Configuring a private connection to AWS
Use AWS PrivateLink to create interface VPC endpoints that connect to endpoint services hosted by Amazon Web Services, enabling a private connection to your API Connect Enterprise as a Service instance.
You can configure private inbound connections, private outbound connections, or both, as needed, and in any order. When you configure a private connection, it is available for all catalogs in the API Connect Enterprise as a Service instance.
Configuring an inbound private connection (connect AWS to your APIs)
- Log in to API Connect Enterprise as a Service.
- On the page banner, click .
- On the Instance settings panel, click Add next to the Private connectivity option.
- On the Create a private connectivity connection page, click Inbound.
- Type a custom name or the default name that is provided in the Name field.
- Click Next.
Note: At this stage, the connection is created but not configured completely. If you close the configuration window without completing the configuration, you can continue it from the data table in the Instance settings panel. To continue the configuration, click the options menu icon next to the connection listed in the data table and then click Continue.
- On the Configure inbound connection page, create an AWS PrivateLink connection to allow private access to your APIs from your AWS account by working through the following steps:
- On the Account details page, enter your AWS account ARN in the Service consumer ARN field, and then click Next.
The entity creating the VPC endpoint in the customer account must be preapproved to access the VPC endpoint service in the API Connect account. This can be a service role, a user role, or even the root ARN for the customer account. For more information, see Configure an endpoint service in the AWS documentation.
- On the Infrastructure page, wait for the status to change to "Infrastructure complete", and then click Next.
- Copy values: On the Connectivity page, copy the Service name and the Private DNS name values for use in the next step, and then click Finish.
- In AWS, configure a VPC endpoint.
- Log in to your account on AWS.
- Open the page and complete the following settings:
  - Name tag (Endpoint settings): Optional. Provide a name tag that describes your new endpoint.
  - Service category (Endpoint settings): Select Other endpoint services.
  - Service name (Service settings): Paste the service name that you copied from the Service name field in the Connectivity page in API Connect.
- Click Create endpoint.
- Click Verify service.
- Open the page and complete the following settings:
  - Domain name: Paste the private DNS value that you copied from the Private DNS name field in the Connectivity page in API Connect.
  - Description: Optional. Provide a description of the domain.
  - Type: Select Private hosted zone.
- Click Create hosted zone.
- Open the page and complete the following settings:
  - Record name: Paste the prefix from the private DNS name; for example, "api-ibm".
  - Record type: Select A - Routes traffic to an IPv4 address and some AWS resources.
  - Alias: Enable the use of an alias.
  - Route traffic to: There are two fields to complete for this setting. In the first field, select Alias to VPC endpoint. In the second field, select your region; for example, US East (N. Virginia).
  - Routing policy: Select Simple routing.
  - Evaluate target health: Enable this setting (set it to Yes).
- Click Create record.
Configuring an outbound private connection (connect your APIs to AWS):
- Log in to API Connect Enterprise as a Service.
- On the page banner, click .
- On the Instance settings panel, click Add next to the Private connectivity option.
- On the Create a private connectivity connection page, click Outbound.
- Type a custom name or the default name that is provided in the Name field.
- Click Next.
Note: At this stage, the connection is created but not configured completely. If you close the configuration window without completing the configuration, you can continue it from the data table in the Instance settings panel. To continue the configuration, click the options menu icon next to the connection listed in the data table and then click Continue.
- On the Create private endpoint service page, click Guide to creating VPC endpoint service and complete the following steps:
- Use the wizard in AWS to create the private endpoint service. For more information, see Create an endpoint service in the AWS documentation.
- Copy value: Copy the service name of the new endpoint service, shown in the Name field on the Endpoint services page in the wizard. You will use this value in the next step.
- When the wizard finishes, return to the Create private endpoint service page in API Connect and click Next.
- On the Enter endpoint service details page, type or paste the VPC endpoint service name (which you copied from the wizard) in the Private endpoint service name field, and then click Next.
- On the Pre-authorize AWS principal page, complete the following steps to authorize AWS to access your APIC service:
- Copy value: Copy the value in the ARN for API Connect's AWS Principal field.
- Log in to your AWS account and navigate to the page.
- Select the Allow principals tab.
- Paste the ARN that you copied into the ARN field in the "Principals to add" section of the page.
- Click Allow principals.
- Return to the Pre-authorize AWS principal page in API Connect and click Next.
At this point, a connection request is generated by API Connect, and you must accept the request in AWS.
- In AWS, accept the connection request by completing the following steps:
- Still on the page, select the Endpoint connections tab.
- Wait for the Connection state to display "Pending".
- In the Actions field, select Accept endpoint connection request.
- Wait for the Connection state to display "Available" as confirmation.
Now that the connection is complete, return to API Connect to finish configuring the private connection for the catalog.
- On the Connection request page in API Connect, click Next to confirm that you accepted the connection request in AWS.
- Copy value: On the Connectivity page, copy the value from the VPC Endpoint Private DNS Name field and store it in a safe place; then click Finish.
Use the VPC Endpoint Private DNS Name in your API Connect API to connect to the application behind your VPC endpoint service.
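A pre-flight check for the values that are copied between the two consoles in the inbound and outbound procedures above, written in Python as an added example that is not part of the IBM documentation or of any AWS tooling: it validates the IAM principal ARN (the Service consumer ARN for inbound, the ARN in Principals to add for outbound), splits the PrivateLink service name into region and service id, and derives the Route 53 Record name prefix from the Private DNS name. The sample values are constructed, and the regular expressions assume the standard AWS partitions and identifier formats.

```python
import re

# Constructed sample values (not from the page), shaped like the values that
# are copied between the API Connect and AWS consoles in the procedures above.
SAMPLE_CONSUMER_ARN = "arn:aws:iam::123456789012:role/ApicEndpointCreator"
SAMPLE_SERVICE_NAME = "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0"
SAMPLE_PRIVATE_DNS = "api-ibm.example.com"

# IAM principal ARN: the account root, or a role/user (optionally with a path).
IAM_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):"
    r"(?P<resource>root|(?:role|user)/[\w+=,.@/-]+)$")
# PrivateLink service name: com.amazonaws.vpce.<region>.vpce-svc-<hex id>
SERVICE_NAME_RE = re.compile(
    r"^com\.amazonaws\.vpce\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)"
    r"\.(?P<service_id>vpce-svc-[0-9a-f]{8,17})$")


def check_principal_arn(arn):
    """Check an ARN destined for 'Service consumer ARN' (inbound) or
    'Principals to add' (outbound). Returns (ok, kind, warning)."""
    m = IAM_ARN_RE.match(arn.strip())
    if not m:
        return False, None, "not an IAM root, role or user ARN"
    resource = m.group("resource")
    kind = "root" if resource == "root" else resource.split("/", 1)[0]
    warning = ""
    if kind == "root":
        # The account root ARN authorizes every principal in that account;
        # a dedicated role keeps the grant to the entity that needs it.
        warning = ("root ARN grants all principals in account %s; "
                   "prefer a specific role ARN" % m.group("account"))
    return True, kind, warning


def parse_service_name(name):
    """Split a PrivateLink service name into (region, service id) so the
    region chosen in Route 53 ('Route traffic to') can be checked against it."""
    m = SERVICE_NAME_RE.match(name.strip())
    if not m:
        raise ValueError("unexpected PrivateLink service name: %r" % name)
    return m.group("region"), m.group("service_id")


def record_prefix(private_dns):
    """Return the first label of the Private DNS name (for example 'api-ibm'),
    which the Route 53 record step asks for as the Record name."""
    labels = private_dns.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError("private DNS name must contain at least two labels")
    return labels[0]
```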
Manage public connections:
You can enable or disable public connections at the instance level and for individual catalogs.
- To disable public connections for the entire instance, do the following steps:
- On the Instance settings panel, set the toggle next to Public connections to No.
Note: A data table in the Instance settings panel lists all the catalogs and the status of their public connections (allowed or blocked). This data table is hidden if public connections are disabled at the instance level.
- To disable public connections for specific catalogs, do the following steps:
- On the Instance settings panel, locate the data table in the Public connections section.
Note: If public connections are disabled at the instance level, this data table is hidden and the catalog-level settings for public connections are not visible.
- Select the catalogs, and then click Block.
- On the dialog box, click Block.