127 changes: 127 additions & 0 deletions cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc
@@ -0,0 +1,127 @@
= Setting Up an Outbound Private Link Connection

This document describes the steps to configure an outbound private link connection from CloudHub 2.0 private spaces.


== Before You Begin

. Provision a xref:ps-create-configure.adoc[private space] in CloudHub 2.0.
. Obtain a bearer token for calling APIs.
+
Make sure that the owner of the bearer token has permissions to manage private spaces.

== Configure the Outbound Connections

Follow these steps to set up an outbound private link connection from your CloudHub 2.0 private space:

. Gather private space availability zones (AZs) and AWS Account ID.
.. Retrieve information about availability zones for your private space.
+
[source,curl,linenums]
----
curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/azs -H "Authorization:$AUTHTOKEN"
----
+
.. Retrieve information about accounts associated with your private space.
+
[source,curl,linenums]
----
curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/accounts -H "Authorization:$AUTHTOKEN"
----
+
. Set up VPC endpoint services (if the endpoint services are self-hosted).
.. https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create a service powered by AWS PrivateLink].
.. If the service is hosted in the same region as the private space, set up the services in the same availability zone as the private space (obtained in the first step of this section). For cross-region services, you don’t need AZ alignment.
+
[NOTE]
Validation for cross-region connectivity isn't yet complete; its success depends on the configuration.
+
. Share the VPC endpoint services with your CloudHub 2.0 private space.
.. https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html[Configure an endpoint service].
.. From VPC *Endpoint services*, select *Allow principals*.
... Add `arn:aws:iam::{accountId}:root` as principal.
+
The `{accountId}` is obtained in the first step of this section.
. Gather this information for the API:
.. Service Name: the endpoint service name.
+
For example, customer-hosted endpoint service: `com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxxxxxxxx`.
+
For example, AWS hosted service: `com.amazonaws.us-west-2.s3`.
.. Service Region: the region where the VPC endpoint service is located.
.. Service Owner: the owner of the VPC endpoint service.
... Account ID of the endpoint service.
... “amazon”, if it’s an Amazon service.
.. Availability Zone IDs: the IDs of the availability zones where you want to establish the private link.
+
Make sure that the availability zone IDs are the ones used by the private space (obtained in the first step of this section), and that the VPC endpoint service is hosted in those availability zones.
. Create a VPC endpoint in CloudHub 2.0 via API:
+
[source,curl,linenums]
----
curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:$AUTHTOKEN" -H "Content-Type:application/json" -d '{
"name": "{any name}",
"serviceName": "{service name}",
"serviceRegion": "{service region}",
"serviceOwner": "{service owner}",
"azIds": [{aws-az-id1}, {aws-az-id2}]
}‘
----
+
If the VPC endpoint is successfully created, the API returns a `vpceId`.
. Get the VPC endpoint status in CloudHub 2.0 using API:
+
[source,curl,linenums]
----
curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN"
----
+
.. If successful, it returns the DNS names of the VPC endpoint.
.. It also returns the provisioning status:
... `Invalid`: VPCE creation failed.
... `Valid`: VPCE is being provisioned.
... `Available`
... `PendingAcceptance`
. Use this command to update a VPC endpoint:
+
[source,curl,linenums]
----
curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceId} -H "Authorization:$AUTHTOKEN" -H "Content-Type:application/json" -d '{
"name": "{any name}",
"serviceName": "{service name}",
"serviceRegion": "{service region}",
"serviceOwner": "{service owner}",
"azIds": [{aws-az-id1}, {aws-az-id2}]
}‘
----
+
. Use this command to delete a VPC endpoint:
[source,curl,linenums]
----
curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN"
----

== Entitlements

Each VPC endpoint consumes one network connection entitlement per availability zone.

[NOTE]
If you want to configure high availability, set up the private link connection with at least two availability zones. This consumes two network connection entitlements.


== Limitations
* Outbound connections have a contractual limit of 56.48 GB of data transferred per root organization per hour.
* This configuration supports interface endpoints only.
* This configuration doesn't support CloudHub VPCs.
* This configuration doesn't support CloudHub 2.0 private spaces that are xref:cloudhub::vpc-upgrade.adoc[upgraded from CloudHub VPCs].
* Network connections are subject to these limits:
** VPNs per private space: 10
** TGW per private space: 5
** VPC endpoints per private space: 20




== See Also
* xref:access-management::saml-bearer-token.adoc[]
* https://help.salesforce.com/s/articleView?id=001115323&type=1[How to generate your Authorization Bearer token for Anypoint Platform]
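Review bot: the create (POST) and update (PATCH) request bodies close with a typographic quote (`}‘`) instead of the ASCII `'` that opens the `-d '{` argument, so the commands as pasted leave the shell quote unterminated; change both to `}'`. In the same bodies, `"azIds": [{aws-az-id1}, {aws-az-id2}]` is not valid JSON once the placeholders are substituted, since AZ IDs are strings; quote them, for example `"azIds": ["{aws-az-id1}", "{aws-az-id2}"]`. The path placeholder is written `{vpceid}` in the GET and DELETE examples but `{vpceId}` in the PATCH example and in the sentence "the API returns a `vpceId`"; use one spelling. The delete step is missing the `+` list-continuation line before `[source,curl,linenums]` that every other step has, so the listing will not render attached to that list item. The "Before You Begin" section says to obtain a bearer token, but the examples send `-H "Authorization:$AUTHTOKEN"`, which only works if `$AUTHTOKEN` already contains the `Bearer ` prefix; either state that or write `Authorization: Bearer $AUTHTOKEN`. Finally, the status list leaves `Available` and `PendingAcceptance` undescribed; `PendingAcceptance` implies the endpoint service owner must accept the connection request when the service is configured to require acceptance, which is worth stating in the "Share the VPC endpoint services" step next to the `Allow principals` instruction, since that is where the reader controls it.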