Set Up AWS PrivateLink Service with Protegrity

Guide: Teradata VantageCloud Lake - Configure and Manage Your Environment and Organization
Product: Teradata VantageCloud Lake
Deployment: VantageCloud
Edition: Lake
Published: February 2025
Last edited: 2025-10-24

Before installing the Protegrity application in VantageCloud Lake, you must configure the ESA Server with specific parameters on an AWS account using PrivateLink.

As the Protegrity ESA Server administrator, perform the following steps to configure the ESA Server:

  1. Obtain VantageCloud Lake details:
    a. Sign on to the VantageCloud Lake Console as organization administrator.
    b. From the User Defined Functions page, select Third Party Applications.
    c. Under Available Partner Solutions, select Protegrity.
    d. From the Configure Partner Solution page, select the License Agreement check box.
    e. Select the Environment in which you want to install the Protegrity application.
    f. Make a note of the Availability Zone ID of the Lake Environment and the IAM Role that are displayed under your environment selection. You need both values later in this procedure.
  2. Create a Target Group for Data Protectors:
    a. Sign on to your organization's AWS account as administrator. You must also have ESA Server administrator privileges.
    b. From EC2 Dashboard > Load Balancing > Target Groups, select Create Target Group.
    c. Fill out the form with the specified values:
      Target Type: Instances
      Protocol: TCP (required for the mTLS handshake between Data Protectors and the ESA Server)
      Port: 8443
      VPC: VPC where the ESA instance is deployed
    d. From the Register Targets screen, select the ESA or Proxy instance that you want to include in this Target Group.
    e. Select Include as pending below and select Create target group.
      The registered target status transitions to healthy.
  3. Create a Target Group for Log Forwarders:
    a. As administrator of your organization's AWS account, from EC2 Dashboard > Load Balancing > Target Groups, select Create Target Group.
    b. Fill out the form with the specified values:
      Target Type: Instances
      Protocol: TCP (required for the mTLS handshake between Log Forwarders and the ESA Server)
      Port: 9200
      VPC: VPC where the ESA instance is deployed
    c. From the Register Targets screen, select the ESA or Proxy instance that you want to include in this Target Group.
    d. Select Include as pending below and select Create target group.
      The registered target status transitions to healthy.
    For more information, see the Open Listening Ports section in the Protegrity Enterprise Security Administrator Guide 9.1.0.0.
  4. Create a Network Load Balancer:
    a. From the Basic Configuration screen, select Internal as Scheme, and use the default values for IPv4 address and Private IPv4 address.
    b. Fill out the form with the specified values and select Save.
      Network Mappings:
      1. Select the VPC where the ESA instance or Proxy that you want to expose is deployed.
      2. Select Availability Zones and Subnets as Mappings.
        You can select all the availability zones and subnets that you want the load balancer to connect to. You must deploy the ESA Server in the availability zone that has the same Availability Zone ID as your VantageCloud Lake environment, which you noted in step 1.f.
      Listeners and routing:
      1. Select TCP as Protocol.
      2. Select 8443 and 9200 as Ports.
      3. Under Default Action, forward the traffic to the target groups created in the previous steps (the 8443 listener to the Data Protectors target group, the 9200 listener to the Log Forwarders target group).
      Attributes: Select Enable cross-zone load balancing so that the load balancer works in all the Availability Zones.
  5. Create a VPC Endpoint Service:
    a. From the VPC dashboard, select Endpoint Services, then Create Endpoint Service.
    b. Select the Network Load Balancer that you created in the previous step.
    c. Select Create Service and fill out the form with the specified values:
      Endpoint Service Settings: Select Network as Load Balancer Type.
      Available Load Balancers: Select the Network Load Balancer that you created in the previous step.
      Details of selected load balancer: Verify that the Availability Zone ID of your service is the same as that of VantageCloud Lake.
      Additional Settings:
      • Select Acceptance Required.
      • Select IPv4 as Supported IP Address Types.
  6. Allow Principals to use the VPC Endpoint Service:
    a. Select the VPC Endpoint Service created in the previous step.
    b. Select Actions, then Allow Principals.
    c. Enter the Amazon Resource Name (ARN) of the IAM role that you noted in step 1.f.
    d. Select Allow Principals.
      This ensures that only the Data Protectors in your VantageCloud Lake environment can access the ESA Server. Teradata recommends allowing only VantageCloud Lake, to keep your ESA Server secure.
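The same AWS resources that steps 2 through 6 create in the console, expressed as one CloudFormation template. This is an added example, not Teradata's or Protegrity's own configuration; the parameter values (VPC, subnets, ESA instance, IAM role ARN) are assumptions supplied at deploy time, and the resource logical names are hypothetical.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: ESA Server PrivateLink service for VantageCloud Lake (added example)
Parameters:
  VpcId:            # VPC where the ESA instance is deployed (steps 2.c, 3.b, 4.b)
    Type: AWS::EC2::VPC::Id
  SubnetIds:        # subnets to map; one must lie in the AZ ID noted in step 1.f
    Type: List<AWS::EC2::Subnet::Id>
  EsaInstanceId:    # ESA or Proxy instance registered as the target (steps 2.d, 3.c)
    Type: AWS::EC2::Instance::Id
  LakeRoleArn:      # ARN of the IAM role noted in step 1.f (supplied at deploy time)
    Type: String
Resources:
  DataProtectorTG:  # step 2: plain TCP passthrough, so mTLS stays end to end
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties: {TargetType: instance, Protocol: TCP, Port: 8443, VpcId: !Ref VpcId,
                 Targets: [{Id: !Ref EsaInstanceId}]}
  LogForwarderTG:   # step 3: same target, port 9200
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties: {TargetType: instance, Protocol: TCP, Port: 9200, VpcId: !Ref VpcId,
                 Targets: [{Id: !Ref EsaInstanceId}]}
  EsaNlb:           # step 4: internal scheme, IPv4, cross-zone load balancing on
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal
      IpAddressType: ipv4
      Subnets: !Ref SubnetIds
      LoadBalancerAttributes:
        - {Key: load_balancing.cross_zone.enabled, Value: "true"}
  Listener8443:     # step 4: 8443 forwards to the Data Protectors target group
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties: {LoadBalancerArn: !Ref EsaNlb, Protocol: TCP, Port: 8443,
                 DefaultActions: [{Type: forward, TargetGroupArn: !Ref DataProtectorTG}]}
  Listener9200:     # step 4: 9200 forwards to the Log Forwarders target group
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties: {LoadBalancerArn: !Ref EsaNlb, Protocol: TCP, Port: 9200,
                 DefaultActions: [{Type: forward, TargetGroupArn: !Ref LogForwarderTG}]}
  EsaEndpointService:  # step 5: connection requests must be accepted by the owner
    Type: AWS::EC2::VPCEndpointService
    Properties:
      NetworkLoadBalancerArns: [!Ref EsaNlb]
      AcceptanceRequired: true
      SupportedIpAddressTypes: [ipv4]
  AllowLakeRole:    # step 6: only the noted Lake IAM role may request an endpoint
    Type: AWS::EC2::VPCEndpointServicePermissions
    Properties:
      ServiceId: !Ref EsaEndpointService
      AllowedPrincipals: [!Ref LakeRoleArn]
```

After deployment, verify in the console that both target groups report healthy and that the endpoint service lists only the Lake role ARN under Allow principals before proceeding with the Protegrity installation.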