Immuta SaaS Private Networking Over AWS PrivateLink
Currently, Immuta SaaS private networking only supports the Governance app. Support for private networking to the Marketplace app is coming soon.
Immuta SaaS hosts AWS PrivateLink services that organizations can configure Amazon VPC endpoint connections to, which ensures that all traffic to Immuta SaaS only traverses private networks.
This feature is supported in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.
This documentation is for configuring access to an Immuta SaaS tenant from an organization's network, not for configuring access from a tenant to an organization's data sources or APIs. For that, please see the documentation on Data connection private networking.
Configuring AWS PrivateLink connections to the Governance app
Requirements
You have an Immuta SaaS tenant.
You have an Amazon VPC in one of the supported regions listed in the global segment tables below.
Clients (users or services) can access the Amazon VPC network where the AWS PrivateLink endpoint will be created.
Create PrivateLink endpoint
You will need to create an AWS PrivateLink endpoint to connect directly to your tenant over the Immuta SaaS network. Please refer to the AWS PrivateLink documentation for instructions on creating an endpoint.
Immuta has a set of PrivateLink services that you can connect to in different global segments. When creating your endpoint, please choose the service in the same region as your tenant. If you do not know what region your tenant is in, please contact your Immuta representative.
NA global segment
us-east-1
US East (Virginia)
com.amazonaws.vpce.us-east-1.vpce-svc-0c33df1aaf78a8955
use1-az2
use1-az4
use1-az6
us-west-2
US West (Oregon)
com.amazonaws.vpce.us-west-2.vpce-svc-0e35fa96fd264e0a6
usw2-az1
usw2-az2
usw2-az3
EU global segment
eu-central-1
Europe (Frankfurt)
com.amazonaws.vpce.eu-central-1.vpce-svc-027e6fd0c1cf62c68
euc1-az1
euc1-az2
euc1-az3
eu-west-1
Europe (Ireland)
com.amazonaws.vpce.eu-west-1.vpce-svc-0bd003f6352dc5e58
euw1-az1
euw1-az2
euw1-az3
eu-west-2
Europe (London)
com.amazonaws.vpce.eu-west-2.vpce-svc-0cb6dcde93257e082
euw2-az1
euw2-az2
euw2-az3
AP global segment
ap-northeast-1
Asia Pacific (Tokyo)
com.amazonaws.vpce.ap-northeast-1.vpce-svc-056d170f71688f5f9
apne1-az1
apne1-az2
apne1-az4
ap-southeast-2
Asia Pacific (Sydney)
com.amazonaws.vpce.ap-southeast-2.vpce-svc-0f1fad760b7efc4d7
apse2-az1
apse2-az2
apse2-az3
Configuring security group access
VPC endpoints must be associated with at least one security group upon creation. Please ensure that traffic from your clients to port 443 is allowed.
Configure privatelink.immutacloud.com DNS
privatelink.immutacloud.com DNSIn order to direct traffic to your PrivateLink endpoint for your tenant hostname, you will need to set up DNS resolution in your network for the privatelink.immutacloud.com domain. You will need to create a private zone with your internal DNS provider where records for this domain can be created. For instructions on how to do this, please refer to your internal DNS provider's documentation.
Once you have resolution for the domain configured, you will need to create a CNAME DNS record in the zone that resolves <tenant name>.privatelink.immutacloud.com to your newly-created VPC endpoint's DNS name.
For example, if your tenant's hostname is example.hosted.immutacloud.com and your VPC endpoint DNS name is vpce-0d363d9ea82658bec-e4wo04x9.vpce-svc-0d12345ddd89101112.us-east-1.vpce.amazonaws.com, you should create a CNAME record that resolves example.privatelink.immutacloud.com to your VPC endpoint DNS name.
The end result should be that, inside your network, DNS resolution for your tenant hostname will direct traffic to your VPC Endpoint.
Have your connection request accepted
Once you have configured DNS, you will need to contact your Immuta representative with the following information in order to have your VPC endpoint connection request accepted and PrivateLink enabled for your tenant:
Tenant name
AWS region
VPC endpoint ID
After the request is completed, please continue to use your standard hostname (e.g. example.hosted.immutacloud.com) to access your tenant. An Immuta-managed CNAME record will direct that traffic to your PrivateLink hostname (e.g. example.privatelink.immutacloud.com).
When Immuta completes this request, your tenant will no longer be publicly accessible. Traffic bound for your tenant hostname (e.g. example.hosted.immutacloud.com) will be directed to your PrivateLink hostname (e.g. example.privatelink.immutacloud.com).
Any services or data platforms that make requests to the Governance app API will need to route their traffic over your VPC endpoint as well. The integrations that require this connectivity are:
If your Identity Provider only supports public SCIM endpoints, please see this section.
In order to prevent these integrations from becoming degraded, please ensure that they can send traffic to your PrivateLink endpoint.
Configuring SCIM integrations that require public endpoints
Identity providers that support SCIM often require that the endpoints that they interact with are publicly accessible. In order to accommodate this traffic, Immuta can configure a separate, SCIM-only public traffic ingress for your tenant.
If needed, request a public SCIM ingress when you contact your Immuta representative to have Immuta SaaS private networking enabled.
Configuring private networking for multiple tenants
If you have multiple Immuta SaaS tenants that you need to enable Immuta SaaS private networking for, you only need to configure one endpoint per global segment. For example, if all your tenants are in the EU global segment, you only need to create a VPC endpoint in one of the EU regions from the table above.
While having at least one is required, it is possible to configure multiple endpoints, either for redundancy or to support traffic to your tenants from distinct, isolated networks. If you do create multiple VPC endpoints, please provide all the VPC endpoint IDs from your connection requests to your Immuta representative.
You will still need to create a privatelink.immutacloud.com CNAME record for each tenant. Please ensure that, if you've created separate VPC endpoints per tenant, the CNAME record references the correct VPC endpoint DNS name.
Last updated
Was this helpful?