Establish private connectivity between Salesforce and your on-premises network using AWS Direct Connect

Salesforce is an AWS Partner and a trusted global leader in customer relationship management (CRM). Hyperforce is the next-generation Salesforce architecture, built on Amazon Web Services (AWS).

When business applications developed on Hyperforce are integrated with on-premises systems, traffic in both directions will flow over the internet. For customers in heavily regulated industries such as the public sector and financial services, programmatic access of the Salesforce APIs hosted on Hyperforce from on-premises systems is required to traverse a private connection. Conversely, accessing on-premises systems from business applications running in Hyperforce is required to use a private connection.

In this post, we describe how AWS Direct Connect and AWS Transit Gateway can be used in conjunction with Salesforce Private Connect to facilitate the private, bidirectional exchange of organizational data.

Architectural overview

In a previous post, you learned how to use AWS Direct Connect to establish a dedicated, managed, and reliable connection to Hyperforce. The approach used a public virtual interface to facilitate connectivity to public Hyperforce endpoints.

The approach in this post demonstrates the use of a private or transit virtual interface to establish a dedicated, private connection to Hyperforce using Salesforce Private Connect.

Approach

AWS Direct Connect is set up between the on-premises network and a virtual private cloud (VPC) residing inside a customer’s AWS account to provide connectivity from the on-premises network to AWS.

The exchange of data between the customer VPC and Salesforce’s transit VPC is facilitated through the Salesforce Private Connect feature, based on AWS PrivateLink technology. AWS PrivateLink allows consumers to securely access a service located in a service provider’s VPC as if it were located in the consumer’s VPC. Using Salesforce Private Connect, traffic is routed through a fully managed network connection between your Salesforce organization and your VPC instead of over the internet.

The following table shows the definitions of inbound and outbound connections in the context of Salesforce Private Connect:

This pattern can only be adopted for Salesforce services supported by Salesforce Private Connect, such as Experience Cloud, Financial Services Cloud, Health Cloud, Platform Cloud, Sales Cloud, and Service Cloud. Check the latest Salesforce documentation for the specific Salesforce services that are supported. Furthermore, this architecture is only applicable to the inbound and outbound exchange of data and does not pertain to the access of the Salesforce UI.

The following diagram shows the end-to-end solution of how private connectivity is facilitated bidirectionally. In this example, on-premises servers located on the 10.0.1.0/26 network are required to privately exchange data with applications running on the Hyperforce platform.

Figure 1: Using AWS Direct Connect and Salesforce Private Connect to establish private, bidirectional connectivity

Prerequisites

In order to implement this solution, the following prerequisites are required on both the Salesforce and AWS side.

Salesforce

• Use of a supported Salesforce service (for inbound connectivity to Salesforce API).
• Salesforce Private Connect license. Each Salesforce Private Connect license allows for one provisioned connection in each direction, inbound and outbound.
• Salesforce organization configured with My Domain.

Refer to Salesforce documentation for detailed requirements on migrating your Salesforce organization to Hyperforce.

AWS

• AWS account
• AWS Direct Connect using a private or transit virtual interface (VIF)
• Transit Gateway

Network flow between on-premises data center and Salesforce API

The following figure shows how both inbound and outbound traffic flows through the architecture.

Figure 2: Network flow between on-premises data center and Salesforce

Inbound

1. An application running on premises needs to reach the Salesforce API privately. Traffic from on-premises systems to AWS traverse Direct Connect using either a transit or private VIF.
2. The traffic is targeted at the VPC endpoint residing in the customer’s VPC using a custom DNS record. This record resolves to the IP addresses of the VPC endpoint created for you.
3. The inbound VPC endpoint is associated with the PrivateLink of Salesforce’s inbound Private Connect configuration, which provides private access to supported Salesforce APIs. The private endpoint also supports authentication flows by facilitating access to the Auth2 token endpoint (/services/oauth2/token) required to programmatically retrieve a bearer token. The token is used in subsequent interactions with the Salesforce REST API (for example, /services/data/v60.0/sobjects/Case for case objects). Refer to Salesforce documentation Establish an Inbound Connection with AWS for the steps required to set up the Salesforce configuration.

Outbound

1. An application running on Salesforce needs to reach an on-premises resource privately. Traffic from Salesforce leaves through the Salesforce transit VPC and reaches the customer’s internal Network Load Balancer, which is part of the Salesforce outbound Private Connect configuration. Refer to Salesforce documentation Establish an Outbound Connection with AWS for the steps required to set up the Salesforce configuration.
2. The Network Load Balancer is configured with a target group consisting of one or more IP addresses of on-premises resources. Traffic is forwarded to these IP addresses through the target group.
3. The Transit Gateway routes traffic back to the on-premises resources over the AWS Direct Connect connection.

Considerations

Before you set up the private, bidirectional exchange of organizational data with AWS Direct Connect, AWS Transit Gateway, and Salesforce Private Connect, review these considerations.

Resiliency

We recommend that you set up multiple AWS Direct Connect connections to provide resilient communication paths to the AWS Region, especially if the traffic between your on-premises resources and Hyperforce is business-critical. Refer to the AWS documentation on how to achieve high and maximum resiliency for your AWS Direct Connect deployments.

For inbound traffic flow, we recommend that the VPC endpoint is configured across Availability Zones for high availability. Configure customer DNS records for the Salesforce API with IP addresses associated with the VPC endpoint and implement the DNS failover or load-balancing mechanism on the customer side.

For outbound traffic flow, we recommend that you configure your Network Load Balancer with two or more Availability Zones for high availability.

Security

For inbound traffic flow, source IP addresses used by the incoming connection are displayed in the Salesforce Private Connect inbound configuration. We recommend that these IP ranges be used in Salesforce configurations that permit the enforcement of source IP. Refer to the Salesforce documentation Restrict Access to Trusted IP Ranges for a Connected App to learn how you can use these IP ranges can to control access to the Salesforce APIs.

You access Salesforce APIs using an encrypted TLS connection. AWS Direct Connect also offers a number of additional data in transit encryption options, including support for private IP VPNs over AWS Direct Connect and MAC security. An IP virtual private network (VPN) encrypts end-to-end traffic using an IPsec VPN tunnel, while MAC Security (MACsec) provides point-to-point encryption between devices.

For outbound traffic flow, we recommend that you configure TLS listeners on your Network Load Balancers to ensure that traffic to the Network Load Balancer is encrypted.

Cost optimization

If your use case is to solely facilitate access to Salesforce, you can use a virtual private gateway and a private VIF instead to optimize deployment costs. However, if you plan to implement a hub-spoke network transit hub interconnecting multiple VPCs, we recommend the use of a transit gateway and a transit VIF for a more scalable approach. Refer to the Amazon Virtual Private Cloud Connectivity Options whitepaper and AWS Direct Connect Quotas for the pros and cons of each approach.

Conclusion

Salesforce and AWS continue to innovate together to provide multiple connectivity approaches to meet customer requirements. This post demonstrated how AWS Direct Connect can be used in conjunction with Salesforce Private Connect to secure end-to-end exchanges of data in industries where the use of the internet is not an option.

Reach out to your Salesforce or AWS representative or an AWS Direct Connect Partner to learn more.

A correction was made on August 6, 2024: An earlier version of this post included an incorrect diagram for Figure 1. This diagram has been updated.

About the Authors