---
title: Private endpoints | Tiger Data Docs
description: Connect your services to AWS PrivateLink endpoints to eliminate public internet exposure
---

With Tiger Cloud, you can connect your services to AWS PrivateLink endpoints. A private endpoint in your VPC routes traffic to your service over the AWS backbone, without crossing the public internet or requiring VPC peering. This page describes how to authorize your AWS account in Tiger Console, create a private endpoint on the AWS side, and attach a service to it.

## Prerequisites

To follow the steps on this page:

- Create a target [Tiger Cloud service](/docs/get-started/quickstart/create-service/index.md) with the Real-time analytics capability.
- Create an [AWS account](https://signin.aws.amazon.com/signup?request_type=register) with a [VPC](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html) and a subnet for the resources you will connect to Tiger Cloud.
- Configure [IAM permissions](https://docs.aws.amazon.com/vpc/latest/privatelink/identity-access-management.html) to create VPC endpoints.

## Set up a private endpoint connection

Note

Private endpoint connections in Tiger Cloud are currently in private preview. To request access in Tiger Console, go to `Security` > `Private Endpoints` and click `Request access`. Then refresh the page and follow the steps below.

Take the following steps to connect your Tiger Cloud service to a PrivateLink endpoint.

1. **Create an AWS account authorization**

   1. In [Tiger Console](https://console.cloud.tigerdata.com/dashboard/aws-privatelink), select `Security` > `Private Endpoints` > `Configure Private Endpoint Connection`.

      ![Configure private endpoint connection in Tiger Cloud](/docs/_astro/private-endpoint-tiger-cloud.CsM1u4VA_Z2djjdM.webp)

   2. In `Cloud provider`, select `AWS`.

   3. In `Principal ID`, enter your AWS account ID. Give your authorization a name, for convenience.

      Warning

      Click the checkmark next to `Connection name` to save your authorization. Otherwise, your input is discarded.

   4. Under `Alias`, copy the alias for the region in which you need to create the connection. Choose the region of your AWS resources.

   5. Click `Done`. Tiger Cloud confirms your authorization. Once it is confirmed, you can connect multiple endpoints from the same authorized account.

2. **Create a VPC endpoint in AWS**

   1. In [AWS Console](https://console.aws.amazon.com/), go to `VPC` > `Endpoints` > `Create endpoint`.

   2. Optionally provide a name tag for your endpoint.

   3. Under `Type`, select `PrivateLink Ready partner services`.

      ![AWS create endpoint settings](/docs/_astro/aws-private-endpoint-settings.BV5BZDys_Zmdxfq.webp)

   4. Under `Service settings` > `Service name`, paste in the alias you copied in Tiger Console and click `Verify service`. Wait for the `Service name verified.` success message.

      ![AWS endpoint service settings](/docs/_astro/aws-private-endpoint-service-settings.5t4nz9qK_1GMB0a.webp)

   5. Select the VPC that contains the resources you want to connect to Tiger Cloud, then choose one or more Availability Zones and subnets where the endpoint’s private IPs will be created. For lowest latency and no cross-AZ data transfer charges, match the Availability Zones of your workloads; select multiple AZs for high availability.

   6. Optionally configure the security groups and tags, then click `Create endpoint`.

   7. Go to `EC2` > `Network interfaces` and copy the primary private IPv4 address of your endpoint.

3. **Sync the connection**

   1. In [Tiger Console](https://console.cloud.tigerdata.com/dashboard/aws-privatelink) > `Security` > `Private Endpoints`, click `Refresh`. Tiger Cloud automatically approves connections from authorized accounts. Your connection appears in the list.

      ![Authorized Private Endpoint connection in Tiger Cloud](/docs/_astro/private-endpoint-connection-authorized.Bh_zZp9N_Z1nWA9c.webp)

   2. Under `IP Address`, click `Add IP` and paste the private endpoint IP address you copied from AWS.

   3. Under `Services` click `Attach service`. Select your service from the dropdown and click `Attach`. You can attach a service to one private endpoint.

   4. From an EC2 instance inside your VPC, connect to your service using a connection string with your [connection details](/docs/integrate/find-connection-details/index.md). You should be able to connect successfully.
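A pre-flight check for the IP address handled in steps 2.7 through 3.4, as an added example that is not part of Tiger Cloud's documentation or tooling: it confirms that the address you are about to add in Tiger Console is a non-public address inside the subnets chosen for the endpoint, then probes it over TCP from inside the VPC. The subnet CIDRs, the IP address and the port are constructed placeholders; take the port from your own connection details.

```python
import ipaddress
import socket


def validate_endpoint_ip(ip_text, subnet_cidrs):
    """Return a list of problems with the IP about to be added in Tiger Console."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return [f"{ip_text!r} is not an IP address"]
    problems = []
    if ip.version != 4:
        problems.append("expected the primary private IPv4 address")
    if ip.is_global:
        problems.append(f"{ip} is publicly routable, not a private endpoint address")
    nets = [ipaddress.ip_network(c, strict=False) for c in subnet_cidrs]
    home = [n for n in nets if n.version == ip.version and ip in n]
    if not home:
        problems.append(f"{ip} is outside the endpoint subnets {list(subnet_cidrs)}")
    for net in home:
        # AWS reserves the first four addresses and the last one in every subnet,
        # so an endpoint network interface can never hold them.
        offset = int(ip) - int(net.network_address)
        if offset < 4 or ip == net.broadcast_address:
            problems.append(f"{ip} is an AWS-reserved address in {net}")
    return problems


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample values: replace with your subnets, the IP copied from
    # EC2 > Network interfaces, and the port from your connection details.
    SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]
    ENDPOINT_IP = "10.0.1.37"
    PORT = 5432  # placeholder, not a value from this page
    issues = validate_endpoint_ip(ENDPOINT_IP, SUBNETS)
    for issue in issues:
        print("PROBLEM:", issue)
    if not issues:
        print("reachable" if tcp_reachable(ENDPOINT_IP, PORT) else "no TCP path")
```

A failed probe on a valid address usually points at the endpoint's security group or the instance's own egress rules rather than at the endpoint itself.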

## Manage connections

- To detach a service from a private endpoint connection, go to `Security` > `Private Endpoints`, expand the arrow in the `Services` column, and click the trash icon next to the service connection string.
- To edit or remove an endpoint connection, go to `Security` > `Private Endpoints` and click the three dots next to the connection in the list. Select `Edit` or `Disconnect`, respectively. You need to detach all services from a private endpoint connection before deleting it.
- To remove an authorization, click `Manage Authorizations` > trash bin icon. You need to disconnect all relevant endpoint connections before removing an authorization.
