Adobe Commerce on cloud infrastructure supports integration with the AWS PrivateLink or Azure Private Link service. You can use PrivateLink to establish secure, private communication between Adobe Commerce on cloud infrastructure environments with services and applications hosted on external systems. Both the Adobe Commerce application and external systems must be accessible through Virtual Private Cloud (VPC) endpoints configured within the same Cloud region (AWS or Azure).
PrivateLink is best used for securing connections for non-HTTP(S) integrations, such as database or file transfers. If you plan to integrate your application with Adobe Commerce APIs, see how to create an Adobe API Mesh in API Mesh for Adobe Developer App Builder.
The PrivateLink service integration for Adobe Commerce on cloud infrastructure projects includes the following features and support:
A secure connection between a customer Virtual Private Cloud (VPC) and the Adobe VPC within the same Cloud region.
Support for unidirectional or bidirectional communication between endpoint services available at Adobe and Customer VPCs.
There are two PrivateLink connection types available—shown in the following network diagram—to establish secure communication between your store and external systems hosted outside of the Cloud environment.
Choose one of the PrivateLink connection types best suited for your Adobe Commerce on cloud infrastructure environments:
Unidirectional PrivateLink–Choose this configuration to retrieve data securely from an Adobe Commerce on cloud infrastructure store.
Bidirectional PrivateLink–Choose this configuration to establish secure connections to and from systems outside of the Adobe Commerce on cloud infrastructure environment. The bidirectional option requires two connections:
Enabling PrivateLink can take up to five business days. Providing incomplete or inaccurate information can delay the process.
A Cloud account (AWS or Azure) in the same region as the Adobe Commerce on cloud infrastructure instance.
A VPC in the customer environment that hosts the services to connect through PrivateLink. See the AWS or Azure documentation for help with VPC setup or contact your network administrator.
For bidirectional PrivateLink connections, you must create the endpoint service configuration for your application or service, and create an endpoint in your VPC environment before requesting PrivateLink enablement. See Set up for bidirectional PrivateLink connections.
Gather the following data required for PrivateLink enablement:
Customer Cloud account number (AWS or Azure)—Must be in the same region as the Adobe Commerce on cloud infrastructure instance
Cloud region—Provide the Cloud region where the account is hosted for verification purposes
Services and communication ports—Adobe must open ports to enable service communication between VPCs, for example SQL port 3306, SFTP port 2222
Project ID—Provide the Adobe Commerce on cloud infrastructure Pro project ID. You can get the Project ID and other project information using the following Cloud CLI command:
Connection type—Specify unidirectional or bidirectional for connection type
Endpoint service—For bidirectional PrivateLink connections, provide the DNS URL for the VPC endpoint service that Adobe must connect to, for example:
Endpoint service access granted—To connect to external service, allow the endpoint service access to the following AWS account principal:
If access to the endpoint service is not provided, then the bidirectional PrivateLink connection to the service in your VPC is not added, which delays the setup.
Provide the cluster ID; using SSH, log in to the remote and use the command:
For an external service to connect to your Adobe Commerce Pro cluster, you need:
To connect your Adobe Commerce Pro cluster to an external service, you need:
The following workflow outlines the enablement process for PrivateLink integration with Adobe Commerce on cloud infrastructure.
Customer submits a support ticket requesting PrivateLink enablement with the subject line
PrivateLink support for <company>. Include the data required for enablement in the ticket. Adobe uses the Support ticket to coordinate communication during the enablement process.
Adobe enables customer account access to the endpoint service in the Adobe VPC.
Customer adds the Adobe endpoint service to their Cloud account (AWS or Azure), which triggers a connection request to Adobe. See the Cloud platform documentation for instructions:
Adobe approves the connection request.
After connection request approval, the customer verifies the connection between their VPC and the Adobe VPC.
Additional steps to enable bidirectional connections:
Adobe supplies the Adobe account principal (root user for AWS or Azure account) and requests access to the customer VPC endpoint service.
Customer enables Adobe access to the endpoint service in the customer VPC. This assumes that the Adobe account principal has access to
arn:aws:iam::402592597372:root, as previously described in the Endpoint service access granted prerequisite.
Update the customer endpoint service configuration to accept requests initiated from the Adobe account. See the Cloud platform documentation for instructions:
Provide Adobe with the endpoint service name for the customer VPC.
Adobe adds the customer endpoint service to Adobe platform account (AWS or Azure), which triggers a connection request to customer VPC.
Customer approves the connection request from Adobe to complete the setup.
Customer verifies the connection from the Adobe VPC.
You can use the Telnet application to test the connection to the VPC endpoint service.
To test the connection to the VPC endpoint service:
From the project root directory, check out the Staging or Production environment configured to access the PrivateLink endpoint service.
magento-cloud environment:checkout <environment-id>
Run the following CURL command:
curl -v telnet://<endpoint-service-dns-url>:<port>/
$ curl -v telnet://vpce-007ffnb9qkcnjgult-yfhmywqh.vpce-svc-083cqvm2ta3rxqat5v.us-east-1.vpce.amazonaws.com:80 -vvv
Sample successful response:
* Rebuilt URL to: telnet://vpce-007ffnb9qkcnjgult-yfhmywqh.vpce-svc-083cqvm2ta3rxqat5v.us-east-1.vpce.amazonaws.com:80 * Connected to vpce-0088d56482571241d-yfhmywqh.vpce-svc-083cqvm2ta3rxqat5v.us-east-1.vpce. amazonaws.com (22.214.171.124) port 80 (#0)
Sample failed response:
Failed to connect to vpce-007ffnb9qkcnjgult-yfhmywqh.vpce-svc-083cqvm2ta3rxqat5v.ap-southeast-1.vpce.amazonaws.com port 80: Connection timed out * Closing connection 0
Verify that the service is listening on VM.
netstat -na | grep <port>
Check the packages flow.
tcpdump -i <ethernet-interface> -tt -nn port <destination-port> and host <source-host>
Check the following internal settings to ensure that the configuration is valid:
See the following articles for help with troubleshooting connection issues:
If you cannot resolve the errors, update the Adobe Commerce Support ticket to request help establishing the connection.
Submit an Adobe Commerce Support ticket to change an existing PrivateLink configuration. For example, you can request changes like the following:
The customer VPC must have the following resources available to support bidirectional PrivateLink connections:
If these resources are not available in the customer VPC, you must sign into your Cloud platform account to add the configuration.
See your Cloud platform documentation for PrivateLink set up instructions: