PrivateLink service

Adobe Commerce on cloud infrastructure supports integration with the AWS PrivateLink or Azure Private Link service to allow Cloud customers to establish secure, private communication between Adobe Commerce on cloud infrastructure environments and services and applications hosted on external systems. Both the Adobe Commerce application and external systems must be accessible through private VPC endpoints configured within the same Cloud region (AWS or Azure).

Features and support

The PrivateLink service integration for Adobe Commerce on cloud infrastructure projects includes the following features and support:

  • A secure connection between a customer Virtual Private Cloud (VPC) and the Adobe VPC within the same Cloud region.
  • Support for unidirectional or bidirectional communication between endpoint services available in Adobe and Customer VPCs.
  • Service enablement–
    • Open required ports in the Adobe Commerce on cloud infrastructure environment
    • Establish the initial connection between the customer and Adobe VPCs
    • Troubleshoot connection issues during enablement

Limitations

  • Support for PrivateLink is available on Pro plan Production and Staging environments only. It is not available on local or integration environments, or on Starter plan projects.
  • You cannot establish SSH connections using PrivateLink. For SSH, use the SSH capabilities. See Enable SSH keys.
  • Adobe Commerce support does not cover troubleshooting AWS PrivateLink issues beyond initial enablement.
  • Customers are responsible for costs associated with managing their own VPC.
  • You cannot use the HTTPS protocol (port 443) to connect to Adobe Commerce on cloud infrastructure over PrivateLink.
  • PrivateDNS is not available.

The following network diagram shows the PrivateLink connection types available to establish secure communication between your store and external systems hosted outside of the Cloud environment.

PrivateLink network diagram

You must determine the PrivateLink connection type required for your Adobe Commerce on cloud infrastructure environments:

  • Unidirectional PrivateLink–Choose this configuration to retrieve data securely from a Adobe Commerce on cloud infrastructure store.
  • Bidirectional PrivateLink–Choose this configuration to establish secure connections to and from systems outside of the Adobe Commerce on cloud infrastructure environment. The bidirectional option requires two connections:
    • A connection between the customer VPC and the Adobe VPC
    • A connection between the Adobe VPC and the customer VPC

Work with your network administrator or Cloud platform provider for help selecting the PrivateLink connection type, or help with VPC setup and administration. Also, see your Cloud platform PrivateLink documentation AWS PrivateLink, Azure Private Link.

Enabling PrivateLink can take up to 5 business days. Providing incomplete, or inaccurate information can delay the process.

Prerequisites

  • A Cloud account (AWS or Azure) in the same region as the Adobe Commerce on cloud infrastructure instance
  • A VPC in the customer environment that hosts the services to connect via PrivateLink. See the AWS or Azure documentation for help with VPC set up or contact your network administrator.
  • For bidirectional PrivateLink connections, you must create the endpoint service configuration for your application or service, and create an endpoint in your VPC environment before requesting PrivateLink enablement. See Set up for bidirectional PrivateLink connections.
  • Gather the following data required for PrivateLink enablement:

    • Customer Cloud account number (AWS or Azure)–Must be in the same region as the Adobe Commerce on cloud infrastructure instance
    • Cloud region–Provide the Cloud region where the account is hosted for verification purposes
    • Services and communication ports–Adobe must open ports to enable service communication between VPCs, for example Webserver, HTTP port 80, SFTP port 2222
    • Project ID–Provide the Adobe Commerce on cloud infrastructure Pro project ID. You can get the Project ID and other project information using the folllowing Magento Cloud CLI command: magento-cloud project:info
    • Connection type–Specify unidirectional or bidirectional for connection type
    • Endpoint service–For bidirectional PrivateLink connections, provide the DNS URL for the VPC endpoint service that Adobe must connect to, for example com.amazonaws.vpce.<cloud-region>.vpce-svc-<service-id>.
    • Endpoint service access granted-Provide the Adobe account principal with access to this endpoint service: arn:aws:iam::402592597372:root. If access to the endpoint service is not provided, the bidirectional PrivateLink connection to the service in your VPC is not added, which delays the setup.

Enablement workflow

The following workflow outlines the enablement process for PrivateLink integration with Adobe Commerce on cloud infrastructure.

  1. Customer submits a support ticket requesting PrivateLink enablement with the subject line PrivateLink support for <company>. Include the data required for enablement in the ticket.

    We use the Support ticket to coordinate communication during the enablement process.

  2. Adobe enables customer account access to the endpoint service in the Adobe VPC.

    • Update the Adobe endpoint service configuration to accept requests initiated from the customer AWS or Azure account.

    • Update the Support ticket to provide the service name for the Adobe VPC endpoint to connect to, for example com.amazonaws.vpce.<cloud-region>.vpce-svc-<service-id>.

  3. Customer adds the Adobe endpoint service to their Cloud account (AWS or Azure), which triggers a connection request to Adobe. See the Cloud platform documentation for instructions:

  4. Adobe approves the connection request.

  5. After connection request approval, the customer verifies the connection between their VPC and the Adobe VPC.

  6. Additional steps to enable bidirectional connections:

    • Adobe supplies the Adobe account principal (root user for AWS or Azure account) and requests access to the customer VPC endpoint service.

    • Customer enables Adobe access to the endpoint service in the customer VPC. This assumes that the Adobe account principal has access to arn:aws:iam::402592597372:root, as previously described in the Endpoint service access granted prerequisite.

    • Adobe adds the customer endpoint service to Adobe platform account (AWS or Azure), which triggers a connection request to customer VPC.

    • Customer approves the connection request from Adobe to complete the setup.

    • Customer verifies the connection from the Adobe VPC.

Test VPC endpoint service connection

You can use the Telnet application to test the connection to the VPC endpoint service.

For help installing and using Telnet, see Telnet How-To in the Telnet documentation.

To test the connection to the VPC endpoint service:

  1. Log in to Adobe Commerce on cloud infrastructure project, and checkout the Staging or Production environment.

    1
    
    magento-cloud login
    
  2. From the project root directory, checkout the environment configured to access the PrivateLink endpoint service.

    1
    
    magento-cloud environment:checkout <environment-id>
    
  3. Run the following CURL command:

    1
    
    curl -v telnet://<endpoint-service-dns-url>:<port>/
    

    Example:

    1
    
    $ curl -v telnet://vpce-007ffnb9qkcnjgult-yfhmywqh.vpce-svc-083cqvm2ta3rxqat5v.us-east-1.vpce.amazonaws.com:80 -vvv
    

    If the connection succeeds, the following output displays:

    1
    2
    
    * Rebuilt URL to: telnet://vpce-007ffnb9qkcnjgult-yfhmywqh.vpce-svc-083cqvm2ta3rxqat5v.us-east-1.vpce.amazonaws.com:80
    * Connected to vpce-0088d56482571241d-yfhmywqh.vpce-svc-083cqvm2ta3rxqat5v.us-east-1.vpce. amazonaws.com (191.210.82.246) port 80 (#0)
    

    If the connection fails, the following output displays:

    1
    2
    
    Failed to connect to vpce-007ffnb9qkcnjgult-yfhmywqh.vpce-svc-083cqvm2ta3rxqat5v.ap-southeast-1.vpce.amazonaws.com port 80: Connection timed out
    * Closing connection 0
    
  4. Run the following command to ensure the service is listening on VM:

    1
    
    netstat -na |grep <port>
    
  5. Run the following command to check the packages flow:

    1
    
    tcpdump -i <ethernet interface> -tt -nn port <destination port> and host <source host>
    

    Check the following internal settings to ensure that the configuration is valid:

    • Endpoint and endpoint services settings
    • NLB settings
    • The target groups in NLB and verify they are healthy
    • The netcat/curl endpoint URL from each VM ( listed above)

    See the following articles for help troubleshooting connection issues:

    If you cannot resolve the errors, update the Adobe Commerce Support ticket to request help establishing the connection.

Submit a Adobe Commerce Support ticket to change an existing PrivateLink configuration. For example, you can request changes like the following:

  • Remove the PrivateLink connection from the Adobe Commerce on cloud infrastructure Pro Production or Staging environment.
  • Change the customer Cloud platform account number for accessing the Adobe endpoint service.
  • Add or remove PrivateLink connections from the Adobe VPC to other endpoint services available in the customer VPC environment.

The customer VPC must have the following resources available to support bidirectional PrivateLink connections:

  • A Network Load Balancer (NLB)
  • An endpoint service configuration that enables access to an application or service from the customer VPC
  • An interface endpoint (AWS) or private endpoint (Azure) that allows Adobe to connect to endpoint services hosted in your VPC

If these resources are not available in the customer VPC, you must sign into your Cloud platform account to add the configuration.

  • Amazon VPC console– https://console.aws.amazon.com/vpc/
  • Azure portal– https://portal.azure.com

See your Cloud platform documentation for PrivateLink set up instructions: