AWS PrivateLink - Salesforce to AWS — Part 1

Sagar Donthineni
4 min read · Oct 16, 2023


In this blog post, let's discuss setting up PrivateLink connectivity between Salesforce and AWS, especially in a multi-account architecture.

Introduction

AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks without exposing your traffic to the public internet. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture.

https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-privatelink.html

Centralised Networking pattern

The centralised networking pattern on AWS is outside the scope of this blog; however, the architecture below is assumed whenever I mention centralised networking.

Egress VPC: all outbound connections to the internet and the interface endpoints are provisioned in this VPC, which serves as the central exit point for your private network.

Reference: https://aws.amazon.com/blogs/mt/scale-multi-account-architecture-aws-network-firewall-and-aws-control-tower/

AWS PrivateLink with Salesforce

Let's dive into the topic without further delay. I have divided this into two parts for ease of following:

  1. Salesforce to AWS — (Inbound PrivateLink)
  2. AWS to Salesforce (Outbound PrivateLink), which will be covered in the upcoming blog.

Salesforce to AWS — (Inbound PrivateLink)

In this scenario AWS is the service provider and Salesforce is the consumer.

Scenario 1:

We have a Private API Gateway in one of the AWS accounts of a multi-account AWS environment, where a centralised Network Account manages Egress, Inspection and Ingress. In this scenario the architecture looks like the diagram below:

SalesForce to AWS Private Connect

In this scenario, Salesforce accesses an AWS Private API Gateway through AWS PrivateLink using the AWS PrivateLink VPC endpoint service and the execute-api endpoint service.

The execute-api endpoint is an AWS Interface endpoint that connects to Private API gateways using the API gateway ID, eliminating the need for VPC peering and Transit gateway routing.

Let's look at the traffic flow in sequence:

  1. The Salesforce Application initiates an API call using a URL like https://{restapi_id}.execute-api.{region}.amazonaws.com/{stage_name}/.
  2. The traffic is directed to the AWS endpoint service within the Ingress VPC; because the Salesforce consumer has already been approved on the endpoint service, the traffic proceeds.
  3. The traffic reaches a Network Load Balancer, configured with a target group consisting of execute-api interface endpoint IPs as target IPs.
  4. The traffic leaves the Ingress VPC, traverses a Transit Gateway, and is forced to undergo inspection by the AWS Network Firewall in the Inspection VPC.
  5. After successful inspection, the traffic is routed back to the Transit Gateway.
  6. Now the traffic arrives at the execute-api interface endpoint. Depending on the API gateway ID, the traffic is directed to the respective API gateway.

By implementing this approach, multiple applications can access the entire AWS environment’s API Gateways, which reduces administrative efforts and the costs associated with duplicating resources.
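The Ingress VPC side of Scenario 1 expressed as Terraform, as an added example that is not the author's code: the NLB with the execute-api endpoint IPs as targets (step 3) and the endpoint service restricted to the Salesforce principal with explicit acceptance (step 2). The variable names `var.ingress_vpc_id`, `var.ingress_subnet_ids`, `var.execute_api_endpoint_ips` and `var.salesforce_principal_arn` are assumed placeholders.

```hcl
# Added example (not the author's code): Terraform for the Ingress VPC side of Scenario 1.
# Assumed placeholders: var.ingress_vpc_id, var.ingress_subnet_ids,
# var.execute_api_endpoint_ips and var.salesforce_principal_arn.

# Internal NLB that the endpoint service exposes to Salesforce (step 3).
resource "aws_lb" "salesforce_ingress" {
  name               = "salesforce-ingress-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.ingress_subnet_ids
}

# Targets are the private IPs of the execute-api interface endpoint.
resource "aws_lb_target_group" "execute_api" {
  name        = "execute-api-endpoint-ips"
  port        = 443
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.ingress_vpc_id
}

# The endpoint sits in another VPC reached through the TGW (step 4), so its
# IPs are outside the NLB's VPC and must be registered with zone "all".
resource "aws_lb_target_group_attachment" "execute_api" {
  for_each          = toset(var.execute_api_endpoint_ips)
  target_group_arn  = aws_lb_target_group.execute_api.arn
  target_id         = each.value
  port              = 443
  availability_zone = "all"
}

# TCP passthrough: TLS terminates at the execute-api endpoint, not the NLB.
resource "aws_lb_listener" "tls_passthrough" {
  load_balancer_arn = aws_lb.salesforce_ingress.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.execute_api.arn
  }
}

# Endpoint service: only the Salesforce principal may connect, and each
# connection request must still be accepted explicitly (step 2).
resource "aws_vpc_endpoint_service" "salesforce" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.salesforce_ingress.arn]
  allowed_principals         = [var.salesforce_principal_arn]
}
```

Note that a private REST API also needs its own resource policy allowing execute-api:Invoke from that interface endpoint (the aws:SourceVpce condition), otherwise requests arriving at step 6 are denied.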

Scenario 2:

The first scenario is effective when utilizing API Gateways. However, it raises a question: How can you access a custom application running on EC2, Lambda, or similar services?

SalesForce to AWS inbound

In this case, the key distinction lies in the one-to-one mapping, where one endpoint service corresponds to one application. When Salesforce communicates with the AWS endpoint service, the Network Load Balancer (NLB) target needs to be an Application Load Balancer (ALB), with the ALB set up to receive the traffic.

This necessitates the adjustment of route tables and attachment of the VPC to a Transit Gateway (TGW).

To set up a private DNS name that the Salesforce application can use, follow the documentation below.

https://repost.aws/knowledge-center/vpc-private-dns-name-endpoint-service

Conclusion:

To summarise, the first scenario works seamlessly for API Gateway use cases, but a more customised one-to-one mapping approach is essential for accessing custom applications running on services such as EC2 or Lambda. This involves setting up an Application Load Balancer, making route table adjustments, and attaching the VPC to a Transit Gateway to ensure efficient communication between Salesforce and AWS. Stay tuned for more scenarios in the upcoming Part 2 of the blog, where we will explore AWS Outbound to Salesforce over a private link.

Part 2 link below:

https://sagarraodonthineni.medium.com/aws-private-link-aws-to-salesforce-part-2-e6593960c9f2
