private connection for partner VPC

Hi team,

We want to exchange presigned URLs to securely retrieve and upload client files, as well as to exchange API call responses. These interactions will occur through

  • an API Gateway and
  • a Lambda function within our VPC communicating directly with Salesforce in the partner VPC.

We would like to know which is the best option to keep this traffic secure between our VPC and the Salesforce VPC:

  • whitelisting on firewalls and security groups, or
  • a PrivateLink connection, or
  • a site-to-site VPN

In the case of PrivateLink, the process is to create:

  • a VPC Endpoint (Interface) for the API Gateway service within the partner VPC. Subsequently, we extract the VPC endpoint ID (from the partner VPC), which we then incorporate into the resource policy of our API Gateway (in our VPC), so that our API GW can accept connections only from that VPCE.
  • a VPC Endpoint (Interface) inside our VPC for the Lambda function service, so that it can accept calls only from our Lambda function.

Is this a correct process to establish private connectivity/PrivateLink to exchange API calls between our VPC and the partner VPC?

Is whitelisting and going over the public internet still a solution to look at?

Thank you so much for your guidance.
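The resource-policy step from the question, written out as an added example (this is not code from the post or from AWS): a private REST API policy that denies any invoke not arriving through the partner's interface endpoint, plus a small evaluator to check a candidate source against it. The endpoint ID, account, region and API ID are constructed placeholders.

```python
import json
import re

# Constructed placeholders: substitute the partner's real VPCE ID and your API's ARN.
PARTNER_VPCE_ID = "vpce-0123456789abcdef0"
API_ARN = "arn:aws:execute-api:eu-west-1:111122223333:a1b2c3d4e5/*"

# Interface endpoint IDs are "vpce-" followed by 8 or 17 hex characters.
VPCE_RE = re.compile(r"^vpce-[0-9a-f]{8}(?:[0-9a-f]{9})?$")


def build_private_api_policy(api_arn, allowed_vpce_ids):
    """Resource policy for a private API (endpointConfiguration PRIVATE):
    explicit Deny for every caller whose aws:SourceVpce is not in the list,
    then a blanket Allow that only the listed endpoints can reach."""
    for vpce in allowed_vpce_ids:
        if not VPCE_RE.match(vpce):
            raise ValueError(f"not a VPC endpoint ID: {vpce!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": list(allowed_vpce_ids)}},
            },
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke", "Resource": api_arn},
        ],
    }


def is_invoke_allowed(policy, source_vpce):
    """Minimal evaluation of the policy above for one request.
    source_vpce=None models a request that did not come through any endpoint
    (e.g. from the public internet); a missing key satisfies StringNotEquals,
    so such a request hits the Deny. An explicit Deny always wins."""
    allowed = False
    for stmt in policy["Statement"]:
        not_equals = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:SourceVpce")
        if not_equals is not None and source_vpce in not_equals:
            continue  # condition not met, statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(build_private_api_policy(API_ARN, [PARTNER_VPCE_ID]), indent=2))
```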

2 Answers

In your question you mentioned that you "want to exchange presigned URLs to securely retrieve and upload client files, as well as to exchange API call responses." Breaking down your requirements into 2 parts here:

  1. Allow Salesforce to make API calls to your service hosted on a Lambda function behind an API Gateway in your VPC.
  2. Allow you to upload & download files to the Salesforce VPC.

A key factor to remember when using PrivateLink is that it operates on a Service Provider and Consumer model. This means if you configure your side as the service provider by creating a VPC endpoint service for your API Gateway, you can share this service with Salesforce and they can send requests to it by creating a VPC Interface Endpoint for this service in their VPC.

This blog explains using VPC links in Amazon API Gateway. Once deployed, Salesforce can make API calls to your service securely and you can send a response, but you can also use this infrastructure to send requests to any APIs that you may want to consume in Salesforce's VPC. To do this, Salesforce must create a VPC endpoint service and share it with you, and you will create an interface endpoint for the service. You can use endpoint policies to control access to the service.

You might also consider using VPC Lattice, it can also provide this connectivity. This blog discusses building private serverless APIs and working with VPC Lattice.

For upload & download of files you might work with PrivateLink or will have to consider an alternate approach; it is hard to make a recommendation with the information I have here from the question. I would suggest raising this with your AWS account representative or opening a support case if you need further guidance.

AWS
answered 8 months ago

Hello.
I think your way is the most common way to use PrivateLink.
PrivateLink is useful for use cases where services in a VPC are exposed to the VPC of another AWS account.
PrivateLink can be used to allow secure access only to specific services from within a VPC.
https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html

answered 8 months ago
reviewed 8 months ago
