Network Integration
urn:js:virtue:aspire:proposal:16.1
TL;DR
Preferred options for VPC peering or VPN solutions.
Rationale
Where a third-party vendor presents a robust public-facing API and also offers some form of VPC peering or VPN solution, the preferred options are ranked as follows. Note that this ranking is only valid when the vendor really does have a legitimate, robust public-facing API.
1. (Best) Traffic via the robust API, with network controls that restrict exposure of that API without needing IP whitelisting. AWS PrivateLink is an example.
2. Traffic via the robust API, with IP whitelisting to restrict access to that API.
3. Traffic via the robust API, with VPC peering or VPN.
4. Traffic via the robust API, without IP whitelisting.
5. (Worst) Any option which doesn't use a robust API.
Maintain network integrations that are sustainable, robust, secure and scalable.
Reduce friction on third-party integrations.
Implications
- 1, 2 and 3 are effectively equally secure: all three carry encrypted, authenticated traffic from restricted sources. 2 uses the public internet, but because the traffic goes via a robust API it is adequately encrypted.
- 5 is the worst option: because it doesn't use a robust API, it isn't safe enough to prefer for third-party integrations.
- 2 is preferable to 3 because setting up VPC peering or a VPN while still using the robust API, without creating any security holes, takes some extra time, though it may not be much more.
- 1 is preferable to 2 because it doesn't require the inconvenient management of IP addresses.