Use Tecton with PrivateLink
Tecton supports private networking on AWS with cross-VPC endpoints. In order to configure private cross-VPC (PrivateLink) connections, you will create an internal VPC endpoint that peers with your Tecton control-plane’s VPC endpoint service. With this configuration in place, all requests between your VPC and Tecton will be peered via PrivateLink.
Setup​
During Tecton setup, a VPC endpoint service can be created & exposed to your
private VPC(s). Tecton restricts connections to this VPC endpoint service with a
service principal allowlist, so you will need to specify the service principal
of your connecting VPC (usually arn:aws:iam::<aws-account-id>:root
, where
<aws-account-id>
is the account ID that owns the VPC endpoint that will be
connecting). This configuration can be done in the AWS console, or with Tecton’s
provided
Terraform module.
Configuring PrivateLink through the AWS Console​
- Open a Support Ticket and provide your Service Principal ARN. We will then provide you with a VPC endpoint service name that you can connect to.
- Create a VPC endpoint (AWS Console → VPC → Endpoints → Create VPC Endpoint),
AWS Docs
- Navigate to VPC → Endpoints
- Click
Create endpoint
- Set the following options for the new endpoint:
Service Category
- Other endpoint servicesService name
- VPC endpoint service name for your Tecton deployment. This will be provided by Tecton.VPC
- The internal VPC that you will be accessing Tecton from.
Configuring PrivateLink through Terraform​
-
Open a Support Ticket and provide your Service Principal ARN. We will then provide you with a VPC endpoint service name that you can connect to.
-
From the Terraform module, create an instance of the module as follows:
module "privatelink" {
providers = {
aws = aws
}
source = "git@github.com:tecton-ai/tecton-terraform-setup.git//privatelink/cross_vpc"
vpc_endpoint_service_name = "<vpce-service-name>" # Provided by Tecton
vpc_id = "<vpc-id>" # Your internal VPC id to create the endpoint in
vpc_endpoint_subnet_ids = ["<subnet-ids>"] # Your internal subnets to connect to the endpoint service
enable_vpc_endpoint_private_dns = true
}