|
1 |
| -= Private connectivity |
| 1 | += Private connectivity for {product} |
| 2 | +:navtitle: Private connectivity |
2 | 3 |
|
3 |
| -To better protect your streaming connections, connect {product} to a private link service for <<inbound,inbound>> connectivity, or to a private endpoint for <<outbound,outbound>> connectivity. |
| 4 | +By default, {product} shared clusters and Streaming Capacity Units use secure connections over the public internet. |
4 | 5 |
|
5 |
| -Private connections are only available within the same cloud provider and region as your {product} cluster. |
| 6 | +With Streaming Capacity Units, you have the option to connect your {product} clusters to a private link service for inbound connections or to a private endpoint for outbound connections. |
6 | 7 |
|
7 |
| -== Enable private links |
| 8 | +== Private connection requirements |
8 | 9 |
|
9 |
| -To enable a private link service or private endpoint for {product}, contact {support_url}[{company} Support]. |
10 |
| -Be prepared to provide the <<credentials,credentials>> required for your cloud provider. |
| 10 | +* Private connections are only available for Streaming Capacity Units. |
| 11 | +This option isn't available for shared clusters. |
11 | 12 |
|
12 |
| -== Inbound traffic |
| 13 | +* Your private link service or private endpoint must exist in the same cloud provider and region as your {product} cluster. |
| 14 | ++ |
| 15 | +If you want to use private connections for multiple clusters or tenants, you must prepare at least one private link service or private endpoint in each applicable cloud provider and region. |
13 | 16 |
|
14 |
| -{product} supports inbound traffic flowing from your private endpoint to {product}. |
| 17 | +* {product} supports https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html[AWS Private Link], https://learn.microsoft.com/en-us/azure/private-link/private-link-overview[Microsoft Azure Private Link], and https://cloud.google.com/vpc/docs/private-service-connect[Google Cloud Private Service Connect]. |
15 | 18 |
|
16 |
| -The first inbound traffic pattern describes {pulsar-reg}, Apache Kafka(R), and RabbitMQ messaging traffic, as well as Prometheus metrics traffic, flowing from a user's private endpoint to {product}. |
| 19 | +== Enable private connections |
| 20 | + |
| 21 | +To use a private link service or private endpoint for {product}, do the following: |
| 22 | + |
| 23 | +. Get the name of the {product} clusters where you want to enable private connectivity. |
| 24 | ++ |
| 25 | +In the {astra-ui-link}, click *Streaming*, and then find cluster names in the *Tenants* list. |
| 26 | + |
| 27 | +. Get your cloud provider resource identifier: |
| 28 | ++ |
| 29 | +* https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html[AWS Private Link]: AWS account numbers |
| 30 | +* https://learn.microsoft.com/en-us/azure/private-link/private-link-overview[Microsoft Azure Private Link]: Azure subscription IDs |
| 31 | +* https://cloud.google.com/vpc/docs/private-service-connect[Google Cloud Private Service Connect]: GCP project IDs |
| 32 | + |
| 33 | +. Contact {support_url}[{company} Support] to request private connectivity for {product}. |
| 34 | + |
| 35 | +=== Private connections for inbound traffic |
| 36 | + |
| 37 | +{product} supports private inbound traffic flowing from your private endpoint to {product}. |
| 38 | +Inbound traffic includes {pulsar-reg}, Apache Kafka(R), and RabbitMQ messaging traffic, as well as Prometheus metrics traffic. |
17 | 39 |
|
18 | 40 | You create a connection to the {company} private link service, and then {company} routes traffic to your {product} Streaming Capacity Units.
|
| 41 | + |
19 | 42 | If you have multiple tenants, they can have different VPCs.
|
20 | 43 | Each VPC will have the same private FQDN with different VNETs.
|
21 | 44 | The traffic on separate private end point connections is isolated until it reaches the {company} load balancer.
|
22 | 45 |
|
23 |
| -The private link service pattern is the same across cloud providers, but the hostname depends on your cloud provider and region: |
| 46 | +The private link service pattern is the same across cloud providers, but the hostname depends on your {product} cluster's cloud provider and region: |
24 | 47 |
|
25 |
| -[#inbound] |
26 | 48 | .Inbound private link service endpoints
|
27 | 49 | [cols="1,3"]
|
28 | 50 | |===
|
29 | 51 | |Service |Endpoint pattern
|
30 | 52 |
|
31 |
| -|{pulsar-short} Messaging |
32 |
| -|`pulsar-azure-eastus.private.streaming.datastax.com:6651` |
| 53 | +|{pulsar-short} messaging |
| 54 | +|`pulsar-**PROVIDER**-**REGION**.private.streaming.datastax.com:6651` |
33 | 55 |
|
34 |
| -|Kafka Messaging |
35 |
| -|`kafka-azure-eastus.private.streaming.datastax.com:9093` |
| 56 | +|Kafka messaging |
| 57 | +|`kafka-**PROVIDER**-**REGION**.private.streaming.datastax.com:9093` |
36 | 58 |
|
37 |
| -|RabbitMQ Messaging |
38 |
| -|`rabbitmq-azure-eastus.private.streaming.datastax.com` |
| 59 | +|RabbitMQ messaging |
| 60 | +|`rabbitmq-**PROVIDER**-**REGION**.private.streaming.datastax.com` |
39 | 61 |
|
40 |
| -|Prometheus Metrics |
41 |
| -|`prometheus-azure-eastus.private.streaming.datastax.com` |
| 62 | +|Prometheus metrics |
| 63 | +|`prometheus-**PROVIDER**-**REGION**.private.streaming.datastax.com` |
42 | 64 | |===
|
43 | 65 |
|
44 |
| -[#outbound] |
45 |
| -== Outbound traffic |
| 66 | +=== Private connections for outbound traffic |
46 | 67 |
|
47 |
| -On a case-by-case basis, {product} can support private outbound traffic flowing from {product} to your private endpoint. |
| 68 | +On a case-by-case basis, {product} can support private outbound traffic flowing from a {product} private endpoint to your private link service. |
48 | 69 |
|
49 |
| -The outbound traffic pattern creates a private endpoint in {product} that connects to your private link service. |
50 | 70 | {company} opens a port on the tenant's firewall to allow connectors and functions running in a dedicated namespace on an {product} cluster to connect to your private network.
|
51 |
| -Each tenant has its own firewall. |
52 |
| - |
53 |
| -[#credentials] |
54 |
| -== Cloud provider credentials |
55 |
| - |
56 |
| -Each cloud provider requires specific credentials to connect to a private endpoint. |
57 |
| -For information about private link configuration and credentials, see your cloud provider's documentation. |
58 |
| - |
59 |
| -.Private link credentials and documentation |
60 |
| -[cols="1,1,3"] |
61 |
| -|=== |
62 |
| -|Cloud provider |Credentials required |Documentation |
63 |
| - |
64 |
| -|AWS |
65 |
| -|AWS account numbers |
66 |
| -|https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service.html[AWS Private Link] |
67 |
| - |
68 |
| -|Microsoft Azure |
69 |
| -|Azure subscription IDs |
70 |
| -|https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal?tabs=dynamic-ip[Azure Private Link] |
71 |
| - |
72 |
| -|Google Cloud |
73 |
| -|GCP project IDs |
74 |
| -|https://console.cloud.google.com/net-services/psc/[Google Cloud Private Service Connect] |
75 |
| -|=== |
| 71 | +Each tenant has its own firewall. |