
Create an Outbound Connection

Learning Objectives 

After completing this unit, you’ll be able to:

  • Explain what an outbound connection is.
  • Create an outbound connection in AWS.
  • Create an outbound connection in Salesforce.

As we described in Private Connect Inbound Connections, Maria Jimenez is Ursa Major Solar’s Salesforce admin. She created an inbound connection to securely send data from an enterprise resource planning (ERP) system that’s hosted on Amazon Web Services (AWS) into Salesforce. Now she must figure out how to securely transfer data from Salesforce to the ERP system in AWS. And for that, she must know all about outbound connections. 

Note

See Private Connect Inbound Connections for the problem that Private Connect is solving for Ursa Major Solar and how Maria created the inbound connection. This module describes how to implement the second part of the solution: Create an outbound connection. 

What Is an Outbound Connection?

From the perspective of Private Connect, any callouts that are sent from Salesforce to an external cloud provider over the private internet are referred to as outbound. So in outbound connections, data originates in Salesforce and flows out to a public cloud. In this context, a callout is defined as an API call to an external service. 

Two clouds, one labeled Salesforce and the other AWS, with a large arrow pointing from Salesforce to AWS.

What Are the Components Behind an Outbound Connection?

Happily, Maria is already familiar with the main components of an outbound connection because she used them when she created the inbound connection.

  • Salesforce-Managed Transit VPC
  • PrivateLink
  • AWS Endpoint Service Name

If you need a refresher, see the Private Connect Inbound Connections module.

All the components of an outbound connection: Salesforce-managed Transit VPC, PrivateLink, AWS endpoint service name.

Note

In this example, it’s assumed that Maria has an endpoint service already running on a network load balancer with targets that forward to her ERP system. For more advanced AWS configuration and setup, visit the AWS documentation.

Authorize the Salesforce Transit VPC in AWS

For the connection between the Salesforce Transit VPC and Ursa Major’s VPC to work, Maria needs to authorize the handshake between the two. That’s where the IAM role comes in. In this example, the IAM role represents the identity of the Salesforce Transit VPC. By allowing the Salesforce Transit VPC IAM role on the customer VPC’s endpoint service, she authorizes the transit VPC to call into Ursa Major’s VPC. This is a one-time operation per VPC configuration.

The Salesforce transit VPC and customer VPC shaking hands.

Maria gets the IAM role from the Setup page in the Salesforce org.

  1. From Setup, enter Private Connect in the Quick Find box, and then select Private Connect.
  2. Click AWS Regions to view the available regions, IAM Roles, and Service Names.
  3. Find the region in which your VPC is hosted and copy the corresponding IAM Role. This is the IAM role of the transit VPC that Salesforce has deployed in your region. Maria uses the service name from us-west-2.

The Private Connect page in Setup with the us-west-2 AWS region highlighted.

Maria now uses the AWS Console to navigate to the endpoint services in her VPC dashboard. She makes sure she’s logged in to the same region in AWS from which she retrieved the service name in Salesforce. In this example, it’s us-west-2. In the AWS Console, she opens the endpoint service that she already created and that is running inside her customer VPC, and adds the IAM role she copied in step 3 above on the Whitelisted Principals tab.

While she’s in the AWS Console, she also copies the endpoint service name because she’ll use it next to create an outbound connection.
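The authorization step above can be checked after the fact. The following is an added example, not part of the original unit or of Salesforce's or AWS's own tooling: it audits the allowed principals of an endpoint service, using a constructed sample in the shape returned by `aws ec2 describe-vpc-endpoint-service-permissions`. The account IDs, role name, and service ID are placeholders, and treating every principal other than the transit VPC role as unexpected assumes the endpoint service is dedicated to Private Connect.

```python
import json
import re

# Constructed sample in the shape returned by
# `aws ec2 describe-vpc-endpoint-service-permissions`; the account IDs and
# role name are placeholders, not real Salesforce values.
SAMPLE_PERMISSIONS = json.loads("""
{"AllowedPrincipals": [
  {"PrincipalType": "Role",
   "Principal": "arn:aws:iam::111111111111:role/example-transit-vpc-role"},
  {"PrincipalType": "All", "Principal": "*"},
  {"PrincipalType": "Account", "Principal": "arn:aws:iam::222222222222:root"}
]}
""")

SERVICE_NAME_RE = re.compile(r"^com\.amazonaws\.vpce\.([a-z0-9-]+)\.vpce-svc-[0-9a-f]+$")
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")


def service_region(service_name):
    """Return the region embedded in an endpoint service name."""
    match = SERVICE_NAME_RE.match(service_name.strip())
    if not match:
        raise ValueError(f"not an endpoint service name: {service_name!r}")
    return match.group(1)


def audit_endpoint_service(service_name, salesforce_region, transit_role_arn, permissions):
    """Return a list of findings; an empty list means the allow list is as intended."""
    findings = []
    role = transit_role_arn.strip()
    # The role must be copied from the same region the endpoint service lives in.
    if service_region(service_name) != salesforce_region:
        findings.append("region-mismatch")
    if not ROLE_ARN_RE.match(role):
        findings.append("role-arn-malformed")
    allowed = [p["Principal"] for p in permissions.get("AllowedPrincipals", [])]
    if role not in allowed:
        findings.append("transit-role-not-allowed")
    for principal in allowed:
        if principal == "*":
            # A wildcard lets any AWS principal request a connection.
            findings.append("wildcard-principal")
        elif principal != role:
            # Assumption: only the transit VPC role should be on this service.
            findings.append(f"unexpected-principal:{principal}")
    return findings
```

Run against the constructed sample, the audit reports the wildcard entry and the extra account; an allow list containing only the transit VPC role returns no findings.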

Create an Outbound Connection in Salesforce

Maria can now create an outbound connection in Salesforce using the information about the VPC connections in AWS that she’s gathered. 

  1. From Setup, enter Private Connect in the Quick Find box, and then select Private Connect.
  2. Click Create Outbound Connection.
  3. Select the AWS PrivateLink Connection Type.
  4. Enter a name for the connection, a description, and the endpoint service name copied from the AWS console, described in the previous section.
  5. Click Save. Your connection appears in the Outbound Connections list with the Status field set to Unprovisioned.

 

The Salesforce Setup page showing an unprovisioned outbound connection called outboundBlog.

An unprovisioned outbound connection means the private connection between your Salesforce org and VPC environment is not yet established. You can have as many unprovisioned connections as needed. A connection counts toward your license only when it’s provisioned. Unprovisioned connections are also packageable.

Move on to the next unit to learn how you can use the outbound connection you just created. 
