PrivateLink
Dremio PrivateLink enables secure, private connectivity between your AWS VPC and Dremio services without exposing traffic to the public internet. This service allows you to access all Dremio control plane services, including the UI, REST APIs, and query execution endpoints.
When you enable PrivateLink for your Dremio organization, all Dremio services are accessible only through your VPC endpoint. However, the following Dremio services remain publicly accessible:
- login.dremio.cloud – OAuth server for programmatic authentication (API clients, JDBC/ODBC)
- scim.dremio.cloud – SCIM provisioning endpoint for identity provider integration (Microsoft Entra ID, Okta, etc.)
- sql.dremio.cloud – Dremio JDBC driver (Legacy) endpoint
If your organization restricts outbound internet access, allow the accounts.dremio.cloud domain (accounts.eu.dremio.cloud for EU regions) in your firewall rules. This authentication service is used during single sign-on (SSO) login flows, so SSO fails without it even when PrivateLink itself is working.
Upon activation of PrivateLink, Dremio console sessions terminate immediately, JDBC/ODBC/API sessions terminate within one hour, and running queries may be interrupted.
Before activating PrivateLink in your Dremio organization:
- Verify your VPC endpoint is available.
- Confirm DNS resolution is working and connections through the endpoint are functioning.
- Schedule a maintenance window and notify users.
PrivateLink uses a service-based routing approach with the following domain structure:
<orgAlias>.<resource>.privatelink.dremio.cloud
Domain Components
- orgAlias – Your organization's unique identifier, which routes connections to your Dremio organization. Requirements:
  - Starts with a letter (a-z, A-Z)
  - Contains only letters, digits, and hyphens
  - Ends with a letter or digit (not a hyphen)
  - Length: 3-63 characters
  - Case-insensitive (stored as lowercase)
  - Follows RFC 1035 DNS naming conventions
- resource – The Dremio service the connection targets, such as app, api, data, or login. The following interfaces are not supported by PrivateLink:
  - sql.dremio.cloud for the Dremio JDBC driver (Legacy). When using PrivateLink, Dremio recommends the Arrow Flight SQL JDBC driver with the data.dremio.cloud service endpoint.
  - mcp.dremio.cloud for AI agent integration. Once PrivateLink is activated, this endpoint is not available.
- privatelink.dremio.cloud – The PrivateLink domain suffix for all private connections
Examples:
- acme-corp.app.privatelink.dremio.cloud – Routes to the Dremio console at app.dremio.cloud
- acme-corp.api.privatelink.dremio.cloud – Routes to the REST API at api.dremio.cloud
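The following is an added example, not Dremio's own code or tooling: it enforces the orgAlias rules above, derives the `<orgAlias>.<resource>.privatelink.dremio.cloud` names for the four services the Configure Private DNS step lists, and emits the Route 53 ChangeBatch document that `aws route53 change-resource-record-sets` consumes to create those CNAMEs. The alias `Acme-Corp`, the endpoint DNS name and the output file name are constructed placeholders; the `.vpce.amazonaws.com` suffix check is a sanity check on the interface-endpoint DNS name format, not something the page specifies.

```python
import json
import re

# One CNAME per Dremio service reached over PrivateLink; these are the four
# resources the Configure Private DNS step lists.
PRIVATELINK_RESOURCES = ("app", "api", "data", "login")
PRIVATELINK_SUFFIX = "privatelink.dremio.cloud"

# orgAlias rules from Domain Components: 3-63 characters, starts with a letter,
# only letters/digits/hyphens, ends with a letter or digit (an RFC 1035 label).
_ALIAS_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{1,61}[A-Za-z0-9]")


def is_valid_org_alias(alias: str) -> bool:
    return _ALIAS_RE.fullmatch(alias) is not None


def normalize_org_alias(alias: str) -> str:
    """Lowercase the alias (the form Dremio stores it in) or raise ValueError."""
    if not is_valid_org_alias(alias):
        raise ValueError(
            f"invalid orgAlias {alias!r}: 3-63 chars, start with a letter, "
            "letters/digits/hyphens only, must not end with a hyphen"
        )
    return alias.lower()


def privatelink_hostnames(alias: str) -> dict:
    """Map each resource to <orgAlias>.<resource>.privatelink.dremio.cloud."""
    alias = normalize_org_alias(alias)
    return {res: f"{alias}.{res}.{PRIVATELINK_SUFFIX}" for res in PRIVATELINK_RESOURCES}


def route53_change_batch(alias: str, vpce_dns_name: str, ttl: int = 300) -> dict:
    """ChangeBatch document for `aws route53 change-resource-record-sets`.

    UPSERT creates or overwrites, so re-running after a fix is safe.
    """
    # Assumption (not from the page): interface endpoint DNS names end in
    # .vpce.amazonaws.com. Rejecting anything else catches the common mistake of
    # pasting the endpoint ID (vpce-0123...) instead of its DNS name.
    if not vpce_dns_name.endswith(".vpce.amazonaws.com"):
        raise ValueError(f"{vpce_dns_name!r} does not look like a VPC endpoint DNS name")
    changes = [
        {
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": host,
                "Type": "CNAME",
                "TTL": ttl,
                "ResourceRecords": [{"Value": vpce_dns_name}],
            },
        }
        for host in privatelink_hostnames(alias).values()
    ]
    return {"Comment": f"Dremio PrivateLink CNAMEs for {alias.lower()}", "Changes": changes}


if __name__ == "__main__":
    # Constructed values: substitute your alias and the endpoint DNS name shown in
    # the AWS console under VPC > Endpoints.
    batch = route53_change_batch(
        "Acme-Corp",
        "vpce-0123456789abcdef0-abcd1234.vpce-svc-0123456789abcdef0.us-east-1.vpce.amazonaws.com",
    )
    with open("privatelink-cnames.json", "w") as fh:
        json.dump(batch, fh, indent=2)
    # Apply to the private hosted zone that is associated with the VPC:
    #   aws route53 change-resource-record-sets --hosted-zone-id <zone-id> \
    #       --change-batch file://privatelink-cnames.json
    print(json.dumps(batch, indent=2))
```

The private hosted zone has to cover these names (for example a zone named privatelink.dremio.cloud) and be associated with the VPC that holds the endpoint; from inside that VPC the private zone then takes precedence over public resolution, which is exactly what keeps the traffic on the endpoint ENIs.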
Network Components
PrivateLink uses a VPC endpoint in your AWS VPC to provide secure, private connectivity to Dremio services. Users and applications within the VPC connect through the VPC endpoint using your privately hosted DNS name resolution. Remote users connect via VPN to access the VPC and its resources.
Certificate Management
Dremio uses wildcard certificates for *.privatelink.dremio.cloud, so no additional certificate management is required on your side. Server certificates are managed by Dremio, and clients verify them with standard TLS validation (a publicly trusted CA chain and a hostname match); do not disable certificate verification in drivers or tools to make PrivateLink work. All certificates are publicly logged in Certificate Transparency logs.
Prerequisites
Before setting up PrivateLink, ensure you have:
- AWS Requirements
- VPC: Your VPC in the same region as your Dremio service, where you want to enable PrivateLink connectivity.
- Subnets: At least one subnet in your VPC. When you create a VPC endpoint, you select one or more subnets, and AWS creates an Elastic Network Interface (ENI) in each selected subnet. All ENIs belong to the same VPC endpoint. Select subnets in multiple availability zones for high availability—if one availability zone fails, traffic continues to flow through ENIs in other zones.
- VPC Endpoints: Permission to create and manage VPC endpoints.
- Security Groups: Ability to create or modify security groups.
- Network Requirements
- DNS Resolution: Ability to configure private DNS (such as Route 53 Private Hosted Zones) or CNAME records in your VPC. You will need to create CNAME records that map PrivateLink URLs like acme-corp.app.privatelink.dremio.cloud to your VPC endpoint DNS name. While you could technically connect using the VPC endpoint DNS name directly, DNS configuration is required for proper TLS certificate validation (the certificate is issued for privatelink.dremio.cloud names, not for the endpoint's amazonaws.com name) and to enable host-based routing to different Dremio services, including app, api, data, and login.
- TLS/SSL: Your environment must support TLS 1.2 or higher.
- Client Requirements
- Arrow Flight Drivers: All SQL clients and BI tools must use Arrow Flight-based drivers. Some clients and tools provide their own embedded drivers, but you must use the Dremio Arrow Flight JDBC and ODBC drivers in place of those embedded drivers.
Configuration Steps
To create a PrivateLink connection:

1. Create a VPC Endpoint – In the AWS Management Console, create a VPC endpoint for connecting to an endpoint service as the service consumer, following the steps defined by AWS.
   - For Type, choose Endpoint services that use NLBs and GWLBs.
   - For Service Name, enter the Dremio service name for your Dremio region:
     - us-east-1: com.amazonaws.vpce.us-east-1.vpce-svc-0c795b359782ac685
     - us-west-2: com.amazonaws.vpce.us-west-2.vpce-svc-0b42aeb4681d6f4a4
   - Select your VPC, subnets, and additional configurations.
   - Optionally define a DNS name for your VPC endpoint and enter that name in your privately hosted DNS.
   - Click Create endpoint.
2. Configure a Security Group – Attach a security group to the VPC endpoint with the following rules:
   - Inbound Rules:

     | Type | Protocol | Port Range | Source | Description |
     | --- | --- | --- | --- | --- |
     | HTTPS | TCP | 443 | Your VPC CIDR or specific security groups | Allow HTTPS traffic from your resources |

   - Outbound Rules:

     | Type | Protocol | Port Range | Destination | Description |
     | --- | --- | --- | --- | --- |
     | HTTPS | TCP | 443 | 0.0.0.0/0 | Allow outbound HTTPS (required for SSO authentication) |

3. Configure Private DNS – Create CNAME records in your private DNS (Route 53 Private Hosted Zone or equivalent) that map the Dremio service domains to your VPC endpoint DNS name. See the AWS documentation for creating a private hosted zone. Create one CNAME record for each PrivateLink URL associated with a Dremio service. Replace <orgAlias> with your organization alias and <vpc-endpoint-dns-name> with the DNS name of your VPC endpoint (found in the AWS Console under VPC > Endpoints):
   - <orgAlias>.app.privatelink.dremio.cloud → <vpc-endpoint-dns-name>
   - <orgAlias>.api.privatelink.dremio.cloud → <vpc-endpoint-dns-name>
   - <orgAlias>.data.privatelink.dremio.cloud → <vpc-endpoint-dns-name>
   - <orgAlias>.login.privatelink.dremio.cloud → <vpc-endpoint-dns-name>
4. Configure Client Tools – Configure client applications to use the PrivateLink endpoints:
   - Power BI Desktop – See Connect to Dremio via PrivateLink.
   - JDBC/ODBC Drivers – Update connection strings to use <orgAlias>.data.privatelink.dremio.cloud.
   - REST API Clients – Update the base URL to https://<orgAlias>.api.privatelink.dremio.cloud.
5. Verify Connectivity – Test connectivity to Dremio through the VPC endpoint and private DNS:
   - Test DNS resolution with nslookup <orgAlias>.app.privatelink.dremio.cloud. The name should resolve to private IP addresses in your VPC (the endpoint's ENIs). A public address or no answer means the private zone is not in effect for that client, for example because the zone is not associated with the VPC, the CNAME is missing, or the client uses a resolver outside the VPC.
   - From a system within your VPC, open https://<orgAlias>.app.privatelink.dremio.cloud in a browser. You should see the Dremio login page.
   - From a system within your VPC, test API access, for example with curl https://<orgAlias>.api.privatelink.dremio.cloud/api/v0/.
6. Enable PrivateLink – Enable PrivateLink by filing a support ticket with Dremio Support at the Dremio Support Portal. In the support ticket, provide:
   - Your orgAlias
   - Your Dremio Organization ID (in the side navigation bar of the Dremio console, choose Organization Settings and copy the Organization ID)
   - Your VPC endpoint ID from the AWS Console
   - Confirmation that connectivity works using your new VPC endpoint
7. Resume Operation – Resume operation using your PrivateLink connections.
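The following is an added example, not Dremio's own tooling, that automates the Verify Connectivity step for all four hostnames before you file the support ticket. For each name it checks that resolution from inside the VPC returns only addresses within the VPC CIDR (anything else means the traffic is not going through the endpoint ENIs), performs a TLS handshake with full CA and hostname verification, confirms TLS 1.2 or higher as the page requires, and checks that a DNS SAN on the presented certificate covers the exact hostname. The SAN check applies the usual rule that a wildcard covers exactly one label, so *.privatelink.dremio.cloud alone would not cover <orgAlias>.app.privatelink.dremio.cloud; whatever Dremio actually presents, the script tells you rather than assuming. The alias `acme-corp`, the CIDR `10.0.0.0/16` and the certificate dictionaries in the tests are constructed; the network calls only run from `main`.

```python
import ipaddress
import socket
import ssl
import urllib.error
import urllib.request

RESOURCES = ("app", "api", "data", "login")


def resolve(host: str) -> list:
    """All A/AAAA answers for host via the system resolver (what nslookup shows)."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def addresses_outside_cidr(addresses, vpc_cidr: str) -> list:
    """Addresses not inside vpc_cidr. Non-empty means the name is NOT being served
    by the endpoint ENIs: zone not associated with this VPC, CNAME missing, or the
    client is using a resolver outside the VPC."""
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    return [a for a in addresses if ipaddress.ip_address(a) not in net]


def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125 matching as OpenSSL and browsers apply it: a leading '*' covers
    exactly one label, never 'acme-corp.app' as two labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, host: str) -> bool:
    """True if any DNS SAN in an ssl getpeercert() dict covers host."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(san_matches(san, host) for san in sans)


def tls_version_ok(version) -> bool:
    """The page requires TLS 1.2 or higher."""
    return version in ("TLSv1.2", "TLSv1.3")


def probe_tls(host: str, timeout: float = 5.0):
    """Handshake with default verification (CA chain + hostname); (version, cert)."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


def verify_org(alias: str, vpc_cidr: str) -> dict:
    """Run every check for each PrivateLink hostname; an empty list means it passed."""
    findings = {}
    for res in RESOURCES:
        host = f"{alias}.{res}.privatelink.dremio.cloud"
        problems = []
        try:
            leaked = addresses_outside_cidr(resolve(host), vpc_cidr)
            if leaked:
                problems.append(f"resolves outside {vpc_cidr}: {leaked}")
            version, cert = probe_tls(host)
            if not tls_version_ok(version):
                problems.append(f"negotiated {version}, need TLS 1.2+")
            if not cert_covers(cert, host):
                problems.append("no DNS SAN covers this exact hostname")
        except OSError as exc:  # NXDOMAIN, timeout, CA or hostname verification failure
            problems.append(f"{type(exc).__name__}: {exc}")
        findings[host] = problems
    return findings


if __name__ == "__main__":
    # Constructed values: your org alias and the CIDR of the VPC holding the endpoint.
    ALIAS, VPC_CIDR = "acme-corp", "10.0.0.0/16"
    for host, problems in verify_org(ALIAS, VPC_CIDR).items():
        print(f"{host}: {'OK' if not problems else '; '.join(problems)}")
    # The page's final check, an unauthenticated REST call over the private path.
    # Assumption: an HTTP error status without a token still shows the path works.
    url = f"https://{ALIAS}.api.privatelink.dremio.cloud/api/v0/"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            print("api status:", resp.status)
    except urllib.error.HTTPError as err:
        print("api status:", err.code)
```

Run it from an instance inside the VPC, since the private hosted zone only answers there. For a stricter check than the CIDR test, compare the resolved addresses with the endpoint ENIs' private IPs from `aws ec2 describe-network-interfaces`.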