Standard/Best Practices
Use Cases
Connecting to on-prem systems

AWS PrivateLink

Advanced on-prem options are available to:

  • Team customers as an optional add-on

  • Enterprise customers as standard

This setup will allow specific Tray connectors to reach your services hosted on AWS.

VPC Endpoints are what facilitate this type of connectivity - using a technology called PrivateLink.

PrivateLink enables private connectivity between VPCs and supported AWS services hosted by other AWS accounts, as well as third-party services on AWS Marketplace.

  • Traffic will stay within the AWS backbone and hence won’t be exposed to the public internet

  • A VPC endpoint does not require an internet gateway, virtual private gateway, NAT device, VPN connection, or AWS Direct Connect connection or any other networking component hence we are looking at a simplified buildout topology and less costs.

  • There is no option to natively encrypt this traffic, unless we use application-level tools such as TLS.

Basic required info

Details Notes
Customer Name
Geographic location The region in which your VPC is locatedWe will locate the VPC in a region that is optimal in terms of latency when connecting
Tray OrgID
Your AWS Account number
VPC Endpoint Service fully qualified name
VPC Endpoint Service ports

The setup process

  1. We set up a separate Tray VPC network which does not overlap with your network and will not require you to reserve a large chunk of routes

  2. We deploy the relevant connectors inside that dedicated VPC

  3. We then create and host a VPC Endpoint

  4. This endpoint will request connectivity to your network which normally requires manual acceptance by your AWS admins ('auto-accept' is not a recommended security practice)

  5. Once accepted, our connectors will be able to reach the services hosted in your VPC

Technical considerations

  • In this scenario:

  • Tray will become a Service Consumer

  • You become a Service Producer

  • As per the above diagram Tray hosts the VPC Endpoint and will point it towards a fully qualified service name that is provided to us by you.

  • Your VPC endpoint service which supports integration with PrivateLink should be put behind a Network Load Balancer