# PrivateLink

PrivateLink enables the proprietary network VPC where the EMQX Cloud deployment is located to establish a secure and stable private connection to services on the public cloud. It simplifies the network architecture, enables private access to services, and avoids the potential security risks associated with accessing services over the public network.

In the private connection, the EMQX Cloud deployment VPC acts as the service user and requests the VPC where the user's resources are located in the cloud service provider, i.e., the service provider.

# Before you begin

When creating Endpoint Service in AWS, the LB Availability Zone AZ ID (opens new window) created should be identical to that in the EMQX Cloud deployment. To get the AZ ID in EMQX cloud:

Login to EMQX Cloud Console (opens new window), go to the desired deployment creation details, and click the +PrivateLink button to get the deployment availability zone.


Before you can configure PrivateLink, you need to complete the following prerequisite steps on the AWS platform.

  1. Register an AWS account and enable the PrivateLink service

  2. Create an instance and VPC

  3. Create a target group for load balancing

    On Basic configuration, set the Target group name, Protocol (TCP) and Port.


    On Health checks, set the Override port, and for the rest, you can keep the default setting or set as your business needs. lb

    Then register target group and create instance. lb

  4. Create and configure the Load Balancer with the AZ ID you obtained from EMQX Cloud Console.

    Select the type of load balancing as Network Load Balancer. lb

    Select the schema type as internal to facilitate requests to private IP addresses. lb

    Select the TCP protocol, fill in the listening port and the corresponding target group. lb

    After creating the load balancer, check whether the listening port status of the target group is healthy. lb

  5. Create an endpoint service

    Find the Endpoint Services in the left menu bar of your AWS account and click Create. The load balancer type is Network, select the load balancer created in the previous step. endpoint service

    In the additional settings, select the IP address type as IPV4. endpoint service

    Once created, you will get the endpoint service name. endpoint service

    You can refer to AWS Help (opens new window) to complete the above configuration.

  1. After getting the AWS ARN where the deployment is located in EMQX Cloud console, add it to the allowed principals entry of your AWS Platform-Endpoint Service.


    Once added, click Allow principals and go to the next step.

  2. Locate the Endpoint service on your AWS platform, copy the service name, fill it to the EMQX Cloud Endpoint service name, and click Create PrivateLink.


  3. Once completed, find the Endpoint Service - Endpoint Connection in your AWS platform and click Accept Endpoint Connection Request.


  4. Wait for a while and check the status of the PrivateLink in the deployment details, running means it has been created successfully. Copy the Address for the next data integration-resource configuration.


  5. Click the Data Integration menu on the left, find the resource type, fill in the Server on the New Resource page with the private connection service connection domain and port, databse and user infomation,click Test, and the resource will be available.


To remove the private connection, you need to ensure that the PrivateLink status is running.

  • If you need to remove the PrivateLink service from your AWS platform, please remove the PrivateLink from EMQX Cloud console first, otherwise it will cause PrivateLink status of the deployment to be failed.
  • Please ensure that there are no associated resources in the deployment before removing the PrivateLink, otherwise it will lead to unpredictable risks.
  1. Go to Deployment Details

  2. Click on the Delete button to the right of the PrivateLink and click on Confirm to complete the deletion.


What’s on this page