Private Networking Support
Immuta SaaS supports two different kinds of private networking:
Data connection private networking: Enables private connectivity from the Immuta SaaS network and a user's data platforms or private APIs over either AWS PrivateLink or Azure Private Link. This is useful for organizations with security and compliance policies that require that their data platforms and APIs are not routable over the public internet (even with a firewall in place).
Governance private networking: Enables private connectivity from a user's network to an Immuta tenant for the Governance app. It requires Governance users to connect over a private endpoint. This is useful for organizations with security and compliance policies that require that the SaaS applications they use are not publicly accessible.
A simple way to understand the difference between these two features: Data connection private networking is outbound from Immuta to an organization's data sources, where the organization creates the private service endpoint for Immuta SaaS to connect to. Governance private networking is inbound to Immuta from an organization's networks, where Immuta creates the private service endpoint for users to connect to.
Having one type of private networking enabled does not mean that the other is configured automatically. The two features perform different operations and use different networking interfaces that are configured independently.
Although AWS PrivateLink and Azure Private Link differ in their implementation details, they are fundamentally similar offerings. Organizations can expose private services on AWS or Azure networks that Immuta SaaS can establish a connection to. How this is done can vary significantly by both data platform and hosting cloud provider, which is why this documentation has been broken down into specific instructions for each combination in the support matrix below.
Amazon S3: N/A
AWS Lake Formation: N/A
Azure Synapse Analytics: N/A
Not yet supported
Over time, the breadth and depth of private networking support will continue to grow. If there are specific data platforms and/or cloud providers that you require, which are either not listed or not yet supported, please contact your Immuta representative.
Occasionally, it may be required to connect to data sources outside of a specific region. To meet those needs, Immuta SaaS supports both cross-region and cross-global-segment connectivity.
Cross-region connectivity involves connecting to data sources in a different region within a given global segment.
Examples
A tenant in us-east-1 needs to connect to a Snowflake account in AWS's us-east-2 region.
A tenant in us-west-2 needs to connect to an Azure Databricks workspace in the westus2 region.
Cross-global-segment connectivity involves connecting to data sources in a region outside of the tenant's global segment.
Examples
A tenant in the EU Global Segment needs to connect to a Snowflake account in us-east-2.
A tenant in the AP Global Segment needs to connect to a Starburst instance hosted in Azure's eastus2 region.
The fundamental mechanism that underlies governance private networking is an Immuta SaaS private endpoint service (e.g. an Amazon VPC endpoint service) which organizations can establish a connection to via a private endpoint (e.g. an Amazon VPC endpoint).
Once the endpoint-service connection is established, organizations then configure DNS resolution in their network to resolve their governance private FQDN (e.g. <tenant>.privatelink.immutacloud.com) to their private endpoint. Organizations can continue to access their Immuta SaaS tenants using their standard governance FQDN (e.g. <tenant>.hosted.immutacloud.com), which will now automatically resolve to their private FQDN.
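To confirm that a tenant's governance FQDN really resolves through the private endpoint rather than a public path, here is an added Python check (not Immuta's own tooling). It assumes the FQDN patterns above, that the private endpoint sits in an RFC 1918 range, and takes resolver callbacks so it runs offline against constructed answers.

```python
"""Verify that an Immuta governance FQDN resolves through a private endpoint.

Added example, not Immuta's own tooling. The FQDN patterns come from the page;
resolver callbacks are injected so the check runs offline against constructed
answers (wire them to a real resolver such as dnspython in practice).
"""
import ipaddress
from typing import Callable, Dict, List, Optional

PUBLIC_SUFFIX = ".hosted.immutacloud.com"
PRIVATE_SUFFIX = ".privatelink.immutacloud.com"
# Assumption: the private endpoint lives in an RFC 1918 range (typical VPC/VNet).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

CnameFn = Callable[[str], Optional[str]]   # name -> CNAME target, or None
AddrFn = Callable[[str], List[str]]        # name -> list of A-record strings


def check_governance_dns(tenant: str, cname: CnameFn, addrs: AddrFn) -> Dict[str, object]:
    """Expected chain: <tenant>.hosted... CNAME <tenant>.privatelink... A <RFC 1918 IP>."""
    public_fqdn = tenant + PUBLIC_SUFFIX
    private_fqdn = tenant + PRIVATE_SUFFIX
    problems: List[str] = []

    target = cname(public_fqdn)
    if target is None:
        problems.append(f"{public_fqdn} has no CNAME; the private FQDN is not in the path")
    elif target.rstrip(".") != private_fqdn:
        problems.append(f"{public_fqdn} points at {target}, expected {private_fqdn}")

    ips = addrs(private_fqdn)
    if not ips:
        problems.append(f"{private_fqdn} does not resolve from this network")
    leaks = [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in RFC1918)]
    if leaks:
        problems.append(f"{private_fqdn} resolves to non-private address(es): {leaks}")

    return {"private": not problems, "problems": problems, "addresses": ips}


# Constructed answers: a network where the private DNS zone is configured.
GOOD_ZONE = {"acme.hosted.immutacloud.com": "acme.privatelink.immutacloud.com."}
GOOD_ADDRS = {"acme.privatelink.immutacloud.com": ["10.20.30.40"]}
# Constructed answers: the name still answers, but with a non-private address,
# so traffic would not traverse the private endpoint.
LEAKY_ADDRS = {"acme.privatelink.immutacloud.com": ["203.0.113.10"]}

if __name__ == "__main__":
    print(check_governance_dns("acme", GOOD_ZONE.get, lambda n: GOOD_ADDRS.get(n, [])))
    print(check_governance_dns("acme", GOOD_ZONE.get, lambda n: LEAKY_ADDRS.get(n, [])))
```

Running this from a workstation inside the organization's network, with the callbacks backed by the network's actual resolver, is a quick way to catch a missing private DNS zone before users are told to connect.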
As with data connection private networking, the specifics of configuring governance private networking can vary by the cloud provider the source network is hosted on. Please consult the support matrix below for specific instructions.
AWS PrivateLink
Azure Private Link
Not yet supported
Immuta SaaS's global network is divided into large geographic regions called global segments. All Immuta SaaS tenants are deployed into an AWS region inside their chosen segment.