# Internetwork traffic privacy in Amazon Keyspaces
<a name="inter-network-traffic-privacy"></a>

This topic describes how Amazon Keyspaces (for Apache Cassandra) secures connections from on-premises applications to Amazon Keyspaces and between Amazon Keyspaces and other Amazon resources within the same Amazon Web Services Region.

## Traffic between service and on-premises clients and applications
<a name="inter-network-traffic-privacy-on-prem"></a>

You have two connectivity options between your private network and Amazon: 
+ An Amazon Site-to-Site VPN connection. For more information, see [What is Amazon Site-to-Site VPN?](https://docs.amazonaws.cn/vpn/latest/s2svpn/VPC_VPN.html) in the *Amazon Site-to-Site VPN User Guide*.
+ An Amazon Direct Connect connection. For more information, see [What is Amazon Direct Connect?](https://docs.amazonaws.cn/directconnect/latest/UserGuide/Welcome.html) in the *Amazon Direct Connect User Guide*.

As a managed service, Amazon Keyspaces (for Apache Cassandra) is protected by Amazon global network security. For information about Amazon security services and how Amazon protects infrastructure, see [Amazon Cloud Security](https://www.amazonaws.cn/security/). To design your Amazon environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.amazonaws.cn/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar Amazon Well‐Architected Framework*.

You use Amazon published API calls to access Amazon Keyspaces through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

Amazon Keyspaces supports two methods of authenticating client requests. The first method uses service-specific credentials, which are password based credentials generated for a specific IAM user. You can create and manage the password using the IAM console, the Amazon CLI, or the Amazon API. For more information, see [Using IAM with Amazon Keyspaces](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_mcs.html).

The second method uses an authentication plugin for the open-source DataStax Java Driver for Cassandra. This plugin enables [IAM users, roles, and federated identities](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles.html) to add authentication information to Amazon Keyspaces (for Apache Cassandra) API requests using the [Amazon Signature Version 4 process (SigV4)](https://docs.amazonaws.cn/general/latest/gr/signature-version-4.html). For more information, see [Create and configure Amazon credentials for Amazon Keyspaces](access.credentials.md). 

## Traffic between Amazon resources in the same Region
<a name="inter-network-traffic-privacy-within-region"></a>

Interface VPC endpoints enable private communication between your virtual private cloud (VPC) running in Amazon VPC and Amazon Keyspaces. Interface VPC endpoints are powered by Amazon PrivateLink, which is an Amazon service that enables private communication between VPCs and Amazon services. Amazon PrivateLink enables this by using an elastic network interface with private IPs in your VPC so that network traffic does not leave the Amazon network. Interface VPC endpoints don't require an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. For more information, see [Amazon Virtual Private Cloud](https://docs.amazonaws.cn/vpc/latest/userguide/) and [Interface VPC endpoints (Amazon PrivateLink)](https://docs.amazonaws.cn/vpc/latest/privatelink/vpce-interface.html). For example policies, see [Using interface VPC endpoints for Amazon Keyspaces](vpc-endpoints.md#using-interface-vpc-endpoints).