PrivateLink egress [Beta]
The ability to configure PrivateLinks is in beta and may not be available on all enrollments. Some functionality may change before this feature becomes generally available.
PrivateLink egress refers to connections that are made from the Palantir platform to another system that is hosted on the same cloud provider as the Palantir platform using private connectivity. This is only supported for AWS-hosted Palantir platform instances and customer services in the same region powered by AWS PrivateLink ↗️. If your target resource is in a different region, configure VPC peering ↗️ to the Palantir platform’s region, then create a PrivateLink.
This page outlines how PrivateLink egress is configured and managed in Control Panel, and how these created connections are used in the Palantir platform. PrivateLink egress supports private egress to AWS services, user-owned resources deployed on AWS, or third-party APIs deployed on AWS.
Limits
- 20 PrivateLinks are allowed per enrollment.
- 10 private domains are allowed per PrivateLink.
To increase these limits contact your Palantir administrator.
Configure a PrivateLink
Navigate to the PrivateLinks tab in the Network egress page in Control Panel to manage PrivateLinks.
To successfully create a PrivateLink connection, do the following:
- Create an endpoint service for your target resource.
- Allow the Palantir platform to access the target resource.
- Provide the target resource endpoint service name.
- Create network egress policies.
Create an endpoint service for your target resource
AWS services
A list of PrivateLink compatible AWS services and their endpoint service names can be found in the AWS documentation ↗️. Creation of an endpoint service is not required for AWS services, the endpoint service name provided by AWS can be used. An example of an AWS service that supports private links is Amazon Bedrock ↗️.
User-owned resources on AWS
For a user-owned resource deployed on AWS, create an endpoint service following the steps in the AWS documentation ↗️. An example of a user owned resource is databases powered by AWS RDS ↗️.
Third-party APIs on AWS
For user-owned third-party APIs deployed on AWS, create an endpoint service following the steps from the AWS documentation ↗️. If owned by another party, request their VPC endpoint service name. For example, Snowflake’s VPC endpoint service name can be requested as shown in the Snowflake documentation ↗️.
Additionally, request the private domains of third-party APIs if the service uses custom transport layer security (TLS) certificates that are not valid for the AWS-generated domain ↗️ of the PrivateLink. For example, Snowflake’s private domains can be found following the Snowflake documentation ↗️. Below is an example of a private third party domain:
abc.us-east-1.privatelink.snowflakecomputing.com
Allow the Palantir platform to access the target resource
To access the target resource through a PrivateLink, allow the Palantir platform to access the resource. Add the Palantir platform’s AWS account in the allowed principal list of your endpoint service by following the AWS documentation ↗️. The allowed principal should look like the following:
arn:aws:iam::<the Palantir platform_aws_account_id>:root
Provide the target resource endpoint service name
-
Navigate to Control Panel > Network Egress > PrivateLinks and select New PrivateLink to create a PrivateLink.
-
Enter the following details for your target resource for the PrivateLink:
- Endpoint service name: The endpoint service name of the target resource that was retrieved in the step above.
-
Advanced settings:
- Private domains: If the PrivateLink egresses to a resource that has custom TLS certificates, add those domain entries here. the Palantir platform will create
CNAMErecords for theses domains that map to the other end of the PrivateLink. Currently, only Snowflake private domains are allowed. To add other domains contact your Palantir administrator. - TCP ports: Add ports that should be allowed over this PrivateLink, the default port is 443.
- Private domains: If the PrivateLink egresses to a resource that has custom TLS certificates, add those domain entries here. the Palantir platform will create
- After providing the details above, select Create.
The PrivateLink may have the following states:
- Creating: Creation of the PrivateLink has begun.
- Creating cloud resources: Provisioning cloud resources.
- Managing DNS: Managing DNS records.
- Waiting for cloud resources: Waiting for resources to be created by the cloud provider.
- Pending acceptance: PrivateLink is waiting for acceptance by the service provider.
- Ready: PrivateLink has been successfully created.
If the PrivateLink is in the Failed state, one of the following errors have occurred:
- Failed: The connection request failed. Check permissions for your virtual private cloud (VPC) endpoint service configuration in AWS and recreate.
- Rejected: The service provider rejected the connection request. The owner of the VPC endpoint service has rejected the connection, contact them to move forward.
- Expired: The connection request expired. The owner of the VPC endpoint service has not accepted the connection in time, re-create the PrivateLink
- Timeout: PrivateLink creation timed out. This could be a transient error, delete and retry. Contact your Palantir administrator if retrying does not solve the issue.
- Validation failed: PrivateLink validation failed. Contact your Palantir administrator to move forward.
- Cloud provider error: Cloud resource creation failed. Contact your Palantir administrator to move forward.
- DNS management failed: DNS management failed. Contact your Palantir administrator to move forward.
Create network egress policies
After successful creation of a PrivateLink, create network egress policies to allow egress to the target resource.
- Create network egress policies by selecting Actions > Create network egress policy in Control Panel.
- Input the port of the target resource per item when creating a network egress policy. These created policies are visible under Actions > View network egress policy in Control Panel.
Cases that require egress policies
- A network egress policy is required for the default domain. If you are connecting to a third-party API, and the AWS generated default domain is not intended for use, a network egress policy is not required.
- If you intend to use zonal domains, create network egress policies for the zonal domains. If your VPC is in the same AWS zone as the Palantir platform, then using the same zone domain may be more efficient.
- If the target resource is a non HTTP(S)-based resource, IP-based network egress policies are required.
- Create network egress policies for private domains if configured.
Once the PrivateLink is in the Ready state and network egress policies are created, the PrivateLink can be used in the Palantir platform.
Manage PrivateLinks
Possible actions on the PrivateLink are displayed under Actions in the PrivateLink details page, and in the PrivateLinks page for each item.
Update a PrivateLink
A PrivateLink’s Private domains and TCP ports can be updated by selecting Actions > Update.
Delete a PrivateLink
PrivateLinks can be deleted by selecting Actions > Delete.
Share network egress policies
Share the created network egress policies with users who intend to egress to the target resource through the PrivateLink. On the domain or IP that is to be shared, select Actions > View network egress policy and navigate to the network policy page. On the network policy page select Actions > Manage sharing and add the intended user or user group to share the network egress policy.
PrivateLink usage
Data Connection source
In Data Connection, configure a source using the default domain or the third-party API domain, and attach the created network egress policies. After configuring, test connectivity by previewing or exploring the source and verifying that the source’s data is accurate.
Snowflake source
To create a Snowflake source connected through a PrivateLink, follow these steps:
- Allowlist the Palantir platform cloud provider account in Snowflake.
- Create the PrivateLink in Control Panel.
- Create the Snowflake source in Data Connection.
Allowlist the Palantir platform cloud provider account in Snowflake
For the Palantir platform to create a PrivateLink to Snowflake, the Palantir platform’s account needs to be allowlisted in your Snowflake account. To do this follow these steps:
- Find the Palantir platform’s cloud provider account ID in Control Panel > Network Egress > PrivateLinks as shown below:
- Open a support case ↗️ with Snowflake and provide the following information:
- The Palantir platform’s cloud provider account ID (include the cloud provider; AWS, Azure or GCP).
- The Snowflake account URL.
- Include that the above account ID needs to be allowlisted for private connectivity with Palantir. Note that
SYSTEM$AUTHORIZE_PRIVATELINKcannot be used, since Palantir users do not have direct access to the underlying cloud provider infrastructure and are not provided with the requiredfederated_token.
Once Snowflake has allowlisted the Palantir platform’s cloud provider account, continue to the next step.
Create the PrivateLink in Control Panel
Before creating a PrivateLink between the Palantir platform and Snowflake, retrieve the PrivateLink configuration from Snowflake by running the command, SYSTEM$GET_PRIVATELINK_CONFIG ↗️. This command outputs the required information to create a PrivateLink in the Palantir platform.
- To create a PrivateLink, navigate to Control Panel > Network Egress > PrivateLinks > New PrivateLink.
- Enter the following details from the output above to create a PrivateLink:
- Endpoint service name: Enter the
privatelink-vpce-idfrom the output ofSYSTEM$GET_PRIVATELINK_CONFIG. - Advanced settings:
- Private domains: the Palantir platform will map these URLs to the other end of the Snowflake PrivateLink and route traffic over the PrivateLink, maintaining Snowflake's use of Online Certificate Status Protocol (OCSP) for security. Read more about configuring your VPC network ↗️ in the Snowflake documentation. The following values can be obtained using
SYSTEM$GET_PRIVATELINK_CONFIG:privatelink-account-urlprivatelink-connection-ocsp-urlsprivatelink-connection-urlsprivatelink-ocsp-urlregionless-privatelink-account-urlregionless-snowsight-privatelink-urlsnowsight-privatelink-url
- TCP ports: Enter
443and80as mentioned in the Snowflake documentation ↗️.
- Private domains: the Palantir platform will map these URLs to the other end of the Snowflake PrivateLink and route traffic over the PrivateLink, maintaining Snowflake's use of Online Certificate Status Protocol (OCSP) for security. Read more about configuring your VPC network ↗️ in the Snowflake documentation. The following values can be obtained using
- Endpoint service name: Enter the
Once configured, select Create to create the PrivateLink. When the PrivateLink is in the Ready state, continue to the next step.
Create the Snowflake source in Data Connection
- To create a Snowflake data source in Data Connection, navigate to Data Connection > New Source > Snowflake.
- Configure the source, and do the following in Connection details to use the created PrivateLink:
- Account identifier: Input the account ID of the Snowflake account that the PrivateLink was created for.
- PrivateLink: Toggle this to use the PrivateLink.
Network egress policies
Create network egress policies for all of the URLs output by the command SYSTEM$ALLOWLIST_PRIVATELINK ↗️. Additionally, create an S3 bucket policy for the STAGE of the output as shown below:
For more information on Snowflake configuration refer to our Snowflake documentation.