Maintain Your Heroku Architecture Designer Certification for Summer ’20

Learning Objectives 

After completing this unit, you’ll be able to:

  • Understand Heroku Data’s PrivateLink feature.
  • Use PrivateLink in an architecture.
  • Understand mutual TLS (mTLS).
  • Use mTLS in an architecture.
  • Understand the Bring Your Own Key (BYOK) feature.

Salesforce Certification—the Big Picture

If you hold the Salesforce Heroku Architecture Designer credential, keep in mind that you need to complete this module by the due date to maintain your certification. Another important part of maintaining your credential is ensuring that your Trailhead and Webassessor accounts are linked.

Interested in learning more about getting certified? Check out the Salesforce Certified Heroku Architecture Designer credential.

There have been some great Heroku feature enhancements released during this last year. Let’s take a look at some of the more important enhancements.

PrivateLink allows for easy and secure access to Heroku Data resources within AWS architectures.

Under the hood, PrivateLink uses an AWS feature called AWS PrivateLink. This AWS feature allows for resources to be made available into other AWS VPCs easily and securely.

PrivateLink expands the capability of the Heroku platform to interoperate with the AWS platform.

For example, you could use PrivateLink to expose a Heroku Shield Postgres database directly into an AWS VPC that houses your data lake instances, making transferring data to the data lake trivial and secure. 

Or you could expose Private Kafka into a VPC containing AWS Lambda processes, allowing them to access and act on messages in the Kafka event bus.

There are some requirements in order to set up PrivateLink.

  • An AWS VPC that you control
  • A Heroku Private Space or Shield Private Space
  • An instance of Heroku Private or Shield Postgres, Private or Shield Kafka, or Private Redis

Once the requirements are met, there are three high-level steps to complete to set up the connection.

  1. Create an Endpoint Service on your Heroku Data instance.
  2. Create an Endpoint Network Interface in your AWS VPC.
  3. Establish a secure connection between the two endpoints.

Use Mutual TLS to Enable External Access to Heroku Postgres

Mutual TLS (mTLS) is an industry-recognized secure method to allow a limited number of programmatic clients to connect to specific services. At a high level, the two services exchange public keys and use them to validate the identity of the remote services using standard public key methods.

Heroku Private Postgres or Shield Postgres can be exposed via mTLS to remote services. With this, you can allow any remote service that supports mTLS to securely access your Heroku Private and Shield Postgres database.

Postgres can then be directly exposed to services on remote infrastructures, such as Azure, GCP, on premises, or others. Often mTLS is used to expose Private or Shield Postgres to external systems not residing on AWS infrastructure.

At a high level, the steps to set up mTLS are:

  1. Configure mutual TLS and allowlist your external IP.
  2. Set client-side certificates.
  3. Connect to your database from an external resource.

mTLS is used to connect Heroku Private Postgres or Shield Postgres to external systems, such as data visualization tools, external data processing systems, and applications running outside of the trust boundary of Heroku Private Spaces and Shield Private Spaces.

Bring Your Own Key for Heroku Managed Data Services

Enterprises are increasingly thinking about the threat of a compromise to their data and data services. Heroku’s Bring Your Own Key (BYOK) feature allows for these customers to have more control over access to their data, including a “kill switch” that will remove Heroku's ability to access customer data stored in the enterprise's Heroku managed data services.

This is accomplished by letting a customer generate a key using the AWS Key Management System (KMS), and using that key to encrypt Heroku managed data services. The customer then has control over the key and can revoke it, thereby revoking Heroku’s access to the data stores. Later, the customer could reinstate the key, and re-enable access to the data stores.

This combination of features gives customers the ability and flexibility to mitigate a number of risks and meet strict compliance requirements.

To deploy a data plan with a customer owned key, you need to:

  • Obtain a key from AWS’s KMS
  • Pass the key’s ARN when creating the new data service using the CLI: --encryption-key [arn:aws:kms:...]

The following minor limitations apply to Heroku managed data services encrypted with a customer encryption key.

  • Data service must be in a Private or Shield Space.
  • Postgres Followers and Forks must use the same encryption key as their leader.
  • PGBackups will not work. This includes using the heroku pg:backups or heroku pg:copy CLI commands.


Keep learning for
Sign up for an account to continue.
What’s in it for you?
  • Get personalized recommendations for your career goals
  • Practice your skills with hands-on challenges and quizzes
  • Track and share your progress with employers
  • Connect to mentorship and career opportunities