Skip to main content
Version: 0.8

Use Tecton with PrivateLink

Tecton supports private networking on AWS with cross-VPC endpoints. In order to configure private cross-VPC (PrivateLink) connections, you will create an internal VPC endpoint that peers with your Tecton control-plane’s VPC endpoint service. With this configuration in place, all requests between your VPC and Tecton will be peered via PrivateLink.

Setup​

During Tecton setup, a VPC endpoint service can be created & exposed to your private VPC(s). Tecton restricts connections to this VPC endpoint service with a service principal allowlist, so you will need to specify the service principal of your connecting VPC (usually arn:aws:iam::<aws-account-id>:root, where <aws-account-id> is the account ID that owns the VPC endpoint that will be connecting). This configuration can be done in the AWS console, or with Tecton’s provided Terraform module.

  1. Open a Support Ticket and provide your Service Principal ARN. We will then provide you with a VPC endpoint service name that you can connect to.
  2. Create a VPC endpoint (AWS Console → VPC → Endpoints → Create VPC Endpoint), AWS Docs
    1. Navigate to VPC → Endpoints
    2. Click Create endpoint
    3. Set the following options for the new endpoint:
      1. Service Category - Other endpoint services
      2. Service name - VPC endpoint service name for your Tecton deployment. This will be provided by Tecton.
      3. VPC - The internal VPC that you will be accessing Tecton from.
  1. Open a Support Ticket and provide your Service Principal ARN. We will then provide you with a VPC endpoint service name that you can connect to.

  2. From the Terraform module, create an instance of the module as follows:

    module "privatelink" {
    providers = {
    aws = aws
    }
    source = "git@github.com:tecton-ai/tecton-terraform-setup.git//privatelink/cross_vpc"

    vpc_endpoint_service_name = "<vpce-service-name>" # Provided by Tecton
    vpc_id = "<vpc-id>" # Your internal VPC id to create the endpoint in
    vpc_endpoint_subnet_ids = ["<subnet-ids>"] # Your internal subnets to connect to the endpoint service
    enable_vpc_endpoint_private_dns = true
    }

Was this page helpful?