Securing Real-Time Applications with SingleStore Helios and AWS PrivateLink

Securing Real-Time Applications with SingleStore Helios and AWS PrivateLink

In today’s digital world, cloud data security is a critical concern for both businesses and individuals. With the increasing volume of data being generated and stored in the cloud, it's more important than ever to protect sensitive information from cyber threats. 

At SingleStore, nothing is more important than the security of our customer’s data. Our organization works diligently to ensure security is architected, designed, implemented and audited at every layer of the technology stack.

As part of our ongoing commitments to security and partnerships, we’re proud to announce that SingleStore has recently attained AWS PrivateLink Ready Partner designation — particularly for our managed offering, Singlestore Helios on AWS. In this blog, we’ll discuss all things AWS PrivateLink and Singlestore Helios. 

singlestore-heliosSinglestore Helios

Singlestore Helios is a fully managed, cloud-native database that powers real-time workloads.  Our patented Universal Storage architecture intelligently tiers data between three storage layers (RAM, SSD, object storage) based on data access patterns. This ensures that data is always on the correct storage tier, delivering high performance at scale.

Built for engineers by engineers, SingleStoreDB is based on a distributed SQL architecture, meaning databases are spread amongst a cluster of nodes rather than a single node monolith. Allowing SingleStore nodes to scale horizontally mitigates bottlenecks in data architectures,  delivering  millisecond performance on complex queries. These ‘shared nothing’ design principles allow businesses to effortlessly scale real-time applications.

Having a distributed SQL database with Universal Storage architecture enables transactions and analytics to be unified in a single database engine. This is simpler, more performant, and more affordable than the alternative of stitching together disparate purpose-built databases to serve transactions and analytics separately. SingleStoreDB drives low-latency access to large datasets and simplifies the development of fast, modern applications.

AWS PrivateLink provides private connectivity between virtual private clouds (VPCs), supported AWS services and on-premises networks without exposing traffic to the public internet. Interface VPC endpoints, powered by AWS PrivateLink, connect you to services hosted by AWS Partners and supported solutions available in AWS Marketplace.

AWS PrivateLink with Singlestore Helios allows customers to securely connect private services in their own VPC to Singlestore Helios (more specifically, SingleStore’s VPC). This configuration uses Elastic Network Interfaces (ENIs) to create an interface endpoint within your VPC for the service. This endpoint appears as a network interface with a private IP address in your VPC's subnet. You can then use this endpoint to access services securely, without compromising network traffic — all traffic stays within the given AWS regional data centers.

In the following diagram, the VPC on the left has several EC2 instances in a private subnet and three interface VPC endpoints. The top-most VPC endpoint connects to an AWS service. The middle VPC endpoint connects to a service hosted by another AWS account (a VPC endpoint service). The bottom VPC endpoint connects to an AWS Marketplace partner service.

With any database solution, the most critical consideration is securing the flow of data between the database and peripheral technologies (applications, analytics, AI/ML, etc). When running Singlestore Helios on AWS, AWS PrivateLink is the best way to ensure this security. Following this best practice configuration will protect network traffic by avoiding the public internet, ensuring data never leaves AWS’s protected network. When using AWS PrivateLink to connect your VPC to SingleStore’s VPC, all traffic between your databases and workloads will be secure, performant and affordable. 

Here’s a look at the high level architecture of using AWS PrivateLink to connect to Singlestore Helios on AWS. 

Using Singlestore Helios with AWS PrivateLink offers several benefits, including:

  • Security: AWS PrivateLink provides a secure way to access Singlestore Helios without exposing data to the public internet, reducing the risk of data breaches.
  • Performance: AWS PrivateLink offers low-latency and high-bandwidth connectivity, which improves the performance of database queries.
  • Cost: AWS PrivateLink is a cost-effective way to securely access Singlestore Helios, since it doesn't require the use of a NAT gateway or VPN. It also eliminates unnecessary Egress data transfer costs.
  • Simplicity: AWS PrivateLink simplifies network management,  requiring no changes to route tables or concerns of overlapping IP address space.

singlestore-helios-aws-private-link-customer-success-storySinglestore Helios & AWS PrivateLink: Customer Success Story

Proof is a joint customer of AWS and SingleStore. Their fintech SaaS closes the gap between market principles and the actual trading experience for long term investors. As an execution-only broker dealer, Proof  builds algorithms to navigate the market on behalf of their institutional clients. They provide unprecedented levels of transparency, ensuring their products are highly accountable and highly performant.

We interviewed Proof’s CTO, Marcio Moreno, about his experience connecting to Singlestore Helios using AWS PrivateLink.

We prefer to use AWS PrivateLink because it’s a great tool for keeping traffic inside the AWS data centers, so we can avoid the public internet. This is great for our security posture. We don’t need to keep adding IPs to our firewalls to access our databases, we configure AWS PrivateLink on our VPC and it just works. Once it’s configured, we can securely connect to SingleStore from our native AWS services. Now we don’t have to worry about constant network security maintenance or having traffic compromised on the public internet. This solution is perfect for us.”

You can connect Singlestore Helios to private AWS services and networks via AWS PrivateLink. This process is straightforward and takes just a few steps.

There are two types of connection methods to Singlestore Helios via AWS PrivateLink— inbound and outbound.

An inbound request means your workloads are querying data from Singlestore Helios. Check out the documentation for detailed prerequisites and steps to connect to Singlestore Helios Workspaces from Private Networks/Services via AWS PrivateLink.

An outbound request means Singlestore Helios makes the request (usually via Pipelines, but it can also be via SELECT … INTO …), so the configuration starts at the customer end. The most common pattern we see here is for the SingleStore Pipeline to ingest data from Kafka. We support self-managed Apache Kafka on AWS, Amazon Managed Streaming for Apache Kafka (MSK), and Confluent Cloud on AWS. Check out the documentation for detailed prerequisites and steps to connect out from Singlestore Helios Workspaces to Private Networks/Services via AWS PrivateLink.

To make the process as seamless as possible, we recommend gathering all the necessary details for your request before sharing with
SingleStore support.


AWS PrivateLink is a valuable tool for protecting data when using Singlestore Helios on AWS. It provides a simple way to access databases without exposing them to the public internet, improving security, performance, and cost-efficiency. By following this blog post and our docs, you can easily set up AWS PrivateLink for Singlestore Helios on AWS and enjoy its many benefits.

Ready to get started? Try Singlestore Helios on AWS today!

By tapping into the power of Singlestore Helios and AWS PrivateLink, you maintain up to 99.99% uptime SLA on a highly available, scalable, performant cloud native database.