AWS Partner Network (APN) Blog

Private Integration Between Salesforce and Amazon API Gateway

By Pete Davis, Partner Solution Architect – AWS
By Arnaud Lauer, Partner Solutions Architect – AWS
By Fianko Buckle, Associate Product Manager – Salesforce


Integrations between Salesforce software as a service (SaaS) solutions and Amazon Web Services (AWS) extend each platform with new capabilities that enable organizations to solve unique business challenges. For example, customers are leveraging Salesforce to build modern user journeys or workflows and AWS for implementing backend services, integrating with external systems, or leveraging data and analytics services to extract data insights.

By integrating Salesforce and AWS, customers can benefit from the use of automation and tightly integrated services to meet security and connectivity needs. Typically, this will be achieved through asynchronous integrations using services such as Amazon AppFlow or Amazon EventBridge.

Using an asynchronous approach ensures the Salesforce resources can be released while the request is being processed. With such patterns, customers can build data pipelines to move data from Salesforce to AWS for near real-time analytics or enrich Salesforce data with AWS machine learning (ML) capabilities such as personalization.

For some use cases, such as where a user is waiting for a response in Salesforce Experience Cloud, a synchronous request may be preferred. Synchronous integrations should be reserved for requests that return quickly and are not called at high volume, because a Salesforce transaction holds its resources until the callout completes and those resources can be exhausted. In addition, customers expect critical data to be transferred in a private, secure, and scalable manner.

Salesforce is an AWS Specialization Partner and a widely used platform that allows organizations to rapidly build functional business applications. Low-code solutions can help you build customized apps by integrating ready-made components such as API services, data integration services, authentication, event log framework, analytics, and collaboration.

Salesforce External Services allows you to connect your Salesforce organization to an external API using zero lines of code. External Services can be used in Flow Builder, a tool that provides declarative process automation for every experience within the Salesforce platform with point-and-click automation.

In this post, we provide an overview of how to implement a secure private integration between Salesforce and a private Amazon API Gateway using AWS PrivateLink technology to support a synchronous user experience while meeting security and performance requirements.

For a detailed step-by-step walkthrough, including how the integration can be leveraged in a Salesforce Flow, please follow the steps in the accompanying GitHub repository.

Architecture Overview

The architecture below shows how the Salesforce features Salesforce Private Connect, Named Credentials, and External Services are leveraged to simplify the setup of a secure, private, authenticated connection between your Salesforce and AWS environments.

Salesforce Private Connect provides a secure private connection with AWS using AWS PrivateLink. Named Credentials allows authentication tokens for external services to be stored in the Salesforce organization’s encrypted credential store.

By using these features, critical data can flow from the Salesforce environment to AWS without using the public internet. The traffic will be routed from the Salesforce managed virtual private cloud (VPC) through an API Gateway VPC endpoint before being routed to the private API in the customer account.


Figure 1 – Solution overview.

Solution Walkthrough

You can implement this solution using this detailed walkthrough in GitHub. You’ll be able to rapidly set up Salesforce Private Connect, create an invocable action, and build a Flow without writing any code. The Flow will call the Amazon API Gateway.

Key features of the solution are:

  1. Salesforce External Services allows you to upload an OpenAPI specification exported from Amazon API Gateway to automatically generate invocable actions that can be used in Flow Builder to make callouts to the API Gateway.
  2. Salesforce Private Connect leverages AWS PrivateLink to provide a secure private connection between a Salesforce managed VPC and your AWS account.
  3. Named Credentials remove the need to embed a physical URL in your Flow or to keep authentication tokens in unencrypted data stores. Invocable actions generated by an External Service look up the Named Credential at runtime to obtain the physical endpoint and the authorization credentials from the encrypted credential store. Your AWS credentials are stored in the Named Credential, and only admins have access to them.
  4. The interface VPC endpoint allows you to access a private API isolated from the public internet. A private API is not invocable until it has a resource policy that grants access, so the policy should allow calls only from this specific endpoint (for example, by matching the aws:SourceVpce condition key).
  5. Amazon API Gateway will be used to provide a REST interface for applications to access data, business logic, or functionality from your backend services. It can be integrated with a number of different integration endpoints such as AWS Lambda functions, HTTP endpoints, or other AWS services. A private API is only reachable through an interface VPC endpoint; in this example, that endpoint lives in the Salesforce managed VPC.
  6. Before invoking Amazon API Gateway, AWS Security Token Service (AWS STS) is used to exchange the long-term credentials stored in the External Credential for short-term credentials of a role that has been granted access to the API Gateway.
  7. The AWS Lambda function is used to execute the business logic of the request in this example.
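The two AWS-side controls that items 4 through 6 depend on are the private API's resource policy and the least-privilege role that Salesforce assumes through AWS STS. The CloudFormation template below is an added example written for this post; it is not code from the original post or its GitHub repository. The stage name `prod`, the path `/orders`, the VPC endpoint ID, and the IAM user whose access key is stored in the External Credential are placeholders you would replace with your own values.

```yaml
# Added example, not from the original post or its repository.
# Assumed values: stage "prod", resource "/orders", the Private Connect
# VPC endpoint ID, and the IAM user whose key lives in the External Credential.
AWSTemplateFormatVersion: "2010-09-09"
Description: Private REST API reachable only through the Salesforce Private Connect endpoint

Parameters:
  SalesforceVpcEndpointId:
    Type: String
    Description: execute-api interface endpoint created by Salesforce Private Connect (e.g. vpce-0123456789abcdef0)
  NamedCredentialUserArn:
    Type: String
    Description: IAM user whose access key is stored in the External Credential (e.g. arn:aws:iam::111122223333:user/salesforce-named-credential)

Resources:
  PrivateApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: salesforce-private-api
      EndpointConfiguration:
        Types: [PRIVATE]
        VpcEndpointIds: [!Ref SalesforceVpcEndpointId]
      # A private API cannot be invoked until its resource policy grants access.
      # Allow only requests that arrived through the Salesforce endpoint, and add
      # an explicit Deny for every other source so a later, broader Allow cannot
      # silently widen the exposure. "execute-api:/*" is the form CloudFormation
      # accepts here because the API ID is not known while the API is created.
      Policy:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowFromSalesforceEndpoint
            Effect: Allow
            Principal: "*"
            Action: execute-api:Invoke
            Resource: execute-api:/*
            Condition:
              StringEquals:
                aws:SourceVpce: !Ref SalesforceVpcEndpointId
          - Sid: DenyOtherSources
            Effect: Deny
            Principal: "*"
            Action: execute-api:Invoke
            Resource: execute-api:/*
            Condition:
              StringNotEquals:
                aws:SourceVpce: !Ref SalesforceVpcEndpointId

  # Role that Salesforce assumes via AWS STS before signing the callout.
  # Only the IAM user behind the External Credential may assume it, and the
  # role may invoke exactly one method on one stage.
  SalesforceInvokeRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: salesforce-invoke-orders
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref NamedCredentialUserArn
            Action: sts:AssumeRole
      Policies:
        - PolicyName: invoke-orders-only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: execute-api:Invoke
                Resource: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${PrivateApi}/prod/POST/orders

Outputs:
  SalesforceRoleArn:
    Description: Role ARN to reference from the Salesforce External Credential
    Value: !GetAtt SalesforceInvokeRole.Arn
```

Two things to check once this is deployed. First, the API method itself should use `AWS_IAM` authorization so that the network boundary is not the only control: the resource policy's `Principal: "*"` then means "any caller that also presents valid SigV4 credentials and arrives through this endpoint", not "anyone in the VPC". Second, the IAM user referenced by `NamedCredentialUserArn` needs only `sts:AssumeRole` on this role and nothing else, so a leaked long-term key from the Salesforce credential store cannot reach the API directly.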

With this solution, customers can build applications that require synchronous responses to business integration logic hosted in AWS. Customers benefit from higher performance since the traffic is routed over the AWS backbone rather than the public internet.

Conclusion

The long-standing collaboration between Salesforce and AWS delivers integrations that can be implemented at low cost, reduce total cost of ownership (TCO), and build on applications already integrated into the Salesforce platform. These integrations between Salesforce and AWS solutions enable better control of business-critical processes.

In this post, we explained how you can leverage Salesforce Private Connect to implement real-time secure and performant synchronous integration between Salesforce and AWS for use cases that require these patterns. If you want to learn more about the other integration patterns, please refer to this whitepaper.