# Immuta SaaS Private Networking Over AWS PrivateLink

Immuta SaaS hosts AWS PrivateLink endpoint services to which organizations can connect their own Amazon VPC endpoints, ensuring that all traffic to Immuta SaaS traverses only private networks.

This feature is supported in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

{% hint style="warning" %}
This documentation is for configuring access *to* an Immuta SaaS tenant from an organization's network, not for configuring access *from* a tenant to an organization's data sources or APIs. For that, please see the documentation on [Data connection private networking](https://documentation.immuta.com/SaaS/configuration/application-configuration/how-to-guides/private-networking-support/..#data-connection-private-networking).
{% endhint %}

<figure><img src="https://1751699907-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlWBda5Pt4s8apEhzXGl7%2Fuploads%2Fgit-blob-d8c65817d189b08e37851e66200ed8ab518eb80b%2Fimage.png?alt=media" alt=""><figcaption><p>Overview of Immuta SaaS Private Networking over AWS PrivateLink</p></figcaption></figure>

## Configuring AWS PrivateLink connections to the Govern app

### Requirements

* You have an Immuta SaaS tenant.
* You have an Amazon VPC in one of the supported regions listed in the [global segment tables](#na-global-segment) below.
* Clients (users or services) can access the Amazon VPC network where the AWS PrivateLink endpoint will be created.

### Create PrivateLink endpoint

You will need to create an AWS PrivateLink endpoint to connect directly to your tenant over the Immuta SaaS network. Please refer to the [AWS PrivateLink documentation](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) for instructions on creating an endpoint.

{% hint style="info" %}
Please note that the documentation uses connecting to an AWS service as an example, but you will want to configure your endpoint to connect to one of the PrivateLink service endpoints in the tables below.
{% endhint %}

Immuta has a set of [PrivateLink services](https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html#concepts-endpoint-services) that you can connect to in different global segments. When creating your endpoint, please choose the service in the same region as your tenant. If you do not know what region your tenant is in, please contact your Immuta representative.

#### NA global segment

<table data-full-width="true"><thead><tr><th align="center">Region</th><th>Endpoint service name</th><th>Availability zones</th></tr></thead><tbody><tr><td align="center"><strong><code>us-east-1</code></strong><br>US East (Virginia)</td><td><code>com.amazonaws.vpce.us-east-1.vpce-svc-0c33df1aaf78a8955</code></td><td><ul><li>use1-az2</li><li>use1-az4</li><li>use1-az6</li></ul></td></tr><tr><td align="center"><strong><code>us-west-2</code></strong><br>US West (Oregon)</td><td><code>com.amazonaws.vpce.us-west-2.vpce-svc-0e35fa96fd264e0a6</code></td><td><ul><li>usw2-az1</li><li>usw2-az2</li><li>usw2-az3</li></ul></td></tr></tbody></table>

#### EU global segment

<table data-full-width="true"><thead><tr><th align="center">Region</th><th>Endpoint service name</th><th>Availability zones</th></tr></thead><tbody><tr><td align="center"><strong><code>eu-central-1</code></strong><br>Europe (Frankfurt)</td><td><code>com.amazonaws.vpce.eu-central-1.vpce-svc-027e6fd0c1cf62c68</code></td><td><ul><li>euc1-az1</li><li>euc1-az2</li><li>euc1-az3</li></ul></td></tr><tr><td align="center"><strong><code>eu-west-1</code></strong><br>Europe (Ireland)</td><td><code>com.amazonaws.vpce.eu-west-1.vpce-svc-0bd003f6352dc5e58</code></td><td><ul><li>euw1-az1</li><li>euw1-az2</li><li>euw1-az3</li></ul></td></tr><tr><td align="center"><strong><code>eu-west-2</code></strong><br>Europe (London)</td><td><code>com.amazonaws.vpce.eu-west-2.vpce-svc-0cb6dcde93257e082</code></td><td><ul><li>euw2-az1</li><li>euw2-az2</li><li>euw2-az3</li></ul></td></tr></tbody></table>

#### AP global segment

<table data-full-width="true"><thead><tr><th align="center">Region</th><th>Endpoint service name</th><th>Availability zones</th></tr></thead><tbody><tr><td align="center"><strong><code>ap-northeast-1</code></strong><br>Asia Pacific (Tokyo)</td><td><code>com.amazonaws.vpce.ap-northeast-1.vpce-svc-056d170f71688f5f9</code></td><td><ul><li>apne1-az1</li><li>apne1-az2</li><li>apne1-az4</li></ul></td></tr><tr><td align="center"><strong><code>ap-southeast-2</code></strong><br>Asia Pacific (Sydney)</td><td><code>com.amazonaws.vpce.ap-southeast-2.vpce-svc-0f1fad760b7efc4d7</code></td><td><ul><li>apse2-az1</li><li>apse2-az2</li><li>apse2-az3</li></ul></td></tr></tbody></table>

#### Configuring security group access

VPC endpoints must be associated with at least one security group upon creation. Ensure that the security group allows inbound TCP traffic on port `443` from your clients.
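The two steps above (creating the endpoint against the documented service name and attaching a security group that admits only port 443) are shown here as an added example; this is not Immuta's code. It copies the service names and availability-zone IDs from the tables on this page and assumes a boto3 session with permission to create endpoints and security group rules. The subnet, VPC, security group and CIDR values are constructed placeholders. One detail the tables imply but do not spell out: the "Availability zones" column lists AZ *IDs* (such as `use1-az2`), which are stable across AWS accounts, whereas AZ *names* (such as `us-east-1a`) are mapped differently per account, so endpoint subnets must be chosen by their `AvailabilityZoneId`.

```python
"""Added example (not Immuta's own code): choose eligible subnets and build the
AWS API parameters for a Govern app PrivateLink endpoint and its security group.

Assumptions: boto3 is only imported inside apply(); every subnet, VPC, security
group and CIDR value used in the tests is constructed.
"""
from __future__ import annotations

# Endpoint service names and availability-zone IDs copied from the page's tables.
PRIVATELINK_SERVICES: dict[str, tuple[str, set[str]]] = {
    "us-east-1": ("com.amazonaws.vpce.us-east-1.vpce-svc-0c33df1aaf78a8955", {"use1-az2", "use1-az4", "use1-az6"}),
    "us-west-2": ("com.amazonaws.vpce.us-west-2.vpce-svc-0e35fa96fd264e0a6", {"usw2-az1", "usw2-az2", "usw2-az3"}),
    "eu-central-1": ("com.amazonaws.vpce.eu-central-1.vpce-svc-027e6fd0c1cf62c68", {"euc1-az1", "euc1-az2", "euc1-az3"}),
    "eu-west-1": ("com.amazonaws.vpce.eu-west-1.vpce-svc-0bd003f6352dc5e58", {"euw1-az1", "euw1-az2", "euw1-az3"}),
    "eu-west-2": ("com.amazonaws.vpce.eu-west-2.vpce-svc-0cb6dcde93257e082", {"euw2-az1", "euw2-az2", "euw2-az3"}),
    "ap-northeast-1": ("com.amazonaws.vpce.ap-northeast-1.vpce-svc-056d170f71688f5f9", {"apne1-az1", "apne1-az2", "apne1-az4"}),
    "ap-southeast-2": ("com.amazonaws.vpce.ap-southeast-2.vpce-svc-0f1fad760b7efc4d7", {"apse2-az1", "apse2-az2", "apse2-az3"}),
}


def select_subnets(region: str, subnets: list[tuple[str, str]]) -> list[str]:
    """Keep only subnets whose AZ *ID* is served by the Immuta endpoint service.

    `subnets` is a list of (SubnetId, AvailabilityZoneId) pairs, as returned by
    ec2.describe_subnets. AZ names differ per account, so the ID must be used.
    """
    _service, az_ids = PRIVATELINK_SERVICES[region]
    chosen = [subnet_id for subnet_id, az_id in subnets if az_id in az_ids]
    if not chosen:
        raise ValueError(f"no subnet lies in a supported AZ for {region}: {sorted(az_ids)}")
    return chosen


def security_group_ingress(group_id: str, client_cidrs: list[str]) -> dict:
    """Parameters for ec2.authorize_security_group_ingress: TCP 443 from client networks only."""
    return {
        "GroupId": group_id,
        "IpPermissions": [{
            "IpProtocol": "tcp",
            "FromPort": 443,
            "ToPort": 443,
            "IpRanges": [{"CidrIp": cidr, "Description": "Immuta SaaS PrivateLink clients"} for cidr in client_cidrs],
        }],
    }


def endpoint_request(region: str, vpc_id: str, subnet_ids: list[str], group_id: str) -> dict:
    """Parameters for ec2.create_vpc_endpoint targeting the Immuta service for this region."""
    service, _az_ids = PRIVATELINK_SERVICES[region]
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": service,
        "SubnetIds": subnet_ids,
        "SecurityGroupIds": [group_id],
    }


def apply(region: str, vpc_id: str, subnets: list[tuple[str, str]], group_id: str, client_cidrs: list[str]) -> str:
    """Create the rule and the endpoint; returns the VPC endpoint ID to send to your Immuta representative."""
    import boto3  # assumption: boto3 is installed and credentials are configured

    ec2 = boto3.client("ec2", region_name=region)
    ec2.authorize_security_group_ingress(**security_group_ingress(group_id, client_cidrs))
    params = endpoint_request(region, vpc_id, select_subnets(region, subnets), group_id)
    response = ec2.create_vpc_endpoint(**params)
    return response["VpcEndpoint"]["VpcEndpointId"]
```

The endpoint remains in the `pendingAcceptance` state until Immuta accepts the connection request (see the section below on having your request accepted), so `apply()` returning an ID does not yet mean traffic flows.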

### Configure `privatelink.immutacloud.com` DNS

In order to direct traffic to your PrivateLink endpoint for your tenant hostname, you will need to set up DNS resolution in your network for the `privatelink.immutacloud.com` domain. For instructions on how to do this, please refer to your internal DNS provider's documentation.

Once you have resolution for the domain configured, you will need to create a CNAME DNS record that resolves `<tenant name>.privatelink.immutacloud.com` to your newly created VPC endpoint's DNS name.

For example, if your tenant's hostname is `example.hosted.immutacloud.com` and your VPC endpoint DNS name is `vpce-0d363d9ea82658bec-e4wo04x9.vpce-svc-0d12345ddd89101112.us-east-1.vpce.amazonaws.com`, you should create a CNAME record that resolves `example.privatelink.immutacloud.com` to your VPC endpoint DNS name.

The end result should be that, inside your network, DNS resolution for your tenant hostname will direct traffic to your VPC Endpoint.

### Have your connection request accepted

Once you have configured DNS, you will need to contact your Immuta representative with the following information in order to have your VPC endpoint connection request accepted and PrivateLink enabled for your tenant:

* Tenant name
* AWS region
* VPC endpoint ID

After the request is completed, **please continue to use your standard hostname** (e.g. `example.hosted.immutacloud.com`) to access your tenant. An Immuta-managed CNAME record will direct that traffic to your PrivateLink hostname (e.g. `example.privatelink.immutacloud.com`).

{% hint style="danger" %}
When Immuta completes this request, your tenant will no longer be publicly accessible. Traffic bound for your tenant hostname (e.g. `example.hosted.immutacloud.com`) will be directed to your PrivateLink hostname (e.g. `example.privatelink.immutacloud.com`).

Any services or data platforms that make requests to the Govern app API will need to route their traffic over your VPC endpoint as well. The integrations that require this connectivity are:

* [Starburst (Trino)](https://documentation.immuta.com/SaaS/configuration/integrations/starburst-trino)
* [Databricks Spark](https://documentation.immuta.com/SaaS/configuration/integrations/databricks/databricks-spark)
* [All SCIM Integrations](https://documentation.immuta.com/SaaS/configuration/people/section-contents/reference-guides/index)
  * If your Identity Provider only supports public SCIM endpoints, please see [this section](#configuring-scim-integrations-that-require-public-endpoints).

In order to prevent these integrations from becoming degraded, please ensure that they can send traffic to your PrivateLink endpoint.
{% endhint %}

### Configuring SCIM integrations that require public endpoints

Identity providers that support SCIM often require that the endpoints that they interact with are publicly accessible. In order to accommodate this traffic, Immuta can configure a separate, SCIM-only public traffic ingress for your tenant.

If needed, request a **public SCIM ingress** when you contact your Immuta representative to have Immuta SaaS private networking enabled.

### Configuring private networking for multiple tenants

If you have multiple Immuta SaaS tenants that you need to enable Immuta SaaS private networking for, you only need to configure **one endpoint per global segment**. For example, if all your tenants are in the EU global segment, you only need to create a VPC endpoint in one of the EU regions from the table above.

While at least one endpoint is required, it is possible to configure multiple endpoints, either for redundancy or to support traffic to your tenants from distinct, isolated networks. **If you do create multiple VPC endpoints, please provide all the VPC endpoint IDs from your connection requests** to your Immuta representative.

You will still need to create a `privatelink.immutacloud.com` CNAME record for each tenant. Please ensure that, if you've created separate VPC endpoints per tenant, the CNAME record references the correct VPC endpoint DNS name.

## Configuring AWS PrivateLink connections to the Request app

### Requirements

* You have an Immuta SaaS tenant.
* You have an Amazon VPC in one of the supported regions listed in the [global segment tables](#na-global-segment) above.
* Clients (users or services) can access the Amazon VPC network where the AWS PrivateLink endpoint will be created.
* You have successfully configured [Immuta SaaS PrivateLink for the Govern app](#configuring-aws-privatelink-connections-to-the-govern-app).

{% hint style="warning" %}
PrivateLink for the Request app is only supported if all your tenants reside in a single global segment. Having tenants in multiple global segments is very uncommon, so you are unlikely to be affected by this limitation.
{% endhint %}

### Configure Request app DNS <a href="#configure-privatelink.immutacloud.com-dns" id="configure-privatelink.immutacloud.com-dns"></a>

Immuta SaaS Private Networking for the Request app will use the same VPC endpoint as the one created for the Govern app, so the only required additional configuration is DNS-related.

In order to direct traffic to your PrivateLink endpoint for the Request app, you will need to set up DNS resolution in your network for the following domains:

* `app.immutacloud.com`
* `marketplace-fe.immutacloud.com`

For instructions on how to do this, refer to your internal DNS provider's documentation.

Once you have resolution for those domains configured, you will need to create CNAME DNS records that resolve each of them to your PrivateLink VPC endpoint's DNS name (the same endpoint used for the Govern app PrivateLink).

For example, if your VPC endpoint DNS name is `vpce-0d363d9ea82658bec-e4wo04x9.vpce-svc-0d12345ddd89101112.us-east-1.vpce.amazonaws.com`, you should create CNAME records that resolve `app.immutacloud.com` and `marketplace-fe.immutacloud.com` to your VPC endpoint DNS name.

The end result should be that, inside your network, DNS resolution to `app.immutacloud.com` and `marketplace-fe.immutacloud.com` will direct traffic to your VPC endpoint, and the Request app should be accessible along with your tenant.
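The DNS configuration for the Govern app (the `privatelink.immutacloud.com` CNAME) and for the Request app (the two `immutacloud.com` hostnames) both end in the same state: inside your network, the hostname must follow the CNAME chain to the VPC endpoint's DNS name and come back with private addresses from your VPC. The script below is an added example, not Immuta's tooling, that checks exactly that from a client in the network, so you can confirm before the cutover that no hostname, including those used by Starburst, Databricks Spark or SCIM integrations, would still take the public path. The hostnames and the VPC endpoint DNS name are the ones on this page; the resolver interface, the VPC CIDR and the answers in `demo()` are constructed for the example.

```python
"""Added example (not Immuta's own code): verify that the tenant and Request app
hostnames resolve through the VPC endpoint to private, in-VPC addresses.

Assumptions: the resolver interface and the VPC CIDR are this example's own;
demo() uses constructed DNS answers so it runs offline.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable

# A resolver maps a hostname to (canonical name after following CNAMEs, list of IP strings).
Resolver = Callable[[str], tuple[str, list[str]]]

REQUEST_APP_HOSTNAMES = ("app.immutacloud.com", "marketplace-fe.immutacloud.com")
VPCE_SUFFIX = ".vpce.amazonaws.com"


def system_resolver(hostname: str) -> tuple[str, list[str]]:
    """Use the host's configured DNS (run this from a client inside the VPC network). IPv4 only."""
    canonical, _aliases, ips = socket.gethostbyname_ex(hostname)
    return canonical, ips


def privatelink_hostname(tenant_hostname: str) -> str:
    """example.hosted.immutacloud.com -> example.privatelink.immutacloud.com"""
    tenant, _sep, parent = tenant_hostname.partition(".")
    if parent != "hosted.immutacloud.com":
        raise ValueError(f"not a *.hosted.immutacloud.com tenant hostname: {tenant_hostname}")
    return f"{tenant}.privatelink.immutacloud.com"


def check_hostname(hostname: str, vpc_cidrs: list[str], resolver: Resolver) -> dict:
    """Report whether `hostname` ends at a VPC endpoint DNS name with only in-VPC addresses."""
    networks = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    try:
        canonical, ips = resolver(hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return {"hostname": hostname, "ok": False, "reason": f"resolution failed: {exc}"}
    via_vpce = canonical.endswith(VPCE_SUFFIX)
    addresses = [ipaddress.ip_address(ip) for ip in ips]
    in_vpc = bool(addresses) and all(any(addr in net for net in networks) for addr in addresses)
    reason = None
    if not via_vpce:
        reason = f"canonical name {canonical!r} is not a VPC endpoint DNS name (public path?)"
    elif not in_vpc:
        reason = f"addresses {ips} are not all inside {vpc_cidrs}"
    return {"hostname": hostname, "canonical": canonical, "ips": ips, "ok": via_vpce and in_vpc, "reason": reason}


def check_tenant(tenant_hostname: str, vpc_cidrs: list[str],
                 resolver: Resolver = system_resolver, request_app: bool = True) -> dict:
    """Check the tenant hostname, its privatelink alias and (optionally) the Request app hostnames."""
    names = [tenant_hostname, privatelink_hostname(tenant_hostname)]
    if request_app:
        names.extend(REQUEST_APP_HOSTNAMES)
    return {name: check_hostname(name, vpc_cidrs, resolver) for name in names}


def failing_hostnames(report: dict) -> list[str]:
    return sorted(name for name, result in report.items() if not result["ok"])


def demo() -> dict:
    """Constructed answers: Govern app wired correctly, marketplace-fe CNAME still missing."""
    vpce = "vpce-0d363d9ea82658bec-e4wo04x9.vpce-svc-0d12345ddd89101112.us-east-1.vpce.amazonaws.com"
    private = ["10.20.1.15", "10.20.2.15"]  # constructed endpoint ENI addresses
    answers = {
        "example.hosted.immutacloud.com": (vpce, private),
        "example.privatelink.immutacloud.com": (vpce, private),
        "app.immutacloud.com": (vpce, private),
        "marketplace-fe.immutacloud.com": ("marketplace-fe.immutacloud.com", ["198.51.100.7"]),
    }
    return check_tenant("example.hosted.immutacloud.com", ["10.20.0.0/16"], lambda name: answers[name])


if __name__ == "__main__":
    import sys

    # Usage: python check_privatelink_dns.py example.hosted.immutacloud.com 10.20.0.0/16 [more CIDRs]
    report = check_tenant(sys.argv[1], sys.argv[2:]) if len(sys.argv) > 2 else demo()
    for name, result in report.items():
        print("OK  " if result["ok"] else "FAIL", name, result.get("canonical"), result.get("reason") or "")
    sys.exit(1 if failing_hostnames(report) else 0)
```

Run it once from each network that hosts an integration (the Starburst, Databricks or SCIM side as well as user workstations), since each network has its own resolvers; a hostname reported as `FAIL` with a non-`vpce` canonical name is one whose CNAME record is missing or not visible from that network.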
