Cloud customer?
Start for Free >
Upgrade in MyJFrog >
What's New in Cloud >






Skip to end of metadata
Go to start of metadata

To help JFrog customers who wish to reduce the security risks associated with exposing their JFrog SaaS instances via the public Internet, JFrog enables you to set up an AWS PrivateLink connection. 

This enables establishing a secure network connection–originating from your own cloud environment (AWS VPC), to your JFrog Cloud (SaaS) instance – without traversing the traffic via public Internet. Instead, the traffic traverses within the AWS backbone.

This option is currently available for Enterprise X and Enterprise+ subscriptions only.

You are about to set up an AWS PrivateLink connection, in which the source is your own AWS Virtual Private Cloud (VPC) and the target is the JFrog PrivateLink.

In this procedure, we will guide you through the steps of setting up the AWS PrivateLink. Once you establish the connection, you will be able to connect from your VPC into your JFrog instance via the AWS backbone (i.e., without going through the public Internet).

Important

When using an AWS PrivateLink connection, remember to disable CDN for the repository you are using for this connection.


The AWS PrivateLink connection can be used seamlessly in conjunction with other AWS network services, such as AWS DirectConnect and AWS Transit Gateway. 

For example, if you wish to connect from your on-premise environment or data center into the JFrog Cloud on AWS, you can use AWS’ DirectConnect to connect from the on-premise environment into your own AWS account (this part does not involve JFrog). Next, you will set up a PrivateLink (utilizing AWS PrivateLink) to connect from your AWS account into your JFrog instance. 

You can also use the AWS Transit Gateway to allow various parts of your network to reach the PrivateLink, and through that to access the JFrog instance.


JFrog Subscription Levels

ENTERPRISE X
ENTERPRISE+
Page Contents

 


The process of setting up an AWS PrivateLink connection is split between AWS and JFrog. These are the high-level steps you will need to complete for this procedure.

Before You Get Started

If you want to use your own custom domain to access your JFrog Platform instance (e.g., jfrog.your-company-domain.com), but have not yet set one up, do so now before beginning the process detailed below. Contact JFrog support to set up this configuration for you.

JFrog CloudAWS Console

Step 1: Create an endpoint in your AWS account
Step 2: Create an AWS PrivateLink in MyJFrog

Step 3: Set up your DNS in AWS
Step 4: Validate the private connection
Step 5 (Optional): Block public access

Step 6 (Recommended): Set up a Gateway VPC Endpoint for Amazon S3

Create an endpoint in your Virtual Private Cloud (VPC) (see the AWS instructions for additional details on creating an interface endpoint to an endpoint service).

  1. In the table below, locate the Service Name values for the region you are setting up. The PrivateLink is set up by JFrog in the supported AWS regions under the following service names:

    AWS Public Regions

    Region

    		Supported Availability Zones

    VPC Service Name

    ap-northeast-1                        

    		apne1-az4 
    apne1-az1
    apne1-az2

    com.amazonaws.vpce.ap-northeast-1.vpce-svc-09dd8eef60e50c7c5

    ap-south-1

    		aps1-az1
    aps1-az3
    aps1-az2

    com.amazonaws.vpce.ap-south-1.vpce-svc-0b0a06d6c8a7cd783

    ap-southeast-1

    		apse1-az1
    apse1-az2
    apse1-az3

    com.amazonaws.vpce.ap-southeast-1.vpce-svc-0babc04adde38218d

    ap-southeast-2

    		apse2-az1
    apse2-az3
    apse2-az2

    com.amazonaws.vpce.ap-southeast-2.vpce-svc-09aebe448ba4abe71

    eu-central-1

    		euc1-az2
    euc1-az3
    euc1-az1

    com.amazonaws.vpce.eu-central-1.vpce-svc-043e028202f4cfc12

    eu-west-1

    		euw1-az1
    euw1-az2
    euw1-az3

    com.amazonaws.vpce.eu-west-1.vpce-svc-0151288edb7967fc4

    us-east-1

    		use1-az1
    use1-az2
    use1-az3
    use1-az4 
    use1-az5
    use1-az6

    com.amazonaws.vpce.us-east-1.vpce-svc-0b245d99885c0eef6

    us-west-1

    		usw1-az1
    usw1-az3

    com.amazonaws.vpce.us-west-1.vpce-svc-01d00c73f8b691baa

    us-west-2

    		usw2-az1
    usw2-az2
    usw2-az3
    usw2-az4

    com.amazonaws.vpce.us-west-2.vpce-svc-08a10cac228921959

    ca-central-1ca-central-1a (cac1-az1)
    ca-central-1b (cac1-az2)
    ca-central-1d (cac1-az4)    		com.amazonaws.vpce.ca-central-1.vpce-svc-04f7ff10e97e8d23f

  2. In the AWS Console, go to Endpoints > Create Endpoint.

  3. Select the option Find service by name.

  4. Enter the service name for your region and click Verify

    Important

    The endpoint you create in AWS must be in the same region as the PrivateLink you create in JFrog.

    AWS verifies the service name you entered.

  5. Scroll down to the VPC dropdown list and select the relevant VPC. 

  6. In the Select security groups list, select a security group that has port 443 open for outbound connections.

  7. Scroll to the bottom of the window and click Create endpoint.
    AWS creates the endpoint and displays the VPC Endpoint with the VPC Endpoint ID.
    The ID will be in the following format:     vpce-1234abc123a123456

  8. Copy the Endpoint ID and click Close.

  1. Log in to MyJFrog.

  2. Click the Security page.
  3. If you have multiple JPDs, select the JPD for which you wish to set up the private connection.

  4. Select the Private Connections tab.
    This opens the Manage Private Connections window (if you have already configured a private connection for this JPD, they will appear as a list in this tab).

  5. Click +Create New.

  6. In the Endpoint ID field, enter the ID you copied from AWS in step 1.
    Verify that the endpoint ID you enter is an alphanumeric lowercase string that begins with vpce-, for example: vpce-1234abc123a123456.

  7. Click Create
    In the Manage Private Connections table you will see the current status of the configured endpoints (this process may take a while). Once a PrivateLink has been set up, you will receive a confirmation email and the status in the Manage Private Connection table will change to Connected.

To add additional endpoints to the JPD, you will need to verify that all failed endpoints are fixed.

The purpose of this procedure is to ensure that all traffic originating from your own AWS VPC, going out to your JFrog JPD (residing in the same region) will be routed automatically via the PrivateLink, rather than via public Internet. Traffic going out to other JFrog domains, such as remote JPDs located in other regions, or to other JFrog services such as releases.jfrog.io, will continue to be routed via public Internet.

Once you set up an AWS PrivateLink via MyJFrog, JFrog automatically creates an additional domain name that reaches your instance, in the format acme.pe.jfrog.io. This domain will be used by your PrivateLink setup. For example, if your standard public JFrog domain is myservername.jfrog.io, then the additional domain will be myservername.pe.jfrog.io.

How you choose to set up your DNS in AWS depends on your organization's architecture, in which there are two factors:

  • Which domain name?
    • Custom domain name
    • JFrog domain
  • Which type of connection?
    • Connecting directly from your AWS VPC to JFrog's VPC
    • Connecting from your on-premise data center via AWS to the JFrog VPC

To better understand these options, they have been broken down into the section below, with diagrams to illustrate how they work.

If you are already using your own custom domain name to access your JFrog instance (e.g., http://jfrog.your_domain_name.com), follow these steps to configure your private DNS. How you set up depends on the type of connection.

In this configuration, you will set up a CNAME that points your company domain name, e.g., jfrog.acme.com, to the PrivateLink DNS name. If you are accessing your Docker repositories using the Docker subdomain method (e.g., docker-reponame.myservername.acme.com), set up another CNAME that points the docker subdomains (e.g., *.myservername.acme.com), to the PrivateLink DNS name.

In the diagram below, you can see the steps required to map the custom domain to the DNS of the endpoint.  

In this flow, the DNS resolution is not performed through the AWS service but from your corporate data center. Your data center DNS resolution will, therefore, need to know to point from the custom domain name to the DNS.

When using this option, you will configure your clients to hit the PrivateLink JFrog domain name (e.g., acme.pe.jfrog.io) rather than your standard domain name (e.g., acme.jfrog.io).

Set up a private hosted zone for pe.jfrog.io, and create a DNS CNAME record that points *.pe.jfrog.io (or, if you need to reach multiple Artifactorys in multiple PrivateLinks, for example, yourcompanyname.pe.jfrog.io) into the PrivateLink's DNS name. Once the DNS record is ready, configure your clients to hit the PrivateLink JFrog domain name (e.g., acme.pe.jfrog.io), so that they reach your endpoint (remember to use a hosted zone here).

As with the custom domain option, how you set up depends on the type of connection.

In this flow, you will set up the DNS to reach your JFrog PrivateLink domain name from your VPC (via Route 53 private zone DNS) directly to the JFrog VPC via the Service Endpoint.

In this flow, the DNS resolution is not performed through the AWS service but from your corporate data center. Your data center DNS resolution will, therefore, need to know to point from the JFrog domain name to the DNS.

This flow, which involves multiple jumps, will likely be the preferred option for most customers.



In this step, you will need to validate that the connection goes through the private connection rather than public Internet. To verify that your connection is indeed private, connect from your VPC to the JFrog instance by opening a command prompt and entering the following command to ping the server.

curl -v https://<customer fqdn>/artifactory/api/system/ping

For example:

curl -v https://acme.pe.jfrog.io/artifactory/api/system/ping

Verify that you are able to access the JFrog Platform. If you are able to access the Platform, your setup is complete. You should now see your next hop IP prefix with the same IP prefix as your local VPC.

The PrivateLink connection itself does not block public access to your site. To block access, you will need to add your public IPs to the Allow List. Contact JFrog Support for more information.

When performing a download request against your JFrog platform, your download may be served via a redirect to an AWS S3 bucket. Therefore, while your initial request to the JFrog platform will be routed via  the PrivateLink you created in step 2 and will reach the JFrog VPC, the redirect to S3 will reach S3 via public Internet

If your AWS VPC network policy allows egress traffic into S3 via public internet (e.g., via NAT gateway), then the download can be completed without taking any further stepsHowever, if your network does not allow egress traffic via public internet, or if you would like to enjoy better performance and lower data transfer costs when working against S3, follow the instructions in the AWS documentation (when creating the gateway VPC endpoint, under Policy, select the default option "Full Access").


  • No labels
Copyright © 2023 JFrog Ltd.