AWS PrivateLink is a secure and scalable networking technology that enables private connectivity between Virtual Private Clouds (VPCs), AWS services, and on-premises applications, without exposing traffic to the public internet. By leveraging PrivateLink, organizations can simplify their network architecture, reduce data exposure risks, and ensure secure communication between services.

With PrivateLink, services are exposed as private endpoints within a VPC, allowing consumers to connect to them using private IP addresses. This minimizes the need for complex networking configurations like VPC peering or VPNs, and reduces the risk of data leakage by keeping traffic within the AWS network.

In the context of our integration, AWS PrivateLink enables Elementary Cloud to securely and privately communicate with supported services, ensuring data privacy, compliance, and a streamlined user experience. We support cross-region PrivateLink and can connect to any region where your cloud is hosted, using VPC peering to link different regions to our production environment securely. Elementary Data maintains a global network of regional VPCs designed for PrivateLink, with strict security controls.

Architecture overview

Elementary’s PrivateLink setup generally consists of two parts:
  1. AWS PrivateLink connection:
    1. Provider side (Customer / 3rd party) - A VPC endpoint service is set up at the customer’s AWS account (or a 3rd party AWS account in the case of Snowflake). This provides access to a particular service in that account.
    2. Consumer side (Elementary) - Elementary sets up a dedicated VPC interface that will connect to the integrated service, in the same AWS region as the service. This is done through a dedicated regional VPC created for this purpose.
  2. AWS VPC Peering:
    1. Elementary’s production servers are located in the eu-central-1 (Frankfurt) region. For us to be able to access the service exposed through PrivateLink, we connect our main production VPC with the regional VPC mentioned above.

Supported integrations

Snowflake

Snowflake has support for connecting to AWS-hosted Snowflake accounts via PrivateLink. This setup is entirely managed by Snowflake, so Elementary connects with an endpoint service hosted on Snowflake’s AWS account for this purpose. In order to set up a PrivateLink connection with Snowflake, please follow the steps below:
  1. Open a support case with Snowflake Support
    1. Ask to authorize Elementary’s AWS account for PrivateLink access.
    2. Provide Elementary’s account ID in the request - 743289191656
  2. Obtain the PrivateLink configuration
    1. Once Snowflake’s support team approves the request, obtain the PrivateLink configuration by invoking the following commands (admin access is required):
      USE ROLE ACCOUNTADMIN;
      SELECT SYSTEM$GET_PRIVATELINK_CONFIG();
      
  3. Provide Elementary with the configuration obtained in the previous step.
    1. Elementary will then set up the required infrastructure to connect to Snowflake via PrivateLink.
  4. Add a Snowflake environment in Elementary
    1. Follow the instructions here to set up a Snowflake environment in Elementary.
      1. When supplying the account, use <account_identifier>.privatelink, where the account identifier is the result of the following query:
        SELECT CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT_NAME();
        
      2. In the Snowflake instructions, under the Add the Elementary IP to allowlist section, please add the following private subnets instead of the IP mentioned there:
        • 10.0.1.x
        • 10.0.2.x
        • 10.0.3.x
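
The Snowflake-side steps above, collected into one worksheet with a check that Elementary's logins really arrive from the private subnets. This is an added example, not Elementary's or Snowflake's own script. It assumes a user named ELEMENTARY and a policy named elementary_privatelink_only (both hypothetical), and it reads "10.0.N.x" as a /24 block; confirm the exact ranges with Elementary.

```sql
-- Added example. ELEMENTARY and elementary_privatelink_only are hypothetical names.
USE ROLE ACCOUNTADMIN;

-- Step 2: configuration JSON to hand to Elementary once Snowflake Support
-- has authorized Elementary's AWS account.
SELECT SYSTEM$GET_PRIVATELINK_CONFIG();

-- Step 4.1: the value to enter as the account in Elementary.
SELECT CURRENT_ORGANIZATION_NAME() || '-' || CURRENT_ACCOUNT_NAME() || '.privatelink'
       AS elementary_account_value;

-- Step 4.2: allowlist only the private subnets for the Elementary user.
-- Assumption: each "10.0.N.x" range on this page is the /24 block 10.0.N.0/24.
CREATE NETWORK POLICY elementary_privatelink_only
  ALLOWED_IP_LIST = ('10.0.1.0/24', '10.0.2.0/24', '10.0.3.0/24')
  COMMENT = 'Elementary Cloud over AWS PrivateLink';

-- A user-level policy leaves the account-wide policy for other users untouched.
ALTER USER ELEMENTARY SET NETWORK_POLICY = elementary_privatelink_only;

-- Verification: login attempts by the Elementary user from any address
-- outside the three private subnets during the last 7 days.
-- An empty result means every attempt came in over PrivateLink; rows with
-- is_success = 'NO' are attempts from elsewhere that did not succeed.
-- ACCOUNT_USAGE views lag behind real time, so re-run after a few hours.
SELECT event_timestamp,
       user_name,
       client_ip,
       is_success,
       error_message
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE user_name = 'ELEMENTARY'
  AND event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND NOT (client_ip LIKE '10.0.1.%'
        OR client_ip LIKE '10.0.2.%'
        OR client_ip LIKE '10.0.3.%')
ORDER BY event_timestamp DESC;
```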

Databricks

Databricks has support for connecting to AWS-hosted Databricks workspaces via PrivateLink. This setup is entirely managed by Databricks, so Elementary connects with an endpoint service hosted on Databricks’ AWS account for this purpose.
Note:
  1. You must be a Databricks account admin to perform this setup.
  2. Your Databricks workspace must be deployed on a customer-managed VPC. PrivateLink is not supported with Databricks-managed VPCs.
In order to set up a PrivateLink connection with Databricks, please follow the steps below:
  1. Please provide Elementary with the following details:
    • Your Databricks workspace URL.
    • Your AWS account ID.
    • Your AWS region.
    Elementary will then provide you with a VPC Endpoint ID that will be used in the next step.
  2. Register your VPC endpoint
    In the account management portal (not your workspace), go to Security -> Networking -> VPC Endpoints, then click on the “Register VPC Endpoint” button. You should fill in:
    1. A name for the VPC endpoint - e.g. “Elementary”.
    2. Your AWS region.
    3. The VPC Endpoint ID provided to you by Elementary.
  3. Configure a private access setting
    Go to Security -> Private Access Settings.
    • If you’ve set up PrivateLink with your Databricks instance before, you should already have a private access setting configured. In that case, please ensure that the endpoint allows access to the VPC endpoint created in step (2).
    • If this is the first time you are setting up PrivateLink for your Databricks workspace:
      • Click on “Add private access config”.
      • Please fill in the following details:
        • A name for your setting: e.g. “PrivateLink settings”
        • Your AWS region
        • Whether or not to allow public access - only set this as False if all your systems and users access your Databricks workspace through PrivateLink.
        • Private access level - either leave as “Account”, or allow-list specific VPCs including the Elementary VPC created in the previous step.
  4. Add the private access setting to your Databricks workspace
    Note: If you have already set up PrivateLink with Databricks in the past, you can skip this step.
    Under the Databricks account management portal, go to Workspaces, click on your workspace and then on “Update Workspace”. Then go to “Advanced Configurations”, and under “Private Link”, please attach the setting created in the previous step.
  5. Add a Databricks environment in Elementary
    After all the previous steps are completed, please reach out to the Elementary team to verify that your Databricks cluster is accessible via PrivateLink. Once verified, please add a Databricks environment to Elementary by following this guide. Under the Add the Elementary IP to allowlist section, please add the following private subnets instead of the IP mentioned there:
    • 10.0.1.x
    • 10.0.2.x
    • 10.0.3.x

GitHub Enterprise Server

Coming soon!