
Configure outbound AWS PrivateLink for CDF

Outbound AWS PrivateLink enables Cognite Data Fusion (CDF) to make outbound connections to services in your AWS account over a private link. Traffic between your VPC and the CDF services stays on the AWS backbone network and is not exposed to the public internet.

Currently, the feature is limited to outbound connections from hosted extractors in CDF to MQTT brokers in your account.

Follow the steps in this article to enable outbound PrivateLink for your CDF project and set up a PrivateLink service for your MQTT broker.

Prerequisites

To configure an outbound AWS PrivateLink for CDF, you need:

  1. An AWS account in which you can use AWS PrivateLink.

  2. A network administrator or infrastructure-as-code automation with permission to create AWS PrivateLink service resources (the endpoint service and the load balancer it fronts).

Step 1: create a PrivateLink service and share the service name

  1. Follow the AWS documentation to create a PrivateLink service (a VPC endpoint service) for your MQTT broker.

  2. Share the PrivateLink service name with Cognite.

Connection alias

If you use AWS IoT Core as your MQTT broker, you don't need to set up a PrivateLink service. Instead, share the AWS IoT Core iot:Data-ATS endpoint domain with Cognite. It has the format <id>-ats.iot.<region>.amazonaws.com, or is a custom domain that you have configured.

Caution

The service name, endpoint IDs, IP addresses and hostnames exchanged in these steps are confidential configuration details. Exchange them over an encrypted channel, for example a one-time secret link via Yopass, not in plain e-mail or chat.

Step 2: approve the VPC endpoint connection request

  1. Cognite sets up a VPC endpoint for the PrivateLink service and provides you with the VPC Endpoint ID and the private IP address(es) of the VPC endpoint interface(s).

  2. In the Amazon VPC console, open the pending connection requests for your endpoint service and check that the requesting VPC Endpoint ID is exactly the one Cognite provided before you accept it. Do not accept a request whose endpoint ID you cannot match to the one Cognite shared.

Connection alias

If you use AWS IoT Core as your MQTT broker, there is no connection request to accept. However, Cognite still needs to share the VPC endpoint IP address(es) with you so that you can set up DNS in Step 3.

Step 3: set up DNS and TLS and share the hostname with Cognite

  1. Create a DNS entry for the private IP address(es) provided by Cognite and configure TLS on the broker so that the certificate it presents is valid for that hostname; a name mismatch will fail TLS verification.
  2. Share the hostname with Cognite. The hosted extractors in CDF use the hostname to connect to the MQTT broker on the default MQTT ports.

If you are using AWS IoT Core with a custom domain, follow the AWS documentation to configure your custom domain, including setting up a CNAME record from your custom domain to your AWS IoT endpoint.
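The three steps above as one script, added here as an example; it is not Cognite's or AWS's own code. It assumes the AWS CLI and openssl are installed, a Network Load Balancer in front of your broker, and a Route 53 private hosted zone, and it uses placeholder values (the NLB ARN, Cognite's AWS account principal, the hosted zone ID, the hostname and the IP addresses) that are all assumptions to be replaced with your own values and the ones Cognite shares. It also covers the IoT Core alternative (fetching the iot:Data-ATS endpoint instead of creating a service) and a TLS hostname check to run before you share the hostname.

```bash
#!/usr/bin/env bash
# Added example, not Cognite's or AWS's code: the three steps of this article
# as AWS CLI calls, with the checks worth doing before you accept the
# connection and share the hostname. Every ARN, ID, account number, zone ID,
# hostname and IP below is a placeholder (assumption); substitute your own
# values and the ones Cognite gives you. Requires the aws CLI, openssl and a
# private hosted zone that the broker's VPC can resolve.
set -eu

REGION="${AWS_REGION:-eu-west-1}"
# Placeholder: the Network Load Balancer in front of your MQTT broker.
NLB_ARN="arn:aws:elasticloadbalancing:${REGION}:111122223333:loadbalancer/net/mqtt-nlb/0123456789abcdef"
# Placeholder: the AWS account Cognite connects from (ask Cognite for the real one).
COGNITE_PRINCIPAL="arn:aws:iam::999999999999:root"
HOSTED_ZONE_ID="Z0123456789EXAMPLE"              # placeholder private hosted zone
BROKER_HOSTNAME="mqtt.cdf-link.example.internal" # hostname you will share with Cognite

# Step 1: create the endpoint service with manual acceptance and allow only
# Cognite's account to request a connection. Prints the service name to share.
create_service() {
  service_id=$(aws ec2 create-vpc-endpoint-service-configuration --region "$REGION" \
      --network-load-balancer-arns "$NLB_ARN" --acceptance-required \
      --query 'ServiceConfiguration.ServiceId' --output text)
  aws ec2 modify-vpc-endpoint-service-permissions --region "$REGION" \
      --service-id "$service_id" --add-allowed-principals "$COGNITE_PRINCIPAL" >/dev/null
  aws ec2 describe-vpc-endpoint-service-configurations --region "$REGION" \
      --service-ids "$service_id" --query 'ServiceConfigurations[0].ServiceName' --output text
}

# IoT Core alternative to step 1: nothing to create; fetch the iot:Data-ATS
# endpoint to share instead. The format check mirrors the
# <id>-ats.iot.<region>.amazonaws.com shape from the article (a custom domain
# will not match it, which is expected).
iot_ats_endpoint() {
  aws iot describe-endpoint --region "$REGION" --endpoint-type iot:Data-ATS \
      --query 'endpointAddress' --output text
}
is_iot_ats_endpoint() {
  case "$1" in *-ats.iot.*.amazonaws.com) return 0 ;; *) return 1 ;; esac
}

# Step 2: accept a pending connection only when its endpoint ID is exactly the
# one Cognite shared, so a request from some other account is never approved.
accept_connection() {
  service_id="$1"; expected_vpce="$2"
  pending=$(aws ec2 describe-vpc-endpoint-connections --region "$REGION" \
      --filters "Name=service-id,Values=${service_id}" \
                "Name=vpc-endpoint-state,Values=pendingAcceptance" \
      --query 'VpcEndpointConnections[].VpcEndpointId' --output text)
  for vpce in $pending; do
    if [ "$vpce" = "$expected_vpce" ]; then
      aws ec2 accept-vpc-endpoint-connections --region "$REGION" \
          --service-id "$service_id" --vpc-endpoint-ids "$vpce"
      return 0
    fi
    echo "leaving unexpected request unaccepted: $vpce" >&2
  done
  echo "no pending request matches $expected_vpce" >&2
  return 1
}

# Step 3: the Route 53 change batch mapping the hostname to the private IP(s)
# of Cognite's endpoint interfaces (one A record, one value per interface).
# Pure string building, no AWS call, so the record can be reviewed first.
route53_change_batch() {
  name="$1"; shift
  records=""
  for ip in "$@"; do
    records="${records:+$records,}{\"Value\":\"$ip\"}"
  done
  printf '{"Comment":"CDF outbound PrivateLink","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","TTL":300,"ResourceRecords":[%s]}}]}' \
      "$name" "$records"
}
publish_dns() {
  aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
      --change-batch "$(route53_change_batch "$BROKER_HOSTNAME" "$@")"
}

# Before sharing the hostname, confirm from inside the VPC that the broker's
# certificate chain verifies and is valid for that exact name (8883 is the
# default MQTT-over-TLS port). A non-zero exit means a TLS client would fail too.
check_tls() {
  openssl s_client -connect "$1:${2:-8883}" -servername "$1" -verify_hostname "$1" \
      -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: ./cdf-privatelink.sh create-service
#        ./cdf-privatelink.sh iot-endpoint
#        ./cdf-privatelink.sh accept <service-id> <vpce-id-from-cognite>
#        ./cdf-privatelink.sh dns <private-ip> [<private-ip>...]
case "${1:-}" in
  create-service) create_service ;;
  iot-endpoint)   iot_ats_endpoint ;;
  accept)         accept_connection "$2" "$3" ;;
  dns)            shift; publish_dns "$@"; check_tls "$BROKER_HOSTNAME" ;;
  *)              : ;;   # no arguments: only define the functions (for sourcing)
esac
```

Two choices go slightly beyond the article's text and are assumptions about your setup: `--add-allowed-principals` restricts who may even request a connection to the account Cognite gives you (the article only asks for manual acceptance), and `accept_connection` refuses any pending request whose ID is not the one Cognite shared rather than accepting whatever is pending. `route53_change_batch` builds the record without touching AWS, so you can print it and review the IPs against what Cognite sent before `publish_dns` applies it.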