# Connectivity via AWS PrivateLink using an AWS Hybrid Maia runner

export const m_runner = "Maia runner";

export const maia = "Maia";

export const RunnerMetadata = ({runnerType, platforms = []}) => {
  return <div style={{
    background: 'var(--colors-background-light, #f9fafb)',
    border: '1px solid var(--colors-border-default, #e5e7eb)',
    borderRadius: '12px',
    padding: '20px 28px',
    marginBottom: '28px'
  }}>
      <table style={{
    width: '100%',
    borderCollapse: 'collapse'
  }}>
        <tbody>
          <tr>
            <td style={{
    fontWeight: '600',
    paddingRight: '32px',
    paddingBottom: '14px',
    whiteSpace: 'nowrap',
    verticalAlign: 'middle',
    width: '180px'
  }}>Runner type</td>
            <td style={{
    paddingBottom: '14px',
    verticalAlign: 'middle'
  }}>{runnerType}</td>
          </tr>
          <tr>
            <td style={{
    fontWeight: '600',
    paddingRight: '32px',
    whiteSpace: 'nowrap',
    verticalAlign: 'middle'
  }}>Runner platform</td>
            <td style={{
    verticalAlign: 'middle'
  }}>
              <div style={{
    display: 'flex',
    flexWrap: 'wrap',
    gap: '8px'
  }}>
                {platforms.map((platform, i) => <span key={i} style={{
    background: '#dcfce7',
    color: '#15803d',
    border: '1px solid #bbf7d0',
    borderRadius: '9999px',
    padding: '3px 12px',
    fontSize: '0.85rem',
    fontWeight: '500',
    whiteSpace: 'nowrap'
  }}>
                    {platform} ✅
                  </span>)}
              </div>
            </td>
          </tr>
        </tbody>
      </table>
    </div>;
};

<RunnerMetadata runnerType={`${maia} Hybrid`} platforms={["AWS"]} />

<Note>
  This feature is available to customers on specific editions. Visit the {maia} [Pricing](https://www.maia.ai/pricing) page to learn more about each edition.
</Note>

AWS PrivateLink is an AWS service that lets you reach services such as {maia} from your own AWS virtual private cloud (VPC) over a private connection that stays on the AWS network. Traffic between the two VPCs is never exposed to the public Internet, and your VPC needs no Internet gateway or NAT route to reach the service. For further details, read [What is AWS PrivateLink?](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html).

***

## Prerequisites

This article assumes you are using {maia} in a [Hybrid SaaS configuration](/docs/guides/runner-overview#matillion-hybrid-saas) with a {m_runner} running in your own AWS account.

If you are using {maia} in a [Full-SaaS configuration](/docs/guides/runner-overview#matillion-full-saas), read [Connectivity via AWS PrivateLink](/docs/guides/aws-privatelink) instead.

<Note>
  Use of AWS PrivateLink will incur a cost with AWS. For details, read [AWS PrivateLink pricing](https://aws.amazon.com/privatelink/pricing/).
</Note>

***

## Enabling PrivateLink

If you require PrivateLink to be enabled in {maia}, raise a [support ticket](https://support.matillion.com/s/) with Matillion, providing the following information:

* Whether you require Full SaaS or Hybrid SaaS PrivateLink.
* The VPC endpoint service name (VPCe), for example `com.amazonaws.vpce.<region_id>.vpce-svc-xxxxxxxxxxxxxxxxx`.
* Your {maia} account number. To find this, log in to {maia} and click the **Profile & Account** icon in the bottom-left of the screen. Your account number is the 8-digit number listed next to **ID**.

***

## Cross-region support

AWS PrivateLink can provide connectivity to the {maia} region from a {m_runner} in a different AWS region. To do this, you need to:

1. Configure a VPC in the region in which the {maia} endpoint service resides, and create the interface endpoint in that VPC.
2. Create an inter-region VPC peering connection between that PrivateLink-connected VPC and the remote VPC in which your {m_runner} runs, with routes in both directions.
3. Associate the Route 53 private hosted zone described below with the remote VPC as well, so that the {maia} hostnames resolve to the endpoint from the runner's VPC rather than to public addresses.

For further details, read [What is VPC peering?](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)

{maia} will reside in one of the following regions:

* eu-west-1 (eu1)
* us-east-1 (us1)

***

## Set up AWS PrivateLink

### Apply a security group

You will need to apply a security group to the interface endpoint to control which sources can reach its Elastic Network Interfaces (ENIs), and therefore the target application. Restrict the inbound rules to the {m_runner}'s own security group (or its subnets) on the ports the runner uses, rather than opening the endpoint to the whole VPC or to `0.0.0.0/0`: the endpoint's security group is the only control on who inside your account can send traffic to {maia} over the private connection.

### Create the VPC endpoint

<Note>
  Before creating the AWS PrivateLink endpoint, you must have created the VPC and subnets you wish to use.
</Note>

1. Log in to the [AWS Console](https://aws.amazon.com/console/).

2. Type `VPC` in the search bar, and click **VPC** (it should be the top search result).

3. Under **PrivateLink and Lattice** in the left-hand menu, click **Endpoints**.

4. Click **Create endpoint**.

5. On the **Create endpoint** screen, select **Endpoint services that use NLBs and GWLBs**.

6. For **Service name**, enter the appropriate name for your {maia} region, as follows:

   | Region    | Service name                                              |
   | --------- | --------------------------------------------------------- |
   | eu-west-1 | `com.amazonaws.vpce.eu-west-1.vpce-svc-05d76c667b72daf2d` |
   | us-east-1 | `com.amazonaws.vpce.us-east-1.vpce-svc-0e24b7e2cd2b24e3f` |

7. Click **Verify service** and ensure you see a "Service name verified" response.

8. From the **VPC** drop-down, select the VPC in which your {m_runner} is located.

9. In the list of **Subnets**, select the VPC subnets that your {m_runner} uses.

10. Click **Create endpoint**.

11. Wait until the endpoint **Status** shows **Available**, then copy the **DNS names** listed under the details of the new endpoint. These will be needed to configure Route 53, as described below.

### Configure DNS requirements

Create a private hosted zone in [Amazon Route 53](https://docs.aws.amazon.com/route53/), associate it with the VPC in which your {m_runner} runs, and create alias records that point at your VPC endpoint. Use the DNS names that you noted when creating the endpoint, above. Scope the zone to the `privatelink.matillion.com` subdomain for your region so that it does not shadow other Matillion hostnames, such as the Keycloak endpoint described below, which must keep resolving publicly.

Read [Routing traffic to an Amazon Virtual Private Cloud interface endpoint by using your domain name](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-vpc-interface-endpoint.html) for more details.

The DNS entries used by {maia} are:

* For region eu-west-1:
  * `opentelemetry.eu1.privatelink.matillion.com`
  * `api.agent-gateway.eu1.privatelink.matillion.com`
* For region us-east-1:
  * `opentelemetry.us1.privatelink.matillion.com`
  * `api.agent-gateway.us1.privatelink.matillion.com`
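The security group, interface endpoint and Route 53 records above, expressed as Terraform for the eu-west-1 region. This is an added example and is not Matillion's own code or the configuration the console produces. It assumes the Terraform AWS provider 5.x, that the runner's VPC ID, subnet IDs and security group ID are supplied as variables, and that the runner talks to the endpoint over HTTPS on TCP 443 (the page does not state a port, so treat that rule as an assumption to confirm). The service name and hostnames are the eu-west-1 values listed on this page; for us-east-1 substitute the us-east-1 service name and the `us1` zone name.

```hcl
# Added example, not Matillion's code. Assumed inputs: the runner's VPC, the
# subnets the runner uses, and the runner's security group ID.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

provider "aws" {
  region = "eu-west-1"
}

variable "vpc_id"                   { type = string }
variable "runner_subnet_ids"        { type = list(string) }
variable "runner_security_group_id" { type = string }

locals {
  # eu-west-1 values from this page; swap for the us-east-1 ones if needed.
  service_name = "com.amazonaws.vpce.eu-west-1.vpce-svc-05d76c667b72daf2d"
  zone_name    = "eu1.privatelink.matillion.com"
  hostnames    = ["opentelemetry", "api.agent-gateway"]
}

# Security group attached to the endpoint ENIs. Ingress is allowed only from
# the runner's security group, not from the VPC CIDR or 0.0.0.0/0.
resource "aws_security_group" "privatelink_endpoint" {
  name        = "maia-privatelink-endpoint"
  description = "Ingress to the Maia PrivateLink endpoint from the Maia runner only"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "from_runner" {
  security_group_id            = aws_security_group.privatelink_endpoint.id
  referenced_security_group_id = var.runner_security_group_id
  ip_protocol                  = "tcp"
  from_port                    = 443 # assumed: HTTPS, not stated on the page
  to_port                      = 443
}

# Interface endpoint to the Maia endpoint service, in the runner's subnets.
resource "aws_vpc_endpoint" "maia" {
  vpc_id              = var.vpc_id
  service_name        = local.service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.runner_subnet_ids
  security_group_ids  = [aws_security_group.privatelink_endpoint.id]
  private_dns_enabled = false # name resolution is done by the zone below
}

# Private hosted zone scoped to the regional privatelink subdomain, so it does
# not shadow keycloak.core.matillion.com, which must keep resolving publicly.
resource "aws_route53_zone" "privatelink" {
  name = local.zone_name
  vpc {
    vpc_id = var.vpc_id
  }
}

# One alias record per Maia hostname, pointing at the endpoint's regional
# DNS name (dns_entry[0] is the regional entry; the rest are per-AZ).
resource "aws_route53_record" "maia" {
  for_each = toset(local.hostnames)
  zone_id  = aws_route53_zone.privatelink.zone_id
  name     = "${each.key}.${local.zone_name}"
  type     = "A"
  alias {
    name                   = aws_vpc_endpoint.maia.dns_entry[0].dns_name
    zone_id                = aws_vpc_endpoint.maia.dns_entry[0].hosted_zone_id
    evaluate_target_health = false
  }
}

output "endpoint_dns_names" {
  value = aws_vpc_endpoint.maia.dns_entry[*].dns_name
}
```

After applying, check the result from a host in one of the runner's subnets: `dig +short api.agent-gateway.eu1.privatelink.matillion.com` should return addresses inside your VPC's CIDR (the endpoint ENIs). An answer outside your VPC, or no answer, means the private hosted zone is not associated with that VPC or the alias record is wrong, and the runner's traffic would not be using PrivateLink. For the cross-region layout described above, add an `aws_route53_zone_association` for the remote VPC so the same names resolve there.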

### Authentication

Authentication is handled by Keycloak at [https://keycloak.core.matillion.com](https://keycloak.core.matillion.com/), where the {m_runner} obtains a token before it connects to the {maia} services over AWS PrivateLink. This is the only connection that still goes over the public Internet, so the runner's subnets must retain outbound HTTPS access to `keycloak.core.matillion.com` (via a NAT gateway, proxy or egress allow list); everything else can be kept private.

***

## Configure the Maia runner

To make a {m_runner} use AWS PrivateLink, add the environment variable `MATILLION_PRIVATELINK_ENABLED` with the value `TRUE` to its ECS task definition. This requires you to create a new task definition revision and redeploy the {m_runner} service, which restarts the runner. Ensure that no pipelines are actively using the {m_runner} before you begin this process, and that the DNS records above already resolve from the runner's subnets, since the runner will try to reach the private hostnames as soon as it restarts.

1. Log in to your [AWS console](https://aws.amazon.com/).

2. In the AWS console, type `Elastic Container Service` in the search bar, and select that service.

3. In the left-hand menu, click **Task definitions**.

4. Select the task definition for your {m_runner} and click **Create new revision**.

5. On the **Create new task definition revision** screen, under **Environment variables**, add the following:

   | Key                             | Value type | Value  |
   | ------------------------------- | ---------- | ------ |
   | MATILLION\_PRIVATELINK\_ENABLED | Value      | `TRUE` |

6. Click **Create**.

7. Open the ECS service that runs your {m_runner} and click **Update service**.

8. Select the latest task definition and click **Update**.
