# Configure Private Endpoints for AWS PrivateLink
Secure Pinecone with private VPC endpoints.
This page describes how to create and use Private Endpoints to connect AWS PrivateLink to Pinecone while keeping your VPC private from the public internet.
## Use Private Endpoints to connect to PrivateLink
### Before you begin
The following steps assume you have:
* Access to the AWS console.
* Created an Amazon VPC in the same AWS region as the index you want to connect to. You can optionally enable DNS hostnames and resolution if you want your VPC to automatically discover the DNS CNAME for your PrivateLink and do not want to configure a CNAME.
  * To configure the routing yourself, use the Pinecone DNS entry for the corresponding region:

| Index region | Pinecone DNS entry |
|---|---|
| us-east-1 (N. Virginia) | `*.private.aped-4627-b74a.pinecone.io` |
| us-west-2 (Oregon) | `*.private.apw5-4e34-81fa.pinecone.io` |
| eu-west-1 (Ireland) | `*.private.apu-57e2-42f6.pinecone.io` |

* Created a serverless index in the same AWS region as your Amazon VPC.

Private Endpoints are configured at the project level, and you can add up to 10 endpoints per project. If you have multiple projects in your organization, Private Endpoints need to be set up separately for each.
### 1. Create an Amazon VPC endpoint
In the AWS console:
1. Open the Amazon VPC console.
2. In the navigation pane, click **Endpoint**.
3. Click **Create endpoint**.
4. For **Service category**, select **Other endpoint services**.
5. In **Service settings**, enter the **Service name**, based on the region your Pinecone index is in:

   | Index region | Service name |
   |---|---|
   | us-east-1 (N. Virginia) | `com.amazonaws.vpce.us-east-1.vpce-svc-05ef6f1f0b9130b54` |
   | us-west-2 (Oregon) | `com.amazonaws.vpce.us-west-2.vpce-svc-04ecb9a0e0d5aab01` |
   | eu-west-1 (Ireland) | `com.amazonaws.vpce.eu-west-1.vpce-svc-03c6b7e17ff02a70f` |

   Click **Verify service**.
6. Select the **VPC** to host the endpoint.
7. (Optional) In **Additional settings**, **Enable DNS name**. This enables you to access our service with the DNS name we configure. An additional CNAME record is needed if you disable this option.
8. Select the **Subnets** and **Subnet ID** for the endpoint.
9. Select the **Security groups** to apply to the endpoint.
10. Click **Create endpoint**.
11. Copy the **VPC endpoint ID** (e.g., `vpce-XXXXXXX`). This will be used to add a Private Endpoint in Pinecone.
### 2. Add a Private Endpoint in Pinecone
To add a Private Endpoint using the Pinecone console:
- Select your project.
- Go to Manage > Network.
- Click Add a connection.
- Select your VPC region. Only indexes in the selected region in this project will be affected.
- Click Next.
- Enter the AWS VPC endpoint ID you copied in the section above.
- Click Next.
- (optional) To enable VPC endpoint access only, turn the toggle on. This can also be enabled later. For more information, see Manage internet access to your project.
- Click Finish setup.
Private Endpoints only affect data plane access. Control plane access will continue over the public internet.
## Read and write data
Once your private endpoint is configured, you can run data operations against an index as usual, but you must target the index using its private endpoint URL. The only difference in the URL is that `.svc.` is changed to `.svc.private.`.
You can get the private endpoint URL for an index from the Pinecone console or API.
To get the private endpoint URL for an index from the Pinecone console:
- Open the Pinecone console.
- Select the project containing the index.
- Select the index.
- Copy the URL under PRIVATE ENDPOINT.
To get the private endpoint URL for an index from the API, use the `describe_index` operation, which returns the private endpoint URL as the `private_host` value:
```javascript
import { Pinecone } from '@pinecone-database/pinecone';

const pc = new Pinecone({ apiKey: 'YOUR_API_KEY' });

await pc.describeIndex('docs-example');
```
```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"log"

	"github.com/pinecone-io/go-pinecone/v4/pinecone"
)

// prettifyStruct renders a value as indented JSON for display.
func prettifyStruct(obj interface{}) string {
	bytes, _ := json.MarshalIndent(obj, "", " ")
	return string(bytes)
}

func main() {
	ctx := context.Background()

	pc, err := pinecone.NewClient(pinecone.NewClientParams{
		ApiKey: "YOUR_API_KEY",
	})
	if err != nil {
		log.Fatalf("Failed to create Client: %v", err)
	}

	const indexName = "docs-example"
	idx, err := pc.DescribeIndex(ctx, indexName)
	if err != nil {
		// idx is nil when the call fails, so log the requested name, not idx.Name.
		log.Fatalf("Failed to describe index \"%v\": %v", indexName, err)
	}
	fmt.Printf("index: %v\n", prettifyStruct(idx))
}
```
```bash
PINECONE_API_KEY="YOUR_API_KEY"

curl -i -X GET "https://api.pinecone.io/indexes/docs-example" \
  -H "Api-Key: $PINECONE_API_KEY" \
  -H "X-Pinecone-Api-Version: 2025-10"
```
The response includes the private endpoint URL as the `private_host` value:
```javascript
{
  name: 'docs-example',
  dimension: 1536,
  metric: 'cosine',
  host: 'docs-example-jl7boae.svc.aped-4627-b74a.pinecone.io',
  privateHost: 'docs-example-jl7boae.svc.private.aped-4627-b74a.pinecone.io',
  deletionProtection: 'disabled',
  tags: { environment: 'production' },
  embed: undefined,
  spec: {
    byoc: undefined,
    pod: undefined,
    serverless: { cloud: 'aws', region: 'us-east-1' }
  },
  status: { ready: true, state: 'Ready' },
  vectorType: 'dense'
}
```
```go
index: {
  "name": "docs-example",
  "dimension": 1536,
  "host": "docs-example-jl7boae.svc.aped-4627-b74a.pinecone.io",
  "private_host": "docs-example-jl7boae.svc.private.aped-4627-b74a.pinecone.io",
  "metric": "cosine",
  "deletion_protection": "disabled",
  "spec": {
    "serverless": {
      "cloud": "aws",
      "region": "us-east-1"
    }
  },
  "status": {
    "ready": true,
    "state": "Ready"
  },
  "tags": {
    "environment": "production"
  }
}
```
```json
{
  "id": "025117b3-e683-423c-b2d1-6d30fbe5027f",
  "vector_type": "dense",
  "name": "docs-example",
  "metric": "cosine",
  "dimension": 1536,
  "status": {
    "ready": true,
    "state": "Ready"
  },
  "host": "docs-example-jl7boae.svc.aped-4627-b74a.pinecone.io",
  "private_host": "docs-example-jl7boae.svc.private.aped-4627-b74a.pinecone.io",
  "spec": {
    "serverless": {
      "region": "us-east-1",
      "cloud": "aws"
    }
  },
  "deletion_protection": "disabled",
  "tags": {
    "environment": "production"
  }
}
```
**Note:** If you run data operations against an index from outside the Private Endpoint, you will get an `Unauthorized` response.
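A pre-flight check for the rules in this section, written as an added example (not Pinecone's code): it derives the private host from the public one, confirms it falls under the regional DNS entry from the table above, and confirms the name resolves only to private addresses. `PrivateHost`, `CheckPrivatePath` and the `10.0.1.25` resolver answer are hypothetical names and constructed data, and the address check assumes the VPC subnets use RFC 1918 or IPv6 ULA ranges.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Regional DNS suffixes, taken from the "Pinecone DNS entry" table on this page.
var regionSuffix = map[string]string{
	"us-east-1": ".private.aped-4627-b74a.pinecone.io",
	"us-west-2": ".private.apw5-4e34-81fa.pinecone.io",
	"eu-west-1": ".private.apu-57e2-42f6.pinecone.io",
}

// PrivateHost derives the private endpoint host from a public index host
// by changing ".svc." to ".svc.private." (hypothetical helper).
func PrivateHost(host string) (string, error) {
	if strings.Count(host, ".svc.") != 1 || strings.Contains(host, ".svc.private.") {
		return "", fmt.Errorf("not a public index host: %q", host)
	}
	return strings.Replace(host, ".svc.", ".svc.private.", 1), nil
}

// CheckPrivatePath fails unless host is a private endpoint host for region and
// every address it resolves to is private. lookup is net.LookupIP in real use;
// it is a parameter so the check can be exercised offline.
func CheckPrivatePath(host, region string, lookup func(string) ([]net.IP, error)) error {
	suffix, ok := regionSuffix[region]
	if !ok || !strings.Contains(host, ".svc.private.") || !strings.HasSuffix(host, suffix) {
		return fmt.Errorf("%s is not a private endpoint host for region %q", host, region)
	}
	ips, err := lookup(host)
	if err != nil || len(ips) == 0 {
		return fmt.Errorf("%s does not resolve (err: %v)", host, err)
	}
	for _, ip := range ips {
		if !ip.IsPrivate() {
			return fmt.Errorf("%s resolves to non-private address %s", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed resolver answer standing in for net.LookupIP inside the VPC.
	inVPC := func(string) ([]net.IP, error) { return []net.IP{net.ParseIP("10.0.1.25")}, nil }
	h, _ := PrivateHost("docs-example-jl7boae.svc.aped-4627-b74a.pinecone.io")
	fmt.Println(h, CheckPrivatePath(h, "us-east-1", inVPC))
}
```

Run it at client start-up with `net.LookupIP` as the resolver, so a missing CNAME or a disabled DNS name on the VPC endpoint is caught before any data operation is attempted.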
## Manage internet access to your project
Once your Private Endpoint is configured, you can turn off internet access to your project. To enable VPC endpoint access only:
1. Open the [Pinecone console](https://app.pinecone.io/organizations/-/projects).
2. Select your project.
3. Go to **Network > Access**.
4. Turn the **VPC endpoint access only** toggle on.
This turns off internet access to the project. You can turn the toggle off again at any point.
**Warning:** This access control is set at the *project-level* and can unintentionally affect Pinecone indexes that communicate via the internet in the same project. Only indexes communicating through Private Endpoints will continue to work.
## Manage Private Endpoints
In addition to [creating Private Endpoints](#2-add-a-private-endpoint-in-pinecone), you can also:
* [View Private Endpoints](#view-private-endpoints)
* [Delete a Private Endpoint](#delete-a-private-endpoint)
### View Private Endpoints
To view Private Endpoints using the [Pinecone console](https://app.pinecone.io/organizations/-/projects):
1. Select your project.
2. Go to **Manage > Network**.
A list of Private Endpoints displays with the associated **VPC ID** and **Cloud** provider.
### Delete a Private Endpoint
To delete a Private Endpoint using the [Pinecone console](https://app.pinecone.io/organizations/-/projects):
1. Select your project.
2. Go to **Manage > Network**.
3. For the Private Endpoint you want to delete, click the *...* (Actions) icon.
4. Click **Delete**.
5. Enter the endpoint name.
6. Click **Delete Endpoint**.