How to Set Up AWS PrivateLink
Securely connect your AWS-deployed services to RudderStack using AWS PrivateLink.
AWS PrivateLink lets you securely connect your AWS-deployed services to RudderStack over the AWS backbone network, without exposing traffic to the public internet. This means you can restrict public access to your services while keeping your data private.
RudderStack supports PrivateLink connections for the following integrations: Snowflake, Redshift, Databricks, and ElastiCache.
Prerequisites
- You have a RudderStack Enterprise plan
- Your AWS service is deployed in a region that supports PrivateLink connectivity
Supported integrations
This section lists the integrations that support AWS PrivateLink.
Snowflake
Snowflake natively supports AWS PrivateLink, letting RudderStack connect to your Snowflake account without routing traffic over the public internet.
Requirements:
- Your Snowflake account must be on the Business Critical plan or higher.
For more information, see the Snowflake PrivateLink documentation.
Redshift
Amazon Redshift offers managed PrivateLink through Redshift-managed VPC endpoints, supporting both provisioned clusters and Redshift Serverless workgroups.
Requirements:
- Your Redshift cluster or workgroup must be deployed in any AWS region where Redshift-managed VPC endpoints are available. For lowest latency and cost, match your RudderStack workspace region (us-east-1, eu-central-1, or ap-south-1). Cross-region access is supported.
For provisioned clusters:
- The cluster must use the RA3 or RG node type (DC2 is not supported).
- Cluster relocation must be enabled (Multi-AZ clusters have this on by default).
Redshift Serverless workgroups are supported with no additional configuration.
Databricks
Databricks supports front-end PrivateLink, which secures the connection between RudderStack and your Databricks workspace control plane.

Databricks front-end PrivateLink is distinct from back-end PrivateLink, which secures the connection between the Databricks control plane and a compute plane running in your AWS VPCs.
Requirements:
Your Databricks workspace must be deployed in one of the following AWS regions:
- us-east-1
- us-west-2
- eu-west-1
- ap-south-1
- ap-southeast-2
For more information, see the Databricks PrivateLink documentation.
ElastiCache
AWS doesn’t offer native PrivateLink support for ElastiCache. To connect RudderStack to your ElastiCache deployment, expose your cluster through a Network Load Balancer (NLB) fronted by a VPC Endpoint Service in your AWS account.

This setup requires additional infrastructure on your end. For architecture recommendations and guidance, contact RudderStack Support.
Requirements
- Your VPC Endpoint Service should be in the same AWS region as your RudderStack workspace (us-east-1, eu-central-1, or ap-south-1) for the lowest latency and cost. Cross-region access is supported but not recommended.
- The Endpoint Service must allow RudderStack’s AWS account as an allowed principal (provided by RudderStack Support).
- Redis cluster-mode-enabled deployments need one NLB target group per shard, or a proxy in front of the cluster — discuss the topology with RudderStack Support before building.
What to share with RudderStack Support
- VPC Endpoint Service name (com.amazonaws.vpce.<region>.vpce-svc-xxxxxxxx) and region
- Engine and mode (Redis cluster-mode-enabled / cluster-mode-disabled / Memcached)
- Whether TLS is enabled
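A pre-handoff check for the ElastiCache requirements above, as an added example that is not RudderStack's or AWS's own code: it reads the saved JSON output of two AWS CLI describe calls and verifies the service name format, region, attached NLB, and allowed principals. The principal ARN, account IDs and service ID are constructed placeholders, and flagging principals other than the expected one is a least-privilege assumption beyond the page's stated requirement.

```python
import re

# Workspace regions listed in the requirements above.
WORKSPACE_REGIONS = {"us-east-1", "eu-central-1", "ap-south-1"}
SERVICE_NAME_RE = re.compile(r"^com\.amazonaws\.vpce\.([a-z0-9-]+)\.vpce-svc-[0-9a-f]+$")


def audit_endpoint_service(config, permissions, expected_principal):
    """Check one VPC Endpoint Service against the requirements above.

    config: one ServiceConfigurations item from
        `aws ec2 describe-vpc-endpoint-service-configurations`
    permissions: output of
        `aws ec2 describe-vpc-endpoint-service-permissions`
    Returns (details_to_share, findings); details is None if the name is malformed.
    """
    name = config.get("ServiceName", "")
    match = SERVICE_NAME_RE.match(name)
    if not match:
        return None, ["service name is not com.amazonaws.vpce.<region>.vpce-svc-..."]
    region, findings = match.group(1), []
    if region not in WORKSPACE_REGIONS:
        findings.append(f"{region} is outside the workspace regions (cross-region)")
    if not config.get("NetworkLoadBalancerArns"):
        findings.append("no Network Load Balancer attached")
    allowed = {p["Principal"] for p in permissions.get("AllowedPrincipals", [])}
    if expected_principal not in allowed:
        findings.append("RudderStack principal is not an allowed principal")
    for extra in sorted(allowed - {expected_principal}):
        # "*" lets any AWS account request a connection to the service.
        findings.append("wildcard principal '*'" if extra == "*"
                        else f"unexpected principal {extra}")
    return {"service_name": name, "region": region}, findings


# Constructed sample data; the account ID is a placeholder, not RudderStack's.
RUDDERSTACK_PRINCIPAL = "arn:aws:iam::111122223333:root"
SAMPLE_CONFIG = {
    "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
    "NetworkLoadBalancerArns": ["arn:aws:elasticloadbalancing:us-east-1:"
                                "444455556666:loadbalancer/net/redis-nlb/0123456789abcdef"],
}
SAMPLE_PERMISSIONS = {"AllowedPrincipals": [{"Principal": RUDDERSTACK_PRINCIPAL}]}

if __name__ == "__main__":
    details, findings = audit_endpoint_service(
        SAMPLE_CONFIG, SAMPLE_PERMISSIONS, RUDDERSTACK_PRINCIPAL)
    print(details, findings or "no findings")
```

The returned details are the service name and region from the list above; engine, mode and TLS status are not visible in these two API responses and still have to be supplied separately.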
Get started
To set up AWS PrivateLink for any of the supported integrations, contact RudderStack Support with the following details:
- The integration you want to connect (Snowflake, Redshift, Databricks, or ElastiCache)
- The AWS region where your service is deployed
- Any relevant account or endpoint identifiers
The RudderStack team will coordinate the PrivateLink setup and provide you with the necessary configuration steps.