# Integrating AWS PrivateLink

Firefly integrates with customer-hosted services over **AWS PrivateLink**, giving Firefly secure, private connectivity to internal resources without exposing them to the public internet. This integration applies to any service Firefly needs to reach inside your AWS environment, including APIs, GitHub Enterprise, artifact repositories, container registries, and custom TCP or HTTP services.

All traffic remains private within the AWS backbone and never traverses the public internet.

## Prerequisites

* An AWS account hosting the service you want Firefly to reach.
* Permissions to create a Network Load Balancer, VPC Endpoint Service, and modify security groups in that account.
* A backend service (EC2 instances, ECS tasks, or IPs) already running in the target VPC.
* The following details ready to share with your Firefly contact:
  * **AWS Account ID**
  * **AWS Region** where the service is deployed
  * **VPC ID** hosting the service
  * **Subnet IDs** to be used by the load balancer
  * **Ports and protocols** required (for example, TCP 443, TCP 22)
  * Any **firewall, NAT, or security group restrictions** that may affect connectivity
  * A **preferred internal hostname**, if applicable

## How It Works

In a standard PrivateLink setup, you expose your internal service through a **VPC Endpoint Service**, and Firefly connects to it through an **Interface VPC Endpoint** in Firefly's account.

The high-level flow:

1. **You** put a Network Load Balancer in front of the internal service and publish it as a VPC Endpoint Service.
2. **Firefly** creates an Interface VPC Endpoint that targets your service.
3. **You** approve the endpoint connection request.
4. **Firefly** configures private DNS so Firefly components can reach the service by a stable hostname.

## Customer Setup Procedure

Complete the following steps in your AWS account. Firefly will then handle the corresponding configuration on its side.

### 1. Create a Network Load Balancer

AWS PrivateLink endpoint services must be backed by a load balancer. For most TCP-based services, a Network Load Balancer (NLB) is recommended.

1. In the AWS Console, go to **EC2 > Load Balancers** and click **Create load balancer**.
2. Select **Network Load Balancer** and choose **Internal** for the scheme.
3. Place it in the VPC where your service runs and select the subnets you identified in Prerequisites.
4. Add **listeners** for the required ports (for example, TCP 443).
5. Create **target groups** and register your backend targets (EC2 instances or IPs).
6. Confirm that all targets report as **healthy** before continuing.

### 2. Create a VPC Endpoint Service

Next, publish the load balancer as a VPC Endpoint Service. Acceptance-required mode is recommended for security control.

1. In the AWS Console, go to **VPC > Endpoint Services** and click **Create endpoint service**.
2. Select the **Network Load Balancer** you created in step 1.
3. Enable **Acceptance Required**.
4. Add Firefly's **AWS Account ID** as an allowed principal (your Firefly contact will provide this).
5. Copy the generated **service name** (format: `com.amazonaws.<region>.vpce-svc-xxxxxx`) and send it to your Firefly contact.

## Firefly Setup Procedure

Once Firefly receives your service name and connection details, Firefly will complete the following steps in its own AWS account. You do not need to take direct action during this phase, but the steps are documented here for visibility and audit purposes.

### 1. Create the Interface VPC Endpoint

Firefly will create an **Interface VPC Endpoint** in the appropriate Firefly VPC and region that targets your VPC Endpoint Service name. The endpoint is placed in private subnets and is not associated with any public-facing route.

### 2. Configure Security Groups and Routing

Firefly will attach a dedicated security group to the endpoint that:

* Allows outbound traffic only on the ports and protocols you specified in Prerequisites.
* Restricts inbound access to the specific Firefly components that need to call the service.
* Logs all flow data for audit and troubleshooting.

### 3. Set Up Private DNS

Firefly will create a **Route 53 Private Hosted Zone** entry so that Firefly components can resolve your service by a stable internal hostname (either the hostname you supplied in Prerequisites or a Firefly-generated equivalent). This avoids any dependency on the AWS-generated VPCE DNS name, which can change if the endpoint is recreated.

### 4. Approve the Endpoint Connection

Once Firefly creates the Interface VPC Endpoint, an approval request will appear in your AWS account under **VPC > Endpoint Services > Endpoint Connections**.

1. Locate the pending connection request from Firefly's AWS account.
2. Confirm the requester account ID matches the Firefly account ID shared during Prerequisites.
3. Click **Actions > Accept endpoint connection request**.
4. Verify the connection moves to **Accepted** state.

### 5. Validate Connectivity

After the connection is approved, Firefly will validate end-to-end connectivity using DNS-based access. For example:

```bash
curl -I https://<your-internal-hostname>
```

Your Firefly contact will confirm once validation succeeds and the integration is ready for production traffic.

## Production Cutover and Operations

Once validation is complete:

* Switch production traffic to PrivateLink.
* Monitor the **load balancer health** and **endpoint connection status** from your AWS console.
* No public exposure or routing changes are required after setup is finalized.

If you ever recreate the VPC Endpoint Service or change its service name, notify your Firefly contact so the Interface VPC Endpoint and private DNS on Firefly's side can be updated.

## Features Enabled

* **Private connectivity**: Firefly reaches your internal service without any traffic leaving the AWS backbone.
* **No public exposure**: Your service does not need a public IP, public load balancer, or inbound internet access.
* **Stable DNS resolution**: Firefly components use a fixed internal hostname, decoupled from the underlying VPCE DNS name.
* **Granular access control**: Acceptance-required mode and AWS principal allow-listing ensure only Firefly's account can establish the connection.

## Support

For coordination and validation, share the **VPC Endpoint Service Name** and required details in your shared support thread. Firefly will confirm once the connection and DNS configuration are complete.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.firefly.ai/integrations/aws-privatelink.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.