Version: v4.12

Configuring DNS for your sidecar

After you have deployed your sidecar and bound at least one repository to it, Cyral recommends creating a CNAME record or A record that maps to your chosen sidecar domain. By doing this, you provide a stable alias address where users can always reach their repositories. Even if your underlying sidecar address changes (for example during an upgrade), the address can remain the same for users.

To use a repository through the Cyral sidecar, database users will connect at its sidecar domain address (in this example, db-access.example.com). To support this, your sidecar's domain should have a corresponding CNAME record or A record that maps it to the domain name or IP address of the sidecar’s load balancer.

To set this up:

  1. Make sure you've assigned at least one repository to your sidecar, as explained in Bind a repository to a sidecar.

  2. Find the sidecar load balancer address: In the Cyral management console, click Sidecars, and click the name of your sidecar. In the Data Repositories tab, you can find your sidecar's load balancer address displayed in the Endpoint Address column. Keep this tab open. In this example, we'll assume the sidecar load balancer address is cyral-jkhcst-lb-e9febb0b738722.elb.us-east-2.amazonaws.com

  3. Choose a user-facing name for your sidecar domain. We'll refer to this as your sidecar domain name. This is the base URL where your repository users will connect to all repositories protected by the sidecar. In this example, we'll assume the sidecar domain name is db-access.example.com

  4. In your DNS routing service, such as Amazon Route 53 or Microsoft Azure DNS, create an entry that maps your sidecar domain name to the sidecar load balancer address:

    • If your sidecar load balancer has a name, like the cyral-jkhcst-lb-e9febb0b738722.elb.us-east-2.amazonaws.com name we're using in this example, create a CNAME record and point to that.
    • If the address you retrieved for your sidecar load balancer is an IP address, then create a regular A record to point to the address.

  5. If you intend to manage Snowflake access using the sidecar, you also need to add a wildcard DNS record to point everything under your sidecar domain to the load balancer. For example, if you defined sidecar.example.com as your sidecar's hostname, you should create a record *.sidecar.example.com pointing to the same target. This way, if someone wants to resolve cyral-123xyz.sidecar.example.com, your DNS server will return the sidecar address.

  6. In Cyral, edit the sidecar to use the new alias: In the Cyral management console, click Sidecars, and click the name of your sidecar. Click the edit icon, and in the Edit Sidecar window, activate the Endpoint Alias option and type the sidecar domain in the field that appears. For example, we might specify db-access.example.com. Click Save.



All repository users should connect to the repository using the sidecar domain name you've created. When users look up a repository in the Cyral Console (they click Connect and then copy the Connection URI), the console shows them the repository’s connection URI, including the CNAME record or A record address you've created.
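To confirm that the records from steps 4 and 5 point where you intended, the following added example (not part of the Cyral product or documentation) compares what the sidecar domain, and optionally a name under the wildcard, resolve to against the load balancer's addresses. The `wildcard-probe` label and the sample IP addresses are constructed for illustration; the `resolver` parameter is an assumption that lets the check run against canned answers instead of live DNS.

```python
import ipaddress
import socket

LB = "cyral-jkhcst-lb-e9febb0b738722.elb.us-east-2.amazonaws.com"
# Constructed answers (documentation-range IPs) standing in for live DNS.
SAMPLE = {
    LB: {"203.0.113.10", "203.0.113.11"},
    "db-access.example.com": {"203.0.113.10", "203.0.113.11"},
}


def resolve(name):
    """Return the set of IPs `name` resolves to; empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def lb_addresses(lb_address, resolver):
    """An IP literal (A-record case) is its own address; a name (CNAME case) is resolved."""
    try:
        return {str(ipaddress.ip_address(lb_address))}
    except ValueError:
        return resolver(lb_address)


def check_sidecar_dns(sidecar_domain, lb_address, snowflake=False, resolver=resolve):
    """Return a list of problems; an empty list means the records match the load balancer."""
    expected = lb_addresses(lb_address, resolver)
    if not expected:
        return [f"load balancer {lb_address} does not resolve"]
    names = [sidecar_domain]
    if snowflake:
        # Any label under the sidecar domain should be answered by the wildcard record.
        names.append(f"wildcard-probe.{sidecar_domain}")
    problems = []
    for name in names:
        got = resolver(name)
        if not got:
            problems.append(f"{name} does not resolve")
        elif not got <= expected:
            problems.append(f"{name} resolves to {sorted(got - expected)}, not the load balancer")
    return problems


if __name__ == "__main__":
    # Uses the constructed SAMPLE table; drop `resolver=` to query real DNS.
    print(check_sidecar_dns("db-access.example.com", LB, resolver=lambda n: SAMPLE.get(n, set())))
```

Running the same check after a sidecar upgrade shows whether the alias still follows the load balancer or has been left pointing at an address the sidecar no longer uses.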

Next steps