Configuring cross-account access for Amazon Keyspaces without a shared VPC - Amazon Keyspaces (for Apache Cassandra)

Configuring cross-account access for Amazon Keyspaces without a shared VPC

If the Amazon Keyspaces table and private VPC endpoint are owned by different accounts but are not sharing a VPC, applications can still connect cross-account using VPC endpoints. Because the accounts are not sharing the VPC endpoints, Account A, Account B, and Account C require their own VPC endpoints. To the Cassandra client driver, Amazon Keyspaces appears as a single node instead of a multi-node cluster. Upon connection, the client driver queries the DNS server, which returns one of the available endpoints in the account's VPC.

You can also access Amazon Keyspaces tables across different accounts without a shared VPC endpoint by using the public endpoint or by deploying a private VPC endpoint in each account. When not using a shared VPC, each account requires its own VPC endpoint. In this example, Account A, Account B, and Account C require their own VPC endpoints to access the table in Account A. When using VPC endpoints in this configuration, Amazon Keyspaces appears as a single-node cluster to the Cassandra client driver instead of a multi-node cluster. Upon connection, the client driver queries the DNS server, which returns one of the available endpoints in the account's VPC. However, the client driver is not able to access the system.peers table to discover additional endpoints. Because there are fewer hosts available, the driver makes fewer connections. To adjust this, increase the connection pool setting of the driver by a factor of three.

Diagram showing three different accounts owned by the same organization in the same Amazon Web Services Region without a shared VPC.
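The following check, run from a client host in each account, confirms that the Amazon Keyspaces hostname resolves only to addresses inside that account's VPC (the private VPC endpoint) rather than to the public endpoint, and applies the factor-of-three pool adjustment described above. It is an added example, not code from the AWS documentation; the function names, the VPC CIDR 10.20.0.0/16, the sample addresses and the base pool size of 1 are assumptions.

```python
import ipaddress
import socket
import sys

KEYSPACES_PORT = 9142  # TLS port used by the Amazon Keyspaces endpoint


def resolve(hostname, port=KEYSPACES_PORT):
    """Return the distinct addresses DNS returns for the service hostname."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_endpoint_addresses(addresses, vpc_cidrs):
    """Split resolved addresses into those inside and outside the VPC CIDRs."""
    networks = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    inside, outside = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        in_vpc = any(ip.version == n.version and ip in n for n in networks)
        (inside if in_vpc else outside).append(addr)
    # Only a non-empty, all-inside answer means traffic stays on the VPC endpoint.
    return {"inside_vpc": inside, "outside_vpc": outside,
            "vpc_endpoint_only": bool(inside) and not outside}


def pool_size_without_peers(base_pool_size):
    """Apply the page's factor of three, since system.peers is unavailable."""
    return base_pool_size * 3


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # Usage: script.py <keyspaces-hostname> <vpc-cidr> [<vpc-cidr> ...]
        addrs, cidrs = resolve(sys.argv[1]), sys.argv[2:]
    else:
        # Constructed sample: two endpoint addresses in an assumed VPC 10.20.0.0/16.
        addrs, cidrs = ["10.20.1.15", "10.20.2.27"], ["10.20.0.0/16"]
    result = check_endpoint_addresses(addrs, cidrs)
    print(result)
    # Assumed base of 1 connection per host; substitute the driver's current value.
    print("connections per host:", pool_size_without_peers(1))
    sys.exit(0 if result["vpc_endpoint_only"] else 1)
```

A non-zero exit status means at least one resolved address lies outside the listed CIDRs, or nothing resolved, so the client in that account is not reaching the table exclusively through its own VPC endpoint.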