Connect to Foundry via AWS PrivateLink

AWS PrivateLink allows users to access Foundry over a private AWS network path without traversing the public internet. Currently, AWS supports PrivateLink only for VPCs (virtual private clouds) in the same region as the Foundry enrollment region. Note that AWS PrivateLink is an AWS service.

Traffic can flow from a customer's Virtual Private Cloud (VPC) to the Foundry VPC using the AWS backbone network. PrivateLink traffic and open internet traffic to Foundry are supported at the same time by configuring additional IP whitelists using Control Panel.

  1. Send your AWS account ID to your Palantir representative.
  2. Palantir sends back the VPC Endpoint Service Name. Example of a VPC Endpoint Service Name: com.amazonaws.vpce.<REGION>.vpce-svc-<18_CHARACTER_UID>.
  3. Create a VPC Endpoint in the AWS Console under VPC > Endpoints > Create Endpoint.
     a. Optionally, add a name tag for your endpoint.
     b. Select Other endpoint services.
     c. In the Service Category section, paste the Palantir Endpoint Service Name and select Verify service.
     d. Fill in the VPC, Subnets, and Security Groups that you want to connect to Foundry via PrivateLink. Note that the Security Group must allow connections to Foundry on port 443 (HTTPS).
     e. Select Create Endpoint at the bottom of the page to create the new Endpoint.
  4. Submit the newly created Endpoint ID (available in the Endpoints section of the AWS VPC dashboard), along with your Foundry Enrollment ID and Organization ID(s) for all organizations that should be allowed to use the Private Link. The Foundry Enrollment IDs and Organization IDs can be found in Control Panel.

[Screenshot: Foundry Enrollment ID in the Foundry Control Panel]

  5. Add a DNS entry (CNAME or A record) that points the Foundry domain to the VPC Endpoint's Universal DNS name. If you are doing this within AWS, it is recommended to create an A-record alias in Route53 as shown in the AWS documentation for routing to a VPC Endpoint with Route53. You can find the Universal DNS name under DNS names in the Endpoints section of the AWS VPC dashboard.
  6. (Conditional) If the Foundry domain is owned by you (meaning that the domain is not a Palantir-owned domain such as *.palantirfoundry.com), additional configuration is needed to route internal Foundry services through the endpoint as well; these steps are described in the documentation on customer-owned private links.
  7. Refresh and clear your browser cache. All traffic from your VPC to Foundry will now be routed through the private link instead of the public Internet.
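The endpoint, its security group and the Route53 alias record from step 3 and the DNS step above, written out as an added Terraform example; this is not Palantir's code. It assumes a Palantir-owned Foundry domain (so the customer-owned-domain step does not apply) and the placeholder variables vpc_id, vpc_cidr, subnet_ids, foundry_service_name and foundry_domain.

```hcl
# Assumed inputs (placeholders, not values from the documentation).
variable "vpc_id"               { type = string }
variable "vpc_cidr"             { type = string }       # source range allowed to use the endpoint
variable "subnet_ids"           { type = list(string) } # subnets that get an endpoint ENI
variable "foundry_service_name" { type = string }       # com.amazonaws.vpce.<REGION>.vpce-svc-<UID> from Palantir
variable "foundry_domain"       { type = string }       # e.g. <tenant>.palantirfoundry.com

# Least privilege on the endpoint ENIs: only HTTPS from inside the VPC.
# No egress block is declared, so Terraform leaves the group with no egress rules,
# which is fine because the endpoint only receives connections.
resource "aws_security_group" "foundry_endpoint" {
  name        = "foundry-privatelink"
  description = "Allow HTTPS to the Foundry PrivateLink endpoint"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

# Interface endpoint to Palantir's endpoint service (step 3).
resource "aws_vpc_endpoint" "foundry" {
  vpc_id              = var.vpc_id
  service_name        = var.foundry_service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.foundry_endpoint.id]
  private_dns_enabled = false # name resolution is handled by the alias record below
  tags                = { Name = "foundry-privatelink" }
}

# Private hosted zone for the Foundry domain, visible only from this VPC,
# with an apex A-record alias to the endpoint's regional DNS name (DNS step).
resource "aws_route53_zone" "foundry" {
  name = var.foundry_domain
  vpc { vpc_id = var.vpc_id }
}

resource "aws_route53_record" "foundry" {
  zone_id = aws_route53_zone.foundry.zone_id
  name    = var.foundry_domain
  type    = "A"
  alias {
    name                   = aws_vpc_endpoint.foundry.dns_entry[0].dns_name
    zone_id                = aws_vpc_endpoint.foundry.dns_entry[0].hosted_zone_id
    evaluate_target_health = false
  }
}

# The Endpoint ID that is submitted to Palantir in step 4.
output "foundry_endpoint_id" { value = aws_vpc_endpoint.foundry.id }
```

After `terraform apply`, the endpoint shows as "pending acceptance" until Palantir has registered the Endpoint ID from step 4, and hosts in the VPC resolve the Foundry domain to private endpoint addresses only once the alias record is in place.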

Traffic that occurs from Foundry to other AWS VPCs can also be configured to be routed through the AWS backbone instead of the public Internet, as long as both the Foundry instance's VPC and the target VPC are in the same AWS region.

Some AWS services can send all traffic over the AWS backbone without the extra AWS cost of a custom PrivateLink by using AWS Gateway Endpoints. The AWS services currently supported are:

  • S3: You can set up an AWS Gateway Endpoint for S3 directly in Foundry Control Panel by creating an S3 bucket same-region policy.
  • DynamoDB: Contact your Palantir representative to set up an AWS Gateway Endpoint for DynamoDB.

For all other AWS services or any other types of traffic, a PrivateLink (VPC Endpoint) must be set up in AWS and configured in Foundry. This setup process is fully self-service and is described in the documentation on private link egress.

FAQ

I get an "Unable to verify service name" error when creating a VPC Endpoint.

Ensure that you sent the correct AWS Account ID to your Palantir representative in the first step. Note that if the account ID starts with zeros, those leading zeros must still be included in the ID.

Can Palantir give me an AWS federated token?

No; you must use Palantir's Endpoint Service name to create a VPC Endpoint as described in steps 1-3 of the guide to setting up ingress to Foundry.

Is it possible to connect my non-Foundry VPC to Foundry’s VPC via VPC Peering?

No, VPC peering with a non-Palantir network is not supported; we suggest using a Private Link instead as described in the documentation on this page.

No, AWS PrivateLink does not fully support cross-region Private Links; instead, we suggest that you set up a new VPC in the same region as your Foundry instance, and then set up VPC peering between your original VPC and the new VPC. Then, you can connect the new VPC to Foundry via AWS PrivateLink as described above. For more information, see the AWS documentation on how to configure cross-Region Amazon VPC interface endpoints to access AWS PrivateLink resources.