AWS Partner Network (APN) Blog

How to Access Salesforce Hyperforce Securely and Reliably with AWS Direct Connect

By Marc de Bruijn, Principal Network Engineer, Infrastructure Architecture – Salesforce
By Sławek Balcerzak, Sr. Network Specialist Solutions Architect – AWS


Salesforce customers who are hosted on Hyperforce (the next-generation Salesforce infrastructure architecture deployed on Amazon Web Services) can access their services over the public internet. However, some customers have compliance, reliability, or other requirements that call for a dedicated, managed connection.

When hosted in Salesforce’s first-party environment, customers can obtain Salesforce Express Connect (SEC), provided via a telecom partner, but SEC is not compatible with Hyperforce.

When customers require direct network connectivity from their on-premises environment to Hyperforce, AWS Direct Connect is a practical option. It provides access into the AWS network with dedicated bandwidth and a connectivity service-level agreement (SLA).

In this post, we describe how to use AWS Direct Connect to access Hyperforce and provide Salesforce and AWS best practices for deploying it.

Salesforce is an AWS Specialization Partner and trusted global leader in customer relationship management (CRM). Salesforce makes cloud-based software designed to help businesses find more prospects, close more deals, and wow customers with amazing service.

AWS Direct Connect Basics

AWS Direct Connect (DX) offers the most direct way to access resources on AWS. It can be configured to provide private access (into a virtual private cloud) and/or public access (to services reachable via public IP addresses, such as Hyperforce).

Depending on the required speed and planned future use, customers can obtain either hosted or dedicated Direct Connect connections. Dedicated DX connections are offered in speeds of 1, 10, and 100 Gbps and are ordered directly from AWS. Dedicated connections can carry multiple virtual interfaces (VIFs), so they can also be used for private connectivity to a customer’s own environment on AWS (resources in VPCs), if desired.

Hosted connections, on the other hand, can be deployed in more speed variants, which provides a better match for bandwidth needs and potentially offers cost savings. Each connection of this type can host only one VIF, however, and customers can obtain them through their existing SEC providers (who are also DX delivery partners) or from a variety of other partners.

Once a customer obtains their DX connections (hosted or dedicated) and has an AWS account, they must set up a public virtual interface. A public VIF gives access to all public AWS service endpoints and to services deployed behind public IP addresses on AWS, Hyperforce in particular.

For completeness, the diagram below shows the differences and structure of private, transit, and public VIFs.

Figure 1 – AWS Direct Connect connection (dedicated) with public, private, and transit VIFs deployed.

In Figure 1, the green path (Private Virtual Interface) is used for connectivity from customer locations to a virtual private cloud (VPC). If the optional Direct Connect Gateway (DX-GW) is deployed, one VIF can provide connectivity to several VPCs.

The second option is a Transit Virtual Interface (orange path), which provides connectivity from the customer location and router to an AWS Transit Gateway (TGW). Because a TGW can be attached to a large number of VPCs, this method scales up the number of VPCs that can communicate with the customer location.

Finally, the third type of VIF is the main focus of this article: the blue path (Public Virtual Interface), which is used for Hyperforce connectivity. Traffic is sent from the customer location and, after it arrives at a Direct Connect location, is routed through the AWS network either to AWS public services or to services deployed on AWS that are reachable via Elastic IP addresses (such as Hyperforce).

Each dedicated Direct Connect connection can serve multiple VIFs at the same time. Check the AWS Direct Connect Quotas to find the limits for the service in terms of the maximum number of VPCs, TGWs, and routes that are supported.

Connecting to Hyperforce via AWS Direct Connect

Locations

AWS Direct Connect is offered at a number of locations. Customers need to work with DX delivery partners to obtain Layer 2 connectivity to them, or with their data center operator if they already have resources deployed in the same facility. When using hosted Direct Connect, additional options may be available from the hosting partner. It’s best to connect to the geographically closest locations to minimize the cost of the last-mile connection.

Resiliency and Reliability

Another best practice is to obtain diverse Direct Connect circuits from multiple on-premises locations into multiple DX locations. If hosted DX is planned, using diverse DX partners is another way to improve resiliency.

The exact number of circuits must be evaluated against your own capacity needs and failure scenarios, but for production environments we suggest the high or maximum resiliency models described in the Direct Connect Resiliency Recommendations. Different SLAs apply depending on the architecture selected.

Encryption

The connection between a customer location and a Direct Connect location is a Layer 2, Ethernet-based link. To protect data in transit on that link, use MACsec where it is available: it encrypts traffic between the customer’s edge router and the DX router while it traverses the L2 link. MACsec is offered on dedicated connections at DX locations that support it, so check availability before ordering.

From there, traffic is transparently encrypted at the physical layer between AWS data centers. AWS recommends a multi-layer approach to data encryption, so MACsec does not replace other methods such as application-layer encryption via Transport Layer Security (TLS).

Fast Failover

Routing information between the AWS network and the customer’s router is exchanged dynamically through Border Gateway Protocol (BGP). To improve failover times, we suggest customers implement Bidirectional Forwarding Detection (BFD). AWS enables asynchronous BFD on Direct Connect virtual interfaces by default (300 ms interval, detection multiplier of 3), but it takes effect only once BFD is also configured on the customer router; until then, a failed link is detected only when the BGP hold timer expires.

Routing Security

In order to use a public VIF, customers must peer with AWS using public IP addresses. Customers may consider advertising to AWS a public IP address space that is not advertised to the public internet, which ensures traffic from AWS to these IPs is routed only over the Direct Connect connections. To ensure users reach Hyperforce only through the DX connection, customers can add the IP prefixes selected for the DX connection to the trusted IP ranges of their organization. Note that trusted IP ranges in Salesforce govern identity verification at login; to actually restrict where users may log in from, use login IP ranges on the relevant profiles.

Note that AWS will not announce to the internet any IP addresses advertised over a DX connection, but other customers with resources deployed on AWS can still route to these ranges across the AWS network, so anything exposed on them needs its own access controls.
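As an added illustration (not tooling from AWS or Salesforce), the following Python script applies the checks above to a planned set of DX advertisements: it flags RFC 1918 space, which a public VIF will not accept, and prefixes that overlap what the same organization also announces to the internet, where longest-prefix matching can pull traffic away from DX. The prefixes and the trusted-range lookup use documentation address space and are constructed for the example.

```python
"""Sanity checks for the public prefixes a customer plans to advertise to AWS
over a Direct Connect public VIF. Illustrative code written for this post,
not AWS or Salesforce tooling."""
import ipaddress

# RFC 1918 space is not accepted on a public VIF; only public IPs may be advertised.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_dx_advertisements(dx_prefixes, internet_prefixes):
    """Return a list of (prefix, problem) findings for the planned DX advertisements.

    dx_prefixes:       prefixes to announce to AWS over the public VIF.
    internet_prefixes: prefixes the same organization announces to its ISPs.
    """
    findings = []
    dx_nets = [ipaddress.ip_network(p, strict=True) for p in dx_prefixes]
    inet_nets = [ipaddress.ip_network(p, strict=True) for p in internet_prefixes]
    for dx in dx_nets:
        if any(priv.version == dx.version and dx.subnet_of(priv) for priv in RFC1918):
            findings.append((str(dx), "private (RFC 1918) space cannot be advertised on a public VIF"))
        for inet in inet_nets:
            if not dx.overlaps(inet):
                continue
            # Longest prefix match wins on every router: if the internet announcement
            # is at least as specific as the DX one, AWS is not forced to reach that
            # part of the space over DX and the "DX-only" assumption breaks.
            if inet.prefixlen >= dx.prefixlen:
                findings.append((str(dx), f"also reachable via internet announcement {inet}; "
                                          "traffic may bypass DX"))
            else:
                findings.append((str(dx), f"more specific than internet announcement {inet}; "
                                          "DX wins, but the space is not DX-only"))
    return findings


def in_trusted_ranges(client_ip, dx_prefixes):
    """True if a login/source address falls inside the DX-only prefixes, i.e. the
    ranges a customer would add as trusted IP ranges in Salesforce."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(p) for p in dx_prefixes if ipaddress.ip_network(p).version == ip.version)


# Constructed example plan (documentation prefixes, not real customer space).
DX_PLAN = ["203.0.113.0/24", "10.20.0.0/16"]
INTERNET_PLAN = ["203.0.113.128/25", "198.51.100.0/24"]

if __name__ == "__main__":
    for prefix, problem in check_dx_advertisements(DX_PLAN, INTERNET_PLAN):
        print(f"{prefix}: {problem}")
    print("203.0.113.42 trusted:", in_trusted_ranges("203.0.113.42", DX_PLAN))
```

Run against the constructed plan, the script reports the RFC 1918 prefix and the /24 whose upper half is also announced to the internet; the remaining DX-only space is what belongs in the trusted IP range list.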

Prioritizing Routing Over AWS Direct Connect

The public IP prefixes used by Hyperforce are advertised both over the public VIF on a DX connection and to the internet, so customers may learn the same prefixes from the DX connection and from their ISP. When they do, set routing policies on the on-premises routers so that the DX-learned routes are preferred, for example by assigning them a higher BGP local preference. AWS also attaches BGP communities to the prefixes it advertises on a public VIF, which can be used to accept only the prefixes for the regions you need.
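To make the preference and failover behavior from the two sections above concrete, here is an added Python simulation (written for this post, not vendor or AWS code) of the import policy and the BGP best-path decision: routes learned from the DX sessions receive a higher local preference, and a BFD down event withdraws that session’s routes so the ISP path takes over until DX returns. The neighbor names and the Hyperforce prefix 198.51.100.0/24 are constructed stand-ins; the AWS ASN 7224 and the BFD defaults noted in the comments are AWS’s documented values.

```python
"""Simulation of the on-premises import policy that keeps Hyperforce traffic on
AWS Direct Connect, and of BFD-driven failover to the ISP path.
Illustrative code written for this post, not a router or AWS implementation."""
from dataclasses import dataclass, replace

AWS_DX_ASN = 7224          # ASN AWS uses on Direct Connect public VIFs
DEFAULT_LOCAL_PREF = 100   # what routers assign when no policy is applied
DX_LOCAL_PREF = 200        # policy value: prefer DX over any internet path


@dataclass(frozen=True)
class Route:
    prefix: str
    neighbor: str          # BGP session the route was learned from
    as_path: tuple         # AS numbers, nearest first
    local_pref: int = DEFAULT_LOCAL_PREF


def import_policy(route, dx_neighbors):
    """Route-map equivalent: raise LOCAL_PREF on routes learned over DX sessions.
    LOCAL_PREF is evaluated before AS_PATH, so this wins regardless of what path
    length the ISP presents."""
    if route.neighbor in dx_neighbors:
        return replace(route, local_pref=DX_LOCAL_PREF)
    return route


def best_path(routes):
    """BGP decision process reduced to the steps that matter here: highest
    LOCAL_PREF, then shortest AS_PATH, then lowest neighbor name standing in
    for the router-ID tie-break."""
    if not routes:
        return None
    return sorted(routes, key=lambda r: (-r.local_pref, len(r.as_path), r.neighbor))[0]


class Rib:
    """Per-neighbor Adj-RIB-In plus BFD session state."""

    def __init__(self, dx_neighbors):
        self.dx_neighbors = set(dx_neighbors)
        self.routes = {}   # neighbor -> list[Route] after import policy
        self.bfd_up = {}   # neighbor -> bool

    def learn(self, route):
        self.routes.setdefault(route.neighbor, []).append(import_policy(route, self.dx_neighbors))
        self.bfd_up.setdefault(route.neighbor, True)

    def bfd_event(self, neighbor, up):
        """BFD declares a neighbor dead after interval * multiplier (AWS defaults:
        300 ms * 3 = 900 ms) instead of waiting for the BGP hold timer. A down
        event tears the session down, withdrawing every route learned from it;
        the simulation keeps the routes and simply ignores them while down, as
        they would be re-learned when the session re-establishes."""
        self.bfd_up[neighbor] = up

    def candidates(self, prefix):
        return [r for n, rs in self.routes.items() if self.bfd_up.get(n, False)
                for r in rs if r.prefix == prefix]

    def best(self, prefix):
        return best_path(self.candidates(prefix))


# Constructed sample: the same (hypothetical) Hyperforce prefix learned three times.
HYPERFORCE_PREFIX = "198.51.100.0/24"   # stand-in, not a real Hyperforce range


def build_rib():
    rib = Rib(dx_neighbors={"dx-primary", "dx-secondary"})
    rib.learn(Route(HYPERFORCE_PREFIX, "dx-primary", (AWS_DX_ASN,)))
    rib.learn(Route(HYPERFORCE_PREFIX, "dx-secondary", (AWS_DX_ASN,)))
    # ISP path: transit ASNs from the documentation range, then AWS.
    rib.learn(Route(HYPERFORCE_PREFIX, "isp", (64496, 64497, AWS_DX_ASN)))
    return rib


def failover_sequence():
    """Neighbor chosen at each step: steady state, primary DX down, both DX
    down, primary DX back."""
    rib = build_rib()
    chosen = [rib.best(HYPERFORCE_PREFIX).neighbor]
    rib.bfd_event("dx-primary", up=False)
    chosen.append(rib.best(HYPERFORCE_PREFIX).neighbor)
    rib.bfd_event("dx-secondary", up=False)
    chosen.append(rib.best(HYPERFORCE_PREFIX).neighbor)
    rib.bfd_event("dx-primary", up=True)
    chosen.append(rib.best(HYPERFORCE_PREFIX).neighbor)
    return chosen


if __name__ == "__main__":
    print(" -> ".join(failover_sequence()))
```

The sequence printed is dx-primary, dx-secondary, isp, dx-primary: with both DX sessions down the ISP route is the only candidate left, and as soon as BFD reports the primary up again the higher local preference pulls traffic back onto Direct Connect.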

FAQ

Can I control my AWS Direct Connect Connection to allow traffic only to/from Salesforce?

Follow the best practices identified in this help article to retain uninterrupted access to Salesforce services on Hyperforce.

As Hyperforce scales rapidly, the manual overhead of maintaining IP allow lists becomes unmanageable for customers and may cause service disruptions. Because of the large number of non-contiguous public IP addresses Salesforce uses on AWS, IP allow listing is not supported at this time, and maintaining IP allow lists is no longer a Salesforce security best practice.

If you need to control traffic via allow lists, domain-based control is recommended: allow the required domains. Secure access to these domains is enforced through HTTPS and Transport Layer Security (TLS) client certificates.
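Domain-based control is only as good as the hostname matching behind it. The following Python example, added here and not Salesforce’s published domain list or tooling, shows the pitfalls an egress proxy or firewall rule must avoid: a bare suffix match accepts look-alike names such as evilsalesforce.com, whereas a label-aware match does not; IP literals are denied because they sidestep a domain policy. The patterns are illustrative, and the hostname is assumed to come from the HTTP Host header or the TLS SNI seen by the proxy.

```python
"""Domain-based allow-list matching for outbound Hyperforce traffic.
Added illustration for this post; the patterns below are examples, not the
required-domain list Salesforce publishes."""
import ipaddress

# Constructed patterns. "*.example" matches any host at least one label below
# "example" and never "example" itself; exact names match only themselves.
ALLOWED_PATTERNS = [
    "*.salesforce.com",
    "*.force.com",
    "login.salesforce.com",
]


def normalize_host(host):
    """Lowercase, drop a trailing dot and an explicit port."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):          # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        host = host.split("]")[0][1:]
    elif host.count(":") == 1:        # host:port
        host = host.split(":")[0]
    return host


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def naive_allowed(host, suffixes=("salesforce.com", "force.com")):
    """The common mistake: a bare suffix match also accepts evilsalesforce.com."""
    return host.lower().endswith(suffixes)


def host_allowed(host, patterns=ALLOWED_PATTERNS):
    """Label-aware match: wildcards only match whole labels below the base name."""
    host = normalize_host(host)
    if not host or is_ip_literal(host):
        return False                  # IP literals bypass a domain policy: deny
    labels = host.split(".")
    if any(not label for label in labels):
        return False                  # "a..b" and similar malformed names
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            base = pattern[2:].split(".")
            if len(labels) > len(base) and labels[-len(base):] == base:
                return True
        elif host == pattern:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample of hostnames an egress proxy might see.
    for name in ("MyOrg.my.Salesforce.com.", "login.salesforce.com:443",
                 "evilsalesforce.com", "salesforce.com", "198.51.100.5"):
        print(f"{name:28} naive={naive_allowed(name)!s:5} label-aware={host_allowed(name)}")
```

The wildcard deliberately does not match the bare base name, so a base domain that must itself be reachable has to be listed explicitly, as login.salesforce.com is here.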

I have services in Hyperforce and in Salesforce’s on-premises data centers—can I use both SEC and AWS Direct Connect?

Yes. SEC and DX are separate services and can be run in parallel. Some telco partners may be able to provide access to both over the same physical connection. For details, please contact your Salesforce Express Connect provider.

Can I connect to AWS Direct Connect using my existing Salesforce Express Connect partner?

All Salesforce Express Connect partners support AWS Direct Connect connectivity in some form. For details, please contact your Salesforce Express Connect provider.

Once AWS Direct Connect has been deployed, are there any changes that need to be made in my Salesforce Org to enable network traffic to flow through DX?

No specific changes are required, as everything happens at the network level. Adding the DX prefixes to the organization’s trusted IP ranges, as described above, is optional.

How can I expose an internal service to my Salesforce instance?

Customers may consider advertising to AWS a public IP address space that is not advertised to the public internet. This ensures traffic from the AWS network is routed to these IPs only over the AWS Direct Connect connections. Customers can also add these IPs to the trusted IP ranges for their organization. Note that this means AWS, and all AWS customers, can reach these IP prefixes, so the exposed service must enforce its own authentication and filtering (for example, mutual TLS or another authorization method).

How is AWS Direct Connect different than Private Connect?

Private Connect is used to securely connect a Salesforce Org to a customer’s AWS services for cross-cloud integrations between the two; it is built on AWS PrivateLink. More information can be found in the Salesforce documentation.

SEC and DX, by contrast, are direct network connectivity products that give a customer’s end users and on-premises applications access to Salesforce and to the AWS network, respectively.

Conclusion

In this post, we shared best practices for customers who have direct connectivity requirements and need to reach Hyperforce. Salesforce Express Connect (SEC) is not supported on Hyperforce; AWS Direct Connect with a Public Virtual Interface (VIF) is an option that may work for some customers.

We also included answers to frequently asked questions regarding direct connectivity and Hyperforce, tailored towards customers who use SEC today.



Salesforce – AWS Partner Spotlight


Contact Salesforce | Partner Overview | Case Studies