          Private Connect Considerations

          Private Connect for Data 360 establishes a secure connection between Virtual Private Clouds (VPC), bypassing the public internet and enhancing security.

          Privately Connecting Your VPC

          A VPC is a logically isolated private network inside a public cloud such as AWS, giving you a secure space for your data and apps that isn't reachable from the public internet. Data lakes typically sit behind a VPC for exactly that reason, but the same isolation also blocks Data 360 from reaching them. Private Connect for Data 360 solves this by establishing private network access, so traffic between Data 360 and your data lake never leaves the private network.

          Private Connect for Data 360 currently supports AWS PrivateLink to create a secure point-to-point connection between the Data 360 AWS VPC and your AWS VPC. The private connection is exclusive to an individual tenant, so you can grant access to your own Data 360 tenant alone while keeping your public-internet restrictions in place.

          Private Connect for Data 360 Architecture

          Private Connect for Data 360 uses a high performing, scalable architecture, which provides each tenant with dedicated capacity and security. This architecture supports a wide range of use cases, including high-volume initial ingestion of unstructured data and low-latency queries for analytics.

          Private Connect and Private Connect for Data 360 Are Different Products

          Salesforce Private Connect and Private Connect for Data 360 are distinct products with different features and pricing structures. Salesforce Private Connect isn’t compatible with Data 360. Private Connect for Data 360, however, supports Data 360.

          Data Kit Support for Private Connect

          Currently, data kits don’t support Private Connect, but a manual workaround is available for both Snowflake and Redshift. The workaround doesn’t block the use of data kits for other use cases.

          Solution for Snowflake

          This workaround requires you to create a PNR in your target org and to activate it as follows:

          1. Deploy the DevOps data kit on the target org. The deployment fails, which is expected.
          2. Create a Private Connect Private Network Route (PNR) in the target org.
          3. Go to Data Cloud Setup and locate the Snowflake connection. It is in an INACTIVE state. Activate it as follows:
            • Turn on the toggle for Private Connect.
            • Select the PNR that you created.
            • Enter the URL, keys, and other details as directed.
            • The setup connection shows an ACTIVE state.
          4. Go to App Launcher, select Data Cloud, and select Data Streams. The data stream shows an error state.
          5. Click the error symbol and try the stream creation again. The connection succeeds and the data stream moves to an ACTIVE state.

          Solution for Redshift

          This workaround also requires you to create a PNR, but it unblocks the transfer of other components, such as connectors and data streams. After you’ve downloaded the data kit that you need, open it, open the DataKitObject template, and update the outboundnetworkconnection value as described in the following steps.

          1. Create a Private Connect Private Network Route (PNR) in the target org. As you create the PNR, copy and save the Private Network Route ID. You need it for step 4.
          2. On the target org, use Salesforce CLI to fetch the data kit.
          3. In the retrieved package, open the DataKitObjectTemplate.
          4. Locate the parameter named outboundnetworkconnection. Replace its value with the Private Network Route ID you collected in step 1. For example: {"paramName":"outboundnetworkconnection","value":"<PNR-ID>"}.
          5. Deploy the data kit through the UI or a change set. The connection succeeds and moves to an INACTIVE state. Activate it as follows:
            • Turn on the toggle for Private Connect.
            • Select the PNR that you created.
            • Enter the URL, keys, and other details as directed.
            • The setup connection shows an ACTIVE state.
          6. Go to App Launcher, select Data Cloud, and select Data Streams. The data stream displays an error state.
          7. Click the error symbol and try the stream creation again. The connection succeeds and the data stream moves to an ACTIVE state.

          Amazon Simple Storage Service (S3)

          Data 360 supports private network connectivity to S3 without Private Connect for Data 360. Traffic is addressed to public IPs but stays on the AWS backbone and never traverses the public internet.

          • An S3 bucket in the same AWS region as your Data 360 instance is reached over a private IP address. Update your bucket policy to include Data 360's AWS VPC endpoint for that region in the allowlist for private S3 access.

          • Buckets in a different region from the Data 360 tenant are accessed via public IP.

          For more information, see AWS PrivateLink for Amazon S3 and IP Addresses Used by Data 360 Services.
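The allowlisting step above amounts to a bucket policy whose Allow statements are conditioned on the `aws:SourceVpce` key. The following is an added example (not Salesforce's or AWS's code) that audits such a policy: it reports which VPC endpoint IDs the policy pins access to, so you can confirm the Data 360 endpoint for your region is present, and it additionally flags Allow statements that carry no network-source condition at all. The policy documents, bucket name, account ID, role name and `vpce-PLACEHOLDER…` endpoint IDs are all constructed placeholders.

```python
"""Audit an S3 bucket policy for VPC-endpoint-restricted access.

Added example, not Salesforce's or AWS's code. All names and IDs below are
constructed placeholders; substitute your bucket's real policy document.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed sample policy: reads are permitted only when the request arrives
# through the named VPC endpoint (placeholder ID).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowData360ReadsViaVpce",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/PLACEHOLDER-data360-role"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::placeholder-data-lake-bucket",
                "arn:aws:s3:::placeholder-data-lake-bucket/*",
            ],
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER0001"}},
        },
    ],
})

# Constructed sample with no network-source restriction, for contrast. Note the
# single-object (not list) "Statement", which IAM also accepts.
UNRESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowAnyRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/PLACEHOLDER-data360-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::placeholder-data-lake-bucket/*",
    },
})


def _as_list(value: Any) -> list:
    """IAM policy JSON accepts either a single value or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_vpc_endpoints(policy_json: str) -> set[str]:
    """Return the VPC endpoint IDs that Allow statements pin access to through a
    StringEquals condition on aws:SourceVpce (single value or list)."""
    policy = json.loads(policy_json)
    endpoints: set[str] = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        condition = stmt.get("Condition") or {}
        for operator in ("StringEquals", "ForAnyValue:StringEquals"):
            endpoints.update(_as_list(condition.get(operator, {}).get("aws:SourceVpce")))
    return endpoints


def unrestricted_allow_statements(policy_json: str) -> list[str]:
    """Return the Sids of Allow statements with no network-source condition
    (none of aws:SourceVpce, aws:SourceVpc, aws:SourceIp)."""
    source_keys = {"aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp"}
    policy = json.loads(policy_json)
    flagged: list[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        condition = stmt.get("Condition") or {}
        # Each operator block is a dict keyed by condition key name.
        keys = {key for block in condition.values() for key in block}
        if not keys & source_keys:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def grants_private_access(policy_json: str, vpce_id: str) -> bool:
    """True when the policy explicitly allows access through the given endpoint."""
    return vpce_id in allowed_vpc_endpoints(policy_json)


if __name__ == "__main__":
    print("endpoints allowed:", allowed_vpc_endpoints(SAMPLE_POLICY))
    print("unrestricted Allow statements:", unrestricted_allow_statements(UNRESTRICTED_POLICY))
```

Run it against the output of `aws s3api get-bucket-policy` (the `Policy` field is the JSON string the functions expect) and check that the endpoint ID shown on your Private Network Route details page appears in the returned set.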

          Difference Between Private and Public IP Addresses

          A public IP address is reachable from the internet. A private IP address isn’t, because it comes from a range of non-internet-facing addresses reserved for internal networks. When you use Private Connect for Data 360, allowlisting public IPs is optional: Private Connect uses only private IP addresses and never public ones.

          Private Connect for Data 360 Credit Consumption

          In general, credit consumption is independent across all types as seen on the rate cards. For example, with Zero Copy Federation, the consumption rate is 70 credits for every million rows accessed. If you’re using a private connection to ingest Zero Copy Federation, the rate is 70 credits per million rows accessed in addition to 500 credits for every GB transferred.

          IP Allowlisting for Snowflake

          Many organizations use Snowflake Network Policies to restrict access to their Snowflake instance to a select set of IPs or other uniquely identifiable sources. When you use Private Connect to create a Data 360 connection to Snowflake, the traffic originates from a single AWS PrivateLink VPC endpoint. This endpoint uses one of a wide array of private Data 360 IP addresses. Allowlist traffic from that VPC endpoint so that Data 360 can connect to Snowflake, using either the Data 360 VPC endpoint ID or the IP range 10.0.0.0/8. We recommend allowlisting the VPC endpoint ID. Retrieve the ID from the details page of an existing Private Network Route.

          If you're using an IP range, we recommend adding the full 10.0.0.0/8 range to the allowlist. Using the full range avoids ongoing maintenance and the outages that follow when an internal address changes. Data 360 doesn’t support allowlisting by specific IP address because internal private IP addresses can change at any time, without notice.

          To troubleshoot connection issues, you can use dig or nslookup on the Data 360 VPC endpoint Domain Name System (DNS) available from the details page of the network route to find associated IP addresses.
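The dig check above, together with the private-versus-public distinction from the earlier section, is what the following added example (not Salesforce's code) automates: it parses the text that `dig +short <endpoint-dns>` prints, skips CNAME hops, and sorts each answer into "inside 10.0.0.0/8" (covered by the single recommended allowlist entry), "other RFC 1918 private range" or "not private", so you can see at a glance whether a range-based allowlist actually covers the endpoint. The sample dig output is constructed, the endpoint hostname in it is a placeholder, and `resolve_endpoint()` only shells out to dig when you pass it a real hostname from the network route's details page.

```python
"""Check the addresses behind a Data 360 VPC endpoint DNS name against the
10.0.0.0/8 range recommended for allowlisting.

Added example, not Salesforce's code. The dig output below is constructed and
the hostname in it is a placeholder.
"""
from __future__ import annotations

import ipaddress
import subprocess

RECOMMENDED_RANGE = ipaddress.ip_network("10.0.0.0/8")
# The remaining RFC 1918 ranges, kept separate so the report shows which private
# addresses the recommended allowlist entry would NOT cover.
OTHER_RFC1918 = [ipaddress.ip_network("172.16.0.0/12"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed `dig +short` output: a CNAME hop, two answers inside 10.0.0.0/8,
# one in another RFC 1918 range, and one address from the RFC 5737 documentation
# range standing in for a public address.
SAMPLE_DIG_OUTPUT = """\
vpce-PLACEHOLDER0001.vpce-svc-PLACEHOLDER.example.invalid.
10.12.34.56
10.12.35.78
172.16.5.5
198.51.100.9
"""

# Constructed output in which every answer is inside the recommended range.
SAMPLE_DIG_OUTPUT_OK = "10.20.30.40\n10.20.30.41\n"


def parse_dig_short(output: str) -> list[ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """Keep only the lines of `dig +short` output that parse as IP addresses;
    CNAME hops and blank lines are skipped."""
    addrs: list[ipaddress.IPv4Address | ipaddress.IPv6Address] = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.append(ipaddress.ip_address(line))
        except ValueError:
            continue  # a hostname from a CNAME chain, not an address
    return addrs


def classify(addrs) -> dict[str, list[str]]:
    """Bucket each address by whether the recommended 10.0.0.0/8 entry covers it."""
    result: dict[str, list[str]] = {"in_recommended_range": [], "other_rfc1918": [], "not_private": []}
    for addr in addrs:
        if addr.version == 4 and addr in RECOMMENDED_RANGE:
            result["in_recommended_range"].append(str(addr))
        elif addr.version == 4 and any(addr in net for net in OTHER_RFC1918):
            result["other_rfc1918"].append(str(addr))
        else:
            result["not_private"].append(str(addr))
    return result


def covered_by_recommended_allowlist(output: str) -> bool:
    """True when dig returned at least one address and every address lies inside
    10.0.0.0/8, i.e. the single recommended allowlist entry covers them all."""
    addrs = parse_dig_short(output)
    return bool(addrs) and all(a.version == 4 and a in RECOMMENDED_RANGE for a in addrs)


def resolve_endpoint(hostname: str) -> list[ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """Run dig against a real endpoint DNS name and parse its answers."""
    completed = subprocess.run(["dig", "+short", hostname], capture_output=True, text=True, check=True)
    return parse_dig_short(completed.stdout)


if __name__ == "__main__":
    print(classify(parse_dig_short(SAMPLE_DIG_OUTPUT)))
    print("covered:", covered_by_recommended_allowlist(SAMPLE_DIG_OUTPUT))     # False
    print("covered:", covered_by_recommended_allowlist(SAMPLE_DIG_OUTPUT_OK))  # True
```

Because the page notes that the internal addresses can change without notice, a "not covered" result from this script is a reason to move to allowlisting the VPC endpoint ID rather than to add the individual addresses it printed.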

          Snowflake Data Share

          The relationship between a Snowflake Federation connection and a Snowflake Private Network Route is established when you create the connection. Private Connect behaves differently for Data Share. If a Snowflake Private Network Route and the Data Share Target use the same URL, the target creation process uses Private Connect. For any other URL, Data 360 first tries to create the target over the public internet.

          The Data 360 Snowflake Data Share feature uses Snowflake's Secure Data Sharing (SDS) for private Snowflake instances. Verify ownership of the sharing account through an OAuth sign-in when creating a Data Share Target. After it’s verified, Data 360 deletes all sign-in data, including OAuth tokens.

          For successful Data Share Target creation, the originating computer must have network access to Snowflake from an accepted network location. A typical setup involves the user connecting to a corporate VPN, with Snowflake configured to allow requests from that network. Other requests do not use this account to sign in. This step usually requires Salesforce Private Connect or temporarily allowlisting the Data 360 public IP addresses so that Data 360 can reach the OAuth API endpoints.

          Redshift and Snowflake Data Share Implementation

          The implementation of Data Share differs for Redshift and Snowflake. Redshift's implementation doesn't require Private Connect. For Snowflake, Private Connect is necessary during the initial creation of the Data Share Target. This difference means that credit consumption only occurs during creation, requiring approximately 1 credit. No additional credit consumption occurs for Private Connect for Snowflake Data Share, regardless of the volume of data shared or accessed.

          For more information, see Harness Zero Copy data sharing from Salesforce Data Cloud to Amazon Redshift for Unified Analytics – Part 2.

          Support for Multiple Redshift Instances

          Multiple Redshift instances on a single VPC can't share a single Redshift Private Network Route for access. Instead, a one-to-one mapping exists between each Private Network Route (PNR) and its Redshift instance.

           