The ability to configure PrivateLinks is in beta and may not be available on all enrollments. Some functionality may change before this feature becomes generally available.
PrivateLink egress refers to connections that are made from the Palantir platform to another system that is hosted on the same cloud provider as the Palantir platform using private connectivity. This is only supported for AWS-hosted Palantir platform instances and customer services in the same region powered by AWS PrivateLink ↗️. If your target resource is in a different region, configure VPC peering ↗️ to the Palantir platform’s region, then create a PrivateLink.
This page outlines how PrivateLink egress is configured and managed in Control Panel, and how these created connections are used in the Palantir platform. PrivateLink egress supports private egress to AWS services, user-owned resources deployed on AWS, or third-party APIs deployed on AWS.
To increase these limits, contact your Palantir administrator.
Navigate to the PrivateLinks tab in the Network egress page in Control Panel to manage PrivateLinks.
To successfully create a PrivateLink connection, do the following:
A list of PrivateLink-compatible AWS services and their endpoint service names can be found in the AWS documentation ↗️. Creation of an endpoint service is not required for AWS services; the endpoint service name provided by AWS can be used. An example of an AWS service that supports PrivateLink is Amazon Bedrock ↗️.
For a user-owned resource deployed on AWS, create an endpoint service following the steps in the AWS documentation ↗️. An example of a user-owned resource is a database powered by AWS RDS ↗️.
For user-owned third-party APIs deployed on AWS, create an endpoint service following the steps from the AWS documentation ↗️. If owned by another party, request their VPC endpoint service name. For example, Snowflake’s VPC endpoint service name can be requested as shown in the Snowflake documentation ↗️.
Additionally, request the private domains of third-party APIs if the service uses custom transport layer security (TLS) certificates that are not valid for the AWS-generated domain ↗️ of the PrivateLink. For example, Snowflake’s private domains can be found by following the Snowflake documentation ↗️. Below is an example of a private third-party domain:
abc.us-east-1.privatelink.snowflakecomputing.com
To access the target resource through a PrivateLink, allow the Palantir platform to access the resource. Add the Palantir platform’s AWS account in the allowed principal list of your endpoint service by following the AWS documentation ↗️. The allowed principal should look like the following:
arn:aws:iam::<palantir_platform_aws_account_id>:root
Navigate to Control Panel > Network Egress > PrivateLinks and select New PrivateLink to create a PrivateLink.
Enter the following details for your target resource for the PrivateLink:
Advanced settings:
CNAME records for these domains that map to the other end of the PrivateLink. Currently, only Snowflake private domains are allowed. To add other domains, contact your Palantir administrator.
The PrivateLink may have the following states:
If the PrivateLink is in the Failed state, one of the following errors has occurred:
After successful creation of a PrivateLink, create network egress policies to allow egress to the target resource.
Once the PrivateLink is in the Ready state and network egress policies are created, the PrivateLink can be used in the Palantir platform.
Possible actions on the PrivateLink are displayed under Actions in the PrivateLink details page, and in the PrivateLinks page for each item.
A PrivateLink’s Private domains and TCP ports can be updated by selecting Actions > Update.
PrivateLinks can be deleted by selecting Actions > Delete.
Share the created network egress policies with users who intend to egress to the target resource through the PrivateLink. On the domain or IP that is to be shared, select Actions > View network egress policy and navigate to the network policy page. On the network policy page select Actions > Manage sharing and add the intended user or user group to share the network egress policy.
In Data Connection, configure a source using the default domain or the third-party API domain, and attach the created network egress policies. After configuring, test connectivity by previewing or exploring the source and verifying that the source’s data is accurate.
To create a Snowflake source connected through a PrivateLink, follow these steps:
For the Palantir platform to create a PrivateLink to Snowflake, the Palantir platform’s account needs to be allowlisted in your Snowflake account. To do this, follow these steps:
SYSTEM$AUTHORIZE_PRIVATELINK cannot be used, since Palantir users do not have direct access to the underlying cloud provider infrastructure and are not provided with the required federated_token.
Once Snowflake has allowlisted the Palantir platform’s cloud provider account, continue to the next step.
Before creating a PrivateLink between the Palantir platform and Snowflake, retrieve the PrivateLink configuration from Snowflake by running the command SYSTEM$GET_PRIVATELINK_CONFIG ↗️. This command outputs the required information to create a PrivateLink in the Palantir platform.
Endpoint service name: the privatelink-vpce-id from the output of SYSTEM$GET_PRIVATELINK_CONFIG.
Private domains: the following values from the output of SYSTEM$GET_PRIVATELINK_CONFIG:
privatelink-account-url
privatelink-connection-ocsp-urls
privatelink-connection-urls
privatelink-ocsp-url
regionless-privatelink-account-url
regionless-snowsight-privatelink-url
snowsight-privatelink-url
TCP ports: 443 and 80, as mentioned in the Snowflake documentation ↗️.
Once configured, select Create to create the PrivateLink. When the PrivateLink is in the Ready state, continue to the next step.
Create network egress policies for all of the URLs output by the command SYSTEM$ALLOWLIST_PRIVATELINK ↗️. Additionally, create an S3 bucket policy for the STAGE of the output as shown below:
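The two Snowflake commands above produce a fair amount of output, and the values have to be copied into the PrivateLink form and into egress policies without mistakes. The script below is an added example, not code from the Palantir or Snowflake documentation: it parses the SYSTEM$GET_PRIVATELINK_CONFIG output into the three form values (endpoint service name, private domains, TCP ports), flags any domain Control Panel would reject because it is not a Snowflake private domain, and groups the SYSTEM$ALLOWLIST_PRIVATELINK rows by type so the STAGE hosts that also need an S3 bucket policy stand out. It assumes SYSTEM$GET_PRIVATELINK_CONFIG returns a JSON object whose "-urls" keys hold either a hostname or a JSON-encoded list of hostnames, and that SYSTEM$ALLOWLIST_PRIVATELINK returns a JSON array of objects with host, port and type fields; every account name, VPC endpoint service id and hostname in the samples is constructed.

```python
"""Map Snowflake PrivateLink output onto a Palantir PrivateLink and its egress policies.

Added example, not Palantir or Snowflake code. Assumes the output shapes described
in the lead-in; all sample values below are constructed, not real accounts.
"""
import json

# Output keys that hold the private domains to enter on the PrivateLink form.
PRIVATE_DOMAIN_KEYS = [
    "privatelink-account-url",
    "privatelink-connection-ocsp-urls",
    "privatelink-connection-urls",
    "privatelink-ocsp-url",
    "regionless-privatelink-account-url",
    "regionless-snowsight-privatelink-url",
    "snowsight-privatelink-url",
]
TCP_PORTS = [443, 80]  # ports Snowflake expects over the PrivateLink
SNOWFLAKE_PRIVATE_SUFFIX = ".privatelink.snowflakecomputing.com"

# Constructed sample of SELECT SYSTEM$GET_PRIVATELINK_CONFIG(); not a real account.
SAMPLE_CONFIG = json.dumps({
    "privatelink-vpce-id": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
    "privatelink-account-url": "abc12345.us-east-1.privatelink.snowflakecomputing.com",
    "privatelink-connection-ocsp-urls": '["ocsp.abc12345.us-east-1.privatelink.snowflakecomputing.com"]',
    "privatelink-connection-urls": '["abc12345.us-east-1.privatelink.snowflakecomputing.com"]',
    "privatelink-ocsp-url": "ocsp.abc12345.us-east-1.privatelink.snowflakecomputing.com",
    "regionless-privatelink-account-url": "myorg-myacct.privatelink.snowflakecomputing.com",
    "regionless-snowsight-privatelink-url": "app-myorg-myacct.privatelink.snowflakecomputing.com",
    "snowsight-privatelink-url": "app.us-east-1.privatelink.snowflakecomputing.com",
})

# Constructed sample of SELECT SYSTEM$ALLOWLIST_PRIVATELINK(); includes a duplicate row.
SAMPLE_ALLOWLIST = json.dumps([
    {"host": "abc12345.us-east-1.privatelink.snowflakecomputing.com", "port": 443, "type": "SNOWFLAKE_DEPLOYMENT"},
    {"host": "ocsp.abc12345.us-east-1.privatelink.snowflakecomputing.com", "port": 80, "type": "OCSP_CACHE"},
    {"host": "sfc-example-stage.s3.us-east-1.amazonaws.com", "port": 443, "type": "STAGE"},
    {"host": "abc12345.us-east-1.privatelink.snowflakecomputing.com", "port": 443, "type": "SNOWFLAKE_DEPLOYMENT"},
])


def _hostnames(value):
    """Normalise one config value: missing, a bare hostname, or a JSON-encoded list."""
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    text = str(value).strip()
    if text.startswith("["):
        return [str(v) for v in json.loads(text)]
    return [text] if text else []


def privatelink_form_values(config_json):
    """Values for the PrivateLink form: endpoint service name, private domains, TCP ports."""
    cfg = json.loads(config_json)
    domains = []
    for key in PRIVATE_DOMAIN_KEYS:
        for host in _hostnames(cfg.get(key)):
            host = host.lower().rstrip(".")
            if host and host not in domains:  # several keys repeat the same hostname
                domains.append(host)
    return {
        "endpoint_service_name": cfg["privatelink-vpce-id"],
        "private_domains": domains,
        "tcp_ports": list(TCP_PORTS),
    }


def unsupported_domains(domains):
    """Domains Control Panel will reject: only Snowflake private domains are allowed."""
    return [d for d in domains if not d.endswith(SNOWFLAKE_PRIVATE_SUFFIX)]


def egress_targets(allowlist_json):
    """Group allowlist rows by type into sorted, de-duplicated (host, port) pairs."""
    groups = {}
    for row in json.loads(allowlist_json):
        pair = (row["host"].lower(), int(row["port"]))
        bucket = groups.setdefault(row["type"], [])
        if pair not in bucket:
            bucket.append(pair)
    return {kind: sorted(pairs) for kind, pairs in groups.items()}


def stage_hosts(allowlist_json):
    """STAGE hosts: the S3 endpoints that also need a bucket policy."""
    return [host for host, _ in egress_targets(allowlist_json).get("STAGE", [])]


if __name__ == "__main__":
    form = privatelink_form_values(SAMPLE_CONFIG)
    print(json.dumps(form, indent=2))
    print("rejected domains:", unsupported_domains(form["private_domains"]))
    print(json.dumps(egress_targets(SAMPLE_ALLOWLIST), indent=2))
    print("S3 bucket policy needed for:", stage_hosts(SAMPLE_ALLOWLIST))
```

Run it against the real command output by replacing the two sample strings with the JSON returned by Snowflake. The de-duplication matters in practice: several config keys carry the same hostname, and the allowlist can repeat a host with the same port, so pasting the raw output into the form or into policies would create redundant entries.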
For more information on Snowflake configuration refer to our Snowflake documentation.