The long-term strategic partnership between Salesforce and AWS opens a new world of promising cross-cloud capabilities. One of the first capabilities that we, at Deloitte, have implemented for a large client is Salesforce Private Connect.
Virtual Private Clouds
As more businesses move their operations to the cloud, secure and private connectivity has become a basic requirement. Virtual Private Clouds (VPCs) address this by giving each tenant a logically isolated network within the provider's shared infrastructure. Salesforce Private Connect takes this a step further: the Salesforce org is exposed to AWS much like another VPC, so integrations between the two platforms run over a fully managed, private AWS connection instead of over the public internet. With attacks growing more sophisticated, keeping integration traffic off the internet is a worthwhile reduction of the attack surface.
Private Connections
With a private connection, integration traffic travels over the AWS private network rather than the public internet, so neither the Salesforce endpoints nor the AWS application needs to be reachable from the internet for this traffic. That removes a whole class of exposure: internet-facing listeners, and interception or tampering with traffic outside AWS. It is a network-layer control, not a substitute for the other layers. The connection carries the same HTTPS requests, and the endpoints still authenticate and authorize every request as before; Private Connect narrows who can reach them, it does not decide who may use them.
Private Connect Architecture
Salesforce Transit VPC
Let's look at the architecture underlying this product. To integrate a Salesforce org with an application in an AWS VPC, we begin by creating the inbound and outbound Private Connect connections in our org via the Setup menu; no Apex code is needed. Salesforce then provisions a Salesforce Transit VPC on AWS infrastructure, which terminates both the inbound and the outbound connections of our org. On the AWS side, the client's VPC connects to the Salesforce Transit VPC using AWS PrivateLink, the AWS service that exposes a service running in one VPC to another VPC as a private interface endpoint, without VPC peering and without public IP addresses.
Private Connect in action
- AWS to Salesforce: When the AWS application connects to an API endpoint under the domain of our Salesforce org, the VPC's PrivateLink interface endpoint (not VPC peering, which is a different AWS construct) carries the request to the Salesforce Transit VPC instead of to the public internet; inside the VPC the org's hostname resolves to the private IP address of that endpoint. The Transit VPC then routes the request straight to our Salesforce environment.
- Salesforce to AWS: For a Salesforce callout to use Private Connect, the endpoint in our named credential must refer to the outbound connection's Private Connect URL rather than to a public hostname. The request is then sent to the Salesforce Transit VPC and on to the AWS VPC over the internal network.
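A practical check for the AWS-to-Salesforce flow, added here as an illustration rather than taken from the original post or from Salesforce or AWS documentation: a PrivateLink interface endpoint is a set of elastic network interfaces with private IP addresses inside your VPC's subnets, so the inbound path is only really private if, from inside the VPC, the org's hostname resolves to those addresses and nothing else. The script below resolves a hostname with whatever resolver the host is configured to use and classifies the answers against the VPC CIDRs; a mixed answer set is treated as a failure, because a client that round-robins onto the public address is still internet-exposed. The VPC CIDR `10.0.0.0/16`, the placeholder hostname and the sample addresses are assumptions for illustration.

```python
"""Verify from inside an AWS VPC that a Salesforce org hostname resolves to the
PrivateLink interface endpoint rather than to a public address.

Added example; not code from the original post or from Salesforce/AWS.
The VPC CIDR and hostnames are assumptions for illustration.
"""
import ipaddress
import socket
import sys
from typing import Dict, Iterable, List

# Assumed: the CIDR block(s) of the VPC that holds the interface endpoint.
VPC_CIDRS = ["10.0.0.0/16"]


def classify_addresses(addresses: Iterable[str], vpc_cidrs: Iterable[str]) -> Dict[str, List[str]]:
    """Sort resolved addresses into three buckets.

    private_path  - inside one of our VPC CIDRs: an interface-endpoint ENI, the private path.
    other_private - private (RFC 1918 / special-use) but outside our VPC, e.g. a peered
                    network; not a PrivateLink endpoint of this VPC, so treated as suspicious.
    public        - a globally routable address; requests to it leave over the internet.
    """
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    buckets: Dict[str, List[str]] = {"private_path": [], "other_private": [], "public": []}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in nets):
            buckets["private_path"].append(addr)
        elif ip.is_private:
            buckets["other_private"].append(addr)
        else:
            buckets["public"].append(addr)
    return buckets


def uses_private_connect(addresses: Iterable[str], vpc_cidrs: Iterable[str] = VPC_CIDRS) -> bool:
    """True only if every resolved address is an endpoint inside our VPC.

    An empty or mixed answer set fails: with a public address in the mix the
    client may pick it, and a 'mostly private' integration is still exposed.
    """
    buckets = classify_addresses(addresses, vpc_cidrs)
    return (
        bool(buckets["private_path"])
        and not buckets["public"]
        and not buckets["other_private"]
    )


def resolve(hostname: str, port: int = 443) -> List[str]:
    """Resolve with the resolver this host uses (inside the VPC, the VPC resolver)."""
    infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Usage, from an instance inside the VPC:
    #   python check_private_path.py myorg.my.salesforce.com
    host = sys.argv[1] if len(sys.argv) > 1 else "example.my.salesforce.com"  # assumed placeholder
    answers = resolve(host)
    print(host, "->", answers, classify_addresses(answers, VPC_CIDRS))
    sys.exit(0 if uses_private_connect(answers) else 1)
```

Run it from an EC2 instance or container in the same VPC as the interface endpoint; run from a laptop it will naturally report the public address. A non-zero exit is a signal to look at the Route 53 private hosted zone (or whatever DNS mapping was configured for the org's domain) before trusting that the integration is off the internet.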
Benefits of Private Connect
- Security at the forefront: Communicating over a private connection keeps integration traffic off the public internet, so the integration endpoints need not be exposed there, and the data and credentials in transit are out of reach of internet-based interception or credential theft.
- Simple setup: This powerful integration product is wrapped behind an easy-to-use interface. On the Salesforce side, setup consists of a handful of click-to-configure steps in which we enter the details of the AWS VPC we want to integrate with. With the additional license and some straightforward configuration on both sides, Salesforce and AWS share a private connection.
Additional Considerations
- Outbound integrations can use Private Connect only if they go through a named credential; a callout with a hard-coded endpoint stays on the public internet.
- An additional license is needed to make use of Private Connect. One license is needed per AWS region, and it covers both inbound and outbound integrations over Private Connect.
- Private Connect is available only in a limited set of AWS regions.
- Among sandboxes, only Full Copy and Partial Copy sandboxes support this technology at the moment.