We're thrilled to announce our new Private Connectivity experience for API Connect on AWS! This update delivers a more intuitive user experience and greater flexibility in managing private connections within your API Connect SaaS instance. In this blog post, we'll walk you through the key improvements and new capabilities that make Private Connectivity an essential tool for enterprise API management, plus show you how to get started.
Instance Settings
A significant enhancement in Private Connectivity v2 is its move from catalog settings to the API Connect on AWS Instance Settings panel. This panel makes it easier to highlight exclusive API Connect on AWS features like Private Connectivity and provides both a fresh design and convenient access throughout the product. Watch this panel for future exciting features.
Multiple Connections
The most significant improvement in v2 is support for multiple private connections. While v1 limited users to a single inbound and outbound connection, Private Connectivity v2 now supports three outbound connections while maintaining one inbound connection. This enhancement offers greater flexibility for organizations with complex networking requirements.
The update also introduces a fresh user experience with a new data table for easier connection management. Users now benefit from more detailed status indicators, providing greater visibility into connection progress. Additionally, the creation flow now supports naming your connections, making it simpler to manage multiple connections effectively.
Public connections
We're also excited to introduce public connections management. This feature lets you toggle public connections on/off for your entire instance while providing granular control over which catalogs allow public connections. When public connections are enabled (the default setting), clicking the edit icon next to the catalog status opens the Configure catalogs panel. There, you can efficiently batch edit the public connection status for all your catalogs.
Getting started
Configure an inbound connection
Begin by opening the Instance Settings panel by clicking the cloud icon with a cog in the top right in the header bar. Find the “Private connectivity” section and click the “Add +” primary button. Make sure you have the appropriate settings management permissions and your instance is on a Premium plan. If you’re not on a Premium plan, the UI will direct you to the upgrade process if you wish to take advantage of Private connectivity.
This will open the Create a private connectivity connection wizard, where you can select an Inbound connection type and give your connection a name. Once you have done this, click Next.
The connection has now been created but is not yet configured. You can close the wizard at this point if need be and return to it later by navigating to the “Private connectivity” section, locating the connection row in the table, opening the overflow menu, and clicking Continue.
You will now be prompted to enter your Service consumer ARN. An ARN is a unique identifier for an AWS resource, typically containing the resource's location and type. The principal that creates the VPC endpoint in the customer account must be pre-approved to access the VPC endpoint service in the API Connect account, and the Service consumer ARN identifies that principal. It can be a service role, user role, or even the root ARN for the customer account. See the AWS documentation for more details regarding this value.
Once you have procured the “Service consumer ARN”, enter it in the wizard and click “Next”. Once this value has been provided, we will then begin provisioning the backend infrastructure necessary to establish the PrivateLink, including the VPC endpoint service with the pre-approval that allows the service to be visible to the service consumer. When this has finished, the “Infrastructure” page of the wizard will update from Deploying infrastructure… to Infrastructure deployed.
Click Next.
The service name of the VPC endpoint service and the private DNS name for the API gateway can now be used to complete the private connection.
Now in AWS, create a VPC endpoint as instructed in the Connectivity page of the wizard, using the service name provided above.

Create a private hosted zone in AWS Route53 for the domain of the private DNS name shown in the Connectivity page of the wizard.

Create an alias A record in the private hosted zone pointing to the VPC endpoint DNS name shown in the AWS console.

With these steps completed, the Private DNS name shown in the Connectivity page in the wizard can be used in place of the public DNS name for the API gateway to access an API Connect API privately.
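The alias record step above, as an added example that is not part of the original post or the product's tooling: it builds the Route 53 change batch from a VPC endpoint description and refuses to produce one if the endpoint is not available, the record falls outside the private hosted zone, or the target is not one of the endpoint's DNS names. The sample endpoint, the zone `apic.example.com` and the name `gateway.apic.example.com` are constructed placeholders.

```python
import json

# Constructed sample shaped like one item of `aws ec2 describe-vpc-endpoints`
# output. Every ID and name here is a placeholder, not a real resource.
SAMPLE_ENDPOINT = {
    "VpcEndpointId": "vpce-0aaaaaaaaaaaaaaaa",
    "State": "available",
    "DnsEntries": [
        {"DnsName": "vpce-0aaaaaaaaaaaaaaaa-ex.vpce-svc-0bbbbbbbbbbbbbbbb"
                    ".us-east-1.vpce.amazonaws.com",
         "HostedZoneId": "ZPLACEHOLDER"},
    ],
}


def alias_change_batch(endpoint, endpoint_dns, private_dns, zone_name):
    """Build the change batch for the alias A record in the private zone."""
    if endpoint["State"].lower() != "available":
        raise ValueError(f"endpoint state is {endpoint['State']!r}")
    record = private_dns.rstrip(".").lower()
    zone = zone_name.rstrip(".").lower()
    # The record has to sit at or below the apex of the private hosted zone.
    if record != zone and not record.endswith("." + zone):
        raise ValueError(f"{record} is outside hosted zone {zone}")
    # An alias target needs the hosted zone ID AWS reports for that DNS name.
    zone_ids = {e["DnsName"].lower(): e["HostedZoneId"]
                for e in endpoint["DnsEntries"]}
    target = endpoint_dns.rstrip(".").lower()
    if target not in zone_ids:
        raise ValueError(f"{target} is not a DNS name of this endpoint")
    return {"Changes": [{
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": record + ".",
            "Type": "A",
            "AliasTarget": {"HostedZoneId": zone_ids[target],
                            "DNSName": target + ".",
                            "EvaluateTargetHealth": False},
        },
    }]}


if __name__ == "__main__":
    dns = SAMPLE_ENDPOINT["DnsEntries"][0]["DnsName"]
    # gateway.apic.example.com / apic.example.com are assumed names.
    print(json.dumps(alias_change_batch(
        SAMPLE_ENDPOINT, dns, "gateway.apic.example.com", "apic.example.com"),
        indent=2))
```

The printed JSON is in the shape `aws route53 change-resource-record-sets --change-batch` accepts. A private hosted zone only answers queries from VPCs it is associated with, so associate it with the VPC that holds the endpoint.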
Configure an outbound connection
Begin by opening the Instance Settings panel by clicking the cloud icon with a cog in the top right in the header bar. Find the “Private connectivity” section and click the Add + primary button. Make sure you have the appropriate settings management permissions and your instance is on a Premium plan. If you’re not on a Premium plan, the UI will direct you to the upgrade process if you wish to take advantage of Private connectivity.
This will open the Create a private connectivity connection wizard, where you can select an Outbound connection type and give your connection a name. Once you have done this, click Next.
Create a VPC endpoint service behind which your private app will be accessible. See the AWS documentation linked in the Create private endpoint service page of the wizard for more details.
Once created, make note of the Service name of the endpoint service in the AWS UI.

Click Next and specify the Service name of the endpoint service in the Enter endpoint service details page of the wizard.
Click Next.
Now we’ll authorize the API Connect account to access your VPC endpoint service. Copy the AWS principal ARN from the Pre-authorize AWS Principal page in the wizard.
Navigate to the Allow principals tab of the VPC endpoint service in AWS.

Specify the copied ARN in the Allow principals dialog.

Once done, click Next in the wizard.
Accept the connection request from the API Connect VPC endpoint
Wait for a Pending connection to appear in the Endpoint connections tab of the VPC endpoint service. Accept the connection request.

Wait for the connection state to update to Available.

Click Next in the wizard.
Copy the VPC endpoint private DNS name in the Connectivity page in the wizard.
Use this DNS name in your API Connect API to connect to your application behind your VPC endpoint service.
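An added example, not from the original post, that covers both the Service consumer ARN choice for inbound connections and the Allow principals step above: it classifies how much a principal entry admits (a root ARN covers a whole account, a role or user ARN one identity) and audits an endpoint service's allow list against the single ARN copied from the wizard. The sample data mirrors the shape of AWS CLI output but is constructed, and `WIZARD_ARN` is a placeholder for the value the wizard shows.

```python
import re

# Matches the three IAM ARN kinds this walkthrough mentions (root, role,
# user); anything else is reported as unrecognized.
IAM_ARN = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):(root|role/.+|user/.+)$")


def principal_scope(principal):
    """Say how much one allow-list entry admits."""
    if principal == "*":
        return "everyone"
    match = IAM_ARN.match(principal)
    if match is None:
        return "unrecognized"
    # The root ARN admits every principal in that account, not one identity.
    return "whole-account" if match.group(2) == "root" else "single-identity"


def audit_endpoint_service(config, permissions, expected_arn):
    """Return findings; an empty list means the service matches the wizard."""
    findings = []
    if not config.get("AcceptanceRequired", False):
        findings.append("acceptance not required: requests are auto-accepted")
    allowed = [p["Principal"] for p in permissions.get("AllowedPrincipals", [])]
    if expected_arn not in allowed:
        findings.append(f"missing expected principal {expected_arn}")
    for principal in allowed:
        if principal != expected_arn:
            findings.append(
                f"unexpected principal {principal} ({principal_scope(principal)})")
    return findings


# Constructed samples shaped like the output of
# `aws ec2 describe-vpc-endpoint-service-configurations` and
# `aws ec2 describe-vpc-endpoint-service-permissions`. All IDs are placeholders.
WIZARD_ARN = "arn:aws:iam::111122223333:role/apic-placeholder"
SAMPLE_CONFIG = {"ServiceId": "vpce-svc-0bbbbbbbbbbbbbbbb",
                 "AcceptanceRequired": True}
SAMPLE_PERMISSIONS = {"AllowedPrincipals": [
    {"Principal": WIZARD_ARN},
    {"Principal": "arn:aws:iam::444455556666:root"},
    {"Principal": "*"},
]}

if __name__ == "__main__":
    for finding in audit_endpoint_service(
            SAMPLE_CONFIG, SAMPLE_PERMISSIONS, WIZARD_ARN):
        print("FINDING:", finding)
```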
Configure public connections
Once you have configured at least one inbound or outbound connection, you’ll be able to configure public connections for your instance and/or your catalogs. You’ll find that public connections are enabled by default, represented by the toggle switch being set to Yes.
If you want to block all public connections to your instance and require that all connections use the private connectivity connections you just configured, toggle this to No. The UI will ask you to confirm this action, as it can be disruptive. Make sure to only disable public connections after ensuring all public traffic has been routed to your private connections.
You’ll notice that the UI no longer allows you to configure public connections for your individual catalogs. Since this is redundant, we have hidden the UI in this case. More on that later.
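One way to check the precondition for switching public connections to No, as an added example that is not part of the original post: for every gateway hostname your clients use, confirm that DNS answers fall inside your VPC's address ranges, which is where the interface endpoint's addresses live. The hostnames, the CIDR and the answers below are constructed placeholders; `resolve` performs the live lookup and should be run from a host inside the VPC.

```python
import ipaddress
import socket


def resolve(hostname, port=443):
    """Resolve with the local resolver; run this from inside the VPC."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0].split("%")[0] for info in infos})


def cutover_blockers(answers_by_host, vpc_cidrs):
    """Map each hostname that is not yet private-only to the reason."""
    networks = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    blockers = {}
    for host, answers in answers_by_host.items():
        if not answers:
            # A name that does not resolve would break after the cutover too.
            blockers[host] = ["no DNS answer"]
            continue
        outside = [a for a in answers
                   if not any(ipaddress.ip_address(a) in n for n in networks)]
        if outside:
            blockers[host] = outside
    return blockers


# Constructed inputs: one VPC CIDR and resolver answers for three client
# hostnames. All values are placeholders (documentation address ranges).
VPC_CIDRS = ["10.20.0.0/16"]
SAMPLE_ANSWERS = {
    "gateway.apic.example.com": ["10.20.1.37", "10.20.2.90"],
    "gateway-public.example.net": ["203.0.113.10"],
    "stale.apic.example.com": [],
}

if __name__ == "__main__":
    for host, reason in cutover_blockers(SAMPLE_ANSWERS, VPC_CIDRS).items():
        print(f"NOT READY {host}: {reason}")
    # Live use, with your own names and ranges:
    #   cutover_blockers({name: resolve(name) for name in names}, cidrs)
```

An empty result only shows where this client would send traffic; callers on other networks need the same check from their side.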
If you would like to configure public connections for a subset of your catalogs, leave the “Public connections” toggle set to Yes. To configure public connections for your catalogs, click the edit icon next to the catalog status.
This will load a new panel allowing you to batch block/enable public connections for your catalogs. This is a great addition for users who only want a subset of their catalogs to allow or block public connections. Note that newly created catalogs will default to Allowed. If you are using this page to batch edit all catalogs, you may want to stick with the instance-wide toggle on the previous page.
Additionally, you can configure public connections for your catalogs and later disable public connections for your entire instance. The per-catalog configuration persists while public connections for the instance are blocked and is reinstated if you toggle public connections back on.