
AWS PrivateLink for ClickPipes

You can use AWS PrivateLink to establish secure connectivity between VPCs, AWS services, your on-premises systems, and ClickHouse Cloud without exposing traffic to the public Internet.

This document outlines the ClickPipes reverse private endpoint functionality that allows setting up an AWS PrivateLink VPC endpoint.

A ClickPipes reverse private endpoint can be configured with one of the following AWS PrivateLink approaches:

VPC resource

Your VPC resources can be accessed in ClickPipes using PrivateLink and AWS VPC Lattice. This approach doesn't require setting up a load balancer in front of your data source.

A resource configuration can target a specific host or an RDS cluster ARN. Cross-region access is not supported.

It's the preferred choice for Postgres CDC ingesting data from an RDS cluster.

To set up PrivateLink with VPC resource:

  1. Create a resource gateway
  2. Create a resource configuration
  3. Create a resource share

1. Create a Resource-Gateway

A Resource-Gateway is the point that receives traffic for specified resources in your VPC.

You can create a Resource-Gateway from the AWS console or with the following command:

The output will contain a Resource-Gateway id, which you will need for the next step.

Before you can proceed, you'll need to wait for the Resource-Gateway to enter into an Active state. You can check the state by running the following command:

2. Create a VPC Resource-Configuration

A Resource-Configuration is associated with a Resource-Gateway to make your resource accessible.

You can create a Resource-Configuration from the AWS console or with the following command:

The simplest resource configuration type is a single Resource-Configuration. You can configure it with an ARN directly, or share an IP address or a publicly resolvable domain name.

For example, to configure with the ARN of an RDS Cluster:

The output will contain a Resource-Configuration ARN, which you will need for the next step. It will also contain a Resource-Configuration ID, which you will need to set up a ClickPipe connection with VPC resource.

3. Create a Resource-Share

Sharing your resource requires a Resource-Share. This is facilitated through the Resource Access Manager (RAM).

You can put the Resource-Configuration into the Resource-Share through the AWS console or by running the following command with the ClickPipes account ID 072088201116:

The output will contain a Resource-Share ARN, which you will need to set up a ClickPipe connection with VPC resource.

You are ready to create a ClickPipe with a reverse private endpoint using a VPC resource. You will need to:

  • Set VPC endpoint type to VPC Resource.
  • Set Resource configuration ID to the ID of the Resource-Configuration created in step 2.
  • Set Resource share ARN to the ARN of the Resource-Share created in step 3.

For more details on PrivateLink with VPC resource, see AWS documentation.
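The three steps above, chained with the AWS CLI, as an added example that is not part of the ClickPipes documentation. The script creates the Resource-Gateway, polls it until it reports ACTIVE (the state the page says you must wait for), creates a single Resource-Configuration targeting an RDS cluster ARN, and shares it with the ClickPipes account through RAM, printing the two values the ClickPipe form asks for. The `aws vpc-lattice` and `aws ram` parameter names, the `id`/`arn`/`status` output fields, and the status names are assumptions to check against the AWS CLI reference; the account ID is the one given on the page.

```shell
#!/bin/sh
# Added example (not from the ClickPipes docs): drives the three VPC-resource
# steps with the AWS CLI and waits for the Resource-Gateway to become ACTIVE
# before creating the Resource-Configuration. Subcommand parameters, output
# field names and status values are assumptions; verify them against the
# AWS CLI reference for `aws vpc-lattice` and `aws ram`.
set -eu

CLICKPIPES_ACCOUNT_ID="072088201116"   # ClickPipes account ID from the page

# Poll the gateway status: succeed on ACTIVE, fail on a terminal error state
# or after MAX_ATTEMPTS polls. The interval is a parameter so tests can use 0.
wait_for_gateway_active() {
  gw_id="$1"; max_attempts="${2:-30}"; interval="${3:-10}"
  attempt=0
  while [ "$attempt" -lt "$max_attempts" ]; do
    status="$(aws vpc-lattice get-resource-gateway \
      --resource-gateway-identifier "$gw_id" \
      --query status --output text)"
    case "$status" in
      ACTIVE) return 0 ;;
      CREATE_FAILED|DELETE_IN_PROGRESS|DELETE_FAILED)
        echo "resource gateway $gw_id is in state $status" >&2; return 1 ;;
    esac
    attempt=$((attempt + 1))
    sleep "$interval"
  done
  echo "timed out waiting for resource gateway $gw_id" >&2
  return 1
}

# share_rds_with_clickpipes NAME VPC_ID SUBNET_ID RDS_CLUSTER_ARN [PORT]
# Prints "<resource-configuration-id> <resource-share-arn>" on success:
# the Resource configuration ID and Resource share ARN the ClickPipe form needs.
share_rds_with_clickpipes() {
  name="$1"; vpc_id="$2"; subnet_id="$3"; rds_arn="$4"; port="${5:-5432}"
  poll_interval="${POLL_INTERVAL:-10}"

  # Step 1: Resource-Gateway in the VPC/subnet that can reach the RDS cluster.
  gw_id="$(aws vpc-lattice create-resource-gateway \
    --name "${name}-gw" --vpc-identifier "$vpc_id" --subnet-ids "$subnet_id" \
    --query id --output text)"
  wait_for_gateway_active "$gw_id" 30 "$poll_interval"

  # Step 2: single Resource-Configuration targeting the RDS cluster ARN.
  definition="{\"arnResource\":{\"arn\":\"$rds_arn\"}}"
  rc_out="$(aws vpc-lattice create-resource-configuration \
    --name "${name}-rc" --type SINGLE \
    --resource-gateway-identifier "$gw_id" \
    --port-ranges "$port" \
    --resource-configuration-definition "$definition" \
    --query '[id,arn]' --output text)"
  # Text output puts id and arn on one line separated by whitespace.
  set -- $rc_out
  rc_id="$1"; rc_arn="$2"

  # Step 3: Resource-Share granting the ClickPipes account access via RAM.
  share_arn="$(aws ram create-resource-share \
    --name "${name}-share" --resource-arns "$rc_arn" \
    --principals "$CLICKPIPES_ACCOUNT_ID" \
    --query resourceShare.resourceShareArn --output text)"

  echo "$rc_id $share_arn"
}

# Runs end to end only when invoked with arguments, e.g.
#   sh share.sh clickpipes vpc-0abc subnet-0abc arn:aws:rds:us-east-1:111122223333:cluster:mydb
# (placeholder IDs). Sourcing the file without arguments only defines the functions.
if [ "$#" -ge 4 ]; then
  share_rds_with_clickpipes "$@"
fi
```

The `--principals` value is the bare ClickPipes account ID, which is all RAM needs to share with another account; the port range defaults to 5432 for Postgres and should be changed for other data sources.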

MSK multi-VPC connectivity

Multi-VPC connectivity is a built-in feature of AWS MSK that allows you to connect multiple VPCs to a single MSK cluster. Private DNS support works out of the box and does not require any additional configuration. Cross-region access is not supported.

It is the recommended option for ClickPipes for MSK. See the getting started guide for more details.

info

Update your MSK cluster policy and add 072088201116 to the allowed principals for your MSK cluster. See the AWS guide on attaching a cluster policy for more details.

Follow our MSK setup guide for ClickPipes to learn how to set up the connection.

VPC endpoint service

The VPC endpoint service is another approach to sharing your data source with ClickPipes. It requires setting up an NLB (Network Load Balancer) in front of your data source and configuring the VPC endpoint service to use the NLB.

A VPC endpoint service can be configured with a private DNS name that will be accessible in the ClickPipes VPC.

It is the preferred choice for:

  • Any on-premises Kafka setup that requires private DNS support
  • Cross-region connectivity for Postgres CDC
  • Cross-region connectivity for MSK cluster. Please reach out to the ClickHouse support team for assistance.

See the getting started guide for more details.

info

Add the ClickPipes account ID 072088201116 to the allowed principals of your VPC endpoint service. See the AWS guide on managing permissions for more details.

info

Cross-region access can be configured for ClickPipes: add your ClickPipe's region to the allowed regions in your VPC endpoint service.
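Both "allowed principals" notes above (the MSK cluster policy and the VPC endpoint service permissions) grant the same ClickPipes account access on the AWS side. The following is an added example, not part of the ClickPipes documentation or the AWS guides, that does both from the AWS CLI. The cluster policy actions are the ones the AWS multi-VPC connectivity guide lists for a cross-account connection; the `aws kafka put-cluster-policy` and `aws ec2 modify-vpc-endpoint-service-permissions` parameter names are assumptions to check against the AWS CLI reference, and the cluster ARN and service ID are placeholders.

```shell
#!/bin/sh
# Added example (not from the ClickPipes docs): allows the ClickPipes account
# (072088201116, from the page) on an MSK cluster policy and on a VPC endpoint
# service. CLI parameter names are assumptions; the policy actions follow the
# AWS multi-VPC connectivity guide. Check both against the AWS references.
set -eu

CLICKPIPES_ACCOUNT_ID="072088201116"

# Root principal ARN for an AWS account ID; rejects anything not 12 digits so a
# typo cannot silently end up in a policy.
account_root_arn() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
      echo "arn:aws:iam::$1:root" ;;
    *) echo "invalid AWS account ID: $1" >&2; return 1 ;;
  esac
}

# Cluster policy allowing the principal to create a VPC connection to the
# cluster and look up its brokers. Resource is pinned to the one cluster ARN,
# and only the actions multi-VPC connectivity needs are granted.
msk_cluster_policy_json() {
  cluster_arn="$1"; principal_arn="$(account_root_arn "$2")"
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["%s"]},"Action":["kafka:CreateVpcConnection","kafka:GetBootstrapBrokers","kafka:DescribeCluster","kafka:DescribeClusterV2"],"Resource":"%s"}]}' \
    "$principal_arn" "$cluster_arn"
}

# MSK multi-VPC: attach the policy to the cluster. put-cluster-policy replaces
# the whole policy, so merge these statements with any existing policy first.
allow_clickpipes_on_msk() {
  cluster_arn="$1"
  policy="$(msk_cluster_policy_json "$cluster_arn" "$CLICKPIPES_ACCOUNT_ID")"
  aws kafka put-cluster-policy --cluster-arn "$cluster_arn" --policy "$policy"
}

# VPC endpoint service: add the ClickPipes account as an allowed principal.
allow_clickpipes_on_endpoint_service() {
  service_id="$1"
  aws ec2 modify-vpc-endpoint-service-permissions \
    --service-id "$service_id" \
    --add-allowed-principals "$(account_root_arn "$CLICKPIPES_ACCOUNT_ID")"
}

# Usage (placeholder identifiers):
#   allow_clickpipes_on_msk arn:aws:kafka:us-east-1:111122223333:cluster/demo/abc
#   allow_clickpipes_on_endpoint_service vpce-svc-0123456789abcdef0
```

Because `put-cluster-policy` overwrites the existing cluster policy, read the current one with `aws kafka get-cluster-policy` and add the ClickPipes statement to it rather than replacing statements for other consumers.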

Creating a ClickPipe with reverse private endpoint

  1. Access the SQL Console for your ClickHouse Cloud Service.
  2. Select the Data Sources button on the left-side menu and click on "Set up a ClickPipe".
  3. Select either Kafka or Postgres as a data source.
  4. Select the Reverse private endpoint option.
  5. Select any of the existing reverse private endpoints or create a new one.

info

If cross-region access is required for RDS, you need to create a VPC endpoint service; this guide should provide a good starting point to set it up.

For same-region access, creating a VPC Resource is the recommended approach.

  6. Provide the required parameters for the selected endpoint type.
     • For VPC resource, provide the configuration share ARN and configuration ID.
     • For MSK multi-VPC, provide the cluster ARN and the authentication method used with the created endpoint.
     • For VPC endpoint service, provide the service name.
  7. Click on Create and wait for the reverse private endpoint to be ready.

    If you are creating a new endpoint, it will take some time to set up. The page will refresh automatically once the endpoint is ready. A VPC endpoint service might require accepting the connection request in your AWS console.

  8. Once the endpoint is ready, you can use its DNS name to connect to the data source.

    In the list of endpoints, you can see the DNS name for each available endpoint. It is either a DNS name provisioned internally by ClickPipes or a private DNS name supplied by the PrivateLink service. The DNS name is not a complete network address: add the port appropriate for the data source.

    The MSK connection string can be accessed in the AWS console.

    To see the full list of DNS names, open the cloud service settings.

Managing existing reverse private endpoints

You can manage existing reverse private endpoints in the ClickHouse Cloud service settings:

  1. On the sidebar, find the Settings button and click on it.
  2. Click on Reverse private endpoints in the ClickPipe reverse private endpoints section.

Extended information about the reverse private endpoint is shown in the flyout.

An endpoint can be removed from here; doing so affects any ClickPipes using it.

The following AWS regions are supported for AWS PrivateLink:

  • us-east-1 - for ClickHouse services running in the us-east-1 region
  • eu-central-1 - for ClickHouse services running in EU regions
  • us-east-2 - for ClickHouse services running everywhere else

This restriction does not apply to the PrivateLink VPC endpoint service type, since it supports cross-region connectivity.

Limitations

AWS PrivateLink endpoints for ClickPipes created in ClickHouse Cloud are not guaranteed to be created in the same AWS region as the ClickHouse Cloud service.

Currently, only VPC endpoint service supports cross-region connectivity.

Private endpoints are linked to a specific ClickHouse service and are not transferable between services. Multiple ClickPipes for a single ClickHouse service can reuse the same endpoint.