AWS PrivateLink only connects VPCs located in the same AWS region. You can still
enable a multi-region use case by implementing cross-region VPC peering, also referred to as
inter-region VPC peering in the AWS documentation.
This implementation lets you use Talend services from regions not yet covered by Talend while keeping a strong security posture: traffic stays on the AWS private network end to end and never transits the public Internet.
This page from the AWS documentation explains how VPC
peering and PrivateLink connections work with AWS. These explanations can help you form a
global picture of the operations presented in this section.
Procedure
- If not done yet, create an AWS VPC in the region where Talend
  operates. This VPC can be empty, because it is used only as a proxy to route traffic
  unaltered to Talend Cloud
  from your VPC in the regions not yet covered by Talend.
- As described in the AWS documentation about creating a VPC peering connection
  with a VPC in a different region, enable VPC peering to this proxy VPC (illustrated
  as Consumer VPC 2 in the following diagram).
  (Diagram: inter-region VPC peering between your VPC and the proxy VPC, shown as Consumer VPC 2, which is connected to Talend Cloud through PrivateLink.)
- Use either of the following approaches to configure DNS for VPC peering. For
  the technical details of this configuration, contact the network administration team of
  your organization.
  - Route 53 private hosted zone:
    - In Amazon Route 53, create a private hosted zone overlapping the Talend Cloud domains, <env>.cloud.talend.com. For example, name your
      private hosted zone eu.cloud.talend.com. This
      is the destination domain to which you need to route traffic.
    - Associate this zone with your VPCs in the regions not covered. The
      following image presents an example of the creation of this private
      hosted zone.
    - In this private hosted zone, create a wildcard (*) record of type A
      (meaning an Alias record) to match all the hostnames of a given Talend environment. For example, the record name could be
      *.eu.cloud.talend.com.
    - In the field for the resource you want to route traffic to, specify the
      private IP address of the PrivateLink endpoint.
    This AWS documentation about an AWS private hosted zone
    explains each of the operations above.
  - Route 53 Resolver: use a Route 53 Resolver to direct the traffic over the PrivateLink connections,
    that is, add the destination domain of the traffic to this resolver,
    for example, *.eu.cloud.talend.com.
    When you create a VPC, a Route 53 Resolver is always automatically created on
    this VPC. This resolver lets you add destination domains for which it answers DNS
    queries.
    In the current example, the VPC to be connected cross-regionally to Talend is located in the Europe (Ireland) [eu-west-1] AWS region. Once you add
    *.eu.cloud.talend.com to its resolver, the DNS
    queries for that domain are forwarded to the proxy VPC in the EU Central region, to which
    Talend Cloud is connected via PrivateLink.
    For further information about Route 53 Resolver, see https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html in the AWS documentation.
- Proceed to the following section to activate the PrivateLink
  connections.