Add an AWS PrivateLink Connection

    To use AWS PrivateLink with Capella, add an AWS PrivateLink Connection.


    Before attempting to add an AWS PrivateLink Connection, make sure your environment conforms to all of the following requirements:

    • You have a project in your organization.

      For more information about projects, see Projects Overview.

    • You have a database in your project that:

      • Has 44 nodes or fewer.

      • Has multiple availability zones configured.

      • Uses the Developer Pro or Enterprise plan.

      For more information about how to create a database, see Create a Database.

    • You have the Project Owner role assigned to your user account.

      For more information about project roles, see Project Roles.

    • You have the AWS Command Line Interface installed and configured on your computer.

    • You have your VPC ID. You also have the Subnet ID of each of your subnets.


    The procedure for adding an AWS PrivateLink Connection involves the Capella UI, the AWS command line interface, and the AWS VPC console. Make sure you have all these tools available before you begin.

    Proceed as follows:

    1. After you log into Capella, select the project that contains the database where you want to add an AWS PrivateLink.

    2. On the Databases tab, select the database name. When the screen for the database appears, click on the Settings tab, near the upper right:

      The Settings tab.
    3. Click on the Private Endpoint tab, in the Networking section of the left-hand navigation panel.

      The Private Endpoint tab.
    4. When the Private Endpoints screen appears, click on the Enable Private Endpoint button.

      The Enable Private Endpoint button.

      After you have clicked on the Enable Private Endpoint button, endpoints are enabled by Capella. This process might take several minutes. When the process is concluded, the screen appears as follows:

      The Add Private Endpoint screen.
    5. Click on the Add Private Endpoint button.

      The Add Private Endpoint button.

      The display now changes, to allow you to enter a VPC ID and Subnet IDs:

      The Add Private Endpoint details dialog.
    6. In the VPC ID field, enter your VPC ID. In the Subnet IDs field, enter each of your Subnet IDs, hitting return after each entry.

      When you have entered your IDs, the display appears as follows:

      The Add Private Endpoint details dialog, completed.
    7. Click on the Next button.

      The Next Button

      The Complete Connection screen now appears:

      The Complete Connection Screen
    8. Copy the command that is displayed in the Run this command field. Open a terminal window on your desktop, paste the command at the prompt, and run it. Output appears as follows:

        "VpcEndpoint": {
          "VpcEndpointId": "vpce-06da68c605432752f",
          "VpcEndpointType": "Interface",
          "VpcId": "vpc-08bf9fdbf7174a563",
          "ServiceName": "",
          "State": "pendingAcceptance",
          "RouteTableIds": [],
          "SubnetIds": [
          ],
          "Groups": [
            {
              "GroupId": "sg-01505951c7752141d",
              "GroupName": "default"
            }
          ],
          "PrivateDnsEnabled": false,
          "RequesterManaged": false,
          "NetworkInterfaceIds": [
          ],
          "DnsEntries": [
            {
              "DnsName": "",
              "HostedZoneId": "Z1YSA3EXCYUU9Z"
            },
            {
              "DnsName": "",
              "HostedZoneId": "Z1YSA3EXCYUU9Z"
            },
            {
              "DnsName": "",
              "HostedZoneId": "Z1YSA3EXCYUU9Z"
            }
          ],
          "CreationTimestamp": "2022-11-15T18:50:45.062000+00:00",
          "OwnerId": "429712224361"
        }
    9. Copy the value of VpcEndpointId, which is in the second line of the output (here, vpce-06da68c605432752f). Then, return to the Capella UI.

    10. Paste the VPC Endpoint ID into the Endpoint ID field:

      The Enter Endpoint ID field, completed
    11. Click on the Finish button:

      The Finish Button

      After a few minutes, you are returned to the Private Endpoints screen, which now shows the private endpoint that you have added:

      Endpoint Pending
    12. Bring up your AWS VPC console. Access your list of VPC endpoints:

      AWS VPC Endpoint List Display

      Select the row for the endpoint.

    13. Enable private DNS names for this endpoint. Access the Actions menu, located near the upper right, and select the Modify private DNS name option:

      AWS VPC Modify private DNS name

    14. When the Modify private DNS name screen appears, make sure that the Enable for this endpoint checkbox is checked:

      AWS VPC Modify private DNS name screen

      Then, click on the Save Changes button.

    15. Access the AWS VPC dashboard, and from the Actions menu, access Edit VPC settings:

      AWS VPC Edit VPC settings
    16. When the Edit VPC settings dialog is displayed, enable DNS resolution and DNS hostnames, by checking the respective checkboxes:

      AWS VPC Enable VPC Settings

      Then, save. This completes enablement of private DNS names for this endpoint.

    17. To add an Ingress Rule for the private endpoint, first, return to the VPC dashboard:

      AWS VPC Dashboard

      Make a note of the value displayed for IPV4 CIDR, which here is You will enter this value on subsequent screens.

    18. Modify the endpoint’s Security Group. First, click on Endpoints, in the VPC dashboard. When the Endpoints screen is displayed, select the endpoint for which you are configuring the Ingress Rule:

      AWS VPC Endpoints Display

      In the Security groups panel, near the bottom of the screen, click on the link that appears under Group ID (this is your default VPC security group). The corresponding Inbound Rules panel is now displayed:

      AWS Security Groups display
    19. Click on the Edit Inbound Rules button. The Edit inbound rules dialog now appears:

      AWS VPC Edit Inbound Rules

      Add the IPv4 CIDR that you previously noted. Then click on the Save Rules button. This concludes configuration of Ingress Rules.

    20. To configure Network ACLs, first, return to the VPC dashboard.

      AWS VPC Dashboard for Network ACLs
    21. Click on Network ACLs, in the left-hand navigation panel. This brings up the Network ACLs screen:

      AWS VPC Network ACLs Screen

      Select the Network ACL associated with your VPC. Then, access the Action menu, and select Edit inbound rules.

    22. When the Edit inbound rules screen appears, add a new inbound rule, by entering the IPv4 CIDR you previously noted into the appropriate field of the Source column:

      AWS VPC Add Inbound Rule

      Then click on the Save Changes button.

    23. Add an outbound rule, by following steps equivalent to the ones you used to add your inbound rule: access the Network ACLs screen from the VPC dashboard, and select Edit outbound rules from the Action menu. The Edit outbound rules screen now appears:

      AWS VPC Add Outbound Rule

      For the new rule, specify Custom TCP in the Type column, and 1024-65535 in the Port range column. Then specify your IPv4 CIDR value in the Source column. Finally, click on Save Changes.

    24. Return to the Private Endpoints screen, in the Capella console. For several minutes, the display for the interface endpoint shows a Pending status:

      Endpoint Pending

      Eventually, the status changes to Linked:

      Endpoint Linked

    This concludes the procedure: the AWS PrivateLink Connection has now been established.
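The following added example (not part of the Capella documentation) audits the DNS and ingress settings from steps 13 to 19 using JSON saved from `aws ec2 describe-vpc-endpoints`, `aws ec2 describe-vpc-attribute` and `aws ec2 describe-security-groups`. It also flags any ingress source wider than the VPC CIDR; the sample documents and the `10.0.0.0/16` CIDR are constructed, and the function name is hypothetical.

```python
import ipaddress


def audit_privatelink(endpoint_doc, vpc_cidr, dns_support, dns_hostnames, sg_doc):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ep = endpoint_doc["VpcEndpoints"][0]
    if ep["State"] != "available":
        findings.append(f"endpoint {ep['VpcEndpointId']} state is {ep['State']}")
    if not ep.get("PrivateDnsEnabled"):
        findings.append("private DNS names not enabled (steps 13-14)")
    if not dns_support["EnableDnsSupport"]["Value"]:
        findings.append("VPC DNS resolution disabled (step 16)")
    if not dns_hostnames["EnableDnsHostnames"]["Value"]:
        findings.append("VPC DNS hostnames disabled (step 16)")

    vpc_net = ipaddress.ip_network(vpc_cidr)
    attached = {g["GroupId"] for g in ep["Groups"]}
    vpc_rule_seen = False
    for sg in sg_doc["SecurityGroups"]:
        if sg["GroupId"] not in attached:
            continue  # only groups attached to the endpoint matter here
        for perm in sg["IpPermissions"]:
            for rng in perm.get("IpRanges", []):
                src = ipaddress.ip_network(rng["CidrIp"])
                if src == vpc_net:
                    vpc_rule_seen = True
                elif not src.subnet_of(vpc_net):
                    # Source reaches beyond the CIDR noted in step 17.
                    findings.append(f"{sg['GroupId']} allows ingress from {src}, outside the VPC CIDR")
    if not vpc_rule_seen:
        findings.append("no ingress rule for the VPC CIDR (step 19)")
    return findings


# Constructed sample documents, trimmed to the fields the checks read.
ENDPOINT = {"VpcEndpoints": [{"VpcEndpointId": "vpce-06da68c605432752f",
                              "State": "pendingAcceptance", "PrivateDnsEnabled": False,
                              "Groups": [{"GroupId": "sg-01505951c7752141d"}]}]}
DNS_SUPPORT = {"EnableDnsSupport": {"Value": True}}
DNS_HOSTNAMES = {"EnableDnsHostnames": {"Value": False}}
SECURITY_GROUPS = {"SecurityGroups": [{"GroupId": "sg-01505951c7752141d", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}

if __name__ == "__main__":
    for finding in audit_privatelink(ENDPOINT, "10.0.0.0/16", DNS_SUPPORT,
                                     DNS_HOSTNAMES, SECURITY_GROUPS):
        print("FAIL:", finding)
```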