The process of setting up an AWS PrivateLink connection is split between AWS and JFrog. These are the high-level steps you will need to complete for this procedure.
Before You Get Started
If you want to use your own custom domain to access your JFrog Platform instance (e.g., jfrog.acme.com), but have not yet set one up, do so now before beginning the process detailed below. Contact JFrog support to set up this configuration for you.
Step 1: Create the Endpoint in AWS
Create an endpoint in your Virtual Private Cloud (VPC) (see the AWS instructions for additional details on creating an interface endpoint to an endpoint service).
In the table below, locate the Service Name values for the region you are setting up. The PrivateLink is set up by JFrog in the supported AWS regions under the following service names:
AWS Public Regions
Supported Availability Zones
VPC Service Name
In the AWS Console, go to Endpoints > Create Endpoint.
Select the option Find service by name.
Enter the service name for your region and click Verify.
The endpoint you create in AWS must be in the same region as the PrivateLink you create in JFrog.
AWS verifies the service name you entered.
Scroll down to the VPC dropdown list and select the relevant VPC.
In the Select security groups list, select a security group that has port 443 open for outbound connections.
Scroll to the bottom of the window and click Create endpoint.
AWS creates the endpoint and displays the VPC Endpoint with the VPC Endpoint ID.
The ID will be in the following format:
Copy the Endpoint ID and click Close.
Step 2: Create an AWS PrivateLink in MyJFrog
Log in to MyJFrog.
Click the Actions dropdown menu and select Private Endpoint.
This opens the Manage Private Endpoints window, which contains the list of configured endpoints.
Click Create New.
This displays the Create Private Endpoint window.
In the Endpoint ID field, enter the ID you copied from AWS in step 1.
Verify that the endpoint ID you enter is an alphanumeric lowercase string that begins with vpce-, for example:
In the Select Region dropdown, select the relevant region.
The instances for this region will appear in the Select Instances field. Select one or more instances you want to connect. You can also choose to Select All instances.
In the Manage Private Endpoints table you will see the current status of the configured endpoints (this process may take a while). Once the Private Endpoint has been set up, you will receive a confirmation email and the status in the Manage Private Endpoints table will change to Connected.
Step 3: Set up Your DNS in AWS
The purpose of this procedure is to ensure that all traffic originating from your own AWS VPC and going out to your JFrog JPD (residing in the same region) is routed automatically via the Private Endpoint rather than via the public Internet. Traffic going out to other JFrog domains, such as remote JPDs located in other regions, or to other JFrog services such as releases.jfrog.io, will continue to be routed via the public Internet.
Once you set up an AWS PrivateLink via MyJFrog, JFrog automatically creates an additional domain name that reaches your instance, in the format acme.pe.jfrog.io. This domain will be used by your Private Endpoint setup. For example, if your standard public JFrog domain is myservername.jfrog.io, then the additional domain will be myservername.pe.jfrog.io.
There are two ways to set up the DNS:
- Setting up a custom domain to access your JFrog instance
- Setting up the DNS to reach your JFrog Private Endpoint domain name
Set up a Custom Domain to Access Your JFrog Instance
If you are already using your own custom domain name to access your JFrog instance (e.g., http://jfrog.acme.com), follow these steps to configure your private DNS:
- Set up a CNAME that points your company domain name, e.g., jfrog.acme.com, to the Private Endpoint DNS name.
- If you are accessing your Docker repositories using the Docker subdomain method (e.g. docker-reponame.myservername.acme.com), set up another CNAME that points the docker subdomains (e.g., *.myservername.acme.com), to the Private Endpoint DNS name.
Set up a DNS to Reach Your JFrog Private Endpoint Domain Name
In this option, you will configure your clients to hit the Private Endpoint JFrog domain name (e.g., acme.pe.jfrog.io) rather than your standard domain name (e.g., acme.jfrog.io).
Set up a private hosted zone for pe.jfrog.io, and create a DNS CNAME record that points *.pe.jfrog.io to the Private Endpoint's DNS name. Once the DNS record is ready, configure your clients to hit the Private Endpoint JFrog domain name (e.g., acme.pe.jfrog.io), so that they reach your endpoint.
Step 4: Validate the Private Connection
In this step, you will need to validate that the connection goes through the private connection rather than public Internet. To verify that your connection is indeed private, connect from your VPC to the JFrog instance by opening a command prompt and entering the following command to ping the server.
Verify that you are able to access the JFrog Platform. If you are, your setup is complete. The next hop IP address should now have the same prefix as your local VPC.
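A complementary check for this step, as an added example that is not part of the JFrog documentation: it resolves the hostname your clients use and confirms that every returned address lies inside your VPC address range, which is where the interface endpoint's network interfaces live. The VPC CIDR 10.20.0.0/16, the hostname mixed.pe.jfrog.io and all sample addresses are constructed assumptions.

```python
import ipaddress
import socket

# Constructed sample answers (not real JFrog addresses): what a resolver inside
# a VPC with CIDR 10.20.0.0/16 might return once the Step 3 CNAME is in place.
SAMPLE_DNS = {
    "acme.pe.jfrog.io": ["10.20.1.15", "10.20.2.37"],     # endpoint ENIs
    "acme.jfrog.io": ["203.0.113.10"],                    # public path
    "mixed.pe.jfrog.io": ["10.20.1.15", "203.0.113.10"],  # leaking record
}


def sample_resolver(hostname):
    """Offline stand-in for resolve(); returns the constructed answers above."""
    return SAMPLE_DNS.get(hostname, [])


def resolve(hostname, port=443):
    """Ask the local resolver; run this from a host inside the VPC."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_private_path(hostname, vpc_cidrs, resolver=resolve):
    """Report whether every address for hostname lies inside the VPC CIDRs."""
    nets = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    inside, outside = [], []
    for addr in resolver(hostname):
        ip = ipaddress.ip_address(addr)
        (inside if any(ip in net for net in nets) else outside).append(addr)
    return {
        "hostname": hostname,
        # An empty answer or a single outside address fails the check.
        "private": bool(inside) and not outside,
        "inside_vpc": inside,
        "outside_vpc": outside,
    }


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        result = check_private_path(name, ["10.20.0.0/16"], sample_resolver)
        verdict = "private" if result["private"] else "NOT private"
        print(f"{name}: {verdict} {result['inside_vpc']} {result['outside_vpc']}")
```

To check a live setup, call check_private_path with your own domain and VPC CIDR and leave the resolver argument at its default, from a host inside the VPC.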
Step 5 (Optional): Block Public Access
The Private Endpoint connection itself does not block public access to your site. To block access, you will need to add your public IPs to the Allow List. Contact JFrog Support for more information.
Step 6 (Recommended): Set up a Gateway VPC Endpoint for Amazon S3
When performing a download request against your JFrog platform, your download may be served via a redirect to an AWS S3 bucket. Therefore, while your initial request to the JFrog platform will be routed via the Private Endpoint you created in step 2 and will reach the JFrog VPC, the redirect to S3 will reach S3 via public Internet.
If your AWS VPC network policy allows egress traffic into S3 via public internet (e.g., via NAT gateway), then the download can be completed without taking any further steps. However, if your network does not allow egress traffic via public internet, or if you would like to enjoy better performance and lower data transfer costs when working against S3, follow the instructions in the AWS documentation (when creating the gateway VPC endpoint, under Policy, select the default option "Full Access").
Edit and Delete Private Endpoints
Editing an AWS PrivateLink
To edit an existing Private Endpoint, select the connection you wish to edit, and click the edit icon.
This displays the Edit Private Endpoint window.
In the Select Instance field, add or remove the instances associated with the region (you will not be able to edit the Endpoint ID or the selected region).
Click Save to save your changes.
Deleting an AWS PrivateLink
To delete an AWS PrivateLink, select the connection you wish to delete.
You will receive a warning that this action cannot be undone.
Select the checkbox "I acknowledge and understand that this change cannot be reversed" and click Delete.
The Manage Private Endpoints window will show the status "Being deleted" until the connection has been deleted. In addition, you will also receive an email confirming the deletion.
After deleting an AWS PrivateLink through MyJFrog, the status of the endpoint in AWS will change to "Rejected." In the AWS Console, select Delete endpoint to delete the endpoint.
(Optional) You may also want to delete the DNS Private Zone you set up by following the steps in the AWS Console.
Deleting an AWS PrivateLink will not automatically restore the public Internet connection to your site. You will need to go to the MyJFrog Cloud Portal and clear the IPs you added to the Allow List. For more information, see Configuring the IP/CIDR Allow List.