Immuta SaaS Private Networking Over AWS PrivateLink

Public preview: This feature is available to select accounts. Contact your Immuta representative for details.

Immuta SaaS hosts AWS PrivateLink services to which organizations can connect Amazon VPC endpoints, ensuring that all traffic to Immuta SaaS traverses only private networks.

This feature is supported in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.

Overview of Immuta SaaS Private Networking over AWS PrivateLink

Requirements

  • You have an Immuta SaaS tenant.

  • You have an Amazon VPC in one of the supported regions listed in the global segment tables below.

  • Clients (users or services) can access the Amazon VPC network where the AWS PrivateLink endpoint will be created.

You will need to create an AWS PrivateLink endpoint to connect directly to your tenant over the Immuta SaaS network. Please refer to the AWS PrivateLink documentation for instructions on creating an endpoint.

Note that the AWS documentation uses connecting to an AWS service as its example; instead, configure your endpoint to connect to one of the Immuta PrivateLink service names in the tables below.

Immuta has a set of PrivateLink services that you can connect to in different global segments. When creating your endpoint, please choose the service in the same region as your tenant. If you do not know what region your tenant is in, please contact your Immuta representative.

NA global segment

Region                        Endpoint service name                                     Availability zones
us-east-1 US East (Virginia)  com.amazonaws.vpce.us-east-1.vpce-svc-0c33df1aaf78a8955   use1-az2, use1-az4, use1-az6
us-west-2 US West (Oregon)    com.amazonaws.vpce.us-west-2.vpce-svc-0e35fa96fd264e0a6   usw2-az1, usw2-az2, usw2-az3

EU global segment

Region                          Endpoint service name                                        Availability zones
eu-central-1 Europe (Frankfurt) com.amazonaws.vpce.eu-central-1.vpce-svc-027e6fd0c1cf62c68   euc1-az1, euc1-az2, euc1-az3
eu-west-1 Europe (Ireland)      com.amazonaws.vpce.eu-west-1.vpce-svc-0bd003f6352dc5e58      euw1-az1, euw1-az2, euw1-az3
eu-west-2 Europe (London)       com.amazonaws.vpce.eu-west-2.vpce-svc-0cb6dcde93257e082      euw2-az1, euw2-az2, euw2-az3

AP global segment

Region                               Endpoint service name                                          Availability zones
ap-northeast-1 Asia Pacific (Tokyo)  com.amazonaws.vpce.ap-northeast-1.vpce-svc-056d170f71688f5f9   apne1-az1, apne1-az2, apne1-az4
ap-southeast-2 Asia Pacific (Sydney) com.amazonaws.vpce.ap-southeast-2.vpce-svc-0f1fad760b7efc4d7   apse2-az1, apse2-az2, apse2-az3

Configuring security group access

VPC endpoints must be associated with at least one security group upon creation. Please ensure that inbound traffic from your clients to TCP port 443 is allowed.

Configure privatelink.immutacloud.com DNS

To direct traffic for your tenant hostname to your PrivateLink endpoint, you will need to set up DNS resolution in your network for the privatelink.immutacloud.com domain. Create a private zone with your internal DNS provider where records for this domain can be created. For instructions on how to do this, please refer to your internal DNS provider's documentation.

Once resolution for the domain is configured, create a CNAME DNS record in the zone that resolves <tenant name>.privatelink.immutacloud.com to your newly created VPC endpoint's DNS name.

For example, if your tenant's hostname is example.hosted.immutacloud.com and your VPC endpoint DNS name is vpce-0d363d9ea82658bec-e4wo04x9.vpce-svc-0d12345ddd89101112.us-east-1.vpce.amazonaws.com, you should create a CNAME record that resolves example.privatelink.immutacloud.com to your VPC endpoint DNS name.

The end result should be that, inside your network, DNS resolution for your tenant hostname directs traffic to your VPC endpoint.

Have your connection request accepted

Once you have configured DNS, you will need to contact your Immuta representative with the following information in order to have your VPC endpoint connection request accepted and PrivateLink enabled for your tenant:

  • Tenant name

  • AWS region

  • VPC endpoint ID

After the request is completed, please continue to use your standard hostname (e.g. example.hosted.immutacloud.com) to access your tenant. An Immuta-managed CNAME record will direct that traffic to your PrivateLink hostname (e.g. example.privatelink.immutacloud.com).
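The steps above (security group, VPC endpoint, private zone, CNAME, and a resolution check) as one AWS CLI walkthrough. This is an added example, not Immuta's own tooling: the service name and the example hostnames come from this page, while VPC_ID, SUBNET_IDS, SG_ID, CLIENT_CIDR and ZONE_ID are placeholders you replace. Commands are only printed unless APPLY=1, so the script can be previewed safely.

```shell
#!/bin/sh
# Added example (not Immuta's code). Placeholders: VPC_ID, SUBNET_IDS, SG_ID,
# CLIENT_CIDR, ZONE_ID. Service name and hostnames are the page's own values.
set -eu

REGION="us-east-1"
SERVICE="com.amazonaws.vpce.us-east-1.vpce-svc-0c33df1aaf78a8955"  # NA segment, from the page
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"            # placeholder
SUBNET_IDS="${SUBNET_IDS:-subnet-aaaa subnet-bbbb}"  # placeholders, one per AZ in use1-az2/az4/az6
SG_ID="${SG_ID:-sg-0123456789abcdef0}"               # placeholder: the endpoint's security group
CLIENT_CIDR="${CLIENT_CIDR:-10.0.0.0/16}"            # placeholder: only your client network, not 0.0.0.0/0
TENANT="${TENANT:-example}"                          # tenant "example" -> example.hosted.immutacloud.com
ENDPOINT_DNS="${ENDPOINT_DNS:-vpce-0d363d9ea82658bec-e4wo04x9.vpce-svc-0d12345ddd89101112.us-east-1.vpce.amazonaws.com}"

# Print each command unless APPLY=1, so the flow can be reviewed before anything changes.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi; }

# <tenant>.privatelink.immutacloud.com is the name the Immuta-managed CNAME will point at.
privatelink_host() { printf '%s.privatelink.immutacloud.com' "$1"; }

# Route 53 change batch: CNAME from the privatelink name to the endpoint DNS name.
cname_change_batch() {
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}' \
    "$(privatelink_host "$1")" "$2"
}

# 1. Security group: allow only your clients to reach the endpoint on TCP 443.
run aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$SG_ID" \
  --protocol tcp --port 443 --cidr "$CLIENT_CIDR"

# 2. Interface endpoint to the Immuta service in the same region as the tenant.
#    SUBNET_IDS is deliberately unquoted so it expands to one argument per subnet.
run aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
  --vpc-endpoint-type Interface --service-name "$SERVICE" \
  --subnet-ids $SUBNET_IDS --security-group-ids "$SG_ID"

# 3. Private hosted zone so privatelink.immutacloud.com resolves inside the VPC
#    (Route 53 shown here; the page allows any internal DNS provider).
run aws route53 create-hosted-zone --name privatelink.immutacloud.com \
  --caller-reference "immuta-privatelink-$(date +%s)" \
  --hosted-zone-config PrivateZone=true --vpc "VPCRegion=$REGION,VPCId=$VPC_ID"

# 4. CNAME <tenant>.privatelink.immutacloud.com -> endpoint DNS name.
run aws route53 change-resource-record-sets --hosted-zone-id "${ZONE_ID:-Z0PLACEHOLDER}" \
  --change-batch "$(cname_change_batch "$TENANT" "$ENDPOINT_DNS")"

# 5. Check from a host inside the VPC: once Immuta has accepted the connection, the
#    standard tenant hostname must resolve to the endpoint's private IP addresses.
run getent hosts "$TENANT.hosted.immutacloud.com"
```

After Immuta accepts the connection request, run step 5 from a client in the VPC; an answer outside your VPC's private address range means the tenant hostname is still resolving over the public path.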

Configuring SCIM integrations that require public endpoints

Identity providers that support SCIM often require that the endpoints that they interact with are publicly accessible. In order to accommodate this traffic, Immuta can configure a separate, SCIM-only public traffic ingress for your tenant.

If needed, request a public SCIM ingress when you contact your Immuta representative to have Immuta SaaS private networking enabled.

Configuring private networking for multiple tenants

If you need to enable Immuta SaaS private networking for multiple Immuta SaaS tenants, you only need to configure one endpoint per global segment. For example, if all your tenants are in the EU global segment, you only need to create a VPC endpoint in one of the EU regions from the table above.

At least one endpoint is required, but you can configure multiple endpoints, either for redundancy or to support traffic to your tenants from distinct, isolated networks. If you do create multiple VPC endpoints, please provide all the VPC endpoint IDs from your connection requests to your Immuta representative.

You will still need to create a privatelink.immutacloud.com CNAME record for each tenant. Please ensure that, if you've created separate VPC endpoints per tenant, the CNAME record references the correct VPC endpoint DNS name.
