Provision and Use Outbound Connections
Learning Objectives
After completing this unit, you’ll be able to:
- Provision an outbound connection in Salesforce.
- Learn the different states of an outbound connection.
- Verify your connection is set up correctly by making runtime calls.
Provision the Connection in Salesforce
To start making runtime callouts, Maria creates a PrivateLink connection in AWS between the Salesforce transit VPC and Ursa Major Solar’s VPC by provisioning her new outbound connection. Every such endpoint has its own unique PrivateLink assigned to the Salesforce org ID. As a result, each org has its own dedicated secure private channel through which to send its connections.
- From Setup, enter Private Connect in the Quick Find box, and then select Private Connect.
- Find your connection in the Outbound Connections list.
- Click the Actions arrow and select Provision.
The Status column for the outbound connection changes to Allocating, which means the Salesforce transit VPC is creating the endpoint to call into the endpoint service.
Accept the Endpoint Connection in AWS
To verify the endpoint was created, Maria uses the AWS console to navigate to her endpoint service and see the new endpoint ID. If the endpoint service is set up to require acceptance, she must manually accept the connection. Otherwise, the connection is automatically accepted as long as the IAM role has previously been allowlisted.
After the connection is accepted, it can take up to 5 minutes for the endpoint to become available.
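When acceptance is manual, it helps to confirm who is asking before accepting. The following is an added example, not part of the original unit: it triages the JSON returned by `aws ec2 describe-vpc-endpoint-connections` and accepts only pending requests from expected AWS accounts. The service ID, endpoint IDs and account numbers are constructed, and it assumes the endpoint owner account is the one whose IAM role you allowlisted.

```python
import json

# Constructed sample in the shape returned by
#   aws ec2 describe-vpc-endpoint-connections --filters Name=service-id,Values=<service-id>
# All IDs and account numbers below are made up for illustration.
SAMPLE_RESPONSE = json.dumps({
    "VpcEndpointConnections": [
        {"ServiceId": "vpce-svc-0aaaaaaaaaaaaaaaa", "VpcEndpointId": "vpce-0111111111111111a",
         "VpcEndpointOwner": "111111111111", "VpcEndpointState": "pendingAcceptance"},
        {"ServiceId": "vpce-svc-0aaaaaaaaaaaaaaaa", "VpcEndpointId": "vpce-0222222222222222b",
         "VpcEndpointOwner": "999999999999", "VpcEndpointState": "pendingAcceptance"},
        {"ServiceId": "vpce-svc-0aaaaaaaaaaaaaaaa", "VpcEndpointId": "vpce-0333333333333333c",
         "VpcEndpointOwner": "111111111111", "VpcEndpointState": "available"},
    ]
})

def triage_pending(response_json, service_id, expected_owners):
    """Split pending requests on one endpoint service into accept/review lists.

    expected_owners: AWS account IDs you expect requests from (assumption: you
    recorded the Salesforce-side account when allowlisting its IAM role).
    """
    accept, review = [], []
    for conn in json.loads(response_json).get("VpcEndpointConnections", []):
        if conn.get("ServiceId") != service_id:
            continue  # belongs to a different endpoint service
        if conn.get("VpcEndpointState", "").lower() != "pendingacceptance":
            continue  # already accepted, rejected, or being deleted
        endpoint_id = conn.get("VpcEndpointId")
        if conn.get("VpcEndpointOwner") in expected_owners:
            accept.append(endpoint_id)
        else:
            review.append((endpoint_id, conn.get("VpcEndpointOwner")))
    return accept, review

def accept_command(service_id, endpoint_ids):
    """Build the AWS CLI call that accepts the vetted endpoints, or None if none."""
    if not endpoint_ids:
        return None
    return ["aws", "ec2", "accept-vpc-endpoint-connections",
            "--service-id", service_id, "--vpc-endpoint-ids", *endpoint_ids]

if __name__ == "__main__":
    svc = "vpce-svc-0aaaaaaaaaaaaaaaa"
    ok, flagged = triage_pending(SAMPLE_RESPONSE, svc, {"111111111111"})
    print("accept:", ok)
    print("needs review:", flagged)
    print("command:", accept_command(svc, ok))
```

Requests that land in the review list are left pending rather than accepted, so an unexpected requester never gets a path into the VPC by default.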
Sync the Outbound Connection Status in Salesforce
Maria waits for the connection status of the outbound connection in Setup to update from Allocating to Ready. She then syncs the outbound connection. Salesforce can successfully send outbound traffic to AWS only when the connection is in the Ready state.
- From Setup, enter Private Connect in the Quick Find box, and then select Private Connect.
- Find your connection in the Outbound Connections list.
- Click the Actions arrow and click Sync.
Maria sees that the VPC endpoint ID column for her outbound connection has been populated, which means that the endpoint has been created in the Salesforce transit VPC and it’s communicating with the endpoint service running in the customer VPC.
The Status column of the outbound connection represents the last polled state of the connection in AWS. Performing the sync action on the connection gets the latest status of the AWS connection.
This table lists the different statuses for outbound connections.
Salesforce Transit VPC | Salesforce Outbound Connection Status | What It Means |
---|---|---|
unmapped | Unprovisioned | The PrivateLink connection between the transit VPC and customer VPC hasn’t been established. |
allocating | Allocating | Waiting for the transit VPC to create a PrivateLink. |
pendingAcceptance | PendingAcceptance | Waiting for the AWS administrator to approve the connection. |
privateLinkAvailable | PendingActivation | Waiting for the transit VPC to finalize the PrivateLink. |
ready | Ready | The PrivateLink can be used. |
privateLinkReject | RejectedRemotely | The AWS administrator rejected the PrivateLink. |
recordDeleting | TeardownInProgress | Waiting for the transit VPC to finish deleting the PrivateLink. |
recordDeleted | Unprovisioned | The record has been deleted in AWS. |
unmapped | Unprovisioned | The connection isn’t associated with any record in AWS. |
Associate the Outbound Connection with a Named Credential
To use the outbound connection from Salesforce, Maria associates it with a named credential. Named credentials allow you to manage the authentication of Salesforce outbound callouts using declarative tools in Setup.
- From Setup, enter Named Credential in the Quick Find box, and then select Named Credential.
- Either create a new named credential or edit an existing one. See Define a Named Credential for details.
- In the Callout Options section, select the name of the outbound connection from the Outbound Network Connection lookup field.
Associating the outbound connection with the named credential ensures that callouts that use the named credential travel over the private connection rather than the public internet.
This screenshot shows an outbound connection called toERPuswest2 associated with the ERPNamedCredential named credential.
Verify That the Named Credential Works
Maria verifies that the named credential works correctly by executing an anonymous Apex block that references the named credential and makes an outbound callout to her customer VPC. Callouts that use named credentials execute in Anonymous Apex only if the user has the Customize Application permission.
- In the Salesforce UI, click Developer Console under the quick access menu.
- Click Debug | Open Execute Anonymous Window.
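- Execute this Apex code, substituting the name of your named credential in the hr.setEndpoint method. This sample code uses the ERPNamedCredential shown in the previous section.

```apex
// Send a GET request through the named credential; 'callout:' resolves its endpoint and auth.
Http h = new Http();
HttpRequest hr = new HttpRequest();
hr.setEndpoint('callout:ERPNamedCredential');
hr.setMethod('GET');
hr.setTimeout(120000); // timeout in milliseconds
HttpResponse res = h.send(hr);
// Log the status code as well as the body so the 200 check can be made from the debug log.
System.debug('status → ' + res.getStatusCode());
System.debug('response → ' + res.getBody());
```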
If the Apex code returns a 200 response code, the connection is working as expected.
Out-Standing
Maria did it! She successfully created an outbound connection and can rest assured that the data coming from Salesforce to AWS is secure. Maria decides it’s time for a well-deserved beach vacation so she can disconnect from the world for a little while.
Resources
- Salesforce Help: Establish an Outbound Connection with AWS
- Salesforce Help: Considerations for Private Connect with AWS
- Salesforce Help: Named Credentials
- Apex Developer Guide: Named Credentials as Callout Endpoints
- Apex Developer Guide: Anonymous Blocks