Connectivity models

The data plane can be connected to private environments for:

1 - Backend consumption of the public gateway pool, as shown in diagram 1:

[Diagram 1: public gateway]

2 - Consumption of the private gateway pool, as shown in diagram 2:

[Diagram 2: private gateway]

A gateway pool cannot be public and private at the same time.

Supported connectivity models

  • Allow list (Default)

    • Positive aspects

      • Most recommended model due to practicality and resilience.

      • Each data plane has at least 2 fixed output IPs. These IPs can/should be used for customer-side firewall controls.

      • To further enhance security, an mTLS strategy can be used between the gateways and the backend.

      • Cost already included in standard offers.

    • Limitations

      • Backends must be reachable from the public gateway egress IPs; a backend that is not exposed through a proxy or similar technology cannot be accessed.

The diagram below represents connectivity through Allow list:

[Diagram: Allow list connectivity]

  • VPN (on request)

    • Positive aspects

      • Model with private access.

    • Attention points

      • Shared responsibility.

      • The SLA is different for VPN environments, given the high incidence of problems.

      • Higher cost of configuration, maintenance and troubleshooting.

    • Limitations

      • Each data plane can be connected to up to 4 networks, limited to 8190 IPs.

      • Currently, BGP is not supported.

The diagram below represents connectivity through VPN:

[Diagram: VPN connectivity]

  • VPC Peering (on request)

    • Positive aspects

      • Stability and resilience.

      • Simplified setup.

    • Attention points

      • Offer available only to customers whose backend is also allocated on AWS.

    • Limitations

      • Each data plane can be connected to up to 4 networks, limited to 8190 IPs.

The diagram below represents connectivity through VPC Peering:

[Diagram: VPC Peering connectivity]

  • Transit Gateway (on request)

    • Positive aspects

      • Possibility to access backends through a private link.

      • No need to use VPN.

      • Greater communication flexibility between VPCs.

      • Within AWS limits, regarding Transit Gateway and connectivity, essential points are adjustable.

      • For more information, see the AWS Transit Gateway Limits documentation.

    • Attention points

      • Customer must share AWS Transit Gateway using their Sensedia account.

      • Routes need to be created on both the Sensedia side and the customer side.

      • AWS billing applies on both sides (customer and Sensedia), because AWS charges per VPC attached to the AWS Transit Gateway.

    • Limitations

The diagram below represents connectivity through Transit Gateway:

[Diagram: Transit Gateway connectivity]

For more information on the process of establishing connectivity using AWS Transit Gateway, visit this link.
  • Direct Connect (on request)

    • Positive aspects

      • Possibility to access backends through a private link.

    • Attention points

      • Cost.

      • Shared responsibility model between Sensedia, customer and link provider.

    • Limitations

      • Each data plane can be connected to up to 4 networks, limited to 8190 IPs.

The diagram below represents connectivity through Direct Connect:

[Diagram: Direct Connect connectivity]

Networks above 8190 hosts (/19) are not supported.
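The network limits stated above for VPN, VPC Peering and Direct Connect (up to 4 networks per data plane, none larger than 8190 hosts, i.e. a /19) can be checked before a connectivity request is opened. The validator below is an added example, not Sensedia's tooling; it assumes IPv4 networks and adds an overlap check between the submitted networks, which the page does not state but which routed private connectivity generally requires.

```python
import ipaddress

# Limits taken from the page: up to 4 networks per data plane, each with at
# most 8190 usable hosts (a /19). The overlap check is an added assumption.
MAX_NETWORKS = 4
MAX_HOSTS = 8190


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Usable host addresses: network and broadcast are excluded for /30 and larger blocks."""
    return net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses


def validate_networks(cidrs):
    """Return a list of problems; an empty list means the set fits the stated limits."""
    problems = []
    nets = []
    for cidr in cidrs:
        try:
            # strict=True rejects host bits set in the prefix (e.g. 10.0.0.1/24)
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: not a valid network ({exc})")
            continue
        if net.version != 4:
            problems.append(f"{cidr}: only IPv4 networks are handled here (assumption)")
            continue
        hosts = usable_hosts(net)
        if hosts > MAX_HOSTS:
            problems.append(f"{cidr}: {hosts} hosts exceeds {MAX_HOSTS} (/19)")
        nets.append(net)
    if len(nets) > MAX_NETWORKS:
        problems.append(f"{len(nets)} networks exceeds the limit of {MAX_NETWORKS}")
    # Added check: overlapping networks cannot be routed unambiguously
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # Constructed sample request: a full /19 plus a /24 is within limits
    print(validate_networks(["10.10.0.0/19", "10.20.0.0/24"]))
```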
  • Private link (on request)

    • Positive aspects

      • Facilitates communication between components on AWS.

      • Ensures private access with high resiliency.

      • For more information, see official AWS documentation.

    • Negative aspects

      • Requires exposure through NLB on the customer side.

    • Private DNS name

      • As per the AWS documentation, it is possible to use a name with a custom domain (<service>.customer.com.br, for example) in the endpoint service. This name is considered private because AWS registers it in a DNS zone local to the VPCs connected to the endpoint service.

      • The advantage is being able to consolidate the service exposure under a unique name for different service consumers.

      • For customers wishing to use this functionality, it is necessary to enable and validate the endpoint service to use the selected name. Once configured, the customer must open a ticket with Sensedia support, requesting the activation of the private DNS name and providing the relevant endpoint service information.

    • Limitations

      • Up to 4 VPC endpoints (powered by AWS Private link) are supported per data plane.

The diagram below represents connectivity using VPC endpoint powered by AWS Private link:

[Diagram: VPC endpoint powered by AWS Private link]

Additionally, it is possible to use the same VPC endpoint associated with the same load balancer, with multiple ports and target groups. The diagram below represents this model:

[Diagram: VPC endpoint with a shared load balancer, multiple ports and target groups]