PrivateLink connectivity
The AWS SageMaker Unified Studio (SMUS) connector uses AWS PrivateLink so that all metadata API traffic between Atlan and your SMUS resources stays within the AWS private network. Traffic never traverses the public internet.
This is an infrastructure-level capability managed entirely by Atlan—no additional configuration or setup is required on your end.
How it works
The SMUS connector communicates with two AWS services to crawl and sync metadata:
- Amazon DataZone: All metadata operations (listing projects, assets, glossaries, lineage, and more) go through DataZone APIs.
- AWS STS: The connector calls AssumeRole to obtain temporary credentials for your AWS account before making DataZone calls.
Atlan maintains interface VPC endpoints for both of these services within Atlan's infrastructure. With private DNS enabled on these endpoints, all API calls automatically resolve to private IPs and route through the AWS internal network.
Traffic flow
- The connector authenticates by calling sts:AssumeRole through the STS VPC endpoint. This call resolves to a private endpoint IP and travels over the AWS internal network.
- AWS STS returns temporary credentials scoped to your IAM role.
- The connector calls DataZone APIs using the temporary credentials. These calls also resolve privately through the DataZone VPC endpoint and travel over the AWS internal network.
- At no point does any traffic leave the AWS private network.
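The property the flow above relies on, that the regional STS and DataZone hostnames resolve to private endpoint IPs rather than public ones, can be checked from the calling environment. This is an added example, not Atlan's code: the region and hostnames are assumptions, and the DNS answers are constructed so the check runs offline (swap in the live resolver to run it for real).

```python
import ipaddress
import socket
from typing import Callable, Dict, List

def service_hostnames(region: str) -> Dict[str, str]:
    # Regional API hostnames the connector calls (assumed region layout).
    # With private DNS enabled on the interface endpoints, these public
    # names resolve to the endpoint ENIs' private IPs instead of public ones.
    return {
        "sts": f"sts.{region}.amazonaws.com",
        "datazone": f"datazone.{region}.amazonaws.com",
    }

def resolve_all(host: str) -> List[str]:
    # Live resolver: collect every A/AAAA answer returned for the host.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})

def is_private_path(addresses: List[str]) -> bool:
    # True only if every resolved address is private (RFC 1918 / ULA ranges).
    # A single public answer means some calls could leave the private network,
    # so the whole hostname is reported as not private.
    return bool(addresses) and all(
        ipaddress.ip_address(a).is_private for a in addresses
    )

def check_private_dns(
    region: str, resolver: Callable[[str], List[str]] = resolve_all
) -> Dict[str, bool]:
    # Map each service to whether its hostname resolves only to private IPs.
    return {
        name: is_private_path(resolver(host))
        for name, host in service_hostnames(region).items()
    }

# Constructed DNS answers standing in for real resolution, so this runs offline.
CONSTRUCTED_ANSWERS = {
    "sts.us-east-1.amazonaws.com": ["10.20.1.14", "10.20.2.27"],       # private DNS on
    "datazone.us-east-1.amazonaws.com": ["10.20.1.30", "52.94.10.5"],  # one public answer
}

def constructed_resolver(host: str) -> List[str]:
    return CONSTRUCTED_ANSWERS.get(host, [])

if __name__ == "__main__":
    # Expected: {'sts': True, 'datazone': False}
    print(check_private_dns("us-east-1", constructed_resolver))
```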
Benefits
- Network isolation: All metadata traffic stays within the AWS private network in addition to being encrypted via TLS, providing defense-in-depth beyond encryption alone.
- Compliance: Meets enterprise requirements that prohibit data plane traffic from leaving the AWS private network, addressing concerns around DNS hijacking, BGP route leaks, and data residency regulations.
- No impact on authentication: Cross-account IAM Role authentication continues to work identically. PrivateLink changes only the network path, not the authentication mechanism.
- No performance impact: PrivateLink typically has equivalent or lower latency compared to public endpoints, so crawl performance isn't affected.
What you need to do
Nothing. Atlan manages the PrivateLink infrastructure entirely. You don't need to create any VPC endpoints, modify your network configuration, or make any changes to your AWS environment. The existing authentication setup using IAM Role or IAM User credentials continues to work as before.
See also
- Set up AWS SageMaker Unified Studio: Configure AWS authentication for SMUS integration
- Crawl AWS SageMaker Unified Studio: Configure and run the crawler to extract metadata from SMUS