Considerations for Private Connect with AWS
Before provisioning an inbound or outbound connection with an AWS VPC (Virtual Private Cloud), check these considerations.
Required Editions
| Available in: Lightning Experience |
| Available in: Enterprise, Performance, Unlimited, and Developer Editions |
Required User Permissions
Users who aren’t admins can modify inbound and outbound Private Connections using the Tooling, Metadata, and Connect APIs. They can also use third-party tools that are built on these APIs, such as Amazon AppFlow. But before users can use these APIs or tools to modify Private Connections, they must be assigned these user permissions.
- Allow user to modify Private Connections
- Modify Metadata Through Metadata API Functions
Enable these user permissions by creating or modifying a permission set and assigning it to the user. In Setup, these permissions are listed in the System Permissions section of the Permission Sets page. Creating a separate permission set with these permissions is useful for users who use third-party tools to modify Private Connections but don’t need other administrative permissions.
Current Availability
For a list of the supported AWS regions, see this knowledge article.
Private Connect inbound supports only port 443 (HTTPS). Private Connect inbound doesn’t support port 8443, because that port is used by mTLS.
Supported Salesforce Services
- Experience Cloud
- Financial Services Cloud
- Health Cloud
- Platform Cloud
- Sales Cloud
- Service Cloud
Supported Salesforce Features
- Inbound: All supported public APIs
- Outbound:
  - Agent Actions backed by External Services
  - Apex Callouts
  - Change Data Capture
  - External Services
  - OData 4.01 adapter for Salesforce Connect
  - Platform Events
  - Salesforce Connect Custom Adapter
  - Salesforce Connect SQL adapter for Amazon Athena
  - CRM Analytics
Unsupported Salesforce Features
Licensing
Each Private Connect license allows for one provisioned connection in each direction, inbound and outbound. Each connection represents a one-to-one mapping between an org ID and a VPC Endpoint ID. Every provisioned connection requires a Private Connect license. For example, four inbound connections require four licenses, leaving four available outbound connections.
There’s a per-org limit of 1,000 connections per direction. Connections in an unprovisioned state don’t count toward your license.
Rate Limits
The data rate limit is managed on an hourly basis. Data doesn’t roll over after an hour or accumulate. Rate limits are managed separately for inbound connections and outbound connections.
- Inbound connections are used by tools like MuleSoft or Amazon AppFlow to call in to the standard enterprise APIs.
- Outbound connections are used by Apex code or platform tools like Flow and External Services to fetch data from external systems.
The initial license purchase entitles the org to 225 MB of data per hour. Usage is expressed in hourly terms because the PrivateConnectOutboundCalloutHourlyLimitMB limit returned by the Limits API allows you to track the remaining outbound allocation on a per-hour basis.
If you reach the outbound connection limit, outbound traffic stops until the counter resets at the beginning of the next hour. The inbound connection limit is contractual, not technical. You must monitor and enforce the inbound connection limit for your Salesforce org. Standard enterprise API limits also apply to inbound connections.
Contact Salesforce to purchase a separate add-on license for more data. Outbound connections can’t transfer more than 56.48 GB of data per hour.
| Direction | Default Rate Limit Per Org Per Hour | Max Rate Limit Per Org Per Hour |
|---|---|---|
| Inbound | 225 MB | 56.48 GB |
| Outbound | 225 MB | 56.48 GB |
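One way to track the outbound allocation described above is shown in this added example, which is not Salesforce code. It assumes the Limits API response lists each limit as an object with `Max` and `Remaining` values and that the counter follows clock hours; the function name, thresholds, and sample data are hypothetical.

```python
import json
from datetime import datetime, timezone

LIMIT_NAME = "PrivateConnectOutboundCalloutHourlyLimitMB"  # limit name from this page

# Constructed sample response; the {"Max", "Remaining"} shape is an assumption
# and the numbers are invented for illustration.
SAMPLE_LIMITS_JSON = """
{
  "DailyApiRequests": {"Max": 15000, "Remaining": 14200},
  "PrivateConnectOutboundCalloutHourlyLimitMB": {"Max": 225, "Remaining": 90}
}
"""


def assess_outbound_budget(limits, now, warn_fraction=0.8):
    """Classify the outbound allocation for the clock hour that contains `now`."""
    entry = limits.get(LIMIT_NAME)
    if entry is None:
        # A missing entry means nothing can be measured; fail loudly, never report "ok".
        raise KeyError(f"{LIMIT_NAME} not present in Limits response")
    max_mb, remaining_mb = entry["Max"], entry["Remaining"]
    used_mb = max_mb - remaining_mb
    elapsed_min = now.minute + now.second / 60.0
    # Linear projection: assume the rest of the hour consumes data at the rate seen so far.
    rate = used_mb / elapsed_min if elapsed_min > 0 else 0.0
    projected_mb = used_mb + rate * (60.0 - elapsed_min)
    if remaining_mb <= 0:
        status = "exhausted"  # outbound traffic stops until the counter resets
    elif projected_mb >= max_mb:
        status = "will_exhaust"
    elif used_mb >= warn_fraction * max_mb:
        status = "warning"
    else:
        status = "ok"
    minutes_to_empty = remaining_mb / rate if rate > 0 and remaining_mb > 0 else None
    return {"status": status, "used_mb": used_mb, "projected_mb": round(projected_mb, 1),
            "minutes_to_empty": None if minutes_to_empty is None else round(minutes_to_empty, 1)}


if __name__ == "__main__":
    sample_now = datetime(2024, 1, 1, 10, 30, tzinfo=timezone.utc)  # constructed timestamp
    print(assess_outbound_budget(json.loads(SAMPLE_LIMITS_JSON), sample_now))
```

Because outbound traffic stops when the allocation runs out, alerting on `will_exhaust` gives time to throttle callouts before integrations that depend on the connection start failing.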
Sandbox, Scratch Org, and Developer Org Limitations
| Environment | Limitations |
|---|---|
| Full and Partial Copy Sandboxes | Private connections aren’t copied from production orgs and must be recreated in sandbox environments. You can create and provision connections. |
| Developer and Developer Pro Sandboxes | Private connections aren’t copied from production orgs and must be recreated in sandbox environments. You can create connections, but you can’t provision them. |
| Scratch Orgs | You can create connections, but you can’t provision them. |
| Developer Orgs | You can create connections, but you can’t provision them unless you file a case. |
Standards Compliance
Private Connect maintains compliance with these standards:
- ISO 27001, 27017, 27018
- SOC 2 Type II
- ASIP Santé HDS
- NEN 7510
- PCI-DSS
If you want to build Health Care applications on Salesforce that comply with the US Health Insurance Portability and Accountability Act (HIPAA), contact your account representative about signing a Business Associate Addendum.
See Compliance engineered for the Cloud for more information about these standards.

