Private Endpoint Security is Here: Another Step Forward for Astra DB Security

Adoption of DataStax Astra DB is accelerating, users love the speed and ease in spinning up Cassandra clusters in minutes rather than weeks. Coupled with autoscaling and consumption-based pricing, Astra DB is a clear choice for enterprises that need high availability and infinite scalability. To help support our security conscious users on this journey, we’re excited to announce the general availability of private endpoint on AWS, GCP and Azure.

Private endpoint enables enterprises to safely and easily connect applications or microservices in their virtual private cloud (VPC) to Astra DB. Cloud network configuration can be complex, especially with multi-cloud deployments or when connecting services from multiple SaaS vendors. By providing the ability to define private endpoints with private communications from your cloud infrastructure provider, Astra DB helps meet the security and governance requirements of enterprises.

What are the benefits of private endpoint?

One of the threat vectors associated with connecting services to the cloud is that traffic is exposed to the public internet, even if you’re connecting services within the same cloud provider. With private endpoint, all traffic remains within the cloud provider’s private network backbone and the VPC need not have an internet gateway. By removing access to an internet gateway, the VPC is insulated from threat vectors lurking in the public internet and is protected from any resources accidentally being launched in the VPC.

Our users are incredibly resourceful and many have used VPC peering as a workaround to connect virtual private clouds without transiting over the public internet. However, this is laborious and complicated. Everytime VPC peering is configured, users have to remove conflicting IP addresses or overlapping Classless Inter-Domain Routing (CIDR) blocks from the networks being connected. This complexity increases as more and more VPCs are peered. 

Additionally, when using peered networks, all the services in the VPC are exposed, which may not be the intended approach. Users can associate private endpoint with security groups that can be used to enforce governance on network traffic through security group rules. Private endpoint is scalable and an order of magnitude easier to configure than VPC peering.

One common use case for private endpoint is connecting Astra DB to your cloud provider-hosted resources such as your applications or microservices. You can also use private endpoint to connect Astra DB to third-party vendors that host services such as data analytics, etc. Business units within an enterprise may host their applications on separate virtual private clouds, and private endpoint can connect Astra DB to these applications.

How do I get started?

Private endpoint supports AWS PrivateLink, Google Private Service Connect, Azure Private Link and is configured using the Astra DB DevOps API. As with all peering connections, the service needs to be enabled in Astra DB and in the user’s VPC. The Astra DB private endpoint appears in the user's VPC, enabling direct connectivity to the database via private IP addresses. Users can then accept the private endpoint and choose which of their VPCs have access to Astra DB. This effectively allows Astra DB to function like a service that is hosted directly on the user’s private network.

Unlike traditional VPC peering, connectivity works out of the box, without any additional configurations on routing tables and security groups. We also intend to allow users to configure private endpoint through the Astra UI or console shortly. Private endpoint allows security conscious users to connect to Astra DB; a managed service built on Apache Cassandra ™ easily and safely.

Ready to configure your private endpoint? See our documentation to get started. 

If you’re not using Astra DB, get started without a credit card by registering for an account at https://astra.datastax.com/register and use your Google or GitHub account to sign in (you can also sign up using your email address). Sign up and receive US $300 worth of free usage to create a proof of concept or deploy into production from the same environment.