# AWS PrivateLink

This setup will allow specific Tray connectors to reach your services hosted on AWS. VPC Endpoints are what facilitate this type of connectivity, using a technology called PrivateLink.

## AWS PrivateLink

![privatelink](https://tray.ai/documentation/images/platform/connectivity/on-premise-systems/aws-connectivity/aws-privatelink/12f768d2-eadd3920_privatelink.png)
PrivateLink enables private connectivity between VPCs and supported AWS services hosted by other AWS accounts, as well as third-party services on AWS Marketplace.

### Key points in using PrivateLink

* Traffic will stay within the AWS backbone and hence **won’t be exposed** to the public internet
* **A VPC endpoint does not require** an internet gateway, virtual private gateway, NAT device, VPN connection, AWS Direct Connect connection or any other networking component, so the buildout topology is simpler and costs less.
* There is **no option to natively encrypt** this traffic, unless we use **application-level tools such as TLS**.

### AWS PrivateLink required info

| Details                                   | Notes                                                                                                                                 |
| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| Customer Name                             |                                                                                                                                       |
| Geographic location                       | The region in which your VPC is located. We will locate the Tray.io VPC in a region that is optimal in terms of latency when connecting. |
| Tray OrgID                                |                                                                                                                                       |
| Your AWS Account number                   |                                                                                                                                       |
| VPC Endpoint Service fully qualified name |                                                                                                                                       |
| VPC Endpoint Service ports                |                                                                                                                                       |

### AWS PrivateLink setup process

1. We set up a **separate Tray VPC network** which does not overlap with your network and will not require you to reserve a large chunk of routes
2. We deploy the **relevant connectors** inside that dedicated VPC
3. We then create and host a VPC Endpoint
4. This endpoint will **request connectivity** to your network which normally requires **manual acceptance by your AWS admins** ('auto-accept' is not a recommended security practice)
5. Once accepted, our connectors will be able to reach the services hosted in your VPC

### AWS PrivateLink technical considerations

* In this scenario:
  * Tray will become a **Service Consumer**
  * You become a **Service Producer**
* As per the above diagram, Tray hosts the VPC Endpoint and points it at the fully qualified service name that you provide to us.
* Your VPC endpoint service, which supports integration with PrivateLink, should be put **behind a Network Load Balancer**
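The service-producer side of the setup process and technical considerations above (internal NLB, endpoint service with manual acceptance, allow-list restricted to the Tray account), written as an added Terraform example that is not part of the Tray documentation. The `var.*` values, the placeholder Tray account id and the target group are assumptions you would fill in yourself.

```hcl
# Added example (not from the Tray docs): the customer (service producer)
# side of the PrivateLink setup. All var.* values are placeholders.
variable "tray_aws_account_id" {
  type = string # placeholder: the account id supplied to you by Tray
}
variable "private_subnet_ids" {
  type = list(string)
}
variable "target_group_arn" {
  type = string # your service's target group; TLS is terminated there
}
variable "service_port" {
  type    = number
  default = 443
}

# Internal Network Load Balancer in front of the service: a PrivateLink
# endpoint service must sit behind an NLB.
resource "aws_lb" "tray_privatelink" {
  name               = "tray-privatelink-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.private_subnet_ids
}

# TCP pass-through listener. PrivateLink does not encrypt traffic itself,
# so the application behind the target group speaks TLS end to end.
resource "aws_lb_listener" "tls_passthrough" {
  load_balancer_arn = aws_lb.tray_privatelink.arn
  port              = var.service_port
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = var.target_group_arn
  }
}

# Endpoint service: connection requests need manual acceptance by your
# AWS admins (no auto-accept), and only the Tray account may request one.
resource "aws_vpc_endpoint_service" "tray" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.tray_privatelink.arn]
  allowed_principals         = ["arn:aws:iam::${var.tray_aws_account_id}:root"]
  tags                       = { Name = "tray-privatelink" }
}

# The fully qualified service name to enter in the required-info table.
output "vpc_endpoint_service_name" {
  value = aws_vpc_endpoint_service.tray.service_name
}
```

Once Tray's endpoint has requested a connection, your admins can review it with `aws ec2 describe-vpc-endpoint-connections` and approve it with `aws ec2 accept-vpc-endpoint-connections`, checking that the requesting account matches the allow-listed Tray account before accepting.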
