AWS PrivateLink

This setup will allow specific Tray connectors to reach your services hosted on AWS.

VPC endpoints facilitate this type of connectivity, using a technology called PrivateLink.

PrivateLink enables private connectivity between VPCs and supported AWS services hosted by other AWS accounts, as well as third-party services on AWS Marketplace.

  • Traffic stays within the AWS backbone and is therefore not exposed to the public internet.

  • A VPC endpoint does not require an internet gateway, virtual private gateway, NAT device, VPN connection, AWS Direct Connect connection or any other networking component, so the build-out topology is simpler and the cost is lower.

  • PrivateLink does not encrypt this traffic itself; if encryption in transit is required, it has to be applied at the application layer, for example with TLS.

Details                                     Notes
Customer Name
Geographic location                         The region in which your VPC is located. We will locate the Tray.io VPC in a region that is optimal in terms of latency when connecting.
Tray OrgID
Your AWS Account number
VPC Endpoint Service fully qualified name
VPC Endpoint Service ports
  1. We set up a separate Tray VPC whose address space does not overlap with your network, so you will not need to reserve a large block of routes.

  2. We deploy the relevant connectors inside that dedicated VPC.

  3. We then create and host a VPC endpoint.

  4. This endpoint requests connectivity to your network, which normally requires manual acceptance by your AWS admins ('auto-accept' is not a recommended security practice).

  5. Once accepted, our connectors will be able to reach the services hosted in your VPC.

  • In this scenario:

      • Tray will become a Service Consumer

      • You become a Service Producer

  • As per the above diagram, Tray hosts the VPC endpoint and points it at the fully qualified service name that you provide to us.

  • Your VPC endpoint service (which supports integration with PrivateLink) should be placed behind a Network Load Balancer, since PrivateLink fronts the service with that load balancer.
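The steps above and the Service Producer bullets describe what your side of the setup should look like: manual acceptance rather than auto-accept, a Network Load Balancer in front of the endpoint service, and only the expected consumer account able to request a connection. The following added example (not Tray.io's code) audits a producer-side endpoint service against that posture and shows which pending connection requests come from the expected consumer account. The dict shapes are assumed to mirror the JSON returned by `aws ec2 describe-vpc-endpoint-service-configurations`, `describe-vpc-endpoint-service-permissions` and `describe-vpc-endpoint-connections`; every account number, ARN and endpoint id below is a constructed placeholder.

```python
"""Audit a PrivateLink endpoint service (producer side) for the posture
described on this page. Added example, not Tray.io's code; all sample
values are constructed and the dict layouts are assumed to match the
AWS CLI `describe-vpc-endpoint-service-*` / `describe-vpc-endpoint-connections`
output."""
import copy
from typing import Any

CONSUMER_ACCOUNT = "222222222222"  # constructed: account hosting the consumer endpoint

# Constructed: service configuration with the weak setting (auto-accept).
SERVICE_CONFIG: dict[str, Any] = {
    "ServiceConfigurations": [{
        "ServiceId": "vpce-svc-0123456789abcdef0",
        "ServiceName": "com.amazonaws.vpce.eu-west-1.vpce-svc-0123456789abcdef0",
        "ServiceState": "Available",
        "ServiceType": [{"ServiceType": "Interface"}],
        "AcceptanceRequired": False,
        "NetworkLoadBalancerArns": [
            "arn:aws:elasticloadbalancing:eu-west-1:111111111111:loadbalancer/net/svc-nlb/0123456789abcdef"
        ],
        "GatewayLoadBalancerArns": [],
    }]
}

# Constructed: permissions that also let any AWS account ("*") request a connection.
SERVICE_PERMISSIONS: dict[str, Any] = {
    "AllowedPrincipals": [
        {"PrincipalType": "Account", "Principal": f"arn:aws:iam::{CONSUMER_ACCOUNT}:root"},
        {"PrincipalType": "All", "Principal": "*"},
    ]
}

# Constructed: connection requests, one of them from an account we do not expect.
CONNECTIONS: dict[str, Any] = {
    "VpcEndpointConnections": [
        {"VpcEndpointId": "vpce-0aaaaaaaaaaaaaaaa", "VpcEndpointOwner": CONSUMER_ACCOUNT,
         "VpcEndpointState": "pendingAcceptance"},
        {"VpcEndpointId": "vpce-0bbbbbbbbbbbbbbbb", "VpcEndpointOwner": "333333333333",
         "VpcEndpointState": "pendingAcceptance"},
        {"VpcEndpointId": "vpce-0ccccccccccccccccc", "VpcEndpointOwner": CONSUMER_ACCOUNT,
         "VpcEndpointState": "available"},
    ]
}


def audit_endpoint_service(config: dict, permissions: dict, consumer_account: str) -> list[str]:
    """Return a list of findings; an empty list means the service matches the expected posture."""
    findings: list[str] = []
    services = config.get("ServiceConfigurations", [])
    if len(services) != 1:
        return [f"expected exactly one service configuration, got {len(services)}"]
    svc = services[0]
    if not svc.get("AcceptanceRequired", False):
        findings.append("AcceptanceRequired is false: connection requests are auto-accepted")
    if not svc.get("NetworkLoadBalancerArns"):
        findings.append("no Network Load Balancer is attached to the endpoint service")
    expected_arn = f"arn:aws:iam::{consumer_account}:root"
    principals = [p.get("Principal") for p in permissions.get("AllowedPrincipals", [])]
    if "*" in principals:
        findings.append("allowed principals include '*': any AWS account may request a connection")
    if expected_arn not in principals:
        findings.append(f"expected consumer principal {expected_arn} is not allowed")
    for extra in [p for p in principals if p not in (expected_arn, "*")]:
        findings.append(f"unexpected allowed principal {extra}")
    return findings


def harden(config: dict, permissions: dict, consumer_account: str) -> tuple[dict, dict]:
    """Return corrected copies: manual acceptance on, only the consumer account allowed.
    On a real service the same change is made with
    `aws ec2 modify-vpc-endpoint-service-configuration --acceptance-required` and
    `aws ec2 modify-vpc-endpoint-service-permissions --remove-allowed-principals`."""
    cfg, perms = copy.deepcopy(config), copy.deepcopy(permissions)
    cfg["ServiceConfigurations"][0]["AcceptanceRequired"] = True
    perms["AllowedPrincipals"] = [
        {"PrincipalType": "Account", "Principal": f"arn:aws:iam::{consumer_account}:root"}
    ]
    return cfg, perms


def pending_connections(connections: dict, consumer_account: str) -> tuple[list[str], list[str]]:
    """Split pending requests into (ids safe to accept, ids needing review).
    Accepting is a separate, deliberate step: `aws ec2 accept-vpc-endpoint-connections`."""
    accept, review = [], []
    for c in connections.get("VpcEndpointConnections", []):
        if c.get("VpcEndpointState") != "pendingAcceptance":
            continue
        (accept if c.get("VpcEndpointOwner") == consumer_account else review).append(c["VpcEndpointId"])
    return accept, review


if __name__ == "__main__":
    for f in audit_endpoint_service(SERVICE_CONFIG, SERVICE_PERMISSIONS, CONSUMER_ACCOUNT):
        print("FINDING:", f)
    cfg, perms = harden(SERVICE_CONFIG, SERVICE_PERMISSIONS, CONSUMER_ACCOUNT)
    print("after hardening:", audit_endpoint_service(cfg, perms, CONSUMER_ACCOUNT))
    print("pending (accept, review):", pending_connections(CONNECTIONS, CONSUMER_ACCOUNT))
```

Run against the constructed input, the audit reports the two weaknesses the page warns about (auto-accept and an open principal list), the hardened copy reports none, and only the request owned by the expected consumer account is offered for acceptance; the request from the unknown account is left for review rather than accepted.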