Cloudera Private Link Network for AWS

Cloudera Private Link Network enables you to connect privately and securely to the CDP Control Plane without traversing the internet. Using AWS PrivateLink and Transit Gateway, you can use Cloudera Private Link Network to keep your workload traffic between AWS VPC endpoints and the CDP Control Plane encrypted end to end.

This documentation provides the following details and steps about Cloudera Private Link Network:
  • High-level options of VPC endpoint placement
  • Configuration options and other considerations for DNS overrides
  • Cloudera Private Link Network deployment process
  • Instructions on how to set up both Private Link options:
    • VPC: Setup of Cloudera Private Link Network for a workload VPC through CDP CLI
    • Authorization: Authorization with CDP CLI to enable the setup of Cloudera Private Link Network through your automation tools
  • References for proxy profile configuration and considerations, and Cloudera Private Link Network commands

Comparison of connectivity setup without and with Cloudera Private Link Network

Without Cloudera Private Link Network, your workload environment communicates with the CDP Control Plane through the internet. This traffic may optionally flow through a managed egress proxy. The following two diagrams illustrate this:
Figure 1. Connectivity from workload environment to CDP Control Plane via internet
Figure 2. Connectivity from workload environment to CDP Control Plane via internet and egress proxy

With Cloudera Private Link Network, the CDP Control Plane is accessed as if the Control Plane were on your network. This means that the CDP Control Plane services are assigned IP addresses from your network, and DNS lookups return those local IP addresses.

To ensure private connectivity through network ingress between the workload environment and CDP Control Plane, VPC endpoints can be added. The following illustration details the scenario where the VPC endpoints are in the same VPC as your workload environment. In this case, the VPC endpoints receive IPs from the workload environment VPC subnets:
Figure 3. VPC endpoint in workload environment VPC

The following options are available for DNS overrides:

  • DNS is a per-VPC view: Deploying a VPC endpoint with the private DNS option enabled automatically installs the DNS overrides in the local VPC.
  • DNS is a regional or global view: Installing overrides at a regional or global scope affects DNS resolution for other VPCs; those VPCs will then attempt to use the VPC endpoints of the local VPC.

This section does not include an exhaustive list of design options, but should cover most cases. For more information about more advanced use cases, see the Additional VPC scenarios section.

Cloudera Private Link Network creates an additional layer of security with Private Links, security groups with an inbound rule, and AWS Transit Gateway. If security groups are already present in your network, they are updated with an inbound rule for HTTPS traffic. Because the inbound rules are created or updated while setting up Cloudera Private Link Network, outbound rules can be removed.

DNS overrides

The DNS hostnames for CDP services remain the same whether the services are accessed through the internet or through VPC endpoints. By default, resolvers in customer networks perform DNS lookups against the public internet, so responses contain the public internet IP addresses of the CDP services. DNS override records must therefore be set up in your DNS infrastructure, repointing the hostnames to the VPC endpoint IP addresses. For more information, see Setting up DNS overrides.
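The following Python check is an added example, not part of Cloudera's documentation: it resolves each CDP Control Plane hostname and reports whether every returned address falls inside the VPC CIDRs (override in effect), none does (still public), or only some do (a mixed answer, where round-robin resolution would send part of the traffic over the internet). The hostnames, CIDRs and sample resolver results are constructed placeholders; replace them with the hostnames from your CDP account and your VPC CIDR.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Hypothetical CDP Control Plane hostnames (placeholders, not real CDP names).
CDP_HOSTNAMES = ["api.example-cdp.invalid", "console.example-cdp.invalid"]

# Constructed resolver answers used for the offline demonstration.
SAMPLE_ANSWERS = {
    "api.example-cdp.invalid": ["10.20.3.17", "10.20.4.9"],   # override in place
    "console.example-cdp.invalid": ["203.0.113.5"],           # still public
}


def resolve_all(hostname: str) -> List[str]:
    """Return every A record for hostname using the system resolver."""
    _, _, addrs = socket.gethostbyname_ex(hostname)
    return addrs


def resolver_from_table(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Build a stand-in resolver from a constructed table; unknown names fail like NXDOMAIN."""
    def resolve(hostname: str) -> List[str]:
        if hostname not in table:
            raise OSError(f"{hostname}: name not found")
        return table[hostname]
    return resolve


def check_dns_overrides(hostnames: List[str], vpc_cidrs: List[str],
                        resolve: Callable[[str], List[str]] = resolve_all) -> Dict[str, str]:
    """Classify each hostname as 'private', 'public', 'mixed' or 'unresolvable'."""
    networks = [ipaddress.ip_network(c) for c in vpc_cidrs]
    report: Dict[str, str] = {}
    for host in hostnames:
        try:
            addrs = resolve(host)
        except OSError as exc:              # socket.gaierror is a subclass of OSError
            report[host] = f"unresolvable ({exc})"
            continue
        inside = [a for a in addrs if any(ipaddress.ip_address(a) in n for n in networks)]
        if addrs and len(inside) == len(addrs):
            report[host] = "private"        # all answers point at VPC endpoint addresses
        elif inside:
            report[host] = "mixed"          # some answers still leak to public IPs
        else:
            report[host] = "public"         # override not in effect
    return report


if __name__ == "__main__":
    demo = check_dns_overrides(CDP_HOSTNAMES, ["10.20.0.0/16"], resolver_from_table(SAMPLE_ANSWERS))
    for host, status in demo.items():
        print(f"{host}: {status}")
```

Run it against the live resolver from inside the workload VPC by calling `check_dns_overrides(hostnames, [vpc_cidr])` without the table, which also surfaces the regional/global-override case where a different VPC's endpoint addresses come back.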