VPC peering
VPC peering allows Tray connectors to reach inside your private network using routes established by attaching a Tray-owned VPC to yours, as if both VPCs were inside the same network.
This option will therefore only work if you are (at least partially) hosted on AWS.
Key points in using VPC peering
A Tray and customer VPC can communicate as if in the same network
No additional infrastructure (i.e. VPN servers) required
VPCs can be in different regions
No separate piece of physical hardware is required
No gateway is required
There is no single point of failure, or bandwidth bottleneck
VPC resources including EC2 instances, Amazon RDS databases and Lambda functions can communicate with each other using private IP addresses
All inter-region traffic is encrypted
Traffic never traverses the public internet, which reduces threats from common exploits and DDoS attacks
There is no option to natively encrypt this traffic, unless we use application-level tools such as TLS
Setting up VPC Peering
Basic required info
|Geographic location|The region in which your VPC is located. We will locate the Tray.io VPC in a region that is optimal in terms of latency when connecting.|
|Your AWS Account number||
|Your VPC ID||
|Your subnet CIDR ranges|Tray uses 10.200.0.0/25 by default. This cannot overlap with your VPC CIDR range. In the unlikely event that it does, you should notify us so we can update it to be in another range.|
The setup process
We set up a separate Tray VPC network which does not overlap with your network and will not require you to reserve a large chunk of routes
The Tray VPC will then request connectivity to your target network, which normally requires manual acceptance by you ('auto-accept' is not a recommended security practice)
Once accepted, our connectors will be able to reach the services hosted in your network
Once the request is accepted, you can still explicitly limit Tray’s access to the different corners of your network by using NACLs and Security Groups.
If you use Transit Gateway to manage your network governance - as opposed to individual VPCs and route tables - we would recommend using our Transit Gateway offering.
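Since the peering request is accepted by hand, it is worth checking it against what was agreed before accepting. The following is an added example, not Tray's or AWS's own code: it reviews a pending request record in the shape returned by `aws ec2 describe-vpc-peering-connections`. The function name, the placeholder account ID and the sample record are assumptions; only the 10.200.0.0/25 default comes from this page.

```python
import ipaddress

# Default Tray-side range stated on this page.
TRAY_DEFAULT_CIDR = "10.200.0.0/25"

# Constructed sample in the shape returned by
# `aws ec2 describe-vpc-peering-connections`; all IDs are placeholders.
SAMPLE_REQUEST = {
    "VpcPeeringConnectionId": "pcx-EXAMPLE",
    "Status": {"Code": "pending-acceptance"},
    "RequesterVpcInfo": {
        "OwnerId": "111111111111",
        "VpcId": "vpc-EXAMPLE",
        "CidrBlock": "10.200.0.0/25",
        "CidrBlockSet": [{"CidrBlock": "10.200.0.0/25"}],
    },
}


def review_peering_request(pcx, expected_owner, local_cidrs,
                           expected_cidr=TRAY_DEFAULT_CIDR):
    """Return a list of findings; an empty list means the request matches
    what was agreed and can be accepted by hand."""
    findings = []
    req = pcx.get("RequesterVpcInfo", {})
    status = pcx.get("Status", {}).get("Code")
    if status != "pending-acceptance":
        findings.append(f"unexpected status: {status}")
    if req.get("OwnerId") != expected_owner:
        findings.append(f"requester account {req.get('OwnerId')} is not the expected one")
    # Collect every IPv4 CIDR the requester VPC advertises, primary and secondary.
    cidrs = {req["CidrBlock"]} if req.get("CidrBlock") else set()
    cidrs |= {c["CidrBlock"] for c in req.get("CidrBlockSet", [])}
    if not cidrs:
        findings.append("requester advertises no CIDR block")
    expected = ipaddress.ip_network(expected_cidr)
    local = [ipaddress.ip_network(c) for c in local_cidrs]
    for cidr in sorted(cidrs):
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(expected):
            findings.append(f"requester CIDR {net} is outside agreed range {expected}")
        for mine in local:
            if net.overlaps(mine):
                findings.append(f"requester CIDR {net} overlaps local range {mine}")
    return findings


if __name__ == "__main__":
    print(review_peering_request(SAMPLE_REQUEST, "111111111111", ["10.0.0.0/16"]) or "ok to accept")
```

Pass the account ID Tray gave you as `expected_owner` and your own VPC and subnet ranges as `local_cidrs`; any finding is a reason to hold the acceptance and ask.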