AWS PrivateLink
Last updated: December 11, 2024
You can connect to the Checkout.com APIs privately with AWS PrivateLink to improve data security.
AWS PrivateLink enables you to create and establish connections between virtual private clouds (VPCs).
To communicate with the Checkout.com APIs, create a VPC endpoint in your service consumer VPC and connect it to the Checkout.com service provider VPC.
AWS PrivateLink connections are only possible between a subset of AWS Regions. Cross-Region connectivity is available in:
- Asia Pacific (Singapore)
- Asia Pacific (Tokyo)
- Australia (Sydney)
- Europe (Ireland)
- South America (São Paulo)
- US East (Northern Virginia)
- US West (Oregon)
AWS PrivateLink connections use the following base URLs, depending on the environment you want to perform the API call in:
- Live – https://pl-[prefix].api.checkout.com/[path]
- Test – https://pl-[prefix].api.sandbox.checkout.com/[path]
The [prefix] value in the base URL is a string containing the first eight characters of your unique client_id, excluding the cli_ prefix. For example, if your client ID is cli_vkuhvk4vjn2edkps7dfsq6emqm, the base URL for your Live environment is https://pl-vkuhvk4v.api.checkout.com/[path].
The [path] value in the URL represents the resource from the API. For example, payments/{id}.
You can only connect to the api.checkout.com domain with AWS PrivateLink. Traffic to all other Checkout.com domains uses public DNS resolution and is routed to Checkout.com via the internet.
If you require all traffic to pass through AWS PrivateLink, you can override the public DNS name.
Note
Overrides take effect immediately. Do not use them if you need to control the rollout at an application level.
Before you configure the VPC endpoint, you must:
- Set enableDnsHostnames and enableDnsSupport to true in the VPC that establishes a VPC endpoint connection to the Checkout.com VPC service endpoint.
- Contact your Checkout.com Solutions Engineer or Account Manager and provide them with your AWS account ID. We add your ID to our allowlist.
Once you've done this, you can configure your VPC endpoint:
- Sign in to the AWS Console.
- Go to the VPC dashboard.
- Select Endpoints > Create endpoint.
- In the Service category section, select Other endpoint services.
- In Service settings, enter the service name for the environment you are configuring:
- Live environment – com.amazonaws.vpce.eu-west-1.vpce-svc-0952fdb05548049fb
- Test environment – com.amazonaws.vpce.eu-west-1.vpce-svc-0d45d28a6d943b992
- Select Verify service. This step only works if you've provided Checkout.com with your AWS account ID and we've added it to our allowlist.
- Select the VPC you want the endpoint to be created in.
- Copy the endpoint ID. You need this value when you configure the Route 53 hosted zone.
Information
Your new endpoint appears in the VPC endpoints page with Pending acceptance status. When Checkout.com accepts the connection, the status updates.
Next, configure the Route 53 hosted zone:
- Sign in to the AWS Console.
- Go to the Route 53 Services page and select Create hosted zone.
- In the Domain name field, enter your unique base URL. For example, https://pl-vkuhvk4v.api.checkout.com.
- Associate the hosted zone with the VPC you want to enable AWS PrivateLink connectivity for.
- In your new hosted zone, create a new record.
- Leave the Record name field empty.
- Set the Record type to A - Routes traffic to an IPv4 address and some AWS resources.
- Set the Route traffic to field to Alias to VPC endpoint.
- Set the endpoint to the VPC endpoint you configured. Ensure you select the endpoint that does not contain a region within the ID. For example, eu-west.
- Select the Simple routing policy.
- Enable Evaluate target health.
- Select Create records.
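The endpoint and hosted zone steps above, scripted with the AWS CLI as an added example that is not Checkout.com's own tooling: it derives the pl-[prefix] hostname from a client_id, requests the endpoint against the service names listed above, and, once Checkout.com has accepted the connection, creates the private hosted zone and the alias A record. The VPC, subnet, security group and endpoint IDs are placeholders you pass in, and the aws calls need credentials for the consumer account.

```shell
#!/bin/sh
# Added example (not Checkout.com's tooling): PrivateLink hostname derivation plus the VPC
# endpoint and Route 53 steps from the page, driven by the AWS CLI. Assumes AWS CLI v2 with
# consumer-account credentials, an already-allowlisted account ID, and placeholder IDs.
set -eu
REGION="eu-west-1"
# Endpoint service names from the page, one per environment.
LIVE_SERVICE="com.amazonaws.vpce.eu-west-1.vpce-svc-0952fdb05548049fb"
TEST_SERVICE="com.amazonaws.vpce.eu-west-1.vpce-svc-0d45d28a6d943b992"
# First eight characters of the client_id after the "cli_" prefix.
pl_prefix() { printf '%.8s' "${1#cli_}"; }
# PrivateLink hostname for "live" or "test"; this is also the hosted zone name.
pl_host() {
  case "$2" in
    live) printf 'pl-%s.api.checkout.com' "$(pl_prefix "$1")" ;;
    test) printf 'pl-%s.api.sandbox.checkout.com' "$(pl_prefix "$1")" ;;
    *) echo "unknown environment: $2" >&2; return 1 ;;
  esac
}
# Route 53 change batch: apex A record aliased to the endpoint's regional DNS entry.
alias_change_batch() {
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s.","Type":"A",' "$1"
  printf '"AliasTarget":{"HostedZoneId":"%s","DNSName":"%s","EvaluateTargetHealth":true}}}]}' "$2" "$3"
}
# Step 1: request_endpoint live|test VPC_ID SUBNET_ID SG_ID -> prints the endpoint ID (pending acceptance).
request_endpoint() {
  if [ "$1" = "test" ]; then service="$TEST_SERVICE"; else service="$LIVE_SERVICE"; fi
  # Prerequisite from the page: DNS hostnames and DNS support enabled on the consumer VPC.
  aws ec2 modify-vpc-attribute --vpc-id "$2" --enable-dns-hostnames '{"Value":true}'
  aws ec2 modify-vpc-attribute --vpc-id "$2" --enable-dns-support '{"Value":true}'
  aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface --vpc-id "$2" --service-name "$service" \
    --subnet-ids "$3" --security-group-ids "$4" --no-private-dns-enabled \
    --query 'VpcEndpoint.VpcEndpointId' --output text
}
# Step 2, after Checkout.com accepts: attach_hosted_zone CLIENT_ID live|test VPC_ID VPCE_ID
attach_hosted_zone() {
  host="$(pl_host "$1" "$2")"; vpc_id="$3"; vpce_id="$4"
  # DnsEntries[0] is the regional entry (no availability zone in its name), the one the page says to alias.
  set -- $(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$vpce_id" \
    --query 'VpcEndpoints[0].DnsEntries[0].[HostedZoneId,DnsName]' --output text)
  zone_id="$(aws route53 create-hosted-zone --name "$host" --caller-reference "$host-$(date +%s)" \
    --vpc "VPCRegion=$REGION,VPCId=$vpc_id" --hosted-zone-config PrivateZone=true \
    --query 'HostedZone.Id' --output text)"
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(alias_change_batch "$host" "$1" "$2")"
}
```

Run request_endpoint first, wait for the endpoint status to change from Pending acceptance, then run attach_hosted_zone with the printed endpoint ID.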
To route requests via the new domain name, you must update your service applications:
- If you integrate using a Checkout.com SDK, update the environment subdomain to your unique DNS name. For example, pl-vkuhvk4v.
- If you use another method to integrate, update all instances of the api.checkout.com domain to your unique AWS PrivateLink domain. For example, https://pl-vkuhvk4v.api.checkout.com.
Information
We recommend that you test the connection before you roll out the change to your live environment.