mulesoft · luanamulesoft · Jul 16, 2025 · Jul 16, 2025 · Jul 16, 2025 · Jul 16, 2025
@@ -0,0 +1,113 @@
+= Setting Up an Outbound Private Link Connection
+
+This document describes the steps to configure and outbbound private link connection from CloudHub 2.0 private spaces.
+
+// Test in QAX
+// Deploy tf-rtfc-iam to STGX
+// tf issue thread: https://salesforce-internal.slack.com/archives/C03UAEK0TNY/p1752180070663329 - deployed to stgx, need CC for prods
+// CC: https://gus.lightning.force.com/lightning/r/Case/500EE00001ZFcLJYA1/view
+// Test in STGX once RTF API and ARC is ready
+
+== Before You Begin
+
+. Provision a xref:ps-create-configure.adoc[private space] in Cloudhub 2.0
+. Obtain a bearer token to be used below for calling APIs
++
+Make sure that the owner of the bearer token has permissions to manage private spaces
+
+== Configure the Outbound Connections
+
+Follow these steps to set up an outbound private link connection from your CloudHub 2.0 private space:
+
+. Gather Private Space Availability Zones and AWS Account Id
+..  Retrieve information about Availability Zones (AZs) for a your private space 
++
+[source,curl,linenums]
+----
+curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/azs -H "Authorization:$AUTHTOKEN"
+----
++
+.. Retrieve information about accounts associated with your private space
++
+[source,curl,linenums]
+----
+curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/organizations/{orgId}/privatespaces/{spaceId}/accounts -H "Authorization:$AUTHTOKEN"
+----
++
+. Set up VPC endpoint services (if self-hosted endpoint services)
+.. https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html[Create a service powered by AWS PrivateLink]
+.. If the service is hosted the same region as the private space, set up the services in the same availability zone as the private space (obtained in he first step here)
+. Share the VPC endpoint Services with your CloudHub 2.0 private space
+.. https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html[Configure an endpoint service]
+.. In the VPC *Endpoint services*, click *Allow principals*
+... Add `arn:aws:iam::{accountId}:root` as principal
++
+The `{accountId}` is obtained in the first step step here
+. Gather this information for the API:
+.. Service Name: the endpoint service name
++
+For example, customer-hosted endpoint service: `com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxxxxxxxx`
++
+For example, AWS hosted service: `com.amazonaws.us-west-2.s3`
+.. Service Region: the region where the VPC endpoint service is located
+.. Service Owner: the owner of the VPC endpoint service
+... Account id of the endpoint service 
+... “amazon”, if it’s an Amazon service
+.. Availability Zone Ids: the id of the availability zones where you wish to establish the private link. Make sure that the AZ Ids are the ones used by the private space (obtained in the first step here), and the VPC endpoint service is hosted in those AZ Ids.
+. Create a VPC endpoint in Cloudhub 2.0 via API
++
+[source,curl,linenums]
+----
+curl -XPOST https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces -H "Authorization:$AUTHTOKEN"  -H "Content-Type:application/json"  -d '{
+	"name": "{any name}",
+	"serviceName": "{service name}",
+	"serviceRegion": "{service region}",
+	"serviceOwner": "{service owner}",
+	"azIds": [{aws-az-id1}, {aws-az-id2}]
+}‘
+----
++
+If the VPC endpoint is successfully created, the API returns a `vpceId`.
+. Get the VPC endpoint status in Cloudhub 2.0 using API
++
+[source,curl,linenums]
+----
+curl -XGET https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" 
+----
++
+.. If successful, it returns the DNS names of the VPC endpoint
+.. It also returns the the provisioning status:
+... `Invalid`: VPCE creation failed
+... `Valid`: VPCE is being provisioned
+... `Available`
+... `PendingAcceptence`
+. Use this command to update a VPC Endpoint:
++
+[source,curl,linenums]
+----
+curl -XPATCH https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces/{vpceId} -H "Authorization:$AUTHTOKEN"  -H "Content-Type:application/json"  -d '{
+	"name": "{any name}",
+	"serviceName": "{service name}",
+	"serviceRegion": "{service region}",
+	"serviceOwner": "{service owner}",
+	"azIds": [{aws-az-id1}, {aws-az-id2}]
+}‘
+----
++
+. Use this command to delete a VPC Endpoint:
+[source,curl,linenums]
+----
+curl -XDELETE https://anypoint.mulesoft.com/runtimefabric/api/{orgId}/privatespaces/{spaceId}/vpces/{vpceid} -H "Authorization:$AUTHTOKEN" 
+----
+
+
+== Limitations
+
+* This configuration supports interface endpoints only
+* This configuration doesn't support CloudHub VPCs or CloudHub 2.0 migrated private spaces
+* You can't perform cross-region validation properly done at the API level. If the endpoint service is invalid, the VPCE provisioning fails.
+
+
+== See Also
+* xref:access-management::saml-bearer-token.adoc[]
+* https://help.salesforce.com/s/articleView?id=001115323&type=1[How to generate your Authorization Bearer token for Anypoint Platform]