PrivateLink service
ÃÛ¶¹ÊÓƵ Commerce on cloud infrastructure supports integration with the or service. You can use PrivateLink to establish secure, private communication between ÃÛ¶¹ÊÓƵ Commerce on cloud infrastructure environments with services and applications hosted on external systems. Both the ÃÛ¶¹ÊÓƵ Commerce application and external systems must be accessible through Virtual Private Cloud (VPC) endpoints configured on the same cloud platform (AWS or Azure) within the same cloud region.
Features and support
The PrivateLink service integration for ÃÛ¶¹ÊÓƵ Commerce on cloud infrastructure projects includes the following features and support:
-
A secure connection between a customer Virtual Private Cloud (VPC) and the ÃÛ¶¹ÊÓƵ VPC on the same cloud platform (AWS or Azure) within the same Cloud region.
-
Support for unidirectional or bidirectional communication between endpoint services available at ÃÛ¶¹ÊÓƵ and Customer VPCs.
-
Service enablement:
- Open required ports in the ÃÛ¶¹ÊÓƵ Commerce on cloud infrastructure environment
- Establish the initial connection between the customer and ÃÛ¶¹ÊÓƵ VPCs
- Troubleshoot connection issues during enablement
Limitations
- Support for PrivateLink is available on Pro Production and Staging environments only. It is not available on local or integration environments, or on Starter projects.
- You cannot establish SSH connections using PrivateLink. See Enable SSH keys.
- ÃÛ¶¹ÊÓƵ Commerce support does not cover troubleshooting AWS PrivateLink issues beyond initial enablement.
- Customers are responsible for costs associated with managing their own VPC.
- You cannot use the HTTPS protocol (port 443) to connect to ÃÛ¶¹ÊÓƵ Commerce on cloud infrastructure over Azure Private Link due to Fastly origin cloaking. This limitation does not apply to AWS PrivateLink.
- PrivateDNS is not available.
PrivateLink connection types
There are two PrivateLink connection types available—shown in the following network diagram—to establish secure communication between your store and external systems hosted outside of the Cloud environment.
Choose one of the PrivateLink connection types best suited for your ÃÛ¶¹ÊÓƵ Commerce on cloud infrastructure environments:
-
Unidirectional PrivateLink–Choose this configuration to retrieve data securely from an ÃÛ¶¹ÊÓƵ Commerce on cloud infrastructure store.
-
Bidirectional PrivateLink–Choose this configuration to establish secure connections to and from systems outside of the ÃÛ¶¹ÊÓƵ Commerce on cloud infrastructure environment. The bidirectional option requires two connections:
- A connection between the customer VPC and the ÃÛ¶¹ÊÓƵ VPC
- A connection between the ÃÛ¶¹ÊÓƵ VPC and the customer VPC
Request PrivateLink enablement
Prerequisites
Gather the following data required for PrivateLink enablement:
-
Customer Cloud account number (AWS or Azure)—Must be in the same region as the ÃÛ¶¹ÊÓƵ Commerce on cloud infrastructure instance
-
Cloud region—Provide the Cloud region where the account is hosted for verification purposes
-
Services and communication ports—ÃÛ¶¹ÊÓƵ must open ports to enable service communication between VPCs, for example SQL port 3306, SFTP port 2222
-
Project ID—Provide the ÃÛ¶¹ÊÓƵ Commerce on cloud infrastructure Pro project ID. You can get the Project ID and other project information using the following Cloud CLI command:
magento-cloud project:info -
Connection type—Specify unidirectional or bidirectional for connection type
-
Endpoint service—For bidirectional PrivateLink connections, provide the DNS URL for the VPC endpoint service that ÃÛ¶¹ÊÓƵ must connect to, for example:
com.amazonaws.vpce.<cloud-region>.vpce-svc-<service-id> -
Endpoint service access granted—To connect to external service, allow the endpoint service access to the following AWS account principal:
arn:aws:iam::402592597372:rootnote warning WARNING If access to the endpoint service is not provided, then the bidirectional PrivateLink connection to the service in your VPC is not added, which delays the setup.
Additional prerequisites specific to Azure Private Link enablement
-
Provide the cluster ID; using SSH, log in to the remote and use the command:
cat /etc/platform_cluster -
For an external service to connect to your ÃÛ¶¹ÊÓƵ Commerce Pro cluster, you need:
- A list of ports on your Pro cluster to expose to the new external Private Endpoint
- A list of Azure subscription IDs for the Private Endpoint connections
-
To connect your ÃÛ¶¹ÊÓƵ Commerce Pro cluster to an external service, you need:
- A list of resource IDs for the target services. External Private Link service IDs look similar to the following:
code language-text /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/privateLinkServices/{svcNameID}
Enablement workflow
The following workflow outlines the enablement process for PrivateLink integration with ÃÛ¶¹ÊÓƵ Commerce on cloud infrastructure.
-
Customer submits a support ticket requesting PrivateLink enablement with the subject line
PrivateLink support for <company>. Include the data required for enablement in the ticket. ÃÛ¶¹ÊÓƵ uses the Support ticket to coordinate communication during the enablement process. -
ÃÛ¶¹ÊÓƵ enables customer account access to the endpoint service in the ÃÛ¶¹ÊÓƵ VPC.
- Update the ÃÛ¶¹ÊÓƵ endpoint service configuration to accept requests initiated from the customer AWS or Azure account.
- Update the Support ticket to provide the service name for the ÃÛ¶¹ÊÓƵ VPC endpoint to connect to, for example
com.amazonaws.vpce.<cloud-region>.vpce-svc-<service-id>.
-
Customer adds the ÃÛ¶¹ÊÓƵ endpoint service to their Cloud account (AWS or Azure), which triggers a connection request to ÃÛ¶¹ÊÓƵ. See the Cloud platform documentation for instructions:
- For AWS, see .
- For Azure, see .
-
ÃÛ¶¹ÊÓƵ approves the connection request.
-
After connection request approval, the customer verifies the connection between their VPC and the ÃÛ¶¹ÊÓƵ VPC.
-
Additional steps to enable bidirectional connections:
-
ÃÛ¶¹ÊÓƵ supplies the ÃÛ¶¹ÊÓƵ account principal (root user for AWS or Azure account) and requests access to the customer VPC endpoint service.
-
Customer enables ÃÛ¶¹ÊÓƵ access to the endpoint service in the customer VPC. This assumes that the ÃÛ¶¹ÊÓƵ account principal has access to
arn:aws:iam::402592597372:root, as previously described in the Endpoint service access granted prerequisite.-
Update the customer endpoint service configuration to accept requests initiated from the ÃÛ¶¹ÊÓƵ account. See the Cloud platform documentation for instructions:
- For AWS, see .
- For Azure, see
-
Provide ÃÛ¶¹ÊÓƵ with the endpoint service name for the customer VPC.
-
-
ÃÛ¶¹ÊÓƵ adds the customer endpoint service to ÃÛ¶¹ÊÓƵ platform account (AWS or Azure), which triggers a connection request to customer VPC.
-
Customer approves the connection request from ÃÛ¶¹ÊÓƵ to complete the setup.
-
Customer verifies the connection from the ÃÛ¶¹ÊÓƵ VPC.
-
Test VPC endpoint service connection
You can use the Telnet application to test the connection to the VPC endpoint service.
To test the connection to the VPC endpoint service:
-
From the project root directory, check out the Staging or Production environment configured to access the PrivateLink endpoint service.
code language-bash magento-cloud environment:checkout <environment-id> -
Run the following CURL command:
code language-bash curl -v telnet://<endpoint-service-dns-url>:<port>/Example:
code language-none $ curl -v telnet://vpce-007ffnb9qkcnjgult-yfhmywqh.vpce-svc-083cqvm2ta3rxqat5v.us-east-1.vpce.amazonaws.com:80 -vvvSample successful response:
code language-none * Rebuilt URL to: telnet://vpce-007ffnb9qkcnjgult-yfhmywqh.vpce-svc-083cqvm2ta3rxqat5v.us-east-1.vpce.amazonaws.com:80 * Connected to vpce-0088d56482571241d-yfhmywqh.vpce-svc-083cqvm2ta3rxqat5v.us-east-1.vpce. amazonaws.com (191.210.82.246) port 80 (#0)Sample failed response:
code language-none Failed to connect to vpce-007ffnb9qkcnjgult-yfhmywqh.vpce-svc-083cqvm2ta3rxqat5v.ap-southeast-1.vpce.amazonaws.com port 80: Connection timed out * Closing connection 0 -
Verify that the service is listening on VM.
code language-bash netstat -na | grep <port> -
Check the packages flow.
code language-bash tcpdump -i <ethernet-interface> -tt -nn port <destination-port> and host <source-host>Check the following internal settings to ensure that the configuration is valid:
- Endpoint and endpoint services settings
- Network Load Balancer (NLB) settings
- The target groups in NLB and verify they are healthy
- The netcat/curl endpoint URL from each VM (listed above)
See the following articles for help with troubleshooting connection issues:
If you cannot resolve the errors, update the ÃÛ¶¹ÊÓƵ Commerce Support ticket to request help establishing the connection.
Change PrivateLink configuration
Submit an ÃÛ¶¹ÊÓƵ Commerce Support ticket to change an existing PrivateLink configuration. For example, you can request changes like the following:
- Remove the PrivateLink connection from the ÃÛ¶¹ÊÓƵ Commerce on cloud infrastructure Pro Production or Staging environment.
- Change the customer Cloud platform account number for accessing the ÃÛ¶¹ÊÓƵ endpoint service.
- Add or remove PrivateLink connections from the ÃÛ¶¹ÊÓƵ VPC to other endpoint services available in the customer VPC environment.
Set up for bidirectional PrivateLink connections
The customer VPC must have the following resources available to support bidirectional PrivateLink connections:
- A Network Load Balancer (NLB)
- An endpoint service configuration that enables access to an application or service from the customer VPC
- An (AWS) or (Azure) that allows ÃÛ¶¹ÊÓƵ to connect to endpoint services hosted in your VPC
If these resources are not available in the customer VPC, you must sign into your Cloud platform account to add the configuration.
- Amazon VPC console–
https://console.aws.amazon.com/vpc/ - Azure portal–
https://portal.azure.com
See your Cloud platform documentation for PrivateLink set up instructions:
-
AWS PrivateLink documentation
-
Azure PrivateLink documentation