AWS PrivateLink Communication
If you would like traffic between your self-hosted Sombra and our backend to occur over private DNS instead of the public internet, you can make use of AWS Privatelink to securely connect with our backend services. In doing so, you can bypass needing to allowlist our backend IP addresses, which can be a security improvement.
As a limitation, this does only work for customers hosting their Sombras in AWS, and only for those Sombras in a region supported by our backend.
When self-hosting the Transcend Security Gateway (AKA "Sombra"), you can have that Sombra communicate with our backend via PrivateLink and private DNS.
To do so, the first step is to reach out to your Transcend Support team member and ask to be placed on our allowlist of AWS Account IDs that can talk to our PrivateLink endpoint. Please include your AWS account ID in the message (the one that Sombra is deployed in), and we will confirm once we've allowlisted your ID(s).
Next, create a VPC endpoint:
To do so, you'll want to pick the service endpoint of ours based on the region of your Sombra VPC:
Region | Service Endpoint |
---|---|
eu-west-1 | com.amazonaws.vpce.eu-west-1.vpce-svc-0128a9fee2752ad0f |
us-east-1 | com.amazonaws.vpce.us-east-1.vpce-svc-0c7a345d4e783e626 |
If you add this endpoint in the same VPC as your Sombra instance, your Sombra will be able to communicate to our backend over private DNS.
To enable this communication, set the TRANSCEND_URL
environment variable on your Sombra to https://private-api.transcend.io
in the EU or https://private-api.us.transcend.io
for the US.
If you would like to have data from our backend to your Sombra use private DNS, PrivateLink is a great way to do so, just in the reverse of the above section. You would be responsible for:
- Asking us for our AWS Account ID to allowlist
- Setting up a PrivateLink endpoint using this guide
- Let us know your service endpoint and the private DNS endpoint of your service you created
- We will create a VPC endpoint on our end that points to your Private Link service, and will communicate to Sombra via that endpoint.
- Optional: If you set up your PrivateLink service such that you must approve all incoming clients, you would need to approve our client.