AWS PrivateLink

This setup will allow specific Tray connectors to reach your services hosted on AWS.

VPC Endpoints are what facilitate this type of connectivity - using a technology called PrivateLink.

PrivateLink enables private connectivity between VPCs and supported AWS services hosted by other AWS accounts, as well as third-party services on AWS Marketplace.

Key points in using PrivateLink

Copy

• Traffic will stay within the AWS backbone and hence won’t be exposed to the public internet

• A VPC endpoint does not require an internet gateway, virtual private gateway, NAT device, VPN connection, or AWS Direct Connect connection or any other networking component hence we are looking at a simplified buildout topology and less costs.

• There is no option to natively encrypt this traffic, unless we use application-level tools such as TLS.

Setting up PrivateLink

Copy

Basic required info

Copy

The setup process

Copy

1. We set up a separate Tray VPC network which does not overlap with your network and will not require you to reserve a large chunk of routes

2. We deploy the relevant connectors inside that dedicated VPC

3. We then create and host a VPC Endpoint

4. This endpoint will request connectivity to your network which normally requires manual acceptance by your AWS admins ('auto-accept' is not a recommended security practice)

5. Once accepted, our connectors will be able to reach the services hosted in your VPC

Technical considerations

Copy

• In this scenario:

• Tray will become a Service Consumer

• You become a Service Producer

• As per the above diagram Tray hosts the VPC Endpoint and will point it towards a fully qualified service name that is provided to us by you.

• Your VPC endpoint service which supports integration with PrivateLink should be put behind a Network Load Balancer