Connecting using AWS PrivateLink
AWS PrivateLink lets you connect your AWS VPC to SurrealDB Cloud over a private network path that never traverses the public internet, improving both security and network isolation.
AWS PrivateLink is an enterprise feature. Onboarding is a manual process handled by the SurrealDB Cloud team, and requires coordinated setup on both sides. Contact support to get started.
Prerequisites
- You have a SurrealDB Cloud instance.
- You have an AWS account.
- You have an AWS VPC.
- You have AWS IAM credentials (user, role, or policy) with the necessary permissions to create interface VPC endpoints.
- You have a SurrealDB Cloud instance in the US West 2 (Oregon) region.
Supported regions
AWS PrivateLink is currently available in the following regions:
- US West 2 (Oregon)
How it works
Once onboarded, you create an interface VPC endpoint in your AWS account that connects directly to SurrealDB Cloud. The endpoint is assigned a private IP address within your VPC, so all traffic between your application and SurrealDB Cloud stays on the AWS private network — it never touches the public internet and is not routed through a NAT gateway or internet gateway.
Public and PrivateLink instances use entirely separate connection paths and DNS namespaces, so the access mode is always explicit and enforceable:
- Public instances resolve under *.aws-usw2.surreal.cloud and are reachable from the internet.
- PrivateLink instances resolve under *.privatelink.aws-usw2.surreal.cloud and are only resolvable from within your VPC.
The two paths are fully isolated at the network level — there is no shared infrastructure between them. This makes accidental public exposure of a private instance impossible by design.
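A client-side check of the two namespaces described above, as an added example (not SurrealDB's own code): it confirms that a connection hostname is in the PrivateLink namespace and resolves only to addresses inside your VPC. The instance name, VPC CIDR and resolver answer are constructed placeholders.

```python
import ipaddress
import socket

# Suffixes taken from the page; the PrivateLink one must be tested first
# because it also ends with the public suffix.
PRIVATE_SUFFIX = ".privatelink.aws-usw2.surreal.cloud"
PUBLIC_SUFFIX = ".aws-usw2.surreal.cloud"


def namespace(host):
    """Classify a hostname as 'privatelink', 'public' or 'unknown'."""
    h = host.rstrip(".").lower()
    if h.endswith(PRIVATE_SUFFIX):
        return "privatelink"
    if h.endswith(PUBLIC_SUFFIX):
        return "public"
    return "unknown"


def system_resolve(host):
    """Resolve with the local resolver; raises OSError if the name is unknown."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_private_path(host, vpc_cidr, resolve=system_resolve):
    """Return (ok, reason) for whether host uses the PrivateLink path."""
    if namespace(host) != "privatelink":
        return False, "hostname is not in the PrivateLink namespace"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "name does not resolve here (expected outside the VPC)"
    vpc = ipaddress.ip_network(vpc_cidr)
    outside = [a for a in addrs if ipaddress.ip_address(a) not in vpc]
    if not addrs or outside:
        return False, f"addresses outside the VPC CIDR: {outside}"
    return True, "resolves only to endpoint addresses inside the VPC"


if __name__ == "__main__":
    # Constructed sample: hypothetical instance name, VPC CIDR and answer.
    host = "example-instance.privatelink.aws-usw2.surreal.cloud"
    print(check_private_path(host, "10.20.0.0/16", lambda h: ["10.20.3.17"]))
```

Run from a host inside the VPC, the default resolver is used when no `resolve` argument is passed; a failure in a deployment check flags configuration that still points at the public hostname.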
Onboarding process
Enabling AWS PrivateLink for your organisation involves both your team and the SurrealDB Cloud team. It cannot be self-served through the SurrealDB Cloud dashboard.
The steps are:
- Contact SurrealDB support to request PrivateLink access for your organisation and region.
- SurrealDB sets up the private connection on our side and shares the details you need to complete your end.
- You configure a private endpoint in your AWS account using those details.
- SurrealDB completes the setup and enables PrivateLink for your organisation and region.
Once onboarding is complete, you can view and manage the access mode of your instances from the SurrealDB Cloud dashboard.
Using AWS PrivateLink in Surrealist
Once you have been onboarded, the PrivateLink access mode appears as an option during instance creation after you select the region.

You can change the access mode later from the instance dashboard by clicking the Manage Instance button and then selecting Network.
Instance access modes
Each instance in a PrivateLink-enabled region can be set to one of three access modes:
| Access mode | Description |
|---|---|
| public | Accessible via the public internet only. Default for all instances. |
| private | Accessible via PrivateLink only. No public hostname is assigned. |
| dual | Accessible via both public internet and PrivateLink. |
All existing instances default to public. The private and dual modes are only available after your organisation has been onboarded.
Limitations
- AWS PrivateLink is currently available in US West 2 (Oregon) only. Additional regions will be added over time.
- PrivateLink must be enabled for your organisation by the SurrealDB Cloud team before it can be used.
- PrivateLink hostnames are only resolvable from within your VPC. They cannot be used to connect from outside AWS.