Most users of SpiceDB Dedicated privately connect to SpiceDB with AWS PrivateLink. PrivateLink enables private connections from your AWS accounts and VPCs to SpiceDB Permissions Systems in your SpiceDB Dedicated environment. Users of SpiceDB Dedicated can also have their SpiceDB Permissions Systems configured for access over the open internet.
Connect to SpiceDB Dedicated with PrivateLink
Before you can start using SpiceDB Dedicated, you'll need to get in touch with the AuthZed team.
Step 1: Configure the VPC Endpoint
- In your AWS management console for the account you want to connect to SpiceDB Dedicated, navigate to Create Endpoint and input the following info:
| Field | Value |
|---|---|
| Name tag | Choose whatever you want |
| Service category | Select “Other endpoint services” |
| Service name | Enter the "service name" provided to you by the AuthZed team |
| VPC | Choose the VPC from where you will deploy your SpiceDB client. DNS resolution for your SpiceDB cluster endpoint address will only be available from this VPC. |
| Subnets | You can deploy your VPC endpoint in one subnet per AZ. We recommend choosing all AZs where SpiceDB clients will exist. |
| IP address type | IPv4 |
| Security Group | Choose a security group that allows inbound port 443 traffic from your clients |
Step 2: Enable DNS
- Navigate to the Endpoint you just created
- Select the Actions dropdown and then select Modify private DNS name from the dropdown
- Enable for this endpoint
Step 3: Add a Permissions System
You can skip this section if you've already created a SpiceDB Permissions System.
- Log in to your SpiceDB management console
- On the homepage, select Add Permissions System
- Configure your Permissions System to your liking and create it
Step 4: Verify Connectivity
To quickly verify connectivity from a client machine, use the Zed CLI tool:

```sh
zed context set permission_system_name example.com:443 sdbst_h256_123
zed schema write example.yaml
zed schema read
```
If everything works, you should see a SpiceDB Schema in your terminal.
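
A successful `zed schema read` shows the endpoint is reachable, but not that traffic stays on PrivateLink, since a Permissions System can also be exposed over the open internet. The following check is an added example, not part of the AuthZed documentation: it confirms from the client machine that the endpoint name resolves only to private addresses and completes a verified TLS handshake on port 443. It assumes the client VPC uses RFC 1918 address space and that the endpoint serves TLS; the function names are hypothetical.

```python
import ipaddress
import socket
import ssl
import sys

# Assumption: the client VPC uses RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addresses):
    """Split resolved addresses into (private, other) lists."""
    private, other = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        (private if any(ip in net for net in RFC1918) else other).append(str(ip))
    return private, other


def resolve(host, port):
    """Return the unique IPv4 addresses the local resolver gives for host."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_endpoint(host, port=443, resolver=resolve, timeout=5):
    """Require private-only DNS answers, then a verified TLS handshake on 443."""
    private, other = classify(resolver(host, port))
    if other or not private:
        return False, f"{host} did not resolve only to RFC 1918 addresses (other: {other})"
    ctx = ssl.create_default_context()  # verifies the certificate against host
    with socket.create_connection((private[0], port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return True, f"{host} -> {private}, {tls.version()}"


if __name__ == "__main__":
    # example.com is the placeholder endpoint used in the zed command above.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        ok, detail = check_endpoint(host)
    except OSError as exc:  # DNS failure, refused connection, TLS error
        ok, detail = False, f"{host}: {exc}"
    print("OK" if ok else "FAIL", detail)
    sys.exit(0 if ok else 1)
```

Run it with the Permissions System hostname as the only argument; a `FAIL` that lists non-private addresses usually means private DNS is not enabled on the VPC endpoint or the client is outside the VPC chosen in Step 1.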