Security and Encryption
- All connections are automatically encrypted using TLS/SSL
- For AWS PrivateLink connections:
  - Data in transit is encrypted using AWS internal network encryption
  - Any data stored in S3 is encrypted at rest using AWS default encryption keys
  - EBS volumes are encrypted using KMS managed keys with automatic key rotation
Prerequisites
When setting up AWS PrivateLink services, do not use the AWS account root user. Always use IAM users or roles with appropriate permissions following AWS security best practices.
- See Choose a project plan for more information. Please note that Trial projects do not support PrivateLink connections.
- The VPC you want to connect to and your project must be in the same region. If your preferred region is not available when creating a project, contact our support team or sales team.
- For AWS, see Share your services through AWS PrivateLink.
- For GCP, see GCP Published services.
- For Azure, see Azure Private Link services.
Create PrivateLink connection
- Go to the Project page and select the project you want to connect the VPC to.
- Select the PrivateLink tab, and click Create PrivateLink.
- For Name, enter a descriptive name for the connection.
- For Endpoint service name or Service attachment or Private link service resource ID:
  - If you choose AWS as the platform, enter the service name of the endpoint service. You can find it in the Amazon VPC Console → Endpoint services → Service name section.
  - If you choose GCP as the platform, enter the server target URL of the service attachment. You can find it in the Google Cloud Console → Network services → Private Service Connect.
  - If you choose Azure as the platform, enter the Private link service resource ID. You can find it in the Azure Portal → Private link service section.
- Click Confirm to create the connection.
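A pre-flight check for the value pasted into that field, as an added example that is not part of the RisingWave documentation or product: it validates the identifier's shape for the chosen platform and, where the identifier carries a region, compares it with the project region required by the prerequisites. The function name `check_identifier`, the sample values, and the assumption that the GCP value takes the `projects/.../regions/.../serviceAttachments/...` form are introduced here for illustration.

```python
import re

# Identifier shapes as each provider issues them. The Azure resource ID
# carries no region, so the same-region prerequisite cannot be checked for it.
PATTERNS = {
    "aws": re.compile(
        r"^com\.amazonaws\.vpce\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+)"
        r"\.vpce-svc-[0-9a-f]+$"),
    "gcp": re.compile(
        r"^projects/[^/]+/regions/(?P<region>[a-z]+-[a-z]+\d+)"
        r"/serviceAttachments/[^/]+$"),
    "azure": re.compile(
        r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers"
        r"/Microsoft\.Network/privateLinkServices/[^/]+$", re.IGNORECASE),
}

def check_identifier(platform, identifier, project_region=None):
    """Return a list of problems; an empty list means the value looks usable."""
    pattern = PATTERNS.get(platform.lower())
    if pattern is None:
        return [f"unknown platform: {platform!r}"]
    value = identifier.strip()
    match = pattern.match(value)
    if match is None:
        if platform.lower() == "aws" and value.startswith("vpce-svc-"):
            return ["this is the service ID; paste the full service name"]
        return [f"not a {platform} service identifier: {value!r}"]
    region = match.groupdict().get("region")
    if project_region and region and region != project_region:
        return [f"service is in {region} but the project is in {project_region}"]
    return []

if __name__ == "__main__":
    # Constructed sample values, not real resources.
    samples = [
        ("aws", "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0", "us-east-1"),
        ("aws", "vpce-svc-0123456789abcdef0", "us-east-1"),
        ("gcp", "projects/demo-proj/regions/us-central1/serviceAttachments/kafka-sa", "us-east1"),
        ("azure", "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-rg"
                  "/providers/Microsoft.Network/privateLinkServices/demo-pls", None),
    ]
    for platform, value, region in samples:
        print(platform, check_identifier(platform, value, region) or "ok")
```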
For inquiries about PrivateLink for Confluent private Kafka clusters, please reach out to our support team first. We will handle these manual steps:
- Before provisioning a RisingWave PrivateLink, ensure the cluster’s Availability Zones (AZs) are a subset of the AZs offered by RisingWave.
- Manually add DNS records after provisioning the PrivateLink.
Create source/sink with PrivateLink
Now, you can create a source or sink with the PrivateLink connection using SQL. For details on how to use the VPC endpoint to create a source with the PrivateLink connection, see Create source with PrivateLink connection; for creating a sink, see Create sink with PrivateLink connection.
Drop PrivateLink connection
When you no longer need a connection:
- Go to the Connection page and click Create PrivateLink.
- Hover over the connection you want to drop and click the delete button, then confirm the deletion.