Establish an Outbound Connection with AWS
An outbound connection allows you to send traffic from Salesforce to your AWS Virtual Private Cloud (VPC) using Named Credentials.
Required Editions
Available in: Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer Editions
Overview
From the AWS Regions dropdown in the Private Connect Setup page, copy the IAM Role that corresponds to your AWS VPC region. In AWS, add the copied IAM Role to the Whitelisted Principals tab of the VPC Endpoint Service you want to connect to. Then, copy the Endpoint Service DNS Name, and use it to create an Outbound Connection in the Setup wizard within Salesforce. Provision the connection when you are ready to use it. Register your endpoint URL within a Named Credential, and reference the Outbound Connection using the new OutboundNetworkConnection field. All callouts from Salesforce using this Named Credential are routed through the private connection.

1. From Setup, in the Quick Find box, enter Private Connect and select it.
2. To open a dropdown menu of the available regions, IAM Roles, and Service Names, click AWS Regions.
3. Find the region in which your VPC is hosted, and copy the corresponding IAM Role.
4. In the AWS Console, add the IAM Role to the Whitelisted Principals tab of your VPC Endpoint Service. This grants AWS access to the Salesforce-managed VPC.
5. After saving the Endpoint Service, copy the VPC Endpoint Service Name and the DNS Name of the Endpoint Service’s Network Load Balancer (NLB).
6. From the Private Connect Setup page, click Create Outbound Connection.
7. Select the AWS PrivateLink Connection Type.
8. Enter the Connection Name, Description, and the VPC Endpoint Service Name you copied in Step 5.
9. Save your changes. Your connection appears on the Outbound Connections list with the Status field as Unprovisioned.
10. Click the arrow under the Actions field that corresponds to your connection on the Outbound Connections list, and then click Sync.
    Warning: After the Status field changes to Ready, it can take an extra few minutes for the connection to be fully prepared for runtime callouts. Wait up to 5 minutes before making callouts.
11. Register your AWS VPC Endpoint Service Name as a Named Credential using the new OutboundNetworkConnection lookup field. Make sure that the hostname matches the certificate of the endpoint service.
    The URL should contain the VPC Endpoint Service DNS Name from Step 5 and the port of the destination service, separated by a colon. If your target group is attached to a port that is different than the default for the protocol, you must specify the port in the URL. An HTTP URL defaults to port 80 and an HTTPS URL defaults to port 443.
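The following pre-flight check is an added example, not Salesforce or AWS code. It applies the rules from the last step to a candidate Named Credential URL: the host is the DNS name from Step 5, the effective port (explicit or protocol default) is the port your target group listens on, and for HTTPS the host is covered by a name on the service's certificate. The function names, the sample DNS name, and the certificate name list are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def san_matches(hostname, san):
    """Exact match, or a '*' that covers only the left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        return host[1:] == pattern[1:]
    return host == pattern

def check_named_credential_url(url, endpoint_dns_name, listener_port, cert_sans):
    """Return a list of problems; an empty list means the URL passes."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return [f"unsupported scheme: {parts.scheme!r}"]
    try:
        port = parts.port
    except ValueError:
        return ["port is not a valid number"]
    if port is None:  # no explicit port: the protocol default applies
        port = DEFAULT_PORTS[scheme]
    host = (parts.hostname or "").lower()
    problems = []
    if host != endpoint_dns_name.lower().rstrip("."):
        problems.append(f"host {host!r} is not the endpoint service DNS name")
    if port != listener_port:
        problems.append(f"URL resolves to port {port}, listener is on {listener_port}")
    if scheme == "https" and not any(san_matches(host, s) for s in cert_sans):
        problems.append(f"no certificate SAN matches {host!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    dns = "example-nlb-0123456789abcdef.elb.us-east-1.amazonaws.com"
    sans = [dns]  # subject alternative names read from the service certificate
    candidates = (f"https://{dns}:8443", f"https://{dns}", "https://other.example.com:8443")
    for url in candidates:
        print(url, "->", check_named_credential_url(url, dns, 8443, sans) or "OK")
```

With a listener on 8443, the second candidate fails because an HTTPS URL without an explicit port resolves to 443.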
After you create an outbound connection, follow these tips to manage it properly.
- If you update a developer-controlled field of a private connection during a package upgrade, such as service name, endpoint ID, or region, you risk breaking the connection.
- If you make any external changes to a connection, sync the connection again in Salesforce to retrieve the latest status or catch runtime errors.
- If your Network Load Balancer (NLB) configuration includes security group rules to control traffic, we recommend that you don't apply these rules to traffic sent through AWS PrivateLink. See Update the security groups for your Network Load Balancer in the AWS documentation.
Unprovisioned, Allocating, PendingAcceptance, PendingActivation, RejectedRemotely, DeletedRemotely, TeardownInProgress, Ready

