
Connect to Foundry via AWS PrivateLink

AWS PrivateLink ↗ allows users to access Foundry over a private AWS network without traversing the public Internet. AWS PrivateLink supports connections between VPCs (virtual private clouds) in different regions, but cross-region support may carry additional limitations; contact your Palantir representative with the desired (start_region, destination_region) combination to verify support. Note that AWS PrivateLink is an AWS service.

Traffic can flow from a customer's Virtual Private Cloud (VPC) to the Foundry VPC over the AWS backbone network. PrivateLink traffic and public Internet traffic to Foundry can be supported at the same time by configuring additional IP whitelists in Control Panel.

  1. Send your AWS account ID ↗ to your Palantir representative.
  2. Palantir sends back the VPC Endpoint Service Name. Example of a VPC Endpoint Service Name: com.amazonaws.vpce.<REGION>.vpce-svc-<18_CHARACTER_UID>.
  3. Create a VPC Endpoint in the AWS Console under VPC > Endpoints > Create Endpoint.
     a. Optionally, add a name tag for your endpoint.
     b. Select Other endpoint services.
     c. In the Service Category section, paste the Palantir Endpoint Service Name and select Verify service.
     d. Fill in the remaining details of the VPC, Subnets, and Security Groups that you want to connect to Foundry via PrivateLink. Note that the Security Group must allow connections to Foundry on port 443 (HTTPS).
     e. Select Create Endpoint at the bottom of the page to create the new Endpoint.
  4. Provide your newly created Endpoint ID (found in the Endpoints section of the AWS VPC dashboard) and the AWS region of the endpoint, as well as your Foundry Enrollment ID and the Organization ID(s) for every organization that should have access via the Private Link, to your Palantir representative. The Foundry Enrollment IDs and Organization IDs can be found in Control Panel.

(Screenshot: the Foundry Enrollment ID as shown in the Foundry Control Panel.)

  5. Add a DNS entry (CNAME or A-Record) that points the Foundry domain to the VPC Endpoint Universal DNS name. If you are doing this within AWS, it is recommended to create an A-Record alias in Route53 as shown in the AWS documentation for routing to a VPC Endpoint with Route53 ↗. You can find the Universal DNS name under DNS names in the Endpoints section of the AWS VPC dashboard.
  6. (Conditional) If the Foundry domain is owned by you (meaning that the domain is not a Palantir-owned domain such as *.palantirfoundry.com), additional configuration is needed to funnel internal Foundry services through the endpoint as well; these steps are described in the documentation on customer-owned private links.
  7. Refresh and clear your browser cache; all traffic from your VPC to Foundry will now be routed through the private link instead of the public Internet.
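The console steps 3 and 5 above, expressed with the AWS CLI, as an added example that is not Palantir's own code or documentation. The service name, VPC, subnet, security-group, CIDR, hosted-zone and hostname values are assumed placeholders; the `aws ec2` and `aws route53` subcommands used are standard AWS CLI operations, and the account-ID helper covers the leading-zero pitfall from the FAQ.

```shell
#!/bin/sh
# Added example, not Palantir's code: AWS CLI equivalent of steps 3 and 5
# above. Every value passed in is an assumed placeholder; substitute your own.
set -eu

# AWS account IDs are 12 digits and leading zeros are significant (see FAQ),
# so the ID is validated and passed around as a string, never as a number.
valid_account_id() { printf '%s' "$1" | grep -Eq '^[0-9]{12}$'; }

# The service name Palantir returns has the form
# com.amazonaws.vpce.<REGION>.vpce-svc-<UID>; reject anything else early.
valid_service_name() {
  printf '%s' "$1" | grep -Eq '^com\.amazonaws\.vpce\.[a-z0-9-]+\.vpce-svc-[a-z0-9]+$'
}

# Route53 change batch for step 5: alias the Foundry hostname ($1) to the
# endpoint's regional DNS name ($2) in the endpoint's hosted zone ($3).
route53_alias_batch() {
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A",' "$1"
  printf '"AliasTarget":{"HostedZoneId":"%s","DNSName":"%s","EvaluateTargetHealth":false}}}]}' "$3" "$2"
}

# Steps 3 and 5: create the interface endpoint, then point DNS at it.
# Args: service name, VPC ID, space-separated subnet IDs, security group ID,
# client CIDR allowed to reach the endpoint, Route53 hosted zone ID, hostname.
connect_foundry() {
  service_name=$1; vpc_id=$2; subnet_ids=$3; sg_id=$4
  client_cidr=$5; zone_id=$6; host=$7
  valid_service_name "$service_name" || { echo "bad service name" >&2; return 1; }
  # Step 3d: the endpoint's security group must accept HTTPS from your clients.
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
    --protocol tcp --port 443 --cidr "$client_cidr"
  ep_id=$(aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface \
    --service-name "$service_name" --vpc-id "$vpc_id" \
    --subnet-ids $subnet_ids --security-group-ids "$sg_id" \
    --query 'VpcEndpoint.VpcEndpointId' --output text)
  # Step 4 happens out of band: send this ID (and the region) to Palantir;
  # the endpoint carries traffic only after the connection request is accepted.
  echo "Endpoint ID for Palantir: $ep_id"
  # Step 5: the regional DNS name and its hosted zone come from the endpoint.
  set -- $(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$ep_id" \
    --query 'VpcEndpoints[0].DnsEntries[0].[DnsName,HostedZoneId]' --output text)
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(route53_alias_batch "$host" "$1" "$2")"
}
```

Run `connect_foundry` with your own values once step 2 has given you the service name; the endpoint will sit in a pending state until Palantir accepts it in step 4.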

Egress traffic from Foundry to other AWS VPCs can also be routed through the AWS backbone instead of the public Internet, even when the Foundry instance's VPC and the target VPC are in different AWS regions.

Some AWS services can receive all traffic over the AWS backbone without the additional AWS cost of a custom PrivateLink, by using AWS Gateway Endpoints ↗. The AWS services currently supported are:

  • S3: You can set up an AWS Gateway Endpoint for S3 directly in Foundry Control Panel by creating an S3 bucket same-region policy.
  • DynamoDB: Contact your Palantir representative to set up an AWS Gateway Endpoint for DynamoDB.

For all other AWS services or any other types of traffic, a PrivateLink (VPC Endpoint) must be set up in AWS and configured in Foundry. This setup process is fully self-service and is described in the documentation on private link egress.

FAQ

I get an "Unable to verify service name" error when creating a VPC Endpoint.

Ensure that you sent the correct AWS Account ID to your Palantir representative in the first step. Note that if the account ID starts with zeroes, these still need to be included in the ID.

Can Palantir give me an AWS federated token?

No; you must use Palantir's Endpoint Service Name to create a VPC Endpoint as described in steps 1-3 of the ingress setup above.

Is it possible to connect my non-Foundry VPC to Foundry's VPC via VPC Peering?

No, VPC peering with a non-Palantir network is not supported; we suggest using a Private Link instead as described in the documentation on this page.

Does PrivateLink work when my VPC is in a different AWS region from Foundry?

Yes, AWS PrivateLink supports cross-region Private Links. See the ingress and egress instructions above to establish this connection.
