# Connecting to customer-managed services on AWS

This page covers how to establish private connectivity between your dedicated instance and services running in your AWS environment that do not have native AWS PrivateLink support.

This applies to:

* **Self-hosted applications** running in your VPC, such as MongoDB or Elasticsearch
* **AWS managed services without native PrivateLink support**, such as Amazon RDS (PostgreSQL)

For AWS-managed services with native PrivateLink support, see [Connecting to AWS-managed services](/business/aws/aws-privatelink/connect-to-services).

## How it works

Services without native PrivateLink support require you to front them with a Network Load Balancer (NLB) and expose them via a VPC Endpoint Service. Unstructured then creates a VPC Endpoint in the Unstructured-managed environment to connect to your service privately.

In AWS terminology, you are the *service provider* and Unstructured is the *service consumer*.

## Information exchange

<Note>
  The **Order** column indicates the general sequence for the information exchange. Items with the same order value can usually be provided at the same stage.
</Note>

| Order | Information Required        | Description                                                     | Example                                                        | Provided by  |
| ----- | --------------------------- | --------------------------------------------------------------- | -------------------------------------------------------------- | ------------ |
| 1     | Service Type                | The service being accessed                                      | `PostgreSQL (RDS)`, `MongoDB`, `Elasticsearch`                 | Customer     |
| 1     | Service Region              | Region where the service is hosted                              | `us-east-1`                                                    | Customer     |
| 1     | Service Port                | Port the service listens on                                     | `5432` (PostgreSQL), `27017` (MongoDB), `9200` (Elasticsearch) | Customer     |
| 2     | Unstructured AWS Account ID | Account ID to add as allowed principal on your endpoint service | `987654321098`                                                 | Unstructured |
| 3     | VPC Endpoint Service Name   | Service name for the endpoint service fronting the NLB          | `com.amazonaws.vpce.us-east-1.vpce-svc-0abc123`                | Customer     |
| 3     | Service Endpoint            | The endpoint URL for connection                                 | Custom DNS or endpoint service DNS                             | Customer     |

## Steps

### Step 1: Provide service information

Provide Unstructured with the service type, region, and port via support ticket. Unstructured will share the Unstructured AWS Account ID you need to complete Step 2.

### Step 2: Create a Network Load Balancer and VPC Endpoint Service

Create an NLB targeting your service, then create a VPC Endpoint Service pointing to the NLB. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html)

### Step 3: Allow Unstructured as a principal

Allow Unstructured's AWS Account ID as a principal on your VPC Endpoint Service so Unstructured can create a VPC Endpoint connecting to it.

**Using the AWS Console:**

1. Navigate to **VPC > Endpoint Services**.
2. Select your endpoint service.
3. Go to the **Allow principals** tab and click **Allow principals**.
4. Enter `arn:aws:iam::<UNSTRUCTURED_AWS_ACCOUNT_ID>:root` and confirm.

**Using the AWS CLI:**

```bash
aws ec2 modify-vpc-endpoint-service-permissions \
  --service-id vpce-svc-0abc123def456789 \
  --add-allowed-principals "arn:aws:iam::<UNSTRUCTURED_AWS_ACCOUNT_ID>:root"
```

Replace `<UNSTRUCTURED_AWS_ACCOUNT_ID>` with the account ID provided by Unstructured, and replace the example `--service-id` value with the ID of your own endpoint service.

### Step 4: Share your VPC Endpoint Service name with Unstructured

Provide Unstructured with your VPC Endpoint Service name and service endpoint via support ticket. [Learn how to find your endpoint service name](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#share-endpoint-service)

Unstructured will create a VPC Endpoint in the Unstructured-managed environment targeting your service.

### Step 5: Accept Unstructured's connection request

Once Unstructured creates the VPC Endpoint, an endpoint connection request will appear on your VPC Endpoint Service. Accept it as soon as possible to avoid delays. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests)
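Steps 3 and 5 as a scripted check, added here as an example and not Unstructured's or AWS's own tooling: it confirms that the only allowed principal is the account Unstructured gave you, then accepts only pending requests owned by that account. The function names, the script name, and the sample endpoint IDs and second account ID are assumptions made up for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Unstructured's or AWS's tooling.
# Usage: ./review-endpoint-service.sh <service-id> <unstructured-account-id>

# stdin: allowed principal ARNs, one per line. Prints any ARN other than the expected account root.
unexpected_principals() {
  awk -v want="arn:aws:iam::$1:root" 'NF && $0 != want'
}

# stdin: rows of "endpoint-id owner state". Prints IDs pending acceptance and owned by account $1.
acceptable_pending() {
  awk -v acct="$1" '$3 == "pendingAcceptance" && $2 == acct { print $1 }'
}

# Same rows; prints pending requests from any other account, which are left untouched.
foreign_pending() {
  awk -v acct="$1" '$3 == "pendingAcceptance" && $2 != acct { print $1 " (owner " $2 ")" }'
}

main() {
  svc="$1"; acct="$2"
  extra=$(aws ec2 describe-vpc-endpoint-service-permissions --service-id "$svc" \
    --query 'AllowedPrincipals[].Principal' --output text | tr '\t' '\n' |
    unexpected_principals "$acct")
  if [ -n "$extra" ]; then
    echo "Unexpected allowed principals, review before accepting:" >&2
    echo "$extra" >&2
    return 1
  fi
  rows=$(aws ec2 describe-vpc-endpoint-connections \
    --filters "Name=service-id,Values=$svc" --output text \
    --query 'VpcEndpointConnections[].[VpcEndpointId,VpcEndpointOwner,VpcEndpointState]')
  printf '%s\n' "$rows" | foreign_pending "$acct" | sed 's/^/Not accepting: /' >&2
  ids=$(printf '%s\n' "$rows" | acceptable_pending "$acct")
  [ -n "$ids" ] || { echo "No pending request from $acct yet"; return 0; }
  # $ids is left unquoted so several endpoint IDs become separate arguments.
  aws ec2 accept-vpc-endpoint-connections --service-id "$svc" --vpc-endpoint-ids $ids
}

if [ "$#" -eq 2 ]; then
  main "$@"
else
  # No arguments: run the filters on constructed sample rows (made-up endpoint IDs).
  printf 'vpce-0aaa\t987654321098\tpendingAcceptance\nvpce-0bbb\t111122223333\tpendingAcceptance\n' |
    acceptable_pending 987654321098   # prints vpce-0aaa
fi
```

Requests from any other account stay in `pendingAcceptance` for manual review; the script does not reject them.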

## Questions? Need help?

Contact your Unstructured account team or open a ticket in the [Unstructured Support Portal](https://support.unstructured.io/).
