Private service endpoints

Connect clusters to applications using a private link service

A private service endpoint (PSE) is used to connect a YugabyteDB Managed cluster that is deployed in a Virtual Private Cloud (VPC) with other services on the same cloud provider - typically a VPC hosting the application that you want to access your cluster. The PSE on your cluster connects to an endpoint on the VPC hosting your application over a private connection, referred to as a private link.

VPC network using PSE

Overview

While cloud providers refer to the components of a private link service in different ways, these components serve the same purposes.

| YBM | AWS PrivateLink | Azure Private Link | Description |
|---|---|---|---|
| VPC | VPC | VNet | Secure virtual network created on a cloud provider. |
| PSE | Endpoint service | Private Link service | The endpoints on your cluster that you make available to the private link. |
| Application VPC endpoint | Interface VPC endpoint | Private endpoint | The endpoints on the application VPC corresponding to the PSEs on your cluster. |
| Security principal | AWS principal (ARN) | Subscription ID | Cloud provider account with permissions to manage endpoints. |
| Service name | Service name | Alias | Identifies the PSE to the application VPC endpoint. You provide the service name when creating the application VPC endpoint. |

Setting up a private link to connect your cluster to your application VPC involves the following tasks:

  1. Deploy your cluster in a VPC. You must create a VPC and deploy your cluster before you can configure the PSE.

  2. Create a PSE in each region of your cluster. The PSE is an endpoint service, and you activate it by granting access to a security principal on your application VPC.

    In the case of AWS, a security principal is an AWS principal, specified as an Amazon Resource Name (ARN).

    For Azure, a security principal is the subscription ID of the subscription to which you want to grant access.

  3. On the cloud provider, create an interface VPC endpoint (AWS) or a private endpoint (Azure) on the VPC (VNet) hosting your application. You create an endpoint for each region in your cluster, providing the service name of the corresponding PSE on your cluster.
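The following is an added example, not part of the YugabyteDB Managed documentation, showing the checks a practitioner would run before step 3 on AWS: confirm that the PSE service name is well formed and that its region matches the region where you are creating the interface endpoint (the same-region requirement from the prerequisites), check that the AWS principal you granted in step 2 is a syntactically valid IAM ARN, and only then assemble the `aws ec2 create-vpc-endpoint` command. All IDs (service name, VPC, subnet, security group, account number) are constructed sample values; the helper names are this example's own. The script prints the command rather than running it, so it works offline.

```shell
#!/bin/sh
# Added example (not YugabyteDB Managed code). Validates inputs for the
# "create an interface VPC endpoint" step and prints the AWS CLI command.

# Extract the region from an AWS endpoint service name. The real format is
# com.amazonaws.vpce.<region>.vpce-svc-<id>; anything else is rejected.
pse_service_region() {
  case "$1" in
    com.amazonaws.vpce.*.vpce-svc-*) ;;
    *) return 1 ;;
  esac
  rest=${1#com.amazonaws.vpce.}
  printf '%s\n' "${rest%%.*}"
}

# Check that a security principal looks like an IAM ARN: the account root,
# a user, or a role. A bare account number is not a valid principal here.
is_aws_principal_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:(root|user/.+|role/.+)$'
}

# Build the create-vpc-endpoint command for step 3, refusing to proceed when
# the service name is malformed or its region differs from the endpoint's.
# Arguments: service_name endpoint_region vpc_id subnet_ids security_group_id
build_interface_endpoint_cmd() {
  service_name=$1; endpoint_region=$2; vpc_id=$3; subnet_ids=$4; sg_id=$5
  svc_region=$(pse_service_region "$service_name") || {
    echo "refusing: '$service_name' is not an AWS endpoint service name" >&2
    return 1
  }
  [ "$svc_region" = "$endpoint_region" ] || {
    echo "refusing: PSE is in $svc_region but endpoint region is $endpoint_region" >&2
    return 1
  }
  printf 'aws ec2 create-vpc-endpoint --region %s --vpc-endpoint-type Interface --service-name %s --vpc-id %s --subnet-ids %s --security-group-ids %s\n' \
    "$endpoint_region" "$service_name" "$vpc_id" "$subnet_ids" "$sg_id"
}

# Constructed sample values (placeholders, not real resources).
SERVICE_NAME="com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0"
PRINCIPAL="arn:aws:iam::123456789012:root"

if is_aws_principal_arn "$PRINCIPAL"; then
  echo "principal OK: $PRINCIPAL"
fi

# Matching region: the command is printed for review.
build_interface_endpoint_cmd "$SERVICE_NAME" us-east-1 vpc-0a1b2c3d subnet-0a1b2c3d sg-0a1b2c3d

# Mismatched region: the helper refuses instead of emitting a command.
if build_interface_endpoint_cmd "$SERVICE_NAME" us-west-2 vpc-0a1b2c3d subnet-0a1b2c3d sg-0a1b2c3d; then
  echo "unexpected: command was produced"
else
  echo "mismatched region correctly refused"
fi
```

The region check is the one most worth automating: an interface endpoint created in a different region than the PSE will not find the service, and the failure mode is an unhelpful "service not found" rather than a clear mismatch message.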

Limitations

Prerequisites

Before you can create a PSE, you need to do the following:

  1. Create a VPC. Refer to Create a VPC. Make sure your VPC is in the same region as the application VPC to which you will connect your endpoint.
  2. Deploy a YugabyteDB cluster in the VPC. Refer to Create a cluster.

In addition, if you want to use ybm CLI to create PSEs, you need to do the following:

Note that, unlike VPC peering, connecting to an application VPC over a private link does not require you to add an IP allow list to your cluster.

Get started

  - Set up an AWS PrivateLink: Add PSEs to your cluster and create interface endpoints on your application VPC in AWS.
  - Set up an Azure Private Link: Add a PSE to your cluster and create a private endpoint on your application VNet in Azure.