
VPC peering


VPC peering allows Tray connectors to reach inside your private network using routes established by attaching a Tray-owned VPC to yours, as if both VPCs were inside the same network.

This option will therefore only work if you are (at least partially) hosted on AWS.

Key points in using VPC peering

  • A Tray and customer VPC can communicate as if in the same network

  • No additional infrastructure (i.e. VPN servers) required

  • VPCs can be in different regions

  • No separate piece of physical hardware is required

  • No gateway is required

  • There is no single point of failure, or bandwidth bottleneck

  • VPC resources including EC2 instances, Amazon RDS databases and Lambda functions can communicate with each other using private IP addresses

  • All inter-region traffic is encrypted

  • Traffic never traverses the public internet, which reduces threats from common exploits and DDoS attacks

  • There is no option to natively encrypt this traffic, unless we use application-level tools such as TLS

Setting up VPC Peering

Basic required info

| Details | Notes |
|---|---|
| Customer Name | |
| Geographic location | The region in which your VPC is located. We will locate the Tray.io VPC in a region that is optimal in terms of latency when connecting. |
| Tray OrgID | |
| Your AWS Account number | |
| Your VPC ID | |
| Your subnet CIDR ranges | Tray uses 10.200.0.0/25 by default. This cannot overlap with your VPC CIDR range. In the unlikely event that it does, you should notify us so we can update it to be in another range. |

The setup process

  1. We set up a separate Tray VPC network which does not overlap with your network and will not require you to reserve a large chunk of routes

  2. This endpoint will request connectivity to your target network which normally requires manual acceptance by you ('auto-accept' is not a recommended security practice)

  3. Once accepted, our connectors will be able to reach the services hosted in your network

Technical considerations

  • Once the request is accepted, you can still explicitly limit Tray’s access to the different corners of your network by using NACLs and Security Groups.

  • If you use Transit Gateway to manage your network governance - as opposed to individual VPCs and route tables - we would recommend using our Transit Gateway offering.
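One way to check both the CIDR overlap requirement and how far your Security Groups let the peered range reach, as an added example that is not Tray's own tooling. It assumes rules in the JSON shape returned by `aws ec2 describe-security-groups`; the group IDs and customer ranges are constructed sample data, and NACLs and rules that reference other security groups are not evaluated.

```python
import ipaddress

# Tray's default peering range, as stated on this page.
TRAY_CIDR = ipaddress.ip_network("10.200.0.0/25")

# Constructed sample input (hypothetical customer ranges and group IDs).
SAMPLE_VPC_CIDRS = ["10.0.0.0/16", "10.200.0.0/24"]
SAMPLE_GROUPS = [
    {"GroupId": "sg-db-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.200.0.0/25"}]}]},
    {"GroupId": "sg-internal-example", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}]}]},
]

def overlapping_cidrs(vpc_cidrs):
    """Return the customer CIDRs that overlap Tray's range (peering needs none)."""
    return [c for c in vpc_cidrs if ipaddress.ip_network(c).overlaps(TRAY_CIDR)]

def tray_exposure(security_groups):
    """Return (group, protocol, ports, cidr, scope) for ingress rules Tray traffic matches.
    scope is 'exact' when the rule names Tray's range or part of it, and 'broad'
    when a wider range such as 10.0.0.0/8 admits Tray as a side effect."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            ports = "all" if proto == "-1" else f'{perm.get("FromPort")}-{perm.get("ToPort")}'
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"])
                if not net.overlaps(TRAY_CIDR):
                    continue  # rule cannot match traffic from the peered VPC
                scope = "exact" if net.subnet_of(TRAY_CIDR) else "broad"
                findings.append((sg["GroupId"], proto, ports, str(net), scope))
    return findings

if __name__ == "__main__":
    for cidr in overlapping_cidrs(SAMPLE_VPC_CIDRS):
        print(f"overlap with Tray range: {cidr}")
    for finding in tray_exposure(SAMPLE_GROUPS):
        print("reachable from Tray:", finding)
```

Rules reported as `broad` are the ones to tighten first, since they admit the peered range without naming it.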