
PrivateLink connections

To keep your data secure, you can set up private access to your applications without exposing them to the public Internet. Instead, you can access your applications over AWS PrivateLink, using private IP addresses.

Note:

Access to Outbound PrivateLink connections is limited to users participating in the Platform Packaging and Pricing model.

You can connect your Guidewire Cloud applications to external systems in two ways:

  • Inbound connections

    Inbound connections originate outside your network.

    External systems access Guidewire Cloud through APIs. For example, users log into the InsuranceSuite web interface, or an external system like Salesforce calls Guidewire Cloud APIs.

    For details on how to create inbound AWS PrivateLink connections, see AWS PrivateLink (Ingress).

  • Outbound connections

    Outbound connections originate inside your network.

    Guidewire Cloud applications connect to external services. This includes third-party tools and your own internal systems.

    For details on how to create outbound AWS PrivateLink connections, see Manage outbound connections.

Supported apps, tools, and services

By default, Cloud Platform apps, tools, and services are accessible only through the public Internet. You can configure AWS PrivateLink connections for the following apps, tools, and services:

  • Inbound connections

    • Access to the APIs of InsuranceSuite apps, Integration apps, Bitbucket, and TeamCity.

    • Connection to the Read Replica instance.

      Access to Read Replica instances is available only through the AWS PrivateLink connection. Access through the public Internet isn't supported.

  • Outbound connections

    • Integrations from the InsuranceSuite and Integration apps to services running in your Amazon Virtual Private Cloud (Amazon VPC).

Access to other services, including Guidewire Home tools, is available only through the public Internet.

You can configure outbound connections for the following applications:

  • InsuranceSuite
  • Integration Gateway Apps

When you create a PrivateLink outbound connection for a planet, it applies to both InsuranceSuite and Integration Apps configured on this planet.

For details on how to create a PrivateLink connection, see Create an outbound connection.

Limitations

Before configuring PrivateLink connections, you need to consider the following limitations:

  • PrivateLink connections can be created only when your network and the Guidewire network are in the same AWS region and at least one Availability Zone (AZ) is shared between the GWCP VPC and your PrivateLink endpoint service. For details on how to check Availability Zones, see Check infrastructure information.

  • You can use up to three unique PrivateLink endpoint services for each star system.

  • You can use PrivateLink endpoint services in dev, pre-prod, and prod star systems.

  • For each planet, you can create up to 20 connections.

Prerequisites

Before you create a PrivateLink outbound connection:

  • Create the PrivateLink Endpoint Service in your VPC.

    For details, see Endpoint service in AWS documentation.

  • Make your endpoint services available to Guidewire.

    Add the permissions that allow the Guidewire AWS principal to connect to your endpoint service. A permitted AWS principal connects privately to your endpoint service by creating a VPC endpoint. For details on how to find the Guidewire AWS principal, see Check infrastructure information.

    Include the Guidewire subnet CIDRs in your IP allowlist, because Guidewire sends requests from those IP addresses. For details on how to check the Guidewire subnet CIDRs, see Check infrastructure information.

    Accept the endpoint connection request from Guidewire. For details, see Accept or reject connection requests in AWS documentation.
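The following pre-flight checker is an added example, not Guidewire's or AWS's own code. It turns the limitations and prerequisites above into a check you can run before you raise the connection request: same region, at least one shared Availability Zone, the Guidewire principal present in the endpoint service permissions, every Guidewire subnet CIDR covered by your IP allowlist, and the per-star-system and per-planet limits. The data classes, field names, principal ARN, CIDRs and AZ IDs are constructed placeholders; substitute the values shown on your Check infrastructure information page. It compares AZ IDs (such as use1-az1) rather than AZ names, because AWS maps AZ names to physical zones independently for each account.

```python
"""Pre-flight checker for a Guidewire Cloud outbound PrivateLink connection.

Added example; not Guidewire's or AWS's code. Every value below is a
constructed placeholder standing in for what Guidewire shows under
"Check infrastructure information" and for your own endpoint service.
"""
from dataclasses import dataclass
import ipaddress

# Limits stated on the page.
MAX_ENDPOINT_SERVICES_PER_STAR_SYSTEM = 3
MAX_CONNECTIONS_PER_PLANET = 20
SUPPORTED_STAR_SYSTEMS = {"dev", "pre-prod", "prod"}


@dataclass
class GuidewireSide:
    """Values Guidewire publishes for your planet (constructed shape)."""
    region: str
    az_ids: set          # AZ IDs (e.g. use1-az1), which are stable across accounts; AZ names are not
    principal_arn: str   # the AWS principal Guidewire creates the VPC endpoint from
    subnet_cidrs: list   # Guidewire subnet CIDRs that requests originate from


@dataclass
class EndpointService:
    """Your VPC endpoint service as you configured it (constructed shape)."""
    service_name: str
    region: str
    az_ids: set
    allowed_principals: set     # endpoint service permissions
    allowlisted_cidrs: list     # CIDRs your security group / target rules admit
    acceptance_required: bool = True


def check_endpoint_service(gw: GuidewireSide, svc: EndpointService) -> list:
    """Return human-readable problems; an empty list means the service is ready."""
    problems = []
    if gw.region != svc.region:
        problems.append(f"{svc.service_name}: region {svc.region} differs from Guidewire region {gw.region}")
    if not gw.az_ids & svc.az_ids:
        problems.append(f"{svc.service_name}: no Availability Zone shared with the GWCP VPC")
    if gw.principal_arn not in svc.allowed_principals:
        problems.append(f"{svc.service_name}: Guidewire principal {gw.principal_arn} is not permitted")
    allowed = [ipaddress.ip_network(c) for c in svc.allowlisted_cidrs]
    for cidr in gw.subnet_cidrs:
        net = ipaddress.ip_network(cidr)
        # subnet_of() only compares networks of the same IP version
        if not any(net.subnet_of(a) for a in allowed if a.version == net.version):
            problems.append(f"{svc.service_name}: Guidewire subnet {cidr} is not in the IP allowlist")
    if not svc.acceptance_required:
        problems.append(f"{svc.service_name}: acceptance is disabled, so permitted principals connect without review")
    return problems


def check_limits(planned: dict) -> list:
    """planned maps star system -> {planet -> [endpoint service names]} (constructed shape)."""
    problems = []
    for star_system, planets in planned.items():
        if star_system not in SUPPORTED_STAR_SYSTEMS:
            problems.append(f"{star_system}: PrivateLink is supported only in {sorted(SUPPORTED_STAR_SYSTEMS)}")
        unique_services = {s for services in planets.values() for s in services}
        if len(unique_services) > MAX_ENDPOINT_SERVICES_PER_STAR_SYSTEM:
            problems.append(f"{star_system}: {len(unique_services)} unique endpoint services exceeds "
                            f"{MAX_ENDPOINT_SERVICES_PER_STAR_SYSTEM}")
        for planet, services in planets.items():
            if len(services) > MAX_CONNECTIONS_PER_PLANET:
                problems.append(f"{star_system}/{planet}: {len(services)} connections exceeds "
                                f"{MAX_CONNECTIONS_PER_PLANET}")
    return problems


# Constructed sample data; not real Guidewire or AWS identifiers.
GW = GuidewireSide(
    region="us-east-1",
    az_ids={"use1-az1", "use1-az2"},
    principal_arn="arn:aws:iam::111111111111:root",
    subnet_cidrs=["10.10.0.0/24", "10.10.1.0/24"],
)
GOOD_SERVICE = EndpointService(
    service_name="com.amazonaws.vpce.us-east-1.vpce-svc-0example",
    region="us-east-1",
    az_ids={"use1-az2", "use1-az4"},
    allowed_principals={"arn:aws:iam::111111111111:root"},
    allowlisted_cidrs=["10.10.0.0/16"],
)
BAD_SERVICE = EndpointService(
    service_name="vpce-svc-0wrongregion",
    region="us-west-2",
    az_ids={"usw2-az1"},
    allowed_principals=set(),
    allowlisted_cidrs=["10.10.0.0/24"],   # covers only one of the two Guidewire subnets
    acceptance_required=False,
)
PLANNED = {
    "prod": {"planet-a": ["svc-1", "svc-2"], "planet-b": ["svc-3", "svc-4"]},  # 4 unique services
    "sandbox": {"planet-c": ["svc-1"]},                                       # unsupported star system
}

if __name__ == "__main__":
    for problem in check_endpoint_service(GW, BAD_SERVICE) + check_limits(PLANNED):
        print("-", problem)
```

Run it as-is to see the findings for the deliberately misconfigured sample; with your own values, an empty result from both functions means the connection request from Guidewire should succeed once you accept it.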

Recommendations

Guidewire recommends exposing multiple services through an API Gateway in your VPC, which lets you create fewer PrivateLink endpoints.