Governance Private Networking Over AWS PrivateLink
Immuta SaaS hosts AWS PrivateLink services that organizations can connect to through Amazon VPC endpoints, so that all traffic between your network and the SaaS tenant for the Governance app traverses only private networks (the AWS backbone and your VPC) rather than the public internet.
This feature is supported in most regions across Immuta's global segments (NA, EU, and AP); contact your Immuta representative if you have questions about availability.
This documentation is for configuring access to an Immuta SaaS tenant with the Governance app from an organization's network, not for configuring access from a tenant to an organization's data sources or APIs. For that, please see the documentation on .
Prerequisites:
- You have an Immuta SaaS tenant.
- You have an Amazon VPC in one of the supported regions listed in the global segment tables below.
- Clients (users or services) can reach the Amazon VPC network where the AWS PrivateLink endpoint will be created.
You will need to create an AWS PrivateLink endpoint to connect directly to your tenant over the Immuta SaaS network. Please refer to the AWS PrivateLink documentation for instructions on creating an endpoint.
Immuta has a set of PrivateLink services that you can connect to in different global segments. When creating your endpoint, please choose the service in the same region as your tenant. If you do not know what region your tenant is in, please contact your Immuta representative.
NA segment

us-east-1 (US East (Virginia))
  Service name: com.amazonaws.vpce.us-east-1.vpce-svc-0c33df1aaf78a8955
  Availability zone IDs: use1-az2, use1-az4, use1-az6

us-west-2 (US West (Oregon))
  Service name: com.amazonaws.vpce.us-west-2.vpce-svc-0e35fa96fd264e0a6
  Availability zone IDs: usw2-az1, usw2-az2, usw2-az3

EU segment

eu-central-1 (Europe (Frankfurt))
  Service name: com.amazonaws.vpce.eu-central-1.vpce-svc-027e6fd0c1cf62c68
  Availability zone IDs: euc1-az1, euc1-az2, euc1-az3

eu-west-1 (Europe (Ireland))
  Service name: com.amazonaws.vpce.eu-west-1.vpce-svc-0bd003f6352dc5e58
  Availability zone IDs: euw1-az1, euw1-az2, euw1-az3

eu-west-2 (Europe (London))
  Service name: com.amazonaws.vpce.eu-west-2.vpce-svc-0cb6dcde93257e082
  Availability zone IDs: euw2-az1, euw2-az2, euw2-az3

AP segment

ap-northeast-1 (Asia Pacific (Tokyo))
  Service name: com.amazonaws.vpce.ap-northeast-1.vpce-svc-056d170f71688f5f9
  Availability zone IDs: apne1-az1, apne1-az2, apne1-az4

ap-southeast-2 (Asia Pacific (Sydney))
  Service name: com.amazonaws.vpce.ap-southeast-2.vpce-svc-0f1fad760b7efc4d7
  Availability zone IDs: apse2-az1, apse2-az2, apse2-az3

The zones above are listed as availability zone IDs (for example use1-az2), not zone names. Zone names such as us-east-1a map to different physical zones in different AWS accounts, so compare the zone IDs of your subnets (shown in the VPC console or by describe-subnets) with this list and place the endpoint's network interfaces only in subnets whose zone ID is supported by the service.
VPC endpoints must be associated with at least one security group upon creation. Ensure that the security group allows inbound TCP traffic on port 443 from your clients; the endpoint only needs to accept HTTPS, and nothing else should be opened on it.

DNS

In order to direct traffic for your tenant hostname to your PrivateLink endpoint, you will need to set up DNS resolution in your network for the privatelink.immutacloud.com domain. Create a private zone for this domain with your internal DNS provider (for example, an Amazon Route 53 private hosted zone associated with your VPC) where records for the domain can be created. For instructions on how to do this, refer to your internal DNS provider's documentation.

Once resolution for the domain is configured, create a CNAME record in that zone that resolves <tenant name>.privatelink.immutacloud.com to your newly-created VPC endpoint's DNS name.

For example, if your tenant's hostname is example.hosted.immutacloud.com and your VPC endpoint DNS name is vpce-0d363d9ea82658bec-e4wo04x9.vpce-svc-0d12345ddd89101112.us-east-1.vpce.amazonaws.com, create a CNAME record that resolves example.privatelink.immutacloud.com to that VPC endpoint DNS name.

The end result is that, inside your network, DNS resolution for your tenant hostname directs traffic to your VPC endpoint. Only the privatelink.immutacloud.com zone is hosted internally; the hosted.immutacloud.com name continues to resolve through public DNS, where Immuta's own CNAME points it at your privatelink hostname once the request below is completed.
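The endpoint, its security group, the private zone and the tenant CNAME described above, as an added Terraform example (this is illustration added here, not Immuta's or AWS's own code). It assumes the us-east-1 service and zone IDs from the segment table, a tenant named example, and two input variables, vpc_id and client_cidrs, that are not from this page; subnets are selected by availability zone ID so the endpoint only lands in zones the service supports.

```hcl
# Added example: Terraform for connecting one VPC to the us-east-1 Immuta
# Governance PrivateLink service. vpc_id, client_cidrs and the tenant name
# "example" are assumptions, not values taken from the page.

variable "vpc_id" {
  type = string
}

variable "client_cidrs" {
  description = "CIDR ranges of the users/services that will call the tenant"
  type        = list(string)
}

locals {
  tenant_name = "example"
  # Service name and supported AZ IDs for us-east-1 from the segment table.
  service_name = "com.amazonaws.vpce.us-east-1.vpce-svc-0c33df1aaf78a8955"
  service_azs  = ["use1-az2", "use1-az4", "use1-az6"]
}

# Pick only subnets whose AZ *ID* matches one the service supports. AZ names
# (us-east-1a, ...) differ per account, so filtering on the ID is what matters.
data "aws_subnets" "endpoint" {
  filter {
    name   = "vpc-id"
    values = [var.vpc_id]
  }
  filter {
    name   = "availability-zone-id"
    values = local.service_azs
  }
}

# The endpoint only needs to accept HTTPS from your clients; no egress rules
# are needed for an interface endpoint and nothing else is opened.
resource "aws_security_group" "immuta_privatelink" {
  name        = "immuta-privatelink-endpoint"
  description = "Allow clients to reach the Immuta Governance PrivateLink endpoint"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from internal clients"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.client_cidrs
  }
}

resource "aws_vpc_endpoint" "immuta" {
  vpc_id             = var.vpc_id
  service_name       = local.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = data.aws_subnets.endpoint.ids
  security_group_ids = [aws_security_group.immuta_privatelink.id]
  # Name resolution for the privatelink zone is handled by the private hosted
  # zone below, not by AWS private DNS on the endpoint.
  private_dns_enabled = false
}

# Split-horizon zone: privatelink.immutacloud.com resolves only inside this VPC.
resource "aws_route53_zone" "privatelink" {
  name = "privatelink.immutacloud.com"

  vpc {
    vpc_id = var.vpc_id
  }
}

# <tenant>.privatelink.immutacloud.com -> the endpoint's regional DNS name.
resource "aws_route53_record" "tenant" {
  zone_id = aws_route53_zone.privatelink.zone_id
  name    = "${local.tenant_name}.privatelink.immutacloud.com"
  type    = "CNAME"
  ttl     = 300
  records = [aws_vpc_endpoint.immuta.dns_entry[0].dns_name]
}

# Values to send to your Immuta representative together with the tenant name.
output "vpc_endpoint_id" {
  value = aws_vpc_endpoint.immuta.id
}

output "vpc_endpoint_region" {
  value = "us-east-1"
}
```

The endpoint remains in the pendingAcceptance state until Immuta accepts the connection request. Before sending the outputs, check from a host inside the VPC that example.privatelink.immutacloud.com resolves to the endpoint's private IP addresses (for example with dig or nslookup) and that TCP port 443 on those addresses is reachable through the security group; once Immuta cuts the public hostname over, any client for which either check fails will lose access to the tenant.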
Once you have configured DNS, contact your Immuta representative with the following information in order to have your VPC endpoint connection request accepted and PrivateLink enabled for your tenant:
- Tenant name
- AWS region
- VPC endpoint ID
After the request is completed, continue to use your standard hostname (e.g. example.hosted.immutacloud.com) to access your tenant. An Immuta-managed CNAME record will direct that traffic to your PrivateLink hostname (e.g. example.privatelink.immutacloud.com), which your private zone in turn resolves to the VPC endpoint. Because clients keep connecting with the standard hostname, TLS certificate validation is unaffected by the change.

When Immuta completes this request, your tenant will no longer be publicly accessible: traffic bound for your tenant hostname (e.g. example.hosted.immutacloud.com) is directed to your PrivateLink hostname (e.g. example.privatelink.immutacloud.com), so any client that cannot resolve the privatelink.immutacloud.com zone or cannot reach your VPC endpoint will lose access. Verify the DNS and security group configuration from a client in the VPC before submitting the request.
Any services or data platforms that make requests to the Governance app API will also need to route their traffic over your VPC endpoint. The integrations that require this connectivity are:
To prevent these integrations from becoming degraded, ensure that they can resolve your PrivateLink hostname and send traffic to your VPC endpoint (for example, by associating your private zone with the VPC they run in and allowing their address ranges in the endpoint's security group).