Deribit AWS Endpoint Service instruction

Create VPC Endpoint

In order to connect to the Deribit service, you first have to create a VPC Endpoint which will be connected through PrivateLink to the Deribit VPC Endpoint Service. In order to create this VPC Endpoint log in to the AWS Console, go to the AWS Account in which to create the VPC Endpoint, choose the appropriate AWS region and go to the VPC from which you want to access the Deribit service. From the menu choose ‘Endpoints’, ‘Create Endpoint’. Select ‘PrivateLink Ready partner services’: 

Fill in the name belonging to your specific region and click ‘Verify Service’:

The following status should appear indicating that the Deribit service was successfully located:

In order to connect to the Endpoint using custom private DNS (explained further), make sure default private DNS is not enabled under Additional settings: 

Now select the VPC in which the VPC Endpoint should be created, followed by the Availability Zones in which to enable the VPC Endpoint. For redundancy/high availability purposes, Deribit has made its service available in two Availability Zones per region:

We recommend creating the VPC Endpoint in both AZ’s and recommend your application is also available in both AZ’s. 

You can create and attach a Security Group to the VPC Endpoint for security purposes, and add Tags according to your company policies. If you do not define a Security Group, the Default Security Group will be associated: 

Make sure the associated Security Group has Inbound Rules allowing traffic from your VPC to access the Endpoint. To edit go to the ‘Inbound Rules’ tab, click ‘Edit Inbound Rules’. Click ‘Add rule’ and define which traffic is allowed to access the Deribit backend. For example in this case my entire VPC with CIDR range 10.0.0.0/16 over destination port 8020: 

Click ‘Save rules’. Click ‘Create Endpoint’ to finalize. 

Connection Acceptance

The connection request that was created in Step 1, has to be accepted in the Deribit AWS account, until that happens the VPC Endpoint in your account will remain in the ‘pending acceptance’ state:

In order to inform Deribit you have created a connection request, please send an email to ‘aws-support@sentillia.com’ following the below guidelines:

Deribit will then accept the connection request, inform you by email and after a few minutes the status of the VPC Endpoint will change to ‘available’. It is now ready for use:

Route network traffic to VPC Endpoint

The next step is to enable services within your VPC, like for example EC2 instances or Lambdas, to access the VPC Endpoint. We recommend the use of a Private Hosted Zone in the Route53 AWS DNS service. If you will be accessing the Deribit service over TCP port 443 your DNS record needs to be ‘gateway’ in the ‘deribit.com’ hosted zone, in order for the SSL certificate to match ‘gateway.deribit.com’. If you are using any of the other TCP ports (8020, 8021, 8022 or 8025), there is no SSL certificate so you can choose your own record and zone.

Go to Route53 in the AWS Console, create a Private Hosted Zone if you don’t have one already, otherwise use one you were already using. For this example we will use the zone ‘deribit.int’ (‘deribit.com’ if you are using TCP 443).

Within that hosted zone choose ‘Create record’, select the ‘Simple Routing’ policy:

Click Next and choose ‘Define simple record’. Fill in the record details:

Select ‘Define simple record’ and ‘Create records’. It is being created and will take a few minutes to become available.

Test the connection

From your EC2 instance or Lambda service test the connection with for example telnet, using the created private DNS record in Step 3 followed by one of the TCP ports (In our example: ‘telnet test.deribit.int 8020’). The test should result in an active connection, it is now available for your regular requests for the Deribit backend.