The Salesforce Platform has many ways to connect to external resources and to integrate with other technologies. Private Connect and Event Relay are two new tools in the toolbox that make integrating Salesforce with Amazon Web Services (AWS) easier and more secure. Together they open the door to new ways of expanding your Salesforce solutions.

Why Use Private Connect?

Private Connect lets you establish a dedicated, private network connection between Salesforce data centers and third-party public clouds such as AWS. The traffic bypasses the public internet entirely, giving you a direct, secure, high-bandwidth path between Salesforce and your own systems.

Behind the scenes, Private Connect is powered by an AWS feature called PrivateLink. PrivateLink provides private connectivity between Virtual Private Clouds (VPCs), supported AWS services such as S3 and DynamoDB, and services hosted in other AWS accounts, without the traffic ever leaving the AWS network. A separate AWS feature, Direct Connect, links your company's on-premises network to AWS over a private circuit. When Direct Connect is combined with Private Connect, you can expose your company's private network to Salesforce with no exposure to the public internet at any hop.

[Figure: Architecture of how Private Connect integrates with AWS]

To use Salesforce Private Connect, you first need to create a Virtual Private Cloud (VPC) in AWS. Once you have created your VPC, you can create a Private Connect connection in Salesforce. Salesforce will then create a dedicated network connection between your VPC and Salesforce using AWS PrivateLink.

Private Connect's bi-directional connectivity covers a variety of customer use cases. Outbound, Salesforce can privately reach data and applications running in AWS; inbound, workloads in AWS can call Salesforce APIs over the same private path. Salesforce layers its standard permission model on top of these connections, so controlling who may use a connection works the same way as for any other org resource.

Private Connect is available as an add-on service in most AWS regions. Check here for additional considerations such as data-rate limits and connection limits.

Benefits of Private Connect

  • Security – All HTTP(S) traffic between the two sides is routed over the private connection rather than the public internet, so there is no publicly reachable IP address to scan, brute-force, or flood with a denial-of-service attack, and on-path (man-in-the-middle) interception from the internet is taken out of the picture. This is a reduction in attack surface, not a replacement for TLS and proper authentication on the endpoints themselves, which still apply.
  • Performance – Private Connect offers dedicated data rates in tiers from 225 MB/hr to 56.48 GB/hr. Because your packets no longer compete with public internet traffic, throughput and latency are more predictable.
  • Simple Setup – You set up a Private Connect connection using the point-and-click setup in Salesforce, which hides many of the error-prone AWS PrivateLink steps (endpoint services, allowed principals, endpoint acceptance) from the end user. This makes the overall process quick and easy.
  • Compliance – Data traveling through Private Connect is never exposed to the general internet, which helps meet regulations that require private data transfer.

Event Relay For the Handoff

Salesforce Event Relay lets you send platform events and Change Data Capture (CDC) events from Salesforce to Amazon EventBridge. Event Relay itself is one-directional (Salesforce to AWS); the return path, from AWS back to Salesforce, is built with EventBridge API destinations, described below. Platform-specific terms aside, Event Relay connects an event bus in Salesforce (platform events and Change Data Capture) with an event bus in EventBridge.

Event Relay is a native platform listener that subscribes to a platform event or Change Data Capture channel and delivers those events to Amazon EventBridge in near real time. Once it is configured, Salesforce admins and developers can keep publishing platform events with the usual code and no-code tools (Apex, Flow, the REST API), and every event published to the relayed channel lands on the EventBridge partner event bus automatically. EventBridge integrates with over 25 AWS services, which supports a wide array of use cases:

  • Trigger an AWS Lambda function for serverless processing (an alternative to Salesforce Functions)
  • Store Change Data Capture data in AWS storage services for archival, audit logs, analytics, etc.
  • Trigger email, SMS, or push notifications with services such as Amazon Simple Notification Service (SNS)
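The first two items above are typically one Lambda function: it receives the EventBridge envelope that Event Relay delivers, pulls out the Change Data Capture header, and archives the change. The handler below is an added example and is not code from the original post, from Salesforce, or from AWS. The sample envelope is constructed; its source ARN, org ID, and record IDs are placeholders, and the exact field layout of an Event Relay delivery (detail.payload with a ChangeEventHeader, detail.event.replayId) is an assumption you should confirm against your own bus before relying on it. ARCHIVE_BUCKET and the handler name are hypothetical.

```python
"""Lambda handler for Salesforce CDC events delivered by Event Relay to EventBridge.

Added example (not from the original post, Salesforce, or AWS). Assumptions:
- envelope shape: detail.payload carries the CDC fields plus ChangeEventHeader,
  detail.event.replayId carries the Salesforce replay ID (confirm on your bus);
- the archive target is an S3 bucket named in the ARCHIVE_BUCKET env var.
"""
from __future__ import annotations
import json
import os
from typing import Any

# Change types emitted by Change Data Capture that we are willing to archive.
HANDLED_CHANGE_TYPES = {"CREATE", "UPDATE", "DELETE", "UNDELETE"}

# Constructed sample of an Event Relay delivery (all identifiers are placeholders).
SAMPLE_EVENT: dict[str, Any] = {
    "version": "0",
    "id": "11111111-2222-3333-4444-555555555555",
    "detail-type": "AccountChangeEvent",
    "source": "aws.partner/salesforce.com/00D000000000001EAA/0YL000000000001",
    "account": "123456789012",
    "time": "2024-01-15T10:00:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "payload": {
            "ChangeEventHeader": {
                "entityName": "Account",
                "changeType": "UPDATE",
                "recordIds": ["001000000000001AAA"],
                "changedFields": ["Industry", "LastModifiedDate"],
                "commitTimestamp": 1705312800000,
            },
            # For UPDATE only the changed fields are present beside the header.
            "Industry": "Energy",
            "LastModifiedDate": "2024-01-15T10:00:00.000Z",
        },
        "event": {"replayId": 42},
    },
}


def parse_change_event(event: dict[str, Any]) -> dict[str, Any]:
    """Extract the CDC header and changed fields from an EventBridge envelope.

    Raises ValueError for anything that is not a Salesforce change event, so a
    mis-routed or malformed event fails loudly instead of being archived as-is.
    """
    source = event.get("source", "")
    if not source.startswith("aws.partner/salesforce.com/"):
        raise ValueError(f"unexpected event source: {source!r}")
    detail = event.get("detail") or {}
    payload = detail.get("payload") or {}
    header = payload.get("ChangeEventHeader")
    if not isinstance(header, dict):
        raise ValueError("detail.payload.ChangeEventHeader missing: not a CDC event")
    change_type = header.get("changeType")
    if change_type not in HANDLED_CHANGE_TYPES:
        raise ValueError(f"unsupported changeType: {change_type!r}")
    fields = {k: v for k, v in payload.items() if k != "ChangeEventHeader"}
    return {
        "entity": header["entityName"],
        "change_type": change_type,
        "record_ids": list(header.get("recordIds", [])),
        "changed_fields": list(header.get("changedFields", [])),
        "commit_timestamp": header.get("commitTimestamp"),
        "replay_id": (detail.get("event") or {}).get("replayId"),
        "fields": fields,
    }


def archive_key(change: dict[str, Any]) -> str:
    """Deterministic object key (entity/changeType/replayId.json).

    EventBridge delivery is at-least-once, so a redelivered event overwrites the
    same object instead of producing a duplicate audit record.
    """
    return f"{change['entity']}/{change['change_type']}/{change['replay_id']}.json"


def handler(event: dict[str, Any], context: Any) -> dict[str, str]:
    """Lambda entry point: validate, then archive the change to S3."""
    change = parse_change_event(event)
    key = archive_key(change)
    import boto3  # imported here so the parsing functions run without AWS credentials
    boto3.client("s3").put_object(
        Bucket=os.environ["ARCHIVE_BUCKET"],
        Key=key,
        Body=json.dumps(change, sort_keys=True).encode("utf-8"),
        ContentType="application/json",
    )
    return {"archived": key}


if __name__ == "__main__":
    # Offline check against the constructed sample; no AWS call is made here.
    print(json.dumps(parse_change_event(SAMPLE_EVENT), indent=2))
```

Rejecting events whose source is not the Salesforce partner bus matters because an EventBridge rule can be widened later by someone else; the function should not archive whatever arrives. The replay ID in the key gives you an idempotent archive, and it is also the value you would feed back to Salesforce if you ever need to replay from a given point.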

Many other SaaS platforms are already integrated with Amazon EventBridge, so EventBridge can be used to connect Salesforce with these partner systems in a scalable way. A list of all EventBridge partners can be found here.

Amazon EventBridge supports API destinations as a rule target, and they are highly configurable. You can configure an API destination to authenticate to Salesforce and send events from EventBridge back to the org. As part of this configuration you create a connected app in Salesforce, store its client credentials in an EventBridge connection, and use an input transformer to reshape the event payload into the structure the Salesforce REST API expects. Data can be sent to any standard Salesforce REST endpoint or to a custom Apex REST endpoint. If you expect a high volume of events, point the API destination at the standard REST endpoint for a platform event (rather than a standard or custom object), so that the inbound event is published onto the Salesforce event bus instead of performing a synchronous DML on a record. EventBridge retries failed deliveries with exponential backoff for up to 24 hours; add a dead-letter queue to the target if you need to keep events that exhaust those retries. Detailed step-by-step instructions for setting up the event flow from EventBridge to Salesforce can be found here.

Used together, the outbound relay and the inbound API destination let you offload heavy processing to AWS services and post an update back into Salesforce when the processing is done.

Since Event Relay is an event subscriber inside the Salesforce platform, it is subject to the same platform event allocations and governor limits as any other subscriber. Based on the available documentation, there are no additional platform restrictions specific to Event Relay. If you are setting up EventBridge to connect to multiple Salesforce orgs, keep a few considerations in mind:

  • An API destination uses a standard OAuth connection (client ID and secret from a connected app) to each individual Salesforce org.
  • There is no support for certificate-based or JWT bearer authentication on the EventBridge side.
  • Every target org needs its own connection, API destination, and rule target, configured separately.
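The return path described above (connected app, EventBridge connection, API destination pointed at a platform event endpoint, input transformer) and the one-connection-per-org rule from the list above are both covered by the following example. It is added here and is not code from the original post, from AWS, or from Salesforce. The builder functions return the exact parameter dictionaries that the boto3 `events` client's `create_connection`, `create_api_destination`, `put_rule`, and `put_targets` calls accept; `deploy` wires them together per org. Everything else is a labelled assumption: the My Domain hosts, the connected app credentials, the `Processing_Complete__e` platform event and its `Record_Id__c`/`Status__c` fields, the `custom.processing` source and `ProcessingComplete` detail type emitted by the AWS side, the IAM role ARN, and the constructed sample event.

```python
"""EventBridge -> API destination -> Salesforce platform event (return path).

Added example, not from the original post, AWS, or Salesforce. Assumptions
(placeholders): org My Domain hosts, connected-app client ID/secret, the
Processing_Complete__e event with Record_Id__c and Status__c, the
custom.processing / ProcessingComplete event the AWS side emits, the IAM role.
"""
from __future__ import annotations
import json
from typing import Any

API_VERSION = "v59.0"

# Constructed sample of the event the AWS side publishes when work is done.
SAMPLE_AWS_EVENT: dict[str, Any] = {
    "source": "custom.processing",
    "detail-type": "ProcessingComplete",
    "detail": {"recordId": "001000000000001AAA", "status": "DONE"},
}


def token_endpoint(my_domain: str) -> str:
    """Salesforce OAuth token endpoint for the org's My Domain host."""
    return f"https://{my_domain}/services/oauth2/token"


def platform_event_endpoint(my_domain: str, event_api_name: str) -> str:
    """sObject REST endpoint that publishes a platform event on POST."""
    if not event_api_name.endswith("__e"):
        raise ValueError("platform event API names end in __e; objects need a different endpoint")
    return f"https://{my_domain}/services/data/{API_VERSION}/sobjects/{event_api_name}"


def connection_params(name: str, my_domain: str, client_id: str, client_secret: str) -> dict[str, Any]:
    """create_connection parameters: OAuth client-credentials flow against the org.

    EventBridge stores the secret in Secrets Manager; it never appears in the rule
    or target, and every org gets its own connection (no JWT/cert option exists).
    """
    return {
        "Name": name,
        "AuthorizationType": "OAUTH_CLIENT_CREDENTIALS",
        "AuthParameters": {
            "OAuthParameters": {
                "ClientParameters": {"ClientID": client_id, "ClientSecret": client_secret},
                "AuthorizationEndpoint": token_endpoint(my_domain),
                "HttpMethod": "POST",
                "OAuthHttpParameters": {
                    "BodyParameters": [
                        {"Key": "grant_type", "Value": "client_credentials", "IsValueSecret": False}
                    ]
                },
            }
        },
    }


def input_transformer(field_map: dict[str, str]) -> dict[str, Any]:
    """InputTransformer mapping platform-event fields to JSON paths in the AWS event.

    The template is JSON with unquoted <var> placeholders; EventBridge inserts each
    value with its JSON type, so strings arrive quoted and numbers do not.
    """
    paths = {f"f{i}": path for i, path in enumerate(field_map.values())}
    template = "{" + ", ".join(f'"{field}": <f{i}>' for i, field in enumerate(field_map)) + "}"
    return {"InputPathsMap": paths, "InputTemplate": template}


def _resolve(event: dict[str, Any], path: str) -> Any:
    """Minimal resolver for the dotted $.a.b paths used here (not full JSONPath)."""
    node: Any = event
    for part in path.lstrip("$").strip(".").split("."):
        node = node[part]
    return node


def preview_body(transformer: dict[str, Any], event: dict[str, Any]) -> dict[str, Any]:
    """Apply the transformer locally to see the body Salesforce will receive."""
    body = transformer["InputTemplate"]
    for var, path in transformer["InputPathsMap"].items():
        body = body.replace(f"<{var}>", json.dumps(_resolve(event, path)))
    return json.loads(body)


def rule_params(rule_name: str, bus_name: str, source: str, detail_type: str) -> dict[str, Any]:
    """put_rule parameters: match only the completion event, nothing broader."""
    pattern = {"source": [source], "detail-type": [detail_type]}
    return {"Name": rule_name, "EventBusName": bus_name, "EventPattern": json.dumps(pattern)}


def target_params(target_id: str, destination_arn: str, role_arn: str,
                  transformer: dict[str, Any], dlq_arn: str | None = None) -> dict[str, Any]:
    """One put_targets entry: 24h retry window and an optional dead-letter queue."""
    target: dict[str, Any] = {
        "Id": target_id, "Arn": destination_arn, "RoleArn": role_arn,
        "InputTransformer": transformer,
        "RetryPolicy": {"MaximumEventAgeInSeconds": 86400, "MaximumRetryAttempts": 185},
    }
    if dlq_arn:  # without this, events that exhaust retries are silently dropped
        target["DeadLetterConfig"] = {"Arn": dlq_arn}
    return target


def deploy(orgs: list[dict[str, Any]], bus_name: str, role_arn: str, event_api_name: str,
           field_map: dict[str, str], source: str, detail_type: str) -> list[str]:
    """Create connection, API destination, rule and target for every org; returns rule names."""
    import boto3  # imported here so the builders above run without AWS credentials
    eb = boto3.client("events")
    transformer = input_transformer(field_map)
    rules = []
    for org in orgs:  # each org: name, my_domain, client_id, client_secret, optional dlq_arn
        conn = eb.create_connection(**connection_params(
            f"sf-{org['name']}", org["my_domain"], org["client_id"], org["client_secret"]))
        dest = eb.create_api_destination(
            Name=f"sf-{org['name']}-{event_api_name}", ConnectionArn=conn["ConnectionArn"],
            InvocationEndpoint=platform_event_endpoint(org["my_domain"], event_api_name),
            HttpMethod="POST", InvocationRateLimitPerSecond=org.get("rate_limit", 10))
        rule = f"to-{org['name']}-{detail_type}"
        eb.put_rule(**rule_params(rule, bus_name, source, detail_type))
        eb.put_targets(Rule=rule, EventBusName=bus_name, Targets=[target_params(
            f"{org['name']}-target", dest["ApiDestinationArn"], role_arn, transformer, org.get("dlq_arn"))])
        rules.append(rule)
    return rules
```

Run `preview_body(input_transformer({...}), SAMPLE_AWS_EVENT)` before deploying to confirm the body matches the platform event's field API names exactly; a misspelled `__c` field produces a 400 from Salesforce on every retry for 24 hours, which is exactly the kind of noise a dead-letter queue lets you catch instead of losing the event.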

Summary

Private Connect and Event Relay are just two examples of tighter integration between Salesforce and AWS. Salesforce is making more AWS services directly accessible inside Salesforce. Other examples:

  • Use custom machine learning (ML) models in Amazon SageMaker from Salesforce (details)
  • Power Service Cloud Voice with Amazon Connect (details).

We can expect this trend to continue and to expand the ability of Salesforce users to leverage AWS directly from Salesforce with the familiar no-code and code tools.

Leverage the Experts

Salesforce authentication and authorization is a big topic whether we speak about inbound or outbound scenarios but I hope that this topic highlighted some helpful design considerations for outbound auth. Whether you are a Salesforce customer or partner, if you require support to design and build intuitive identity solutions then feel free to reach out. As a Master Product Development Organization (PDO), CodeScience has deep and extensive experience in solving a diverse range of identity and access challenges.