
Setting Up an Outbound Private Link Connection

AWS Private Link provides private connectivity between a CloudHub 2.0 private space and services hosted on AWS, including supported AWS-managed services.

CloudHub 2.0 supports two private connectivity options: Virtual Private Network (VPN) and Transit Gateway (TGW). Both operate at Open Systems Interconnection (OSI) layer 3, the network layer.

Private Link operates at OSI layer 4 and offers better isolation. The virtual service appears inside the same network, but the CloudHub 2.0 private space network and your on-prem network aren’t interconnected. Private Link is also service specific. Each service must be explicitly defined in the private space to prevent accidental exposure of sensitive applications.

The advantages of Private Link are:

  • Secure access to services without going through the internet

  • Better isolation between your network and CloudHub 2.0

  • Smaller blast radius if something goes wrong

  • Service-level control over which services are available to CloudHub 2.0

Typical use cases for Private Link are:

  • Private Link from CloudHub 2.0 private space to a service hosted in AWS by your organization

  • Private Link from CloudHub 2.0 private space to a supported AWS service (for example, S3 and Kinesis)

  • Private Link from CloudHub 2.0 private space to third-party services hosted in AWS

    • For example, Private Connect, which enables private connectivity between CloudHub 2.0 and Salesforce

Before You Begin

  1. Provision a private space in CloudHub 2.0.

  2. Obtain a bearer token for calling APIs.

    Follow the instructions from Anypoint identity or external identity to get a bearer access token for your Anypoint organization.

    The token owner must have permissions to manage private spaces.

Configure the Outbound Connections

Follow these steps to set up an outbound Private Link connection from your CloudHub 2.0 private space:

  1. Gather private space availability zones (AZs) and AWS Account ID.

    1. Retrieve information about availability zones for your private space.

      curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/azs -H "Authorization:$AUTHTOKEN"

      Example output:

      [
        "use1-az1",
        "use1-az2",
        "use1-az5"
      ]
    2. Retrieve information about accounts associated with your private space.

      curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/accounts -H "Authorization:$AUTHTOKEN"

      Example output:

      328752079326
  2. Make your services Private Link ready.

    Verify that your services are properly configured for Private Link connectivity before establishing connections:

    AWS S3 Service

    AWS S3 service is already Private Link ready with regional VPC endpoints and a global access endpoint. For cross-region connections, use the global access endpoint.

    Regional Endpoint: com.amazonaws.{region}.s3
    Global Access Endpoint: com.amazonaws.s3-global.accesspoint

    For a complete list of AWS services ready for private link, see AWS PrivateLink-supported services.

    Salesforce Private Connect

    Salesforce Private Connect requires activation as an add-on. After activation:

    1. In Salesforce, go to Setup, enter Private Connect in the Quick Find box, and select Private Connect.

    2. On the Private Connect page, click AWS Regions to reveal available regions.

    3. Select the AWS region that matches your private space region.

    4. Copy the service name for later use.

    Custom Services (Self-Hosted)

    To prepare custom services:

    1. Deploy your service in at least one private space AZ. For high availability, configure 2 AZs.

    2. Expose the service via a network load balancer or application load balancer.

    3. Create an endpoint service following AWS guidance.

    4. Set Acceptance required to Yes to prevent unauthorized connections.

    5. Optionally, configure a private DNS name for your service. CloudHub 2.0 private space automatically picks up the private DNS and makes it available to Mule applications.

      If the service is hosted in the same region as the private space, deploy it in the same availability zones as the private space (the AZ IDs obtained in Configure the Outbound Connections). For cross-region services, you don’t need AZ alignment. Validation for cross-region connectivity isn’t yet complete; its success depends on the configuration.
  3. Share the VPC endpoint services with your CloudHub 2.0 private space:

    1. Configure an endpoint service.

    2. From VPC Endpoint services, select Allow principals. Add arn:aws:iam::{accountId}:root as principal.

      The {accountId} is the account ID obtained in Configure the Outbound Connections.

  4. Gather this information for the API:

    1. Service Name: The endpoint service name, for example:

      1. Customer-hosted endpoint service: com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxxxxxxxx

      2. AWS hosted service: com.amazonaws.us-west-2.s3

    2. Service Region: The region where the VPC endpoint service is located.

    3. Service Owner: The owner of the VPC endpoint service.

      1. Account ID of the endpoint service. For services like Salesforce Private Connect, you can acquire the service owner account ID using the AWS CLI command:

        aws ec2 describe-vpc-endpoint-services --service-names {your-service-name} --region {your-service-region}

        The account ID is in the Owner field.

      2. amazon, if it’s an Amazon service.

    4. Availability Zone IDs: The IDs of the availability zones where you want to establish the private link.

      Check that the AZ IDs match those obtained in Configure the Outbound Connections, and verify the VPC endpoint service uses those AZs.

      Alternatively, specify countOfAzs with an integer value (1 or 2) to have CloudHub 2.0 automatically assign the required number of availability zones. Provide either azIds or countOfAzs, not both.

  5. Create a VPC endpoint in CloudHub 2.0 via API:

    See these specific examples for different service types:

    AWS S3 Endpoint

    To configure an S3 endpoint for your private space, the serviceOwner is amazon. Configure at least two AZs. Because AWS services are available in all of a region’s AZs, you can pick any AZs from your private space.

    curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:bearer {your-token}" -H "Content-Type:application/json" -d '{
      "name": "S3-Global",
      "serviceName": "com.amazonaws.s3-global.accesspoint",
      "serviceRegion": "us-east-1",
      "serviceOwner": "amazon",
      "azIds": ["use1-az1", "use1-az2"]
    }'

Alternatively, use countOfAzs to let CloudHub 2.0 select the availability zones automatically:

curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:bearer {your-token}" -H "Content-Type:application/json" -d '{
  "name": "S3-Global",
  "serviceName": "com.amazonaws.s3-global.accesspoint",
  "serviceRegion": "us-east-1",
  "serviceOwner": "amazon",
  "countOfAzs": 2
}'

Salesforce Private Connect Endpoint

To create a Private Connect endpoint, provide the serviceName, serviceRegion, and the account ID hosting the VPC endpoint service.


curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:bearer {your-token}" -H "Content-Type:application/json" -d '{
  "name": "Private Connect",
  "serviceName": "{your-service-name-for-salesforce-private-connect}",
  "serviceRegion": "{your-salesforce-region}",
  "serviceOwner": "{your-salesforce-service-account-id}",
  "azIds": ["use1-az1", "use1-az2"]
}'

Custom Service Endpoint

For custom services, if you didn’t create your service in the same AZs as the CloudHub 2.0 private space, make sure that the chosen AZs exist in both your service network and the private space.

curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:bearer {your-token}" -H "Content-Type:application/json" -d '{
  "name": "Custom Service",
  "serviceName": "{your-service-name}",
  "serviceRegion": "{your-service-region}",
  "serviceOwner": "{your-service-account-id}",
  "azIds": ["use1-az1", "use1-az2"]
}'

If the VPC endpoint is successfully created, the API returns a vpceId. Get the VPC endpoint status in CloudHub 2.0 using the API:

curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN"

If successful, it returns the DNS names of the VPC endpoint. It also returns the provisioning status:

  • Invalid: VPCE creation failed

  • Valid: VPCE is being provisioned

  • Available

  • PendingAcceptance

Use this command to update a VPC endpoint:

curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceId} -H "Authorization:$AUTHTOKEN" -H "Content-Type:application/json" -d '{
  "name": "{any name}",
  "serviceName": "{service name}",
  "serviceRegion": "{service region}",
  "serviceOwner": "{service owner}",
  "azIds": ["{aws-az-id1}", "{aws-az-id2}"]
}'

You can use "countOfAzs": 2 (valid values: 1 or 2) instead of the azIds array. When you specify countOfAzs, CloudHub 2.0 automatically selects which availability zones to use. Provide either azIds or countOfAzs, not both.

Use this command to delete a VPC endpoint:

curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN"
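The create and update requests above share one body format and the same rules (serviceOwner is amazon or an account ID, azIds or countOfAzs but not both, countOfAzs is 1 or 2, AZ IDs must come from the private space). The following Python is an added example, not MuleSoft's code or API client: it validates a request body against those rules before anything is sent, and maps the status values the GET call returns to the next step this page prescribes. The AZ list is a constructed sample standing in for the /azs response.

```python
import re

# Constructed sample: the AZ IDs the /azs call on this page returns for
# the private space; in practice, load them from that call.
PRIVATE_SPACE_AZS = ["use1-az1", "use1-az2", "use1-az5"]
ACCOUNT_ID = re.compile(r"^\d{12}$")


def build_vpce_request(name, service_name, service_region, service_owner,
                       az_ids=None, count_of_azs=None, space_azs=PRIVATE_SPACE_AZS):
    """Build the body for the vpces POST/PATCH call, enforcing the page's
    rules before anything is sent: serviceOwner is "amazon" or a 12-digit
    account ID; exactly one of azIds/countOfAzs; countOfAzs is 1 or 2; every
    azId belongs to the private space (a typo must not silently request a
    zone the space does not have). Raises ValueError otherwise."""
    if service_owner != "amazon" and not ACCOUNT_ID.match(service_owner):
        raise ValueError("serviceOwner must be 'amazon' or a 12-digit account ID")
    if (az_ids is None) == (count_of_azs is None):
        raise ValueError("provide either azIds or countOfAzs, not both")
    body = {"name": name, "serviceName": service_name,
            "serviceRegion": service_region, "serviceOwner": service_owner}
    if count_of_azs is not None:
        if count_of_azs not in (1, 2):
            raise ValueError("countOfAzs must be 1 or 2")
        body["countOfAzs"] = count_of_azs
    else:
        unknown = sorted(set(az_ids) - set(space_azs))
        if not az_ids or len(set(az_ids)) != len(az_ids) or unknown:
            raise ValueError(f"azIds must be distinct private-space zones; bad: {unknown}")
        body["azIds"] = list(az_ids)
    return body


def next_action(endpoint):
    """Map the status from GET .../vpces/{vpceId} (parsed JSON) to the step
    this page prescribes, so a polling script knows when to stop waiting."""
    status = endpoint["status"].lower()
    if status == "invalid":
        return "failed: " + (endpoint.get("provisioningMessage") or "no message")
    if status == "valid":
        return "wait: endpoint is being provisioned"
    if status == "available":
        return "ready: " + ", ".join(endpoint.get("dnsEntries", []))
    if status == "pendingacceptance":
        if endpoint["serviceOwner"] == "amazon":
            return "wait: AWS accepts connections to its own services"
        return "accept " + endpoint["awsId"] + " on the service owner side"
    return "unknown status: " + endpoint["status"]
```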

After creating the endpoints, establish the connection. List all configured endpoints.

curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:bearer {your-token}"

Example output:

[
  {
    "name": "S3-Global",
    "vpceId": "ec6a2988-5529-4fac-9262-9b9962ce0b50",
    "serviceName": "com.amazonaws.s3-global.accesspoint",
    "serviceRegion": "us-east-1",
    "serviceOwner": "amazon",
    "azIds": [
      "use1-az1",
      "use1-az2"
    ]
  },
  {
    "name": "Private Connect",
    "vpceId": "b7e73b1c-b0ba-489d-b525-8c29a1702186",
    "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-03fa74d9c231a52aa",
    "serviceRegion": "us-east-1",
    "serviceOwner": "784556874502",
    "azIds": [
      "use1-az1",
      "use1-az2"
    ]
  },
  {
    "name": "Custom Service",
    "vpceId": "fc5c9c55-d943-4383-88ac-cc2b51446d54",
    "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-03cef49533264d928",
    "serviceRegion": "us-east-1",
    "serviceOwner": "055970264539",
    "azIds": [
      "use1-az1"
    ]
  }
]

AWS S3 Service

Because AWS manages these services, it establishes the connection automatically.

Salesforce Private Connect

To establish the Private Connect connection, retrieve the endpoint ID using this API command:

curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpce-id} -H "Authorization:bearer {your-token}"

Example output:

{
  "name": "Private Connect",
  "vpceId": "b7e73b1c-b0ba-489d-b525-8c29a1702186",
  "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-03fa74d9c231a52aa",
  "serviceRegion": "us-east-1",
  "serviceOwner": "784556874502",
  "azIds": [
    "use1-az1",
    "use1-az2"
  ],
  "status": "pendingAcceptance",
  "provisioningMessage": "",
  "awsId": "vpce-06b4ba2047c41be17",
  "dnsEntries": [
    "vpce-06b4ba2047c41be17-1lnhhl4b.vpce-svc-03fa74d9c231a52aa.us-east-1.vpce.amazonaws.com",
    "vpce-06b4ba2047c41be17-1lnhhl4b-us-east-1d.vpce-svc-03fa74d9c231a52aa.us-east-1.vpce.amazonaws.com",
    "vpce-06b4ba2047c41be17-1lnhhl4b-us-east-1a.vpce-svc-03fa74d9c231a52aa.us-east-1.vpce.amazonaws.com"
  ]
}

The endpoint status shows Pending Acceptance. Complete the connection:

  1. Note the awsId from the endpoint.

  2. Go to Private Connect and click create inbound connections.

  3. Select AWS and configure the connection using the awsId (VPC Endpoint ID).

  4. Click Save.

    Within a few minutes, the endpoints sync and the status changes to Ready in Private Connect and Available in CloudHub 2.0.

Custom Services

Fetch the endpoint information:

curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpce-id} -H "Authorization:bearer {your-token}"

Example output:

{
  "name": "Custom Service",
  "vpceId": "fc5c9c55-d943-4383-88ac-cc2b51446d54",
  "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-03cef49533264d928",
  "serviceRegion": "us-east-1",
  "serviceOwner": "055970264539",
  "azIds": [
    "use1-az1"
  ],
  "status": "pendingAcceptance",
  "provisioningMessage": "",
  "awsId": "vpce-0d971d98cb910b3b1",
  "dnsEntries": [
    "vpce-0d971d98cb910b3b1-oyattu6z.vpce-svc-03cef49533264d928.us-east-1.vpce.amazonaws.com",
    "vpce-0d971d98cb910b3b1-oyattu6z-us-east-1d.vpce-svc-03cef49533264d928.us-east-1.vpce.amazonaws.com"
  ]
}

The custom service VPC endpoint status shows Pending Acceptance. Accept the connection:

  1. In the AWS console go to VPC > Endpoint Services.

  2. Select your service and open the Endpoint Connection tab.

  3. Verify the Endpoint ID and Owner match your private space in CloudHub 2.0.

  4. Accept the connection.
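Step 3 is the check that makes Acceptance required worthwhile: accept only the request whose endpoint ID equals the awsId CloudHub 2.0 reported and whose owner is the private space account from the /accounts call. The following Python is an added example, not MuleSoft's or AWS's code: it triages the pending requests on your endpoint service and builds the CLI calls to act on them. The JSON is a constructed sample modelled on `aws ec2 describe-vpc-endpoint-connections` output, and the field names and the accept/reject subcommands are assumed from the AWS CLI as I know it; check them against your CLI version.

```python
import json

# Constructed sample: the awsId CloudHub 2.0 reported for the custom service
# endpoint, the service it targets, and the private space account (/accounts).
EXPECTED_VPCE_ID = "vpce-0d971d98cb910b3b1"
SERVICE_ID = "vpce-svc-03cef49533264d928"
PRIVATE_SPACE_ACCOUNT = "328752079326"

# Constructed sample modelled on `aws ec2 describe-vpc-endpoint-connections`
# output (field names assumed); a request from an unrelated account is included.
PENDING_JSON = """{"VpcEndpointConnections": [
 {"ServiceId": "vpce-svc-03cef49533264d928", "VpcEndpointId": "vpce-0d971d98cb910b3b1",
  "VpcEndpointOwner": "328752079326", "VpcEndpointState": "pendingAcceptance"},
 {"ServiceId": "vpce-svc-03cef49533264d928", "VpcEndpointId": "vpce-0123456789abcdef0",
  "VpcEndpointOwner": "111111111111", "VpcEndpointState": "pendingAcceptance"}
]}"""


def triage_pending(describe_json, service_id, expected_vpce_id, expected_owner):
    """Split pending requests on our endpoint service into the one that
    matches both the awsId CloudHub reported and the private space account
    (accept) and everything else (reject). Matching the ID alone is not
    enough; the owner check is what proves who is on the other side."""
    accept, reject = [], []
    for conn in json.loads(describe_json)["VpcEndpointConnections"]:
        if conn.get("ServiceId") != service_id:
            continue
        if conn.get("VpcEndpointState", "").lower() != "pendingacceptance":
            continue
        vid, owner = conn["VpcEndpointId"], conn["VpcEndpointOwner"]
        ok = vid == expected_vpce_id and owner == expected_owner
        (accept if ok else reject).append(vid)
    return accept, reject


def aws_cli_commands(service_id, accept, reject):
    """Build the AWS CLI argument lists (assumed subcommand names) that act
    on the triage result; run them with subprocess.run(cmd, check=True)."""
    cmds = []
    if accept:
        cmds.append(["aws", "ec2", "accept-vpc-endpoint-connections",
                     "--service-id", service_id, "--vpc-endpoint-ids", *accept])
    if reject:
        cmds.append(["aws", "ec2", "reject-vpc-endpoint-connections",
                     "--service-id", service_id, "--vpc-endpoint-ids", *reject])
    return cmds
```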

After establishing Private Link connections with Available status, the VPC endpoint API returns DNS entries for the service.

To talk to the S3 endpoint, use one of these DNS entries:

"dnsEntries": [
    "*.vpce-0bb8410c774666218-yajqbur2.accesspoint.s3-global.us-east-1.vpce.amazonaws.com",
    "*.vpce-0bb8410c774666218-yajqbur2-us-east-1d.accesspoint.s3-global.us-east-1.vpce.amazonaws.com",
    "*.vpce-0bb8410c774666218-yajqbur2-us-east-1a.accesspoint.s3-global.us-east-1.vpce.amazonaws.com",
    "accesspoint.s3-global.amazonaws.com",
    "*.accesspoint.s3-global.amazonaws.com"
  ]

To talk to the Private Connect service, use one of these DNS entries:

"dnsEntries": [
    "vpce-06b4ba2047c41be17-1lnhhl4b.vpce-svc-03fa74d9c231a52aa.us-east-1.vpce.amazonaws.com",
    "vpce-06b4ba2047c41be17-1lnhhl4b-us-east-1d.vpce-svc-03fa74d9c231a52aa.us-east-1.vpce.amazonaws.com",
    "vpce-06b4ba2047c41be17-1lnhhl4b-us-east-1a.vpce-svc-03fa74d9c231a52aa.us-east-1.vpce.amazonaws.com"
  ]

To talk to the custom service, use one of these DNS entries:

"dnsEntries": [
    "vpce-0d971d98cb910b3b1-oyattu6z.vpce-svc-03cef49533264d928.us-east-1.vpce.amazonaws.com",
    "vpce-0d971d98cb910b3b1-oyattu6z-us-east-1d.vpce-svc-03cef49533264d928.us-east-1.vpce.amazonaws.com"
  ]

Entitlements

Each VPC endpoint consumes one network connection entitlement per AZ.

To configure high availability, set up the Private Link connection with at least two availability zones. This consumes two network connection entitlements.

Limitations

  • Outbound connections have a contractual limit of 56.48 GB of data transferred per root organization per hour.

  • This configuration supports interface endpoints only.

  • This configuration doesn’t support CloudHub VPCs.

  • This configuration doesn’t support CloudHub 2.0 private spaces that are upgraded from CloudHub VPCs.

  • Network connections are subject to these limits:

    • VPNs per private space: 10

    • TGW per private space: 5

    • VPC endpoints per private space: 20