
Stand up Private Connect for a Salesforce org

Setting up Private Connect spans Salesforce-side and customer-side work, with a coordination point between the two. The workflow below assumes the customer already has an AWS account with appropriate VPC infrastructure and that the Salesforce account team is engaged. Plan for at least two to four weeks of elapsed time from kickoff to a fully validated production setup, even though the active configuration work itself is measured in hours.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary · Last updated May 19, 2026

  1. Engage the Salesforce account team and define scope

    Open a conversation with the Salesforce account team to confirm Private Connect availability for your org's region and the specific services you want to enable. Define the in-scope integrations: outbound callouts to specific internal APIs, inbound calls from specific customer-side systems, or both. Capture the technical requirements: VPC details, target host names, expected traffic volume, latency expectations. The account team will provide a Salesforce-side configuration package and any necessary commercial paperwork (contract amendment, statement of work).

  2. Configure the AWS side

    On the AWS account, create an interface VPC endpoint that connects to the Salesforce-managed service endpoint provided by the account team. Configure the endpoint with the right subnet associations, security groups, and DNS settings. For DNS-based routing, configure Route 53 private hosted zones to resolve Salesforce host names to the private endpoint inside the VPC. Test connectivity from a sample EC2 instance in the VPC to confirm the endpoint resolves correctly and is reachable. Capture the endpoint ARN for the Salesforce-side configuration.

  3. Configure the Salesforce side

    From Setup, navigate to Private Connect. Add the customer's AWS account number, VPC endpoint ARN, and any host name mappings. Save the configuration. Salesforce establishes the private peering between the org and the customer's VPC. Verify that the connection state shows Active on the Setup page. Test by running a sample Apex callout from anonymous execution and confirming it routes through the private endpoint (visible in the AWS VPC flow logs). If any values do not match, correct the configuration and test again.

  4. Validate and promote to production traffic

    Run the full integration test suite against the private endpoint to confirm every integration works as expected. Compare latency and throughput metrics against the public-routed baseline. Update any hardcoded DNS or URL configurations in customer-side integrations to use the private host names where applicable. Communicate the change to integration owners and ops teams. Monitor for the first two weeks to confirm no integrations regressed due to the network change. Update the org's network architecture documentation with the Private Connect setup details.

Gotchas
  • Private Connect is region-specific. Cross-region traffic does not benefit and may require additional setup or fall back to public routing.
  • DNS configuration is the most common failure point. If the Route 53 private zone is not set up correctly, traffic still resolves to public DNS and bypasses the private endpoint.
  • The feature carries a separate license fee. Confirm cost with the account team before assuming Private Connect is available.
  • Some Salesforce features (Einstein AI, Marketing Cloud) may not yet route through Private Connect. Check the current product coverage before assuming a workload is supported.
  • Sandbox environments may not have Private Connect enabled by default. Production setup is what matters; sandbox testing may require public routing as a fallback.
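
The DNS check from step 2 and the DNS gotcha above can be automated from an instance inside the VPC. The following is an added example, not part of the original guide or of any Salesforce or AWS tooling: it classifies each host name by whether its resolved addresses fall inside the VPC's CIDR ranges. The host names, the CIDR `10.20.0.0/16` and the sample DNS answers are constructed assumptions.

```python
import ipaddress
import socket

def resolve(host):
    """Ask the instance's own resolver, so Route 53 private zones apply."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def check_private_resolution(hosts, vpc_cidrs, resolver=resolve):
    """Map host -> (verdict, addresses outside the VPC CIDRs).

    'private'    every address is inside the VPC (endpoint is used)
    'public'     no address is inside the VPC (endpoint is bypassed)
    'mixed'      some answers are public, so some connections bypass it
    'unresolved' the name did not resolve or returned a malformed answer
    """
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    report = {}
    for host in hosts:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (OSError, ValueError):  # socket.gaierror is an OSError
            addrs = set()
        if not addrs:
            report[host] = ("unresolved", [])
            continue
        outside = sorted(str(a) for a in addrs
                         if not any(a in n for n in nets))
        verdict = ("private" if not outside
                   else "public" if len(outside) == len(addrs) else "mixed")
        report[host] = (verdict, outside)
    return report

# Constructed DNS answers for hypothetical host names, so this runs offline.
SAMPLE_DNS = {
    "org-a.private.example": {"10.20.1.15", "10.20.2.15"},
    "org-b.private.example": {"203.0.113.10"},
    "org-c.private.example": {"10.20.1.16", "203.0.113.11"},
}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise socket.gaierror("name not known")
    return SAMPLE_DNS[host]

if __name__ == "__main__":
    hosts = list(SAMPLE_DNS) + ["missing.private.example"]
    result = check_private_resolution(hosts, ["10.20.0.0/16"], sample_resolver)
    for host, (verdict, outside) in result.items():
        print(f"{host}: {verdict} {outside}")
```

On a real instance, drop the `sample_resolver` argument so the default `resolve` queries the VPC resolver, and pass the host names and CIDR ranges from your own configuration.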
