Skip to main content
Version: User Guides (Cloud)

Set up a Private Link

Zilliz Cloud offers private access to your cluster through a private link. This is useful if you do not want your cluster traffic to go over the Internet.

To enable private client access to clusters on Zilliz Cloud, you must create an endpoint in each of the subnets within your application's VPC. Then, register the VPC, subnets, and endpoints with Zilliz Cloud so that it can allocate a private link for you to set up a DNS record mapping the private link to the endpoints.

The following figure demonstrates how it works.


This guide walks you through setting up a private link for a cluster.

Before you start

Make sure the following conditions are met:

  • You have signed up for Zilliz Cloud.

  • A cluster has been created. For information on how to create a cluster, see Create Cluster.

Zilliz Cloud offers you an intuitive wizard to add a private link. On the Private Link tab in your project, click + Add Private Link and configure the settings.

Setting up a private link is project-level. When you configure a private link for a cluster, it applies to its neighboring clusters in the same project deployed in the same cloud region.

  1. Select a cloud provider and region

    To create a private link for a cluster deployed in an AWS region, select AWS from the Cloud Provider drop-down list. In Region, select the region that accommodates the cluster you want to access privately. For more information on available cloud providers and regions, see Cloud Providers & Regions.


    Once you have created a private link in a project, it applies immediately to its member clusters that have been deployed in the specified region. For those clusters that undergo maintenance then, such as scaling or patch-fixing, the private link applies to them after maintenance.


  2. Obtain a VPC ID

    Before creating a VPC endpoint, you need to have a VPC on your Amazon console. To view your VPCs, do as follows:

    1. Open the Amazon VPC console.

    2. In the navigation pane, choose VPCs.

    3. Find the VPC of your desire and copy its ID.

    4. Enter this ID in VPC ID on Zilliz Cloud.

    To create a VPC, see Create a VPC.

  3. Obtain a subnet ID

    Subnets are sub-divisions of your VPC. You need to have a subnet that resides in the same region as the private link to be created. To view your subnets, do as follows:

    1. Open the Amazon VPC console.

    2. Change the current region to the one specified for creating the private link.

    3. In the navigation pane, choose Subnets.

    4. Find the subnet of your desire and copy its ID.

    5. Enter this ID in Subnet IDs on Zilliz Cloud. To create a subnet, see Create a Subnet in Your VPC.

  4. Obtain a VPC endpoint

    Copy the command generated at the bottom of the Add Private Link dialog box on Zilliz Cloud, and run this command in your Amazon CloudShell to create a VPC endpoint.

    The returned message is similar to the following:

    "VpcEndpoint": {
    # Copy this and fill it in "Your VPC Private Link ID"
    "VpcEndpointId": "vpce-0ce90d01341533a5c",
    "VpcEndpointType": "Interface",
    "DnsEntries": [
    # Copy this one and use it as "VPCE_DNS" in the next step.
    "DnsName": "",
    "HostedZoneId": "Z1YSA3EXCYUU9Z"
    "DnsName": "",
    "HostedZoneId": "Z1YSA3EXCYUU9Z"

    In the returned message, copy the ID and DNS name of the created VPC endpoint.

    Then, enter the VPC endpoint ID in Your VPC Private Link ID and click Add.

  5. Obtain a private link

    After verifying and accepting the VPC endpoint you have submitted, Zilliz Cloud allocates a private link for this endpoint. You can view it on the details tab of your cluster.

  6. Set up a DNS record

    Before you can access your cluster via the private link allocated by Zilliz Cloud, it is necessary to create a CNAME record in your DNS zone to resolve the private link to the DNS name of your VPC endpoint.

    • Create a hosted zone using Amazon Route 53

      Amazon Route 53 is a web-based DNS service. Create a hosted DNS zone so that you can add DNS records to it.


      1. Log into your AWS account and go to Hosted zones.

      2. Click Create hosted zone.

      3. In the Hosted zone configuration section, set the following parameters.

        Parameter nameParameter Description
        Domain namePrivate Link allocated by Zilliz Cloud for the target cluster.
        DescriptionDescription used to distinguish hosted zones.
        TypeSelect Private hosted zone.
      4. In the VPCs to associate with the hosted zone section, add your VPC ID to associate it with the hosted zone.

    • Create an alias record in the hosted zone

      An alias record is a type of DNS record that maps an alias name to a true or canonical domain name. Create an alias record to map the private link allocated by Zilliz Cloud to the DNS name of your VPC endpoint. Then, you can use the private link to access your cluster privately.


      1. In the created hosted zone, click Create record.

      2. On the Create record page, switch on Alias, and select Route traffic to as follows:

        1. Select Alias to VPC endpoint in the first drop-down list.

        2. Select the cloud region in the second drop-down list.

        3. Enter the name of the endpoint that has been created above.

      3. Click Create records.

Verify the connection


Once you complete the preceding steps, you can verify the connection as follows:

  1. On the details tab of your cluster, click Private Link in the Cloud Endpoint area.

  2. Copy the private link, and then click View the guides to connect your database via endpoint.


A timeout usually occurs for the following reasons:

  • No private DNS records exist.

    If a DNS record exists, you can ping the private link as follows:



    If the IP address of the VPC endpoint has been resolved correctly in the output of the ping request, the DNS record works.

    If you see the following, you need to set up the DNS record.


  • No or invalid security group rules exist.

    You need to properly set the security group rules for the traffic from your EC2 instance to your VPC endpoint in the AWS console. A proper security group within your VPC should allow inbound access from your EC2 instances on the port suffixed to your private link.


    You can use a curl command to test the connectivity of the private link. In a normal case, it returns a 400 response.


    If the curl command hangs without any response as in the following screenshot, you need to set up proper security group rules by referring to step 9 in Create a VPC endpoint.


    Two security groups must be configured: one for the EC2 instance, which must allow traffic on the port associated with your private link, and another for the VPC endpoint, which must permit traffic from the IP address of the EC2 instance and target the specified port number.

Check your DNS settings by referring to Set up firewall rules and a DNS record.

  • If the configuration is correct, when you ping your private link, you should see


  • If the configuration is incorrect, when you ping your private link, you may see