This page describes how to create and use Private Endpoints to connect AWS PrivateLink to Pinecone while keeping your VPC private from the public internet.

This feature is in public preview and available only on Enterprise plans.

Before you begin

The following steps assume you have:

  • Access to the AWS console.

  • Created an Amazon VPC in the same AWS region as the index you want to connect to. You can optionally enable DNS hostnames and resolution if you want your VPC to automatically discover the DNS CNAME for your PrivateLink and do not want to configure a CNAME.

    Index region              Pinecone DNS entry
    us-east-1 (N. Virginia)   *.private.aped-4627-b74a.pinecone.io
    us-west-2 (Oregon)        *.private.apw5-4e34-81fa.pinecone.io
    eu-west-1 (Ireland)       *.private.apu-57e2-42f6.pinecone.io

  • A Pinecone Enterprise plan.

  • Created a serverless index in the same AWS region as your Amazon VPC.

Private Endpoints are configured at the project level, and you can add up to 10 endpoints per project. If you have multiple projects in your organization, Private Endpoints need to be set up separately for each.

1. Create an Amazon VPC endpoint

In the AWS console:

  1. Open the Amazon VPC console.

  2. In the navigation pane, click Endpoint.

  3. Click Create endpoint.

  4. For Service category, select Other endpoint services.

  5. In Service settings, enter the Service name, based on the region your Pinecone index is in:

    Index region              Service name
    us-east-1 (N. Virginia)   com.amazonaws.vpce.us-east-1.vpce-svc-05ef6f1f0b9130b54
    us-west-2 (Oregon)        com.amazonaws.vpce.us-west-2.vpce-svc-04ecb9a0e0d5aab01
    eu-west-1 (Ireland)       com.amazonaws.vpce.eu-west-1.vpce-svc-03c6b7e17ff02a70f

  6. Click Verify service.

  7. Select the VPC to host the endpoint.

  8. (Optional) In Additional settings, select Enable DNS name. This enables you to access our service with the DNS name we configure. An additional CNAME record is needed if you disable this option.

  9. Select the Subnets and Subnet ID for the endpoint.

  10. Select the Security groups to apply to the endpoint.

  11. Click Create endpoint.

  12. Copy the VPC endpoint ID (e.g., vpce-XXXXXXX). This will be used to add a Private Endpoint in Pinecone.

2. Add a Private Endpoint in Pinecone

To add a Private Endpoint using the Pinecone console:

  1. Select your project.
  2. Go to Manage > Network.
  3. Click Add a connection.
  4. Select your VPC region. Only indexes in the selected region in this project will be affected.
  5. Click Next.
  6. Enter the AWS VPC endpoint ID you copied in the section above.
  7. Click Next.
  8. (Optional) To enable VPC endpoint access only, turn the toggle on. This can also be enabled later. For more information, see Manage internet access to your project.
  9. Click Finish setup.

Private Endpoints only affect data plane access. Control plane access will continue over the public internet.

3. Run data plane commands

Once your Private Endpoint is successfully set up in Pinecone, you can run data plane commands (e.g., upsert data):

If you run the same command from outside of the Private Endpoint, you will get an Unauthorized response.
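
A check you can run from a host inside the VPC to confirm that data plane traffic takes the private path, as an added example (not Pinecone's own code): it matches the index host against the private DNS entries listed above and verifies that every resolved address falls inside your VPC CIDR. The host name and CIDR are constructed sample values, and the check assumes the endpoint's network interfaces take their addresses from a single VPC CIDR block.

```python
import ipaddress
import socket

# Private DNS suffixes per index region, from the table on this page.
PRIVATE_DNS_SUFFIXES = {
    "us-east-1": ".private.aped-4627-b74a.pinecone.io",
    "us-west-2": ".private.apw5-4e34-81fa.pinecone.io",
    "eu-west-1": ".private.apu-57e2-42f6.pinecone.io",
}


def region_for_host(host):
    """Return the region whose private DNS entry covers host, else None."""
    host = host.lower().rstrip(".")
    for region, suffix in PRIVATE_DNS_SUFFIXES.items():
        if host.endswith(suffix) and len(host) > len(suffix):
            return region
    return None


def resolve(host):
    """Resolve host with the system resolver; returns sorted unique IPs."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_private_path(host, vpc_cidr, resolver=resolve):
    """Report whether host is a private name resolving only inside vpc_cidr."""
    result = {"ok": False, "region": region_for_host(host), "outside": []}
    if result["region"] is None:
        result["reason"] = "host is not under a Pinecone private DNS entry"
        return result
    try:
        addresses = resolver(host)
    except OSError as exc:  # e.g. DNS name disabled and no CNAME configured
        result["reason"] = f"resolution failed: {exc}"
        return result
    network = ipaddress.ip_network(vpc_cidr)
    result["outside"] = [a for a in addresses
                         if ipaddress.ip_address(a) not in network]
    result["ok"] = bool(addresses) and not result["outside"]
    result["reason"] = ("all addresses inside the VPC" if result["ok"]
                        else "no addresses, or addresses outside the VPC CIDR")
    return result


if __name__ == "__main__":
    # Constructed sample values: replace with your index host and VPC CIDR.
    host = "example-index-abc123.svc.private.aped-4627-b74a.pinecone.io"
    print(check_private_path(host, "10.0.0.0/16"))
```

A result with `ok` set to false and addresses listed under `outside` means the name is not resolving to the endpoint's interfaces, so requests from that host would not traverse PrivateLink.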

Manage internet access to your project

Once your Private Endpoint is configured, you can turn off internet access to your project. To enable VPC endpoint access only:

  1. Open the Pinecone console.

  2. Select your project.

  3. Go to Network > Access.

  4. Turn the VPC endpoint access only toggle on. This will turn off internet access to the project. This can be turned off at any point.

    This access control is set at the project level and can unintentionally affect Pinecone indexes that communicate via the internet in the same project. Only indexes communicating through Private Endpoints will continue to work.

Manage Private Endpoints

In addition to creating Private Endpoints, you can also:

View Private Endpoints

To view Private Endpoints using the Pinecone console:

  1. Select your project.
  2. Go to Manage > Network. A list of Private Endpoints displays with the associated VPC ID and Cloud provider.

Delete a Private Endpoint

To delete a Private Endpoint using the Pinecone console:

  1. Select your project.
  2. Go to Manage > Network.
  3. For the Private Endpoint you want to delete, click the (Actions) icon.
  4. Click Delete.
  5. Enter the endpoint name.
  6. Click Delete Endpoint.