This page describes how to create and use Private Endpoints to connect AWS PrivateLink to Pinecone while keeping your VPC private from the public internet.

PrivateLink diagram

Private Endpoints are additive to other Pinecone security features: data is also encrypted in transit, encrypted at rest, and an API key is required to authenticate.

Private Endpoints are in public preview and available only on Enterprise plans.

Before you begin

The following steps assume you have:

  • Access to the AWS console.

  • Created an Amazon VPC in the same AWS region as the index you want to connect to. You can optionally enable DNS hostnames and resolution, if you want your VPC to automatically discover the DNS CNAME for your PrivateLink and do not want configure a CNAME.

    Index regionPinecone DNS entry
    us-east-1 (N. Virginia)*.private.aped-4627-b74a.pinecone.io
    us-west-2 (Oregon)*.private.apw5-4e34-81fa.pinecone.io
    eu-west-1 (Ireland)*.private.apu-57e2-42f6.pinecone.io
  • A Pinecone Enterprise plan.

  • Created a serverless index in the same AWS region as your Amazon VPC.

Private Endpoints are configured at the project-level and you can add up to 10 endpoints per project. If you have multiple projects in your organization, Private Endpoints need to be set up separately for each.

1. Create an Amazon VPC endpoint

In the AWS console:

  1. Open the Amazon VPC console.

  2. In the navigation pane, click Endpoint.

  3. Click Create endpoint.

  4. For Service category, select Other endpoint services.

  5. In Service settings, enter the Service name, based on the region your Pinecone index is in:

    Index regionService name
    us-east-1 (N. Virginia)com.amazonaws.vpce.us-east-1.vpce-svc-05ef6f1f0b9130b54
    us-west-2 (Oregon)com.amazonaws.vpce.us-west-2.vpce-svc-04ecb9a0e0d5aab01
    eu-west-1 (Ireland)com.amazonaws.vpce.eu-west-1.vpce-svc-03c6b7e17ff02a70f
  6. Click Verify service.

  7. Select the VPC to host the endpoint.

  8. (Optional) In Additional settings, Enable DNS name. The enables you to access our service with the DNS name we configure. An additional CNAME record is needed if you disable this option.

  9. Select the Subnets and Subnet ID for the endpoint.

  10. Select the Security groups to apply to the endpoint.

  11. Click Create endpoint.

  12. Copy the VPC endpoint ID (e.g., vpce-XXXXXXX). This will be used to add a Private Endpoint in Pinecone.

2. Add a Private Endpoint in Pinecone

To add a Private Endpoint through the Pinecone console:

  1. Select your project.
  2. Go to Network.
  3. Click Add a connection.
  4. Select your VPC region. Only indexes in the selected region in this project will be affected.
  5. Click Next.
  6. Enter the AWS VPC endpoint ID you copied in the section above.
  7. Click Next.
  8. (optional) To enable VPC endpoint access only, turn the toggle on. This can also be enabled later. For more information, see Manage internet access to your project.
  9. Click Finish setup.

3. Run data plane commands

Once your Private Endpoint is successfully set up in Pinecone, you can run data plane commands (e.g., upsert data):

curl
curl -X POST "https://$INDEX_PRIVATE_HOST/vectors/upsert" \
# $INDEX_PRIVATE_HOST can be found in the Pinecone console after you select the index to view more details.
     -H "Api-Key: $PINECONE_API_KEY" \
     -H 'Content-Type: application/json' \
     -d '{
          "vectors": [
            {
              "id": "I", 
              "values": [0.1, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1]
            },
            {
              "id": "J", 
              "values": [0.2, 0.2, 0.2, 0.2, 0.2, 0.2, 0.2, 0.2]
            },
            {
              "id": "K", 
              "values": [0.3, 0.3, 0.3, 0.3, 0.3, 0.3, 0.3, 0.3]
            },
            {
              "id": "L", 
              "values": [0.4, 0.4, 0.4, 0.4, 0.4, 0.4, 0.4, 0.4]
            }
          ]
        }'

If you run the same command from outside of the Private Endpoint, you will get an Unauthorized response.

Manage internet access to your project

Once your Private Endpoint is configured, you can turn off internet access to your project. To enable VPC endpoint access only:

  1. Open the Pinecone console.

  2. Select your project.

  3. Go to Network > Access.

  4. Turn the VPC endpoint access only toggle on. This will turn off internet access to the project. This can be turned off at any point.

    This access control is set at the project-level and can unintentionally affect Pinecone indexes that communicate via the internet in the same project. Only indexes communicating through Private Endpoints will continue to work.

Manage Private Endpoints

In addition to creating Private Endpoints, you can also:

View Private Endpoints

To view Private Endpoints through the Pinecone console:

  1. Select your project.
  2. Go to Network. A list of Private Endpoints displays with the associated VPC ID and Cloud provider.

Delete a Private Endpoint

To delete a Private Endpoint through the Pinecone console:

  1. Select your project.
  2. Go to Network.
  3. For the Private Endpoint you want to delete, click the (Actions) icon.
  4. Click Delete.
  5. Enter the endpoint name.
  6. Click Delete Endpoint.