This guide helps you set up a secure and private connection between your AWS Virtual Private Cloud (VPC) and SambaCloud using AWS PrivateLink. It’s designed for enterprise users who require low-latency, high-security access to AI models and APIs without exposing traffic to the public internet. With PrivateLink, your data stays on the AWS network, never touching the public internet. It connects services across different accounts and availability zones, including on-prem setups. SambaCloud supports PrivateLink in the us-west-1 region (N. California), giving you better performance and stronger security for enterprise-level AI inference. All SambaNova API endpoints and features are available through the PrivateLink connection. You can use your existing API token and standard Cloud API authentication methods to access them.
Check your region access here.

Key benefits

Connecting through AWS PrivateLink offers the following benefits:
  • Secure connectivity: Your data remains within the Amazon network, eliminating exposure to the public internet.
  • Reduced attack surface: Limits external access points, significantly lowering security risks.
  • Lower latency: Ensures faster communication by keeping traffic within the same AWS region as your workloads.
  • Improved compliance: Supports stricter security policies and enhances audit readiness.
  • Enterprise compatibility: Integrates easily with existing corporate networking, identity, and access management frameworks.

How the connection works

When you’re connecting to SambaCloud through AWS PrivateLink, there are a few key things to understand about how the connection behaves and what security measures are in place. This section gives you a clear picture of what to expect and how to keep your setup secure.

Security and connection behavior

  • HTTPS is required: All API traffic must use HTTPS to ensure encryption.
  • Certificates: For HTTPS under your domain (e.g., example.com), configure matching TLS certificates.
  • Traffic remains private: Data stays on the AWS backbone—never exposed to the public internet.
  • Standard authentication: SambaNova’s API tokens and auth flows apply.
  • Optional endpoint policies: Use AWS VPC endpoint policies to control access.
  • Monitoring: Track endpoint health and usage with AWS CloudWatch.
  • High availability: Our services span multiple Availability Zones in us-west-1.
  • No extra rate limits: Only standard API rate limits apply.

Prerequisites

Before you begin, make sure you have:
  • An active AWS account
  • AWS CLI installed
  • A VPC in the us-west-1 region
  • Access to the SambaNova PrivateLink service
  • Your AWS account ID added to our allowlist

Step 1: Request access

Before you can create a PrivateLink endpoint, you’ll need to request access from SambaNova. Reach out to your SambaNova representative with the following details:
  • Your AWS Account ID (the one that will create the endpoint)
  • A brief description of your use case or access needs
  • Expected usage pattern or data volume
  • AWS region(s) where you plan to connect

Step 2: SambaNova actions

After we receive your request, SambaNova will:
  1. Review your request details.
  2. Add your AWS Account ID to the allowed principals list.
  3. Approve the endpoint connection once it’s visible to us.
  4. Notify you when your account is ready to complete the setup.
Once approved, you’re ready to create the VPC endpoint in your AWS account.

Step 3: Create your VPC endpoint

After approval:
  • Go ahead and create the PrivateLink endpoint in your VPC
  • We’ll accept the connection on our end—typically within one business day
  • Once accepted, you’re ready to roll

Create and configure the VPC endpoint

Follow the instructions below to create your VPC endpoint and connect it to SambaCloud using AWS PrivateLink.
  • Watch the setup video

1. Setup your VPC

If you don’t already have a VPC in us-west-1, let’s start by creating one. 
# Create a new VPC
aws ec2 create-vpc \
  --cidr-block 10.0.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=sambanova-vpc}]' \
  --region us-west-1
Next, enable DNS support (required for PrivateLink): 
# Enable DNS hostname resolution
aws ec2 modify-vpc-attribute \
  --vpc-id <vpc-id> \
  --enable-dns-hostnames \
  --region us-west-1

# Enable DNS support
aws ec2 modify-vpc-attribute \
  --vpc-id <vpc-id> \
  --enable-dns-support \
  --region us-west-1

2. Create subnets

Create subnets in two availability zones for high availability: 
# Subnet in us-west-1a
aws ec2 create-subnet \
  --vpc-id <vpc-id> \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-west-1a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=sambanova-subnet-1a}]' \
  --region us-west-1
  
# Subnet in us-west-1c
aws ec2 create-subnet \
  --vpc-id <vpc-id> \
  --cidr-block 10.0.2.0/24 \
  --availability-zone us-west-1c \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=sambanova-subnet-1c}]' \
  --region us-west-1

3. Configure security group

Set up a security group to allow secure traffic to the endpoint: 
# Create a new security group
aws ec2 create-security-group \
  --group-name sambanova-endpoint-sg \
  --description "Security group for SambaNova PrivateLink endpoint" \
  --vpc-id <vpc-id> \
  --region us-west-1

# Allow HTTPS traffic from your VPC CIDR
aws ec2 authorize-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp \
  --port 443 \
  --cidr <vpc-cidr> \
  --region us-west-1
Ensure this security group allows port 443 inbound from your VPC CIDR—PrivateLink requires HTTPS.

4. Create VPC endpoint

Now connect your VPC to SambaNova’s PrivateLink service: 
aws ec2 create-vpc-endpoint \
  --vpc-id <vpc-id> \
  --service-name com.amazonaws.vpce.us-west-1.vpce-svc-0bfec72bfb8a753a1 \
  --vpc-endpoint-type Interface \
  --subnet-ids <subnet-1a-id> <subnet-1c-id> \
  --security-group-ids <security-group-id> \
  --region us-west-1
This is the default endpoint for general API access. If you need a model-specific endpoint (e.g., Mixtral 8x22B), contact SambaNova Support to receive a separate service name.

5. Configure custom DNS

You’ll need a custom domain using Route 53 to make endpoint access seamless.

Create a private hosted zone

# Replace 'yourdomain.com' with your domain
aws route53 create-hosted-zone \
  --name yourdomain.com \
  --hosted-zone-config Comment='Private Hosted Zone',PrivateZone=true \
  --vpc VPCRegion=us-west-1,VPCId=<your-vpc-id> \
  --caller-reference $(date +%s)

Get the endpoint’s private IPs

# Replace with your actual endpoint ID
NETWORK_IDS=$(aws ec2 describe-vpc-endpoints \
  --vpc-endpoint-ids <your-endpoint-id> \
  --query 'VpcEndpoints[0].NetworkInterfaceIds' \
  --output text \
  --region us-west-1)

ENDPOINT_IPS=$(aws ec2 describe-network-interfaces \
  --network-interface-ids $NETWORK_IDS \
  --query 'NetworkInterfaces[*].PrivateIpAddress' \
  --output text \
  --region us-west-1)

Create a record for your custom domain

aws route53 change-resource-record-sets \
  --hosted-zone-id <your-hosted-zone-id> \
  --change-batch '{
    "Changes": [{
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "api.sambanova.yourdomain.com",
        "Type": "A",
        "TTL": 300,
        "ResourceRecords": [{"Value": "'$ENDPOINT_IPS'"}]
      }
    }]
  }'

DNS configuration tips

  • Your custom domain will resolve to the endpoint’s private IP
  • DNS works only within your VPC
  • You can now call: https://api.sambanova.yourcompany.com
  • TTL of 5 minutes allows flexibility if endpoint IPs change

Example domains

  • https://api.sambanova.yourcompany.com
  • https://sambanova-api.internal.yourcompany.com
  • https://ml-api.yourcompany.local

6. Test the connection

Once everything’s set up, validate the PrivateLink integration with the following checks.

Get the endpoint DNS names

Use this to confirm the DNS names assigned to your VPC endpoint: 
aws ec2 describe-vpc-endpoints \
  --vpc-endpoint-ids <endpoint-id> \
  --region us-west-1

Check private DNS resolution

Ensure the private DNS resolves correctly from within your VPC: nslookup api.sambanova.custom.com

Send a test request

Try an actual API call using your custom domain and token: 
curl -k \
  -H "Host: api.sambanova.ai" \
  -H "Authorization: Bearer <your-api-token>" \
  -H "Content-Type: application/json" \
  -d '{
        "stream": true,
        "model": "Meta-Llama-3.1-8B-Instruct",
        "messages": [
          { "role": "system", "content": "You are a helpful assistant" },
          { "role": "user", "content": "Hello" }
        ]
      }' \
  -X POST https://api.sambanova.custom.com/v1/chat/completions
-k skips SSL verification (useful for internal testing). Use with caution in production.

Successful response

A valid connection will return a response stream from the LLM model—confirming that:
  • Your DNS is correctly resolving
  • The VPC endpoint is reachable
  • Your API token is working
  • The SambaNova LLM is ready to serve your requests

Endpoint configuration

Use the following information when configuring your PrivateLink connection to SambaCloud:
CategoryDetails
Primary regionus-west-1
Availability zonesus-west-1a, us-west-1b
Service portPort 443 (HTTPS only) — HTTP requests are automatically redirected
Network load balanceracp-production-sc3-1-ingress-1
VPC endpoint service namecom.amazonaws.vpce.us-west-1.vpce-svc-0bfec72bfb8a753a1
SambaNova VPC IDvpc-0b7900a153c27435c
Additional regionsContact SambaNova Support for availability

Service limits and quotas

Cost overview

  • AWS PrivateLink pricing applies (billed by AWS).
  • SambaNova does not charge extra for enabling or using PrivateLink.
  • Standard API usage fees remain unchanged per your current service plan.

Troubleshooting guide

If you’re encountering issues during setup or testing, refer to the following categorized checks.

Connection issues

  • Confirm your subnets are in us-west-1a or us-west-1c.
  • Ensure the VPC endpoint status is “Available”.
  • Check DNS resolution for api.sambanova.custom.com.
  • Confirm your security group allows inbound HTTPS (port 443) from your VPC CIDR.
  • Make sure your AWS account is listed in the allowed principals for the endpoint service.

DNS resolution issues

  • VPC DNS settings must be enabled: both DNS hostnames and DNS resolution support.
  • Private DNS cannot be enabled for this endpoint service—this is expected.
  • Confirm the Route 53 private hosted zone is associated with the correct VPC.
  • Ensure an A record maps your custom domain to the endpoint’s IP addresses.
  • Run DNS checks from an instance in the VPC using: 
    nslookup api.sambanova.custom.com
dig api.sambanova.custom.com
  • Use the exact custom domain as documented.

HTTPS connection issues

  • Always connect via HTTPS (port 443).
  • Use the -k flag with curl to accept self-signed certificates: curl -k ...
  • Include all required headers:
    • Host: api.sambanova.ai
    • Authorization: Bearer <your-api-token>
    • Content-Type: application/json

Validation commands

Use the following commands to validate your endpoint configuration and DNS setup.

1. Check endpoint status and private DNS settings

aws ec2 describe-vpc-endpoints \
  --vpc-endpoint-ids <endpoint-id> \
  --region us-west-1

2. Test DNS resolution for custom domain

nslookup api.sambanova.custom.com

3. Test HTTPS connectivity

telnet api.sambanova.custom.com 443

4. Verify route 53 configuration

aws route53 list-hosted-zones
aws route53 get-hosted-zone --id <hosted-zone-id>
aws route53 list-resource-record-sets --hosted-zone-id <hosted-zone-id>

5. Get endpoint network interfaces and private IPs

aws ec2 describe-network-interfaces \
  --filters Name=vpc-endpoint-id,Values=<endpoint-id> \
  --query 'NetworkInterfaces[*].PrivateIpAddress' \
  --region us-west-1

Next steps

After successfully connecting to SambaCloud via AWS PrivateLink:
  • Start making API requests using your private or custom DNS name.
  • Use AWS CloudWatch to monitor endpoint performance and availability.
  • Share this setup internally as a reference for additional teams or use cases.
  • Reach out to help@sambanova.ai if you need access to additional models, custom endpoints, or higher throughput capacity.

Summary

By following these recommendations, you can ensure high availability, maintain strict security controls, and optimize DNS configuration and performance for your VPC endpoints.
  • All resources must be created in the us-west-1 region.
  • Use both us-west-1a and us-west-1c availability zones to ensure high availability.
  • Configure security group rules to be as restrictive as possible while still allowing necessary traffic.
  • The VPC endpoint’s DNS name is unique and automatically generated.
  • Private DNS resolution is only available from within the VPC.
  • You can assign a custom domain name within your VPC for easier access and management.
  • DNS changes may take up to five minutes to propagate (TTL = 300).
  • Regularly monitor the health and performance of your VPC endpoint.