Documentation
Deployment
Cube Cloud
BYOC
AWS
Private Connectivity

Private Connectivity with AWS PrivateLink

Cube Cloud BYOC deployments on AWS support private connectivity for Cube API endpoints using AWS PrivateLink. This enables secure, private access to your Cube deployment without exposing endpoints to the public internet.

Private connectivity via AWS PrivateLink is available in Cube Cloud on the Enterprise Premier (opens in a new tab) product tier with BYOC deployments. Contact us (opens in a new tab) for details.

Overview

In a private setup, Cube Cloud BYOC deployments can be configured to:

  • Keep HTTP and SQL load balancers private within the BYOC VPC
  • Expose API endpoints through AWS PrivateLink services
  • Enable secure connectivity from your VPCs and corporate networks

This approach ensures that all traffic between your applications and Cube Cloud remains within the AWS network backbone, never traversing the public internet.

Architecture

With private connectivity enabled, Cube Cloud exposes two AWS PrivateLink services:

  • HTTP API Service: For REST API and GraphQL endpoints
  • SQL API Service: For PostgreSQL-compatible SQL interface connections

Your Cube deployment APIs are available on dedicated hostnames following this pattern:

  • HTTP API: <deployment-id>.<byoc-region>.cubecloudapp.dev
  • SQL API: <deployment-id>.sql.<byoc-region>.cubecloudapp.dev

Setting up PrivateLink connections

Step 1: Obtain PrivateLink service details

Contact Cube Cloud support to obtain the PrivateLink service details for your BYOC deployment. You'll receive:

  • HTTP NLB PrivateLink service name
  • SQL NLB PrivateLink service name
  • Your deployment ID and infrastructure region

Step 2: Create VPC endpoints

In your AWS account, create two VPC endpoints for the Cube Cloud services:

  1. Navigate to AWS ConsoleVPCEndpoints
  2. Click Create Endpoint
  3. For the HTTP API endpoint:
    • Service category: Other endpoint services
    • Service name: Enter the HTTP NLB service name provided by Cube support
    • VPC: Select your target VPC
    • Subnets: Select appropriate subnets
    • Security Group: Create or select a security group allowing HTTPS traffic (port 443)
  4. Repeat for the SQL API endpoint:
    • Use the SQL NLB service name
    • Configure security group to allow PostgreSQL traffic (port 5432)

Step 3: Configure DNS resolution

To enable proper hostname resolution, create a private Route 53 hosted zone:

  1. Navigate to AWS ConsoleRoute 53Hosted zones

  2. Click Create hosted zone

  3. Configure the zone:

    • Domain name: <byoc-region>.cubecloudapp.dev
    • Type: Private hosted zone
    • VPCs: Associate with your target VPC(s)

  4. Create the following DNS records in the zone:

    Record NameTypeValue
    *.<byoc-region>.cubecloudapp.devAAlias to HTTP VPC endpoint
    *.sql.<byoc-region>.cubecloudapp.devAAlias to SQL VPC endpoint
    sql.<byoc-region>.cubecloudapp.devAAlias to SQL VPC endpoint

Step 4: Verify connectivity

To test the connection from within your VPC, obtain the test connection commands from the Cube Cloud UI:

  1. Navigate to your deployment in Cube Cloud
  2. Access the connection details section
  3. Use the provided commands to verify HTTP API and SQL connectivity

Enabling Cube Cloud UI access

The Cube Cloud web interface requires access to live Cube APIs to function properly. In a private setup, these APIs aren't accessible from user browsers by default, which would limit Cube Cloud functionality.

Solution: Corporate network integration

To enable full Cube Cloud UI functionality, you need to establish PrivateLink endpoints within your corporate network:

  1. Create PrivateLink endpoints in your corporate VPC: Follow the same process as above, but create the endpoints in a VPC that's accessible from your corporate network
  2. Configure DNS resolution: Choose one of these approaches:
    • Cube-hosted DNS: We can host the PrivateLink endpoint IPs in our public DNS records (contact Cube support)
    • Corporate DNS override: If you control DNS resolution within your corporate network, create private DNS overrides similar to the Route 53 configuration

Limitations

No custom domain support

Cube Cloud's custom domains feature is not compatible with PrivateLink connectivity. This limitation exists because:

  • Custom domains require automatic SSL certificate provisioning via Let's Encrypt
  • Let's Encrypt uses HTTP-01 challenges that require public internet accessibility
  • PrivateLink endpoints are not accessible from the public internet

If you require custom domains, consider using Cube Cloud's standard public endpoints with appropriate security controls.

Troubleshooting

Common issues

DNS resolution failures

  • Verify Route 53 hosted zone is associated with the correct VPC
  • Check that DNS records point to the correct VPC endpoints
  • Test resolution using nslookup or dig from within the VPC

Connection timeouts

  • Verify security groups allow traffic on required ports (443 for HTTP, 5432 for SQL)
  • Check that VPC endpoints are in "Available" state
  • Ensure network ACLs aren't blocking traffic

Certificate errors

  • Cube Cloud uses valid SSL certificates for *.cubecloudapp.dev domains
  • Ensure your client trusts standard certificate authorities
  • For SQL connections, configure your client to use SSL/TLS

Getting help

For assistance with PrivateLink setup:

  1. Gather the following information:
    • VPC endpoint IDs
    • Security group configurations
    • DNS test results (nslookup output)
    • Any error messages from connection attempts
  2. Contact Cube Cloud support with your deployment ID and collected information
DeploymentAzure