Creating private paths using AWS PrivateLink

AWS PrivateLink is a highly available and scalable service that enables you to privately connect your VPC to AWS services and resources as though they reside within your own VPC. This connectivity does not require an internet gateway, NAT device, public IP addresses, AWS Direct Connect, or Site‑to‑Site VPN. As a result, traffic remains entirely within the AWS network, allowing you to precisely control which APIs, services, endpoints, and resources are accessible from your private subnets.

Availability: This feature is available only in AWS GovCloud (US) deployment.

Before you begin

  • You must have administrator access to your AWS GovCloud (US) account.
  • You must get the two endpoint service names (for example, example-endpoint-service-name-1 and example-endpoint-service-name-2) from IBM by submitting a support ticket, as these are required to configure the VPC endpoints.

Configuring first VPC endpoint

In your AWS GovCloud (US) account, create the first VPC endpoint using example-endpoint-service-name-1.

Creating first VPC endpoint
  1. Log into the AWS GovCloud (US) Console.
  2. Go to VPC.
  3. Select Endpoints.
  4. Click Create endpoint.
Configuring first endpoint details
In the Create endpoint window, provide the following details:
  1. Name: Enter a meaningful name.
  2. Type: Select PrivateLink Ready partner services.
  3. Service name: Paste the example-endpoint-service-name-1 that you got from IBM.
  4. VPC: Select your VPC.
  5. Subnets: Select your subnet.
  6. Subnet ID: Select it in your private network.
  7. Security groups: Select an existing security group, or create a new one if none exists.

    For outbound rules, choose one of the following:

    • Leave outbound traffic unrestricted, or
    • Restrict outbound traffic to HTTPS (port 443) within your VPC IP range
  8. Click Create endpoint.

Configuring second VPC endpoint

Repeat all the steps mentioned in Configuring first VPC endpoint by using example-endpoint-service-name-2.

When you configure the second endpoint details, in Service name, paste the example-endpoint-service-name-2 that you got from IBM.

Both VPC endpoints that you created remain pending until IBM authorizes them.

Getting endpoints authorization

  1. Submit an IBM Support ticket notifying IBM that both VPC endpoints are created.
  2. Wait for confirmation from IBM that both endpoints are authorized.

Checking the status of endpoints

  • Go to AWS console > VPC > Endpoints.
  • Select each endpoint that you created.
  • Confirm that the Status is Available for both endpoints.

Enabling private DNS

You must enable private DNS for each endpoint individually. For each endpoint, do the following:

  1. Go to AWS console > VPC > Endpoints.
  2. Select the endpoint.
  3. Choose Actions > Modify private DNS name.
  4. Check Enable for this endpoint.
  5. Click Save changes.
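The console steps from Creating first VPC endpoint through Enabling private DNS can also be scripted. The following is an added example written for this page with boto3; it is not IBM's or AWS's code. The region, VPC ID, subnet ID, security group ID, VPC CIDR and the two service names are placeholders you replace with your own values (the real service names come from the IBM support ticket). It creates one interface endpoint per service name, optionally tightens the security group to the "HTTPS within the VPC range" option, polls until IBM has authorized both endpoints, and only then enables private DNS, which matches the order of the procedure above.

```python
"""Added example (not IBM's or AWS's tooling): script the two PrivateLink
endpoints, wait for IBM authorization, then enable private DNS."""
import ipaddress
import time

# Placeholders: replace with the values from your AWS GovCloud (US) account
# and the service names IBM gave you in the support ticket.
SERVICE_NAMES = ["example-endpoint-service-name-1", "example-endpoint-service-name-2"]
REGION = "us-gov-east-1"          # assumed GovCloud region for this example
VPC_ID = "vpc-PLACEHOLDER"
SUBNET_IDS = ["subnet-PLACEHOLDER"]
SECURITY_GROUP_ID = "sg-PLACEHOLDER"
VPC_CIDR = "10.0.0.0/16"          # constructed example CIDR


def https_egress_rule(vpc_cidr):
    """Build the 'restrict outbound to HTTPS within the VPC range' rule.

    Returns the IpPermissions structure authorize_security_group_egress
    expects. A malformed CIDR raises ValueError so a typo never turns into
    an unintentionally broad rule.
    """
    network = ipaddress.ip_network(vpc_cidr, strict=True)
    return [{
        "IpProtocol": "tcp",
        "FromPort": 443,
        "ToPort": 443,
        "IpRanges": [{"CidrIp": str(network), "Description": "HTTPS to PrivateLink endpoints"}],
    }]


def endpoint_states(describe_response):
    """Map endpoint ID -> State from a describe_vpc_endpoints response."""
    return {ep["VpcEndpointId"]: ep["State"] for ep in describe_response.get("VpcEndpoints", [])}


def all_available(states):
    """True only when every endpoint reports the 'available' state."""
    return bool(states) and all(state == "available" for state in states.values())


def restrict_outbound_to_https(ec2, sg_id, vpc_cidr):
    """Replace the default allow-all egress rule with the HTTPS-only rule."""
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    )
    ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=https_egress_rule(vpc_cidr))


def create_endpoint(ec2, name, service_name):
    """Create one interface endpoint for a partner service; private DNS stays off for now."""
    resp = ec2.create_vpc_endpoint(
        VpcEndpointType="Interface",
        VpcId=VPC_ID,
        ServiceName=service_name,
        SubnetIds=SUBNET_IDS,
        SecurityGroupIds=[SECURITY_GROUP_ID],
        PrivateDnsEnabled=False,  # enabled only after IBM authorizes the endpoint
        TagSpecifications=[{"ResourceType": "vpc-endpoint",
                            "Tags": [{"Key": "Name", "Value": name}]}],
    )
    return resp["VpcEndpoint"]["VpcEndpointId"]


def wait_until_available(ec2, endpoint_ids, poll_seconds=60):
    """Poll until both endpoints leave the pending state and become available."""
    while True:
        states = endpoint_states(ec2.describe_vpc_endpoints(VpcEndpointIds=endpoint_ids))
        if all_available(states):
            return states
        print("Waiting for IBM authorization:", states)
        time.sleep(poll_seconds)


def enable_private_dns(ec2, endpoint_ids):
    """Equivalent of Actions > Modify private DNS name > Enable, for each endpoint."""
    for endpoint_id in endpoint_ids:
        ec2.modify_vpc_endpoint(VpcEndpointId=endpoint_id, PrivateDnsEnabled=True)


if __name__ == "__main__":
    import boto3  # imported here so the pure helpers above work without boto3 installed

    ec2 = boto3.client("ec2", region_name=REGION)
    restrict_outbound_to_https(ec2, SECURITY_GROUP_ID, VPC_CIDR)  # skip to leave egress open
    ids = [create_endpoint(ec2, f"watsonx-orchestrate-{i}", svc)
           for i, svc in enumerate(SERVICE_NAMES, 1)]
    print("Created endpoints (pending IBM authorization):", ids)
    wait_until_available(ec2, ids)   # submit the IBM support ticket while this polls
    enable_private_dns(ec2, ids)
```

Run it with credentials for your GovCloud account; the polling loop blocks until IBM has authorized both endpoints, which is the same gate the procedure describes before private DNS can be enabled.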

Testing the PrivateLink connectivity

To validate that the PrivateLink connection is working:

  1. Open a browser from a system within the VPC network.
  2. Navigate to the following URL:

    https://private.us-gov-east-1.watson-orchestrate.ibmforusgov.com/

  3. Your browser might display a certificate warning indicating that the site is not trusted; this is expected.
  4. Accept the risk and continue.
  5. Successful display of the watsonx Orchestrate login screen confirms the PrivateLink connectivity.
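The browser test above can be reproduced from a shell on a host inside the VPC, with two checks the browser does not make explicit. The following is an added example, not IBM's tooling; it uses only the Python standard library, and VPC_CIDR is a placeholder for your VPC's range. It first confirms that private DNS is in effect by checking that the hostname resolves only to addresses inside the VPC (an address outside it would mean traffic leaves the private path), then performs the TLS handshake, recording the SHA-256 fingerprint of the presented certificate so the expected warning is logged rather than silently accepted, and finally fetches the login page.

```python
"""Added example (not IBM's code): validate PrivateLink connectivity from
inside the VPC - private DNS resolution, TLS probe, login page fetch."""
import hashlib
import ipaddress
import socket
import ssl
import urllib.request

HOSTNAME = "private.us-gov-east-1.watson-orchestrate.ibmforusgov.com"
VPC_CIDR = "10.0.0.0/16"  # placeholder: replace with your VPC's CIDR


def resolve(hostname):
    """Every address the local resolver returns for the name (IPv4 and IPv6)."""
    return sorted({info[4][0] for info in
                   socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)})


def split_by_vpc(addresses, vpc_cidr):
    """Partition addresses into (inside, outside) the VPC range.

    With private DNS enabled the name should resolve only to the endpoint
    network interfaces, i.e. addresses inside vpc_cidr. Addresses of another
    IP version are reported as outside.
    """
    network = ipaddress.ip_network(vpc_cidr)
    inside = [a for a in addresses if ipaddress.ip_address(a) in network]
    outside = [a for a in addresses if a not in inside]
    return inside, outside


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER certificate, colon-separated as browsers show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def probe_tls(hostname, port=443):
    """Return (chain_verified, fingerprint).

    Normal chain validation is tried first. If it fails (the certificate
    warning the procedure says to expect), the handshake is repeated without
    validation so the presented certificate's fingerprint can still be recorded.
    """
    for verify in (True, False):
        ctx = ssl.create_default_context()
        if not verify:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with socket.create_connection((hostname, port), timeout=10) as sock:
                with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                    return verify, fingerprint(tls.getpeercert(binary_form=True))
        except ssl.SSLCertVerificationError:
            continue
    raise RuntimeError("TLS handshake failed even without chain validation")


def fetch_login_page(hostname, chain_verified):
    """GET the landing page over the same trust setting and return the HTTP status."""
    ctx = ssl.create_default_context()
    if not chain_verified:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{hostname}/", headers={"User-Agent": "privatelink-check"})
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status


if __name__ == "__main__":
    addrs = resolve(HOSTNAME)
    inside, outside = split_by_vpc(addrs, VPC_CIDR)
    print(f"{HOSTNAME} resolves to {addrs}")
    if outside or not inside:
        raise SystemExit(f"Private DNS not in effect: addresses outside {VPC_CIDR}: {outside}")
    chain_verified, fp = probe_tls(HOSTNAME)
    print("certificate chain validated by local trust store:", chain_verified)
    print("presented certificate SHA-256:", fp)
    print("HTTP status for login page:", fetch_login_page(HOSTNAME, chain_verified))
```

A non-zero exit from the DNS step means private DNS is not yet enabled on the endpoint serving this name, so go back to Enabling private DNS before troubleshooting TLS. Keep the printed fingerprint with your change record; if it changes later, that is worth a question to IBM support.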