Configure PrivateLink egress [Beta]

Beta

The ability to configure PrivateLinks is in beta and may not be available on all enrollments. Some functionality may change before this feature becomes generally available.

PrivateLink egress refers to connections made from the Palantir platform, over private connectivity, to another system hosted on the same cloud provider as the Palantir platform. This is only supported for AWS-hosted Palantir platform instances and customer services in the same region, powered by AWS PrivateLink ↗️. If your target resource is in a different region, configure VPC peering ↗️ to the Palantir platform’s region, then create a PrivateLink.

This page outlines how PrivateLink egress is configured and managed in Control Panel, and how these created connections are used in the Palantir platform. PrivateLink egress supports private egress to AWS services, user-owned resources deployed on AWS, or third-party APIs deployed on AWS.

Limits

  • 20 PrivateLinks are allowed per enrollment.
  • 10 private domains are allowed per PrivateLink.

To increase these limits contact your Palantir administrator.

Navigate to the PrivateLinks tab in the Network egress page in Control Panel to manage PrivateLinks.

The Control Panel page for managing PrivateLinks.

To successfully create a PrivateLink connection, do the following:

  1. Create an endpoint service for your target resource.
  2. Allow the Palantir platform to access the target resource.
  3. Provide the target resource endpoint service name.
  4. Create network egress policies.

Create an endpoint service for your target resource

AWS services

A list of PrivateLink-compatible AWS services and their endpoint service names can be found in the AWS documentation ↗️. Creating an endpoint service is not required for AWS services; use the endpoint service name provided by AWS. An example of an AWS service that supports PrivateLink is Amazon Bedrock ↗️.

User-owned resources on AWS

For a user-owned resource deployed on AWS, create an endpoint service following the steps in the AWS documentation ↗️. An example of a user-owned resource is a database powered by Amazon RDS ↗️.

Third-party APIs on AWS

For a third-party API that you deploy and own on AWS, create an endpoint service following the steps in the AWS documentation ↗️. If the API is owned by another party, request their VPC endpoint service name. For example, Snowflake’s VPC endpoint service name can be requested as shown in the Snowflake documentation ↗️.

Additionally, request the private domains of a third-party API if the service presents its own transport layer security (TLS) certificates, which are not valid for the AWS-generated domain ↗️ of the PrivateLink: TLS hostname verification fails unless the client connects using a name the service’s certificate covers. For example, Snowflake’s private domains can be found following the Snowflake documentation ↗️. Below is an example of a third-party private domain:

abc.us-east-1.privatelink.snowflakecomputing.com

Allow the Palantir platform to access the target resource

Add the Palantir platform’s AWS account to the allowed principals of your endpoint service by following the AWS documentation ↗️. Allow this specific account rather than all principals (*), so that only the Palantir platform can request a connection to the service. The allowed principal should look like the following:

arn:aws:iam::<palantir_platform_aws_account_id>:root

A Control Panel callout displaying the Palantir platforms' AWS account.
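The provider-side part of this step, as an added example that is not Palantir code: it adds the platform account root as an allowed principal through the EC2 API (boto3 call names), verifies that the allow list contains that principal and no wildcard, and, for endpoint services created with acceptance required, accepts only the pending connection request whose owner is the platform account (the "Pending acceptance" state described further down). The account ID, service ID and endpoint IDs are placeholders, and the FakeEc2 stub is a constructed stand-in so the functions can be exercised offline; pass a real boto3 EC2 client instead for actual use.

```python
"""Provider-side setup of an endpoint service that the Palantir platform will
connect to, via the EC2 API as exposed by boto3. Added example, not Palantir
code. The EC2 client is injected so the same functions run against a real
boto3 client or against the constructed FakeEc2 stub below."""
from typing import Dict, List


def palantir_principal_arn(account_id: str) -> str:
    """Allowed principal for the endpoint service: the platform account's root."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return f"arn:aws:iam::{account_id}:root"


def allow_palantir_platform(ec2, service_id: str, account_id: str) -> List[str]:
    """Add the platform account as an allowed principal and verify the result."""
    arn = palantir_principal_arn(account_id)
    ec2.modify_vpc_endpoint_service_permissions(
        ServiceId=service_id, AddAllowedPrincipals=[arn])
    perms = ec2.describe_vpc_endpoint_service_permissions(ServiceId=service_id)
    allowed = [p["Principal"] for p in perms["AllowedPrincipals"]]
    # "*" would let any AWS account request a connection to the service.
    if "*" in allowed:
        raise RuntimeError("endpoint service allows all principals ('*')")
    if arn not in allowed:
        raise RuntimeError(f"{arn} is not in the allowed principals")
    return allowed


def accept_pending_from(ec2, service_id: str, account_id: str) -> Dict[str, List[str]]:
    """Accept pending connection requests only if their owner is the platform
    account; anything else stays pending for manual review."""
    resp = ec2.describe_vpc_endpoint_connections(
        Filters=[{"Name": "service-id", "Values": [service_id]}])
    accepted, skipped = [], []
    for conn in resp["VpcEndpointConnections"]:
        if conn["VpcEndpointState"] != "pendingAcceptance":
            continue
        if conn["VpcEndpointOwner"] == account_id:
            accepted.append(conn["VpcEndpointId"])
        else:
            skipped.append(conn["VpcEndpointId"])
    if accepted:
        ec2.accept_vpc_endpoint_connections(ServiceId=service_id, VpcEndpointIds=accepted)
    return {"accepted": accepted, "skipped": skipped}


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client, covering the four calls above."""

    def __init__(self, connections):
        self.allowed: List[str] = []
        self.connections = connections
        self.accepted: List[str] = []

    def modify_vpc_endpoint_service_permissions(self, ServiceId, AddAllowedPrincipals):
        self.allowed.extend(AddAllowedPrincipals)

    def describe_vpc_endpoint_service_permissions(self, ServiceId):
        return {"AllowedPrincipals": [{"Principal": a} for a in self.allowed]}

    def describe_vpc_endpoint_connections(self, Filters):
        return {"VpcEndpointConnections": list(self.connections)}

    def accept_vpc_endpoint_connections(self, ServiceId, VpcEndpointIds):
        self.accepted.extend(VpcEndpointIds)


PLATFORM_ACCOUNT = "111122223333"            # placeholder: read the real ID from Control Panel
SERVICE_ID = "vpce-svc-0fedcba9876543210"    # placeholder

# Constructed: two pending requests, one from the platform and one from a stranger.
SAMPLE_CONNECTIONS = [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointOwner": "111122223333", "VpcEndpointState": "pendingAcceptance"},
    {"VpcEndpointId": "vpce-0bbb", "VpcEndpointOwner": "999999999999", "VpcEndpointState": "pendingAcceptance"},
    {"VpcEndpointId": "vpce-0ccc", "VpcEndpointOwner": "111122223333", "VpcEndpointState": "available"},
]

if __name__ == "__main__":
    # Real use: import boto3; ec2 = boto3.client("ec2", region_name="us-east-1")
    ec2 = FakeEc2(SAMPLE_CONNECTIONS)
    print(allow_palantir_platform(ec2, SERVICE_ID, PLATFORM_ACCOUNT))
    print(accept_pending_from(ec2, SERVICE_ID, PLATFORM_ACCOUNT))
```

The owner check in accept_pending_from is the part worth keeping even if the rest is done in the console: any AWS account on the allow list can create a pending request, so the acceptance step, not the allow list, is the last point at which an unexpected connection can be refused.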

Provide the target resource endpoint service name

  1. Navigate to Control Panel > Network Egress > PrivateLinks and select New PrivateLink to create a PrivateLink.

  2. Enter the following details for your target resource for the PrivateLink:

    • Endpoint service name: The endpoint service name of the target resource that was retrieved in the step above.

    The Control Panel dialog to create a PrivateLink.

    • Advanced settings:

      • Private domains: If the PrivateLink egresses to a resource that presents custom TLS certificates, add those domain entries here. The Palantir platform will create CNAME records for these domains that map to the other end of the PrivateLink. Currently, only Snowflake private domains are allowed. To add other domains, contact your Palantir administrator.
      • TCP ports: Add the ports that should be allowed over this PrivateLink. The default port is 443.

The Control Panel advanced settings when creating a PrivateLink.

  3. After providing the details above, select Create.
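What the Private domains setting buys, and why a CNAME alone does not weaken verification, as an added example that is neither Palantir nor Snowflake code: a constructed simulation of the resolver view inside the platform’s VPC (a CNAME from the private domain to the AWS-generated endpoint name) and of the TLS hostname check a client performs against the names on the provider’s certificate. The endpoint name, private domain and certificate names are hypothetical.

```python
"""Why private domains exist: a constructed simulation (added example, not
Palantir or Snowflake code) of the DNS view inside the platform's VPC and of
the TLS hostname check a client performs. All names are hypothetical."""
from typing import Dict, List

# Constructed: AWS-generated name of a hypothetical interface endpoint.
DEFAULT_DOMAIN = ("vpce-0123456789abcdef0-abcd1234"
                  ".vpce-svc-0fedcba9876543210.us-east-1.vpce.amazonaws.com")
# Constructed: a provider's private domain and the DNS names on its certificate.
PRIVATE_DOMAIN = "abc.us-east-1.privatelink.snowflakecomputing.com"
PROVIDER_SANS = ["*.us-east-1.privatelink.snowflakecomputing.com",
                 "*.privatelink.snowflakecomputing.com"]
# Constructed: the CNAME record the platform adds for a configured private domain.
PRIVATE_ZONE = {PRIVATE_DOMAIN: DEFAULT_DOMAIN}


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from a certificate against a hostname the way TLS
    clients do (RFC 6125): case-insensitive, a wildcard only as the whole
    leftmost label, and the wildcard matches exactly one label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_valid_for(sans: List[str], hostname: str) -> bool:
    return any(san_matches(s, hostname) for s in sans)


def resolve(name: str, zone: Dict[str, str], max_hops: int = 8) -> str:
    """Follow CNAME records to the final name, as a resolver would."""
    hops = 0
    while name in zone:
        hops += 1
        if hops > max_hops:
            raise ValueError(f"CNAME chain too long or looping at {name}")
        name = zone[name]
    return name


def connect(requested: str, zone: Dict[str, str], sans: List[str]) -> Dict[str, object]:
    """Model a client connecting to `requested`: the socket goes to the
    resolved name, but SNI and certificate verification use the requested name."""
    target = resolve(requested, zone)
    return {"dial": target, "verified_name": requested,
            "tls_ok": cert_valid_for(sans, requested)}


if __name__ == "__main__":
    # Without a private domain the client must dial the AWS-generated name,
    # which the provider's certificate does not cover: tls_ok is False.
    print(connect(DEFAULT_DOMAIN, {}, PROVIDER_SANS))
    # With the CNAME in place the traffic still lands on the endpoint, but the
    # verified name is one the certificate was issued for: tls_ok is True.
    print(connect(PRIVATE_DOMAIN, PRIVATE_ZONE, PROVIDER_SANS))
    # A CNAME does not create trust by itself: an arbitrary alias pointing at
    # the same endpoint still fails verification.
    alias_zone = {"alias.example.internal": DEFAULT_DOMAIN}
    print(connect("alias.example.internal", alias_zone, PROVIDER_SANS))
```

Because the client dials the private domain, that is also the name the network egress policy has to allow; a policy for the AWS-generated default domain alone does not cover this path.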

The PrivateLink may have the following states:

  • Creating: Creation of the PrivateLink has begun.
  • Creating cloud resources: Provisioning cloud resources.
  • Managing DNS: Managing DNS records.
  • Waiting for cloud resources: Waiting for resources to be created by the cloud provider.
  • Pending acceptance: PrivateLink is waiting for acceptance by the service provider.
  • Ready: PrivateLink has been successfully created.

If the PrivateLink is in the Failed state, one of the following errors has occurred:

  • Failed: The connection request failed. Check the permissions of your virtual private cloud (VPC) endpoint service configuration in AWS, in particular that the Palantir platform’s account is an allowed principal, and re-create the PrivateLink.
  • Rejected: The owner of the VPC endpoint service rejected the connection request; contact them to move forward.
  • Expired: The owner of the VPC endpoint service did not accept the connection request in time; re-create the PrivateLink.
  • Timeout: PrivateLink creation timed out. This could be a transient error; delete the PrivateLink and retry. Contact your Palantir administrator if retrying does not solve the issue.
  • Validation failed: PrivateLink validation failed. Contact your Palantir administrator to move forward.
  • Cloud provider error: Cloud resource creation failed. Contact your Palantir administrator to move forward.
  • DNS management failed: DNS management failed. Contact your Palantir administrator to move forward.

Create network egress policies

After successful creation of a PrivateLink, create network egress policies to allow egress to the target resource.

  1. Create network egress policies by selecting Actions > Create network egress policy in Control Panel.
  2. For each domain or IP item, enter the port of the target resource when creating its network egress policy. The created policies are visible under Actions > View network egress policy in Control Panel.

The Control Panel display of default, private and zonal domains in the network egress policy settings in a PrivateLink.

Cases that require egress policies

  • A network egress policy is required for the default domain whenever that domain is used. If you are connecting to a third-party API through its private domains and the AWS-generated default domain is not intended for use, no policy is required for the default domain.

The Control Panel display of default domains in the network egress policy settings in a PrivateLink.

  • If you intend to use zonal domains, create network egress policies for the zonal domains. If your resource is in the same AWS Availability Zone as the Palantir platform, using that zone’s domain keeps traffic within the zone and may be more efficient.

The Control Panel display of zonal domains in the network egress policy settings in a PrivateLink.

The Control Panel display of IP addresses in the network egress policy settings in a PrivateLink.

  • Create network egress policies for private domains if configured.

The Control Panel display of private domains in the network egress policy settings in a PrivateLink.

Once the PrivateLink is in the Ready state and network egress policies are created, the PrivateLink can be used in the Palantir platform.

Possible actions on the PrivateLink are displayed under Actions in the PrivateLink details page, and in the PrivateLinks page for each item.

The Control Panel display of the menu for managing a PrivateLink through the details page.

The Control Panel display of menu for managing in a PrivateLink through the overview page.

A PrivateLink’s Private domains and TCP ports can be updated by selecting Actions > Update.

The Control Panel display for updating a PrivateLink.

PrivateLinks can be deleted by selecting Actions > Delete.

Share network egress policies

Share the created network egress policies with users who intend to egress to the target resource through the PrivateLink. On the domain or IP that is to be shared, select Actions > View network egress policy and navigate to the network policy page. On the network policy page select Actions > Manage sharing and add the intended user or user group to share the network egress policy.

The Control Panel display of sharing network egress policies.

Data Connection source

In Data Connection, configure a source using the default domain or the third-party API domain, and attach the created network egress policies. After configuring, test connectivity by previewing or exploring the source and verifying that the source’s data is accurate.

Snowflake source

To create a Snowflake source connected through a PrivateLink, follow these steps:

  1. Allowlist the Palantir platform cloud provider account in Snowflake.
  2. Create the PrivateLink in Control Panel.
  3. Create the Snowflake source in Data Connection.

Allowlist the Palantir platform cloud provider account in Snowflake

For the Palantir platform to create a PrivateLink to Snowflake, the Palantir platform’s account needs to be allowlisted in your Snowflake account. To do this follow these steps:

  1. Find the Palantir platform’s cloud provider account ID in Control Panel > Network Egress > PrivateLinks as shown below:

A Control Panel callout displaying the AWS account of the Palantir platform.

  2. Open a support case ↗️ with Snowflake and provide the following information:
    • The Palantir platform’s cloud provider account ID (include the cloud provider; AWS, Azure or GCP).
    • The Snowflake account URL.
    • Include that the above account ID needs to be allowlisted for private connectivity with Palantir. Note that SYSTEM$AUTHORIZE_PRIVATELINK cannot be used, since Palantir users do not have direct access to the underlying cloud provider infrastructure and are not provided with the required federated_token.

Once Snowflake has allowlisted the Palantir platform’s cloud provider account, continue to the next step.

Create the PrivateLink in Control Panel

Before creating a PrivateLink between the Palantir platform and Snowflake, retrieve the PrivateLink configuration from Snowflake by running the command SYSTEM$GET_PRIVATELINK_CONFIG ↗️. This command outputs the information required to create the PrivateLink in the Palantir platform.

  1. To create a PrivateLink, navigate to Control Panel > Network Egress > PrivateLinks > New PrivateLink.

A Control Panel callout displaying a sample configuration of a Snowflake PrivateLink.

  2. Enter the following details from the output above to create a PrivateLink:
    • Endpoint service name: Enter the privatelink-vpce-id from the output of SYSTEM$GET_PRIVATELINK_CONFIG.
    • Advanced settings:
      • Private domains: The Palantir platform will map these URLs to the other end of the Snowflake PrivateLink and route traffic over the PrivateLink, maintaining Snowflake's use of Online Certificate Status Protocol (OCSP) for security. Read more about configuring your VPC network ↗️ in the Snowflake documentation. The following values can be obtained using SYSTEM$GET_PRIVATELINK_CONFIG:
        • privatelink-account-url
        • privatelink-connection-ocsp-urls
        • privatelink-connection-urls
        • privatelink-ocsp-url
        • regionless-privatelink-account-url
        • regionless-snowsight-privatelink-url
        • snowsight-privatelink-url
      • TCP ports: Enter 443 and 80 as mentioned in the Snowflake documentation ↗️.

Once configured, select Create to create the PrivateLink. When the PrivateLink is in the Ready state, continue to the next step.

Create the Snowflake source in Data Connection

  1. To create a Snowflake data source in Data Connection, navigate to Data Connection > New Source > Snowflake.
  2. Configure the source, and do the following in Connection details to use the created PrivateLink:
    • Account identifier: Input the account ID of the Snowflake account that the PrivateLink was created for.
    • PrivateLink: Toggle this to use the PrivateLink.

A Control Panel callout displaying the sample configuration of a Snowflake source.

Network egress policies

Create network egress policies for all of the hosts and ports output by the command SYSTEM$ALLOWLIST_PRIVATELINK ↗️. Additionally, create a policy for the S3 bucket listed in the STAGE entry of that output, as shown below:

A Control Panel callout displaying suggested egress for a Snowflake source.
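The Snowflake steps above (PrivateLink creation from SYSTEM$GET_PRIVATELINK_CONFIG, egress policies from SYSTEM$ALLOWLIST_PRIVATELINK) carried through in one place, as an added example that is neither Palantir nor Snowflake code. It derives the three New PrivateLink inputs from the first output, checking that the endpoint service is in the platform’s region, that every domain is a Snowflake private domain, and that the 10-domain limit holds; it then classifies the second output into egress entries and flags hosts or ports that would not actually ride the PrivateLink. Both sample outputs are constructed in the shape the two Snowflake functions document; account names, service IDs and hosts are placeholders, and PLATFORM_REGION is an assumed value.

```python
"""Derive Control Panel inputs and egress entries from Snowflake's PrivateLink
outputs. Added example, not Palantir or Snowflake code; sample data constructed."""
import json
import re
from typing import Any, Dict, List

PLATFORM_REGION = "us-east-1"          # assumption: region of the Palantir platform
MAX_PRIVATE_DOMAINS = 10               # limit per PrivateLink (Limits section)
SNOWFLAKE_PRIVATE_SUFFIX = ".privatelink.snowflakecomputing.com"
PRIVATE_DOMAIN_KEYS = [
    "privatelink-account-url", "privatelink-connection-ocsp-urls",
    "privatelink-connection-urls", "privatelink-ocsp-url",
    "regionless-privatelink-account-url", "regionless-snowsight-privatelink-url",
    "snowsight-privatelink-url",
]
VPCE_SERVICE_RE = re.compile(r"^com\.amazonaws\.vpce\.([a-z0-9-]+)\.(vpce-svc-[0-9a-f]+)$")


def _as_list(value: Any) -> List[str]:
    """Some keys hold a JSON array encoded as a string, others a bare hostname."""
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    value = str(value).strip()
    return json.loads(value) if value.startswith("[") else [value]


def _hostname(value: str) -> str:
    value = value.strip().lower()
    if "://" in value:                      # tolerate full URLs as well as hostnames
        value = value.split("://", 1)[1]
    return value.split("/")[0].split(":")[0].rstrip(".")


def privatelink_inputs(config: Dict[str, Any], platform_region: str = PLATFORM_REGION) -> Dict[str, Any]:
    """Endpoint service name, private domains and TCP ports for New PrivateLink."""
    service = config["privatelink-vpce-id"]
    m = VPCE_SERVICE_RE.match(service)
    if not m:
        raise ValueError(f"unexpected endpoint service name: {service}")
    if m.group(1) != platform_region:     # cross-region needs VPC peering first
        raise ValueError(f"endpoint is in {m.group(1)}, platform is in {platform_region}")
    domains: List[str] = []
    for key in PRIVATE_DOMAIN_KEYS:
        for raw in _as_list(config.get(key)):
            host = _hostname(raw)
            if host and host not in domains:
                domains.append(host)
    foreign = [d for d in domains if not d.endswith(SNOWFLAKE_PRIVATE_SUFFIX)]
    if foreign:                           # only Snowflake private domains are accepted
        raise ValueError(f"not Snowflake private domains: {foreign}")
    if len(domains) > MAX_PRIVATE_DOMAINS:
        raise ValueError(f"{len(domains)} private domains exceed the limit of {MAX_PRIVATE_DOMAINS}")
    return {"endpoint_service_name": service, "private_domains": domains, "tcp_ports": [443, 80]}


def egress_entries(allowlist: List[Dict[str, Any]], inputs: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One policy entry per allowlist host/port, tagged: rides the PrivateLink
    (private-domain), is the S3 stage bucket (stage), or neither (other)."""
    private = set(inputs["private_domains"])
    entries = []
    for item in allowlist:
        host, port = _hostname(item["host"]), int(item["port"])
        kind = "private-domain" if host in private else "stage" if item["type"] == "STAGE" else "other"
        entries.append({"host": host, "port": port, "type": item["type"], "kind": kind})
    return entries


def unrouted_snowflake_hosts(entries: List[Dict[str, Any]]) -> List[str]:
    """Snowflake private hosts the allowlist needs but that are not configured
    as private domains: a policy alone would not send them over the PrivateLink."""
    return [e["host"] for e in entries
            if e["kind"] == "other" and e["host"].endswith(SNOWFLAKE_PRIVATE_SUFFIX)]


def ports_missing_on_privatelink(entries: List[Dict[str, Any]], inputs: Dict[str, Any]) -> List[int]:
    """Ports needed on private-domain hosts that the PrivateLink's TCP ports do not open."""
    return sorted({e["port"] for e in entries
                   if e["kind"] == "private-domain" and e["port"] not in inputs["tcp_ports"]})


# Constructed sample of SYSTEM$GET_PRIVATELINK_CONFIG output (placeholder values).
SAMPLE_CONFIG = {
    "privatelink-vpce-id": "com.amazonaws.vpce.us-east-1.vpce-svc-0fedcba9876543210",
    "privatelink-account-url": "xy12345.us-east-1.privatelink.snowflakecomputing.com",
    "privatelink-connection-urls": "[\"xy12345.us-east-1.privatelink.snowflakecomputing.com\"]",
    "privatelink-ocsp-url": "ocsp.xy12345.us-east-1.privatelink.snowflakecomputing.com",
    "privatelink-connection-ocsp-urls": "[\"ocsp.xy12345.us-east-1.privatelink.snowflakecomputing.com\"]",
    "regionless-privatelink-account-url": "myorg-myacct.privatelink.snowflakecomputing.com",
    "regionless-snowsight-privatelink-url": "app-myorg-myacct.privatelink.snowflakecomputing.com",
    "snowsight-privatelink-url": "app.us-east-1.privatelink.snowflakecomputing.com",
}
# Constructed sample of SYSTEM$ALLOWLIST_PRIVATELINK output (placeholder values).
SAMPLE_ALLOWLIST = [
    {"type": "SNOWFLAKE_DEPLOYMENT", "host": "xy12345.us-east-1.privatelink.snowflakecomputing.com", "port": 443},
    {"type": "SNOWFLAKE_DEPLOYMENT_REGIONLESS", "host": "myorg-myacct.privatelink.snowflakecomputing.com", "port": 443},
    {"type": "STAGE", "host": "sfc-xx-ds1-customer-stage.s3.us-east-1.amazonaws.com", "port": 443},
    {"type": "OCSP_CACHE", "host": "ocsp.xy12345.us-east-1.privatelink.snowflakecomputing.com", "port": 80},
    {"type": "SNOWSIGHT_DEPLOYMENT", "host": "app.us-east-1.privatelink.snowflakecomputing.com", "port": 443},
]

if __name__ == "__main__":
    inputs = privatelink_inputs(SAMPLE_CONFIG)
    entries = egress_entries(SAMPLE_ALLOWLIST, inputs)
    print(json.dumps(inputs, indent=2))
    for e in entries:
        print(f"{e['kind']:15} {e['host']}:{e['port']}")
    print("unrouted:", unrouted_snowflake_hosts(entries), "ports missing:", ports_missing_on_privatelink(entries, inputs))
```

The two checks at the end are the ones that matter operationally: a Snowflake host that appears in the allowlist but not in the PrivateLink’s private domains gets a working egress policy yet is resolved publicly, and a port (80 for OCSP in the sample) that is allowed by policy but not opened on the PrivateLink is blocked at the link rather than by policy, which is confusing to debug from the source’s connectivity test.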

For more information on Snowflake configuration refer to our Snowflake documentation.