Connecting through AWS PrivateLink via VPC Lattice

Polytomic can also connect to your AWS RDS PostgreSQL database through AWS PrivateLink. This page describes the steps to enable this using AWS Resource Access Manager (RAM).

How it works

  1. You create a Resource Gateway in your VPC. Think of it as a managed proxy endpoint for the VPC Lattice data plane — it's what actually forwards connections to RDS from your side.
  2. You create a Resource Configuration pointing at the RDS hostname (not IP). Lattice re-resolves the hostname on each connection, so RDS failover is followed automatically.
  3. You RAM-share the Resource Configuration with Polytomic's AWS account.
  4. Polytomic accepts the share and creates a Resource-type VPC Endpoint against it. Connections originate from Polytomic, transit the Lattice fabric, hit your Resource Gateway, and are forwarded to RDS.

Prerequisites

Before you start, collect:

  • The VPC ID containing your RDS instance.
  • At least two private subnet IDs in distinct Availability Zones. The Resource Gateway will live in these subnets and must be able to route to RDS.
  • The RDS instance's hostname, port, and security group ID.
  • Polytomic's AWS account ID — ask your Polytomic Solutions Engineer if you don't already have it.

You also need an AWS provider version new enough to support aws_vpclattice_resource_configuration — Terraform AWS provider 5.60 or later.

Option 1: Terraform (recommended)

Polytomic publishes a module that creates the Resource Gateway, its security group, the Resource Configuration, the RAM share, and the RDS security group ingress rule in one shot.

provider "aws" {
  region = "us-east-1"
}

module "polytomic_privatelink" {
  source = "github.com/polytomic/on-premises/terraform/modules/aws-privatelink-rds-lattice"

  name       = "polytomic"
  vpc_id     = "vpc-0123456789abcdef0"
  subnet_ids = [
    "subnet-aaaa",  # private subnet in us-east-1a
    "subnet-bbbb",  # private subnet in us-east-1b
    "subnet-cccc",  # private subnet in us-east-1c
  ]

  rds_host              = "mydb.xxxxxxxxxxxx.us-east-1.rds.amazonaws.com"
  rds_port              = 5432
  rds_security_group_id = "sg-0123456789abcdef0"

  polytomic_aws_account_id = "123456789012"  # provided by your SE
}

output "resource_configuration_arn" {
  value = module.polytomic_privatelink.resource_configuration_arn
}

Run:

terraform init
terraform apply

Send the value of the resource_configuration_arn output to your Polytomic Solutions Engineer. It will look like
arn:aws:vpc-lattice:us-east-1:123456789012:resourceconfiguration/rcfg-….

Option 2: AWS Console

The console flow has several steps and it's very easy to miss the security group rule — if you're comfortable with Terraform, prefer Option 1.

1. Create a security group for the Resource Gateway

  1. VPC → Security groups → Create security group.
  2. Name: polytomic-resource-gateway, VPC: the RDS VPC.
  3. Inbound rules: leave empty. Return traffic is handled automatically.
  4. Outbound rules: TCP 5432 to the RDS security group.

2. Create the Resource Gateway

  1. VPC → Lattice → Resource gateways → Create resource gateway.
  2. Name: polytomic-rg.
  3. VPC: the RDS VPC. Subnets: at least two private subnets in distinct AZs that can route to RDS.
  4. Security groups: select the one you created in step 1.
  5. IP address type: IPv4.
  6. Create. Wait for status Active.

3. Update the RDS security group

This is the step most manual setups miss. Without it, the Resource Gateway can reach RDS on the network, but RDS drops the connection.

  1. Open the RDS instance's security group.
  2. Add an inbound rule:
    • Type: PostgreSQL
    • Protocol: TCP
    • Port: 5432
    • Source: the security group you created in step 1 (polytomic-resource-gateway)

4. Create the Resource Configuration

  1. VPC → Lattice → Resource configurations → Create resource configuration.
  2. Name: polytomic-rc.
  3. Type: Single resource.
  4. Resource gateway: select the one from step 2.
  5. Resource definition:
    • DNS name, not IP address.
    • Domain name: the RDS hostname, e.g. mydb.xxxxxxxxxxxx.us-east-1.rds.amazonaws.com.
    • IP address type: IPv4.
  6. Protocol: TCP.
  7. Port ranges: 5432.
  8. Create.

5. Share with Polytomic via RAM

  1. RAM → Shared by me → Resource shares → Create resource share.
  2. Name: polytomic-rc.
  3. Resources: select the Resource Configuration from step 4.
  4. Principals: Polytomic's AWS account ID (the 12-digit number your SE provided).
  5. Allow sharing with principals outside your AWS organization: yes.
  6. Create.

6. Send the Resource Configuration ARN to Polytomic

Email your Solutions Engineer the ARN from step 4. It will look like arn:aws:vpc-lattice:<region>:<account>:resourceconfiguration/rcfg-….

Verification

Polytomic will accept the RAM share and create a Resource VPC endpoint on their side. From there they'll test connectivity using the private DNS name provisioned by their consumer module.

Troubleshooting

"Configured per the docs, but Polytomic can't connect."

In the overwhelming majority of cases this is one of:

  1. RDS security group doesn't allow the Resource Gateway SG. Re-check step 3. Allowing a CIDR block instead of the SG is not sufficient if the gateway's ENIs come from a different range than you expect.
  2. Resource Gateway SG egress doesn't allow 5432. Re-check step 1.
  3. Resource configuration uses an IP, not a DNS name. If you configured it as an IP resource, you lose the automatic failover behavior and the IP may no longer be current. Delete and recreate as a DNS resource.
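The three causes above as an offline check, added here as an example and not part of Polytomic's module or docs: it runs over constructed JSON in the shape of aws ec2 describe-security-groups and aws vpc-lattice get-resource-configuration output (that response shape, and the Resource Gateway security group ID sg-0aaaabbbbccccdddd, are assumptions; the RDS security group ID and hostname are the placeholders from the Terraform example above).

```python
# Added example, not Polytomic's code: offline checks for the three troubleshooting causes,
# over constructed JSON shaped like AWS CLI output (shape assumed, IDs are placeholders).
RDS_SG = "sg-0123456789abcdef0"       # the RDS SG placeholder from the Terraform example
GATEWAY_SG = "sg-0aaaabbbbccccdddd"   # hypothetical polytomic-resource-gateway SG
PORT = 5432
SECURITY_GROUPS = {  # constructed: GroupId -> {"IpPermissions": [...], "IpPermissionsEgress": [...]}
    RDS_SG: {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                "IpRanges": [], "UserIdGroupPairs": [{"GroupId": GATEWAY_SG}]}],
             "IpPermissionsEgress": []},
    GATEWAY_SG: {"IpPermissions": [],
                 "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": RDS_SG}]}]},
}
RESOURCE_CONFIG = {  # constructed: DNS-type single-resource configuration, as step 4 describes
    "name": "polytomic-rc", "type": "SINGLE", "protocol": "TCP", "portRanges": ["5432"],
    "resourceConfigurationDefinition": {"dnsResource": {
        "domainName": "mydb.xxxxxxxxxxxx.us-east-1.rds.amazonaws.com", "ipAddressType": "IPV4"}},
}

def rule_covers(rule, port, peer_sg, accept_cidr):
    """Does one SG rule allow TCP <port> to/from peer_sg (or, when accept_cidr, any CIDR)?"""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):
        return False
    if proto == "tcp" and not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 0):
        return False
    by_sg = any(p.get("GroupId") == peer_sg for p in rule.get("UserIdGroupPairs", []))
    return by_sg or (accept_cidr and bool(rule.get("IpRanges")))

def port_in_ranges(port, ranges):
    """VPC Lattice port ranges are strings like "5432" or "1024-65535"."""
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (str(r).partition("-") for r in ranges))

def check_setup(sgs, rds_sg, gateway_sg, port, rcfg):
    """Return findings keyed to the numbered troubleshooting causes; [] means all pass."""
    findings = []
    # 1. RDS SG must reference the gateway SG itself; a CIDR-only rule does not count.
    if not any(rule_covers(r, port, gateway_sg, False) for r in sgs[rds_sg]["IpPermissions"]):
        findings.append("1: RDS SG has no ingress from the Resource Gateway SG")
    # 2. Gateway SG egress must allow the port (SG reference or CIDR both count).
    if not any(rule_covers(r, port, rds_sg, True) for r in sgs[gateway_sg]["IpPermissionsEgress"]):
        findings.append("2: Resource Gateway SG egress does not allow the RDS port")
    # 3. Resource definition must be DNS-based, and its port ranges must include the RDS port.
    if "dnsResource" not in rcfg.get("resourceConfigurationDefinition", {}):
        findings.append("3: resource configuration is not a DNS resource")
    if not port_in_ranges(port, rcfg.get("portRanges", [])):
        findings.append("3: resource configuration port ranges exclude the RDS port")
    return findings
```

Feed it the real CLI output for your two security groups and the Resource Configuration; an empty result means the three checks in this list pass.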