Enable secure connectivity
This guide explains how to enable secure connectivity (AWS PrivateLink) for an AWS-hosted Camunda 8 SaaS Orchestration Cluster.
Secure connectivity must be enabled per cluster.
For a conceptual overview, see secure connectivity (AWS PrivateLink).
Prerequisites
Before enabling secure connectivity:
- The cluster must be hosted in AWS.
- The cluster must be version 8.8.0+.
- You must have sufficient permissions to manage clusters in Console.
- You must know the AWS account IDs or ARNs that should be allowed to connect.
- Your organization must be on an Enterprise plan.
On the AWS side, you must have:
- An existing AWS VPC.
- Permission to create VPC interface endpoints.
- Appropriate security group configuration.
For instructions on creating a VPC interface endpoint, see the AWS documentation on configuring an interface VPC endpoint.
Enable secure connectivity for a cluster
- Navigate to Console > Clusters.
- Select the cluster.
- Open the Private networking tab. The Private networking tab is available only for clusters hosted in AWS. It is not displayed for clusters hosted in other cloud providers.
- Select Activate PrivateLink endpoint service.
Allowed principals
- In Principal ARN, enter the ARN of an AWS principal that should be allowed to connect. For supported principal types, see the AWS documentation on configuring endpoint service permissions.
- Select Add principal.
- Repeat for additional principals as needed.
- Select Next.
Validation requirements for principal ARNs are described in validation and activation requirements.
Supported regions
The AWS region where the Orchestration Cluster is located is always supported and is preselected by default.
You can add additional AWS regions to allow cross-region endpoint connections. Cross-region connectivity may increase network latency and incur additional AWS charges.
- Review the cluster's AWS region (preselected).
- Optionally add additional regions to allow cross-region endpoint connections.
- Select Activate service.
After activation, Console provisions a VPC endpoint service for the cluster and displays the connection details.
Validation and activation requirements
When configuring and activating the PrivateLink endpoint service, Console validates the provided values during each step:
- At least one valid AWS principal ARN must be provided.
- Principal ARNs must follow a valid AWS ARN format.
- At least one supported region must be configured.
- The cluster’s AWS region is preselected by default.
You cannot activate the service until all required fields are completed.
Activation behavior
After selecting Activate service, Console provisions the VPC endpoint service for the cluster.
The service status is displayed in the Service details section. Provisioning may take up to 10 minutes.
During provisioning, the endpoint service is not available for new VPC endpoint connections.
View connection details
After activation, the Private networking tab displays the Service details section.
This section shows:
- Status (for example, Ready).
- Service name (VPC endpoint service name).
- Service region.
- Service type (Interface).
- Private DNS name (generated by Camunda for the endpoint service).
- Allowed principals.
- Supported regions.
To connect from AWS, select Create interface VPC endpoint connections in AWS.
Endpoint connections are created in your AWS account. When creating a VPC interface endpoint, use the Service name shown in the Service details section.
For detailed instructions, see the AWS documentation on creating an interface endpoint.
The Endpoint connections section lists VPC interface endpoint connections created in AWS that target this cluster’s VPC endpoint service.
For each connection, Console displays:
- The VPC endpoint identifier.
- The connection status (for example, Pending or Available).
New endpoint connections appear in this section after they are created in AWS.
Manage allowed principals and regions
After activation, you can modify the configuration from the Private networking tab.
In the Service details section:
- Select the edit icon next to Allowed principals to add or remove AWS principal ARNs.
- Select the edit icon next to Supported regions to add or remove regions.
Changes apply only to new VPC endpoint connection attempts; existing connections are not re-evaluated.
Removing a previously allowed principal does not invalidate existing VPC endpoint connections.
Endpoint connection approval
VPC endpoint connections are automatically approved when the AWS principal creating the interface endpoint is included in the Allowed principals list.
You don’t need to manually approve endpoint connections.
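The validation rules above (at least one principal, valid ARN format) and the automatic-approval rule can be expressed as a small check you can run against a planned allow list before activating the service. This is an added example, not Console's own validator or code from the Camunda project: it accepts only IAM account-root, user and role ARNs, and it models the account-root rule as AWS documents it for endpoint service permissions (an allowed account-root ARN covers every principal in that account); all ARNs below are constructed sample values.

```python
import re

# Accepts the IAM principal ARN forms normally used for endpoint service
# permissions: an account root, an IAM user, or an IAM role, in the aws,
# aws-cn or aws-us-gov partitions. Example's own pattern, not Console's.
_PRINCIPAL_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):"
    r"(?P<resource>root|user/[\w+=,.@/-]+|role/[\w+=,.@/-]+)$"
)


def validate_principal_arns(arns):
    """Return (valid, errors): at least one ARN is required and each must be a
    well-formed IAM principal ARN. Duplicates are reported rather than kept."""
    valid, errors = [], []
    if not arns:
        errors.append("at least one principal ARN is required")
    for arn in arns:
        if not _PRINCIPAL_ARN.match(arn):
            errors.append(f"not a valid IAM principal ARN: {arn!r}")
        elif arn in valid:
            errors.append(f"duplicate principal ARN: {arn!r}")
        else:
            valid.append(arn)
    return valid, errors


def is_auto_approved(requester_arn, allowed):
    """True when a connection from requester_arn would be auto-approved:
    the exact ARN is allowed, or the requester's account root is allowed.
    Anything that is not a well-formed principal ARN (e.g. '*') is refused."""
    m = _PRINCIPAL_ARN.match(requester_arn)
    if not m:
        return False
    account_root = f"arn:{m['partition']}:iam::{m['account']}:root"
    return requester_arn in allowed or account_root in allowed


if __name__ == "__main__":
    # Constructed allow list: one whole account plus one role in another account.
    allowed, errs = validate_principal_arns([
        "arn:aws:iam::123456789012:root",
        "arn:aws:iam::210987654321:role/CamundaClient",
        "arn:aws:iam::12345:root",  # malformed on purpose: account id too short
    ])
    print("allowed:", allowed)
    print("errors:", errs)
    for requester in ("arn:aws:iam::123456789012:user/alice",
                      "arn:aws:iam::210987654321:role/Other"):
        print(requester, "->", "auto-approved" if is_auto_approved(requester, allowed) else "not allowed")
```

Run it against your own planned allow list before activation; a principal that shows as "not allowed" here would have to be added under Allowed principals before its VPC endpoint connection is approved.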
Removing supported regions
Removing a supported region does not affect existing VPC endpoint connections that were created using that region.
Existing endpoint connections remain available.
Create a VPC interface endpoint in AWS
After activating the PrivateLink endpoint service in Console:
- Copy the Service name from the Service details section.
- In your AWS account, create a VPC interface endpoint that connects to this service.
- Configure subnets, security groups, and optional private DNS according to your AWS requirements.
AWS-side provisioning must follow the standard AWS PrivateLink process.
For detailed instructions, see the AWS documentation on creating an interface endpoint, which also covers endpoint configuration and validation.
Deactivate secure connectivity
In the Private networking tab, select Deactivate service to remove the VPC endpoint service for the cluster.
Public connectivity remains available.
View-only access
If you do not have permission to manage private networking for a cluster:
- The Activate PrivateLink endpoint service button is not displayed.
- The Deactivate service option is not displayed.
- Edit options for Allowed principals and Supported regions are hidden.
You can still view the Service details and Endpoint connections sections.
Limits
You can create up to 10 VPC endpoint connections per cluster.
For organization-wide limits and adjustments, see secure connectivity (AWS PrivateLink).