AWS Endpoint Services

Creating an endpoint service

Prerequisites

Make sure you have reviewed the AWS PrivateLink documentation first and that you meet the requirements for using PrivateLink.

About

For AWS resources (e.g., EC2 instances, load balancers, etc.) that are not publicly accessible and/or that you would like to connect to privately from the Monte Carlo Platform as if they were in the same VPC, you can create an endpoint service powered by AWS PrivateLink. See details here.

Steps

You can follow the example below to get started with creating an endpoint service via the AWS console. If you prefer, you can also use the AWS API, CLI, or any other tool of your choice to manage and update any configuration.

Check the region of your resource!

Endpoint services are only available within an AWS region, so make sure you are in the correct region and that it is supported by Monte Carlo before getting started.

  1. Create a Target Group
    Navigate to the Target Groups subsection of the EC2 console and select "Create target group." Follow the wizard and then register the targets.

    1. Target type - This depends on where your service (integration) is running. Select instance, IP address, or load balancer as applicable. This also defines what you will register as targets.
    2. Target group name - Give the group a name.
    3. Protocol : Port - This depends on the target type selected above and the port your resource listens on.
    4. IP address type - IPv4
    5. VPC - Select either the VPC your resource is deployed in or another VPC that has connectivity to your resource.
  2. Create a Network Load Balancer (NLB)
    Navigate to the Load Balancers subsection of the EC2 console and select "Create load balancer." Choose Network Load Balancer and proceed with the creation. Then follow the wizard:

    1. Load balancer name - Give the load balancer a name.
    2. Scheme - Internal.
    3. Load balancer IP address type - IPv4.
    4. VPC - Select the same VPC in which you deployed the target group from Step 1.
    5. Mappings - Select one or more private subnets.
    6. Security groups - Select a security group, if applicable. Generally, this group should be allowed access to the resource.
    7. Listeners - Select the target group, protocol, and port from Step 1.
  3. Verify the target group is healthy
    After the load balancer from Step 2 has finished creating (i.e., is active), navigate back to the target group created in Step 1. Select the target and review the health status. It should be listed as "Healthy."

    AWS Console Example

    If your target is "Unhealthy," please ensure that the security group for your resource allows access from the NLB and that the health check is using the correct protocol and port. For additional status information, you can refer to this AWS documentation.

  4. Enable cross-zone load balancing
    If you selected more than one subnet (availability zone) when creating the NLB in Step 2, please navigate back to the Load Balancer, then select Actions -> Edit load balancer attributes. From this page, select "Enable cross-zone load balancing" and save your changes.

    AWS Console Example

  5. Create a VPC Endpoint Service
    Navigate to the VPC console, select "Endpoint services," and choose "Create endpoint service." Then follow the wizard:

    1. Name - Give the service a name.
    2. Load balancer type - Network.
    3. Available load balancers - Select the NLB created in Step 2.
    4. Require acceptance for endpoint - Yes (enable acceptance required).
    5. Enable private DNS name - No.
    6. Supported IP address types - IPv4.
  6. Allow the Monte Carlo Principal

    After the endpoint service finishes creating, navigate to the "Allow principals" section and select "Allow principals." Add the following account: arn:aws:iam::590183797493:role/mcd-platform-services

    AWS Console Example

  7. Save VPC Endpoint Service Details
    Navigate to the Details tab of the endpoint service created in Step 5 and save the "Service name" and the AWS Account ID/Region where the service is deployed. You can retrieve the region and account ID from the Network Load Balancer's ARN found in the same section.

  8. Request PrivateLink Establishment
    Contact us at [email protected] to request the establishment of a VPC endpoint for AWS.
    Be sure to include the following information in your message:

    1. Monte Carlo Account ID (can be found here)
    2. Integration type (e.g., Redshift Serverless, Tableau, etc.)
    3. VPC Endpoint service name
    4. Original host
    5. Port
    6. AWS Region
    7. AWS Account ID
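    Before sending the request in Step 8, it helps to confirm that what was built in Steps 2 to 7 matches this guide. The following added example (not Monte Carlo's code) runs those checks over the JSON shapes returned by the AWS describe-* API calls named in its comments; the sample responses and the account ID 111111111111 are constructed placeholders.

```python
"""Added example (not Monte Carlo's code): check an endpoint-service setup against
steps 2 to 7 of this guide using the JSON shapes the AWS API returns. Sample
responses below are constructed; 111111111111 is a placeholder account ID."""
MC_PRINCIPAL = "arn:aws:iam::590183797493:role/mcd-platform-services"  # step 6


def details_from_arn(nlb_arn):
    """Step 7: the NLB ARN carries the region (field 3) and account ID (field 4)."""
    parts = nlb_arn.split(":")
    return parts[4], parts[3]


def validate(nlb, nlb_attrs, target_health, service, permissions):
    """Return a list of findings; an empty list means the setup matches the guide."""
    findings = []
    if nlb["Scheme"] != "internal":  # step 2: Scheme - Internal
        findings.append("NLB scheme must be internal")
    unhealthy = [t["Target"]["Id"] for t in target_health["TargetHealthDescriptions"]
                 if t["TargetHealth"]["State"] != "healthy"]
    if unhealthy:  # step 3: every registered target should be Healthy
        findings.append(f"unhealthy targets: {unhealthy}")
    attrs = {a["Key"]: a["Value"] for a in nlb_attrs["Attributes"]}
    cross_zone = attrs.get("load_balancing.cross_zone.enabled") == "true"
    if len(nlb["AvailabilityZones"]) > 1 and not cross_zone:  # step 4
        findings.append("multiple subnets but cross-zone load balancing is off")
    if not service["AcceptanceRequired"]:  # step 5: Require acceptance - Yes
        findings.append("acceptance is not required")
    if service.get("PrivateDnsName"):  # step 5: Enable private DNS name - No
        findings.append("private DNS name should not be set")
    if MC_PRINCIPAL not in {p["Principal"] for p in permissions["AllowedPrincipals"]}:
        findings.append("Monte Carlo principal is not allowed")
    return findings


# Constructed responses for describe-load-balancers, describe-load-balancer-attributes,
# describe-target-health, describe-vpc-endpoint-service-configurations (one entry)
# and describe-vpc-endpoint-service-permissions. Cross-zone is deliberately left off.
SAMPLE_NLB = {"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111111111111:"
              "loadbalancer/net/mc-nlb/0123456789abcdef", "Scheme": "internal",
              "AvailabilityZones": [{"ZoneName": "us-east-1a"}, {"ZoneName": "us-east-1b"}]}
SAMPLE_ATTRS = {"Attributes": [{"Key": "load_balancing.cross_zone.enabled", "Value": "false"}]}
SAMPLE_HEALTH = {"TargetHealthDescriptions": [
    {"Target": {"Id": "i-0abc", "Port": 5439}, "TargetHealth": {"State": "healthy"}}]}
SAMPLE_SERVICE = {"ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123",
                  "AcceptanceRequired": True,
                  "NetworkLoadBalancerArns": [SAMPLE_NLB["LoadBalancerArn"]]}
SAMPLE_PERMS = {"AllowedPrincipals": [{"PrincipalType": "Role", "Principal": MC_PRINCIPAL}]}


def sample_findings():  # on the sample, only the step 4 finding should remain
    return validate(SAMPLE_NLB, SAMPLE_ATTRS, SAMPLE_HEALTH, SAMPLE_SERVICE, SAMPLE_PERMS)
```

    Feed the real responses (for example from the AWS CLI with `--output json`) into `validate` and resolve every finding before contacting Monte Carlo.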

Note: Do not proceed until you receive confirmation from Monte Carlo that the endpoint has been created.

Typically, you will receive a response within 24-48 hours (US business days).

  9. Accept the Endpoint
    Navigate back to the endpoint service created in Step 5. Select "Endpoint connections," then select the requested endpoint. Choose "Actions" and finally accept the applicable "endpoint connection request."

    The state should change from Pending to Available within 1-2 minutes.

    AWS Console Example

  10. Update the Security Group for the NLB
    Navigate to the EC2 console and select the NLB you created in Step 2. From the Security tab for this NLB, select the relevant security group. Update the inbound settings to include the private IP addresses as the source that Monte Carlo provided to you in Step 8. The port should be the same as what you provided when setting up the NLB/target group.

  11. Contact Monte Carlo
    Reply to your message from [email protected] to let us know that steps 9 and 10 have been completed. Monte Carlo will then notify you once the process is complete and when you can continue.

Note: Do not proceed until you receive confirmation from Monte Carlo.

Typically, you will receive a response within 24-48 hours (US business days).

  12. Continue Onboarding
    Refer back to your relevant guide to continue the onboarding process.