Starburst Documentation
Starburst Galaxy
  •  Get started
  •  Working with data
  •  Data engineering
  •  Developer tools
  •  Cluster administration
  •  Security and compliance
  •  Troubleshooting
  • Galaxy status
  •  Reference

    • starburst galaxy > security and compliance > manage cluster connectivity > private connections > Connect clients to AWS PrivateLink

    Connect clients to AWS PrivateLink #

    Starburst Galaxy supports connecting clients and tools to Galaxy clusters through AWS PrivateLink. To configure AWS PrivateLink, you must work with a Starburst technical resource. The following sections provide guidance for connecting clients and tools to clusters with AWS PrivateLink.

    Configuration #

    To configure an AWS PrivateLink connection from your client or tool to your Starburst Galaxy cluster, you must complete the following steps:

    Provide Starburst with your AWS account ID #

    To configure an AWS PrivateLink connection, you must provide your Starburst technical resource with your AWS account ID. Your technical resource uses this ID to grant you access to the Starburst Galaxy endpoint service.

    For assistance with locating your AWS account ID, see the AWS account management documentation.

    Configure the Starburst Galaxy service endpoint #

    Before you begin, you must obtain the service name for the Starburst Galaxy service endpoint from your Starburst technical resource.

    Create an endpoint in the AWS console #

    Use the following steps to create a service endpoint in the AWS console:

    1. Go to the AWS VPC Console.
    2. In the navigation menu, select Endpoints.
    3. Click Create endpoint.
    4. In the Name tag field, provide a name for the endpoint.
    5. In the Service catalog section, choose Other endpoint services.
    6. In the Service name field, paste the service name for the Starburst Galaxy service endpoint.
    7. Click Verify service. Ensure that you receive a Service name verified message.
    8. From the VPC drop-down menu, select the VPC that contains the client or tool you wish to connect to your Galaxy cluster.
    9. In the Subnets list, select the checkbox next to each Availability Zone.
    10. In the Subnet ID column of the Subnets list, select the subnet you wish to use for each Availability Zone.
    11. In the Security groups list, select the security group you wish to use for the endpoint. Ensure that you allow HTTPS (port 443) on the security group.
    12. Click Create endpoint.

    Contact your Starburst Galaxy technical resource #

    Next, your Starburst technical resource must accept your endpoint connection to the Galaxy endpoint service.

    1. Let your Starburst technical resource know that you have created the endpoint.
    2. Monitor the Details tab for your endpoint. Wait for the status to change from Pending acceptance to Available.
    3. In the DNS names section of the Details tab, copy the first item on the list. Save the value in a text editor for a later configuration step.
    4. In the Subnets tab, save all the IP addresses in the list.
    1. From the Starburst Galaxy navigation menu, select Admin > Clusters.
    2. Click Create cluster.
    3. Provide a meaningful Cluster name.
    4. From the Catalogs drop-down menu, select the catalogs you wish to attach to your cluster.
    5. From the Cluster size drop-down menu, select a cluster size other than Free.
    6. Expand Advanced settings. Enable the Cluster accessible only via PrivateLink selector.
    7. Select the rest of your desired settings.
    8. Click Create cluster.
    9. In the cluster list, click the Connection info button for the cluster.
    10. Save the Host value for a later configuration step.

    Configure Route 53 #

    To configure Route 53 for your Starburst Galaxy PrivateLink cluster, you must create the following:

    Create a Route 53 private hosted zone #

    1. Go to the AWS Route 53 dashboard.
    2. In the navigation menu, select Hosted zones.
    3. Click Create hosted zone.
    4. In the Domain name field, enter your Starburst Galaxy account domain. If you are using your Galaxy production domain, enter galaxy.starburst.io.
    5. In the Type section, select Private hosted zone.
    6. In the VPCs to associate with the hosted zone section, select the Region and VPC ID for your endpoint from the drop-down menus.
    7. Click Create hosted zone.

    Create a DNS alias wildcard record #

    1. Select your newly created hosted zone.
    2. Click Create record.
    3. In the Record name field, enter * to create a wildcard record.
    4. Enable the Alias selector.
    5. In the Route traffic to section:
      • In the first field, select Alias to VPC endpoint from the drop-down menu.
      • In the second field, select the region of your service endpoint.
      • In the third field, enter the DNS name of your service endpoint. For assistance locating your DNS name, refer to the service endpoint section of this page.
    6. Click Create record.

    Test your connection #

    To test the connection from your client or tool to your Starburst Galaxy PrivateLink cluster, you must do the following:

    Run a DNS lookup test #

    Use your PrivateLink cluster’s Host name to run a DNS lookup test. For assistance with locating your host name, refer to the PrivateLink cluster section of this page.

    Go to the host where your client or host is installed and run a DNS test.

    • If your host is running Windows, use the nslookup command.
    • If your host is running MacOS or Linux, use the dig command.

    Verify the results of your DNS test by confirming that the command output matches your endpoint’s IP addresses.

    Connect your client tool to the DNS name #

    The Trino CLI provides an easy way to test a client’s connection to your DNS name.

    To complete the following steps, you must download the latest version of the Trino CLI from the Starburst software downloads webpage.

    1. To connect the Trino CLI to your PrivateLink cluster, run one of the following commands depending on your operating system:
      • Windows 
         java -jar trino --server https://<Your-PrivateLink-Cluster-URL> --user <Your-Galaxy-Login>/accountadmin --password --debug
      • Mac or Linux 
         ./trino --server https://<Your-PrivateLink-Cluster-URL> --user <Your-Galaxy-Login>/accountadmin --password --debug
    2. When prompted, enter your password.
    3. Run the following SQL statement to view all the catalogs connected to your cluster: 
       SHOW CATALOGS;
    4. Ensure that the list of catalogs is correct.
    5. You are now ready to use AWS PrivateLink to connect your clients and tools to Starburst Galaxy.