Skip to main content
Skip to main content
Edit this page

AWS PrivateLink for ClickPipes

You can use AWS PrivateLink to establish secure connectivity between VPCs, AWS services, your on-premises systems, and ClickHouse Cloud without exposing traffic to the public Internet.

This document outlines the ClickPipes reverse private endpoint functionality that allows setting up an AWS PrivateLink VPC endpoint.

Supported ClickPipes data sources

ClickPipes reverse private endpoint functionality is limited to the following data source types:

  • Kafka
  • Postgres
  • MySQL

ClickPipes reverse private endpoint can be configured with one of the following AWS PrivateLink approaches:

VPC resource

Your VPC resources can be accessed in ClickPipes using PrivateLink. This approach doesn't require setting up a load balancer in front of your data source.

Resource configuration can be targeted with a specific host or RDS cluster ARN. Cross-region is not supported.

It's the preferred choice for Postgres CDC ingesting data from an RDS cluster.

To set up PrivateLink with VPC resource:

  1. Create a resource gateway
  2. Create a resource configuration
  3. Create a resource share

Create a resource gateway

Resource gateway is the point that receives traffic for specified resources in your VPC.

Note

Your resource gateway attached subnets are recommended to have sufficient IP addresses available. It's recommended to have at least /26 subnet mask for each subnet.

For each VPC endpoint (each Reverse Private Endpoint), AWS requires a consecutive block of 16 IP addresses per subnet. (/28 subnet mask) If this requirement is not met, Reverse Private Endpoint will transition to a failed state.

You can create a resource gateway from the AWS console or with the following command:

aws vpc-lattice create-resource-gateway \
    --vpc-identifier <VPC_ID> \
    --subnet-ids <SUBNET_IDS> \
    --security-group-ids <SG_IDs> \
    --name <RESOURCE_GATEWAY_NAME>

The output will contain a resource gateway id, which you will need for the next step.

Before you can proceed, you'll need to wait for the resource gateway to enter into an Active state. You can check the state by running the following command:

aws vpc-lattice get-resource-gateway \
    --resource-gateway-identifier <RESOURCE_GATEWAY_ID>

Create a VPC Resource-Configuration

Resource-Configuration is associated with resource gateway to make your resource accessible.

You can create a Resource-Configuration from the AWS console or with the following command:

aws vpc-lattice create-resource-configuration \
    --resource-gateway-identifier <RESOURCE_GATEWAY_ID> \
    --type <RESOURCE_CONFIGURATION_TYPE> \
    --resource-configuration-definition <RESOURCE_CONFIGURATION_DEFINITION> \
    --name <RESOURCE_CONFIGURATION_NAME>

The simplest resource configuration type is a single Resource-Configuration. You can configure with the ARN directly, or share an IP address or a domain name that is publicly resolvable.

For example, to configure with the ARN of an RDS Cluster:

aws vpc-lattice create-resource-configuration \
    --name my-rds-cluster-config \
    --type ARN \
    --resource-gateway-identifier rgw-0bba03f3d56060135 \
    --resource-configuration-definition 'arnResource={arn=arn:aws:rds:us-east-1:123456789012:cluster:my-rds-cluster}'
Note

You can't create a resource configuration for a publicly accessible cluster. If your cluster is publicly accessible, you must modify the cluster to make it private before creating the resource configuration or use IP allow list instead. For more information, see the AWS documentation.

The output will contain a Resource-Configuration ARN, which you will need for the next step. It will also contain a Resource-Configuration ID, which you will need to set up a ClickPipe connection with VPC resource.

Create a Resource-Share

Sharing your resource requires a Resource-Share. This is facilitated through the Resource Access Manager (RAM).

You can put the Resource-Configuration into the Resource-Share through AWS console or by running the following command with ClickPipes account ID 072088201116 (arn:aws:iam::072088201116:root):

aws ram create-resource-share \
    --principals 072088201116 \
    --resource-arns <RESOURCE_CONFIGURATION_ARN> \
    --name <RESOURCE_SHARE_NAME>

The output will contain a Resource-Share ARN, which you will need to set up a ClickPipe connection with VPC resource.

You are ready to create a ClickPipe with Reverse private endpoint using VPC resource. You will need to:

  • Set VPC endpoint type to VPC Resource.
  • Set Resource configuration ID to the ID of the Resource-Configuration created in step 2.
  • Set Resource share ARN to the ARN of the Resource-Share created in step 3.

For more details on PrivateLink with VPC resource, see AWS documentation.

MSK multi-VPC connectivity

The Multi-VPC connectivity is a built-in feature of AWS MSK that allows you to connect multiple VPCs to a single MSK cluster. Private DNS support is out of the box and does not require any additional configuration. Cross-region is not supported.

It is a recommended option for ClickPipes for MSK. See the getting started guide for more details.

Info

Update your MSK cluster policy and add 072088201116 to the allowed principals to your MSK cluster. See AWS guide for attaching a cluster policy for more details.

Follow our MSK setup guide for ClickPipes to learn how to set up the connection.

VPC endpoint service

VPC endpoint service is another approach to share your data source with ClickPipes. It requires setting up a NLB (Network Load Balancer) in front of your data source and configuring the VPC endpoint service to use the NLB.

VPC endpoint service can be configured with a private DNS, that will be accessible in a ClickPipes VPC.

It's a preferred choice for:

  • Any on-premise Kafka setup that requires private DNS support
  • Cross-region connectivity for Postgres CDC
  • Cross-region connectivity for MSK cluster. Please reach out to the ClickHouse support team for assistance.

See the getting started guide for more details.

Info

Add ClickPipes account ID 072088201116 to the allowed principals to your VPC endpoint service. See AWS guide for managing permissions for more details.

Info

Cross-region access can be configured for ClickPipes. Add your ClickPipe region to the allowed regions in your VPC endpoint service.

Creating a ClickPipe with reverse private endpoint

Access the SQL Console for your ClickHouse Cloud Service.