From dd584e6d79ab12027085ce37421ac3cdbd5465a7 Mon Sep 17 00:00:00 2001 From: Luke Knepper Date: Tue, 12 May 2026 13:01:02 -0700 Subject: [PATCH 1/2] Correct the list of Regional Endpoints to the right format --- docs/cloud/references/regions/awsregions.md | 28 ++++++++++----------- docs/cloud/references/regions/gcpregions.md | 10 ++++---- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/docs/cloud/references/regions/awsregions.md b/docs/cloud/references/regions/awsregions.md index a1c9f4dc53..34033888e1 100644 --- a/docs/cloud/references/regions/awsregions.md +++ b/docs/cloud/references/regions/awsregions.md @@ -1,7 +1,7 @@ ### Asia Pacific - Tokyo (`ap-northeast-1`) - **Cloud API Code**: `aws-ap-northeast-1` -- **Regional Endpoint**: `aws-ap-northeast-1.region.tmprl.cloud` +- **Regional Endpoint**: `ap-northeast-1.aws.api.temporal.io` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-northeast-1.vpce-svc-08f34c33f9fb8a48a` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -16,7 +16,7 @@ ### Asia Pacific - Seoul (`ap-northeast-2`) - **Cloud API Code**: `aws-ap-northeast-2` -- **Regional Endpoint**: `aws-ap-northeast-2.region.tmprl.cloud` +- **Regional Endpoint**: `ap-northeast-2.aws.api.temporal.io` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-northeast-2.vpce-svc-08c4d5445a5aad308` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -31,7 +31,7 @@ ### Asia Pacific - Mumbai (`ap-south-1`) - **Cloud API Code**: `aws-ap-south-1` -- **Regional Endpoint**: `aws-ap-south-1.region.tmprl.cloud` +- **Regional Endpoint**: `ap-south-1.aws.api.temporal.io` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-south-1.vpce-svc-0ad4f8ed56db15662` - **Same Region Replication**: Not Available - **Multi-Region Replication**: 
@@ -46,7 +46,7 @@ ### Asia Pacific - Hyderabad (`ap-south-2`) - **Cloud API Code**: `aws-ap-south-2` -- **Regional Endpoint**: `aws-ap-south-2.region.tmprl.cloud` +- **Regional Endpoint**: `ap-south-2.aws.api.temporal.io` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-south-2.vpce-svc-08bcf602b646c69c1` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -61,7 +61,7 @@ ### Asia Pacific - Singapore (`ap-southeast-1`) - **Cloud API Code**: `aws-ap-southeast-1` -- **Regional Endpoint**: `aws-ap-southeast-1.region.tmprl.cloud` +- **Regional Endpoint**: `ap-southeast-1.aws.api.temporal.io` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-southeast-1.vpce-svc-05c24096fa89b0ccd` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -76,7 +76,7 @@ ### Asia Pacific - Sydney (`ap-southeast-2`) - **Cloud API Code**: `aws-ap-southeast-2` -- **Regional Endpoint**: `aws-ap-southeast-2.region.tmprl.cloud` +- **Regional Endpoint**: `ap-southeast-2.aws.api.temporal.io` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-southeast-2.vpce-svc-0634f9628e3c15b08` - **Same Region Replication**: Available - **Multi-Region Replication**: @@ -91,7 +91,7 @@ ### Europe - Frankfurt (`eu-central-1`) - **Cloud API Code**: `aws-eu-central-1` -- **Regional Endpoint**: `aws-eu-central-1.region.tmprl.cloud` +- **Regional Endpoint**: `eu-central-1.aws.api.temporal.io` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.eu-central-1.vpce-svc-073a419b36663a0f3` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -103,7 +103,7 @@ ### Europe - Ireland (`eu-west-1`) - **Cloud API Code**: `aws-eu-west-1` -- **Regional Endpoint**: `aws-eu-west-1.region.tmprl.cloud` +- **Regional Endpoint**: `eu-west-1.aws.api.temporal.io` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.eu-west-1.vpce-svc-04388e89f3479b739` - **Same Region Replication**: Not Available - **Multi-Region Replication**: 
@@ -115,7 +115,7 @@ ### Europe - London (`eu-west-2`) - **Cloud API Code**: `aws-eu-west-2` -- **Regional Endpoint**: `aws-eu-west-2.region.tmprl.cloud` +- **Regional Endpoint**: `eu-west-2.aws.api.temporal.io` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.eu-west-2.vpce-svc-0ac7f9f07e7fb5695` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -128,7 +128,7 @@ - **Cloud API Code**: `aws-ca-central-1` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ca-central-1.vpce-svc-080a781925d0b1d9d` -- **Regional Endpoint**: `aws-ca-central-1.region.tmprl.cloud` +- **Regional Endpoint**: `ca-central-1.aws.api.temporal.io` - **Same Region Replication**: Not Available - **Multi-Region Replication**: - `aws-us-east-1` @@ -142,7 +142,7 @@ ### North America - Northern Virginia (`us-east-1`) - **Cloud API Code**: `aws-us-east-1` -- **Regional Endpoint**: `aws-us-east-1.region.tmprl.cloud` +- **Regional Endpoint**: `us-east-1.aws.api.temporal.io` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.us-east-1.vpce-svc-0822256b6575ea37f` - **Same Region Replication**: Available - **Multi-Region Replication**: @@ -157,7 +157,7 @@ ### North America - Ohio (`us-east-2`) - **Cloud API Code**: `aws-us-east-2` -- **Regional Endpoint**: `aws-us-east-2.region.tmprl.cloud` +- **Regional Endpoint**: `us-east-2.aws.api.temporal.io` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.us-east-2.vpce-svc-01b8dccfc6660d9d4` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -172,7 +172,7 @@ ### North America - Oregon (`us-west-2`) - **Cloud API Code**: `aws-us-west-2` -- **Regional Endpoint**: `aws-us-west-2.region.tmprl.cloud` +- **Regional Endpoint**: `us-west-2.aws.api.temporal.io` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.us-west-2.vpce-svc-0f44b3d7302816b94` - **Same Region Replication**: Available - **Multi-Region Replication**: 
@@ -187,7 +187,7 @@ ### South America - São Paulo (`sa-east-1`) - **Cloud API Code**: `aws-sa-east-1` -- **Regional Endpoint**: `aws-sa-east-1.region.tmprl.cloud` +- **Regional Endpoint**: `sa-east-1.aws.api.temporal.io` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.sa-east-1.vpce-svc-0ca67a102f3ce525a` - **Same Region Replication**: Not Available - **Multi-Region Replication**: diff --git a/docs/cloud/references/regions/gcpregions.md b/docs/cloud/references/regions/gcpregions.md index 14e7438635..c3082b28c5 100644 --- a/docs/cloud/references/regions/gcpregions.md +++ b/docs/cloud/references/regions/gcpregions.md @@ -1,7 +1,7 @@ ### North America - Iowa (`us-central1`) - **Cloud API Code**: `gcp-us-central1` -- **Regional Endpoint**: `gcp-us-central1.region.tmprl.cloud` +- **Regional Endpoint**: `us-central1.gcp.api.temporal.io:7233` - **Private Service Connect Service Attachment URI**: `projects/prod-d9ch6v2ybver8d2a8fyf7qru9/regions/us-central1/serviceAttachments/pl-5xzng` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -16,7 +16,7 @@ ### North America - Oregon (`us-west1`) - **Cloud API Code**: `gcp-us-west1` -- **Regional Endpoint**: `gcp-us-west1.region.tmprl.cloud` +- **Regional Endpoint**: `us-west1.gcp.api.temporal.io:7233` - **Private Service Connect Service Attachment URI**: `projects/prod-rbe76zxxzydz4cbdz2xt5b59q/regions/us-west1/serviceAttachments/pl-94w0x` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -31,7 +31,7 @@ ### North America - Northern Virginia (`us-east4`) - **Cloud API Code**: `gcp-us-east4` -- **Regional Endpoint**: `gcp-us-east4.region.tmprl.cloud` +- **Regional Endpoint**: `us-east4.gcp.api.temporal.io:7233` - **Private Service Connect Service Attachment URI**: `projects/prod-y399cvr9c2b43es2w3q3e4gvw/regions/us-east4/serviceAttachments/pl-8awsy` - **Same Region Replication**: Not Available - **Multi-Region Replication**: 
@@ -46,7 +46,7 @@ ### Europe - Frankfurt (`europe-west3`) - **Cloud API Code**: `gcp-europe-west3` -- **Regional Endpoint**: `gcp-europe-west3.region.tmprl.cloud` +- **Regional Endpoint**: `europe-west3.gcp.api.temporal.io:7233` - **Private Service Connect Service Attachment URI**: `projects/prod-kwy7d4faxp6qgrgd9x94du36g/regions/europe-west3/serviceAttachments/pl-acgsh` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -59,7 +59,7 @@ ### Asia Pacific - Mumbai (`asia-south1`) - **Cloud API Code**: `gcp-asia-south1` -- **Regional Endpoint**: `gcp-asia-south1.region.tmprl.cloud` +- **Regional Endpoint**: `asia-south1.gcp.api.temporal.io:7233` - **Private Service Connect Service Attachment URI**: `projects/prod-d5spc2sfeshws33bg33vwdef7/regions/asia-south1/serviceAttachments/pl-7w7tw` - **Same Region Replication**: Not Available - **Multi-Region Replication**: From e2b707a919e112ad569bdbc3059b3fc2eeb61d66 Mon Sep 17 00:00:00 2001 From: Luke Knepper Date: Tue, 12 May 2026 14:25:21 -0700 Subject: [PATCH 2/2] Fixing all instances of old regional endpoint --- docs/cloud/connectivity/aws-connectivity.mdx | 30 ++++++++++++------- docs/cloud/connectivity/gcp-connectivity.mdx | 8 +++-- docs/cloud/connectivity/index.mdx | 2 +- docs/cloud/get-started/namespaces.mdx | 6 ++++ docs/cloud/high-availability/failovers.mdx | 2 +- .../high-availability/ha-connectivity.mdx | 26 ++++++++-------- docs/cloud/references/regions/awsregions.md | 28 ++++++++--------- static/json/privatelink_services_aws.json | 19 ++++++++++++ 8 files changed, 79 insertions(+), 42 deletions(-) create mode 100644 static/json/privatelink_services_aws.json diff --git a/docs/cloud/connectivity/aws-connectivity.mdx b/docs/cloud/connectivity/aws-connectivity.mdx index 380b0c1b03..eb2094dcfe 100644 --- a/docs/cloud/connectivity/aws-connectivity.mdx +++ b/docs/cloud/connectivity/aws-connectivity.mdx 
@@ -33,9 +33,18 @@ After creating the PrivateLink endpoint, configure your clients to use it throug ## Requirements -Your AWS PrivateLink endpoint must be in the same region as your Temporal Cloud namespace. If using [replication for High Availability](/cloud/high-availability), the PL connection must be in the same region as one of the replicas. +* Your AWS PrivateLink endpoint must be in the same region as your Temporal Cloud namespace. If using [replication for High Availability](/cloud/high-availability), the PL connection must be in the same region as one of the replicas. + See [cross-region PrivateLink connectivity](#cross-region-privatelink) to access the Namespace from a different region. +* Your Private DNS must be configured to direct Worker / Client traffic to your VPC Endpoint, as described below. +* If the Worker / Client is not using the Namespace Endpoint, it may need to set the `server_name` config to the Namespace Endpoint string, as described below. -AWS Cross Region endpoints are not supported. +### Cross-region PrivateLink Connectivity {#cross-region-privatelink} + +Temporal Cloud does **not** support [cross-region connectivity for AWS PrivateLink](https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-cross-region-connectivity-for-aws-privatelink/) out of the box. + +You can access your VPC Endpoint in a different region using the [native cross-region routing in AWS](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-access-to-vpc-private-endpoints.html#cross-region-endpoint-access). + +When using High Availability on Temporal Cloud, it's best practice to have two VPC Endpoints, one in each of the Namespace's regions, to ensure at least one VPC Endpoint is accessible during a regional outage. ## Creating an AWS PrivateLink connection 
@@ -58,7 +67,7 @@ Individual Namespaces do not use separate services. ::: - + 7. Confirm your service by clicking on the _Verify service_ button. AWS should respond "Service name verified." @@ -111,7 +120,7 @@ This approach is **optional**; Temporal Cloud works without it. It simply stream | Endpoint type | PHZ domain format | Example | | ------------------ | ---------------------------------- | -------------------------------------- | | Namespace endpoint | `.tmprl.cloud` | `payments.abcde.tmprl.cloud` | -| Regional endpoint | `-.region.tmprl.cloud` | `aws-ap-northeast-2.region.tmprl.cloud` | +| Regional endpoint | `..api.temporal.io` | `ap-northeast-2.aws.api.temporal.io` | ### Step-by-step instructions @@ -188,7 +197,7 @@ The DNS resolver inside your VPC returns the private endpoint, while TLS still v ## Configure private DNS for Namespaces with High Availability -For Namespaces with [High Availability features](/cloud/high-availability), you need to override DNS for `region.tmprl.cloud` so each region resolves to the local VPC Endpoint, and you need to ensure Workers can reach whichever region is active. Failover is transparent to clients only when this is set up correctly. +For Namespaces with [High Availability features](/cloud/high-availability), you need to override DNS for `region.tmprl.io` so each region resolves to the local VPC Endpoint, and you need to ensure Workers can reach whichever region is active. Failover is transparent to clients only when this is set up correctly. The complete guidance — including single-cloud (AWS-only) HA, multi-cloud HA (AWS PrivateLink + GCP Private Service Connect), and a recommended failover-testing plan — lives on a single page: [Connectivity for High Availability](/cloud/high-availability/ha-connectivity). 
@@ -203,12 +212,13 @@ For single-region Namespaces, you can avoid creating DNS records for each Namesp With this approach, new Namespaces do not require new DNS records. -:::warning Not compatible with High Availability Namespaces +:::warning Extra care needed for Namespaces with High Availability + +Direct VPCE targeting bypasses the Temporal-managed DNS CNAME that normally routes a Namespace to its active region, so each Worker is pinned to whichever VPC Endpoint you configure. To keep both regions reachable, you must run Workers in each region and configure them with **different endpoints**: -This approach does not work for Namespaces with High Availability features. -HA Namespaces rely on Temporal's public DNS CNAME records to route traffic to the active region during failover. -If you bypass DNS, your Workers cannot follow the CNAME to the new region. -For HA Namespaces, use [private DNS](#configuring-private-dns-for-aws-privatelink) instead. +- Workers in the primary region: the local VPC Endpoint for that region (e.g., `vpce-...-us-east-1.vpce.amazonaws.com:7233`). +- Workers in the replica region: the local VPC Endpoint for that region (e.g., `vpce-...-us-west-2.vpce.amazonaws.com:7233`). +- All Workers: the same SNI override — the Namespace Endpoint value (e.g., `my-namespace.my-account.tmprl.cloud`). ::: diff --git a/docs/cloud/connectivity/gcp-connectivity.mdx b/docs/cloud/connectivity/gcp-connectivity.mdx index fae379994c..a94b96a2f2 100644 --- a/docs/cloud/connectivity/gcp-connectivity.mdx +++ b/docs/cloud/connectivity/gcp-connectivity.mdx 
@@ -38,7 +38,9 @@ If you use GCP Private Service Connect, you must manually update your workers to ## Requirements -Your GCP Private Service Connect connection must be in the same region as your Temporal Cloud namespace. If using [replication for High Availability](/cloud/high-availability), the PSC connection must be in the same region as one of the replicas. +* Your GCP Private Service Connect endpoint must be in the same region as your Temporal Cloud namespace. If using [replication for High Availability](/cloud/high-availability), the PSC connection must be in the same region as one of the replicas. +* Your Private DNS must be configured to direct Worker / Client traffic to your PSC endpoint, as described below. +* If the Worker / Client is not using the Namespace Endpoint, it may need to set the `server_name` config to the Namespace Endpoint string, as described below. ## Creating a Private Service Connect connection @@ -131,7 +133,7 @@ This approach is **optional**; Temporal Cloud works without it. It simply stream | ------------------------------------------ | ---------------------------------- | ---------------------------------------------- | | Single-region namespace with mTLS auth | `.tmprl.cloud` | `payments.abcde.tmprl.cloud` ↔ `X.X.X.X` | | Single-region namespace with API-key auth | `.api.temporal.io` | `us-central1.gcp.api.temporal.io` ↔ `X.X.X.X` | -| Multi-region namespace | `region.tmprl.cloud` | `gcp-us-central1.region.tmprl.cloud` ↔ `X.X.X.X` | +| Multi-region namespace | `.api.temporal.io` | `us-central1.gcp.api.temporal.io` ↔ `X.X.X.X` | ### Step-by-step instructions 
@@ -152,7 +154,7 @@ Save the internal IP -- you will point the A record at it. 1. Open _Network Services → Cloud DNS → Create zone_. 2. Select zone type **Private**. 3. Enter a **Zone name** (e.g., `temporal-cloud`). -4. Enter a **DNS name** based on the table above (e.g., `payments.abcde.tmprl.cloud` or `aws-us-east-1.region.tmprl.cloud`). +4. Enter a **DNS name** based on the table above (e.g., `payments.abcde.tmprl.cloud` or `us-east-1.aws.api.temporal.io`). 5. Select **Add networks** and choose the Project and Network that contains your PSC endpoint. 6. Click **Create**. diff --git a/docs/cloud/connectivity/index.mdx b/docs/cloud/connectivity/index.mdx index df17e245c8..4694a91063 100644 --- a/docs/cloud/connectivity/index.mdx +++ b/docs/cloud/connectivity/index.mdx @@ -223,7 +223,7 @@ The TLS server name override depends on your authentication method: | -------------- | ---------------------- | | mTLS (single-region Namespace) | The Namespace Endpoint, e.g. `my-namespace.my-account.tmprl.cloud` | | API key (single-region Namespace) | The regional API endpoint, e.g. `us-east-1.aws.api.temporal.io` or `us-central1.gcp.api.temporal.io` | -| Multi-region Namespace (mTLS or API key) | The active region endpoint, e.g. `aws-us-east-1.region.tmprl.cloud` | +| Multi-region Namespace (mTLS or API key) | The active region endpoint, e.g. `us-east-1.aws.api.temporal.io` | If you authenticate with an API key over PrivateLink/PSC and use the wrong server name, the TLS handshake will fail with errors such as `connection reset by peer` even though `nc` reports the port as open. diff --git a/docs/cloud/get-started/namespaces.mdx b/docs/cloud/get-started/namespaces.mdx index 80760b50a0..6d664f2f7b 100644 --- a/docs/cloud/get-started/namespaces.mdx +++ b/docs/cloud/get-started/namespaces.mdx 
@@ -337,6 +337,12 @@ There are two types of gRPC endpoints for accessing a Namespace in Temporal Clou - A Temporal Client can use a regional endpoint to ensure connection to a Namespace always happens within that region. This can be useful in advanced [High Availability](/cloud/high-availability) setups where you want explicit control over which region handles requests. - When using mTLS to authenticate, the Temporal Client must set the `server_name` property to `` in its request to the value of the Namespace endpoint. This tells the client to expect a different SNI header during the TLS handshake, since the request to the regional endpoint is redirected to the specific Namespace. +:::note Update outdated regional endpoints + +The older regional endpoint format ending in `region.tmprl.cloud` (for example, `aws-us-east-1.region.tmprl.cloud`) is outdated. Update any Clients, Workers, and private DNS records to the current format ending in `api.temporal.io` (for example, `us-east-1.aws.api.temporal.io:7233`) to ensure uninterrupted access to your Temporal Cloud Namespaces. + +::: + ### Configuring a Temporal Client with API keys or mTLS To use API keys to connect with the [Temporal CLI](/cli), [Client SDK](/develop), [tcld](/cloud/tcld), diff --git a/docs/cloud/high-availability/failovers.mdx b/docs/cloud/high-availability/failovers.mdx index 5362f33348..8e1689611e 100644 --- a/docs/cloud/high-availability/failovers.mdx +++ b/docs/cloud/high-availability/failovers.mdx @@ -62,7 +62,7 @@ In most scenarios, we recommend you let Temporal handle failovers for you. After failover, be aware of the following points: - When working with Multi-region Namespaces, your CNAME may change. - For example, it may switch from aws-us-west-1.region.tmprl.cloud to aws-us-east-1.region.tmprl.cloud. + For example, it may switch from us-west-1.aws.api.temporal.io to us-east-1.aws.api.temporal.io. This change doesn't affect same-region Namespaces. - Your Namespace endpoint _will not change_. 
diff --git a/docs/cloud/high-availability/ha-connectivity.mdx b/docs/cloud/high-availability/ha-connectivity.mdx index 3d12931827..4bb3e5659b 100644 --- a/docs/cloud/high-availability/ha-connectivity.mdx +++ b/docs/cloud/high-availability/ha-connectivity.mdx @@ -25,7 +25,7 @@ A Namespace with High Availability features has two replicas — a primary and a Temporal Cloud expresses the active replica through DNS: - The Namespace DNS record (`..tmprl.cloud`) is a CNAME. -- It points to the active region's regional record (`-.region.tmprl.cloud`). +- It points to the active region's regional record (`..api.temporal.io`). - On failover, Temporal Cloud rewrites the CNAME target. Namespace DNS records have a 15-second TTL. Clients should converge to the new region within roughly 30 seconds (about twice the TTL) once their resolver cache expires. 
@@ -40,19 +40,19 @@ For private connectivity, your job is to make sure that: This is the most common setup: both replicas live in AWS regions, and Workers connect via AWS PrivateLink. When using PrivateLink, you connect to Temporal Cloud through a VPC Endpoint, which uses addresses local to your network. -Temporal treats each `region.tmprl.cloud` zone as a separate zone, so you override resolution per region. +Temporal treats each `aws.api.temporal.io` zone as a separate zone, so you override resolution per region. Before failover, with the active region being `aws-us-west-2`: | Record name | Record type | Value | | ----------------------------------- | ----------- | -------------------------------- | -| ha-namespace.account-id.tmprl.cloud | CNAME | aws-us-west-2.region.tmprl.cloud | +| ha-namespace.account-id.tmprl.cloud | CNAME | us-west-2.aws.api.temporal.io | After a failover to `aws-us-east-1`, Temporal Cloud rewrites the CNAME: | Record name | Record type | Value | | ----------------------------------- | ----------- | -------------------------------- | -| ha-namespace.account-id.tmprl.cloud | CNAME | aws-us-east-1.region.tmprl.cloud | +| ha-namespace.account-id.tmprl.cloud | CNAME | us-east-1.aws.api.temporal.io | The Temporal-managed CNAME changed from us-west-2 to us-east-1 — your private DNS does not need to change. 
@@ -64,16 +64,16 @@ The Temporal-managed CNAME changed from us-west-2 to us-east-1 — your private ### Setting up the DNS override (AWS) -In AWS, use a Route 53 private hosted zone for `region.tmprl.cloud` to override resolution per region: +In AWS, use a Route 53 private hosted zone for `aws.api.temporal.io` to override resolution per region: | Record name | Record type | Value (your VPC Endpoint DNS) | | ------------------------------------ | ----------- | ------------------------------------------------------------ | -| `aws-us-west-2.region.tmprl.cloud` | CNAME | `vpce-...-us-west-2.vpce.amazonaws.com` | -| `aws-us-east-1.region.tmprl.cloud` | CNAME | `vpce-...-us-east-1.vpce.amazonaws.com` | +| `us-west-2.aws.api.temporal.io` | CNAME | `vpce-...-us-west-2.vpce.amazonaws.com` | +| `us-east-1.aws.api.temporal.io` | CNAME | `vpce-...-us-east-1.vpce.amazonaws.com` | Link the private zone to every VPC where Workers run. -When your Workers connect to the Namespace, they first resolve `..tmprl.cloud`, which CNAMEs to `.region.tmprl.cloud`, which then resolves to your local VPC Endpoint. +When your Workers connect to the Namespace, they first resolve `..tmprl.cloud`, which CNAMEs to `.aws.api.temporal.io`, which then resolves to your local VPC Endpoint. You also need to decide how Workers reach whichever region becomes active. Either: 
@@ -82,12 +82,12 @@ You also need to decide how Workers reach whichever region becomes active. Eithe ## Single-cloud HA on GCP Private Service Connect -For GCP-only HA, the same model applies, but use a Cloud DNS private zone for `region.tmprl.cloud` and point each `gcp-.region.tmprl.cloud` record at the local PSC endpoint IP address. +For GCP-only HA, the same model applies, but use a Cloud DNS private zone for `gcp.api.temporal.io` and point each `.gcp.api.temporal.io` record at the local PSC endpoint IP address. | Record name | Record type | Value (your PSC endpoint IP) | | ---------------------------------------- | ----------- | ----------------------------------- | -| `gcp-us-central1.region.tmprl.cloud` | A | `10.x.x.x` (PSC endpoint IP) | -| `gcp-us-east1.region.tmprl.cloud` | A | `10.x.x.x` (PSC endpoint IP) | +| `us-central1.gcp.api.temporal.io` | A | `10.x.x.x` (PSC endpoint IP) | +| `us-east1.gcp.api.temporal.io` | A | `10.x.x.x` (PSC endpoint IP) | A Connectivity Rule is required for each PSC connection — see [GCP PSC setup](/cloud/connectivity/gcp-connectivity) and [Connectivity Rules](/cloud/connectivity#connectivity-rules). 
@@ -97,7 +97,7 @@ If your replicas span clouds — for example, AWS `us-east-1` (active) and GCP ` Plan for these three things: -1. **DNS overrides for both clouds.** Your private DNS for `region.tmprl.cloud` needs entries for both the AWS region (CNAME → AWS VPCE) and the GCP region (A → PSC IP). This typically means a Route 53 private hosted zone in your AWS Worker VPCs *and* a Cloud DNS private zone in your GCP Worker network — both for the same `region.tmprl.cloud` parent — each with the records relevant to the cloud the Workers run in. +1. **DNS overrides for both clouds.** Your private DNS needs entries for both the AWS region (CNAME → AWS VPCE under `aws.api.temporal.io`) and the GCP region (A → PSC IP under `gcp.api.temporal.io`). This typically means a Route 53 private hosted zone for `aws.api.temporal.io` in your AWS Worker VPCs *and* a Cloud DNS private zone for `gcp.api.temporal.io` in your GCP Worker network — each with the records relevant to the cloud the Workers run in. 2. **Worker reachability across clouds.** Your AWS-resident Workers must be able to reach the GCP PSC endpoint when GCP is active, and vice versa. Options include: - Run Workers in both clouds (preferred — simplest, lowest latency, matches the failover model). - Establish cross-cloud connectivity (e.g., AWS Transit Gateway + GCP Cloud Interconnect, or a third-party transit) so Workers in one cloud can resolve and reach the other cloud's private endpoint. 
@@ -149,6 +149,6 @@ The following tables list the available Temporal regions and the DNS record over -When using a Namespace with High Availability features, the Namespace's DNS record `..tmprl.cloud` points to a regional DNS record in the format `-.region.tmprl.cloud`, where `-` is the currently active region for your Namespace. +When using a Namespace with High Availability features, the Namespace's DNS record `..tmprl.cloud` points to a regional DNS record in the format `..api.temporal.io`, where `` and `` correspond to the currently active region for your Namespace. During failover, Temporal Cloud changes the target of the Namespace DNS record from one region to another. Namespace DNS records are configured with a 15-second TTL. Any DNS cache should re-resolve the record within this time. As a rule of thumb, receiving an updated DNS record takes about twice (2x) the TTL — clients should converge to the newly targeted region within, at most, a 30-second delay, assuming their resolver and language runtime honor the TTL. diff --git a/docs/cloud/references/regions/awsregions.md b/docs/cloud/references/regions/awsregions.md index 34033888e1..20c1cd3f33 100644 --- a/docs/cloud/references/regions/awsregions.md +++ b/docs/cloud/references/regions/awsregions.md @@ -1,7 +1,7 @@ ### Asia Pacific - Tokyo (`ap-northeast-1`) - **Cloud API Code**: `aws-ap-northeast-1` -- **Regional Endpoint**: `ap-northeast-1.aws.api.temporal.io` +- **Regional Endpoint**: `ap-northeast-1.aws.api.temporal.io:7233` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-northeast-1.vpce-svc-08f34c33f9fb8a48a` - **Same Region Replication**: Not Available - **Multi-Region Replication**: 
@@ -16,7 +16,7 @@ ### Asia Pacific - Seoul (`ap-northeast-2`) - **Cloud API Code**: `aws-ap-northeast-2` -- **Regional Endpoint**: `ap-northeast-2.aws.api.temporal.io` +- **Regional Endpoint**: `ap-northeast-2.aws.api.temporal.io:7233` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-northeast-2.vpce-svc-08c4d5445a5aad308` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -31,7 +31,7 @@ ### Asia Pacific - Mumbai (`ap-south-1`) - **Cloud API Code**: `aws-ap-south-1` -- **Regional Endpoint**: `ap-south-1.aws.api.temporal.io` +- **Regional Endpoint**: `ap-south-1.aws.api.temporal.io:7233` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-south-1.vpce-svc-0ad4f8ed56db15662` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -46,7 +46,7 @@ ### Asia Pacific - Hyderabad (`ap-south-2`) - **Cloud API Code**: `aws-ap-south-2` -- **Regional Endpoint**: `ap-south-2.aws.api.temporal.io` +- **Regional Endpoint**: `ap-south-2.aws.api.temporal.io:7233` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-south-2.vpce-svc-08bcf602b646c69c1` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -61,7 +61,7 @@ ### Asia Pacific - Singapore (`ap-southeast-1`) - **Cloud API Code**: `aws-ap-southeast-1` -- **Regional Endpoint**: `ap-southeast-1.aws.api.temporal.io` +- **Regional Endpoint**: `ap-southeast-1.aws.api.temporal.io:7233` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-southeast-1.vpce-svc-05c24096fa89b0ccd` - **Same Region Replication**: Not Available - **Multi-Region Replication**: 
@@ -76,7 +76,7 @@ ### Asia Pacific - Sydney (`ap-southeast-2`) - **Cloud API Code**: `aws-ap-southeast-2` -- **Regional Endpoint**: `ap-southeast-2.aws.api.temporal.io` +- **Regional Endpoint**: `ap-southeast-2.aws.api.temporal.io:7233` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-southeast-2.vpce-svc-0634f9628e3c15b08` - **Same Region Replication**: Available - **Multi-Region Replication**: @@ -91,7 +91,7 @@ ### Europe - Frankfurt (`eu-central-1`) - **Cloud API Code**: `aws-eu-central-1` -- **Regional Endpoint**: `eu-central-1.aws.api.temporal.io` +- **Regional Endpoint**: `eu-central-1.aws.api.temporal.io:7233` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.eu-central-1.vpce-svc-073a419b36663a0f3` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -103,7 +103,7 @@ ### Europe - Ireland (`eu-west-1`) - **Cloud API Code**: `aws-eu-west-1` -- **Regional Endpoint**: `eu-west-1.aws.api.temporal.io` +- **Regional Endpoint**: `eu-west-1.aws.api.temporal.io:7233` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.eu-west-1.vpce-svc-04388e89f3479b739` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -115,7 +115,7 @@ ### Europe - London (`eu-west-2`) - **Cloud API Code**: `aws-eu-west-2` -- **Regional Endpoint**: `eu-west-2.aws.api.temporal.io` +- **Regional Endpoint**: `eu-west-2.aws.api.temporal.io:7233` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.eu-west-2.vpce-svc-0ac7f9f07e7fb5695` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -128,7 +128,7 @@ - **Cloud API Code**: `aws-ca-central-1` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ca-central-1.vpce-svc-080a781925d0b1d9d` -- **Regional Endpoint**: `ca-central-1.aws.api.temporal.io` +- **Regional Endpoint**: `ca-central-1.aws.api.temporal.io:7233` - **Same Region Replication**: Not Available - **Multi-Region Replication**: - `aws-us-east-1` 
@@ -142,7 +142,7 @@ ### North America - Northern Virginia (`us-east-1`) - **Cloud API Code**: `aws-us-east-1` -- **Regional Endpoint**: `us-east-1.aws.api.temporal.io` +- **Regional Endpoint**: `us-east-1.aws.api.temporal.io:7233` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.us-east-1.vpce-svc-0822256b6575ea37f` - **Same Region Replication**: Available - **Multi-Region Replication**: @@ -157,7 +157,7 @@ ### North America - Ohio (`us-east-2`) - **Cloud API Code**: `aws-us-east-2` -- **Regional Endpoint**: `us-east-2.aws.api.temporal.io` +- **Regional Endpoint**: `us-east-2.aws.api.temporal.io:7233` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.us-east-2.vpce-svc-01b8dccfc6660d9d4` - **Same Region Replication**: Not Available - **Multi-Region Replication**: @@ -172,7 +172,7 @@ ### North America - Oregon (`us-west-2`) - **Cloud API Code**: `aws-us-west-2` -- **Regional Endpoint**: `us-west-2.aws.api.temporal.io` +- **Regional Endpoint**: `us-west-2.aws.api.temporal.io:7233` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.us-west-2.vpce-svc-0f44b3d7302816b94` - **Same Region Replication**: Available - **Multi-Region Replication**: @@ -187,7 +187,7 @@ ### South America - São Paulo (`sa-east-1`) - **Cloud API Code**: `aws-sa-east-1` -- **Regional Endpoint**: `sa-east-1.aws.api.temporal.io` +- **Regional Endpoint**: `sa-east-1.aws.api.temporal.io:7233` - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.sa-east-1.vpce-svc-0ca67a102f3ce525a` - **Same Region Replication**: Not Available - **Multi-Region Replication**: diff --git a/static/json/privatelink_services_aws.json b/static/json/privatelink_services_aws.json new file mode 100644 index 0000000000..6910ad0e1b --- /dev/null +++ b/static/json/privatelink_services_aws.json 
@@ -0,0 +1,19 @@ +{ + "columns":["Region","PrivateLink Service Name","DNS Record Override"], + "rows":[ + ["ap-northeast-1","com.amazonaws.vpce.ap-northeast-1.vpce-svc-08f34c33f9fb8a48a"], + ["ap-northeast-2","com.amazonaws.vpce.ap-northeast-2.vpce-svc-08c4d5445a5aad308"], + ["ap-south-1","com.amazonaws.vpce.ap-south-1.vpce-svc-0ad4f8ed56db15662"], + ["ap-south-2","com.amazonaws.vpce.ap-south-2.vpce-svc-08bcf602b646c69c1"], + ["ap-southeast-1","com.amazonaws.vpce.ap-southeast-1.vpce-svc-05c24096fa89b0ccd"], + ["ap-southeast-2","com.amazonaws.vpce.ap-southeast-2.vpce-svc-0634f9628e3c15b08"], + ["ca-central-1","com.amazonaws.vpce.ca-central-1.vpce-svc-080a781925d0b1d9d"], + ["eu-central-1","com.amazonaws.vpce.eu-central-1.vpce-svc-073a419b36663a0f3"], + ["eu-west-1","com.amazonaws.vpce.eu-west-1.vpce-svc-04388e89f3479b739"], + ["eu-west-2","com.amazonaws.vpce.eu-west-2.vpce-svc-0ac7f9f07e7fb5695"], + ["sa-east-1","com.amazonaws.vpce.sa-east-1.vpce-svc-0ca67a102f3ce525a"], + [ "us-east-1","com.amazonaws.vpce.us-east-1.vpce-svc-0822256b6575ea37f"], + [ "us-east-2","com.amazonaws.vpce.us-east-2.vpce-svc-01b8dccfc6660d9d4"], + ["us-west-2","com.amazonaws.vpce.us-west-2.vpce-svc-0f44b3d7302816b94"] + ] +} \ No newline at end of file
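Review bot: The `columns` header declares three columns (`Region`, `PrivateLink Service Name`, `DNS Record Override`) but every entry in `rows` carries only two values, so anything that renders this table will show an empty or misaligned third column. Either drop `"DNS Record Override"` from `columns` or add the override record to each row; the ha-connectivity page in this same series uses `<region>.aws.api.temporal.io` as the record name, so that is presumably the intended value, but confirm before populating it, since a wrong override name would leave Workers resolving the public endpoint instead of the VPC Endpoint. The `us-east-1` and `us-east-2` rows also have a stray leading space inside the array and the file lacks a trailing newline — harmless to parsers, but worth normalising for consistency with the other rows.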