Salesforce customers utilizing Hyperforce, the advanced infrastructure architecture hosted on Amazon Web Services (AWS), can access their services through the public internet. However, certain customers may have specific compliance, reliability, or other requirements that necessitate a dedicated, managed connection. While customers hosted in Salesforce’s first-party environment can obtain Salesforce Express Connect (SEC) via telecom partners, this option is not available for Hyperforce.
For customers needing direct network connectivity from their on-premises environments to Hyperforce, AWS Direct Connect presents an effective solution. This service provides reliable access to the AWS cloud, ensuring guaranteed bandwidth and a connectivity service-level agreement (SLA). In this article, we will outline how to leverage AWS Direct Connect for accessing Hyperforce and share best practices for deployment from both Salesforce and AWS.
Salesforce is recognized as an AWS Specialization Partner and is a global leader in customer relationship management (CRM). Their cloud-based software solutions are designed to help businesses identify new prospects, close more deals, and deliver exceptional customer service.
Overview of AWS Direct Connect
AWS Direct Connect (DX) is the most efficient way to access AWS resources, offering options for both private access (to a virtual private cloud) and public access (for services available over the public internet like Hyperforce). Depending on speed requirements and future usage, customers can choose between hosted or dedicated Direct Connect connections. Dedicated DX connections are available in speeds of 1, 10, and 100 Gbps and are directly ordered from AWS. These connections support multiple virtual interfaces (VIFs), enabling private connectivity to customer environments deployed on AWS (i.e., resources in VPCs).
Conversely, hosted connections offer various speed options, potentially leading to cost savings while being limited to a single VIF per connection. These can be acquired through existing SEC providers, who are also partners in DX delivery, or from other partners.
Upon acquiring their DX connections (hosted or dedicated) and establishing an AWS account, customers must configure a public virtual interface. This configuration provides access to all public AWS services and those deployed under public IP addresses, including Hyperforce.
For clarity, the accompanying diagram illustrates the structure of private, transit, and public VIFs.
Connecting to Hyperforce via AWS Direct Connect
Location Considerations
AWS Direct Connect is available at various locations, and customers must coordinate with DX delivery partners to establish Layer 2 connectivity. If resources are located in the same data center, working with the data center owner is ideal. For hosted Direct Connect, additional options may be available from the hosting partner. To minimize last-mile connection costs, it’s advisable to connect to the nearest geographical locations.
Ensuring Resiliency and Reliability
A best practice is to establish diverse Direct Connect circuits from multiple on-premises locations to various DX locations. If utilizing hosted DX, consider using different DX partners to enhance resiliency. The number of circuits should be evaluated based on capacity needs and potential failure scenarios. For production environments, we recommend implementing high or maximum resiliency models as outlined in the Direct Connect Resiliency Recommendations. Depending on the architecture chosen, various SLAs are available.
Enhancing Security
The connection between a customer’s location and the Direct Connect site is a Layer 2, Ethernet-based link. To protect data in transit on that link, enable MACsec on the connection where it is supported (MACsec is offered on dedicated connections at supported speeds and locations, not on hosted connections). MACsec encrypts the segment between the customer’s edge router and the DX router only. AWS recommends a layered approach to encryption: link-layer MACsec complemented by application-layer encryption such as Transport Layer Security (TLS), which protects the traffic end to end rather than on a single hop.
Optimizing Failover
Routing information between the AWS network and the customer’s router is exchanged dynamically via Border Gateway Protocol (BGP). To shorten failover times, we recommend enabling Bidirectional Forwarding Detection (BFD); AWS enables BFD on its side of a virtual interface by default, but it takes effect only once it is also configured on the customer router.
Routing Security Measures
To use a public VIF, customers must peer with AWS using public IP addresses. Advertise to AWS a public IP range that is not announced to the public internet, so that return traffic from AWS to those addresses can only flow over Direct Connect. Customers can then add the prefixes designated for the DX connection to their Salesforce organization’s trusted IP ranges, so that access to Hyperforce is permitted only from the DX path.
AWS does not re-advertise prefixes received over Direct Connect to the public internet, but other AWS customers may still be able to route to those ranges.
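The three conditions above (DX prefixes kept off the internet path, DX prefixes covered by trusted ranges, trusted ranges not admitting internet-visible space) can be checked mechanically. The following is an added example, not code from the original article or from Salesforce/AWS; the prefix lists are constructed placeholders drawn from documentation address blocks.

```python
"""Checks for the routing-security guidance above (added example, not from the page).

Inputs are constructed placeholders using documentation address blocks:
  internet_prefixes - what the site advertises to its ISP (internet-visible)
  dx_prefixes       - what the site advertises to AWS over the public VIF
  trusted_ranges    - the Salesforce org's trusted IP ranges
"""
from ipaddress import ip_network
from typing import Iterable, List


def _nets(prefixes: Iterable[str]):
    return [ip_network(p, strict=True) for p in prefixes]


def _same_family(a, b) -> bool:
    return a.version == b.version  # subnet_of() raises on mixed IPv4/IPv6 operands


def check_dx_routing(internet_prefixes, dx_prefixes, trusted_ranges) -> List[str]:
    """Return findings; an empty list means the design matches the guidance."""
    findings: List[str] = []
    internet, dx, trusted = _nets(internet_prefixes), _nets(dx_prefixes), _nets(trusted_ranges)

    for p in dx:
        # 1. A DX-advertised prefix must not also be reachable via the internet path,
        #    otherwise AWS return traffic may come back through the ISP instead of DX.
        for i in internet:
            if _same_family(p, i) and p.overlaps(i):
                findings.append(f"{p} is advertised over DX but overlaps internet prefix {i}")
        # 2. Every DX prefix must sit inside a trusted range, or logins arriving over DX
        #    are not treated as trusted by the org.
        if not any(_same_family(p, t) and p.subnet_of(t) for t in trusted):
            findings.append(f"{p} is advertised over DX but not covered by any trusted IP range")

    # 3. For DX-only access, no trusted range may admit internet-visible address space.
    for t in trusted:
        for i in internet:
            if _same_family(t, i) and t.overlaps(i):
                findings.append(f"trusted range {t} overlaps internet prefix {i}: access is not DX-only")
    return findings


# Constructed sample design: 203.0.113.0/24 goes to the ISP, 198.51.100.0/25 to AWS over DX.
SAMPLE_INTERNET = ["203.0.113.0/24"]
SAMPLE_DX = ["198.51.100.0/25"]
SAMPLE_TRUSTED = ["198.51.100.0/24"]

if __name__ == "__main__":
    for line in check_dx_routing(SAMPLE_INTERNET, SAMPLE_DX, SAMPLE_TRUSTED) or ["OK: no findings"]:
        print(line)
```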
Routing Prioritization Over AWS Direct Connect
Public IP prefixes for Hyperforce are advertised over the public VIF of a DX connection and are also reachable from the internet. The on-premises router may therefore learn the same prefixes both from the DX BGP session and from the ISP. When that happens, configure routing policy on the on-premises routers so that the DX path is preferred for those prefixes.
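The usual way to express that preference is an inbound route policy that raises BGP LOCAL_PREF on routes learned from the DX neighbor, since LOCAL_PREF is evaluated before AS_PATH length in best-path selection. The following added example (not code from the article or from Salesforce/AWS) models that policy against a constructed RIB-in; AS numbers, next hops and prefixes are placeholders, not real Hyperforce ranges.

```python
"""On-premises BGP policy for the situation above: the same Hyperforce prefix is learned
from both the DX public VIF and the ISP, and the DX path must win.
Added example with constructed AS numbers, next hops and prefixes (placeholders, not
real Hyperforce ranges); it models inbound LOCAL_PREF setting plus a reduced best-path
decision (highest LOCAL_PREF, then shortest AS_PATH, then the path already installed).
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    neighbor: str            # "dx" or "isp"
    as_path: Tuple[int, ...]
    local_pref: int = 100    # BGP default when no policy is applied


def inbound_policy(routes: List[Route], dx_local_pref: int = 200) -> List[Route]:
    """Route-map applied to the DX session: raise LOCAL_PREF on everything it sends us."""
    return [replace(r, local_pref=dx_local_pref) if r.neighbor == "dx" else r for r in routes]


def best_paths(routes: List[Route]) -> Dict[str, Route]:
    best: Dict[str, Route] = {}
    for r in routes:
        cur = best.get(r.prefix)
        # Replace only when strictly better; on a full tie the installed path is kept.
        if cur is None or (r.local_pref, -len(r.as_path)) > (cur.local_pref, -len(cur.as_path)):
            best[r.prefix] = r
    return best


def chosen_neighbor(routes: List[Route], with_policy: bool) -> Dict[str, str]:
    """Which neighbor's path is installed per prefix, with or without the DX policy."""
    rib = inbound_policy(routes) if with_policy else routes
    return {p: r.neighbor for p, r in best_paths(rib).items()}


# Constructed RIB-in. The ISP path is listed first with the same AS_PATH length (deliberately
# contrived) so that, without policy, the tie-break leaves the ISP path installed.
SAMPLE_RIB = [
    Route("192.0.2.0/24", "10.1.1.1", "isp", (64500,)),           # Hyperforce-like prefix via ISP
    Route("192.0.2.0/24", "10.0.0.1", "dx", (64512,)),            # same prefix via DX public VIF
    Route("198.51.100.0/24", "10.1.1.1", "isp", (64500, 64501)),  # prefix only reachable via ISP
]

if __name__ == "__main__":
    print("no policy   :", chosen_neighbor(SAMPLE_RIB, with_policy=False))
    print("DX preferred:", chosen_neighbor(SAMPLE_RIB, with_policy=True))
```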
Frequently Asked Questions
Can I control my AWS Direct Connect Connection to allow traffic only to/from Salesforce?
To ensure uninterrupted access to Salesforce services on Hyperforce, follow the best practices in the linked help article on allowing Salesforce IP addresses and domains. Because Hyperforce continues to scale rapidly, maintaining static IP allow lists for it becomes cumbersome and error-prone; the linked blog post explains the recommended alternative.