Manage private connectivity endpoints: AWS

This topic provides information on how to manage private connectivity endpoints for use with outbound private connectivity to AWS.

Provision private connectivity endpoints

You can use the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function to create a private connectivity endpoint to an AWS service or resource by specifying its provider service name and host name. You need to use the ACCOUNTADMIN role when using this system function.

The SYSTEM$PROVISION_PRIVATELINK_ENDPOINT function takes a provider service name and a host name as its arguments. You can obtain both values from the aws ec2 describe-vpc-endpoint-services subcommand of the AWS CLI. As described in the AWS documentation, this subcommand returns a JSON document in which each service entry carries a ServiceName field and a PrivateDnsName field. Use the following table to map that output to the function's arguments:

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT argument    describe-vpc-endpoint-services output
provider_service_name                             ServiceName
host_name                                         PrivateDnsName

Any of the PrivateDnsName values returned for the service can be used as the host name, including the wildcard names (for example, *.s3.us-west-2.amazonaws.com).

For example, to create a PrivateLink endpoint for outbound access to Amazon S3 in us-west-2, execute the following SQL statement:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'com.amazonaws.us-west-2.s3',
  '*.s3.us-west-2.amazonaws.com'
);

After you create an endpoint, it is not usable immediately. Before you rely on it, check its status with SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO.
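The lookup, mapping and status check above, carried through as an added example (this is not code from the Snowflake page). It reads a constructed sample of describe-vpc-endpoint-services output, picks the Interface flavour of the requested service while refusing a service that is not owned by the expected party or that needs acceptance, builds the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT statement, and matches the new endpoint in the JSON that SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO returns. The AWS field names (ServiceDetails, ServiceName, ServiceType, Owner, AcceptanceRequired, PrivateDnsName) are the ones the AWS CLI documents for this subcommand; the Snowflake status JSON is assumed to be a list of entries carrying provider_service_name and host_name, and the endpoint_state field in the sample is an assumed placeholder for whatever the function's Returns section documents.

```python
"""Added example, not code from the Snowflake page: derive the arguments for
SYSTEM$PROVISION_PRIVATELINK_ENDPOINT from `aws ec2 describe-vpc-endpoint-services`
output and locate the endpoint in SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO output.

Assumptions: AWS field names are those documented for the subcommand; the
Snowflake status JSON is assumed to be a list of objects with
provider_service_name and host_name; "endpoint_state" is an assumed field name.
"""
import json
import re

# Constructed sample of `aws ec2 describe-vpc-endpoint-services
# --service-names com.amazonaws.us-west-2.s3`, trimmed to the fields read below.
# S3 appears twice: the Gateway flavour (no private DNS name, not PrivateLink)
# and the Interface flavour that Snowflake needs. The third entry is a
# hypothetical third-party service with an S3 look-alike DNS name.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "ServiceDetails": [
        {"ServiceName": "com.amazonaws.us-west-2.s3",
         "ServiceType": [{"ServiceType": "Gateway"}],
         "Owner": "amazon", "AcceptanceRequired": False,
         "PrivateDnsName": None},
        {"ServiceName": "com.amazonaws.us-west-2.s3",
         "ServiceType": [{"ServiceType": "Interface"}],
         "Owner": "amazon", "AcceptanceRequired": False,
         "PrivateDnsName": "*.s3.us-west-2.amazonaws.com"},
        {"ServiceName": "com.amazonaws.vpce.us-west-2.vpce-svc-0123456789abcdef0",
         "ServiceType": [{"ServiceType": "Interface"}],
         "Owner": "111122223333", "AcceptanceRequired": True,
         "PrivateDnsName": "s3.us-west-2.amazonaws.com.example.net"},
    ]
})

# Constructed sample of the status JSON; only provider_service_name and
# host_name come from the page, endpoint_state is an assumed field name.
SAMPLE_ENDPOINTS_INFO = json.dumps([
    {"provider_service_name": "com.amazonaws.us-west-2.s3",
     "host_name": "*.s3.us-west-2.amazonaws.com",
     "endpoint_state": "PENDING"},
])

_SERVICE_RE = re.compile(r"[a-z0-9.-]+")
_HOST_RE = re.compile(r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def select_privatelink_args(describe_output, service_name, expected_owner="amazon"):
    """Return (provider_service_name, host_name) for the Interface flavour of
    service_name. Refuses a service not owned by expected_owner (pass the
    12-digit account ID for a partner service), one that needs the owner's
    acceptance, or one that exposes no private DNS name."""
    for svc in json.loads(describe_output)["ServiceDetails"]:
        if svc["ServiceName"] != service_name:
            continue
        if "Interface" not in {t["ServiceType"] for t in svc.get("ServiceType", [])}:
            continue  # Gateway endpoints are not PrivateLink; keep looking
        owner = svc.get("Owner")
        if owner != expected_owner:
            raise ValueError(f"{service_name} is owned by {owner!r}, expected {expected_owner!r}")
        if svc.get("AcceptanceRequired"):
            raise ValueError(f"{service_name} requires acceptance by the service owner")
        host_name = svc.get("PrivateDnsName")
        if not host_name:
            raise ValueError(f"{service_name} has no private DNS name for Snowflake to resolve")
        return svc["ServiceName"], host_name
    raise LookupError(f"no Interface service named {service_name}")


def provision_statement(provider_service_name, host_name):
    """Build the SQL statement from the page. Both values came from an API
    response, so they are checked against the shapes AWS uses before being
    embedded as literals (with the Snowflake connector, bind them instead)."""
    if not _SERVICE_RE.fullmatch(provider_service_name):
        raise ValueError(f"unexpected service name {provider_service_name!r}")
    if not _HOST_RE.fullmatch(host_name):
        raise ValueError(f"unexpected host name {host_name!r}")
    return (
        "SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(\n"
        f"  '{provider_service_name}',\n"
        f"  '{host_name}'\n"
        ");"
    )


def find_endpoint(endpoints_info, provider_service_name):
    """Return the entry for provider_service_name from the status JSON, or None
    if Snowflake does not list it yet. The caller inspects the state field
    named under Returns before routing traffic through the endpoint."""
    for entry in json.loads(endpoints_info):
        if entry.get("provider_service_name") == provider_service_name:
            return entry
    return None


if __name__ == "__main__":
    svc, host = select_privatelink_args(SAMPLE_DESCRIBE_OUTPUT, "com.amazonaws.us-west-2.s3")
    print(provision_statement(svc, host))
    print(find_endpoint(SAMPLE_ENDPOINTS_INFO, svc))
```

The owner and acceptance checks are the point of the example: a service name obtained from a third-party API response is the only thing standing between your account and a PrivateLink to whatever service that name resolves to, so verify who owns it before an ACCOUNTADMIN runs the statement. To poll for readiness, call SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO in a loop and pass its result to find_endpoint until the documented state field shows the endpoint is usable.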

Remove a private connectivity endpoint to services

You can use the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function to remove a private connectivity endpoint by specifying its provider service name.

A removed endpoint is not deleted immediately: it is placed on a deletion queue and deleted after 7 days. While it is on the queue, it can be restored with SYSTEM$RESTORE_PRIVATELINK_ENDPOINT.

You need to use the ACCOUNTADMIN role when using this system function.

For example, to remove the PrivateLink endpoint for Amazon S3 in us-west-2, execute the following SQL statement:

SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT('com.amazonaws.us-west-2.s3');

Restore a private connectivity endpoint to services

You can use the SYSTEM$RESTORE_PRIVATELINK_ENDPOINT system function to restore a removed private connectivity endpoint that is still on the deletion queue by specifying its provider service name. If the endpoint is no longer on the deletion queue (for example, because the 7 days have elapsed), it cannot be restored and must be provisioned again.

You need to use the ACCOUNTADMIN role when using this system function.

For example, to restore the PrivateLink endpoint for Amazon S3 in us-west-2, execute the following SQL statement:

SELECT SYSTEM$RESTORE_PRIVATELINK_ENDPOINT('com.amazonaws.us-west-2.s3');

List all private connectivity endpoints to services

You can use the SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO system function to list all private connectivity endpoints in your account, together with information about each endpoint, including its current status.

You need to use the ACCOUNTADMIN role when using this system function.

For example, to list all AWS PrivateLink endpoints with AWS services, execute the following SQL statement:

SELECT SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO();

For a description of the fields of the JSON object returned by the function, see Returns.

Note

You can also query the OUTBOUND_PRIVATELINK_ENDPOINTS view in the ACCOUNT_USAGE schema to list the private endpoints in your account. Like other ACCOUNT_USAGE views, it is populated with some latency, so use the system function when you need the current state of an endpoint.