Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Immuta SaaS supports private connectivity to customer data platforms over both AWS PrivateLink and Azure Private Link. Customers with security and/or compliance requirements to ensure that their data platforms are not routable over the public internet (even with a firewall in place) can have private networking configured to ensure that their standards are met.
Although AWS PrivateLink and Azure Private Link differ in their implementation details, they are fundamentally similar offerings. Customers can expose private services on AWS or Azure networks that Immuta can establish a connection to. How this is done can vary significantly by both data platform and hosting cloud provider, which is why this documentation has been broken down into specific instructions for each combination in the support matrix below.
Snowflake
Databricks
Starburst (Trino)
Amazon Redshift
N/A
Amazon S3
N/A
Azure Synapse Analytics
N/A
Not Yet Supported
Over time, the breadth and depth of private networking support will continue to grow. If there are specific data platforms and/or cloud providers that you require, which are either not listed or not yet supported, please contact your Immuta representative.
Immuta SaaS's global network is divided into large geographic regions called global segments. All Immuta SaaS tenants are deployed into an AWS region inside their chosen segment.
Occasionally, customers require that they be able to connect to data sources outside of that region. To meet those needs, Immuta SaaS supports both cross-region and cross-global-segment connectivity.
This involves connecting to data sources in a different region within a given global segment.
Examples:
a tenant in us-east-1 needs to connect to a Snowflake account in AWS'sus-east-2 region.
a tenant in us-west-2 needs to connect to an Azure Databricks workspace in the westus2 region.
This involves connecting to data sources in a region outside of the tenant's global segment.
Examples:
a tenant in the EU Global Segment needs to connect to a Snowflake account in us-east-2.
a tenant in the AP Global Segment needs to connect to a Starburst instance hosted in Azure's eastus2 region.
AWS PrivateLink provides private connectivity from the Immuta SaaS platform to customer-managed Databricks accounts hosted on AWS. It ensures that all traffic to the configured endpoints only traverses private networks.
This front-end PrivateLink connection allows users to connect to the Databricks web application, REST API, and Databricks Connect API over a VPC interface endpoint. For details about AWS PrivateLink in Databricks and the network flow in a typical implementation, explore the Databricks documentation.
This feature is supported in most regions across Immuta's Global Segments (NA, EU, and AP); contact your Immuta account manager if you have questions about availability.
Ensure that your accounts meet the following requirements:
Your Databricks account is on the E2 version of the platform.
Your Databricks account is on the Enterprise pricing tier.
You have your Databricks account ID from the account console.
You have an Immuta SaaS tenant.
AWS PrivateLink for Databricks has been enabled.
Ensure that your workspace meets the following requirements:
Your workspace must be in an AWS region that supports the E2 version of the platform.
Your Databricks workspace must use Customer-managed VPC to add any PrivateLink connection.
Your workspaces must be configured with private_access_settings objects.
You cannot configure a connection to your workspace over the public internet if PrivateLink is enabled.
If you have PrivateLink configured on your workspace, Databricks will update the DNS records for that workspace URL to resolve to <region>.privatelink.cloud.databricks.com. Immuta SaaS uses these publicly-resolvable records to direct traffic to a PrivateLink endpoint on our network.
This means that if you have PrivateLink enabled on your workspace, you must follow these instructions to configure your integration. Even if your workspace is also publicly-routable, Databricks's DNS resolution forces the traffic over PrivateLink.
The two supported configurations are
A workspace with no PrivateLink configuration, which resolves to public IP addresses.
A workspace with PrivateLink configuration, which allows access from the Immuta SaaS regional endpoint (listed below).
Contact your Databricks representative to enable AWS PrivateLink on your account.
Register the Immuta VPC endpoint for the applicable AWS region with your Databricks workspaces. The Immuta VPC endpoint IDs are listed in the table below.
ap-northeast-1
Asia Pacific (Tokyo)
vpce-08cadda15f0f70462
ap-south-1
Asia Pacific (Mumbai)
vpce-0efef886a4fbd9532
ap-southeast-1
Asia Pacific (Singapore)
vpce-07e9890053f5084b2
ap-southeast-2
Asia Pacific (Sydney)
vpce-0d363d9ea82658bec
ca-central-1
Canada (Central)
vpce-01933bcf30ac4ed19
eu-central-1
Europe (Frankfurt)
vpce-0048e36edfb27d0aa
eu-west-1
Europe (Ireland)
vpce-0783d9412b046df1f
eu-west-2
Europe (London)
vpce-0f546cc413bf70baa
us-east-1
US East (Virginia)
vpce-0c6e8f337e0753aa9
us-east-2
US East (Ohio)
vpce-00ba42c4e2be20721
us-west-2
US West (Oregon)
vpce-029306c6a510f7b79
Identify your private access level (either ACCOUNT or ENDPOINT) and configure your Databricks workspace accordingly.
If the private_access_level on your private_access_settings object is set to ACCOUNT, no additional configuration is required.
If the private_access_level on your private_access_settings object is set to ENDPOINT, using the table above, you will need to add it to the allowed_vpc_endpoint_ids list inside your private_access_settings object in Databricks. For example,
Azure Private Link provides private connectivity from the Immuta SaaS platform, hosted on AWS, to customer-managed Azure Databricks accounts. It ensures that all traffic to the configured endpoints only traverses private networks over the Immuta Private Cloud Exchange.
This front-end Private Link connection allows users to connect to the Databricks web application, REST API, and Databricks Connect API over an Azure Private Endpoint. For details about Azure Private Link for Databricks and the network flow in a typical implementation, explore the Databricks documentation.
Support for Azure Private Link is available in all Databricks-supported Azure regions.
Ensure that your accounts meet the following requirements:
You have an Immuta SaaS tenant.
Your Azure Databricks workspace must be on the Premium or Enterprise pricing tier.
Azure Private Link for Databricks has been configured and enabled.
You have your Databricks account ID from the account console.
Contact your Immuta representative, and provide the following information for each Azure Databricks Workspace you wish to connect to:
Azure Region
Azure Databricks hostname
Azure Databricks Resource ID or Alias
Your representative will inform you when the two Azure Private Link connections have been made available. Accept them in your Azure Databricks workspace configuration.
Configure the Databricks Spark integration using your standard azuredatabricks.net URL.
Register your tables as Immuta data sources. Note that the privatelink-account-url from the JSON object in step one will be the Server when registering data sources.
provides private connectivity from the Immuta SaaS platform to customer-managed Snowflake accounts hosted on AWS. It ensures that all traffic to the configured endpoints only traverses private networks.
This feature is supported in most regions across Immuta's Global Segments (NA, EU, and AP); contact your Immuta account manager if you have questions about availability.
You have an Immuta SaaS tenant.
Your Snowflake account is hosted on AWS.
You have ACCOUNTADMIN role on your Snowflake account to configure the Private Link connection.
In your Snowflake environment, run the following SQL query, which will return a JSON object with the connection information you will need to include in your support ticket:
Note that the privatelink-account-url from the JSON object in step one will be the Server when registering data sources.
provides private connectivity from the Immuta SaaS platform, hosted on AWS, to customer-managed Snowflake Accounts on Azure. It ensures that all traffic to the configured endpoints only traverses private networks over the Immuta Private Cloud Exchange.
Support for Azure Private Link is available in .
You have an Immuta SaaS tenant.
Your Snowflake account is hosted on Azure.
You have ACCOUNTADMIN role on your Snowflake account to configure the Private Link connection.
In your Snowflake environment, run the following SQL query, which will return a JSON object with the connection information you will need to include in your support ticket:
Your Immuta representative will work with you to schedule a time in which to accept the connection in your Snowflake account. They will provide you with a SQL query to run using the ACCOUNTADMIN role. The SQL query will be in this format:
The query should return the following response: Private link access authorized.
This section contains information about private connectivity options for Databricks integrations.
The Immuta SaaS platform supports private connectivity to and the . This allows customers to meet security and compliance controls by ensuring that traffic to data sources from Immuta SaaS only traverses private networks, never the public internet.
Support for AWS PrivateLink is available in most regions across Immuta's Global Segments (NA, EU, and AP); contact your Immuta account manager if you have questions about availability.
Support for Azure Private Link is available in .
AWS PrivateLink provides private connectivity from the Immuta SaaS platform to customer-managed Starburst (Trino) Clusters hosted on AWS. It ensures that all traffic to the configured endpoints only traverses private networks.
This feature is supported in most regions across Immuta's Global Segments (NA, EU, and AP); contact your Immuta account manager if you have questions about availability.
You have an Immuta SaaS tenant.
Your Starburst (Trino) Cluster is hosted on AWS.
If you are using TLS, the presented certificate must have the Fully-Qualified Domain Name (FQDN) of your cluster as a Subject Alternative Name (SAN).
When creating the service, make sure that the Require Acceptance option is checked (this does not allow anyone to connect; all connections will be blocked until the Immuta Service Principal is added).
Only TCP connections over IPv4 are supported.
AWS Region
AWS Subnet Availability Zones IDs (e.g. use1-az3; these are not the account-specific identifiers like us-east-1a or eu-west-2c)
VPC Endpoint Service ID (e.g., vpce-0a02f54c1d339e98a)
DNS Hostname
Ports Used
This section contains information about private connectivity options for Starburst (Trino) integrations.
The Immuta SaaS platform supports private connectivity to Starburst (Trino) clusters hosted in both AWS and Azure. This allows customers to meet security and compliance controls by ensuring that traffic to data sources from Immuta SaaS only traverses private networks, never the public internet.
Support for AWS PrivateLink is available in most regions across Immuta's Global Segments (NA, EU, and AP); contact your Immuta account manager if you have questions about availability.
Support for Azure Private Link is available in .
AWS PrivateLink provides private connectivity from the Immuta SaaS platform to customer-managed Redshift Clusters hosted on AWS. It ensures that all traffic to the configured endpoints only traverses private networks.
This feature is supported in most regions across Immuta's Global Segments (NA, EU, and AP); contact your Immuta account manager if you have questions about availability.
You have an Immuta SaaS tenant.
If you are using TLS, the presented certificate must have the Fully-Qualified Domain Name (FQDN) of your cluster as a Subject Alternative Name (SAN).
When creating the service, make sure that the Require Acceptance option is checked (this does not allow anyone to connect, all connections will be blocked until the Immuta Service Principal is added).
AWS Region
AWS Subnet Availability Zones IDs (e.g. use1-az3; these are not the account-specific identifiers like us-east-1a or eu-west-2c)
VPC Endpoint Service ID (e.g., vpce-0a02f54c1d339e98a)
Ports Used
Private preview: This feature is only available to select accounts.
Azure Private Link provides private connectivity from the Immuta SaaS platform, hosted on AWS, to customer-managed Starburst (Trino) clusters on Azure. It ensures that all traffic to the configured endpoints only traverses private networks over the Immuta Private Cloud Exchange.
Support for Azure Private Link is available in .
You have an Immuta SaaS tenant.
Your Starburst (Trino) cluster is hosted on Azure.
Azure Region
Azure Private Link Service Resource ID or Alias
DNS Hostname
Once the Immuta Azure Subscription is authorized, inform your representative so that Immuta can complete Private Link Endpoint configuration.
This section contains information about private connectivity options for Snowflake integrations.
The Immuta SaaS platform supports private connectivity to Snowflake accounts hosted in both and . This allows customers to meet security and compliance controls by ensuring that traffic to data sources from Immuta SaaS only traverses private networks, never the public internet.
Support for AWS PrivateLink is available in most regions across Immuta's Global Segments (NA, EU, and AP); contact your Immuta account manager if you have questions about availability.
Support for Azure Private Link is available in .
Your Snowflake account is on the .
You have enabled .
Copy the returned JSON object into a support ticket with to request for the feature to be enabled on your Immuta SaaS tenant.
.
.
Your Snowflake account is on the .
Snowflake that an Azure temporary access token be used when configuring the Azure Private Link connection. Due to the constraint imposed by the 1-hour token expiration, your Immuta representative will ask for a time window in which you can accept the connection in your Snowflake account. During this window, the token will be generated by Immuta and provided to you when you're ready to run the following SQL query.
Copy the returned JSON object into a support ticket with to request for the feature to be enabled on your Immuta SaaS tenant.
.
. Note that the privatelink-account-url from the JSON object in step one will be the Server when registering data sources.
You have set up an for your Starburst Cluster endpoints.
If you have configured on your PrivateLink Service, the domain ownership must be verifiable via a public DNS zone. This means that you cannot use a Top-Level Domain (TLD) that is not publicly resolvable, e.g. starburst.mycompany.internal.
Open a support ticket with with the following information:
provided by your representative so that Immuta can complete the VPC Endpoint configuration.
.
.
You have set up an for your Redshift Cluster endpoints.
If you have configured on your PrivateLink Service, the domain ownership must be verifiable via a public DNS zone. This means that you cannot use a Top-Level Domain (TLD) that is not publicly resolvable, e.g. redshift.mycompany.internal.
Open a support ticket with with the following information:
provided by your representative so that Immuta can complete the VPC Endpoint configuration.
.
.
You have set up an for your Starburst cluster.
The Private Link Service's should be set to Restricted by Subscription.
Open a support ticket with with the following information:
Your Immuta representative will provide you with the Immuta Subscription ID that needs to be .
Your representative will inform you when the two Azure Private Link connections have been made available. Accept them in the .
.
.
