# Tutorial: Connect to Amazon Keyspaces using an interface VPC endpoint
This tutorial walks you through setting up and using an interface VPC endpoint for Amazon Keyspaces.
*Interface VPC endpoints* enable private communication between your virtual private cloud (VPC) running in Amazon VPC and Amazon Keyspaces. Interface VPC endpoints are powered by AWS PrivateLink, which is an AWS service that enables private communication between VPCs and AWS services. For more information, see [Using Amazon Keyspaces with interface VPC endpoints](vpc-endpoints.md).
**Topics**
+ [Tutorial prerequisites and considerations](vpc-endpoints-tutorial.before-you-begin.md)
+ [Step 1: Launch an Amazon EC2 instance](vpc-endpoints-tutorial.launch-ec2-instance.md)
+ [Step 2: Configure your Amazon EC2 instance](vpc-endpoints-tutorial.configure-ec2-instance.md)
+ [Step 3: Create a VPC endpoint for Amazon Keyspaces](vpc-endpoints-tutorial.create-endpoint.md)
+ [Step 4: Configure permissions for the VPC endpoint connection](vpc-endpoints-tutorial.permissions.md)
+ [Step 5: Configure monitoring with CloudWatch](vpc-endpoints-tutorial.monitoring.md)
+ [Step 6: (Optional) Best practices to configure the connection pool size for your application](vpc-endpoints-tutorial.connections.md)
+ [Step 7: (Optional) Clean up](vpc-endpoints-tutorial.clean-up.md)
# Tutorial prerequisites and considerations
Before you start this tutorial, follow the AWS setup instructions in [Accessing Amazon Keyspaces (for Apache Cassandra)](accessing.md). These steps include signing up for AWS and creating an AWS Identity and Access Management (IAM) principal with access to Amazon Keyspaces. Take note of the name of the IAM user and the access keys because you'll need them later in this tutorial.
Create a keyspace with the name `myKeyspace`and at least one table to test the connection using the VPC endpoint later in this tutorial. You can find detailed instructions in [Getting started with Amazon Keyspaces (for Apache Cassandra)](getting-started.md).
After completing the prerequisite steps, proceed to [Step 1: Launch an Amazon EC2 instance](vpc-endpoints-tutorial.launch-ec2-instance.md).
# Step 1: Launch an Amazon EC2 instance
In this step, you launch an Amazon EC2 instance in your default Amazon VPC. You can then create and use a VPC endpoint for Amazon Keyspaces.
**To launch an Amazon EC2 instance**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. Choose **Launch Instance** and do the following:
From the EC2 console dashboard, in the **Launch instance** box, choose **Launch instance**, and then choose **Launch instance** from the options that appear.
Under **Name and tags**, for **Name**, enter a descriptive name for your instance.
Under **Application and OS Images (Amazon Machine Image)**:
+ Choose **Quick Start**, and then choose Ubuntu. This is the operating system (OS) for your instance.
+ Under **Amazon Machine Image (AMI)**, you can use the default image that is marked as **Free tier eligible**. An *Amazon Machine Image (AMI)* is a basic configuration that serves as a template for your instance.
Under **Instance Type**:
+ From the **Instance type** list, choose the **t2.micro** instance type, which is selected by default.
Under **Key pair (login)**, for **Key pair name**, choose one of the following options for this tutorial:
+ If you don't have an Amazon EC2 key pair, choose **Create a new key pair** and follow the instructions. You will be asked to download a private key file (*.pem* file). You will need this file later when you log in to your Amazon EC2 instance, so take note of the file path.
+ If you already have an existing Amazon EC2 key pair, go to **Select a key pair** and choose your key pair from the list. You must already have the private key file ( *.pem* file) available in order to log in to your Amazon EC2 instance.
Under **Network Settings**:
+ Choose **Edit**.
+ Choose **Select an existing security group**.
+ In the list of security groups, choose **default**. This is the default security group for your VPC.
Continue to **Summary**.
+ Review a summary of your instance configuration in the **Summary** panel. When you're ready, choose **Launch instance**.
1. On the completion screen for the new Amazon EC2 instance, choose the **Connect to instance** tile. The next screen shows the necessary information and the required steps to connect to your new instance. Take note of the following information:
+ The sample command to protect the key file
+ The connection string
+ The **Public IPv4 DNS** name
After taking note of the information on this page, you can continue to the next step in this tutorial ([Step 2: Configure your Amazon EC2 instance](vpc-endpoints-tutorial.configure-ec2-instance.md)).
**Note**
It takes a few minutes for your Amazon EC2 instance to become available. Before you go on to the next step, ensure that the **Instance State** is `running` and that all of its **Status Checks** have passed.
# Step 2: Configure your Amazon EC2 instance
When your Amazon EC2 instance is available, you can log into it and prepare it for first use.
**Note**
The following steps assume that you're connecting to your Amazon EC2 instance from a computer running Linux. For other ways to connect, see [Connect to your Linux instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html) in the *Amazon EC2 User Guide*.
**To configure your Amazon EC2 instance**
1. You need to authorize inbound SSH traffic to your Amazon EC2 instance. To do this, create a new EC2 security group, and then assign the security group to your EC2 instance.
1. In the navigation pane, choose **Security Groups**.
1. Choose **Create Security Group**. In the **Create Security Group** window, do the following:
+ **Security group name** – Enter a name for your security group. For example: `my-ssh-access`
+ **Description** – Enter a short description for the security group.
+ **VPC** – Choose your default VPC.
+ In the **Inbound rules** section, choose **Add Rule** and do the following:
+ **Type** – Choose **SSH**.
+ **Source** – Choose **My IP**.
+ Choose **Add rule**.
On the bottom of the page, confirm the configuration settings and choose **Create Security Group**.
1. In the navigation pane, choose **Instances**.
1. Choose the Amazon EC2 instance that you launched in [Step 1: Launch an Amazon EC2 instance](vpc-endpoints-tutorial.launch-ec2-instance.md).
1. Choose **Actions**, choose **Security**, and then choose **Change Security Groups**.
1. In **Change Security Groups**, go to **Associated security groups** and enter the security group that you created earlier in this procedure (for example, `my-ssh-access`). The existing `default` security group should also be selected. Confirm the configuration settings and choose **Save**.
1. Use the following command to protect your private key file from access. If you skip this step, the connection fails.
```
chmod 400 path_to_file/my-keypair.pem
```
1. Use the `ssh` command to log in to your Amazon EC2 instance, as in the following example.
```
ssh -i path_to_file/my-keypair.pem ubuntu@public-dns-name
```
You need to specify your private key file (*.pem* file) and the public DNS name of your instance. (See [Step 1: Launch an Amazon EC2 instance](vpc-endpoints-tutorial.launch-ec2-instance.md)).
The login ID is `ubuntu`. No password is required.
For more information about allowing connections to your Amazon EC2 instance and for AWS CLI instructions, see [Authorize inbound traffic for your Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html) in the *Amazon EC2 User Guide*.
1. Download and install the latest version of the AWS Command Line Interface.
1. Install `unzip`.
```
sudo apt install unzip
```
1. Download the `zip` file with the AWS CLI.
```
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
```
1. Unzip the file.
```
unzip awscliv2.zip
```
1. Install the AWS CLI.
```
sudo ./aws/install
```
1. Confirm the version of the AWS CLI installation.
```
aws --version
```
The output should look like this:
```
aws-cli/2.9.19 Python/3.9.11 Linux/5.15.0-1028-aws exe/x86_64.ubuntu.22 prompt/off
```
1. Configure your AWS credentials, as shown in the following example. Enter your AWS access key ID, secret key, and default Region name when prompted.
```
aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-east-1
Default output format [None]:
```
1. Add rules to your VPCs security group that allow inbound HTTP, HTTPS, and SSH access from IPv6 addresses.
1. To confirm that your VPC endpoint has been configured correctly, you have to use a `cqlsh` connection to Amazon Keyspaces. If you use your local environment or the Amazon Keyspaces CQL editor in the AWS Management Console, the connection automatically goes through the public endpoint instead of your VPC endpoint. To use `cqlsh` to test your VPC endpoint connection in this tutorial, complete the setup instructions in [Using `cqlsh` to connect to Amazon Keyspaces](programmatic.cqlsh.md).
You are now ready to create a dual-stack VPC endpoint for Amazon Keyspaces.
# Step 3: Create a VPC endpoint for Amazon Keyspaces
In this step, you create a dual-stack VPC endpoint for Amazon Keyspaces using the AWS CLI. To create the VPC endpoint using the VPC console, you can follow the [ Create a VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint) instructions in the *AWS PrivateLink Guide*. When filtering for the ** Service name**, enter **Cassandra**.
**To create a VPC endpoint using the AWS CLI**
1. Before you begin, verify that you can communicate with Amazon Keyspaces using its public endpoint.
```
aws keyspaces list-tables --keyspace-name 'myKeyspace'
```
The output shows a list of Amazon Keyspaces tables that are contained in the specified keyspace. If you don't have any tables, the list is empty.
```
{
"tables": [
{
"keyspaceName": "myKeyspace",
"tableName": "myTable1",
"resourceArn": "arn:aws:cassandra:us-east-1:111122223333:/keyspace/catalog/table/myTable1"
},
{
"keyspaceName": "myKeyspace",
"tableName": "myTable2",
"resourceArn": "arn:aws:cassandra:us-east-1:111122223333:/keyspace/catalog/table/myTable2"
}
]
}
```
1. Verify that Amazon Keyspaces is an available service for creating VPC endpoints in the current AWS Region. (The command is shown in bold text, followed by example output.)
```
aws ec2 describe-vpc-endpoint-services
{
"ServiceNames": [
"com.amazonaws.us-east-1.cassandra",
"com.amazonaws.us-east-1.cassandra-fips"
"api.aws.us-east-1.cassandra-streams"
]
}
```
If Amazon Keyspaces is one of the available services in the output of the command, you can proceed with creating a VPC endpoint.
1. To connect to Amazon Keyspaces using IPv6 enabled dual-stack endpoints, confirm that your VPC supports IPv6 and configure subnets with IPv6 support. To add IPv6 support to an existing VPC that currently only supports IPv4, see [ IPv6 support for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/) in the *Amazon VPC User Guide;*.
1. Determine your VPC identifier.
```
aws ec2 describe-vpcs
{
"Vpcs": [
{
"OwnerId": "111122223333",
"InstanceTenancy": "default",
"Ipv6CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-0000aaa0a00a00aa0",
"Ipv6CidrBlock": "2600:1f18:e19:7d00::/56",
"Ipv6CidrBlockState": {
"State": "associated"
},
"NetworkBorderGroup": "us-east-1",
"Ipv6Pool": "Amazon",
"Ipv6AddressAttribute": "public",
"IpSource": "amazon"
}
],
"CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-00a0000a",
"CidrBlock": "111.11.0.0/16",
"CidrBlockState": {
"State": "associated"
}
}
],
"IsDefault": true,
"BlockPublicAccessStates": {
"InternetGatewayBlockMode": "off"
},
"VpcId": "vpc-a1234bcd",
"State": "available",
"CidrBlock": "111.11.0.0/16",
"DhcpOptionsId": "dopt-a00aaaaa"
}
]
}
```
In the example output, the VPC ID is `vpc-a1234bcd`.
1. Use a filter to gather details about the subnets of the VPC.
```
aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-a1234bcd"
{
"Subnets": [
{
"AvailabilityZoneId": "use1-az1",
"MapCustomerOwnedIpOnLaunch": false,
"OwnerId": "111122223333",
"AssignIpv6AddressOnCreation": false,
"Ipv6CidrBlockAssociationSet": [
{
"AssociationId": "subnet-cidr-assoc-05d75732736740283",
"Ipv6CidrBlock": "***********************",
"Ipv6CidrBlockState": {
"State": "associated"
},
"Ipv6AddressAttribute": "public",
"IpSource": "amazon"
}
],
"SubnetArn": "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-70b24b16",
"EnableDns64": false,
"Ipv6Native": false,
"PrivateDnsNameOptionsOnLaunch": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
},
"BlockPublicAccessStates": {
"InternetGatewayBlockMode": "off"
},
"SubnetId": "subnet-70b24b16",
"State": "available",
"VpcId": "vpc-a1234bcd",
"CidrBlock": "**********/20",
"AvailableIpAddressCount": 4089,
"AvailabilityZone": "us-east-1a",
"DefaultForAz": true,
"MapPublicIpOnLaunch": true
},
{
"AvailabilityZoneId": "use1-az2",
"MapCustomerOwnedIpOnLaunch": false,
"OwnerId": "111122223333",
"AssignIpv6AddressOnCreation": false,
"Ipv6CidrBlockAssociationSet": [
{
"AssociationId": "subnet-cidr-assoc-0ec6fb253e05b17eb",
"Ipv6CidrBlock": "***********************",
"Ipv6CidrBlockState": {
"State": "associated"
},
"Ipv6AddressAttribute": "public",
"IpSource": "amazon"
}
],
"SubnetArn": "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-c63ffbe7",
"EnableDns64": false,
"Ipv6Native": false,
"PrivateDnsNameOptionsOnLaunch": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
},
"BlockPublicAccessStates": {
"InternetGatewayBlockMode": "off"
},
"SubnetId": "subnet-c63ffbe7",
"State": "available",
"VpcId": "vpc-a1234bcd",
"CidrBlock": "***********/20",
"AvailableIpAddressCount": 4087,
"AvailabilityZone": "us-east-1b",
"DefaultForAz": true,
"MapPublicIpOnLaunch": true
}
]
}
```
In the example output, there are two available subnet IDs: `subnet-70b24b16` and `subnet-c63ffbe7`.
1. Create the VPC endpoint. For the `--vpc-id` parameter, specify the VPC ID from the previous step. For the `--subnet-ids` parameter, specify the subnet IDs from the previous step. Use the `--vpc-endpoint-type` parameter to define the endpoint as an interface. To create a dual-stack endpoint, use `--ip-address-type dualstack`. For more information about the command, see [https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-endpoint.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-endpoint.html) in the *AWS CLI Command Reference*.
```
aws ec2 create-vpc-endpoint \
--vpc-endpoint-type Interface \
--vpc-id vpc-a1234bcd \
--ip-address-type dualstack \
--service-name com.amazonaws.us-east-1.cassandra \
--subnet-ids subnet-70b24b16 subnet-c63ffbe7
{
"VpcEndpoint": {
"VpcEndpointId": "vpce-000000abc111d2ef3",
"VpcEndpointType": "Interface",
"VpcId": "vpc-a1234bcd",
"ServiceName": "com.amazonaws.us-east-1.cassandra",
"State": "pending",
"RouteTableIds": [],
"SubnetIds": [
"subnet-70b24b16",
"subnet-c63ffbe7"
],
"Groups": [
{
"GroupId": "sg-0123456789",
"GroupName": "default"
}
],
"IpAddressType": "dualstack",
"DnsOptions": {
"DnsRecordIpType": "dualstack"
},
"PrivateDnsEnabled": true,
"RequesterManaged": false,
"NetworkInterfaceIds": [
"eni-08cd525f72ea6f1fa",
"eni-07b1f6c895169d8fb"
],
"DnsEntries": [
{
"DnsName": "vpce-0000000000-1234567.cassandra.us-east-1.vpce.amazonaws.com",
"HostedZoneId": "Z7HUB22UULQXV"
},
{
"DnsName": "vpce-0000000000-1234567-us-east-1a.cassandra.us-east-1.vpce.amazonaws.com",
"HostedZoneId": "Z7HUB22UULQXV"
},
{
"DnsName": "cassandra.us-east-1.amazonaws.com",
"HostedZoneId": "ZONEIDPENDING"
},
{
"DnsName": "cassandra.us-east-1.api.aws",
"HostedZoneId": "ZONEIDPENDING"
}
],
"CreationTimestamp": "2025-09-19T15:19:19.266000+00:00",
"OwnerId": "111122223333",
"ServiceRegion": "us-east-1"
}
}
```
# Step 4: Configure permissions for the VPC endpoint connection
The procedures in this step demonstrate how to configure rules and permissions for using the VPC endpoint with Amazon Keyspaces.
**To configure an inbound rule for the new endpoint to allow TCP inbound traffic**
1. In the Amazon VPC console, on the left-side panel, choose **Endpoints** and choose the endpoint you created in the earlier step.
1. Choose **Manage security groups** and then choose the security group associated with this endpoint.
1. Choose **Inbound rules** and then choose **Edit inbound rules**.
1. Add an inbound rule with **Type** as **CQLSH / CASSANDRA**. This sets the **Port range**, automatically to **9142**.
1. To save the new inbound rule, choose **Save rules**.
**To configure IAM user permissions**
1. Confirm that the IAM user used to connect to Amazon Keyspaces has the appropriate permissions. In AWS Identity and Access Management (IAM), you can use the AWS managed policy `AmazonKeyspacesReadOnlyAccess` to grant the IAM user read access to Amazon Keyspaces.
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. On the IAM console dashboard, choose **Users**, and then choose your IAM user from the list.
1. On the **Summary** page, choose **Add permissions**.
1. Choose **Attach existing policies directly**.
1. From the list of policies, choose **AmazonKeyspacesReadOnlyAccess**, and then choose **Next: Review**.
1. Choose **Add permissions**.
1. Verify that you can access Amazon Keyspaces through the VPC endpoint.
```
aws keyspaces list-tables --keyspace-name 'my_Keyspace'
```
If you want, you can try some other AWS CLI commands for Amazon Keyspaces. For more information, see the [AWS CLI Command Reference](https://docs.aws.amazon.com/cli/latest/reference/).
**Note**
The minimum permissions required for an IAM user or role to access Amazon Keyspaces are read permissions to the system table, as shown in the following policy. For more information about policy-based permissions, see [Amazon Keyspaces identity-based policy examples](security_iam_id-based-policy-examples.md).
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"cassandra:Select"
],
"Resource":[
"arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
]
}
]
}
```
1. Grant the IAM user read access to the Amazon EC2 instance with the VPC.
When you use Amazon Keyspaces with VPC endpoints, you need to grant the IAM user or role that accesses Amazon Keyspaces *read-only permissions to your Amazon EC2 instance and the VPC to gather endpoint and network interface data*. Amazon Keyspaces stores this information in the `system.peers` table and uses it to manage connections.
**Note**
The managed policies `AmazonKeyspacesReadOnlyAccess_v2` and `AmazonKeyspacesFullAccess` include the required permissions to let Amazon Keyspaces access the Amazon EC2 instance to read information about available interface VPC endpoints.
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. On the IAM console dashboard, choose **Policies**.
1. Choose **Create policy**, and then choose the **JSON** tab.
1. Copy the following policy and choose **Next: Tags**.
```
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"ListVPCEndpoints",
"Effect":"Allow",
"Action":[
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeVpcEndpoints"
],
"Resource": "*"
}
]
}
```
1. Choose **Next: Review**, enter the name `keyspacesVPCendpoint` for the policy, and choose **Create policy**.
1. On the IAM console dashboard, choose **Users**, and then choose your IAM user from the list.
1. On the **Summary** page, choose **Add permissions**.
1. Choose **Attach existing policies directly**.
1. From the list of policies, choose **keyspacesVPCendpoint**, and then choose **Next: Review**.
1. Choose **Add permissions**.
1. To verify that the Amazon Keyspaces `system.peers` table is getting updated with VPC information, run the following query from your Amazon EC2 instance using `cqlsh`. If you haven't already installed `cqlsh`on your Amazon EC2 instance in step 2, follow the instructions in [Using the `cqlsh-expansion` to connect to Amazon Keyspaces](programmatic.cqlsh.md#using_cqlsh).
```
SELECT * FROM system.peers;
```
The output returns nodes with private IPv6 IP addresses, depending on your VPC and subnet setup in your AWS Region.
```
peer | data_center | host_id | preferred_ip | rack | release_version | rpc_address | schema_version | tokens
-----------------------------------------+-------------+--------------------------------------+-----------------------------------------+-----------+-----------------+-----------------------------------------+--------------------------------------+---------------------------------------------
2600:1111:2222:3333:283b:8e6:d04f | us-east-1 | dddddddd-7a22-3582-a73d-49338a686a53 | 2600:1111:2222:3333:283b:8e6:d04f | us-east-1 | 3.11.2 | 2600:1111:2222:3333:283b:8e6:d04f | 05deae2d-6405-494d-a965-c0e5836bcb3c | {'85070591730234615865843651857942052863'}
2600:1111:2222:4444:7d26:5a09:1b44 | us-east-1 | 66666666-035d-37ef-a247-19a6a867ab09 | 2600:1111:2222:4444:7d26:5a09:1b44 | us-east-1 | 3.11.2 | 2600:1111:2222:4444:7d26:5a09:1b44 | 05deae2d-6405-494d-a965-c0e5836bcb3c | {'170141183460469231731687303715884105726'}
```
**Note**
You have to use a `cqlsh`connection to Amazon Keyspaces to confirm that your VPC endpoint has been configured correctly. If you use your local environment or the Amazon Keyspaces CQL editor in the AWS Management Console, the connection automatically goes through the public endpoint instead of your VPC endpoint. If you see nine IP addresses, these are the entries Amazon Keyspaces automatically writes to the `system.peers` table for public endpoint connections.
# Step 5: Configure monitoring with CloudWatch
This step shows you how to use Amazon CloudWatch to monitor the VPC endpoint connection to Amazon Keyspaces.
AWS PrivateLink publishes data points to CloudWatch about your interface endpoints. You can use metrics to verify that your system is performing as expected. The `AWS/PrivateLinkEndpoints` namespace in CloudWatch includes the metrics for interface endpoints. For more information, see [CloudWatch metrics for AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-cloudwatch-metrics.html) in the *AWS PrivateLink Guide*.
**To create a CloudWatch dashboard with VPC endpoint metrics**
1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
1. In the navigation pane, choose **Dashboards**. Then choose **Create dashboard**. Enter a name for the dashboard and choose **Create**.
1. Under **Add widget**, choose **Number**.
1. Under **Metrics**, choose **AWS/PrivateLinkEndpoints**.
1. Choose **Endpoint Type, Service Name, VPC Endpoint ID, VPC ID**.
1. Select the metrics `ActiveConnections` and `NewConnections`, and choose **Create Widget**.
1. Save the dashboard.
The `ActiveConnections` metric is defined as the number of concurrent active connections that the endpoint received during the last one-minute period. The `NewConnections` metric is defined as the number of new connections that were established through the endpoint during the last one-minute period.
For more information about creating dashboards, see [Create dashboard](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create_dashboard.html) in the *CloudWatch User Guide*.
# Step 6: (Optional) Best practices to configure the connection pool size for your application
In this section, we outline how to determine the ideal connection pool size based on the query throughput requirements of your application.
Amazon Keyspaces allows a maximum of 3,000 CQL queries per second per TCP connection. So there's virtually no limit on the number of connections that a driver can establish with Amazon Keyspaces. However, we recommend that you match the connection pool size to the requirements of your application and consider the available endpoints when you're using Amazon Keyspaces with VPC endpoint connections.
You configure the connection pool size in the client driver. For example, based on a local pool size of **2** and a VPC interface endpoint created across **3** Availability Zones, the driver establishes **6** connections for querying (7 in total, which includes a control connection). Using these 6 connections, you can support a maximum of 18,000 CQL queries per second.
If your application needs to support 40,000 CQL queries per second, work backwards from the number of queries that are needed to determine the required connection pool size. To support 40,000 CQL queries per second, you need to configure the local pool size to be at least 5, which supports a minimum of 45,000 CQL queries per second.
You can monitor if you exceed the quota for the maximum number of operations per second, per connection by using the `PerConnectionRequestRateExceeded` CloudWatch metric in the `AWS/Cassandra` namespace. The `PerConnectionRequestRateExceeded` metric shows the number of requests to Amazon Keyspaces that exceed the quota for the per-connection request rate.
The code examples in this step show how to estimate and configure connection pooling when you're using interface VPC endpoints.
------
#### [ Java ]
You can configure the number of connections per pool in the Java driver. For a complete example of a Java client driver connection, see [Using a Cassandra Java client driver to access Amazon Keyspaces programmatically](using_java_driver.md).
When the client driver is started, first the control connection is established for administrative tasks, such as for schema and topology changes. Then the additional connections are created.
In the following example, the local pool size driver configuration is specified as 2. If the VPC endpoint is created across 3 subnets within the VPC, this results in 7 `NewConnections` in CloudWatch for the interface endpoint, as shown in the following formula.
```
NewConnections = 3 (VPC subnet endpoints created across) * 2 (pool size) + 1 ( control connection)
```
```
datastax-java-driver {
basic.contact-points = [ "cassandra.us-east-1.amazonaws.com:9142"]
advanced.auth-provider{
class = PlainTextAuthProvider
username = "ServiceUserName"
password = "ServicePassword"
}
basic.load-balancing-policy {
local-datacenter = "us-east-1"
slow-replica-avoidance = false
}
advanced.ssl-engine-factory {
class = DefaultSslEngineFactory
truststore-path = "./src/main/resources/cassandra_truststore.jks"
truststore-password = "my_password"
hostname-validation = false
}
advanced.connection {
pool.local.size = 2
}
}
```
If the number of active connections doesn’t match your configured pool size (aggregation across subnets) \$1 1 control connection, something is preventing the connections from being created.
------
#### [ Node.js ]
You can configure the number of connections per pool in the Node.js driver. For a complete example of a Node.js client driver connection, see [Using a Cassandra Node.js client driver to access Amazon Keyspaces programmatically](using_nodejs_driver.md).
The code example below uses the *keyspaces-bundle.pem* file for the digital certicate. See [Before you begin](using_nodejs_driver.md#using_nodejs_driver.BeforeYouBegin) for more information.
For the following code example, the local pool size driver configuration is specified as 1. If the VPC endpoint is created across 4 subnets within the VPC, this results in 5 `NewConnections` in CloudWatch for the interface endpoint, as shown in the following formula.
```
NewConnections = 4 (VPC subnet endpoints created across) * 1 (pool size) + 1 ( control connection)
```
```
const cassandra = require('cassandra-driver');
const fs = require('fs');
const types = cassandra.types;
const auth = new cassandra.auth.PlainTextAuthProvider('ServiceUserName', 'ServicePassword');
const sslOptions1 = {
ca: [
fs.readFileSync('/home/ec2-user/keyspaces-bundle.pem', 'utf-8')],
host: 'cassandra.us-east-1.amazonaws.com',
rejectUnauthorized: true
};
const client = new cassandra.Client({
contactPoints: ['cassandra.us-east-1.amazonaws.com'],
localDataCenter: 'us-east-1',
pooling: { coreConnectionsPerHost: { [types.distance.local]: 1 } },
consistency: types.consistencies.localQuorum,
queryOptions: { isIdempotent: true },
authProvider: auth,
sslOptions: sslOptions1,
protocolOptions: { port: 9142 }
});
```
------
# Step 7: (Optional) Clean up
If you want to delete the resources that you have created in this tutorial, follow these procedures.
**To remove your VPC endpoint for Amazon Keyspaces**
1. Log in to your Amazon EC2 instance.
1. Determine the VPC endpoint ID that is used for Amazon Keyspaces. If you omit the `grep` parameters, VPC endpoint information is shown for all services.
```
aws ec2 describe-vpc-endpoint-services | grep ServiceName | grep cassandra
{
"VpcEndpoint": {
"PolicyDocument": "{\"Version\":\"2000-00-00",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"*\",\"Resource\":\"*\"}]}",
"VpcId": "vpc-a1234bcd",
"State": "available",
"ServiceName": "com.amazonaws.us-east-1.cassandra",
"RouteTableIds": [],
"VpcEndpointId": "vpce-1a23b4c5",
"CreationTimestamp": "2025-07-26T22:00:14Z"
}
}
```
In the example output, the VPC endpoint ID is *vpce-1a23b4c5*. Make sure to replace this value with your own.
1. Delete the VPC endpoint.
```
aws ec2 delete-vpc-endpoints --vpc-endpoint-ids vpce-1a23b4c5
{
"Unsuccessful": []
}
```
The empty array `[]` indicates success (there were no unsuccessful requests).
**To terminate your Amazon EC2 instance**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. In the navigation pane, choose **Instances**.
1. Choose your Amazon EC2 instance.
1. Choose **Actions**, choose **Instance State**, and then choose **Terminate**.
1. In the confirmation window, choose **Yes, Terminate**.