Cloudera Docs

Creating Cloudera Private Links Network with Authorization option

Learn about how to create Cloudera Private Links Network using the Authorization option.

Required Role: EnvironmentCreator or PowerUser

You need to use the following CLI command to create the Cloudera Private Links Network using your own network automation:
cdp cloudprivatelinks authorize-private-link-service-access

This command is used to authorize access to the Private Link services for your cloud account.

The following parameters should be specified:
Parameter Description
cloudAccountId Your AWS account ID where the private endpoints are created. The account ID needs to be provided, because Cloudera needs to authorize the account for private link service access.
region Region of the Cloudera Control Plane.
serviceGroup Name of the Cloudera service group.
The following is an example command for creating Cloudera Private Links Network:
cdp cloudprivatelinks authorize-private-link-service-access --cli-input-json '{    
"cloudAccountId" : "112313717721", 
"region": "us-west-2",
"serviceGroup": "cdp-control-plane",
}'
The executed command performs the following sequence of steps:
  1. Identifying the appropriate VPC endpoint service for the request. Existing vpc-svcs are filtered for the requested Cloudera service component and region.
  2. Authorizing access to the VPC endpoint service is performed.
The command returns the Private Link service name, Cloudera service component and the authorization status as shown in the following example:
{
    "authorizePrivateLinkServiceAccessResults": [
        {
            "privateLinkService": "com.amazonaws.vpce.us-west-2.vpce-svc-0ce5a427a56d80603",
            "serviceComponent": "ccmv2",
            "authorizationStatus": "SUCCESS",
            "availabilityZoneList": "[usw2-az2, usw2-az1, usw2-az3]",
            "vpceClientTcpPortList": "[443]",
            "hostname": "[*.v2.ccm.cdp.mow-dev.cloudera.com]"
        },
    ]
}
After executing the command, you have to manually complete the following steps:
  1. Create a security group for the VPC endpoint with the returned ports.

    For more information about how to create security groups, see the AWS documentation.

  2. Create a VPC endpoint with the previously created security group and the VPC endpoint service filtered.

    For more information about how to create VPC endpoints, see the AWS documentation.

You can verify that the domains of the respective Cloudera service components are reachable and resolve to private IPs from your VPC using the following command with the returned tracking ID from creating private link endpoints:
cdp cloudprivatelinks list-private-link-endpoint-statuses
--tracking-id [***ID***]
You can also check this by accessing the Monitoring tab of the endpoints in the AWS Console.