
PrivateLink

Expose your deployment as a VPC endpoint service for private connectivity on AWS

AWS PrivateLink lets you expose your LaserData Managed deployment as a VPC endpoint service. Consumers in your AWS account (or other authorized accounts) create interface VPC endpoints to connect privately — traffic stays within the AWS network and never touches the public internet.

PrivateLink is available for Managed deployments on AWS only. BYOC deployments run in your VPC and do not need PrivateLink. Requires the Pro or Enterprise plan.

PrivateLink inverts the VPC Peering model. Instead of connecting two VPCs, the deployment is exposed as a service that consumers connect to through endpoints in their own VPCs:

  • No VPC CIDR coordination — no need to worry about overlapping IP ranges
  • Cross-account access — authorize other AWS accounts to connect without sharing VPCs
  • Unidirectional — consumers connect to your deployment, but the deployment cannot reach into consumer VPCs
  • Scalable — multiple consumers can connect independently

How It Works

  1. You create an endpoint service on your LaserData deployment
  2. LaserData provisions an AWS VPC Endpoint Service backed by the deployment's Network Load Balancer
  3. Consumers create interface VPC endpoints in their own VPCs, pointing to the service name
  4. Traffic flows privately from consumer VPCs to the deployment through the AWS network

Prerequisites

  • A running Managed deployment on AWS with a Network Load Balancer
  • Pro or Enterprise plan

Creating an Endpoint Service

From the Console

  1. Navigate to your deployment and open the Networking tab
  2. Click Add PrivateLink
  3. Enter a name for the endpoint service (must be unique within the deployment)
  4. Choose whether acceptance is required — when enabled (default), new endpoint connections must be manually approved before traffic can flow. Disable this only if you trust all allowed principals.
  5. Optionally add allowed principals — AWS IAM ARNs (e.g. arn:aws:iam::123456789012:root) that are permitted to create endpoints against this service. If left empty, any AWS account can discover and request a connection.
  6. Click Create

LaserData provisions the AWS VPC Endpoint Service and returns the service name (e.g. com.amazonaws.vpce.us-east-1.vpce-svc-0abc123def...). Consumers use this service name to create their endpoints.

What Gets Created

When you create an endpoint service, LaserData automatically:

  • Creates an AWS VPC Endpoint Service linked to the deployment's Network Load Balancer
  • Configures the acceptance policy and allowed principals
  • Returns the service name that consumers need

Connecting as a Consumer

Once the endpoint service is created, consumers create interface VPC endpoints in their own AWS account:

Step 1 — Create the VPC Endpoint

  1. Open the AWS VPC Console in the consumer account
  2. Go to Endpoints → Create Endpoint
  3. Select Other endpoint services
  4. Enter the service name provided by the endpoint service owner
  5. Click Verify service to confirm the name resolves
  6. Select the VPC, subnets, and security groups for the endpoint

Step 2 — Accept the Connection (if required)

If acceptance_required is enabled on the endpoint service, the connection must be accepted:

  1. The endpoint service owner sees pending connections in the Console
  2. Accept the connection to allow traffic to flow

Step 3 — Connect

Once the endpoint is active, applications in the consumer VPC can reach the deployment through the endpoint's private DNS name or ENI IP addresses. No internet gateway or NAT is required.

Managing Endpoint Services

From the Networking tab, you can view all PrivateLink endpoint services for the deployment, including:

  • AWS service name
  • Acceptance policy
  • Allowed principals
  • Connected endpoints and their status

Deleting an endpoint service removes the underlying AWS VPC Endpoint Service. Any active VPC endpoints connected to it will stop working — consumers will need to clean up their side.

Plan Limits

  Resource                           Basic           Pro         Enterprise
  Endpoint services per deployment   Not available   1           5
  Private networking                 Not available   Available   Available

Audit

All PrivateLink operations are recorded in the audit log:

  • Endpoint service created — who created it, configuration details
  • Endpoint service deleted — who removed it and when

API Reference

For programmatic access via API keys, the following endpoints are available.

Required permission: DeploymentNetworkManage (create, delete) or DeploymentNetworkRead (list)

Create an Endpoint Service

curl -X POST {supervisor_url}/deployments/{deployment_id}/network/private_link \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "iggy-endpoint-service",
    "acceptance_required": true,
    "allowed_principals": [
      "arn:aws:iam::123456789012:root"
    ],
    "remarks": "PrivateLink for production consumers"
  }'

List Endpoint Services

curl {supervisor_url}/deployments/{deployment_id}/network/private_link \
  -H "ld-api-key: YOUR_API_KEY"

Response:

[
  {
    "id": 1,
    "name": "iggy-endpoint-service",
    "vpc_endpoint_service_id": "vpce-svc-0abc123def456789a",
    "service_name": "com.amazonaws.vpce.us-east-1.vpce-svc-0abc123def456789a",
    "acceptance_required": true,
    "allowed_principals": ["arn:aws:iam::123456789012:root"],
    "state": "available",
    "remarks": "PrivateLink for production consumers",
    "created_at": "2025-01-15T10:30:00Z",
    "updated_at": "2025-01-15T10:30:00Z"
  }
]

Delete an Endpoint Service

curl -X DELETE {supervisor_url}/deployments/{deployment_id}/network/private_link/{service_id} \
  -H "ld-api-key: YOUR_API_KEY"
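The acceptance and allowed-principals caveats from the console steps and the three API calls above, as an added Python example that is not part of the LaserData documentation or any LaserData client: it validates a create request, reviews a list response for services that any AWS account could connect to, and wraps the endpoints with urllib. The supervisor URL, deployment id and API key are placeholders you supply, and the sample list is constructed to match the response shape shown on this page.

```python
import json
import re
import urllib.request

# Loose check for the IAM principal ARNs the allowed_principals field expects.
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(root|(user|role)/.+)$")

def build_create_request(name, allowed_principals, acceptance_required=True, remarks=""):
    """Validate inputs and build the JSON body for POST .../network/private_link."""
    if not name:
        raise ValueError("name is required and must be unique within the deployment")
    bad = [p for p in allowed_principals if not ARN_RE.match(p)]
    if bad:
        raise ValueError(f"not IAM principal ARNs: {bad}")
    return {"name": name, "acceptance_required": acceptance_required,
            "allowed_principals": list(allowed_principals), "remarks": remarks}

def review_services(services):
    """Return {service_name: [reasons]} for services in the list response with risky settings."""
    findings = {}
    for svc in services:
        reasons = []
        if not svc.get("allowed_principals"):
            reasons.append("no allowed principals: any AWS account can request a connection")
        if not svc.get("acceptance_required", True):
            reasons.append("acceptance not required: new connections are not reviewed")
        if reasons:
            findings[svc["name"]] = reasons
    return findings

def private_link_request(supervisor_url, deployment_id, api_key, method="GET",
                         body=None, service_id=None):
    """Call the create (POST), list (GET) or delete (DELETE) endpoint from this page."""
    url = f"{supervisor_url}/deployments/{deployment_id}/network/private_link"
    if service_id is not None:
        url += f"/{service_id}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "ld-api-key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

# Constructed sample shaped like the list response on this page (not real data).
SAMPLE_SERVICES = [
    {"id": 1, "name": "iggy-endpoint-service", "acceptance_required": True,
     "allowed_principals": ["arn:aws:iam::123456789012:root"], "state": "available"},
    {"id": 2, "name": "open-service", "acceptance_required": False,
     "allowed_principals": [], "state": "available"},
]
```

Run `review_services(private_link_request(url, dep_id, key))` against a live deployment to list every endpoint service that is open to any AWS account or skips manual approval.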
