Private Connect
Private Connect is a Salesforce feature that enables private network connectivity between a Salesforce org and external services (primarily on AWS, with growing support for Azure and GCP) without traffic crossing the public internet.
Definition
Private Connect uses cloud-provider PrivateLink technology to establish private peering between the Salesforce environment and the customer's virtual private cloud, with traffic flowing over the cloud provider's internal network rather than over the public internet.
The result is lower latency, stronger security guarantees, and compliance with network-isolation requirements that prohibit internet-routed traffic for regulated workloads. Private Connect is particularly relevant for financial services, healthcare, and government deployments where data flowing between Salesforce and internal systems must stay off the public internet. It also benefits any organization that has invested in private cloud architecture and wants Salesforce to fit into that model rather than requiring an exception for internet-routed traffic.
The architecture and behavior of Private Connect
The PrivateLink model
AWS PrivateLink (and the equivalent Azure Private Link and Google Private Service Connect) lets a service provider expose a service endpoint inside a customer's virtual private cloud without traversing the internet. The customer accesses the service through a private endpoint in their own VPC, with traffic routed entirely over the cloud provider's internal backbone. Private Connect implements this pattern for Salesforce: a Salesforce-managed endpoint appears in the customer's AWS VPC, and outbound traffic from Salesforce flows through the customer's private network to reach internal systems. The reverse direction works similarly: customer apps can invoke Salesforce APIs via the private endpoint instead of the public salesforce.com endpoint.
Outbound versus inbound traffic
Private Connect supports both directions. Outbound from Salesforce: Apex callouts, External Services, MuleSoft integrations, and any other Salesforce-originating call to a customer-hosted API can be routed through the private endpoint instead of the public DNS. Inbound to Salesforce: REST API, SOAP API, and Bulk API calls from customer systems hit the private endpoint, never traversing the public internet. Each direction is configured separately, and most enterprise deployments enable both for the same set of integration patterns. The configuration creates a single integrated private network connecting the customer's data center, their cloud accounts, and their Salesforce org.
Configuration and Setup
From the Salesforce side, Private Connect is configured through the Setup page (Private Connect). The configuration requires the customer's AWS account number, the VPC details where the private endpoint should be exposed, and any service-specific identifiers. On the customer's AWS side, the customer creates an interface VPC endpoint that connects to the Salesforce-managed service endpoint. DNS resolution is handled either by Route 53 private zones (so the salesforce.com host name resolves to the private endpoint inside the VPC) or by hostname-based routing through API gateway proxies. The configuration takes a few hours of coordination between the Salesforce account team and the customer's network team.
Latency, throughput, and SLA considerations
Private Connect traffic stays within the cloud provider's regional backbone, which has lower and more predictable latency than public internet routing. For latency-sensitive integrations (high-frequency Apex callouts, real-time event-driven workflows), this can be a measurable improvement. Throughput is typically higher and more consistent than public-internet routing, because the path avoids the variable congestion of public peering. Private Connect does not change Salesforce's API rate limits or the underlying SLA on API responsiveness; those remain governed by the standard limits and the org's Salesforce edition. What changes is the network path the traffic takes, not the service guarantees on each end.
Security gains beyond encryption
Encryption (TLS) protects data in transit regardless of whether traffic goes over the public internet or a private connection. The security gains from Private Connect are not primarily about encryption; they are about reducing the attack surface. Traffic on the public internet is observable by every network on the path: the payload is encrypted, but the endpoints, timing, and volume are not, and the public API endpoint itself is reachable from any host on the internet, including would-be man-in-the-middle attackers and surveillance entities. Traffic on a private connection never leaves the cloud provider's backbone, so those parties see nothing, and the endpoint is reachable only from the customer's VPC. Private Connect also takes public DNS out of the resolution path, so spoofing or hijacking of the public DNS record cannot redirect the integration. TLS remains necessary on top of this: the private path limits who can reach or observe the traffic, it does not authenticate the peer, so certificate validation on callouts stays in place. For regulated industries, the combination of TLS plus private routing satisfies network-isolation requirements that TLS alone does not, because those requirements constrain the network path and not only the encryption.
Compatibility with Hyperforce
Private Connect is most useful when both endpoints are in the same cloud region. For Hyperforce-hosted Salesforce orgs running on AWS in a specific region, Private Connect to the customer's AWS account in the same region delivers the strongest benefits: minimal latency, no cross-region transfer cost, no transit through public networks. For customers whose Salesforce org is on a different cloud provider than the destination (Hyperforce on AWS, customer on Azure), Private Connect may still work through inter-cloud private peering arrangements, but the configuration is more complex and the latency picture is less ideal. Salesforce account teams help map the right deployment model based on the customer's cloud strategy.
Operational and cost considerations
Private Connect carries an additional cost: Salesforce charges a per-month fee for the feature, and the customer incurs cloud-provider costs for the private endpoint (typically a small hourly fee plus data transfer). The total cost is meaningful for high-volume integrations but typically much less than the alternative of operating a dedicated MPLS or VPN link between the customer's network and Salesforce. Operationally, Private Connect requires coordination between the network team (managing VPC and DNS), the Salesforce admin (configuring the Setup page), and the integration team (validating that traffic actually flows through the private path). Most enterprises stand up a center-of-excellence team to coordinate these moving parts.
Stand up Private Connect for a Salesforce org
Setting up Private Connect spans Salesforce-side and customer-side work, with a coordination point between the two. The workflow below assumes the customer already has an AWS account with appropriate VPC infrastructure and that the Salesforce account team is engaged. Plan for at least two to four weeks of elapsed time from kickoff to a fully validated production setup, even though the active configuration work itself is measured in hours.
- Engage the Salesforce account team and define scope
Open a conversation with the Salesforce account team to confirm Private Connect availability for your org's region and the specific services you want to enable. Define the in-scope integrations: outbound callouts to specific internal APIs, inbound calls from specific customer-side systems, or both. Capture the technical requirements: VPC details, target host names, expected traffic volume, latency expectations. The account team will provide a Salesforce-side configuration package and any necessary commercial paperwork (contract amendment, statement of work).
- Configure the AWS side
On the AWS account, create an interface VPC endpoint that connects to the Salesforce-managed service endpoint provided by the account team. Configure the endpoint with the right subnet associations, security groups, and DNS settings. For DNS-based routing, configure Route 53 private hosted zones to resolve Salesforce host names to the private endpoint inside the VPC. Test connectivity from a sample EC2 instance in the VPC to confirm the endpoint resolves correctly and is reachable. Capture the endpoint ARN for the Salesforce-side configuration.
- Configure the Salesforce side
From Setup, navigate to Private Connect. Add the customer's AWS account number, VPC endpoint ARN, and any host name mappings. Save the configuration. Salesforce establishes the private peering between the org and the customer's VPC. Verify the connection state shows Active in the Setup page. Test by running a sample Apex callout from anonymous execution and confirming it routes through the private endpoint (visible in the AWS VPC flow logs). Iterate the configuration if any pieces do not match.
- Validate and promote to production traffic
Run the full integration test suite against the private endpoint to confirm every integration works as expected. Compare latency and throughput metrics against the public-routed baseline. Update any hardcoded DNS or URL configurations in customer-side integrations to use the private host names where applicable. Communicate the change to integration owners and ops teams. Monitor for the first two weeks to confirm no integrations regressed due to the network change. Update the org's network architecture documentation with the Private Connect setup details.
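The validation steps above rely on VPC flow logs to prove that traffic actually took the private path. The script below is an added example (not Salesforce or AWS tooling) of that check: it parses flow log records in the default version-2 field order, flags any HTTPS flow that left the VPC for a non-RFC 1918 address instead of touching the interface endpoint's ENI, and returns a summary. The endpoint IPs, account number, ENI ids, and log lines are all constructed for the demo; 203.0.113.10 is a documentation-range placeholder standing in for a public API address.

```python
"""Validate from VPC flow logs that API traffic used the private endpoint.

Added example for the validation step above; it is not Salesforce or AWS
tooling. It assumes the default (version 2) VPC flow log field order and that
the ENI private IPs of the interface endpoint are known. Every address and log
line below is constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass

# Field order of the default (version 2) VPC flow log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# RFC 1918 ranges: anything outside them is treated as internet-routed.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: private IPs of the interface endpoint's ENIs in the customer VPC.
ENDPOINT_IPS = ("10.0.1.25", "10.0.2.37")

# Constructed sample: one flow via the endpoint, one to a public address
# (203.0.113.10 is a documentation-range placeholder, not a Salesforce IP),
# one internal HTTPS flow that is irrelevant, and one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0aaa111 10.0.3.14 10.0.1.25 51234 443 6 20 4500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb222 10.0.3.14 203.0.113.10 51240 443 6 12 3100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb222 10.0.3.14 10.0.3.99 51250 443 6 5 800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb222 - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass(frozen=True)
class Flow:
    interface_id: str
    src: str
    dst: str
    srcport: int
    dstport: int
    action: str


def parse_flow_log(text):
    """Parse version-2 records; drop malformed lines and NODATA/SKIPDATA records."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        flows.append(Flow(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                          int(rec["srcport"]), int(rec["dstport"]), rec["action"]))
    return flows


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def classify(flows, endpoint_ips=ENDPOINT_IPS, api_port=443):
    """Split API flows into those touching the endpoint ENI and those that went public."""
    endpoints = {ipaddress.ip_address(ip) for ip in endpoint_ips}
    via_private, via_public = [], []
    for f in flows:
        if api_port not in (f.srcport, f.dstport):
            continue
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src in endpoints or dst in endpoints:
            via_private.append(f)
        elif not (is_rfc1918(src) and is_rfc1918(dst)):
            via_public.append(f)  # left the VPC: the private path was bypassed
    return via_private, via_public


def summarize(text, endpoint_ips=ENDPOINT_IPS):
    """Return counts plus the public flows, which should be empty once cut over."""
    via_private, via_public = classify(parse_flow_log(text), endpoint_ips)
    return {"private": len(via_private), "public": len(via_public),
            "bypassed": [(f.src, f.dst, f.dstport) for f in via_public]}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feed it the flow log export for the subnets hosting the integration instances during the two-week monitoring window; any non-zero "public" count after cut-over points at a host still resolving the public name, which is exactly the DNS failure mode described above.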
Caveats to keep in mind:
- Private Connect is region-specific. Cross-region traffic does not benefit and may require additional setup or fall back to public routing.
- DNS configuration is the most common failure point. If the Route 53 private zone is not set up correctly, traffic still resolves to public DNS and bypasses the private endpoint.
- The feature carries a separate license fee. Confirm cost with the account team before assuming Private Connect is available.
- Some Salesforce features (Einstein AI, Marketing Cloud) may not yet route through Private Connect. Check the current product coverage before assuming a workload is supported.
- Sandbox environments may not have Private Connect enabled by default. Production setup is what matters; sandbox testing may require public routing as a fallback.
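Because DNS is the most common failure point, the resolution test from the sample EC2 instance is worth scripting. The following is an added example, not Salesforce's or AWS's own tooling: it resolves each Salesforce host name and checks whether every returned address falls inside the VPC CIDR (private hosted zone answering), none does (public DNS still in use), or only some do (a stale record mixed in). It must run from inside the VPC, since a Route 53 private hosted zone only answers queries from associated VPCs. The host names, the VPC CIDR, and the fake resolver's answers are constructed placeholders so the demo runs offline; swap in the default resolver for a real check.

```python
"""Check that Salesforce host names resolve to the private endpoint, not public DNS.

Added example for the DNS caveat above; not Salesforce's or AWS's tooling.
Run it from a host inside the VPC (the Route 53 private hosted zone only
answers queries from associated VPCs). The host names, VPC CIDR and the fake
resolver's answers below are constructed placeholders.
"""
import ipaddress
import socket

# Constructed: the VPC CIDR that the interface endpoint's ENIs live in.
VPC_CIDRS = ("10.0.0.0/16",)


def resolve(hostname):
    """Default resolver: every address the OS resolver returns for TCP/443."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443)})


def check_private_resolution(hostname, vpc_cidrs=VPC_CIDRS, resolver=resolve):
    """Return (verdict, addresses); verdict is 'private', 'public', 'mixed' or 'unresolved'.

    'public' means the private hosted zone is not answering and traffic will go
    to the public endpoint; 'mixed' means some records still point outside the VPC.
    """
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    try:
        addrs = resolver(hostname)
    except OSError:  # socket.gaierror is an OSError subclass
        return "unresolved", []
    if not addrs:
        return "unresolved", []
    inside = [a for a in addrs if any(ipaddress.ip_address(a) in n for n in nets)]
    if len(inside) == len(addrs):
        return "private", addrs
    if not inside:
        return "public", addrs
    return "mixed", addrs


def run_checks(hostnames, vpc_cidrs=VPC_CIDRS, resolver=resolve):
    """Check each host name; cut-over is only safe when every verdict is 'private'."""
    return {h: check_private_resolution(h, vpc_cidrs, resolver) for h in hostnames}


# Constructed stand-in for DNS so the demo runs offline: one host answered by
# the private zone, one still on public DNS (198.51.100.7 is a documentation
# address), and one with a stale public record mixed in.
FAKE_DNS = {
    "example-org.my.salesforce.com": ["10.0.1.25", "10.0.2.37"],
    "public-only.example.invalid": ["198.51.100.7"],
    "stale-record.example.invalid": ["10.0.1.25", "198.51.100.7"],
}


def fake_resolve(hostname):
    """Constructed resolver: answers from FAKE_DNS, NXDOMAIN-style error otherwise."""
    if hostname not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {hostname}")
    return list(FAKE_DNS[hostname])


if __name__ == "__main__":
    hosts = list(FAKE_DNS) + ["missing.example.invalid"]
    for host, (verdict, addrs) in run_checks(hosts, resolver=fake_resolve).items():
        print(f"{verdict:10} {host} -> {addrs}")
```

Run it once before the Route 53 change (expect "public" everywhere), once after (expect "private" everywhere), and again from each subnet that hosts integration workloads, since private hosted zone association and resolver settings are per VPC and a subnet using a different resolver will silently fall back to public DNS.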
Trust & references
Straight from the source - Salesforce's reference material on Private Connect.
- Private Connect (Salesforce Help)
- AWS PrivateLink Documentation (AWS)
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.
Test your knowledge
Q1. What is Private Connect?
Q2. Why use Private Connect?
Q3. What technology does it use?