Configuring cross-account access to Amazon Keyspaces without a shared VPC
If the Amazon Keyspaces table and private VPC endpoint are owned by different accounts but are
not sharing a VPC, applications can still connect cross-account using VPC endpoints.
Because the accounts are not sharing the VPC endpoints, Account A, Account B, and Account C require their own
VPC endpoints. To the Cassandra client driver, Amazon Keyspaces appears like a single node instead
of a multi-node cluster. Upon connection, the client driver reaches the DNS server which
returns one of the available endpoints in the account’s VPC.
You can also access Amazon Keyspaces tables across different accounts without a shared VPC endpoint by using the public
endpoint or deploying a private VPC endpoint in each account. When not using a shared VPC, each
account requires its own VPC endpoint. In this example, Account A, Account B, and Account C
require their own VPC endpoints to access the table in Account A. When using VPC endpoints in
this configuration, Amazon Keyspaces appears as a single-node cluster to the Cassandra client
driver instead of a multi-node cluster. Upon connection, the client driver reaches the DNS server,
which returns one of the available endpoints in the account’s VPC. But the client driver is not able to access
the system.peers table to discover additional endpoints. Because there are fewer hosts available, the driver
makes fewer connections. To adjust this, increase the connection pool setting of the driver by a factor of three.
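The pool adjustment described above, as an added example that is not part of the original page. It assumes the DataStax Java driver 4.x and its application.conf file. The Region, the baseline pool size, and the use of private DNS on the VPC endpoint are assumptions as well.

```hocon
# Added example: application.conf for the DataStax Java driver 4.x
# (the driver choice is an assumption; the page does not name one).
datastax-java-driver {
  basic {
    # Assumption: private DNS is enabled on the interface VPC endpoint, so the
    # regional service name resolves to the endpoint in this account's VPC.
    # The Region shown here is a placeholder.
    contact-points = ["cassandra.us-east-1.amazonaws.com:9142"]
    load-balancing-policy.local-datacenter = "us-east-1"
  }
  advanced.connection.pool {
    # Constructed baseline: the application previously ran with 3 connections
    # per host. Through a per-account VPC endpoint the driver cannot read
    # system.peers and sees a single host, so the per-host pool is multiplied
    # by three to keep a comparable number of connections: 3 x 3 = 9.
    local.size = 9
  }
}
```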