VPC peering
VPC peering allows Tray connectors to reach inside your private network using routes established via attachment of a Tray-owned VPC, as if both VPCs were inside the same network.
This option will therefore only work if you are (at least partially) hosted on AWS.
Key points in using VPC peering
- A Tray and customer VPC can communicate as if in the same network
- No additional infrastructure (i.e. VPN servers) required
- VPCs can be in different regions
- No separate piece of physical hardware is required
- No gateway is required
- There is no single point of failure, or bandwidth bottleneck
- VPC resources including EC2 instances, Amazon RDS databases and Lambda functions can communicate with each other using private IP addresses
- All inter-region traffic is encrypted
- Traffic never traverses the public internet, which reduces threats from common exploits and DDoS attacks
- There is no option to natively encrypt this traffic, unless we use application-level tools such as TLS
Setting up VPC Peering
Basic required info
| Geographic location | The region in which your VPC is located. We will locate the Tray.io VPC in a region that is optimal in terms of latency when connecting. |
| Your AWS Account number | |
| Your VPC ID | |
| Your subnet CIDR ranges | Tray uses 10.200.0.0/25 by default. This cannot overlap with your VPC CIDR range. In the unlikely event that it does, you should notify us so we can update it to be in another range. |
The setup process
- We set up a separate Tray VPC network which does not overlap with your network and will not require you to reserve a large chunk of routes
- The Tray VPC will then request connectivity to your target network, which normally requires manual acceptance by you ('auto-accept' is not a recommended security practice)
- Once accepted, our connectors will be able to reach the services hosted in your network
Once the request is accepted, you can still explicitly limit Tray’s access to the different corners of your network by using NACLs and Security Groups.
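The following is an added example, not Tray's code: a Python check for the two customer-side conditions above, that no VPC CIDR overlaps Tray's default 10.200.0.0/25 and that security group ingress rules admit that range only on the ports you intend. The group IDs, CIDRs and the allowed port are constructed sample data in the shape of `aws ec2 describe-security-groups` output.

```python
import ipaddress

# Tray's default peering range as stated on this page; change it if Tray assigns another.
TRAY_CIDR = ipaddress.ip_network("10.200.0.0/25")

# Constructed sample data in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-constructed-a", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.200.0.0/25"}]}]},
    {"GroupId": "sg-constructed-b", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-constructed-c", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-constructed-d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}]}]},
]


def overlapping_cidrs(vpc_cidrs, tray=TRAY_CIDR):
    """Return the customer CIDRs that overlap Tray's range (should be empty)."""
    return [c for c in vpc_cidrs if ipaddress.ip_network(c).overlaps(tray)]


def tray_exposure(groups, allowed_ports, tray=TRAY_CIDR):
    """Return (group, protocol, ports, cidr) for IPv4 ingress rules that let
    Tray's range reach TCP/UDP ports outside allowed_ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":                      # all protocols, all ports
                ports = range(0, 65536)
            elif proto in ("tcp", "udp"):
                ports = range(perm["FromPort"], perm["ToPort"] + 1)
            else:                                  # ICMP etc.: no ports, not covered
                continue
            if set(ports) <= set(allowed_ports):   # rule stays within intended ports
                continue
            for rng in perm.get("IpRanges", []):
                if ipaddress.ip_network(rng["CidrIp"]).overlaps(tray):
                    findings.append((sg["GroupId"], proto,
                                     f"{ports.start}-{ports.stop - 1}", rng["CidrIp"]))
    return findings
```

Broad rules such as 10.0.0.0/8 or 0.0.0.0/0 are flagged because they also admit Tray's range once the peering route exists, even though they never name it.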
If you use Transit Gateway to manage your network governance - as opposed to individual VPCs and route tables - we would recommend using our Transit Gateway offering.