Integrating AWS PrivateLink
Firefly integrates with customer-hosted services over AWS PrivateLink, giving Firefly secure, private connectivity to internal resources without exposing them to the public internet. This integration applies to any service Firefly needs to reach inside your AWS environment, including APIs, GitHub Enterprise, artifact repositories, container registries, and custom TCP or HTTP services.
All traffic remains private within the AWS backbone and never traverses the public internet.
Prerequisites
An AWS account hosting the service you want Firefly to reach.
Permissions in that account to create a Network Load Balancer and a VPC Endpoint Service, and to modify security groups.
A backend service (EC2 instances, ECS tasks, or IPs) already running in the target VPC.
The following details ready to share with your Firefly contact:
AWS Account ID
AWS Region where the service is deployed
VPC ID hosting the service
Subnet IDs to be used by the load balancer
Ports and protocols required (for example, TCP 443, TCP 22)
Any firewall, NAT, or security group restrictions that may affect connectivity
A preferred internal hostname, if applicable
How It Works
In a standard PrivateLink setup, you expose your internal service through a VPC Endpoint Service, and Firefly connects to it through an Interface VPC Endpoint in Firefly's account.
The high-level flow:
You put a Network Load Balancer in front of the internal service and publish it as a VPC Endpoint Service.
Firefly creates an Interface VPC Endpoint that targets your service.
You approve the endpoint connection request.
Firefly configures private DNS so Firefly components can reach the service by a stable hostname.
Customer Setup Procedure
Complete the following steps in your AWS account. Firefly will then handle the corresponding configuration on its side.
1. Create a Network Load Balancer
AWS PrivateLink endpoint services must be backed by a load balancer. For most TCP-based services, a Network Load Balancer (NLB) is recommended.
In the AWS Console, go to EC2 > Load Balancers and click Create load balancer.
Select Network Load Balancer and choose Internal for the scheme.
Place it in the VPC where your service runs and select the subnets you identified in Prerequisites.
Add listeners for the required ports (for example, TCP 443).
Create target groups and register your backend targets (EC2 instances or IPs).
Confirm that all targets report as healthy before continuing.
2. Create a VPC Endpoint Service
Next, publish the load balancer as a VPC Endpoint Service. Acceptance-required mode is recommended for security control.
In the AWS Console, go to VPC > Endpoint Services and click Create endpoint service.
Select the Network Load Balancer you created in step 1.
Enable Acceptance Required.
Add Firefly's AWS Account ID as an allowed principal (your Firefly contact will provide this).
Copy the generated service name (format: com.amazonaws.<region>.vpce-svc-xxxxxx) and send it to your Firefly contact.
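Steps 1 and 2 of the customer setup, expressed as Terraform so the internal scheme, acceptance-required mode and the single allowed principal are recorded in code. This is an added example, not Firefly's documentation or code; it assumes the VPC ID, subnet IDs, backend instance IDs and the Firefly AWS account ID are supplied as variables (placeholders: the account ID comes from your Firefly contact).

```hcl
variable "vpc_id"              { type = string }       # VPC hosting the service
variable "subnet_ids"          { type = list(string) } # subnets from Prerequisites
variable "target_instance_ids" { type = list(string) } # backend EC2 instances
variable "firefly_account_id"  { type = string }       # placeholder: provided by Firefly

# Step 1: internal NLB only; never an internet-facing scheme for this path
resource "aws_lb" "firefly_nlb" {
  name               = "firefly-privatelink-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.subnet_ids
}

resource "aws_lb_target_group" "svc" {
  name        = "firefly-privatelink-tg"
  port        = 443
  protocol    = "TCP"
  vpc_id      = var.vpc_id
  target_type = "instance"
}

resource "aws_lb_target_group_attachment" "svc" {
  for_each         = toset(var.target_instance_ids)
  target_group_arn = aws_lb_target_group.svc.arn
  target_id        = each.value
  port             = 443
}

# TCP passthrough: TLS terminates on the backend, so the NLB holds no certificate
resource "aws_lb_listener" "tcp_443" {
  load_balancer_arn = aws_lb.firefly_nlb.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.svc.arn
  }
}

# Step 2: publish it; acceptance required and only Firefly's account may connect
resource "aws_vpc_endpoint_service" "firefly" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.firefly_nlb.arn]
  allowed_principals         = ["arn:aws:iam::${var.firefly_account_id}:root"]
}

# Service name to send to your Firefly contact (com.amazonaws.<region>.vpce-svc-...)
output "firefly_service_name" {
  value = aws_vpc_endpoint_service.firefly.service_name
}
```

After `terraform apply`, the `firefly_service_name` output is the value to share; confirm the target group reports healthy targets before sending it.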
Firefly Setup Procedure
Once Firefly receives your service name and connection details, Firefly will complete the following steps in its own AWS account. You do not need to take direct action during this phase, but the steps are documented here for visibility and audit purposes.
1. Create the Interface VPC Endpoint
Firefly will create an Interface VPC Endpoint in the appropriate Firefly VPC and region that targets your VPC Endpoint Service name. The endpoint is placed in private subnets and is not associated with any public-facing route.
2. Configure Security Groups and Routing
Firefly will attach a dedicated security group to the endpoint that:
Allows outbound traffic only on the ports and protocols you specified in Prerequisites.
Restricts inbound access to the specific Firefly components that need to call the service.
Logs all flow data for audit and troubleshooting.
3. Set Up Private DNS
Firefly will create a Route 53 Private Hosted Zone entry so that Firefly components can resolve your service by a stable internal hostname (either the hostname you supplied in Prerequisites or a Firefly-generated equivalent). This avoids any dependency on the AWS-generated VPCE DNS name, which can change if the endpoint is recreated.
4. Approve the Endpoint Connection
Once Firefly creates the Interface VPC Endpoint, an approval request will appear in your AWS account under VPC > Endpoint Services > Endpoint Connections.
Locate the pending connection request from Firefly's AWS account.
Confirm the requester account ID matches the Firefly account ID shared during Prerequisites.
Click Actions > Accept endpoint connection request.
Verify the connection moves to Accepted state.
5. Validate Connectivity
After the connection is approved, Firefly will validate end-to-end connectivity using DNS-based access. For example:
Your Firefly contact will confirm once validation succeeds and the integration is ready for production traffic.
Production Cutover and Operations
Once validation is complete:
Switch production traffic to PrivateLink.
Monitor the load balancer health and endpoint connection status from your AWS console.
No public exposure or routing changes are required after setup is finalized.
If you ever recreate the VPC Endpoint Service or change its service name, notify your Firefly contact so the Interface VPC Endpoint and private DNS on Firefly's side can be updated.
Features Enabled
Private connectivity: Firefly reaches your internal service without any traffic leaving the AWS backbone.
No public exposure: Your service does not need a public IP, public load balancer, or inbound internet access.
Stable DNS resolution: Firefly components use a fixed internal hostname, decoupled from the underlying VPCE DNS name.
Granular access control: Acceptance-required mode and AWS principal allow-listing ensure only Firefly's account can establish the connection.
Support
For coordination and validation, share the VPC Endpoint Service Name and required details in your shared support thread. Firefly will confirm once the connection and DNS configuration are complete.