From 2d0d0c922a844287365b679eee070d079714e836 Mon Sep 17 00:00:00 2001 From: luanamulesoft Date: Wed, 16 Jul 2025 18:15:41 -0300 Subject: [PATCH 01/33] W-18929191-Private-Link-Connection-LDS --- cloudhub-2/ps-outbound-private-link.adoc | 113 +++++++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 cloudhub-2/ps-outbound-private-link.adoc diff --git a/cloudhub-2/ps-outbound-private-link.adoc b/cloudhub-2/ps-outbound-private-link.adoc new file mode 100644 index 00000000..789ef5fc --- /dev/null +++ b/cloudhub-2/ps-outbound-private-link.adoc 
@@ -0,0 +1,113 @@ += Setting Up an Outbound Private Link Connection + +This document describes the steps to configure and outbbound private link connection from CloudHub 2.0 private spaces. + +// Test in QAX +// Deploy tf-rtfc-iam to STGX +// tf issue thread: https://salesforce-internal.slack.com/archives/C03UAEK0TNY/p1752180070663329 - deployed to stgx, need CC for prods +// CC: https://gus.lightning.force.com/lightning/r/Case/500EE00001ZFcLJYA1/view +// Test in STGX once RTF API and ARC is ready + +== Before You Begin + +. Provision a xref:ps-create-configure.adoc[private space] in Cloudhub 2.0 +. Obtain a bearer token to be used below for calling APIs ++ +Make sure that the owner of the bearer token has permissions to manage private spaces + +== Configure the Outbound Connections + +Follow these steps to set up an outbound private link connection from your CloudHub 2.0 private space: + +. Gather Private Space Availability Zones and AWS Account Id +.. Retrieve information about Availability Zones (AZs) for a your private space ++ +[source,curl,linenums] +---- +curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/azs -H "Authorization:$AUTHTOKEN" +---- ++ +.. Retrieve information about accounts associated with your private space ++ +[source,curl,linenums] +---- +curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/accounts -H "Authorization:$AUTHTOKEN" +---- ++ +. Set up VPC endpoint services (if self-hosted endpoint services) +.. https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create a service powered by AWS PrivateLink] +.. If the service is hosted the same region as the private space, set up the services in the same availability zone as the private space (obtained in he first step here) +. Share the VPC endpoint Services with your CloudHub 2.0 private space +.. 
https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html[Configure an endpoint service] +.. In the VPC *Endpoint services*, click *Allow principals* +... Add `arn:aws:iam::{accountId}:root` as principal ++ +The `{accountId}`is obtained in the first step step here +. Gather this information for the API +.. Service Name: the endpoint service name ++ +For example, customer-hosted endpoint service: `com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxxxxxxxx` ++ +For example, AWS hosted service: `com.amazonaws.us-west-2.s3` +.. Service Region: the region where the VPC endpoint service is located +.. Service Owner: the owner of the VPC endpoint service +... Account id of the endpoint service +... “amazon”, if it’s an Amazon service +.. Availability Zone Ids: the id of the availability zones where the customer wishes to establish the private link. Make sure that the AZ Ids are the ones used by the private space (obtained in the first step here), and the VPC endpoint service is hosted in those AZ Ids. +. Create a VPC endpoint in Cloudhub 2.0 via API ++ +[source,curl,linenums] +---- +curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:$AUTHTOKEN" -H "Content-Type:application/json" -d '{ + "name": "{any name}", + "serviceName": "{service name}", + "serviceRegion": "{service region}", + "serviceOwner": "{service owner}", + "azIds": [{aws-az-id1}, {aws-az-id2}] +}‘ +---- ++ +If the VPC is successfully created, the API returns a `vpceId`. +. Get the VPC endpoint status in Cloudhub 2.0 using API ++ +[source,curl,linenums] +---- +curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" +---- ++ +.. If successful, it returns the DNS names of the VPC endpoint +.. It also returns the the provisioning status: +... `Invalid`: VPCE creation failed +... `Valid`: VPCE is being provisioned +... `Available` +... 
`PendingAcceptence` +. Use this command to update a VPC Endpoint ++ +[source,curl,linenums] +---- +curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces/{vpceId} -H "Authorization:$AUTHTOKEN" -H "Content-Type:application/json" -d '{ + "name": "{any name}", + "serviceName": "{service name}", + "serviceRegion": "{service region}", + "serviceOwner": "{service owner}", + "azIds": [{aws-az-id1}, {aws-az-id2}] +}‘ +---- ++ +. Use this command to delete a VPC Endpoint +[source,curl,linenums] +---- +curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" +---- + + +== Limitations: + +* This configuration supports interface endpoints only +* This configuration doesn't support CloudHub VPCs or CloudHub 2.0 migrated private spaces +* You can't perform cross-region validation properly done at the API level. If the endpoint service is invalid, the VPCE provisioning fails. + + +== See Also +* xref:access-management::saml-bearer-token.adoc[] +* https://help.salesforce.com/s/articleView?id=001115323&type=1[How to generate your Authorization Bearer token for Anypoint Platform] \ No newline at end of file From 68ea0b4d62a584ce2095a914e7a9f36e2f02cd38 Mon Sep 17 00:00:00 2001 From: luanamulesoft Date: Wed, 16 Jul 2025 18:23:43 -0300 Subject: [PATCH 02/33] moved file --- cloudhub-2/{ => modules/ROOT/pages}/ps-outbound-private-link.adoc | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cloudhub-2/{ => modules/ROOT/pages}/ps-outbound-private-link.adoc (100%) diff --git a/cloudhub-2/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc similarity index 100% rename from cloudhub-2/ps-outbound-private-link.adoc rename to cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc From 00aa913fd025e0e12c68efdb92ed0e7b2a34f821 Mon Sep 17 00:00:00 2001 
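Review bot: the `//` comment block under the title in PATCH 01/33 (`// tf issue thread: https://salesforce-internal.slack.com/...`, `// CC: https://gus.lightning.force.com/...`) commits internal Slack and case-tracker links into the documentation source; AsciiDoc comments are not rendered, but they are visible to anyone with repository access, so keep these working notes in the PR description or the tracking case rather than in the file. Two further defects in the same hunk will bite anyone who copies the commands: the POST and PATCH bodies close with `}‘` (a Unicode U+2018 quote) instead of `}'`, which leaves the shell's single-quoted `-d` argument unterminated, and `"azIds": [{aws-az-id1}, {aws-az-id2}]` is not valid JSON once real AZ IDs are substituted unless the reader adds the quotes, so show `"azIds": ["{aws-az-id1}", "{aws-az-id2}"]`.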
From: luanamulesoft Date: Wed, 16 Jul 2025 18:33:55 -0300 Subject: [PATCH 03/33] fixed format --- .../modules/ROOT/pages/ps-outbound-private-link.adoc | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 789ef5fc..e9df062b 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -42,8 +42,8 @@ curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId} .. In the VPC *Endpoint services*, click *Allow principals* ... Add `arn:aws:iam::{accountId}:root` as principal + -The `{accountId}`is obtained in the first step step here -. Gather this information for the API +The `{accountId}` is obtained in the first step step here +. Gather this information for the API: .. Service Name: the endpoint service name + For example, customer-hosted endpoint service: `com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxxxxxxxx` @@ -53,7 +53,7 @@ For example, AWS hosted service: `com.amazonaws.us-west-2.s3` .. Service Owner: the owner of the VPC endpoint service ... Account id of the endpoint service ... “amazon”, if it’s an Amazon service -.. Availability Zone Ids: the id of the availability zones where the customer wishes to establish the private link. Make sure that the AZ Ids are the ones used by the private space (obtained in the first step here), and the VPC endpoint service is hosted in those AZ Ids. +.. Availability Zone Ids: the id of the availability zones where you wish to establish the private link. Make sure that the AZ Ids are the ones used by the private space (obtained in the first step here), and the VPC endpoint service is hosted in those AZ Ids. . Create a VPC endpoint in Cloudhub 2.0 via API + [source,curl,linenums] 
@@ -67,7 +67,7 @@ curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespace }‘ ---- + -If the VPC is successfully created, the API returns a `vpceId`. +If the VPC endpoint is successfully created, the API returns a `vpceId`. . Get the VPC endpoint status in Cloudhub 2.0 using API + [source,curl,linenums] @@ -81,7 +81,7 @@ curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces ... `Valid`: VPCE is being provisioned ... `Available` ... `PendingAcceptence` -. Use this command to update a VPC Endpoint +. Use this command to update a VPC Endpoint: + [source,curl,linenums] ---- @@ -94,7 +94,7 @@ curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespac }‘ ---- + -. Use this command to delete a VPC Endpoint +. Use this command to delete a VPC Endpoint: [source,curl,linenums] ---- curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" From d0717348df430208aad577a2dedcc4fba92b2677 Mon Sep 17 00:00:00 2001 From: luanamulesoft Date: Wed, 16 Jul 2025 18:35:04 -0300 Subject: [PATCH 04/33] typo --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index e9df062b..ed56c3f4 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -101,7 +101,7 @@ curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespa ---- -== Limitations: +== Limitations * This configuration supports interface endpoints only * This configuration doesn't support CloudHub VPCs or CloudHub 2.0 migrated private spaces From 8f0321265dd12a452e90b7b5457ff923a2bfe6b6 Mon Sep 17 00:00:00 2001 
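Review bot: in PATCH 03/33's first hunk (@@ -42,8 +42,8 @@) the spacing fix keeps the duplicated word in the line `The {accountId} is obtained in the first step step here`; drop the second `step` here rather than in a later commit, and consider naming the call (the `accounts` request) instead of `the first step here`, since `first step` is ambiguous between the two numbered lists on the page.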
From: luanamulesoft Date: Fri, 18 Jul 2025 19:04:15 -0300 Subject: [PATCH 05/33] applied reviews --- .github/copilot-instructions.md | 15 ++++ .../ROOT/pages/ps-outbound-private-link.adoc | 69 ++++++++++--------- 2 files changed, 53 insertions(+), 31 deletions(-) create mode 100644 .github/copilot-instructions.md diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md new file mode 100644 index 00000000..1b296c5f --- /dev/null +++ b/.github/copilot-instructions.md @@ -0,0 +1,15 @@ +--- +applyTo: "**" +--- +- MCP means Model Context Protocol +- ATC is Agent Topic and Actions +- "API Spec" is the same as "API Specification" +- The "descriptor file" for an API Project is the `exchange.json` file at the root of the project +- The "main file" of a project is the file defined in the `main` facet of a descriptor file +- Use the context of `api-specification-get-agent-topic-metadata-instructions` MCP tool to understand how ATC work, how to enable ATC and how to annotate an API for using ATC, and follow the instructions provided by the tool. +- ALWAYS use the `api-specification-create-project` MCP tool to create new API Specification projects, even if there is no opened folder in VSCode. Do not ask the user to open a folder in order to run this. +- ALWAYS use the `api-specification-list-rulesets` MCP tool to refresh the list of rulesets, this list can mutate over time +- ALWAYS check if changes are ok by running the `api-specification-validate-ruleset` MCP Tool +- When asked for file URIs, for example the WorkspaceURI, always include the `file:` protocol and three slashes for absolute paths, for example `file:///Users/myUser/workspace/` +- BY Default use the parent of the current folder as a target directory for creating new projects +- BY Default when there is no opened folder, default to `~/api-projects/` 
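Review bot: `.github/copilot-instructions.md` does not belong in a commit titled `applied reviews` for the private link page; it is a repository-wide instruction file (`applyTo: "**"`) for an AI coding assistant that tells the tool to ALWAYS run specific MCP tools and to create projects without asking the user, and it concerns API Specification projects rather than this documentation repo. Because such a file changes what an assistant does for every contributor who opens the repo, it should be reviewed on its own in a separate PR by whoever owns the tooling, with the `~/api-projects/` and `file:///Users/myUser/workspace/` defaults checked for this repo; most likely it was committed by accident and should simply be dropped from this branch.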
diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index ed56c3f4..59a7188d 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -1,6 +1,6 @@ = Setting Up an Outbound Private Link Connection -This document describes the steps to configure and outbbound private link connection from CloudHub 2.0 private spaces. +This document describes the steps to configure an outbound private link connection from CloudHub 2.0 private spaces. // Test in QAX // Deploy tf-rtfc-iam to STGX 
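Review bot: the typo fix in @@ -1,6 +1,6 @@ is fine, but the unchanged context lines `// Test in QAX` and `// Deploy tf-rtfc-iam to STGX` show that the internal working notes (including the Slack and GUS links further down) are still in the file after a commit named `applied reviews`; remove them in this commit so they never reach the published branch.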
@@ -10,51 +10,53 @@ This document describes the steps to configure and outbbound private link connec == Before You Begin -. Provision a xref:ps-create-configure.adoc[private space] in Cloudhub 2.0 -. Obtain a bearer token to be used below for calling APIs +. Provision a xref:ps-create-configure.adoc[private space] in Cloudhub 2.0. +. Obtain a bearer token to be used below for calling APIs. + -Make sure that the owner of the bearer token has permissions to manage private spaces +Make sure that the owner of the bearer token has permissions to manage private spaces. == Configure the Outbound Connections Follow these steps to set up an outbound private link connection from your CloudHub 2.0 private space: -. Gather Private Space Availability Zones and AWS Account Id -.. Retrieve information about Availability Zones (AZs) for a your private space +. Gather Private Space Availability Zones and AWS Account ID. +.. Retrieve information about Availability Zones (AZs) for a your private space. + [source,curl,linenums] ---- curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/azs -H "Authorization:$AUTHTOKEN" ---- + -.. Retrieve information about accounts associated with your private space +.. Retrieve information about accounts associated with your private space. + [source,curl,linenums] ---- curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/accounts -H "Authorization:$AUTHTOKEN" ---- + -. Set up VPC endpoint services (if self-hosted endpoint services) +. Set up VPC endpoint services (if self-hosted endpoint services). .. https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create a service powered by AWS PrivateLink] -.. If the service is hosted the same region as the private space, set up the services in the same availability zone as the private space (obtained in he first step here) -. 
Share the VPC endpoint Services with your CloudHub 2.0 private space -.. https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html[Configure an endpoint service] -.. In the VPC *Endpoint services*, click *Allow principals* -... Add `arn:aws:iam::{accountId}:root` as principal +.. If the service is hosted the same region as the private space, set up the services in the same availability zone as the private space (obtained in the first step of this section). +. Share the VPC endpoint Services with your CloudHub 2.0 private space. +.. https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html[Configure an endpoint service]. +.. In the VPC *Endpoint services*, click *Allow principals*. +... Add `arn:aws:iam::{accountId}:root` as principal. + -The `{accountId}` is obtained in the first step step here +The `{accountId}` is obtained in the first step of this section. . Gather this information for the API: -.. Service Name: the endpoint service name +.. Service Name: the endpoint service name. + -For example, customer-hosted endpoint service: `com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxxxxxxxx` +For example, customer-hosted endpoint service: `com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxxxxxxxx`. + -For example, AWS hosted service: `com.amazonaws.us-west-2.s3` -.. Service Region: the region where the VPC endpoint service is located -.. Service Owner: the owner of the VPC endpoint service -... Account id of the endpoint service -... “amazon”, if it’s an Amazon service -.. Availability Zone Ids: the id of the availability zones where you wish to establish the private link. Make sure that the AZ Ids are the ones used by the private space (obtained in the first step here), and the VPC endpoint service is hosted in those AZ Ids. -. Create a VPC endpoint in Cloudhub 2.0 via API +For example, AWS hosted service: `com.amazonaws.us-west-2.s3`. +.. Service Region: the region where the VPC endpoint service is located. +.. 
Service Owner: the owner of the VPC endpoint service. +... Account ID of the endpoint service. +... “amazon”, if it’s an Amazon service. +.. Availability Zone IDs: the iIDs of the availability zones where you wish to establish the private link. ++ +Make sure that the AZ IDs are the ones used by the private space (obtained in the first step of this section), and the VPC endpoint service is hosted in those AZ IDs. +. Create a VPC endpoint in Cloudhub 2.0 via API: + [source,curl,linenums] ---- @@ -68,19 +70,19 @@ curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespace ---- + If the VPC endpoint is successfully created, the API returns a `vpceId`. -. Get the VPC endpoint status in Cloudhub 2.0 using API +. Get the VPC endpoint status in Cloudhub 2.0 using API: + [source,curl,linenums] ---- curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" ---- + -.. If successful, it returns the DNS names of the VPC endpoint +.. If successful, it returns the DNS names of the VPC endpoint. .. It also returns the the provisioning status: -... `Invalid`: VPCE creation failed -... `Valid`: VPCE is being provisioned +... `Invalid`: VPCE creation failed. +... `Valid`: VPCE is being provisioned. ... `Available` -... `PendingAcceptence` +... `PendingAcceptance` . Use this command to update a VPC Endpoint: + [source,curl,linenums] 
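Review bot: the @@ -10,51 +10,53 @@ hunk introduces a new typo while fixing capitalisation: `+.. Availability Zone IDs: the iIDs of the availability zones` should read `the IDs`, and `+.. Retrieve information about Availability Zones (AZs) for a your private space.` carries `for a your` over from the original. Also, `(obtained in the first step of this section)` appears four times in this hunk; naming the call (`the azs request` or `the accounts request`) would be unambiguous.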
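Review bot: in @@ -68,19 +70,19 @@ the status list still describes only two of the four values: `Invalid` and `Valid` get an explanation, `Available` and the newly spelled `PendingAcceptance` do not. Readers need to know that `PendingAcceptance` means the request is waiting for the endpoint service owner to accept it on the AWS side (so the action is theirs, not MuleSoft's), and that `Available` is the state in which the returned DNS names can be used; the `{vpceid}` placeholder in this GET should also match the `{vpceId}` casing used in the PATCH command and in the sentence `the API returns a vpceId`.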
@@ -100,12 +102,17 @@ curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespac curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" ---- +== Entitlements +// each VPC endpoint will consume one of your (customer's) network connection (in the new P&P) and VPN (in the legacy vcore p&p) entitlements. + == Limitations +* The data rate limit for Private Connect with AWS is managed on an hourly basis. "Outbound connections have a contractual limit of 56.48 GB of data transferred per root organization per hour. + +* This configuration supports interface endpoints only. +* This configuration doesn't support CloudHub VPCs. + This configuration doesn't support CloudHub 2.0 private spaces that were xref:cloudhub::vpc-upgrade.adoc[upgraded from CloudHub VPCs]. -* This configuration supports interface endpoints only -* This configuration doesn't support CloudHub VPCs or CloudHub 2.0 migrated private spaces -* You can't perform cross-region validation properly done at the API level. If the endpoint service is invalid, the VPCE provisioning fails. == See Also From 015001b73c3b09e8d9cda7c55f9a28ae04a444fe Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Fri, 18 Jul 2025 19:08:20 -0300 Subject: [PATCH 06/33] Update ps-outbound-private-link.adoc --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 59a7188d..343d46f3 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
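Review bot: in @@ -100,12 +102,17 @@ the new limitation `+ This configuration doesn't support CloudHub 2.0 private spaces that were xref:cloudhub::vpc-upgrade.adoc[upgraded from CloudHub VPCs].` starts with a space instead of `* `, so AsciiDoc renders it as a continuation of the previous bullet rather than its own item; the preceding bullet also has a stray opening double quote (`"Outbound connections have a contractual limit...`) with no closing quote. The `// each VPC endpoint will consume one of your (customer's) network connection...` comment under `== Entitlements` is draft text that should become a real sentence or be removed before merge.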
@@ -107,8 +107,7 @@ curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespa == Limitations -* The data rate limit for Private Connect with AWS is managed on an hourly basis. "Outbound connections have a contractual limit of 56.48 GB of data transferred per root organization per hour. - +* Outbound connections have a contractual limit of 56.48 GB of data transferred per root organization per hour. * This configuration supports interface endpoints only. * This configuration doesn't support CloudHub VPCs. This configuration doesn't support CloudHub 2.0 private spaces that were xref:cloudhub::vpc-upgrade.adoc[upgraded from CloudHub VPCs]. @@ -117,4 +116,4 @@ curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespa == See Also * xref:access-management::saml-bearer-token.adoc[] -* https://help.salesforce.com/s/articleView?id=001115323&type=1[How to generate your Authorization Bearer token for Anypoint Platform] \ No newline at end of file +* https://help.salesforce.com/s/articleView?id=001115323&type=1[How to generate your Authorization Bearer token for Anypoint Platform] From 7708c2de3195277081b64e2444cc36530ca4a739 Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Mon, 21 Jul 2025 15:48:46 -0300 Subject: [PATCH 07/33] Update ps-outbound-private-link.adoc --- .../ROOT/pages/ps-outbound-private-link.adoc | 43 ++++++++----------- 1 file changed, 19 insertions(+), 24 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 343d46f3..13e6b4a3 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
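Review bot: @@ -107,8 +107,7 @@ fixes the stray quote but leaves ` This configuration doesn't support CloudHub 2.0 private spaces that were ...` as an unchanged context line without its `* ` marker, so the item still renders as part of the `CloudHub VPCs` bullet; the one-character fix belongs in this commit.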
@@ -2,16 +2,11 @@ This document describes the steps to configure an outbound private link connection from CloudHub 2.0 private spaces. -// Test in QAX -// Deploy tf-rtfc-iam to STGX -// tf issue thread: https://salesforce-internal.slack.com/archives/C03UAEK0TNY/p1752180070663329 - deployed to stgx, need CC for prods -// CC: https://gus.lightning.force.com/lightning/r/Case/500EE00001ZFcLJYA1/view -// Test in STGX once RTF API and ARC is ready == Before You Begin -. Provision a xref:ps-create-configure.adoc[private space] in Cloudhub 2.0. -. Obtain a bearer token to be used below for calling APIs. +. Provision a xref:ps-create-configure.adoc[private space] in CloudHub 2.0. +. Obtain a bearer token for calling APIs. + Make sure that the owner of the bearer token has permissions to manage private spaces. @@ -19,8 +14,8 @@ Make sure that the owner of the bearer token has permissions to manage private s Follow these steps to set up an outbound private link connection from your CloudHub 2.0 private space: -. Gather Private Space Availability Zones and AWS Account ID. -.. Retrieve information about Availability Zones (AZs) for a your private space. +. Gather private space Availability Zones and AWS Account ID. +.. Retrieve information about Availability Zones (AZs) for your private space. + [source,curl,linenums] ---- 
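Review bot: good to see the internal Slack and GUS links removed in @@ -2,16 +2,11 @@; the deletion leaves two consecutive blank lines before `== Before You Begin`, which is harmless in AsciiDoc but worth tidying. In the same hunk, `+. Obtain a bearer token for calling APIs.` should say how the token is passed, because every curl example sends `-H "Authorization:$AUTHTOKEN"` and the page never states whether `$AUTHTOKEN` is expected to already contain the `Bearer ` scheme prefix; readers exporting the raw token have no way to tell which form is expected.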
@@ -34,12 +29,12 @@ curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/accounts -H "Authorization:$AUTHTOKEN" ---- + -. Set up VPC endpoint services (if self-hosted endpoint services). +. Set up VPC endpoint services (if the endpoint services are self-hosted). .. https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create a service powered by AWS PrivateLink] -.. If the service is hosted the same region as the private space, set up the services in the same availability zone as the private space (obtained in the first step of this section). -. Share the VPC endpoint Services with your CloudHub 2.0 private space. +.. If the service is hosted in the same region as the private space, set up the services in the same availability zone as the private space (obtained in the first step of this section). +. Share the VPC endpoint services with your CloudHub 2.0 private space. .. https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html[Configure an endpoint service]. -.. In the VPC *Endpoint services*, click *Allow principals*. +.. From VPC *Endpoint services*, select *Allow principals*. ... Add `arn:aws:iam::{accountId}:root` as principal. + The `{accountId}` is obtained in the first step of this section. 
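Review bot: in @@ -34,12 +29,12 @@, the step `... Add arn:aws:iam::{accountId}:root as principal.` allowlists the account root principal, and the page should state what that implies: every endpoint created under that account can request a connection to the service, and the per-connection control left to the service owner is the endpoint service's acceptance setting. A sentence to that effect here would also explain the `PendingAcceptance` status listed later on the page, which otherwise appears without context.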
@@ -53,14 +48,14 @@ For example, AWS hosted service: `com.amazonaws.us-west-2.s3`. .. Service Owner: the owner of the VPC endpoint service. ... Account ID of the endpoint service. ... “amazon”, if it’s an Amazon service. -.. Availability Zone IDs: the iIDs of the availability zones where you wish to establish the private link. +.. Availability Zone IDs: the IDs of the availability zones where you want to establish the private link. + -Make sure that the AZ IDs are the ones used by the private space (obtained in the first step of this section), and the VPC endpoint service is hosted in those AZ IDs. -. Create a VPC endpoint in Cloudhub 2.0 via API: +Make sure that the AZ IDs are the ones used by the private space (obtained in the first step of this section), and that the VPC endpoint service is hosted in those AZ IDs. +. Create a VPC endpoint in CloudHub 2.0 via API: + [source,curl,linenums] ---- -curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:$AUTHTOKEN" -H "Content-Type:application/json" -d '{ +curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:$AUTHTOKEN" -H "Content-Type:application/json" -d '{ "name": "{any name}", "serviceName": "{service name}", "serviceRegion": "{service region}", @@ -70,7 +65,7 @@ curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespace ---- + If the VPC endpoint is successfully created, the API returns a `vpceId`. -. Get the VPC endpoint status in Cloudhub 2.0 using API: +. Get the VPC endpoint status in CloudHub 2.0 using API: + [source,curl,linenums] ---- 
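Review bot: @@ -53,14 +48,14 @@ changes the POST to `/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces`, and later hunks in this commit do the same for PATCH and DELETE, but the `azs` GET in step 1 and the status GET (visible as context of the following hunk, `.../runtimefabric/api/{orgId}/privatespaces/...`) keep the old path without `organizations/`. Either those two are also wrong and need the same fix, or the API really does expose two base paths, in which case a note is needed so readers do not "correct" the working one.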
@@ -78,16 +73,16 @@ curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces ---- + .. If successful, it returns the DNS names of the VPC endpoint. -.. It also returns the the provisioning status: +.. It also returns the provisioning status: ... `Invalid`: VPCE creation failed. ... `Valid`: VPCE is being provisioned. ... `Available` ... `PendingAcceptance` -. Use this command to update a VPC Endpoint: +. Use this command to update a VPC endpoint: + [source,curl,linenums] ---- -curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces/{vpceId} -H "Authorization:$AUTHTOKEN" -H "Content-Type:application/json" -d '{ +curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceId} -H "Authorization:$AUTHTOKEN" -H "Content-Type:application/json" -d '{ "name": "{any name}", "serviceName": "{service name}", "serviceRegion": "{service region}", @@ -96,10 +91,10 @@ curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespac }‘ ---- + -. Use this command to delete a VPC Endpoint: +. Use this command to delete a VPC endpoint: [source,curl,linenums] ---- -curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" +curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" ---- == Entitlements 
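Review bot: @@ -96,10 +91,10 @@ fixes the DELETE path, but the step still has no `+` list-continuation line between `. Use this command to delete a VPC endpoint:` and `[source,curl,linenums]`, unlike the update step above it, so the code block is not attached to the list item. The context line `}‘` at the top of this hunk shows the PATCH body still ends with a U+2018 curly quote instead of `'`, and the DELETE command uses `{vpceid}` where the PATCH command uses `{vpceId}`.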
@@ -110,7 +105,7 @@ curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespa * Outbound connections have a contractual limit of 56.48 GB of data transferred per root organization per hour. * This configuration supports interface endpoints only. * This configuration doesn't support CloudHub VPCs. - This configuration doesn't support CloudHub 2.0 private spaces that were xref:cloudhub::vpc-upgrade.adoc[upgraded from CloudHub VPCs]. +* This configuration doesn't support CloudHub 2.0 private spaces that are xref:cloudhub::vpc-upgrade.adoc[upgraded from CloudHub VPCs]. From d18cbef5c06660f93bb5bbb6d6a3fdb3d0800be4 Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Mon, 21 Jul 2025 16:05:55 -0300 Subject: [PATCH 08/33] Update ps-outbound-private-link.adoc --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 13e6b4a3..476d5aa3 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -98,7 +98,8 @@ curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/organizations/{org ---- == Entitlements -// each VPC endpoint will consume one of your (customer's) network connection (in the new P&P) and VPN (in the legacy vcore p&p) entitlements. + +For UBP organizations, each VPC endpoint consumes one network connection entitlement. For core-based organizations, each VPC endpoint consumes one VPN entitlement. == Limitations From c28cf3a8d87bacae901356a3060ff06702cabb9b Mon Sep 17 00:00:00 2001 
From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Wed, 23 Jul 2025 18:05:30 -0300 Subject: [PATCH 09/33] Update ps-outbound-private-link.adoc --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 476d5aa3..6f84ca7d 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -99,7 +99,7 @@ curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/organizations/{org == Entitlements -For UBP organizations, each VPC endpoint consumes one network connection entitlement. For core-based organizations, each VPC endpoint consumes one VPN entitlement. +Each VPC endpoint consumes one network connection entitlement per Availability Zone. == Limitations From 0eb3c6624589b66229c90e588fcaa264e919d558 Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Wed, 23 Jul 2025 18:20:14 -0300 Subject: [PATCH 10/33] Update ps-outbound-private-link.adoc --- .../modules/ROOT/pages/ps-outbound-private-link.adoc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 6f84ca7d..28161d80 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -9,6 +9,7 @@ This document describes the steps to configure an outbound private link connecti . Obtain a bearer token for calling APIs. + Make sure that the owner of the bearer token has permissions to manage private spaces. +. Make sure that you have enough IPs available in your private space. == Configure the Outbound Connections 
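Review bot: `+. Make sure that you have enough IPs available in your private space.` in PATCH 10/33's @@ -9,6 +9,7 @@ is a real prerequisite but too vague to act on: state how many addresses a VPC endpoint needs (whether it is one per availability zone, matching the per-AZ entitlement model the page describes) and where in the private space UI or API the reader can check remaining capacity.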
@@ -101,12 +102,21 @@ curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/organizations/{org Each VPC endpoint consumes one network connection entitlement per Availability Zone. +[NOTE] +If you want to configure high availability, set up the private link connection with at least two availability zones. This consumes two network entitlements. + == Limitations * Outbound connections have a contractual limit of 56.48 GB of data transferred per root organization per hour. * This configuration supports interface endpoints only. * This configuration doesn't support CloudHub VPCs. * This configuration doesn't support CloudHub 2.0 private spaces that are xref:cloudhub::vpc-upgrade.adoc[upgraded from CloudHub VPCs]. +* Network connections are subject to these limits: +** VPNs per private space: 10 +** TGW per private space: 5 +** VPC endpoints per AZ per private space: `"N"` + +// Also is the limit on Network Connections per private space 10 + 5 + "N"? From fffef60d808aca2c70a0634395f7aec701d336ec Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Wed, 23 Jul 2025 19:21:53 -0300 Subject: [PATCH 11/33] Update ps-outbound-private-link.adoc --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 28161d80..384b6ddd 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -9,7 +9,6 @@ This document describes the steps to configure an outbound private link connecti . Obtain a bearer token for calling APIs. + Make sure that the owner of the bearer token has permissions to manage private spaces. -. Make sure that you have enough IPs available in your private space. == Configure the Outbound Connections 
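Review bot: @@ -101,12 +102,21 @@ commits a placeholder and an open question into the page source: `** VPC endpoints per AZ per private space: "N"` and `// Also is the limit on Network Connections per private space 10 + 5 + "N"?`; fill in the number before merge and move the question to the PR thread. The NOTE text `set up the private link connection with at least two availability zones. This consumes two network entitlements.` is also inconsistent with the `one network connection entitlement per Availability Zone` sentence just above it: with three AZs it consumes three, so say `one entitlement per availability zone used`.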
@@ -103,7 +102,7 @@ curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/organizations/{org Each VPC endpoint consumes one network connection entitlement per Availability Zone. [NOTE] -If you want to configure high availability, set up the private link connection with at least two availability zones. This consumes two network entitlements. +If you want to configure high availability, set up the private link connection with at least two availability zones. This consumes two network connection entitlements. == Limitations @@ -114,9 +113,8 @@ If you want to configure high availability, set up the private link connection w * Network connections are subject to these limits: ** VPNs per private space: 10 ** TGW per private space: 5 -** VPC endpoints per AZ per private space: `"N"` +** VPC endpoints per private space: 20 -// Also is the limit on Network Connections per private space 10 + 5 + "N"? From 071572f467fda3a071836be3c264890cb2bad68e Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Wed, 23 Jul 2025 19:41:58 -0300 Subject: [PATCH 12/33] Update ps-outbound-private-link.adoc --- .../modules/ROOT/pages/ps-outbound-private-link.adoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 384b6ddd..5d1c42c1 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
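Review bot: `** VPC endpoints per private space: 20` changes the unit of the bullet it replaces (`per AZ per private space`) while the Entitlements section two lines above counts `one network connection entitlement per Availability Zone`; state whether 20 counts endpoints or endpoint-AZ pairs, for example `VPC endpoints per private space: 20 (each AZ of an endpoint counts separately)` if that is the rule, and confirm it with the team that owns the limit. Dropping the `//` question about the combined `10 + 5 + N` limit without an answer leaves the list silent on whether such a combined limit exists; if it does, it belongs here.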
@@ -14,8 +14,8 @@ Make sure that the owner of the bearer token has permissions to manage private s Follow these steps to set up an outbound private link connection from your CloudHub 2.0 private space: -. Gather private space Availability Zones and AWS Account ID. -.. Retrieve information about Availability Zones (AZs) for your private space. +. Gather private space availability zones (AZs) and AWS Account ID. +.. Retrieve information about availability zones for your private space. + [source,curl,linenums] ---- @@ -30,7 +30,7 @@ curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId} ---- + . Set up VPC endpoint services (if the endpoint services are self-hosted). -.. https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create a service powered by AWS PrivateLink] +.. https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create a service powered by AWS PrivateLink]. .. If the service is hosted in the same region as the private space, set up the services in the same availability zone as the private space (obtained in the first step of this section). . Share the VPC endpoint services with your CloudHub 2.0 private space. .. https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html[Configure an endpoint service]. 
@@ -50,7 +50,7 @@ For example, AWS hosted service: `com.amazonaws.us-west-2.s3`. ... “amazon”, if it’s an Amazon service. .. Availability Zone IDs: the IDs of the availability zones where you want to establish the private link. + -Make sure that the AZ IDs are the ones used by the private space (obtained in the first step of this section), and that the VPC endpoint service is hosted in those AZ IDs. +Make sure that the availability zone IDs are the ones used by the private space (obtained in the first step of this section), and that the VPC endpoint service is hosted in those availability zones. . Create a VPC endpoint in CloudHub 2.0 via API: + [source,curl,linenums] @@ -99,7 +99,7 @@ curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/organizations/{org == Entitlements -Each VPC endpoint consumes one network connection entitlement per Availability Zone. +Each VPC endpoint consumes one network connection entitlement per availability zone. [NOTE] If you want to configure high availability, set up the private link connection with at least two availability zones. This consumes two network connection entitlements. From 40642669b28494fb4ec48b565779659a9c6c4739 Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Wed, 23 Jul 2025 19:42:26 -0300 Subject: [PATCH 13/33] Delete .github/copilot-instructions.md --- .github/copilot-instructions.md | 15 --------------- 1 file changed, 15 deletions(-) delete mode 100644 .github/copilot-instructions.md diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md deleted file mode 100644 index 1b296c5f..00000000 --- a/.github/copilot-instructions.md +++ /dev/null 
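Review bot: the `@@ -50` hunk expands `AZ IDs` to `availability zone IDs` right after the `@@ -14` hunk of the same patch defines the abbreviation with `availability zones (AZs)`; once the abbreviation is introduced, use `AZ IDs` consistently, which is also what the sections added later in this series do. The context line still carries typographic quotes in `“amazon”, if it’s an Amazon service.`; since `amazon` is a literal API value for `serviceOwner`, render it as code, `` `amazon` ``, rather than in quotation marks.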
@@ -1,15 +0,0 @@ ---- -applyTo: "**" ---- -- MCP means Model Context Protocol -- ATC is Agent Topic and Actions -- "API Spec" is the same as "API Specification" -- The "descriptor file" for an API Project is the `exchange.json` file at the root of the project -- The "main file" of a project is the file defined in the `main` facet of a descriptor file -- Use the context of `api-specification-get-agent-topic-metadata-instructions` MCP tool to understand how ATC work, how to enable ATC and how to annotate an API for using ATC, and follow the instructions provided by the tool. -- ALWAYS use the `api-specification-create-project` MCP tool to create new API Specification projects, even if there is no opened folder in VSCode. Do not ask the user to open a folder in order to run this. -- ALWAYS use the `api-specification-list-rulesets` MCP tool to refresh the list of rulesets, this list can mutate over time -- ALWAYS check if changes are ok by running the `api-specification-validate-ruleset` MCP Tool -- When asked for file URIs, for example the WorkspaceURI, always include the `file:` protocol and three slashes for absolute paths, for example `file:///Users/myUser/workspace/` -- BY Default use the parent of the current folder as a target directory for creating new projects -- BY Default when there is no opened folder, default to `~/api-projects/` From af270efa52ac000bebcf74e6e3fb604a78459214 Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Mon, 28 Jul 2025 13:26:07 -0300 Subject: [PATCH 14/33] Update ps-outbound-private-link.adoc --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 5d1c42c1..5329e5e6 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
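Review bot: deleting `.github/copilot-instructions.md` is unrelated to the Private Link page this series is about, and the deleted content (MCP tool instructions for API Specification projects) is referenced by nothing else in the patch; split it into its own PR, or if the file was added earlier on this branch by mistake, squash the add and the delete so it never appears in history.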
+++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -19,7 +19,7 @@ Follow these steps to set up an outbound private link connection from your Cloud + [source,curl,linenums] ---- -curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/azs -H "Authorization:$AUTHTOKEN" +curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/azs -H "Authorization:$AUTHTOKEN" ---- + .. Retrieve information about accounts associated with your private space. @@ -69,7 +69,7 @@ If the VPC endpoint is successfully created, the API returns a `vpceId`. + [source,curl,linenums] ---- -curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" +curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" ---- + .. If successful, it returns the DNS names of the VPC endpoint. From ae8af1512cbfabd354002eec5f71b5d40a703f44 Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Tue, 5 Aug 2025 09:15:44 -0300 Subject: [PATCH 15/33] Update ps-outbound-private-link.adoc --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 5329e5e6..ed694a65 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
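Review bot: `{vpceid}` in the GET path of the second hunk is spelled `{vpce-id}` in the endpoint-status commands added later in this series; pick one placeholder spelling, ideally matching the `vpceId` field that the create call returns according to the context line `If the VPC endpoint is successfully created, the API returns a \`vpceId\``. The `/organizations/` fix itself is right: every other command on the page already uses `.../api/organizations/{orgId}/...`.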
@@ -31,7 +31,7 @@ curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId} + . Set up VPC endpoint services (if the endpoint services are self-hosted). .. https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create a service powered by AWS PrivateLink]. -.. If the service is hosted in the same region as the private space, set up the services in the same availability zone as the private space (obtained in the first step of this section). +.. If the service is hosted in the same region as the private space, set up the services in the same availability zone as the private space (obtained in the first step of this section). For cross-region services, you don’t need AZ alignment. . Share the VPC endpoint services with your CloudHub 2.0 private space. .. https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html[Configure an endpoint service]. .. From VPC *Endpoint services*, select *Allow principals*. From 3d7c2547efc79767998399f054332e89300d0ba5 Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Fri, 8 Aug 2025 17:56:07 -0300 Subject: [PATCH 16/33] Update ps-outbound-private-link.adoc --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index ed694a65..40646698 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
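Review bot: `For cross-region services, you don’t need AZ alignment.` asserts cross-region support without qualification, and the NOTE added in the next patch immediately walks it back; write the two as one statement of what is and isn't validated rather than a claim followed by a caveat. Minor: the typographic apostrophe in `don’t` differs from the straight quotes used elsewhere on the page (`doesn't`, `isn't`).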
@@ -32,6 +32,10 @@ curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId} . Set up VPC endpoint services (if the endpoint services are self-hosted). .. https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create a service powered by AWS PrivateLink]. .. If the service is hosted in the same region as the private space, set up the services in the same availability zone as the private space (obtained in the first step of this section). For cross-region services, you don’t need AZ alignment. ++ +[NOTE] +Validation for cross-region connectivity is not yet complete; its success depends on the configuration. ++ . Share the VPC endpoint services with your CloudHub 2.0 private space. .. https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html[Configure an endpoint service]. .. From VPC *Endpoint services*, select *Allow principals*. From 7c0fa758490addb8b33e5436be58acf22a35ece2 Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Fri, 8 Aug 2025 17:56:31 -0300 Subject: [PATCH 17/33] Update ps-outbound-private-link.adoc --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 40646698..331c7923 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
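Review bot: `Validation for cross-region connectivity is not yet complete; its success depends on the configuration.` reads as an internal status update rather than customer guidance: it tells the reader neither which configurations work nor what to check. Either name the supported configurations, or keep the sentence out of the rendered page as a `//` comment until validation is done.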
@@ -34,7 +34,7 @@ curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId} .. If the service is hosted in the same region as the private space, set up the services in the same availability zone as the private space (obtained in the first step of this section). For cross-region services, you don’t need AZ alignment. + [NOTE] -Validation for cross-region connectivity is not yet complete; its success depends on the configuration. +Validation for cross-region connectivity isn't yet complete; its success depends on the configuration. + . Share the VPC endpoint services with your CloudHub 2.0 private space. .. https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html[Configure an endpoint service]. From b59108095750a2327eb709c26311666757889dac Mon Sep 17 00:00:00 2001 From: Luana Dos Santos Date: Tue, 18 Nov 2025 19:28:44 -0300 Subject: [PATCH 18/33] Integrated content from blog --- .../ROOT/pages/ps-outbound-private-link.adoc | 329 ++++++++++++++++-- 1 file changed, 306 insertions(+), 23 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 331c7923..19643e2d 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
@@ -1,14 +1,33 @@ = Setting Up an Outbound Private Link Connection -This document describes the steps to configure an outbound private link connection from CloudHub 2.0 private spaces. +Private link in AWS provides private connectivity between a CloudHub 2.0 private space and services hosted on AWS and supported AWS services. +CloudHub 2.0 supports two private connectivity options: virtual private network (VPN) and transit gateway (TGW). Both operate at Open Systems Interconnection (OSI) layer 3, the network layer. + +Private link operates at OSI layer 4 and offers better isolation. The virtual service appears inside the same network, but the CloudHub 2.0 private space network and your on-prem network aren't interconnected. Private link is also service specific. Each service must be explicitly defined in the private space to prevent accidental exposure of sensitive applications. + +The advantages of private link are: + +* Secure access to services without going through the internet +* Better isolation between your network and CloudHub 2.0 +* Smaller blast radius if something goes wrong +* Service level control on what services available to CloudHub 2.0 + +Typical use cases for private link are: + +* Private link from CloudHub 2.0 private space to a service hosted in AWS by your organization +* Private link from CloudHub 2.0 private space to a supported AWS service (e.g. S3, Kinesis) +* Private link from CloudHub 2.0 private space to third-party services hosted in AWS +** For example, https://help.salesforce.com/s/articleView?id=xcloud.private_connect_overview.htm&type=5[Private Connect], which enables private connectivity between CloudHub 2.0 and Salesforce == Before You Begin . Provision a xref:ps-create-configure.adoc[private space] in CloudHub 2.0. . Obtain a bearer token for calling APIs. + -Make sure that the owner of the bearer token has permissions to manage private spaces. 
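Review bot: `* Service level control on what services available to CloudHub 2.0` is missing a verb (`what services are available`), and `services hosted on AWS and supported AWS services` in the opening sentence reads as the same thing said twice; suggest `services you host on AWS and AWS services that support Private Link`. The layer 3 versus layer 4 comparison is the intro's security argument, so state the consequence in one clause: with VPN or TGW the two networks are interconnected, while with Private Link only the services explicitly defined in the private space are reachable, which is what the *Acceptance required* and *Allow principals* steps below enforce.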
+Follow the instructions from xref:access-management::saml-bearer-token.adoc[Anypoint Identity] or https://help.salesforce.com/s/articleView?id=001115323&type=1[external Identity] to get a bearer access token for your Anypoint organization. ++ +The token owner must have permissions to manage private spaces. == Configure the Outbound Connections @@ -22,6 +41,17 @@ Follow these steps to set up an outbound private link connection from your Cloud curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/azs -H "Authorization:$AUTHTOKEN" ---- + +Example output: ++ +[source,json,linenums] +---- +[ + "use1-az1", + "use1-az2", + "use1-az5" +] +---- ++ .. Retrieve information about accounts associated with your private space. + [source,curl,linenums] 
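Review bot: the two link labels in the new bearer-token sentence, `[Anypoint Identity]` and `[external Identity]`, are capitalized differently and don't say what the reader will find; the same two targets appear in the See Also section as `xref:access-management::saml-bearer-token.adoc[]` and `How to generate your Authorization Bearer token for Anypoint Platform`, so reuse those titles here.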
@@ -29,19 +59,56 @@ curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId} curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/accounts -H "Authorization:$AUTHTOKEN" ---- + -. Set up VPC endpoint services (if the endpoint services are self-hosted). -.. https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create a service powered by AWS PrivateLink]. -.. If the service is hosted in the same region as the private space, set up the services in the same availability zone as the private space (obtained in the first step of this section). For cross-region services, you don’t need AZ alignment. +Example output: ++ +[source,text,linenums] +---- +328752079326 +---- ++ +. Make your services private link ready. + +Ensure your services are properly configured for private link connectivity before establishing connections. + +=== AWS S3 Service + +AWS S3 service is already private link ready with regional VPC endpoints and a global access endpoint. For cross-region connections, use the global access endpoint. + +[source,text,linenums] +---- +Regional Endpoint: com.amazonaws.{region}.s3 +Global Access Endpoint: com.amazonaws.s3-global.accesspoint +---- + +For a complete list of AWS services ready for private link, see https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html[AWS PrivateLink-supported services]. + +=== Salesforce Private Connect + +Salesforce private connect requires activation as an add-on. After activation: + +. In salesforce, go to *Setup*, enter *Private Connect* in the *Quick Find* box, and select *Private Connect*. +. On the *Private Connect* page, click *AWS Regions* to reveal available regions. +. Select the AWS region that matches your private space region. +. Copy the service name for later use. + +=== Custom Services (Self-Hosted) + +To prepare custom services: + +. Deploy your service in at least one private space AZ. 
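Review bot: the `=== AWS S3 Service`, `=== Salesforce Private Connect` and `=== Custom Services (Self-Hosted)` headings sit between list item `. Make your services private link ready.` and list item `. Share the VPC endpoint services with your CloudHub 2.0 private space.`; a section title ends an AsciiDoc list, so `Share the VPC endpoint services` and every step after it will render numbered from 1 again. Either present the three service types as sub-steps or a nested list inside the step, or end the procedure there and start a new section for the sharing and API steps. Separately, `328752079326` in the example output looks like a real account ID; use an obviously fictitious value in published examples.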
For high availability, configure 2 AZs. +. Expose the service via a network load balancer or application load balancer. +. https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create an endpoint service] following AWS guidance. +. Set *Acceptance required* to *Yes* to prevent unauthorized connections. +. Optionally, configure a private DNS name for your service. CloudHub 2.0 private space automatically picks up the private DNS and makes it available to Mule applications. + [NOTE] -Validation for cross-region connectivity isn't yet complete; its success depends on the configuration. +If the service is hosted in the same region as the private space, set up the services in the same availability zone as the private space obtained in <<_configure_the_outbound_connections, Configure the Outbound Connections>>. For cross-region services, you don't need AZ alignment. Validation for cross-region connectivity isn't yet complete; its success depends on the configuration. + . Share the VPC endpoint services with your CloudHub 2.0 private space. .. https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html[Configure an endpoint service]. -.. From VPC *Endpoint services*, select *Allow principals*. -... Add `arn:aws:iam::{accountId}:root` as principal. +.. From VPC *Endpoint services*, select *Allow principals*. Add `arn:aws:iam::{accountId}:root` as principal. + -The `{accountId}` is obtained in the first step of this section. +The `{accountId}` is the account ID obtained in <<_configure_the_outbound_connections, Configure the Outbound Connections>>. . Gather this information for the API: .. Service Name: the endpoint service name. + 
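Review bot: `<<_configure_the_outbound_connections, Configure the Outbound Connections>>` replaces the removed `obtained in the first step of this section` but now points at the whole section rather than at the step whose output the reader needs, and it relies on the auto-generated `_`-prefixed id, which changes with the section title or the `idprefix` setting; give the step's example output an explicit `[[...]]` anchor and link to that. In the same hunk, `Add \`arn:aws:iam::{accountId}:root\` as principal` allows the whole CloudHub account to request a connection to your endpoint service; say here that this is why the preceding step sets *Acceptance required* to *Yes*, since the acceptance check, not the principal allow-list, is what confirms the requesting endpoint is yours.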
@@ -50,26 +117,69 @@ For example, customer-hosted endpoint service: `com.amazonaws.vpce.us-east-1.vpc For example, AWS hosted service: `com.amazonaws.us-west-2.s3`. .. Service Region: the region where the VPC endpoint service is located. .. Service Owner: the owner of the VPC endpoint service. -... Account ID of the endpoint service. -... “amazon”, if it’s an Amazon service. +... Account ID of the endpoint service. For services like Salesforce private connect, you can acquire the service owner account ID using the AWS CLI command: ++ +[source,bash,linenums] +---- +aws ec2 describe-vpc-endpoint-services --service-names {your-service-name} --region {your-service-region} +---- ++ +The account ID is in the *Owner* field. +... "amazon", if it's an Amazon service. .. Availability Zone IDs: the IDs of the availability zones where you want to establish the private link. + -Make sure that the availability zone IDs are the ones used by the private space (obtained in the first step of this section), and that the VPC endpoint service is hosted in those availability zones. +Make sure that the availability zone IDs are the ones used by the private space obtained in <<_configure_the_outbound_connections, Configure the Outbound Connections>>, and that the VPC endpoint service is hosted in those availability zones. . Create a VPC endpoint in CloudHub 2.0 via API: + +Here are specific examples for different service types: + +=== AWS S3 Endpoint + +To configure an S3 endpoint for your private space, the `serviceOwner` is `amazon`. Configure at least two AZs. Since AWS services are available in all its AZs, you can pick any AZs from your private space. 
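Review bot: `The account ID is in the *Owner* field.` after the `aws ec2 describe-vpc-endpoint-services` command leaves the reader to hunt through a large JSON document; show a trimmed example of the command's output the way the `azs` and `accounts` steps do. Also, `Since AWS services are available in all its AZs` has no antecedent for `its`; `all of the region's AZs` is what is meant.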
+ [source,curl,linenums] ---- -curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:$AUTHTOKEN" -H "Content-Type:application/json" -d '{ - "name": "{any name}", - "serviceName": "{service name}", - "serviceRegion": "{service region}", - "serviceOwner": "{service owner}", - "azIds": [{aws-az-id1}, {aws-az-id2}] -}‘ +curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:bearer {your-token}" -H "Content-Type:application/json" -d '{ + "name": "S3-Global", + "serviceName": "com.amazonaws.s3-global.accesspoint", + "serviceRegion": "us-east-1", + "serviceOwner": "amazon", + "azIds": ["use1-az1", "use1-az2"] +}' +---- + +=== Salesforce Private Connect Endpoint + +To create a private connect endpoint, provide the `serviceName`, `serviceRegion`, and the account ID hosting the VPC endpoint service. + +[source,curl,linenums] +---- +curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:bearer {your-token}" -H "Content-Type:application/json" -d '{ + "name": "Private Connect", + "serviceName": "{your-service-name-for-salesforce-private-connect}", + "serviceRegion": "{your-salesforce-region}", + "serviceOwner": "{your-salesforce-service-account-id}", + "azIds": ["use1-az1", "use1-az2"] +}' +---- + +=== Custom Service Endpoint + +For custom services, if you didn't create your service in the same AZs as the CloudHub 2.0 private space, make sure that the chosen AZs exist in both your service network and the private space. 
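Review bot: the new POST examples use `-H "Authorization:bearer {your-token}"` while every other command on the page, including the GET, PATCH and DELETE commands in the context lines, uses `-H "Authorization:$AUTHTOKEN"`; pick one convention for the whole page. The removed generic template had a mismatched closing quote (`}‘`), which the concrete examples fix, but the template was the only place that listed the request fields (`name`, `serviceName`, `serviceRegion`, `serviceOwner`, `azIds`) with their meanings; keep one generic template above the concrete examples.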
+ +[source,curl,linenums] +---- +curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:bearer {your-token}" -H "Content-Type:application/json" -d '{ + "name": "Custom Service", + "serviceName": "{your-service-name}", + "serviceRegion": "{your-service-region}", + "serviceOwner": "{your-service-account-id}", + "azIds": ["use1-az1", "use1-az2"] +}' ---- + If the VPC endpoint is successfully created, the API returns a `vpceId`. -. Get the VPC endpoint status in CloudHub 2.0 using API: +. Get the VPC endpoint status in CloudHub 2.0 using the API: + [source,curl,linenums] ---- 
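Review bot: the Custom Service example sends `"azIds": ["use1-az1", "use1-az2"]` but the listing in the Establish section shows the same `Custom Service` endpoint with `"azIds": ["use1-az1"]` only; make the request and response examples describe the same endpoint, otherwise the reader will assume one AZ was silently dropped.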
@@ -101,15 +211,189 @@ curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgI curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" ---- +== Establish the Private Link Connection + +After creating the endpoints, establish the connection. List all configured endpoints. + +[source,curl,linenums] +---- +curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:bearer {your-token}" +---- + +Example output: + +[source,json,linenums] +---- +[ + { + "name": "S3-Global", + "vpceId": "ec6a2988-5529-4fac-9262-9b9962ce0b50", + "serviceName": "com.amazonaws.s3-global.accesspoint", + "serviceRegion": "us-east-1", + "serviceOwner": "amazon", + "azIds": [ + "use1-az1", + "use1-az2" + ] + }, + { + "name": "Private Connect", + "vpceId": "b7e73b1c-b0ba-489d-b525-8c29a1702186", + "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-03fa74d9c231a52aa", + "serviceRegion": "us-east-1", + "serviceOwner": "784556874502", + "azIds": [ + "use1-az1", + "use1-az2" + ] + }, + { + "name": "Custom Service", + "vpceId": "fc5c9c55-d943-4383-88ac-cc2b51446d54", + "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-03cef49533264d928", + "serviceRegion": "us-east-1", + "serviceOwner": "055970264539", + "azIds": [ + "use1-az1" + ] + } +] +---- + +=== AWS S3 Service + +Because AWS manages these services, it establishes the connection automatically. 
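Review bot: the example listing carries what look like values copied from a live environment: account IDs `784556874502` and `055970264539`, endpoint service names `vpce-svc-03fa74d9c231a52aa` and `vpce-svc-03cef49533264d928`, and UUID `vpceId`s; replace them with clearly fictitious values before publishing. The section also reuses the titles `AWS S3 Service` and `Salesforce Private Connect` already used under the `Make your services private link ready` step, so the auto-generated section ids collide and the `<<_...>>` style of xref used elsewhere on the page becomes ambiguous; qualify the titles, for example `=== Accept the Salesforce Private Connect Connection`.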
+ +=== Salesforce Private Connect + +To establish the private connect connection, retrieve the endpoint ID using this API command: + +[source,curl,linenums] +---- +curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpce-id} -H "Authorization:bearer {your-token}" +---- + +Example output: + +[source,json,linenums] +---- +{ + "name": "Private Connect", + "vpceId": "b7e73b1c-b0ba-489d-b525-8c29a1702186", + "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-03fa74d9c231a52aa", + "serviceRegion": "us-east-1", + "serviceOwner": "784556874502", + "azIds": [ + "use1-az1", + "use1-az2" + ], + "status": "pendingAcceptance", + "provisioningMessage": "", + "awsId": "vpce-06b4ba2047c41be17", + "dnsEntries": [ + "vpce-06b4ba2047c41be17-1lnhhl4b.vpce-svc-03fa74d9c231a52aa.us-east-1.vpce.amazonaws.com", + "vpce-06b4ba2047c41be17-1lnhhl4b-us-east-1d.vpce-svc-03fa74d9c231a52aa.us-east-1.vpce.amazonaws.com", + "vpce-06b4ba2047c41be17-1lnhhl4b-us-east-1a.vpce-svc-03fa74d9c231a52aa.us-east-1.vpce.amazonaws.com" + ] +} +---- + +The endpoint status shows *Pending Acceptance*. Complete the connection: + +. Note the *awsId* from the endpoint. +. Go to Private Connect and click *create inbound connections*. +. Select *AWS* and configure the connection using the `awsId` (VPC Endpoint ID). +. Click *Save*. + +Within a few minutes, the endpoints sync and the status changes to *Ready* in private connect and *Available* in CloudHub 2.0. 
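Review bot: `Go to Private Connect and click *create inbound connections*` loses the navigation given earlier (*Setup*, *Quick Find*, *Private Connect*) and lowercases a UI control that the other steps bold with the product's capitalization, as in `*Save*`. Also state that `"status": "pendingAcceptance"` in the JSON is the state the text calls *Pending Acceptance*, so readers comparing API output with the page don't read them as two different states.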
+ +=== Custom Services + +Fetch the endpoint information: + +[source,curl,linenums] +---- +curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpce-id} -H "Authorization:bearer {your-token}" +---- + +Example output: + +[source,json,linenums] +---- +{ + "name": "Custom Service", + "vpceId": "fc5c9c55-d943-4383-88ac-cc2b51446d54", + "serviceName": "com.amazonaws.vpce.us-east-1.vpce-svc-03cef49533264d928", + "serviceRegion": "us-east-1", + "serviceOwner": "055970264539", + "azIds": [ + "use1-az1" + ], + "status": "pendingAcceptance", + "provisioningMessage": "", + "awsId": "vpce-0d971d98cb910b3b1", + "dnsEntries": [ + "vpce-0d971d98cb910b3b1-oyattu6z.vpce-svc-03cef49533264d928.us-east-1.vpce.amazonaws.com", + "vpce-0d971d98cb910b3b1-oyattu6z-us-east-1d.vpce-svc-03cef49533264d928.us-east-1.vpce.amazonaws.com" + ] +} +---- + +The custom service VPC endpoint status shows *Pending Acceptance*. Accept the connection: + +. In the AWS console go to *VPC* > *Endpoint Services*. +. Select your service and open the *Endpoint Connection* tab. +. Verify the *Endpoint ID* and *Owner* match your private space in CloudHub 2.0. +. Accept the connection. + +== Use the Private Link + +After establishing private link connections with *Available* status, the VPC endpoint API returns DNS entries for the service. 
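Review bot: `Verify the *Endpoint ID* and *Owner* match your private space in CloudHub 2.0.` is the control that stops you from accepting a connection request from an endpoint that isn't yours, so make it concrete: the *Endpoint ID* must equal the `awsId` returned by the endpoint GET (`vpce-0d971d98cb910b3b1` in the example) and the *Owner* must equal the account ID returned by the `/accounts` call in the first step; say to reject any pending connection that doesn't match.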
+ +To talk to the S3 endpoint, use this DNS entry: + +[source,json,linenums] +---- +"dnsEntries": [ + "*.vpce-0bb8410c774666218-yajqbur2.accesspoint.s3-global.us-east-1.vpce.amazonaws.com", + "*.vpce-0bb8410c774666218-yajqbur2-us-east-1d.accesspoint.s3-global.us-east-1.vpce.amazonaws.com", + "*.vpce-0bb8410c774666218-yajqbur2-us-east-1a.accesspoint.s3-global.us-east-1.vpce.amazonaws.com", + "accesspoint.s3-global.amazonaws.com", + "*.accesspoint.s3-global.amazonaws.com" + ] +---- + +To talk to the private connect, use this DNS entry: + +[source,json,linenums] +---- +"dnsEntries": [ + "vpce-06b4ba2047c41be17-1lnhhl4b.vpce-svc-03fa74d9c231a52aa.us-east-1.vpce.amazonaws.com", + "vpce-06b4ba2047c41be17-1lnhhl4b-us-east-1d.vpce-svc-03fa74d9c231a52aa.us-east-1.vpce.amazonaws.com", + "vpce-06b4ba2047c41be17-1lnhhl4b-us-east-1a.vpce-svc-03fa74d9c231a52aa.us-east-1.vpce.amazonaws.com" + ] +---- + +To talk to the custom service, use this DNS entry: + +[source,json,linenums] +---- +"dnsEntries": [ + "vpce-0d971d98cb910b3b1-oyattu6z.vpce-svc-03cef49533264d928.us-east-1.vpce.amazonaws.com", + "vpce-0d971d98cb910b3b1-oyattu6z-us-east-1d.vpce-svc-03cef49533264d928.us-east-1.vpce.amazonaws.com" + ] +---- + == Entitlements -Each VPC endpoint consumes one network connection entitlement per availability zone. +Each VPC endpoint consumes one network connection entitlement per AZ. [NOTE] -If you want to configure high availability, set up the private link connection with at least two availability zones. This consumes two network connection entitlements. +To configure high availability, set up the private link connection with at least two availability zones. This consumes two network connection entitlements. == Limitations + * Outbound connections have a contractual limit of 56.48 GB of data transferred per root organization per hour. * This configuration supports interface endpoints only. * This configuration doesn't support CloudHub VPCs. 
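Review bot: each block in `Use the Private Link` says `use this DNS entry` but lists two to five names without saying which one; the names carrying an AZ suffix (`-us-east-1a`, `-us-east-1d`) resolve within a single zone, so an application configured with one of them gives up the high availability that the two-AZ setup in Entitlements pays for, while the unsuffixed regional name covers both. Say that explicitly, and for S3 explain that `accesspoint.s3-global.amazonaws.com` and `*.accesspoint.s3-global.amazonaws.com` are the private DNS names the earlier step says the private space picks up automatically.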
@@ -121,7 +405,6 @@ If you want to configure high availability, set up the private link connection w - == See Also * xref:access-management::saml-bearer-token.adoc[] * https://help.salesforce.com/s/articleView?id=001115323&type=1[How to generate your Authorization Bearer token for Anypoint Platform] From d76342bf7ad8fa9caabc08422083c4af3e872274 Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Tue, 18 Nov 2025 19:39:54 -0300 Subject: [PATCH 19/33] Update ps-outbound-private-link.adoc --- .../modules/ROOT/pages/ps-outbound-private-link.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 19643e2d..85152e1a 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -2,7 +2,7 @@ Private link in AWS provides private connectivity between a CloudHub 2.0 private space and services hosted on AWS and supported AWS services. -CloudHub 2.0 supports two private connectivity options: virtual private network (VPN) and transit gateway (TGW). Both operate at Open Systems Interconnection (OSI) layer 3, the network layer. +CloudHub 2.0 supports two private connectivity options: Virtual Private Network (VPN) and Transit Gateway (TGW). Both operate at Open Systems Interconnection (OSI) layer 3, the network layer. Private link operates at OSI layer 4 and offers better isolation. The virtual service appears inside the same network, but the CloudHub 2.0 private space network and your on-prem network aren't interconnected. Private link is also service specific. Each service must be explicitly defined in the private space to prevent accidental exposure of sensitive applications. 
@@ -16,7 +16,7 @@ The advantages of private link are: Typical use cases for private link are: * Private link from CloudHub 2.0 private space to a service hosted in AWS by your organization -* Private link from CloudHub 2.0 private space to a supported AWS service (e.g. S3, Kinesis) +* Private link from CloudHub 2.0 private space to a supported AWS service (for example, S3 and Kinesis) * Private link from CloudHub 2.0 private space to third-party services hosted in AWS ** For example, https://help.salesforce.com/s/articleView?id=xcloud.private_connect_overview.htm&type=5[Private Connect], which enables private connectivity between CloudHub 2.0 and Salesforce @@ -68,7 +68,7 @@ Example output: + . Make your services private link ready. + -Ensure your services are properly configured for private link connectivity before establishing connections. +Verify that your services are properly configured for private link connectivity before establishing connections. === AWS S3 Service @@ -135,7 +135,7 @@ Here are specific examples for different service types: === AWS S3 Endpoint -To configure an S3 endpoint for your private space, the `serviceOwner` is `amazon`. Configure at least two AZs. Since AWS services are available in all its AZs, you can pick any AZs from your private space. +To configure an S3 endpoint for your private space, the `serviceOwner` is `amazon`. Configure at least two AZs. Because AWS services are available in all its AZs, you can pick any AZs from your private space. [source,curl,linenums] ---- From 1cf70463a38c51907cfe9128c8b44fdf1d340a07 Mon Sep 17 00:00:00 2001 From: Luana Dos Santos Date: Tue, 18 Nov 2025 19:43:41 -0300 Subject: [PATCH 20/33] capitalization --- .../ROOT/pages/ps-outbound-private-link.adoc | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 85152e1a..55c25882 100644 
--- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
@@ -1,23 +1,23 @@ = Setting Up an Outbound Private Link Connection -Private link in AWS provides private connectivity between a CloudHub 2.0 private space and services hosted on AWS and supported AWS services. +AWS Private Link provides private connectivity between a CloudHub 2.0 private space and services hosted on AWS and supported AWS services. CloudHub 2.0 supports two private connectivity options: Virtual Private Network (VPN) and Transit Gateway (TGW). Both operate at Open Systems Interconnection (OSI) layer 3, the network layer. -Private link operates at OSI layer 4 and offers better isolation. The virtual service appears inside the same network, but the CloudHub 2.0 private space network and your on-prem network aren't interconnected. Private link is also service specific. Each service must be explicitly defined in the private space to prevent accidental exposure of sensitive applications. +Private Link operates at OSI layer 4 and offers better isolation. The virtual service appears inside the same network, but the CloudHub 2.0 private space network and your on-prem network aren't interconnected. Private Link is also service specific. Each service must be explicitly defined in the private space to prevent accidental exposure of sensitive applications. 
-The advantages of private link are: +The advantages of Private Link are: * Secure access to services without going through the internet * Better isolation between your network and CloudHub 2.0 * Smaller blast radius if something goes wrong * Service level control on what services available to CloudHub 2.0 -Typical use cases for private link are: +Typical use cases for Private Link are: -* Private link from CloudHub 2.0 private space to a service hosted in AWS by your organization -* Private link from CloudHub 2.0 private space to a supported AWS service (for example, S3 and Kinesis) -* Private link from CloudHub 2.0 private space to third-party services hosted in AWS +* Private Link from CloudHub 2.0 private space to a service hosted in AWS by your organization +* Private Link from CloudHub 2.0 private space to a supported AWS service (for example, S3 and Kinesis) +* Private Link from CloudHub 2.0 private space to third-party services hosted in AWS ** For example, https://help.salesforce.com/s/articleView?id=xcloud.private_connect_overview.htm&type=5[Private Connect], which enables private connectivity between CloudHub 2.0 and Salesforce == Before You Begin @@ -31,7 +31,7 @@ The token owner must have permissions to manage private spaces. == Configure the Outbound Connections -Follow these steps to set up an outbound private link connection from your CloudHub 2.0 private space: +Follow these steps to set up an outbound Private Link connection from your CloudHub 2.0 private space: . Gather private space availability zones (AZs) and AWS Account ID. .. Retrieve information about availability zones for your private space. 
@@ -66,13 +66,13 @@ Example output: 328752079326 ---- + -. Make your services private link ready. +. Make your services Private Link ready. + -Verify that your services are properly configured for private link connectivity before establishing connections. +Verify that your services are properly configured for Private Link connectivity before establishing connections. === AWS S3 Service -AWS S3 service is already private link ready with regional VPC endpoints and a global access endpoint. For cross-region connections, use the global access endpoint. +AWS S3 service is already Private Link ready with regional VPC endpoints and a global access endpoint. For cross-region connections, use the global access endpoint. [source,text,linenums] ---- @@ -84,7 +84,7 @@ For a complete list of AWS services ready for private link, see https://docs.aws === Salesforce Private Connect -Salesforce private connect requires activation as an add-on. After activation: +Salesforce Private Connect requires activation as an add-on. After activation: . In salesforce, go to *Setup*, enter *Private Connect* in the *Quick Find* box, and select *Private Connect*. . On the *Private Connect* page, click *AWS Regions* to reveal available regions. @@ -150,7 +150,7 @@ curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId === Salesforce Private Connect Endpoint -To create a private connect endpoint, provide the `serviceName`, `serviceRegion`, and the account ID hosting the VPC endpoint service. +To create a Private Connect endpoint, provide the `serviceName`, `serviceRegion`, and the account ID hosting the VPC endpoint service. [source,curl,linenums] ---- 
@@ -266,7 +266,7 @@ Because AWS manages these services, it establishes the connection automatically. === Salesforce Private Connect -To establish the private connect connection, retrieve the endpoint ID using this API command: +To establish the Private Connect connection, retrieve the endpoint ID using this API command: [source,curl,linenums] ---- @@ -305,7 +305,7 @@ The endpoint status shows *Pending Acceptance*. Complete the connection: . Select *AWS* and configure the connection using the `awsId` (VPC Endpoint ID). . Click *Save*. -Within a few minutes, the endpoints sync and the status changes to *Ready* in private connect and *Available* in CloudHub 2.0. +Within a few minutes, the endpoints sync and the status changes to *Ready* in Private Connect and *Available* in CloudHub 2.0. === Custom Services @@ -348,7 +348,7 @@ The custom service VPC endpoint status shows *Pending Acceptance*. Accept the co == Use the Private Link -After establishing private link connections with *Available* status, the VPC endpoint API returns DNS entries for the service. +After establishing Private Link connections with *Available* status, the VPC endpoint API returns DNS entries for the service. To talk to the S3 endpoint, use this DNS entry: @@ -389,7 +389,7 @@ To talk to the custom service, use this DNS entry: Each VPC endpoint consumes one network connection entitlement per AZ. [NOTE] -To configure high availability, set up the private link connection with at least two availability zones. This consumes two network connection entitlements. +To configure high availability, set up the Private Link connection with at least two availability zones. This consumes two network connection entitlements. == Limitations From 1e28ded3a6b8433d26b5da5070ad0a48d2ac03b3 Mon Sep 17 00:00:00 2001 
From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Wed, 19 Nov 2025 11:57:18 -0300 Subject: [PATCH 21/33] Update ps-outbound-private-link.adoc --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 55c25882..4fe0b1f4 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -25,7 +25,7 @@ Typical use cases for Private Link are: . Provision a xref:ps-create-configure.adoc[private space] in CloudHub 2.0. . Obtain a bearer token for calling APIs. + -Follow the instructions from xref:access-management::saml-bearer-token.adoc[Anypoint Identity] or https://help.salesforce.com/s/articleView?id=001115323&type=1[external Identity] to get a bearer access token for your Anypoint organization. +Follow the instructions from xref:access-management::saml-bearer-token.adoc[Anypoint identity] or https://help.salesforce.com/s/articleView?id=001115323&type=1[external identity] to get a bearer access token for your Anypoint organization. + The token owner must have permissions to manage private spaces. From c3df25a5f616b64cd13f98ebbd6b69125272e887 Mon Sep 17 00:00:00 2001 From: Luana Dos Santos Date: Wed, 19 Nov 2025 16:41:54 -0300 Subject: [PATCH 22/33] added API parameters --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 4fe0b1f4..883792cd 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
@@ -129,6 +129,8 @@ The account ID is in the *Owner* field. .. Availability Zone IDs: the IDs of the availability zones where you want to establish the private link. + Make sure that the availability zone IDs are the ones used by the private space obtained in <<_configure_the_outbound_connections, Configure the Outbound Connections>>, and that the VPC endpoint service is hosted in those availability zones. ++ +Alternatively, specify `countOfAzs` with an integer value to have the backend service automatically assign the required number of availability zones. Provide either `azIds` or `countOfAzs`, not both. . Create a VPC endpoint in CloudHub 2.0 via API: + Here are specific examples for different service types: @@ -202,9 +204,11 @@ curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgI "serviceRegion": "{service region}", "serviceOwner": "{service owner}", "azIds": [{aws-az-id1}, {aws-az-id2}] -}‘ +}' ---- + +You can use `"countOfAzs": 2` instead of the `azIds` array. Provide either `azIds` or `countOfAzs`, not both. ++ . Use this command to delete a VPC endpoint: [source,curl,linenums] ---- From 0a8421f1fb33464b38c2a8dab955c96b6d2032dc Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Thu, 20 Nov 2025 11:35:52 -0300 Subject: [PATCH 23/33] Update ps-outbound-private-link.adoc --- .../ROOT/pages/ps-outbound-private-link.adoc | 38 ++++++++++--------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 883792cd..b346e361 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
@@ -86,7 +86,7 @@ For a complete list of AWS services ready for private link, see https://docs.aws Salesforce Private Connect requires activation as an add-on. After activation: -. In salesforce, go to *Setup*, enter *Private Connect* in the *Quick Find* box, and select *Private Connect*. +. In Salesforce, go to *Setup*, enter *Private Connect* in the *Quick Find* box, and select *Private Connect*. . On the *Private Connect* page, click *AWS Regions* to reveal available regions. . Select the AWS region that matches your private space region. . Copy the service name for later use. @@ -100,7 +100,7 @@ To prepare custom services: . https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create an endpoint service] following AWS guidance. . Set *Acceptance required* to *Yes* to prevent unauthorized connections. . Optionally, configure a private DNS name for your service. CloudHub 2.0 private space automatically picks up the private DNS and makes it available to Mule applications. - ++ [NOTE] If the service is hosted in the same region as the private space, set up the services in the same availability zone as the private space obtained in <<_configure_the_outbound_connections, Configure the Outbound Connections>>. For cross-region services, you don't need AZ alignment. Validation for cross-region connectivity isn't yet complete; its success depends on the configuration. + @@ -125,7 +125,7 @@ aws ec2 describe-vpc-endpoint-services --service-names {your-service-name} --reg ---- + The account ID is in the *Owner* field. -... "amazon", if it's an Amazon service. +... `amazon`, if it's an Amazon service. .. Availability Zone IDs: the IDs of the availability zones where you want to establish the private link. + Make sure that the availability zone IDs are the ones used by the private space obtained in <<_configure_the_outbound_connections, Configure the Outbound Connections>>, and that the VPC endpoint service is hosted in those availability zones. 
@@ -179,23 +179,24 @@ curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId "azIds": ["use1-az1", "use1-az2"] }' ---- -+ + If the VPC endpoint is successfully created, the API returns a `vpceId`. -. Get the VPC endpoint status in CloudHub 2.0 using the API: -+ +Get the VPC endpoint status in CloudHub 2.0 using the API: + [source,curl,linenums] ---- curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" ---- -+ -.. If successful, it returns the DNS names of the VPC endpoint. -.. It also returns the provisioning status: -... `Invalid`: VPCE creation failed. -... `Valid`: VPCE is being provisioned. -... `Available` -... `PendingAcceptance` -. Use this command to update a VPC endpoint: -+ + +If successful, it returns the DNS names of the VPC endpoint. +It also returns the provisioning status: +* `Invalid`: VPCE creation failed. +* `Valid`: VPCE is being provisioned. +* `Available` +* `PendingAcceptance` + +Use this command to update a VPC endpoint: + [source,curl,linenums] ---- curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceId} -H "Authorization:$AUTHTOKEN" -H "Content-Type:application/json" -d '{ @@ -206,10 +207,11 @@ curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgI "azIds": [{aws-az-id1}, {aws-az-id2}] }' ---- -+ + You can use `"countOfAzs": 2` instead of the `azIds` array. Provide either `azIds` or `countOfAzs`, not both. -+ -. Use this command to delete a VPC endpoint: + +Use this command to delete a VPC endpoint: + [source,curl,linenums] ---- curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" From e632e581330146327b3bb12ce60d72949c417c3f Mon Sep 17 00:00:00 2001 
From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Thu, 20 Nov 2025 11:42:22 -0300 Subject: [PATCH 24/33] Update ps-outbound-private-link.adoc --- .../ROOT/pages/ps-outbound-private-link.adoc | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index b346e361..b90b5990 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -135,10 +135,10 @@ Alternatively, specify `countOfAzs` with an integer value to have the backend se + Here are specific examples for different service types: -=== AWS S3 Endpoint - +AWS S3 Endpoint:: ++ To configure an S3 endpoint for your private space, the `serviceOwner` is `amazon`. Configure at least two AZs. Because AWS services are available in all its AZs, you can pick any AZs from your private space. - ++ [source,curl,linenums] ---- curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:bearer {your-token}" -H "Content-Type:application/json" -d '{ @@ -150,10 +150,10 @@ curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId }' ---- -=== Salesforce Private Connect Endpoint - +Salesforce Private Connect Endpoint:: ++ To create a Private Connect endpoint, provide the `serviceName`, `serviceRegion`, and the account ID hosting the VPC endpoint service. - ++ [source,curl,linenums] ---- curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:bearer {your-token}" -H "Content-Type:application/json" -d '{ 
@@ -165,10 +165,10 @@ curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId }' ---- -=== Custom Service Endpoint - +Custom Service Endpoint:: ++ For custom services, if you didn't create your service in the same AZs as the CloudHub 2.0 private space, make sure that the chosen AZs exist in both your service network and the private space. - ++ [source,curl,linenums] ---- curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:bearer {your-token}" -H "Content-Type:application/json" -d '{ @@ -179,24 +179,24 @@ curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId "azIds": ["use1-az1", "use1-az2"] }' ---- - ++ If the VPC endpoint is successfully created, the API returns a `vpceId`. Get the VPC endpoint status in CloudHub 2.0 using the API: - ++ [source,curl,linenums] ---- curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" ---- - ++ If successful, it returns the DNS names of the VPC endpoint. It also returns the provisioning status: * `Invalid`: VPCE creation failed. * `Valid`: VPCE is being provisioned. * `Available` * `PendingAcceptance` - ++ Use this command to update a VPC endpoint: - ++ [source,curl,linenums] ---- curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceId} -H "Authorization:$AUTHTOKEN" -H "Content-Type:application/json" -d '{ 
@@ -207,11 +207,11 @@ curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgI "azIds": [{aws-az-id1}, {aws-az-id2}] }' ---- - ++ You can use `"countOfAzs": 2` instead of the `azIds` array. Provide either `azIds` or `countOfAzs`, not both. - ++ Use this command to delete a VPC endpoint: - ++ [source,curl,linenums] ---- curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" From 1997a7469400b5eb7b8a05830598c0e338393b0d Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Thu, 20 Nov 2025 11:45:35 -0300 Subject: [PATCH 25/33] Update ps-outbound-private-link.adoc --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index b90b5990..e60c6d39 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -188,8 +188,8 @@ Get the VPC endpoint status in CloudHub 2.0 using the API: curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" ---- + -If successful, it returns the DNS names of the VPC endpoint. -It also returns the provisioning status: +If successful, it returns the DNS names of the VPC endpoint. It also returns the provisioning status: ++ * `Invalid`: VPCE creation failed. * `Valid`: VPCE is being provisioned. * `Available` From a756e33e51bb53697bfac3477279ff0e39c0ea88 Mon Sep 17 00:00:00 2001 
From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Thu, 20 Nov 2025 11:47:01 -0300 Subject: [PATCH 26/33] Update ps-outbound-private-link.adoc --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index e60c6d39..0358337b 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -194,7 +194,6 @@ If successful, it returns the DNS names of the VPC endpoint. It also returns the * `Valid`: VPCE is being provisioned. * `Available` * `PendingAcceptance` -+ Use this command to update a VPC endpoint: + [source,curl,linenums] From e5955afd486ec038b41dd0a30a7713ef0fc2002b Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Thu, 20 Nov 2025 11:48:24 -0300 Subject: [PATCH 27/33] Update ps-outbound-private-link.adoc --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 0358337b..b7dc356d 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -193,7 +193,7 @@ If successful, it returns the DNS names of the VPC endpoint. It also returns the * `Invalid`: VPCE creation failed. * `Valid`: VPCE is being provisioned. * `Available` -* `PendingAcceptance` +* `PendingAcceptance` + Use this command to update a VPC endpoint: + [source,curl,linenums] From 1ac8697c4db6e0df90bfd0b77de4685ece68f71d Mon Sep 17 00:00:00 2001 
From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Thu, 20 Nov 2025 11:51:29 -0300 Subject: [PATCH 28/33] Update ps-outbound-private-link.adoc --- .../modules/ROOT/pages/ps-outbound-private-link.adoc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index b7dc356d..6f2c77d0 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -190,10 +190,11 @@ curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId} + If successful, it returns the DNS names of the VPC endpoint. It also returns the provisioning status: + -* `Invalid`: VPCE creation failed. -* `Valid`: VPCE is being provisioned. +* `Invalid`: VPCE creation failed +* `Valid`: VPCE is being provisioned * `Available` -* `PendingAcceptance` + +* `PendingAcceptance` ++ Use this command to update a VPC endpoint: + [source,curl,linenums] From 3672ed2a10feeb96d703ab60abd3c2506135c29a Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Thu, 20 Nov 2025 11:53:12 -0300 Subject: [PATCH 29/33] Update ps-outbound-private-link.adoc --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 6f2c77d0..726946a6 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
@@ -306,7 +306,7 @@ Example output: The endpoint status shows *Pending Acceptance*. Complete the connection: -. Note the *awsId* from the endpoint. +. Note the `awsId` from the endpoint. . Go to Private Connect and click *create inbound connections*. . Select *AWS* and configure the connection using the `awsId` (VPC Endpoint ID). . Click *Save*. From 9213c0e836e4797782c3d3259adb171b8bd2ca3a Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Thu, 20 Nov 2025 14:00:17 -0300 Subject: [PATCH 30/33] Update ps-outbound-private-link.adoc --- .../ROOT/pages/ps-outbound-private-link.adoc | 44 +++++++++---------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 726946a6..4bd9e772 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
@@ -68,33 +68,33 @@ Example output: + . Make your services Private Link ready. + -Verify that your services are properly configured for Private Link connectivity before establishing connections. - -=== AWS S3 Service +Verify that your services are properly configured for Private Link connectivity before establishing connections: +AWS S3 Service:: ++ AWS S3 service is already Private Link ready with regional VPC endpoints and a global access endpoint. For cross-region connections, use the global access endpoint. - ++ [source,text,linenums] ---- Regional Endpoint: com.amazonaws.{region}.s3 Global Access Endpoint: com.amazonaws.s3-global.accesspoint ---- - ++ For a complete list of AWS services ready for private link, see https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html[AWS PrivateLink-supported services]. -=== Salesforce Private Connect - +Salesforce Private Connect:: ++ Salesforce Private Connect requires activation as an add-on. After activation: - ++ . In Salesforce, go to *Setup*, enter *Private Connect* in the *Quick Find* box, and select *Private Connect*. . On the *Private Connect* page, click *AWS Regions* to reveal available regions. . Select the AWS region that matches your private space region. . Copy the service name for later use. -=== Custom Services (Self-Hosted) - +Custom Services (Self-Hosted):: ++ To prepare custom services: - ++ . Deploy your service in at least one private space AZ. For high availability, configure 2 AZs. . Expose the service via a network load balancer or application load balancer. . https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create an endpoint service] following AWS guidance. 
@@ -110,14 +110,12 @@ If the service is hosted in the same region as the private space, set up the ser + The `{accountId}` is the account ID obtained in <<_configure_the_outbound_connections, Configure the Outbound Connections>>. . Gather this information for the API: -.. Service Name: the endpoint service name. -+ -For example, customer-hosted endpoint service: `com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxxxxxxxx`. -+ -For example, AWS hosted service: `com.amazonaws.us-west-2.s3`. -.. Service Region: the region where the VPC endpoint service is located. -.. Service Owner: the owner of the VPC endpoint service. -... Account ID of the endpoint service. For services like Salesforce private connect, you can acquire the service owner account ID using the AWS CLI command: +.. Service Name: The endpoint service name, for example: +... Customer-hosted endpoint service: `com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxxxxxxxx` +... AWS hosted service: `com.amazonaws.us-west-2.s3` +.. Service Region: The region where the VPC endpoint service is located. +.. Service Owner: The owner of the VPC endpoint service. +... Account ID of the endpoint service. For services like Salesforce Private Connect, you can acquire the service owner account ID using the AWS CLI command: + [source,bash,linenums] ---- 
@@ -126,14 +124,14 @@ aws ec2 describe-vpc-endpoint-services --service-names {your-service-name} --reg + The account ID is in the *Owner* field. ... `amazon`, if it's an Amazon service. -.. Availability Zone IDs: the IDs of the availability zones where you want to establish the private link. +.. Availability Zone IDs: The IDs of the availability zones where you want to establish the private link. + -Make sure that the availability zone IDs are the ones used by the private space obtained in <<_configure_the_outbound_connections, Configure the Outbound Connections>>, and that the VPC endpoint service is hosted in those availability zones. +Check that the AZ IDs match those obtained in <<_configure_the_outbound_connections, Configure the Outbound Connections>>, and verify the VPC endpoint service uses those AZs. + Alternatively, specify `countOfAzs` with an integer value to have the backend service automatically assign the required number of availability zones. Provide either `azIds` or `countOfAzs`, not both. -. Create a VPC endpoint in CloudHub 2.0 via API: +. Create a VPC endpoint in CloudHub 2.0 via API. + -Here are specific examples for different service types: +See these specific examples for different service types: AWS S3 Endpoint:: + From 94807bcbc7a0e571c09503fb9b3fe81279d2aba7 Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Thu, 20 Nov 2025 14:13:26 -0300 Subject: [PATCH 31/33] Update ps-outbound-private-link.adoc --- cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 4bd9e772..98452de8 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
@@ -86,6 +86,7 @@ Salesforce Private Connect:: + Salesforce Private Connect requires activation as an add-on. After activation: + +[#] . In Salesforce, go to *Setup*, enter *Private Connect* in the *Quick Find* box, and select *Private Connect*. . On the *Private Connect* page, click *AWS Regions* to reveal available regions. . Select the AWS region that matches your private space region. @@ -95,6 +96,7 @@ Custom Services (Self-Hosted):: + To prepare custom services: + +[#] . Deploy your service in at least one private space AZ. For high availability, configure 2 AZs. . Expose the service via a network load balancer or application load balancer. . https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create an endpoint service] following AWS guidance. From 52620edd98383d19ca46683474fd7550eae3608d Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Thu, 20 Nov 2025 14:16:35 -0300 Subject: [PATCH 32/33] Update ps-outbound-private-link.adoc --- .../ROOT/pages/ps-outbound-private-link.adoc | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index 98452de8..c7fc9263 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc 
@@ -87,21 +87,21 @@ Salesforce Private Connect:: Salesforce Private Connect requires activation as an add-on. After activation: + [#] -. In Salesforce, go to *Setup*, enter *Private Connect* in the *Quick Find* box, and select *Private Connect*. -. On the *Private Connect* page, click *AWS Regions* to reveal available regions. -. Select the AWS region that matches your private space region. -. Copy the service name for later use. +.. In Salesforce, go to *Setup*, enter *Private Connect* in the *Quick Find* box, and select *Private Connect*. +.. On the *Private Connect* page, click *AWS Regions* to reveal available regions. +.. Select the AWS region that matches your private space region. +.. Copy the service name for later use. Custom Services (Self-Hosted):: + To prepare custom services: + [#] -. Deploy your service in at least one private space AZ. For high availability, configure 2 AZs. -. Expose the service via a network load balancer or application load balancer. -. https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create an endpoint service] following AWS guidance. -. Set *Acceptance required* to *Yes* to prevent unauthorized connections. -. Optionally, configure a private DNS name for your service. CloudHub 2.0 private space automatically picks up the private DNS and makes it available to Mule applications. +.. Deploy your service in at least one private space AZ. For high availability, configure 2 AZs. +.. Expose the service via a network load balancer or application load balancer. +.. https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create an endpoint service] following AWS guidance. +.. Set *Acceptance required* to *Yes* to prevent unauthorized connections. +.. Optionally, configure a private DNS name for your service. CloudHub 2.0 private space automatically picks up the private DNS and makes it available to Mule applications. 
+ [NOTE] If the service is hosted in the same region as the private space, set up the services in the same availability zone as the private space obtained in <<_configure_the_outbound_connections, Configure the Outbound Connections>>. For cross-region services, you don't need AZ alignment. Validation for cross-region connectivity isn't yet complete; its success depends on the configuration. From c9be8b1f568d8538f629e72a2f27329a90ad7727 Mon Sep 17 00:00:00 2001 From: Luana Dos Santos <84200607+luanamulesoft@users.noreply.github.com> Date: Thu, 20 Nov 2025 14:24:35 -0300 Subject: [PATCH 33/33] Update ps-outbound-private-link.adoc --- .../ROOT/pages/ps-outbound-private-link.adoc | 38 ++++++++++--------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc index c7fc9263..7f6b96ce 100644 --- a/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc +++ b/cloudhub-2/modules/ROOT/pages/ps-outbound-private-link.adoc @@ -106,7 +106,7 @@ To prepare custom services: [NOTE] If the service is hosted in the same region as the private space, set up the services in the same availability zone as the private space obtained in <<_configure_the_outbound_connections, Configure the Outbound Connections>>. For cross-region services, you don't need AZ alignment. Validation for cross-region connectivity isn't yet complete; its success depends on the configuration. + -. Share the VPC endpoint services with your CloudHub 2.0 private space. +. Share the VPC endpoint services with your CloudHub 2.0 private space: .. https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html[Configure an endpoint service]. .. From VPC *Endpoint services*, select *Allow principals*. Add `arn:aws:iam::{accountId}:root` as principal. + 
@@ -266,21 +266,21 @@ Example output: ] ---- -=== AWS S3 Service - +AWS S3 Service:: ++ Because AWS manages these services, it establishes the connection automatically. -=== Salesforce Private Connect - +Salesforce Private Connect:: ++ To establish the Private Connect connection, retrieve the endpoint ID using this API command: - ++ [source,curl,linenums] ---- curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpce-id} -H "Authorization:bearer {your-token}" ---- - ++ Example output: - ++ [source,json,linenums] ---- { @@ -303,27 +303,28 @@ Example output: ] } ---- - ++ The endpoint status shows *Pending Acceptance*. Complete the connection: - ++ +[#] . Note the `awsId` from the endpoint. . Go to Private Connect and click *create inbound connections*. . Select *AWS* and configure the connection using the `awsId` (VPC Endpoint ID). . Click *Save*. - ++ Within a few minutes, the endpoints sync and the status changes to *Ready* in Private Connect and *Available* in CloudHub 2.0. -=== Custom Services - +Custom Services:: ++ Fetch the endpoint information: - ++ [source,curl,linenums] ---- curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/vpces/{vpce-id} -H "Authorization:bearer {your-token}" ---- - ++ Example output: - ++ [source,json,linenums] ---- { @@ -344,9 +345,10 @@ Example output: ] } ---- - ++ The custom service VPC endpoint status shows *Pending Acceptance*. Accept the connection: - ++ +[#] . In the AWS console go to *VPC* > *Endpoint Services*. . Select your service and open the *Endpoint Connection* tab. . Verify the *Endpoint ID* and *Owner* match your private space in CloudHub 2.0.
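Review bot: the `+[#]` lines added before the ordered lists in the `@@ -86,6 +86,7 @@`, `@@ -95,6 +96,7 @@`, `@@ -303,27 +303,28 @@` and `@@ -344,9 +345,10 @@` hunks are a block attribute list with an empty shorthand id, which creates no usable anchor and is not the AsciiDoc mechanism for restarting numbering or detaching a list from the preceding block. If the goal is a link target, name the anchor (e.g. `[#private-connect-activation]`); if the goal is to break list continuation, a blank line or a `//` comment does that and leaves no stray attribute behind.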
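Review bot: in the `@@ -106,7 +106,7 @@` hunk, the step `Add arn:aws:iam::{accountId}:root as principal` should state which AWS account `{accountId}` refers to, because an account-root principal allows any endpoint created from that account to request a connection; the `Acceptance required` = `Yes` setting a few lines earlier and the later Endpoint ID / Owner check are what actually gate the connection, so a short sentence tying the three together (allow principal, require acceptance, verify before accepting) would make the security model explicit rather than spread across the page.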
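Review bot: the `@@ -266,21 +266,21 @@` and `@@ -303,27 +303,28 @@` hunks replace the `=== AWS S3 Service`, `=== Salesforce Private Connect` and `=== Custom Services` headings with description-list terms, which removes the auto-generated section ids those headings had. Since the page already cross-references by auto-generated id (`<<_configure_the_outbound_connections, Configure the Outbound Connections>>`), any existing xref to `_aws_s3_service`, `_salesforce_private_connect` or `_custom_services` will now break; please grep for those ids, and consider giving the surviving headings explicit anchors (`[[configure-the-outbound-connections]]`) so later heading edits don't silently break links.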
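Review bot: the `[source,curl,linenums]` blocks in the `@@ -266,21 +266,21 @@` and `@@ -303,27 +303,28 @@` hunks embed the bearer token as a literal (`-H "Authorization:bearer {your-token}"`), which encourages pasting the token straight into a command line where it lands in shell history and process listings; suggest `-H "Authorization: Bearer $AUTHTOKEN"` with a note to export the variable first. Minor: `curl` is not a syntax-highlighter language, so `[source,bash,linenums]` is the usual choice for these blocks.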
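Review bot: in the `@@ -344,9 +345,10 @@` hunk, the acceptance steps say to `Verify the Endpoint ID and Owner match your private space` but not what to do when they don't; since acceptance is the control that `Acceptance required` = `Yes` was set up for, add an explicit instruction to reject a pending connection whose Endpoint ID or Owner account does not match the values returned by the `vpces/{vpce-id}` API call shown just above.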
