Cloud adoption continues to gain momentum with more and more customers running business-critical enterprise applications in the cloud. This transition presents a different set of challenges customers must overcome to ensure the security, performance, and reliability of these applications in a cloud environment. A fundamental change for most customers is the requirement to send a major portion of their cloud traffic through the public internet while still abiding by the various regulating bodies for their industries. This is especially challenging for SaaS applications that live in the cloud. How do we minimize the attack surface presented by the internet when trying to integrate between SaaS applications and public cloud infrastructure?
To address these challenges for our customers, we are excited to announce the general launch of Salesforce Private Connect, a new addition to the Customer 360 Platform that provides secure, private communications to public clouds. We are launching the Private Connect service with our partner, AWS, for the Summer ’20 release in North America. The service will be initially available to us-east-1 and us-west-2.
Salesforce Private Connect provides the following benefits:
- Private communications by creating a secure connection between Salesforce Data Centers and third party public clouds without exposing your HTTP/S traffic to the public internet.
- Trusted enterprise security enabled with Salesforce managing the end-to-end connections and streamlining access controls.
- Improved productivity through simplified setup, configuration, and new user interfaces for administrators and developers.
Private Connect Overview
So what are the nuts and bolts of the Salesforce Private Connect feature? The diagram below illustrates a Salesforce managed Virtual Private Cloud (VPC) inside an AWS region that has direct connectivity to Salesforce First Party Data centers. Customers connect their existing or new AWS VPCs to our managed AWS VPC service by using an AWS feature called PrivateLink. AWS PrivateLink provides secure private connectivity between VPCs, AWS services, and on-premise applications on the Amazon network.
Private Connection between a Salesforce First Party Data Center and an AWS Region
Since the Salesforce Private Connect service is bi-directional, we can accommodate a variety of customer use cases. You can make private API callouts from Salesforce to a service running in AWS such as S3 or DynamoDB to send or retrieve data. You can integrate with other PrivateLink partners like Heroku Postgres through the service. You can even make API calls to the Salesforce APIs through the service from within AWS. Lastly, Salesforce Private Connect also supports Amazon AppFlow allowing you to automate the workflow of connecting to a Salesforce org from within AWS over the private connection.
Security and peace of mind is achieved by routing your HTTP/s traffic through Salesforce Private Connect and AWS PrivateLink. Salesforce Private Connect is an encrypted connection and acts as a pass through for your already encrypted mTLS packets. We can greatly reduce the chances of you experiencing brute force attacks, man-in-the-middle attacks, or denial-of-service attacks as there is no publicly exposed IP address. Additionally, Salesforce Private Connect is actively completing rigorous audits to obtain ISO, SOC II, HIPAA, and PCI compliance to support our customers in highly regulated industries such as Financial Services and Healthcare.
Salesforce Private Connect greatly simplifies the setup for Network Administrators by eliminating the need to define such things as Internet Gateways, NAT Devices, Route Tables and Network Devices, as this is achieved through PrivateLink. Another simple but powerful benefit is the elimination of defining firewall rules, which when misconfigured, have led to large data loss events in the past for some cloud providers. Lastly, we provide a setup experience for Salesforce Administrators to provision the PrivateLinks from within Salesforce. This allows for a separation of duties between your Salesforce Administrators and AWS Administrators, enhancing control.
Conclusion
Salesforce Private Connect is the latest addition to the Salesforce Customer 360 platform, providing security-conscious customers private connectivity with their AWS investments. Today, without the use of Salesforce Private Connect, it is not possible to make a secure, private, VPN-like connection between Salesforce and AWS. The bi-directional nature of the service and the user-friendly point-and-click setup are some of the differentiators that set this service apart.
Salesforce Private Connect will be generally available as part of the Summer ’20 release in July for North American orgs. To get started now, reach out to your Salesforce Account Executive to join the pilot. Interested in the architecture? Learn more by watching the AWS Private Connections recorded Dreamforce session to also see a demo in action. Stay tuned, in our next blog post we will walk you through how to create the private connections and help you get started in your sandbox environment!