AWS PrivateLink

You can use AWS PrivateLink to connect your AWS-hosted services to Shaped without exposing traffic to the public internet. This is particularly useful when your database is hosted in a private subnet or when you need to maintain strict network isolation.

To get started, you'll need the following information from Shaped:

  • Shaped's AWS account ID (to allow-list as a principal on your endpoint service)

Reach out to our team to get our account ID and get started.

AWS Console

  1. Put a Network Load Balancer in front of your database (target group pointing at your DB host/IP and port).
  2. Navigate to VPC -> Endpoint Services -> Create endpoint service
  3. Configure the service:
    • Load balancer type: Network
    • Available load balancers: Select the NLB from step 1
    • Supported regions: your DB's region (e.g. us-east-2)
  4. Click "Create service"
  5. Note the Service name (format: com.amazonaws.vpce.region.vpce-svc-xxxxxxxxx)
  6. On the endpoint service, add Shaped's AWS account ID to the Allowed principals (use the ARN form: arn:aws:iam::<shaped-account-id>:root).
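
Steps 2-6 above expressed as AWS CLI calls, followed by a check that the allow-list contains exactly the expected principal and nothing else (for example a leftover "*"). This is an added example, not Shaped's own tooling; the function names and the three arguments (region, NLB ARN, Shaped account ID) are assumptions, and the NLB from step 1 must already exist.

```shell
#!/bin/sh
# Added example (not Shaped's code): CLI equivalent of console steps 2-6.
# Assumes AWS CLI credentials for your own account and an existing NLB.

# Build the ARN form used in step 6; reject anything but a 12-digit account ID.
principal_arn() {
  case "$1" in
    *[!0-9]*|"") echo "account ID must be 12 digits" >&2; return 1 ;;
  esac
  [ "${#1}" -eq 12 ] || { echo "account ID must be 12 digits" >&2; return 1; }
  printf 'arn:aws:iam::%s:root\n' "$1"
}

# Fail unless the allow-list holds exactly the expected principal
# (catches a wildcard "*" or an extra account on the service).
verify_allowed_principals() {  # args: region service-id expected-arn
  got=$(aws ec2 describe-vpc-endpoint-service-permissions --region "$1" \
        --service-id "$2" --query 'AllowedPrincipals[].Principal' \
        --output text) || return 1
  [ "$got" = "$3" ] || { echo "unexpected principals: $got" >&2; return 1; }
}

# Create the service, allow-list Shaped, verify, print the service name.
create_endpoint_service() {  # args: region nlb-arn shaped-account-id
  arn=$(principal_arn "$3") || return 1
  svc=$(aws ec2 create-vpc-endpoint-service-configuration --region "$1" \
        --network-load-balancer-arns "$2" \
        --query 'ServiceConfiguration.ServiceId' --output text) || return 1
  aws ec2 modify-vpc-endpoint-service-permissions --region "$1" \
      --service-id "$svc" --add-allowed-principals "$arn" >/dev/null || return 1
  verify_allowed_principals "$1" "$svc" "$arn" || return 1
  aws ec2 describe-vpc-endpoint-service-configurations --region "$1" \
      --service-ids "$svc" \
      --query 'ServiceConfigurations[0].ServiceName' --output text
}

# Run only when called with all three arguments.
if [ "$#" -eq 3 ]; then create_endpoint_service "$1" "$2" "$3"; fi
```

The printed service name is the value to share with Shaped; `verify_allowed_principals` can also be re-run on its own later to confirm the allow-list has not drifted.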

Security Configuration

Update your database security group to allow inbound traffic on the DB port from the NLB — either from the NLB's subnet CIDRs (in your own VPC) or from a security group attached to the NLB's targets.

Information to Share with Shaped

Once your setup is complete, provide Shaped with:

  1. VPC Endpoint Service Name: com.amazonaws.vpce.region.vpce-svc-xxxxxxxxx
  2. Region: Where your service is hosted
  3. Database Port: (5432 for PostgreSQL, 3306 for MySQL, 5439 for Redshift, etc.)
  4. Database Connection Details:
    • Database name
    • Username/password (or preferred authentication method)