Articles

Security

End-to-End Encryption

Tunnel from Transcend to your Private Database


## Overview

For database integrations, we recommend customers self-host Sombra where it can directly connect to their databases. This is the most secure method, as it:

- Lets you use your own encryption keys, so Transcend cannot access the data in your database.
- Keeps your database private, with the only ingress change being that Sombra can connect to it.
- Lets you fully control the region where Sombra resides, ensuring compliance with regional data tenancy requirements.
- Ensures data classification occurs within your firewall if desired.

However, if you cannot or choose not to self-host Sombra, you can use Transcend's multi-tenant Sombra instance to connect to your databases. In this case, ensure that your databases remain protected.

With Transcend, you have the following options:

- If your database has public endpoints, no action is needed, and you can connect directly to your database. **We strongly discourage this option!**
- If you're comfortable with IP address allowlisting, follow [this guide](/_docs/security/end-to-end-encryption/ip-allowlisting.mdx) to allow our Sombra to connect to your database.
- If you prefer a private tunnel and use AWS, you can set up AWS PrivateLink endpoints using this guide.

## Using AWS PrivateLink

[AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html) is an Amazon service for opening communication channels between AWS Accounts.

In this case, our multi-tenant Sombra instances need to communicate with your databases. We'll open a tunnel from our AWS account to yours.

To start, set up a PrivateLink endpoint service by following [this guide](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html).

Make sure to:

- Allowlist our AWS Account ID: `829095311197`, so we can open connections to your service.
- Contact our customer support and provide your service endpoint address.
- Set up the endpoint service in `us-east-1` if using our US backend or `eu-west-1` if using our EU backend.
  - If your database is not in one of these regions, you can set up a VPC in the appropriate region and use VPC peering, as described [here](https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/aws-privatelink.html).
- Approve our client if your PrivateLink service requires approval for incoming connections.

Once our VPCs connect to your endpoint service, you can set up database integrations from [the Admin Dashboard](https://app.transcend.io).
