AWS PrivateLink
This setup will allow specific Tray connectors to reach your services hosted on AWS.
VPC Endpoints facilitate this type of connectivity, using a technology called PrivateLink.
PrivateLink enables private connectivity between VPCs and supported AWS services hosted by other AWS accounts, as well as third-party services on AWS Marketplace.
Key points in using PrivateLink
- Traffic stays within the AWS backbone and is therefore never exposed to the public internet.
- A VPC endpoint does not require an internet gateway, virtual private gateway, NAT device, VPN connection, AWS Direct Connect connection, or any other networking component, so the topology is simpler to build and cheaper to run.
- PrivateLink does not encrypt the traffic itself; confidentiality on the link depends on application-level encryption such as TLS.
Setting up PrivateLink
Basic required info
| Required info | Description |
|---|---|
| Geographic location | The region in which your VPC is located. We will locate the Tray.io VPC in a region that is optimal in terms of latency when connecting. |
| Your AWS Account number | |
| VPC Endpoint Service fully qualified name | |
| VPC Endpoint Service ports | |
The setup process
- We set up a separate Tray VPC whose address range does not overlap with your network, so you will not need to reserve a large block of routes
- We deploy the relevant connectors inside that dedicated VPC
- We then create and host a VPC Endpoint
- This endpoint requests connectivity to your network; the request normally requires manual acceptance by your AWS admins ('auto-accept' is not a recommended security practice)
- Once accepted, our connectors will be able to reach the services hosted in your VPC
In this scenario:
- Tray will become a Service Consumer
- You become a Service Producer
As per the above diagram, Tray hosts the VPC Endpoint and points it at the fully qualified service name that you provide to us.
Your VPC endpoint service, which is what integrates with PrivateLink, should be put behind a Network Load Balancer.
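The producer-side pieces described above (an internal Network Load Balancer fronting your service, an endpoint service that requires manual acceptance and only admits Tray's account), written as an added Terraform example; this is not Tray's own configuration, and `var.vpc_id`, `var.private_subnet_ids` and `var.tray_account_id` are assumed placeholders you must supply.

```hcl
# Internal NLB: PrivateLink endpoint services must be backed by a Network Load Balancer.
resource "aws_lb" "tray_nlb" {
  name               = "tray-privatelink-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.private_subnet_ids # assumed: your private subnet IDs
}

# Target group for the service the Tray connectors need to reach.
resource "aws_lb_target_group" "svc" {
  name        = "tray-privatelink-tg"
  port        = 443
  protocol    = "TCP"
  vpc_id      = var.vpc_id # assumed: your VPC ID
  target_type = "ip"
}

# Plain TCP passthrough on 443: PrivateLink carries no encryption of its own,
# so TLS is terminated by your service, not by the load balancer.
resource "aws_lb_listener" "svc" {
  load_balancer_arn = aws_lb.tray_nlb.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.svc.arn
  }
}

# The endpoint service Tray's VPC endpoint will connect to.
resource "aws_vpc_endpoint_service" "tray" {
  # Keep manual acceptance on: each connection request must be approved by your admins.
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.tray_nlb.arn]
  # Only the Tray account may request a connection (account ID is a placeholder; Tray supplies it).
  allowed_principals         = ["arn:aws:iam::${var.tray_account_id}:root"]
}

# This is the "VPC Endpoint Service fully qualified name" you hand to Tray.
output "tray_endpoint_service_name" {
  value = aws_vpc_endpoint_service.tray.service_name
}
```

After applying, the pending connection from Tray's endpoint appears under the endpoint service's connection requests and must be accepted explicitly; the service name output and the listener port (443 here) are the two values the table above asks for.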