
Connectivity

Control plane connectivity

Using the Temporal Cloud web UI, Terraform provider, tcld CLI, or Cloud Ops APIs requires network access to the Temporal Cloud control plane. Different hostnames are used for different parts of the service.

  • saas-api.tmprl.cloud (required for Terraform, tcld, and Cloud Ops APIs)
  • web.onboarding.tmprl.cloud (required for Web UI)
  • web.saas-api.tmprl.cloud (required for Web UI)

Connectivity rules

Support, stability, and dependency info

Connectivity rules are currently in Pre-release.

Contact support to request access.

To enable connectivity rules when using the tcld CLI, run:

tcld feature tcr

Connectivity rules are Temporal Cloud's mechanism for limiting network access to a namespace.

By default, a namespace has zero connectivity rules and is reachable from both the public internet and every private connection you have configured to the region containing the namespace.

As soon as a namespace has at least one connectivity rule, Temporal Cloud blocks all traffic that does not arrive over a connection matching one of that namespace's rules. One namespace can have multiple connectivity rules and may mix public and private rules.

A connectivity rule specifies public (i.e. internet) or private (i.e. AWS PrivateLink or Google Cloud Private Service Connect) access to a namespace. See the linked docs to learn more about setting up those private connections in your cloud provider and configuring DNS for your workers.

Connectivity rules control only which network paths can reach a namespace; they are not a substitute for authentication. Every connection to a namespace is still authenticated with API keys or mTLS, regardless of which connectivity rules are set.

Only Account Admins and Account Owners can create and manage connectivity rules. Connectivity rules are visible to Account Developers, Account Admins, and Account Owners.

Creating a connectivity rule

Connectivity rules can be created and managed with tcld or Terraform.

A public connectivity rule takes no parameters.

An AWS PrivateLink (PL) connectivity rule requires the following parameters:

  • connection-id: The VPC endpoint ID of the PL connection (ex: vpce-00939a7ed9EXAMPLE)
  • region: The region of the PL connection, prefixed with aws (ex: aws-us-east-1). Must be the same region as the namespace. Refer to the Temporal Cloud region list for supported regions.

A GCP Private Service Connect (PSC) connectivity rule requires the following parameters:

  • connection-id: The ID of the PSC connection (ex: 1234567890123456789)
  • region: The region of the PSC connection, prefixed with gcp (ex: gcp-us-east1). Must be the same region as the namespace. Refer to the Temporal Cloud region list for supported regions.
  • gcp-project-id: The ID of the GCP project where you created the PSC connection (ex: my-example-project-123)

Temporal Cloud CLI (tcld)

Create public connectivity rule:

tcld connectivity-rule create --connectivity-type public

Create private connectivity rule (AWS):

tcld connectivity-rule create --connectivity-type private --connection-id "vpce-abcde" --region "aws-us-east-1"

Create private connectivity rule (GCP):

tcld connectivity-rule create --connectivity-type private --connection-id "1234567890" --region "gcp-us-central1" --gcp-project-id "my-project-123"

The cr alias works the same way:

tcld cr create --connectivity-type public

Private connectivity rule:

tcld cr create --connectivity-type private --connection-id "vpce-abcde" --region "aws-us-east-1"
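The private-rule parameters above are easy to get subtly wrong, and a rule whose region does not match the namespace's region never carries any traffic. The following shell script is an added example, not part of tcld or the Temporal docs: it checks the argument shapes shown above (aws- or gcp- region prefix, vpce- endpoint ID for AWS, numeric connection ID plus project ID for GCP) and that the rule region equals the namespace region, then prints the tcld create command it would run. The namespace region is assumed to be supplied by the caller (for example, read from tcld namespace get); the function names and messages are hypothetical.

```shell
#!/bin/sh
# Preflight check for the parameters of a private connectivity rule.
# Added example, not part of tcld. It only validates the parameter shapes
# documented above and prints the tcld command; it does not talk to Temporal Cloud.

fail() { echo "preflight: $*" >&2; }

# validate_private_rule <aws|gcp> <connection-id> <region> <namespace-region> [gcp-project-id]
# Returns 0 when the parameters are consistent with the docs, 1 otherwise.
validate_private_rule() {
  cloud="$1"; conn_id="$2"; region="$3"; ns_region="$4"; project="${5:-}"
  case "$cloud" in
    aws)
      case "$region" in aws-*) ;; *) fail "AWS region must be prefixed with aws- (got '$region')"; return 1 ;; esac
      case "$conn_id" in vpce-*) ;; *) fail "AWS connection-id must be a VPC endpoint ID, vpce-... (got '$conn_id')"; return 1 ;; esac
      [ -z "$project" ] || { fail "gcp-project-id is only used for GCP rules"; return 1; }
      ;;
    gcp)
      case "$region" in gcp-*) ;; *) fail "GCP region must be prefixed with gcp- (got '$region')"; return 1 ;; esac
      case "$conn_id" in ''|*[!0-9]*) fail "GCP connection-id must be the numeric PSC connection ID (got '$conn_id')"; return 1 ;; esac
      [ -n "$project" ] || { fail "gcp-project-id is required for GCP rules"; return 1; }
      ;;
    *) fail "first argument must be aws or gcp (got '$cloud')"; return 1 ;;
  esac
  # The rule must be in the namespace's own region; otherwise it never matches traffic.
  [ "$region" = "$ns_region" ] || { fail "rule region '$region' does not match namespace region '$ns_region'"; return 1; }
}

# private_rule_cmd <aws|gcp> <connection-id> <region> <namespace-region> [gcp-project-id]
# Prints the tcld command for a valid rule (run it through sh or copy it).
private_rule_cmd() {
  validate_private_rule "$@" || return 1
  if [ "$1" = gcp ]; then
    printf 'tcld connectivity-rule create --connectivity-type private --connection-id "%s" --region "%s" --gcp-project-id "%s"\n' "$2" "$3" "$5"
  else
    printf 'tcld connectivity-rule create --connectivity-type private --connection-id "%s" --region "%s"\n' "$2" "$3"
  fi
}

# Usage: sh preflight.sh aws vpce-abcde aws-us-east-1 <namespace-region>
if [ "$#" -ge 4 ]; then
  private_rule_cmd "$@"
fi
```

The namespace-region argument is deliberately required rather than defaulted: the check exists precisely because the rule region and the namespace region come from two different places and are easy to mismatch.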

Terraform

Example in the Terraform repo

Finish client setup

After creating a private connectivity rule, you must either update the configuration of every client (worker) that should use the private connection, or set up private DNS so that existing clients resolve to the private endpoint.

See our AWS or our GCP docs for exactly how to update your environment and/or your client configuration.

Attach connectivity rules to a namespace

Be careful! When any connectivity rules are set on a namespace, that namespace is ONLY accessible via the connections defined in those rules. If you remove the connectivity rule your workers are using, or set a rule list that no longer includes their connection, their traffic will be interrupted.

If workers are already using a namespace over the public internet, add the public rule together with the private rules in a single update so that no worker loses access. Once you have confirmed that every worker is connecting over a private connection, set the rule list again with only the private rules.

Temporal Cloud CLI (tcld)

Setting the connectivity rules on a namespace:

tcld namespace set-connectivity-rules --namespace "my-namespace" --connectivity-rule-ids "rule-id-1" --connectivity-rule-ids "rule-id-2"

Or using aliases:

tcld n scrs -n "my-namespace" --ids "rule-id-1" --ids "rule-id-2"

Remove all connectivity rules (this restores the default: the namespace becomes reachable from the public internet and from every private connection configured to its region):

tcld namespace set-connectivity-rules --namespace "my-namespace" --remove-all
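The two-phase cutover described above (attach public and private rules together, verify the workers, then drop the public rule) as an added shell example; this is not part of tcld or the Temporal docs. It assumes the rule IDs are already known from creating the rules, uses only the set-connectivity-rules flags shown above, reads the tcld binary from a TCLD variable so the commands can be printed instead of executed (TCLD=echo), and takes an operator-supplied VERIFY_CMD, a hypothetical hook such as a script that checks worker logs or metrics, to decide whether the public rule may be removed. It also refuses to set an empty rule list, so that opening the namespace remains the explicit --remove-all call above.

```shell
#!/bin/sh
# Two-phase cutover of a namespace from public to private access.
# Added example, not part of tcld. Set TCLD=echo to print commands instead of running them.
TCLD="${TCLD:-tcld}"

# set_rules <namespace> <rule-id>...
# Sets exactly the given rules on the namespace. Refuses an empty list so a
# scripting mistake cannot silently turn into "no rules" (use --remove-all for that).
set_rules() {
  ns="$1"; shift
  [ "$#" -gt 0 ] || { echo "set_rules: refusing to set zero rules on $ns" >&2; return 1; }
  # Rebuild the positional parameters as repeated --connectivity-rule-ids flags (POSIX sh has no arrays).
  n=$#; i=0
  while [ "$i" -lt "$n" ]; do
    id="$1"; shift
    set -- "$@" --connectivity-rule-ids "$id"
    i=$((i + 1))
  done
  "$TCLD" namespace set-connectivity-rules --namespace "$ns" "$@"
}

# cutover <namespace> <public-rule-id> <private-rule-id>...
# Phase 1: attach the public rule and all private rules, so current workers keep access.
# Phase 2: only if VERIFY_CMD succeeds, set the private rules alone (drops public access).
# Without VERIFY_CMD the script stops after phase 1 and leaves the decision to the operator.
cutover() {
  ns="$1"; public_id="$2"; shift 2
  [ "$#" -gt 0 ] || { echo "cutover: at least one private rule id is required" >&2; return 1; }
  set_rules "$ns" "$public_id" "$@" || return 1
  if [ -z "${VERIFY_CMD:-}" ]; then
    echo "cutover: phase 1 done on $ns; verify workers use the private connection, then set only the private rules" >&2
    return 0
  fi
  # VERIFY_CMD is the operator's own check (hypothetical), e.g. a script that inspects worker logs.
  if ! sh -c "$VERIFY_CMD"; then
    echo "cutover: verification failed; public rule left in place on $ns" >&2
    return 2
  fi
  set_rules "$ns" "$@"
}

# Usage: TCLD=echo VERIFY_CMD='./check-workers.sh' sh cutover.sh my-namespace <public-rule-id> <private-rule-id>...
if [ "$#" -ge 3 ]; then
  cutover "$@"
fi
```

Run it first with TCLD=echo to review the exact set-connectivity-rules calls it will make; the phase 2 call is the one that removes public access, so the verification hook should fail closed (non-zero) whenever it cannot positively confirm that every worker is on a private connection.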

Terraform

Example in the Terraform repo

View the connectivity rules for a namespace

You have two ways to view the connectivity rules attached to a particular namespace.

Get namespace

Connectivity rules are included in the namespace details returned by the namespace get command.

tcld namespace get -n "my-namespace"

List connectivity rules by namespace

To see only the connectivity rules for a specific namespace (without other namespace details), use the connectivity-rule list command with a namespace argument.

tcld connectivity-rule list -n "my-namespace"