
# Use AWS Inbound PrivateLink with StreamNative BYOC Clusters

[AWS PrivateLink](https://aws.amazon.com/privatelink/) enables secure, one-way connection access from your application VPC to a StreamNative Managed VPC in StreamNative Cloud, providing added protection against data exfiltration. This networking option is popular for its unique combination of security and simplicity.

The following diagram summarizes the AWS PrivateLink architecture between your application VPC and a StreamNative Managed VPC within your BYOC AWS account.

<img src="https://mintcdn.com/streamnative/SC0zqekRwf8nvf5H/media/aws-byoc-privatelink.svg?fit=max&auto=format&n=SC0zqekRwf8nvf5H&q=85&s=f12468a31f0d617fa67838c6476cf994" alt="AWS Inbound PrivateLink with StreamNative BYOC Clusters" width="1563" height="663" data-path="media/aws-byoc-privatelink.svg" />

To set up AWS Inbound PrivateLink with your BYOC Cluster, follow the steps below.

1. Review the [requirements and considerations](#requirements-and-considerations) below.

2. Ensure you [provision a BYOC Cloud Environment with proper networking configuration](#provision-byoc-cloud-environment) at the time of provisioning.

3. [Get the VPC Endpoint Service Name](#get-vpc-endpoint-service-name) of your BYOC Cluster.

4. [Provision PrivateLink endpoints in your AWS account that runs your application](#provision-private-link-endpoints-in-aws).

## Requirements and considerations

Review the following requirements and considerations before you set up an Inbound PrivateLink in AWS with your BYOC Clusters:

* The AWS Inbound PrivateLink described in this document is only available for use with BYOC & BYOC Pro clusters.

* If you are using [OAuth2 authentication](/cloud/security/authentication/service-accounts/use-oauth/oauth-overview), your VPC must allow outbound internet connections to [Auth0](https://auth0.com/), StreamNative's OAuth2 service provider. [API Keys](/cloud/security/authentication/service-accounts/use-api-keys/api-keys-overview) authentication does not have this requirement.

* The default gateway type for BYOC [Cloud Environment](/cloud/clusters/byoc/create-cloud-environment) can be either public or private. But you can't switch the gateway type after the BYOC Cloud Environment is created. If you need to switch the gateway type, you have to re-provision a new BYOC Cloud Environment with the desired gateway type.

## Provision BYOC Cloud Environment

StreamNative Clusters are exposed to external networks through a gateway service. Each BYOC [Cloud Environment](/cloud/clusters/byoc/create-cloud-environment) is provisioned with a default gateway type, either public or private. You can't switch the gateway type after the Cloud Environment is created. If you need to switch the gateway type, you have to re-provision a new Cloud Environment with the desired gateway type.

To set up AWS Inbound PrivateLink for your BYOC Cluster, you must therefore provision the BYOC Cloud Environment with the right settings at the time of provisioning:

1. Set the default gateway type to **private**.
2. Add the AWS Account ID where your application VPC is located to the **allowed IDs list** of the private service.

<Tabs>
  <Tab title="Console">
    When [creating a BYOC Cloud Environment](/cloud/clusters/byoc/create-cloud-environment#create-a-cloud-environment-on-ui) on the StreamNative Cloud Console, make sure to select **private** as the **Default Gateway** type and input the AWS Account ID where your application VPC is located in the **Allowed IDs** field. See the screenshot below for reference.

    <img src="https://mintcdn.com/streamnative/StrsP_UqTvabul7-/media/cloud-environment-private-gateway.png?fit=max&auto=format&n=StrsP_UqTvabul7-&q=85&s=1255a5a9e3f786f5957e05722a56f870" alt="Configure Cloud Environment with Private Gateway" width="1722" height="1812" data-path="media/cloud-environment-private-gateway.png" />
  </Tab>

  <Tab title="snctl">
    When [creating a BYOC Cloud Environment](/cloud/clusters/byoc/create-cloud-environment#create-a-cloud-environment-with-snctl) with `snctl`, you need to set `spec.defaultGateway.access` to `private` and add the AWS Account ID where your application VPC is located to the `spec.defaultGateway.privateService.allowedIds` field when you prepare the YAML manifest file for the Cloud Environment. The example YAML manifest file is as follows:

    ```yaml theme={null}
    apiVersion: cloud.streamnative.io/v1alpha1
    kind: CloudEnvironment
    metadata:
      name: <your-cloud-environment-name>
      namespace: <your-namespace>
    spec:
      cloudConnectionName: <your-aws-connection-name>
      defaultGateway:
        # Set the default gateway type to private
        access: private
        privateService:
          # Add the AWS Account ID where your application VPC is located
          allowedIds:
            - <your-aws-account-id>
      network:
        cidr: <your-cidr>
      region: <your-region>
    # ...
    ```
  </Tab>

  <Tab title="Terraform">
    When [creating a BYOC Cloud Environment](/cloud/clusters/byoc/create-cloud-environment#create-a-cloud-environment-with-terraform) with Terraform, you need to set `default_gateway.access` to `private` and add the AWS Account ID where your application VPC is located to the `default_gateway.private_service.allowed_ids` field when you prepare the Terraform configuration file. The example Terraform configuration file is as follows:

    ```hcl theme={null}
    resource "streamnative_cloud_environment" "your_environment" {
      organization          = "<your-organization-id>"
      region                = "<your-region>"
      cloud_connection_name = "<your-byoc-cloud-connection-name>"
      environment_type      = "production"

      network {
        cidr = "<your-cidr>"
      }
      default_gateway {
        # Set the default gateway type to private
        access = "private"
        private_service {
          # Add the AWS Account ID where your application VPC is located
          allowed_ids = ["<your-aws-account-id>"]
        }
      }
    }
    ```
  </Tab>
</Tabs>

## Get the VPC Endpoint Service Name

Before you can provision PrivateLink endpoints in your AWS account, you need to get the VPC Endpoint Service Name of your BYOC Cluster. You can get the **VPC Endpoint Service Name** from the StreamNative Cloud Console or `snctl`.

<Tabs>
  <Tab title="Console">
    1. Navigate to the **Cloud Environments** page in the StreamNative Cloud Console.

    2. Find the BYOC Cloud Environment that you want to set up PrivateLink for.

    3. Find the **VPC Endpoint Service Name** under the **Default gateway** column and click the copy icon to copy the value.
  </Tab>

  <Tab title="snctl">
    You can get the **VPC Endpoint Service Name** of your BYOC Cluster by running the following `snctl` command:

    ```bash theme={null}
    snctl get cloudenvironment -O <your-organization-id> <your-cloud-environment-name> --output jsonpath='{.status.defaultGateway.privateServiceIds}'
    ```

    The output looks like the following:

    ```
    [{"id":"<vpc-endpoint-service-name>"}]
    ```

    Copy the value of the `id` field, which is the **VPC Endpoint Service Name** of your BYOC Cluster.
  </Tab>
</Tabs>

## Provision PrivateLink endpoints in AWS

After your BYOC Cloud Environment is ready, you can create the StreamNative [Instance](/cloud/clusters/manage-instances/instance) and [Cluster](/cloud/clusters/manage-clusters/cluster). The cluster will expose its services through the private gateway. To access these services, you'll need to provision a VPC private endpoint in your application VPC within your AWS account. This endpoint will establish the AWS PrivateLink connection to your StreamNative BYOC cluster.

For the current process to create VPC private endpoints, refer to [Create a VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws).

<Note title="Note">
  StreamNative recommends using a [Terraform module](https://github.com/streamnative/terraform-managed-cloud/tree/main/modules/aws/private-link) for setting up Private Link endpoints. This configuration automates the manual steps described below.
</Note>

<Tabs>
  <Tab title="AWS Console">

    1. Open the [AWS VPC Console](https://console.aws.amazon.com/vpc/home) and browse to the VPC you want to use for the PrivateLink connection.

    2. Verify subnet availability in your AWS VPC, and confirm the selected subnets match the availability zones of StreamNative BYOC Clusters that you created in the previous steps.

    <Note title="Important">
      The zones of the StreamNative BYOC VPC and cluster must match the zones of the VPC you want to make the AWS PrivateLink connections from. Have matching subnets in your VPC for those zones so that IP addresses can be allocated from them.
    </Note>

    3. Verify that **Enable DNS resolution** and **Enable DNS hostnames** are enabled.

       If the settings are not enabled, click **Actions > VPC settings**, and enable **Enable DNS resolution** and **Enable DNS hostnames** settings.

    4. Create or edit a security group you want to use for the new VPC endpoint.

       * Add four inbound rules, one for each of ports `443`, `6651`, `9093`, and `8883`, from your desired source (your VPC CIDR). The **Protocol** should be **TCP** for all four rules.

    5. Create a VPC endpoint.

       1. In the navigation menu under **Virtual Private Cloud**, click **Endpoints**.

       2. Click **Create endpoint**, and specify the following settings for the endpoint:

          * **Service category**: Select **Endpoint services that use NLBs and GWLBs**.

          * **Service settings**: In **Service name**, enter the **VPC Endpoint Service Name** of your BYOC Cluster that you noted in [Get the VPC Endpoint Service Name](#get-vpc-endpoint-service-name).

            Click **Verify service**. If you get an error, ensure that your account is allowed to create PrivateLink connections.

          * **VPC**: Select the VPC in which to create your endpoint.

          * **Subnets**: Select the subnet for the availability zones for your BYOC Cluster.

            Ensure that the desired subnet is selected for each zone. By default, a BYOC cluster is a regional cluster, which means it spans all availability zones in the region. Make sure to add all availability zones of that region to the subnets. Failure to add all zones of your BYOC cluster can cause connectivity issues to brokers in the omitted zones, resulting in an unusable cluster.

          * **Security groups**: Select the security group that you previously created or edited.

          * **Enable Private DNS name**: Make sure you check the box for **Enable Private DNS name**. This step is required to ensure that the private DNS name for the service resolves to the endpoint's private IP address. The private DNS name is automatically associated with the endpoint in your VPC.

       3. Click **Create endpoint**.

          Your VPC endpoint is created and displayed. Because your application AWS account was already added to the allowed IDs list when you created your BYOC Cloud Environment, the PrivateLink connection is established automatically without a manual acceptance step.
  </Tab>

  <Tab title="Terraform">
    You can use the [Terraform module](https://github.com/streamnative/terraform-managed-cloud/tree/main/modules/aws/private-link) to set up Private Link endpoints.

    Before you start, make sure you already have the **VPC Endpoint Service Name** of your BYOC Cluster from the previous step.

    Below is an example Terraform configuration file:

    ```hcl theme={null}
    module "aws_private_link" {
      source = "github.com/streamnative/terraform-managed-cloud//modules/aws/private-link?ref=main"

      region       = "<the region of VPC Endpoint Service>"
      vpc_id       = "<the VPC ID where the PrivateLink endpoint will be created>"
      subnet_ids   = ["<the subnet IDs in which to create the network interface for this endpoint>"]
      service_name = "<the VPC Endpoint Service Name of your BYOC Cluster>"
    }
    ```
  </Tab>
</Tabs>
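The checks a practitioner would run before clicking **Create endpoint**, as an added example that is not StreamNative's or AWS's code: it encodes this page's four TCP ports, the two VPC DNS attributes, the rule that every cluster zone needs a selected subnet, and the private DNS setting as an offline preflight over constructed sample data (the dict shapes are assumptions, not AWS API output).

```python
# Offline preflight check for the VPC endpoint settings listed above. Inputs are
# plain dicts shaped like fields of `aws ec2 describe-*` output (an assumption;
# fill them from real calls in practice). The sample values below are constructed.
from ipaddress import ip_network

REQUIRED_PORTS = {443, 6651, 9093, 8883}  # inbound TCP ports the page lists

def missing_ports(sg_rules, vpc_cidr):
    """Required ports with no inbound TCP rule whose source covers the VPC CIDR."""
    vpc = ip_network(vpc_cidr)
    covered = set()
    for rule in sg_rules:
        if rule["protocol"] != "tcp":
            continue
        if any(vpc.subnet_of(ip_network(src)) for src in rule["cidrs"]):
            covered.update(range(rule["from_port"], rule["to_port"] + 1))
    return sorted(REQUIRED_PORTS - covered)

def uncovered_zones(cluster_zones, subnets):
    """Cluster AZs with no selected subnet; brokers there would be unreachable."""
    return sorted(set(cluster_zones) - {s["az"] for s in subnets})

def preflight(vpc, sg_rules, subnets, cluster_zones, endpoint):
    """Return human-readable problems; an empty list means ready to create."""
    problems = []
    if not vpc["enable_dns_support"]:
        problems.append("VPC: 'Enable DNS resolution' is off")
    if not vpc["enable_dns_hostnames"]:
        problems.append("VPC: 'Enable DNS hostnames' is off")
    ports = missing_ports(sg_rules, vpc["cidr"])
    if ports:
        problems.append(f"security group: no TCP rule from {vpc['cidr']} for ports {ports}")
    zones = uncovered_zones(cluster_zones, subnets)
    if zones:
        problems.append(f"subnets: no subnet selected in cluster zones {zones}")
    if not endpoint["private_dns_enabled"]:
        problems.append("endpoint: 'Enable Private DNS name' is unchecked")
    return problems

# Constructed sample: DNS hostnames off, port 8883 missing, zone us-east-1c missing.
SAMPLE_VPC = {"cidr": "10.20.0.0/16", "enable_dns_support": True, "enable_dns_hostnames": False}
SAMPLE_RULES = [{"protocol": "tcp", "from_port": p, "to_port": p, "cidrs": ["10.20.0.0/16"]}
                for p in (443, 6651, 9093)]
SAMPLE_SUBNETS = [{"az": "us-east-1a"}, {"az": "us-east-1b"}]
CLUSTER_ZONES = ["us-east-1a", "us-east-1b", "us-east-1c"]
SAMPLE_ENDPOINT = {"private_dns_enabled": True}

for problem in preflight(SAMPLE_VPC, SAMPLE_RULES, SAMPLE_SUBNETS, CLUSTER_ZONES, SAMPLE_ENDPOINT):
    print("FAIL:", problem)
```

On the sample data the check reports three problems; the missing zone is the one most often overlooked, since the endpoint still creates successfully and only the brokers in that zone become unreachable.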

At this point, your cluster is ready to accept connections from your application VPC over PrivateLink. If you encounter any problem, you can reach out to [StreamNative Support](https://support.streamnative.io/) for help.
