Connectivity models

Most recommended model due to practicality and resilience.

Each data plane has at least 2 fixed output IPs. These IPs can/should be used for customer-side firewall controls.

To further enhance security, an mTLS strategy can be used between the gateways and the backend.

Cost already included in standard offers.

It is not possible to access backends without externalization through a proxy or similar technology.

Model with private access, ensuring secure communication between Gateways and Backends.

Shared responsibility between Sensedia and the customer for configuring and maintaining connectivity.

SLA may differ for environments with VPN due to a higher incidence of network issues.

Higher setup, maintenance, and troubleshooting costs.

Communication occurs directly between Gateways and Backends, with no support for outbound NAT.

Gateways operate in an auto-scaling environment, which means that new IPs can be dynamically assigned within the configured range. Therefore, the entire range of IPs allocated to the data plane must be allowed, making it impossible to allocate only specific IPs (e.g., /32).

Each data plane can connect to up to 4 networks, limited to 8190 IPs.

BGP (Border Gateway Protocol) is not supported in the current model.

There is no native support for NAT, which means that the communication between Gateways and Backends always occurs with the Gateways' original IPs.

Stability and resilience.

Simplified setup.

Offer available only to customers whose backend is also allocated on AWS.

Each data plane can be connected to up to 4 networks, limited to 8190 IPs.

Possibility to access backends through a private link.

No need to use VPN.

Greater communication flexibility between VPCs.

Within AWS limits, regarding Transit Gateway and connectivity, essential points are adjustable.

For more information, see the AWS Transit Gateway Limits documentation.

Customer must share AWS Transit Gateway using their Sensedia account.

Need to create routes on the Sensedia side and on the client side.

The AWS billing fee happens on both sides (Customer and Sensedia), as AWS charges per VPC attached to the AWS Transit Gateway, and it happens on both sides.

Each data plane can receive up to 5 unique AWS Transit Gateway attachments.

AWS Transit Gateway limits also apply.

Possibility to access backends through a private link.

Cost.

Shared responsibility model between Sensedia, customer and link provider.

Each data plane can be connected to up to 4 networks, limited to 8190 IPs.

Facilitates communication between components on AWS.

Ensures private access with high resiliency.

For more information, see official AWS documentation.

Requires exposure through NLB on the customer side.

As per the AWS documentation, it is possible to use a name with a custom domain (<service>.customer.com.br, for example) in the endpoint service. This name is considered private because AWS registers it in a DNS zone local to the VPCs connected to the endpoint service.

The advantage is being able to consolidate the service exposure under a unique name for different service consumers.

For customers wishing to use this functionality, it is necessary to enable and validate the endpoint service to use the selected name. Once configured, the customer must open a ticket with Sensedia support, requesting the activation of the private DNS name and providing the relevant endpoint service information.

Up to 4 VPC endpoints (powered by AWS Private link) are supported per data plane.