AWS PrivateLink Setup (For Business Critical Accounts)

⚙️ When to use this: Complete your Yuki Proxy deployment first (via Fully Hosted, Helm, or Terraform). Use this guide after the proxy is connected if your organization requires that all Yuki–Snowflake communication stays within AWS private networking (Business Critical or higher).

This document describes how to connect Yuki Proxy privately to your Snowflake account using AWS PrivateLink. All traffic stays on AWS private networking - no public internet paths.


Deployment Architecture Overview

All PrivateLink configurations follow the same core security and connectivity principles: traffic flows privately between your environment, the Yuki Proxy, and Snowflake - without traversing the public internet.

The diagrams below illustrate how network routing and endpoint placement differ across deployment models when PrivateLink is enabled.

  • Your existing Environment:

  • With Yuki - Full Hosted (SAAS):

  • With Yuki - Same Cluster:

  • With Yuki - Dedicated VPC:


What this enables

  • A private connection from Yuki’s AWS VPC to your Snowflake account (Interface VPC Endpoint → Snowflake PrivateLink service).

  • A private connection between your AWS VPC and Yuki’s proxy (Interface VPC Endpoint → Yuki Endpoint Service).

💡 Use this guide if your Snowflake edition is Business Critical or higher and you want all Yuki–Snowflake communication to remain private.


Prerequisites

  • Your Snowflake edition is Business Critical (or higher).

  • Your Snowflake account and the PrivateLink endpoints are in the same AWS region. If you need cross-region access, plan a Transit Gateway architecture and appropriate routing.

Configure the connection to Snowflake

  1. Ask Snowflake Support to enable AWS PrivateLink on your Snowflake account. In your request, include:

    • Yuki’s AWS Account ID (Yuki Support will share this with you; use 000000000000 as a placeholder in internal notes until then).

    • Your Snowflake account identifier.

  2. In Snowflake, run:

    SELECT SYSTEM$GET_PRIVATELINK_CONFIG();

  3. Share the full JSON output of the above query with Yuki Support (securely).

  4. Yuki will establish a PrivateLink interface endpoint to your Snowflake service in Yuki’s AWS and validate connectivity.

  5. Yuki will confirm availability and provide/confirm the PrivateLink host address to use for your Yuki→Snowflake traffic.

  6. In Yuki, create or update the Snowflake connection to use that PrivateLink host so that all Snowflake-bound traffic remains private.


You can enable a private path from your workloads (EKS, EC2, etc.) to the Yuki proxy via AWS PrivateLink by creating a VPC Interface Endpoint to Yuki’s Endpoint Service.

Prerequisites

  • A VPC - you can use an existing one.

  • Two private subnets in different Availability Zones.

  • A security group for the endpoint ENIs that allows inbound TCP 443 from your workloads.

  • VPC DNS enabled (DNS hostnames and DNS resolution both set to true).

Configure the connection from your VPC to Yuki

  1. Contact Yuki Support to request that PrivateLink be enabled on your Yuki account and provide:

    • Your AWS account ID.

  2. Create a VPC Interface Endpoint and associate it with Yuki's Endpoint Service, whose service name will be provided to you after step 1. Private DNS must be enabled on the endpoint.

  3. Contact Yuki Support for approval of your endpoint connection.
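The endpoint from steps 1–3 and the prerequisites above, written as Terraform. This is an added example, not Yuki's own Terraform module; the VPC ID, subnet IDs, workload CIDR and the Endpoint Service name are placeholders to replace with your values and the name Yuki Support provides (the `check` block needs Terraform 1.5 or later).

```hcl
# Added example: VPC Interface Endpoint to Yuki's Endpoint Service.
# All IDs below are placeholders, not values from Yuki or this guide.
variable "yuki_endpoint_service_name" {
  description = "Endpoint Service name provided by Yuki Support after step 1"
  type        = string
  default     = "com.amazonaws.vpce.us-east-1.vpce-svc-PLACEHOLDER"
}
variable "vpc_id"             { default = "vpc-0123456789abcdef0" }                # placeholder
variable "private_subnet_ids" { default = ["subnet-aaaa1111", "subnet-bbbb2222"] } # two AZs, placeholder
variable "workload_cidr"      { default = "10.0.0.0/16" }                          # placeholder

# Prerequisite check: private DNS on the endpoint only works when the VPC
# has both DNS resolution and DNS hostnames enabled.
data "aws_vpc" "this" { id = var.vpc_id }

check "vpc_dns_enabled" {
  assert {
    condition     = data.aws_vpc.this.enable_dns_support && data.aws_vpc.this.enable_dns_hostnames
    error_message = "VPC must have DNS resolution and DNS hostnames enabled."
  }
}

# Security group for the endpoint ENIs: TLS from your workload range only,
# not from 0.0.0.0/0. Interface endpoints need no egress rule; return
# traffic is handled statefully.
resource "aws_security_group" "yuki_endpoint" {
  name        = "yuki-privatelink-endpoint"
  description = "HTTPS from workloads to the Yuki PrivateLink endpoint"
  vpc_id      = var.vpc_id

  ingress {
    description = "TLS from workloads"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.workload_cidr]
  }
}

resource "aws_vpc_endpoint" "yuki" {
  vpc_id              = var.vpc_id
  service_name        = var.yuki_endpoint_service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.yuki_endpoint.id]
  private_dns_enabled = true # required by step 2 of this guide
  tags                = { Name = "yuki-proxy-privatelink" }
}

# Stays "pendingAcceptance" until Yuki Support approves the connection (step 3).
output "yuki_endpoint_state" { value = aws_vpc_endpoint.yuki.state }
```

After `terraform apply`, the endpoint state reported by the output should move from pendingAcceptance to available once Yuki Support approves the connection in step 3.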


Next Steps

Follow these guides to complete your security setup (if applicable): → Service User Authentication, Add User-Allowed IPs
