
  </Step>
</Steps>
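
The verification in Step 2 can also be scripted against the JSON output of `aws ec2 describe-vpc-endpoint-connections`. The following is an added example, not Cognite's code: the function names are hypothetical, and every service ID, endpoint ID, and account number in the sample is a constructed placeholder. It accepts only the pending request whose ID exactly matches the **VPC Endpoint ID** you received from Cognite, and lists any other connections on the same endpoint service for review.

```python
import json

# Constructed sample of `aws ec2 describe-vpc-endpoint-connections` output.
# All IDs and account numbers below are placeholders, not real values.
SAMPLE_OUTPUT = json.dumps({"VpcEndpointConnections": [
    {"ServiceId": "vpce-svc-0aaaaaaaaaaaaaaaa", "VpcEndpointId": "vpce-0123456789abcdef0",
     "VpcEndpointOwner": "111111111111", "VpcEndpointState": "pendingAcceptance"},
    {"ServiceId": "vpce-svc-0aaaaaaaaaaaaaaaa", "VpcEndpointId": "vpce-0fedcba9876543210",
     "VpcEndpointOwner": "222222222222", "VpcEndpointState": "pendingAcceptance"},
    {"ServiceId": "vpce-svc-0aaaaaaaaaaaaaaaa", "VpcEndpointId": "vpce-00000000000000000",
     "VpcEndpointOwner": "333333333333", "VpcEndpointState": "available"},
]})


def triage_requests(describe_json, service_id, expected_endpoint_id):
    """Split connections on one endpoint service into the request to accept,
    pending requests to investigate, and active connections to audit."""
    result = {"accept": [], "unexpected_pending": [], "unexpected_active": []}
    for conn in json.loads(describe_json).get("VpcEndpointConnections", []):
        if conn.get("ServiceId") != service_id:
            continue  # belongs to a different endpoint service
        endpoint_id = conn.get("VpcEndpointId")
        state = conn.get("VpcEndpointState")
        if endpoint_id == expected_endpoint_id:
            if state == "pendingAcceptance":
                result["accept"].append(endpoint_id)
        elif state == "pendingAcceptance":
            result["unexpected_pending"].append(endpoint_id)
        elif state in ("pending", "available"):
            result["unexpected_active"].append(endpoint_id)
    return result


def accept_command(service_id, triage):
    """Return the AWS CLI argv to run, or None unless exactly one request matches."""
    if len(triage["accept"]) != 1:
        return None
    return ["aws", "ec2", "accept-vpc-endpoint-connections",
            "--service-id", service_id, "--vpc-endpoint-ids", triage["accept"][0]]


if __name__ == "__main__":
    svc = "vpce-svc-0aaaaaaaaaaaaaaaa"  # placeholder for your endpoint service ID
    triage = triage_requests(SAMPLE_OUTPUT, svc, "vpce-0123456789abcdef0")
    print(triage)
    print(accept_command(svc, triage))
```

Leave requests listed under `unexpected_pending` unaccepted until you have confirmed their origin.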

<a id="step-3" />

## Step 3: Set up DNS and TLS and share the hostname with Cognite

<Steps>
  <Step title="Create a DNS entry">
    Create a DNS entry for the **Private IP Addresses** provided by Cognite and configure TLS.
  </Step>

  <Step title="Share the hostname with Cognite">
    The hosted extractors in CDF use the hostname to connect to the MQTT broker with the default MQTT ports.

    If you are using AWS IoT Core with a custom domain, follow the [AWS documentation](https://docs.aws.amazon.com/iot/latest/developerguide/iot-custom-endpoints-configurable-custom.html) to configure your custom domain, including setting up a `CNAME` record from your custom domain to your AWS IoT endpoint.
  </Step>
</Steps>
