# AWS PrivateLink for PostgreSQL

AWS PrivateLink provides private connectivity from the Immuta SaaS platform to PostgreSQL database engines hosted on Amazon Aurora and Amazon RDS. It ensures that all traffic to the configured endpoints only traverses private networks.

This feature is supported in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

<figure><img src="https://1751699907-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlWBda5Pt4s8apEhzXGl7%2Fuploads%2Fgit-blob-bb7994c3e5c7501dc508c0b60e46ce4e3b8cb4da%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Requirements

* You have an Immuta SaaS tenant.
* You have set up an [AWS PrivateLink Service](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html) for your Amazon Aurora/Amazon RDS endpoints.
  * When creating the service, make sure that the **Require Acceptance** option is checked. This does not by itself allow anyone to connect; all connection requests are held until the Immuta service principal has been added.

{% hint style="warning" %}
Like all data connection private networking integrations that Immuta offers for AWS, the Amazon Aurora/Amazon RDS PrivateLink integration relies on a Network Load Balancer (NLB) that targets a private IP address (in this case, the private IP address of the Aurora/RDS instance). In a Multi-AZ configuration, the primary instance's private IP address changes during a failover event.

The NLB will not automatically detect this new IP address. Consequently, after an RDS failover, **Immuta will be unable to connect to the database until the NLB's target group is updated with the new primary instance's private IP address.**

To avoid the need for manual updates to your NLB configuration, you must implement an automated solution. A common approach is to use an AWS Lambda function that listens for RDS failover events and automatically updates the NLB target group with the new IP address. For a detailed guide on this automation, refer to the AWS blog post: [Access Amazon RDS across VPCs using AWS PrivateLink and Network Load Balancer](https://aws.amazon.com/blogs/database/access-amazon-rds-across-vpcs-using-aws-privatelink-and-network-load-balancer/).
{% endhint %}
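The automation the hint describes, written out as an added example (this is not Immuta's or AWS's code). It assumes the NLB target group uses IP targets, that the Lambda receives RDS events through EventBridge with an `EventCategories` list under `detail`, that the environment variables `TARGET_GROUP_ARN`, `DB_HOST` and `DB_PORT` are set on the function, and that the boto3 `elbv2` client is used for the real calls; `FakeElbv2` and the IP addresses in `demo()` are constructed so the logic runs offline.

```python
"""Added example: re-point an NLB target group at the new RDS/Aurora primary."""
import os
import socket
from typing import Callable, Dict, List, Tuple

Target = Tuple[str, int]  # (private IP, port)

# Assumed category carried by EventBridge RDS events for a Multi-AZ failover.
FAILOVER_CATEGORY = "failover"


def resolve_ipv4(hostname: str) -> str:
    """Resolve the writer endpoint to the private IPv4 it currently points at."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    if not infos:
        raise RuntimeError(f"no A record for {hostname}")
    return infos[0][4][0]


def current_targets(elbv2, target_group_arn: str) -> List[Target]:
    """List the (ip, port) pairs currently registered in the target group."""
    resp = elbv2.describe_target_health(TargetGroupArn=target_group_arn)
    return [(d["Target"]["Id"], d["Target"]["Port"])
            for d in resp["TargetHealthDescriptions"]]


def plan_update(registered: List[Target], primary_ip: str, port: int):
    """Return (to_register, to_deregister) so that only the primary remains."""
    desired = (primary_ip, port)
    to_register = [] if desired in registered else [desired]
    to_deregister = [t for t in registered if t != desired]
    return to_register, to_deregister


def sync_target_group(elbv2, target_group_arn: str, db_host: str, port: int,
                      resolver: Callable[[str], str] = resolve_ipv4) -> Dict:
    """Register the new primary first, then drain stale targets.

    Registering before deregistering avoids a window with zero targets.
    """
    primary_ip = resolver(db_host)
    registered = current_targets(elbv2, target_group_arn)
    add, drop = plan_update(registered, primary_ip, port)
    if add:
        elbv2.register_targets(TargetGroupArn=target_group_arn,
                               Targets=[{"Id": ip, "Port": p} for ip, p in add])
    if drop:
        elbv2.deregister_targets(TargetGroupArn=target_group_arn,
                                 Targets=[{"Id": ip, "Port": p} for ip, p in drop])
    return {"primary_ip": primary_ip, "registered": add, "deregistered": drop}


def is_failover_event(event: Dict) -> bool:
    """True when the EventBridge RDS event is tagged with the failover category."""
    return FAILOVER_CATEGORY in event.get("detail", {}).get("EventCategories", [])


def handler(event: Dict, context) -> Dict:
    """Lambda entry point (name assumed); ignores non-failover events."""
    if not is_failover_event(event):
        return {"skipped": True, "reason": "not a failover event"}
    import boto3  # deferred so the module imports without boto3 installed
    return sync_target_group(boto3.client("elbv2"),
                             os.environ["TARGET_GROUP_ARN"],
                             os.environ["DB_HOST"],
                             int(os.environ.get("DB_PORT", "5432")))


class FakeElbv2:
    """Constructed stand-in for the boto3 elbv2 client, for the offline demo."""

    def __init__(self, registered: List[Target]):
        self.state = list(registered)
        self.registered: List[Target] = []
        self.deregistered: List[Target] = []

    def describe_target_health(self, TargetGroupArn):
        return {"TargetHealthDescriptions":
                [{"Target": {"Id": ip, "Port": p}} for ip, p in self.state]}

    def register_targets(self, TargetGroupArn, Targets):
        added = [(t["Id"], t["Port"]) for t in Targets]
        self.registered += added
        self.state += added

    def deregister_targets(self, TargetGroupArn, Targets):
        dropped = [(t["Id"], t["Port"]) for t in Targets]
        self.deregistered += dropped
        self.state = [t for t in self.state if t not in dropped]


def demo() -> Dict:
    """Simulated failover: the target group still holds the old primary IP
    (constructed: 10.0.1.10) while DNS now resolves to the new one (10.0.2.20)."""
    fake = FakeElbv2([("10.0.1.10", 5432)])
    return sync_target_group(fake, "arn:aws:elasticloadbalancing:EXAMPLE-TARGET-GROUP",
                             "writer.example.internal", 5432,
                             resolver=lambda _host: "10.0.2.20")


if __name__ == "__main__":
    print(demo())
```

The function resolves the writer endpoint rather than trusting any IP in the event payload, so the same code also corrects drift if an event was missed; run it from a schedule as well as from the failover event to close that gap.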

## Configure PostgreSQL with AWS PrivateLink

1. Open a support ticket with [Immuta Support](https://support.immuta.com) with the following information:
   * AWS region
   * AWS availability zone IDs of your subnets (e.g. `use1-az3`; these are **not** the account-specific names like `us-east-1a` or `eu-west-2c`)
   * VPC endpoint service ID (e.g., `vpce-0a02f54c1d339e98a`)
   * Ports used
2. [Authorize the service principal](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-permissions) provided by your representative so that Immuta can complete the VPC endpoint configuration.
3. [Register the PostgreSQL connection](https://documentation.immuta.com/SaaS/configuration/integrations/postgresql/register-a-postgresql-connection).
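Step 2 and the Require Acceptance requirement above, carried out and verified in code as an added example (not Immuta's code). It assumes the boto3 EC2 client API; `SERVICE_ID` and `IMMUTA_PRINCIPAL` are placeholders for the values exchanged in the support ticket, and `FakeEc2` plus the account IDs in `demo()` are constructed so the checks run offline.

```python
"""Added example: audit a PrivateLink endpoint service and authorize one principal."""
from typing import Dict, Iterable, List, Set

SERVICE_ID = "vpce-svc-EXAMPLE"                                # placeholder
IMMUTA_PRINCIPAL = "arn:aws:iam::<IMMUTA_ACCOUNT_ID>:root"     # placeholder from your representative


def acceptance_required(ec2, service_id: str) -> bool:
    """Return the service's Require Acceptance flag."""
    resp = ec2.describe_vpc_endpoint_service_configurations(ServiceIds=[service_id])
    return bool(resp["ServiceConfigurations"][0]["AcceptanceRequired"])


def allowed_principals(ec2, service_id: str) -> Set[str]:
    """Principals currently allowed to create endpoints against the service."""
    resp = ec2.describe_vpc_endpoint_service_permissions(ServiceId=service_id)
    return {p["Principal"] for p in resp["AllowedPrincipals"]}


def audit_service(ec2, service_id: str, expected: Iterable[str]) -> Dict:
    """Flag acceptance being off and any principal outside the expected set."""
    expected_set = set(expected)
    current = allowed_principals(ec2, service_id)
    return {
        "acceptance_required": acceptance_required(ec2, service_id),
        "missing": sorted(expected_set - current),
        "unexpected": sorted(current - expected_set),
    }


def authorize_principal(ec2, service_id: str, principal: str) -> bool:
    """Add the principal only if absent; returns True when a change was made."""
    if principal in allowed_principals(ec2, service_id):
        return False
    ec2.modify_vpc_endpoint_service_permissions(
        ServiceId=service_id, AddAllowedPrincipals=[principal])
    return True


def pending_endpoints_from(ec2, service_id: str, owner_account: str) -> List[str]:
    """Endpoint IDs awaiting acceptance that were created by the given account."""
    resp = ec2.describe_vpc_endpoint_connections(
        Filters=[{"Name": "service-id", "Values": [service_id]}])
    return [c["VpcEndpointId"] for c in resp["VpcEndpointConnections"]
            if c["VpcEndpointState"] == "pendingAcceptance"
            and c["VpcEndpointOwner"] == owner_account]


class FakeEc2:
    """Constructed stand-in for the boto3 EC2 client (offline demo only)."""

    def __init__(self, acceptance: bool, principals: Iterable[str], connections=()):
        self.acceptance = acceptance
        self.principals = set(principals)
        self.connections = list(connections)

    def describe_vpc_endpoint_service_configurations(self, ServiceIds):
        return {"ServiceConfigurations": [{"ServiceId": ServiceIds[0],
                                           "AcceptanceRequired": self.acceptance}]}

    def describe_vpc_endpoint_service_permissions(self, ServiceId):
        return {"AllowedPrincipals": [{"PrincipalType": "Account", "Principal": p}
                                      for p in sorted(self.principals)]}

    def modify_vpc_endpoint_service_permissions(self, ServiceId, AddAllowedPrincipals=(),
                                                RemoveAllowedPrincipals=()):
        self.principals |= set(AddAllowedPrincipals)
        self.principals -= set(RemoveAllowedPrincipals)
        return {"ReturnValue": True}

    def describe_vpc_endpoint_connections(self, Filters):
        return {"VpcEndpointConnections": self.connections}


def demo() -> Dict:
    """Service with acceptance on, one stray principal (constructed account
    111111111111) and one pending request from constructed account 222222222222."""
    ec2 = FakeEc2(True, ["arn:aws:iam::111111111111:root"],
                  [{"VpcEndpointId": "vpce-0EXAMPLE", "VpcEndpointOwner": "222222222222",
                    "VpcEndpointState": "pendingAcceptance"}])
    report = {"changed": authorize_principal(ec2, SERVICE_ID, IMMUTA_PRINCIPAL)}
    report.update(audit_service(ec2, SERVICE_ID, [IMMUTA_PRINCIPAL]))
    report["pending_from_222222222222"] = pending_endpoints_from(ec2, SERVICE_ID, "222222222222")
    return report


if __name__ == "__main__":
    print(demo())
```

Anything reported under `unexpected` is a principal that could request an endpoint to your database; with Require Acceptance on, such requests still sit in `pendingAcceptance`, which is why the check and the accept step stay separate and why only requests from the account you expect should be accepted.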
