Creating Cloudera Private Links Network with VPC option

Learn about how to create Cloudera Private Links Network using the VPC option.

Required Role: EnvironmentCreator or PowerUser

You need to use the following CDP CLI command to create the Cloudera Private Links Network with VPC option:
cdp cloudprivatelinks create-private-link-endpoint

This command is used to create a private link endpoint in your workload VPC. This establishes the private link connectivity between the VPC endpoint created and the respective VPC endpoint service present in the Cloudera Control Plane. The private link will be created for all supported components.

The following parameters should be specified:
Parameter Description
enablePrivateDns Specifies whether private DNS needs to be enabled on the VPC endpoint.
awsAccountDetails This should have the following fields
  • cloudAccountId - Your AWS account ID where the private endpoints are created. The account ID needs to be provided, because Cloudera needs to authorize the account for private link service access.
  • crossAccountRoleDetails or credentialCrn - The crossAccountRoleDetails can be provided with explicit crossAccountRole and externalId. You can also use credentialCrn that is configured with default policy or reduced access policy for provisioning the VPC endpoint.
  • region - You can provide the AWS region where the private endpoint needs to be created.
  • vpcId - The VPC ID in which private endpoint needs to be createdsubnetIds - IDs of the private subnets in which a private endpoint needs to be created
  • subnetIds - It is recommended to provide the private subnet from each of the available zones. Without a specific subnet, there is no way to associate the private endpoint with your VPC resources. This is also required for fault tolerance and high availability.
The following is an example command for creating Cloudera Private Links Network:
cdp cloudprivatelinks create-private-link-endpoint --cloud-service-provider aws
 --cli-input-json '{
  "enablePrivateDns": true,
  "awsAccountDetails": {
  "cloudAccountId": "112313717721"
    "crossAccountRoleDetails": {
      "crossAccountRole":
"arn:aws:iam::112313717721:role/test-privatelinkservice-xaccount-role",
      "externalId": "51962fcf-4205-495d-ab4a-c82c5613a99f"
    },
    "region": "us-west-2",
    "vpcId": "vpc-0d006493309f23c3",
    "subnetIds": [
      "subnet-0e5812d895de60c47"]
  }
}'
The executed command performs the following sequence of steps:
  1. Identifying the appropriate VPC endpoint service for the request. Existing vpc-svcs are filtered for the requested Cloudera service component and region.
  2. Authorizing access to the VPC endpoint service is performed.
  3. Creating a security group for the VPC endpoint with the provided ports.
  4. Creating a VPC endpoint with the security group created and the VPC endpoint service filtered.
The command returns a trackingId, which can be used to verify that the domains of the respective Cloudera service components are reachable and resolve to private IPs from your VPC using the following command with the returned tracking ID from creating private link endpoints:
cdp cloudprivatelinks list-private-link-endpoint-statuses
--tracking-id [***ID***]
You can also check this by accessing the Monitoring tab of the endpoints in the AWS Console.