AWS Prescriptive Guidance - Connecting to Salesforce Hyperforce by using AWS Direct Connect with Megaport

Connecting to Salesforce Hyperforce by using AWS Direct Connect with

Megaport

AWS Prescriptive Guidance

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

AWS Prescriptive Guidance: Connecting to Salesforce Hyperforce by

using AWS Direct Connect with Megaport

Amazon's trademarks and trade dress may not be used in connection with any product or service

that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any

manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are

the property of their respective owners, who may or may not be aﬃliated with, connected to, or

sponsored by Amazon.

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Table of Contents

Introduction ..................................................................................................................................... 1

Solution components ...................................................................................................................... 2

AWS Direct Connect ..................................................................................................................................... 2

Hosted connection .................................................................................................................................. 2

Public virtual interface ........................................................................................................................... 2

Salesforce ....................................................................................................................................................... 3

Hyperforce ................................................................................................................................................ 3

Salesforce Express Connect (SEC) ........................................................................................................ 3

Megaport ........................................................................................................................................................ 4

Megaport Port ......................................................................................................................................... 4

Megaport Virtual Edge (MVE) ............................................................................................................... 5

Megaport Cloud Router (MCR) ............................................................................................................. 5

Use cases .......................................................................................................................................... 6

Use case: branch oﬃces .............................................................................................................................. 6

Requirements ........................................................................................................................................... 7

Conﬁguring Megaport Port with VXC ................................................................................................. 7

Conﬁguring your network devices ....................................................................................................... 7

Conﬁguring AWS Direct Connect ......................................................................................................... 8

Conﬁguring Megaport Port with SEC ................................................................................................. 9

Conﬁguring Salesforce Hyperforce ...................................................................................................... 9

Use case: VPN-connected workforce ...................................................................................................... 10

Requirements ......................................................................................................................................... 10

Conﬁguring Megaport MVE with VXC .............................................................................................. 10

Conﬁguring VNF applicances .............................................................................................................. 11

Conﬁguring route ﬁlters ...................................................................................................................... 11

Conﬁguring AWS Direct Connect ...................................................................................................... 12

Conﬁguring Megaport MVE with SEC ............................................................................................... 13

Conﬁguring Salesforce Hyperforce ................................................................................................... 13

Use case: multicloud virtual desktop infrastructure ........................................................................... 13

Requirements ......................................................................................................................................... 14

Conﬁguring Megaport MCR with VXC .............................................................................................. 14

Conﬁguring AWS Direct Connect ...................................................................................................... 14

Conﬁguring Megaport MCR with SEC ............................................................................................... 15

Conﬁgure Salesforce Hyperforce ....................................................................................................... 15

iii

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Pricing ............................................................................................................................................ 16

Resources ........................................................................................................................................ 17

Document history .......................................................................................................................... 18

Glossary .......................................................................................................................................... 19

# ..................................................................................................................................................................... 19

A ..................................................................................................................................................................... 20

B ..................................................................................................................................................................... 23

C ..................................................................................................................................................................... 25

D ..................................................................................................................................................................... 28

E ..................................................................................................................................................................... 32

F ..................................................................................................................................................................... 34

G ..................................................................................................................................................................... 35

H ..................................................................................................................................................................... 36

I ...................................................................................................................................................................... 37

L ..................................................................................................................................................................... 40

M .................................................................................................................................................................... 41

O .................................................................................................................................................................... 45

P ..................................................................................................................................................................... 47

Q .................................................................................................................................................................... 50

R ..................................................................................................................................................................... 50

S ..................................................................................................................................................................... 53

T ..................................................................................................................................................................... 57

U ..................................................................................................................................................................... 58

V ..................................................................................................................................................................... 59

W .................................................................................................................................................................... 59

Z ..................................................................................................................................................................... 60

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Connecting to Salesforce Hyperforce by using AWS Direct

Connect with Megaport

Bennett Borofka and Kranthi Pullagurla (AWS), Abhiram Gajjala (Salesforce), Kevin Dresser

(Megaport)

August 2024 (document history)

Many AWS users have hybrid workloads that span the cloud and on-premises locations. To

adequately provide private, reliable network connectivity between these environments, you can

choose from a variety of options to ensure business value and cost optimization. Users who have

branch oﬃces, enterprise data centers, and a VPN-connected workforce have unique requirements

for enabling access to Salesforce Hyperforce running on AWS. This guide describes use cases to

help Salesforce Hyperforce and AWS users conﬁgure private, reliable connectivity to Hyperforce by

using AWS Direct Connect and the Megaport software-deﬁned networking (SDN) platform.

Salesforce Hyperforce is a next-generation Salesforce infrastructure architecture that is built to run

on cloud providers such as AWS. You can use Hyperforce to beneﬁt from its enhanced compliance,

security, agility, scalability, and privacy. Hyperforce provides multiple options for establishing

private, reliable network connectivity to Hyperforce from your on-premises location, other AWS

accounts, or other cloud providers.

AWS Direct Connect is a cloud service that bypasses the internet to link branch oﬃces and data

centers to AWS. It oﬀers the shortest path from your location to Hyperforce, where network traﬃc

remains on the AWS backbone network and never traverses the public internet.

Megaport is an SDN platform and AWS Direct Connect partner. Megaport provides a variety of

network connectivity options for users who want fast, reliable connectivity to AWS and other cloud

providers.

This guide is for practitioners, architects, administrators, and operators of networking, cloud

infrastructure, and Salesforce Hyperforce.

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Solution components

AWS Direct Connect requires you to either create your own dedicated connection to AWS, or work

with an AWS Direct Connect Partner to create a hosted connection. This article provides guidance

for using Megaport as an AWS Direct Connect Partner to facilitate hybrid and multiple use cases for

connecting to Salesforce Hyperforce.

AWS Direct Connect

AWS Direct Connect establishes a private, dedicated network connection between on-premises

data centers and AWS. This direct link helps organizations bypass the public internet and provides

reliable and private communication with AWS resources.

Although Hyperforce runs on AWS infrastructure, using AWS Direct Connect to access it requires

you to manage an AWS account for billing and conﬁguration of the connection. Using AWS Direct

Connect to connect to the Salesforce-managed Hyperforce AWS account isn't supported.

Hosted connection

A hosted connection is a physical Ethernet connection that an AWS Direct Connect Partner

provisions on behalf of a user. The use cases and architectures covered in this guide use a hosted

connection with the AWS Direct Connect Partner, Megaport. Hosted connections oﬀer bandwidth

ranges between 50 Mbps to 25 Gbps in multiple increments, whereas dedicated connections are

provided in 1 Gbps, 10 Gbps, and 100 Gbps capacities. For more information about AWS Direct

Connect bandwidth and costs, see AWS Direct Connect pricing.

Public virtual interface

The Hyperforce architecture requires access to the public IP address space of AWS resources from

on-premises and multicloud locations. A public virtual interface (VIF) is used to connect your

remote location to public AWS services and public IPs deployed on AWS. Using a private VIF to

access Hyperforce is not supported.

Notes

• Using a public VIF requires the use of unique public IPv4 addresses. You will need

to provide your own IPv4 CIDR or request a /31 CIDR from AWS Support. For more

AWS Direct Connect 2

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

information, see the prerequisites for virtual interfaces in the AWS Direct Connect

documentation.

• Using a public VIF to connect to AWS from your on-premises or multicloud environment

changes the way traﬃc is routed from AWS public preﬁxes to your users. We recommend

that you use a preﬁx ﬁlter (route map) to make sure that the accepted Amazon preﬁxes

are limited to the Hyperforce infrastructure and any other necessary AWS resources. For

more information, review public virtual interface preﬁx advertisement rules in the AWS

Direct Connect documentation and Hyperforce External IPs on the Salesforce website.

• The preﬁxes that are advertised by AWS Direct Connect must not be advertised beyond

the network boundaries of your connection. For example, these preﬁxes must not be

included in any public internet routing table. For information, review public virtual

interface routing policies in the AWS Direct Connect documentation.

Salesforce

Salesforce is a customer relationship management (CRM) platform that's designed to help you sell,

service, market, analyze, and connect with your customers.

Hyperforce

Salesforce Hyperforce is a next-generation Salesforce infrastructure architecture that's built

for the public cloud. It provides enhanced scalability, ﬂexibility, and agility by using the AWS

infrastructure. It is the fastest and simplest way to run Salesforce on public cloud infrastructure.

Salesforce Express Connect (SEC)

Salesforce Express Connect (SEC) enables private, reliable connectivity from users to Salesforce-

operated data centers. Ensuring private connectivity to Hyperforce currently requires a SEC

connection in conjunction with AWS Direct Connect.

Notes

• A limited number ofSalesforce services still run in Salesforce-managed infrastructure.

To maintain connectivity to all services in Salesforce-managed infrastructure and

Hyperforce, users who require private network access to Salesforce must continue to run

SEC along with AWS Direct Connect.

Salesforce 3

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

• Salesforce and AWS do not sell SEC. If you require private network connectivity to

Salesforce-managed infrastructure, you will need a SEC connection. This article covers

establishing a new SEC connection to Salesforce by using Megaport.

• SEC is not used for any data migration between Salesforce-managed infrastructure and

Hyperforce. If you are migrating to Hyperforce, Salesforce facilitates data migrations

in your organization on a private backbone. SEC is necessary for ongoing, private

connectivity to Salesforce by users.

Megaport

Megaport simpliﬁes and accelerates hybrid cloud connectivity to AWS Regions in a scalable,

private, and on-demand manner. Megaport acts as a facilitator in this connectivity ecosystem, and

oﬀers SDN solutions to simplify and optimize the process of connecting to cloud services, including

the AWS Cloud. Megaport connections are called virtual cross connects (VXCs), which are Layer 2

Ethernet circuits that provide private, ﬂexible, and on-demand connectivity between any of the

locations on the Megaport network. To access the Megaport network, you must ﬁrst create a Port,

Megaport Virtual Edge (MVE), or Megaport Cloud Router (MCR), which are covered in the next

sections.

Megaport Port

Megaport Port is a high-speed Ethernet interface that creates a network-to-network interface

(NNI) between your network and the Megaport network. It is conﬁgured as an 802.1Q virtual local

area network (VLAN) trunk to support up to 100 VXCs, each presented as a unique VLAN. The Port

provisioning process enables the Megaport interface and generates a Letter of Authorization (LOA)

with instructions for the data center operator to establish the physical cross connect from your

equipment to the new Port.

Note

Your network device requires either 10 or 100 Gbps interfaces with 10GBASE-LR (duplex on

single-mode optical ﬁber [SMOF]) or 100G-LR4 (duplex on SMOF) optical transceivers.

Megaport 4

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Megaport Virtual Edge (MVE)

Megaport Virtual Edge (MVE) is a network functions virtualization (NFV) platform that provides

virtual infrastructure for network services at the edge of Megaport's global SDN. You can use MVE

to deploy a virtual network stack (or point of presence) without any physical data center presence

or hardware. MVE is available in 27 metro regions across the globe and is aligned closely with AWS

Direct Connect peering locations (NNIs). MVE supports third-party VNF appliances from vendors

such as Aruba, Cisco, Fortinet, Palo Alto Networks, Versa Networks, and VMware.

Note

Megaport doesn't sell third-party licenses and requires that you use a Bring Your Own

License (BYOL) model.

Megaport Cloud Router (MCR)

Megaport Cloud Router (MCR) is a managed virtual router service that enables direct Layer 2

and Layer 3 networking between endpoints on the Megaport network, including other cloud

providers. The MCR can be deployed as a standalone service to route traﬃc between diﬀerent

cloud environments without requiring you to have a physical presence in that data center. It can

also be connected to your Port to route pertinent traﬃc back to a physical location. The MCR is

managed through the Megaport Portal to conﬁgure both static and dynamic Border Gateway

Protocol (BGP) routing functions, including Bidirectional Forwarding Detection (BFD), Multi-Exit

Discriminator (MED), Autonomous System Number (ASN), and NAT. For more information, see

Conﬁguring BGP Advanced Settings in the Megaport documentation.

Megaport Virtual Edge (MVE) 5

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Use cases

The use cases in the following sections provide examples for how you can enable your users to

have private, reliable connectivity to Hyperforce.

• Branch oﬃces

• VPN-connected workforce

• Multicloud virtual desktop infrastructure

Key considerations

• Hyperforce can be used for both private and public connectivity.

• You can use any combination of the use cases that are described.

• Both new Salesforce users and users who are migrating from Salesforce-managed data center

infrastructure can use Hyperforce. The use cases cover both scenarios.

• Migration of data from a Salesforce-managed data center instance to Hyperforce is managed by

Salesforce behind the scenes, and doesn't use the network architecture described in these use

cases.

• Some aspects of user application logins to Hyperforce still require network connectivity to

Salesforce-managed data centers. For this reason, if you require fully private connectivity, you

must use SEC with AWS Direct Connect.

Use case: branch oﬃces

This use case covers a scenario where you have a physical router in one Megaport location, and you

use it as an on-ramp to AWS Direct Connect. In this scenario, you also have one or more branch

oﬃces connected to this location through private circuits.

Using Megaport Port with AWS Direct Connect gives your users who work in branch oﬃces private

connectivity to Salesforce Hyperforce. The branch oﬃces consist of a single oﬃce or a cluster of

oﬃces inter-networked across a metropolitan area network (MAN). The oﬃces on-ramp to AWS

Direct Connect by using a Megaport location. The following diagram shows the architecture for this

use case.

Use case: branch oﬃces 6

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Requirements

• Your users access Salesforce over private network connections.

• Your users work primarily from branch oﬃces that have private connectivity to a Megaport-

enabled location.

• You own an AWS account to manage the AWS Direct Connect hosted connection with Megaport.

• You have a physical router that's deployed at a Megaport location that facilitates a cross connect

with Megaport's router.

Conﬁguring Megaport Port with VXC

The Megaport Port is conﬁgured with a VXC and provides the private Layer 2 network segment to

AWS. The AWS Direct Connect connection is provisioned as a hosted connection and attached to a

public VIF. For step-by-step instructions, see the following Megaport documentation:

• Creating a Port

• Conﬁguring and Maintaining AWS Hosted Connections

Conﬁguring your network devices

Network devices that are deployed at the Megaport location within your rack are conﬁgured to

support the connectivity to the Hyperforce instances through AWS Direct Connect. These devices

might include a router, switch, ﬁrewall, or a combined network stack of multiple devices. The

Requirements 7

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

vendor and model types are optional, depending on your requirements.We recommend that you

work with your network administrator to conﬁgure these devices.

The device that is used to establish the physical cross connect to the Megaport rack must support

802.1Q VLAN tagging to establish Layer 2 adjacency. Layer 3 adjacency is then established

between your router and the AWS public VIF by using BGP.

Notes

• The BGP preﬁxes advertised from your router to AWS are conﬁgured in the AWS

Management Console when you create the public VIF.

• The preﬁxes advertised by AWS Direct Connect must not be advertised beyond the

network boundaries of your connection. For example, these preﬁxes must not be

included in any public internet routing table. For more information, see Public virtual

interface routing policies in the AWS Direct Connect documentation.

Conﬁguring AWS Direct Connect

Accept a hosted connection

In your AWS account, accept the VXC created previously as a hosted connection. For instructions,

see the AWS Direct Connect documentation.

Create a public VIF

In your account, provision a public VIF under the connection you accepted from Megaport. Before

you create this VIF, you need to obtain the following:

• The BGP ASN of the router that's deployed to the Megaport location.

•

Public IPv4 addresses for peering (typically /31 CIDR). You can own these or request them from

AWS Support. For more information, see Peer IP addresses in the section Prerequisites for virtual

interfaces in the AWS Direct Connect documentation.

To create a public VIF, follow the steps in the AWS Direct Connect documentation.

After you create the public VIF, you need to make sure that the BGP authentication key matches

both ends of the BGP peer for the peering state to become available.

Conﬁguring AWS Direct Connect 8

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Note

Using a public VIF to connect to AWS from your on-premises environment changes

the way traﬃc is routed from AWS public preﬁxes to your users. We recommend that

you use a preﬁx ﬁlter (route map) to make sure that the accepted Amazon preﬁxes are

limited to the Hyperforce infrastructure and any other necessary AWS resources. For more

information, see Public virtual interface preﬁx advertisement rules in the AWS Direct

Connect documentation and Hyperforce External IPs in the Salesforce documentation.

Conﬁguring Megaport Port with SEC

You can also provision the Megaport Port with a SEC VXC, which provides the Layer 2 networking

elements for the private connection to Salesforce-managed data centers. SEC lets you access

Salesforce applications and services directly with a private, dedicated connection. SEC is delivered

as a Layer 3 routed service. You access Salesforce services by using public IPs and must run BGP to

receive Salesforce routes. Megaport allocates a /31 public IP range for each Salesforce peering.

Note

SEC oﬀers a choice between two IP addressing options:

•

Source NAT your LAN traﬃc to use the /31 public IP space provided by Megaport.

• Advertise your own public IP address space to Salesforce. (Salesforce won't accept

RFC1918 blocks of IP address space.)

For step-by-step instructions, see Connecting to Salesforce Express Connect in the Megaport

documentation.

Conﬁguring Salesforce Hyperforce

To enable inbound connections from your corporate network into Salesforce, you need to conﬁgure

inbound access to Hyperforce as a security measure. To allow the required domains, follow the

instructions in Allow Domains for a Salesforce Console in Salesforce Classic in the Salesforce

documentation. Do not use IP addresses.

Conﬁguring Megaport Port with SEC 9

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Use case: VPN-connected workforce

This use case covers a scenario where you use a virtual VPN concentrator at a Megaport location

as an on-ramp to AWS Direct Connect. In this scenario, you have remote branch oﬃces or workers

with site-to-site VPNs that connect to the VPN concentrator.

Using Megaport MVE with a third-party virtual ﬁrewall and AWS Direct Connect gives your remote

workers private connectivity to Salesforce Hyperforce. The remote workers connect to the VPN

concentrator from an internet-connected router at a branch oﬃce or from a VPN client that is

running on their device. The remote workers then on-ramp to AWS Direct Connect by using a

Megaport location.

Requirements

• Your remote workers access Salesforce over private network connections.

• Your remote workers or users at branch oﬃces have site-to-site VPN connectivity to a Megaport-

enabled location over the internet.

• You own an AWS account to manage the AWS Direct Connect hosted connection with Megaport.

Conﬁguring Megaport MVE with VXC

The Megaport MVE that's conﬁgured with a VXC provides the private Layer 2 network segment to

AWS. The MVE is a virtual solution and doesn't require a Port.However, you must specify the third-

party virtual network appliance to be deployed. The VXC deployment process and functionality are

Use case: VPN-connected workforce 10

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

the same, whether you use a Port, MVE, or MCR. AWS Direct Connect should be provisioned as a

hosted connection and attached to a public VIF.

For an overview and step-by-step instructions, see the following Megaport documentation:

• Introducing MVE

• Conﬁguring and Maintaining AWS Hosted Connections

Conﬁguring VNF applicances

MVE supports third-party virtual network function (VNF) appliances from vendors such as Aruba,

Cisco, Fortinet, Palo Alto Networks, Versa Networks, and VMware. You can choose a vendor to

handle routing, security, and the SSL VPN functions of the MVE. For a full list of MVE integration

partners, see the Megaport documentation.

For example, this use case describes a high-level architecture where Megaport MVE supports

VPN/SD-WAN connections from regional branch oﬃces and remote users who have an SSL VPN

connection.This MVE peers with AWS and routes these connections privately to Hyperforce

through AWS Direct Connect.

The key elements of this architecture include:

• Route ﬁlters to limit AWS preﬁxes for relevant Hyperforce instances

• SSL VPN policies based on Hyperforce fully qualiﬁed domain name (FQDN) and IP address ranges

• NAT policy for Hyperforce users behind a single public IP address that faces AWS

Conﬁguring route ﬁlters

When the VNF has established BGP peering with the AWS public VIF, the route table should

populate with preﬁxes for all AWS public services and Hyperforce.You can apply route ﬁltering by

using IP lists or BGP community tags.We recommend that you conﬁgure a route map of preﬁxes

that include a range of Hyperforce instances in an AWS Region.

Notes:

• The BGP preﬁxes advertised from your router to AWS are conﬁgured in the AWS

Management Console when you create the public VIF.

Conﬁguring VNF applicances 11

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

• The preﬁxes advertised by AWS Direct Connect must not be advertised beyond the

network boundaries of your connection. For example, these preﬁxes must not be

included in any public internet routing table. For more information, see Public virtual

interface routing policies in the AWS Direct Connect documentation.

Conﬁguring AWS Direct Connect

Accept a hosted connection

In your AWS account, accept the VXC created previously as a hosted connection. For instructions,

see the AWS Direct Connect documentation.

Create a public VIF

In your account, provision a public VIF under the connection you accepted from Megaport. Before

you create this VIF, you need to obtain the following:

• The BGP ASN of the VNF appliance.

•

Public IPv4 addresses for peering (typically /31 CIDR). You can own these or request them from

AWS Support. For more information, see Peer IP addresses in the section Prerequisites for virtual

interfaces in the AWS Direct Connect documentation.

To create a public VIF, follow the steps in the AWS Direct Connect documentation.

After you create the public VIF, you need to make sure that the BGP authentication key matches

both ends of the BGP peer for the peering state to become available.

Note

Using a public VIF to connect to AWS from your on-premises environment changes

the way traﬃc is routed to your on-premises location from AWS. We recommend that

you use a preﬁx ﬁlter (route map) to make sure that the accepted Amazon preﬁxes are

limited to the Hyperforce infrastructure and any other necessary AWS resources. For more

information, see Public virtual interface preﬁx advertisement rules in the AWS Direct

Connect documentation and Hyperforce External IPs in the Salesforce documentation.

Conﬁguring AWS Direct Connect 12

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Conﬁguring Megaport MVE with SEC

In some cases, Hyperforce login requests are redirected to Salesforce-managed data centers.To

keep this traﬃc on a private network, you can add a Megaport VXC to Salesforce by using SEC.

You can conﬁgure your VNF security policies with rules by using the Salesforce login FQDN. This is

similar to the AWS Direct Connect architecture described earlier in this guide.

For step-by-step instructions, see Connecting to Salesforce Express Connect in the Megaport

documentation.

Conﬁguring Salesforce Hyperforce

To enable inbound connections from your corporate network into Salesforce, you need to conﬁgure

inbound access to Hyperforce as a security measure. To allow the required domains, follow the

instructions in Allow Domains for a Salesforce Console in Salesforce Classic in the Salesforce

documentation. Do not use IP addresses.

Use case: multicloud virtual desktop infrastructure

This use case covers a scenario where you have a virtual desktop infrastructure (VDI) running in

another cloud provider that has a private connection to Megaport and is used as an on-ramp to

AWS Direct Connect

Using Megaport MCR with AWS Direct Connect gives your VDI users private connectivity to

Salesforce Hyperforce. VDI users use their desktops for their daily work, and the VDI provides an

on-ramp to AWS Direct Connect by using a Megaport location.

Conﬁguring Megaport MVE with SEC 13

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Requirements

• Users access Salesforce over private network connections.

• Users use a VDI.

• The VDI runs in an alternate cloud provider and has a private connection established to

Megaport.

• You own an AWS account to manage the AWS Direct Connect hosted connection with Megaport.

Conﬁguring Megaport MCR with VXC

For step-by-step instructions, see the following Megaport documentation:

• Creating an MCR

• Creating MCR Connections to AWS

Notes

• The BGP preﬁxes advertised from your router to AWS are conﬁgured in the AWS

Management Console when you create the public VIF.

• The preﬁxes advertised by AWS Direct Connect must not be advertised beyond the

network boundaries of your connection. For example, these preﬁxes must not be

included in any public internet routing table. For more information, see Public virtual

interface routing policies in the AWS Direct Connect documentation.

Conﬁguring AWS Direct Connect

Accept a hosted connection

In your AWS account, accept the VXC created previously as a hosted connection.For instructions,

see the AWS Direct Connect documentation.

Create a public VIF

In your account, provision a public VIF under the connection you accepted from Megaport. Before

you create this VIF, you need to obtain the following:

Requirements 14

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

• The BGP ASN of the MCR.

•

Public IPv4 addresses for peering (typically /31 CIDR). You can own these or request them from

AWS Support. For more information, see Peer IP addresses in the section Prerequisites for virtual

interfaces in the AWS Direct Connect documentation.

To create a public VIF, follow the steps in the AWS Direct Connect documentation.

After you create the public VIF, you need to make sure that the BGP authentication key matches

both ends of the BGP peer for the peering state to become available.

Note

Using a public VIF to connect to AWS from your on-premises or multicloud environment

changes the way traﬃc is routed from AWS public preﬁxes to your users. We recommend

that you use a preﬁx ﬁlter (route map) to make sure that the accepted Amazon preﬁxes

are limited to the Hyperforce infrastructure and any other necessary AWS resources. For

more information, see Public virtual interface preﬁx advertisement rules in the AWS Direct

Connect documentation and Hyperforce External IPs in the Salesforce documentation.

Conﬁguring Megaport MCR with SEC

For step-by-step instructions, see Creating MCR Connections to Salesforce Express Connect in the

Megaport documentation.

Conﬁgure Salesforce Hyperforce

To enable inbound connections from your corporate network into Salesforce, you need to conﬁgure

inbound access to Hyperforce as a security measure. To allow the required domains, follow the

instructions in Allow Domains for a Salesforce Console in Salesforce Classic in the Salesforce

documentation. Do not use IP addresses.

Conﬁguring Megaport MCR with SEC 15

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Pricing

Cost considerations for the solutions described in this guide depend on various factors, such as

scale, consumed bandwidth, selected products, and vendor discounts. When pricing the various

components, consider the following:

• AWS Direct Connect – The price varies based on Region, port type, capacity, and data transferred.

Use the AWS Pricing Calculator to estimate your costs.

• Megaport hosted connection to AWS – The price varies depending on product usage and

capacity. Megaport Port, MVE, and MCR are available directly from Megaport or can be procured

through AWS Marketplace.

• Megaport SEC – This is available directly through Megaport.

• Salesforce Hyperforce – This is available directly through Salesforce.

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Resources

AWS documentation

• AWS Direct Connect

• AWS Direct Connect User Guide

Megaport documentation

• Creating a Port

• Conﬁguring and Maintaining AWS Hosted Connections

• Connections Overview

• MCR Overview

• Introducing MVE

• Connecting to Salesforce Express Connect

Salesforce documentation

• Introducing Hyperforce – General Information & FAQ

• Hyperforce External IPs

• Allow Domains for a Salesforce Console in Salesforce Classic

• Allow the Required Domains

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Document history

The following table describes signiﬁcant changes to this guide. If you want to be notiﬁed about

future updates, you can subscribe to an RSS feed.

Change Description Date

Initial publication — August 30, 2024

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

AWS Prescriptive Guidance glossary

The following are commonly used terms in strategies, guides, and patterns provided by AWS

Prescriptive Guidance. To suggest entries, please use the Provide feedback link at the end of the

glossary.

Numbers

7 Rs

Seven common migration strategies for moving applications to the cloud. These strategies build

upon the 5 Rs that Gartner identiﬁed in 2011 and consist of the following:

• Refactor/re-architect – Move an application and modify its architecture by taking full

advantage of cloud-native features to improve agility, performance, and scalability. This

typically involves porting the operating system and database. Example:Migrate your on-

premises Oracle database to the Amazon Aurora PostgreSQL-Compatible Edition.

• Replatform (lift and reshape) – Move an application to the cloud, and introduce some level

of optimization to take advantage of cloud capabilities. Example:Migrate your on-premises

Oracle database to Amazon Relational Database Service (Amazon RDS) for Oracle in the AWS

Cloud.

• Repurchase (drop and shop) – Switch to a diﬀerent product, typically by moving from

a traditional license to a SaaS model. Example:Migrate your customer relationship

management (CRM) system to Salesforce.com.

• Rehost (lift and shift) – Move an application to the cloud without making any changes to

take advantage of cloud capabilities. Example:Migrate your on-premises Oracle database to

Oracle on an EC2 instance in the AWS Cloud.

• Relocate (hypervisor-level lift and shift) – Move infrastructure to the cloud without

purchasing new hardware, rewriting applications, or modifying your existing operations.

You migrate servers from an on-premises platform to a cloud service for the same platform.

Example:Migrate a Microsoft Hyper-V application to AWS.

• Retain (revisit) – Keep applications in your source environment. These might include

applications that require major refactoring, and you want to postpone that work until a later

time, and legacy applications that you want to retain, because there’s no business justiﬁcation

for migrating them.

# 19

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

• Retire – Decommission or remove applications that are no longer needed in your source

environment.

ABAC

See attribute-based access control.

abstracted services

See managed services.

ACID

See atomicity, consistency, isolation, durability.

active-active migration

A database migration method in which the source and target databases are kept in sync (by

using a bidirectional replication tool or dual write operations), and both databases handle

transactions from connecting applications during migration. This method supports migration in

small, controlled batches instead of requiring a one-time cutover. It’s more ﬂexible but requires

more work than active-passive migration.

active-passive migration

A database migration method in which in which the source and target databases are kept in

sync, but only the source database handles transactions from connecting applications while

data is replicated to the target database. The target database doesn’t accept any transactions

during migration.

aggregate function

A SQL function that operates on a group of rows and calculates a single return value for the

group. Examples of aggregate functions include SUM and MAX.

See artiﬁcial intelligence.

AIOps

See artiﬁcial intelligence operations.

A 20

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

anonymization

The process of permanently deleting personal information in a dataset. Anonymization can help

protect personal privacy. Anonymized data is no longer considered to be personal data.

anti-pattern

A frequently used solution for a recurring issue where the solution is counter-productive,

ineﬀective, or less eﬀective than an alternative.

application control

A security approach that allows the use of only approved applications in order to help protect a

system from malware.

application portfolio

A collection of detailed information about each application used by an organization, including

the cost to build and maintain the application, and its business value. This information is key to

the portfolio discovery and analysis process and helps identify and prioritize the applications to

be migrated, modernized, and optimized.

artiﬁcial intelligence (AI)

The ﬁeld of computer science that is dedicated to using computing technologies to perform

cognitive functions that are typically associated with humans, such as learning, solving

problems, and recognizing patterns. For more information, see What is Artiﬁcial Intelligence?

artiﬁcial intelligence operations (AIOps)

The process of using machine learning techniques to solve operational problems, reduce

operational incidents and human intervention, and increase service quality. For more

information about how AIOps is used in the AWS migration strategy, see the operations

integration guide.

asymmetric encryption

An encryption algorithm that uses a pair of keys, a public key for encryption and a private key

for decryption. You can share the public key because it isn’t used for decryption, but access to

the private key should be highly restricted.

atomicity, consistency, isolation, durability (ACID)

A set of software properties that guarantee the data validity and operational reliability of a

database, even in the case of errors, power failures, or other problems.

A 21

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

attribute-based access control (ABAC)

The practice of creating ﬁne-grained permissions based on user attributes, such as department,

job role, and team name. For more information, see ABAC for AWS in the AWS Identity and

Access Management (IAM) documentation.

authoritative data source

A location where you store the primary version of data, which is considered to be the most

reliable source of information. You can copy data from the authoritative data source to other

locations for the purposes of processing or modifying the data, such as anonymizing, redacting,

or pseudonymizing it.

Availability Zone

A distinct location within an AWS Region that is insulated from failures in other Availability

Zones and provides inexpensive, low-latency network connectivity to other Availability Zones in

the same Region.

AWS Cloud Adoption Framework (AWS CAF)

A framework of guidelines and best practices from AWS to help organizations develop an

eﬃcient and eﬀective plan to move successfully to the cloud. AWS CAF organizes guidance

into six focus areas called perspectives: business, people, governance, platform, security,

and operations. The business, people, and governance perspectives focus on business skills

and processes; the platform, security, and operations perspectives focus on technical skills

and processes. For example, the people perspective targets stakeholders who handle human

resources (HR), staﬃng functions, and people management. For this perspective, AWS CAF

provides guidance for people development, training, and communications to help ready the

organization for successful cloud adoption. For more information, see the AWS CAF website and

the AWS CAF whitepaper.

AWS Workload Qualiﬁcation Framework (AWS WQF)

A tool that evaluates database migration workloads, recommends migration strategies, and

provides work estimates. AWS WQF is included with AWS Schema Conversion Tool (AWS SCT). It

analyzes database schemas and code objects, application code, dependencies, and performance

characteristics, and provides assessment reports.

A 22

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

bad bot

A bot that is intended to disrupt or cause harm to individuals or organizations.

BCP

See business continuity planning.

behavior graph

A uniﬁed, interactive view of resource behavior and interactions over time. You can use a

behavior graph with Amazon Detective to examine failed logon attempts, suspicious API

calls, and similar actions. For more information, see Data in a behavior graph in the Detective

documentation.

big-endian system

A system that stores the most signiﬁcant byte ﬁrst. See also endianness.

binary classiﬁcation

A process that predicts a binary outcome (one of two possible classes). For example, your ML

model might need to predict problems such as “Is this email spam or not spam?" or "Is this

product a book or a car?"

bloom ﬁlter

A probabilistic, memory-eﬃcient data structure that is used to test whether an element is a

member of a set.

blue/green deployment

A deployment strategy where you create two separate but identical environments. You run the

current application version in one environment (blue) and the new application version in the

other environment (green). This strategy helps you quickly roll back with minimal impact.

bot

A software application that runs automated tasks over the internet and simulates human

activity or interaction. Some bots are useful or beneﬁcial, such as web crawlers that index

information on the internet. Some other bots, known as bad bots, are intended to disrupt or

cause harm to individuals or organizations.

B 23

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

botnet

Networks of bots that are infected by malware and are under the control of a single party,

known as a bot herder or bot operator. Botnets are the best-known mechanism to scale bots and

their impact.

branch

A contained area of a code repository. The ﬁrst branch created in a repository is the main

branch. You can create a new branch from an existing branch, and you can then develop

features or ﬁx bugs in the new branch. A branch you create to build a feature is commonly

referred to as a feature branch. When the feature is ready for release, you merge the feature

branch back into the main branch. For more information, see About branches (GitHub

documentation).

break-glass access

In exceptional circumstances and through an approved process, a quick means for a user to

gain access to an AWS account that they don't typically have permissions to access. For more

information, see the Implement break-glass procedures indicator in the AWS Well-Architected

guidance.

brownﬁeld strategy

The existing infrastructure in your environment. When adopting a brownﬁeld strategy for a

system architecture, you design the architecture around the constraints of the current systems

and infrastructure. If you are expanding the existing infrastructure, you might blend brownﬁeld

and greenﬁeld strategies.

buﬀer cache

The memory area where the most frequently accessed data is stored.

business capability

What a business does to generate value (for example, sales, customer service, or marketing).

Microservices architectures and development decisions can be driven by business capabilities.

For more information, see the Organized around business capabilities section of the Running

containerized microservices on AWS whitepaper.

business continuity planning (BCP)

A plan that addresses the potential impact of a disruptive event, such as a large-scale migration,

on operations and enables a business to resume operations quickly.

B 24

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

CAF

See AWS Cloud Adoption Framework.

canary deployment

The slow and incremental release of a version to end users. When you are conﬁdent, you deploy

the new version and replace the current version in its entirety.

CCoE

See Cloud Center of Excellence.

CDC

See change data capture.

change data capture (CDC)

The process of tracking changes to a data source, such as a database table, and recording

metadata about the change. You can use CDC for various purposes, such as auditing or

replicating changes in a target system to maintain synchronization.

chaos engineering

Intentionally introducing failures or disruptive events to test a system’s resilience. You can use

AWS Fault Injection Service (AWS FIS) to perform experiments that stress your AWS workloads

and evaluate their response.

CI/CD

See continuous integration and continuous delivery.

classiﬁcation

A categorization process that helps generate predictions. ML models for classiﬁcation problems

predict a discrete value. Discrete values are always distinct from one another. For example, a

model might need to evaluate whether or not there is a car in an image.

client-side encryption

Encryption of data locally, before the target AWS service receives it.

C 25

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Cloud Center of Excellence (CCoE)

A multi-disciplinary team that drives cloud adoption eﬀorts across an organization, including

developing cloud best practices, mobilizing resources, establishing migration timelines, and

leading the organization through large-scale transformations. For more information, see the

CCoE posts on the AWS Cloud Enterprise Strategy Blog.

cloud computing

The cloud technology that is typically used for remote data storage and IoT device

management. Cloud computing is commonly connected to edge computing technology.

cloud operating model

In an IT organization, the operating model that is used to build, mature, and optimize one or

more cloud environments. For more information, see Building your Cloud Operating Model.

cloud stages of adoption

The four phases that organizations typically go through when they migrate to the AWS Cloud:

• Project – Running a few cloud-related projects for proof of concept and learning purposes

• Foundation – Making foundational investments to scale your cloud adoption (e.g., creating a

landing zone, deﬁning a CCoE, establishing an operations model)

• Migration – Migrating individual applications

• Re-invention – Optimizing products and services, and innovating in the cloud

These stages were deﬁned by Stephen Orban in the blog post The Journey Toward Cloud-First

& the Stages of Adoption on the AWS Cloud Enterprise Strategy blog. For information about

how they relate to the AWS migration strategy, see the migration readiness guide.

CMDB

See conﬁguration management database.

code repository

A location where source code and other assets, such as documentation, samples, and scripts,

are stored and updated through version control processes. Common cloud repositories include

GitHub or AWS CodeCommit. Each version of the code is called a branch. In a microservice

structure, each repository is devoted to a single piece of functionality. A single CI/CD pipeline

can use multiple repositories.

C 26

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

cold cache

A buﬀer cache that is empty, not well populated, or contains stale or irrelevant data. This

aﬀects performance because the database instance must read from the main memory or disk,

which is slower than reading from the buﬀer cache.

cold data

Data that is rarely accessed and is typically historical. When querying this kind of data, slow

queries are typically acceptable. Moving this data to lower-performing and less expensive

storage tiers or classes can reduce costs.

computer vision (CV)

A ﬁeld of AI that uses machine learning to analyze and extract information from visual formats

such as digital images and videos. For example, AWS Panorama oﬀers devices that add CV to

on-premises camera networks, and Amazon SageMaker provides image processing algorithms

for CV.

conﬁguration drift

For a workload, a conﬁguration change from the expected state. It might cause the workload to

become noncompliant, and it's typically gradual and unintentional.

conﬁguration management database (CMDB)

A repository that stores and manages information about a database and its IT environment,

including both hardware and software components and their conﬁgurations. You typically use

data from a CMDB in the portfolio discovery and analysis stage of migration.

conformance pack

A collection of AWS Conﬁg rules and remediation actions that you can assemble to customize

your compliance and security checks. You can deploy a conformance pack as a single entity in

an AWS account and Region, or across an organization, by using a YAML template. For more

information, see Conformance packs in the AWS Conﬁg documentation.

continuous integration and continuous delivery (CI/CD)

The process of automating the source, build, test, staging, and production stages of the

software release process. CI/CD is commonly described as a pipeline. CI/CD can help you

automate processes, improve productivity, improve code quality, and deliver faster. For more

information, see Beneﬁts of continuous delivery. CD can also stand for continuous deployment.

For more information, see Continuous Delivery vs. Continuous Deployment.

C 27

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

See computer vision.

data at rest

Data that is stationary in your network, such as data that is in storage.

data classiﬁcation

A process for identifying and categorizing the data in your network based on its criticality and

sensitivity. It is a critical component of any cybersecurity risk management strategy because

it helps you determine the appropriate protection and retention controls for the data. Data

classiﬁcation is a component of the security pillar in the AWS Well-Architected Framework. For

more information, see Data classiﬁcation.

data drift

A meaningful variation between the production data and the data that was used to train an ML

model, or a meaningful change in the input data over time. Data drift can reduce the overall

quality, accuracy, and fairness in ML model predictions.

data in transit

Data that is actively moving through your network, such as between network resources.

data mesh

An architectural framework that provides distributed, decentralized data ownership with

centralized management and governance.

data minimization

The principle of collecting and processing only the data that is strictly necessary. Practicing

data minimization in the AWS Cloud can reduce privacy risks, costs, and your analytics carbon

footprint.

data perimeter

A set of preventive guardrails in your AWS environment that help make sure that only trusted

identities are accessing trusted resources from expected networks. For more information, see

Building a data perimeter on AWS.

D 28

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

data preprocessing

To transform raw data into a format that is easily parsed by your ML model. Preprocessing data

can mean removing certain columns or rows and addressing missing, inconsistent, or duplicate

values.

data provenance

The process of tracking the origin and history of data throughout its lifecycle, such as how the

data was generated, transmitted, and stored.

data subject

An individual whose data is being collected and processed.

data warehouse

A data management system that supports business intelligence, such as analytics. Data

warehouses commonly contain large amounts of historical data, and they are typically used for

queries and analysis.

database deﬁnition language (DDL)

Statements or commands for creating or modifying the structure of tables and objects in a

database.

database manipulation language (DML)

Statements or commands for modifying (inserting, updating, and deleting) information in a

database.

DDL

See database deﬁnition language.

deep ensemble

To combine multiple deep learning models for prediction. You can use deep ensembles to

obtain a more accurate prediction or for estimating uncertainty in predictions.

deep learning

An ML subﬁeld that uses multiple layers of artiﬁcial neural networks to identify mapping

between input data and target variables of interest.

D 29

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

defense-in-depth

An information security approach in which a series of security mechanisms and controls are

thoughtfully layered throughout a computer network to protect the conﬁdentiality, integrity,

and availability of the network and the data within. When you adopt this strategy on AWS,

you add multiple controls at diﬀerent layers of the AWS Organizations structure to help

secure resources. For example, a defense-in-depth approach might combine multi-factor

authentication, network segmentation, and encryption.

delegated administrator

In AWS Organizations, a compatible service can register an AWS member account to administer

the organization’s accounts and manage permissions for that service. This account is called the

delegated administrator for that service. For more information and a list of compatible services,

see Services that work with AWS Organizations in the AWS Organizations documentation.

deployment

The process of making an application, new features, or code ﬁxes available in the target

environment. Deployment involves implementing changes in a code base and then building and

running that code base in the application’s environments.

development environment

See environment.

detective control

A security control that is designed to detect, log, and alert after an event has occurred.

These controls are a second line of defense, alerting you to security events that bypassed the

preventative controls in place. For more information, see Detective controls in Implementing

security controls on AWS.

development value stream mapping (DVSM)

A process used to identify and prioritize constraints that adversely aﬀect speed and quality in

a software development lifecycle. DVSM extends the value stream mapping process originally

designed for lean manufacturing practices. It focuses on the steps and teams required to create

and move value through the software development process.

D 30

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

digital twin

A virtual representation of a real-world system, such as a building, factory, industrial

equipment, or production line. Digital twins support predictive maintenance, remote

monitoring, and production optimization.

dimension table

In a star schema, a smaller table that contains data attributes about quantitative data in a

fact table. Dimension table attributes are typically text ﬁelds or discrete numbers that behave

like text. These attributes are commonly used for query constraining, ﬁltering, and result set

labeling.

disaster

An event that prevents a workload or system from fulﬁlling its business objectives in its primary

deployed location. These events can be natural disasters, technical failures, or the result of

human actions, such as unintentional misconﬁguration or a malware attack.

disaster recovery (DR)

The strategy and process you use to minimize downtime and data loss caused by a disaster. For

more information, see Disaster Recovery of Workloads on AWS: Recovery in the Cloud in the

AWS Well-Architected Framework.

DML

See database manipulation language.

domain-driven design

An approach to developing a complex software system by connecting its components to

evolving domains, or core business goals, that each component serves. This concept was

introduced by Eric Evans in his book, Domain-Driven Design: Tackling Complexity in the Heart of

Software (Boston: Addison-Wesley Professional,2003). For information about how you can use

domain-driven design with the strangler ﬁg pattern, see Modernizing legacy Microsoft ASP.NET

(ASMX) web services incrementally by using containers and Amazon API Gateway.

See disaster recovery.

D 31

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

drift detection

Tracking deviations from a baselined conﬁguration. For example, you can use AWS

CloudFormation to detect drift in system resources, or you can use AWS Control Tower to detect

changes in your landing zone that might aﬀect compliance with governance requirements.

DVSM

See development value stream mapping.

EDA

See exploratory data analysis.

edge computing

The technology that increases the computing power for smart devices at the edges of an IoT

network. When compared with cloud computing, edge computing can reduce communication

latency and improve response time.

encryption

A computing process that transforms plaintext data, which is human-readable, into ciphertext.

encryption key

A cryptographic string of randomized bits that is generated by an encryption algorithm. Keys

can vary in length, and each key is designed to be unpredictable and unique.

endianness

The order in which bytes are stored in computer memory. Big-endian systems store the most

signiﬁcant byte ﬁrst. Little-endian systems store the least signiﬁcant byte ﬁrst.

endpoint

See service endpoint.

endpoint service

A service that you can host in a virtual private cloud (VPC) to share with other users. You can

create an endpoint service with AWS PrivateLink and grant permissions to other AWS accounts

E 32

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

or to AWS Identity and Access Management (IAM) principals. These accounts or principals

can connect to your endpoint service privately by creating interface VPC endpoints. For more

information, see Create an endpoint service in the Amazon Virtual Private Cloud (Amazon VPC)

documentation.

enterprise resource planning (ERP)

A system that automates and manages key business processes (such as accounting, MES, and

project management) for an enterprise.

envelope encryption

The process of encrypting an encryption key with another encryption key. For more

information, see Envelope encryption in the AWS Key Management Service (AWS KMS)

documentation.

environment

An instance of a running application. The following are common types of environments in cloud

computing:

• development environment – An instance of a running application that is available only to the

core team responsible for maintaining the application. Development environments are used

to test changes before promoting them to upper environments. This type of environment is

sometimes referred to as a test environment.

• lower environments – All development environments for an application, such as those used

for initial builds and tests.

• production environment – An instance of a running application that end users can access. In a

CI/CD pipeline, the production environment is the last deployment environment.

• upper environments – All environments that can be accessed by users other than the core

development team. This can include a production environment, preproduction environments,

and environments for user acceptance testing.

epic

In agile methodologies, functional categories that help organize and prioritize your work. Epics

provide a high-level description of requirements and implementation tasks. For example, AWS

CAF security epics include identity and access management, detective controls, infrastructure

security, data protection, and incident response. For more information about epics in the AWS

migration strategy, see the program implementation guide.

E 33

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

ERP

See enterprise resource planning.

exploratory data analysis (EDA)

The process of analyzing a dataset to understand its main characteristics. You collect or

aggregate data and then perform initial investigations to ﬁnd patterns, detect anomalies,

and check assumptions. EDA is performed by calculating summary statistics and creating data

visualizations.

fact table

The central table in a star schema. It stores quantitative data about business operations.

Typically, a fact table contains two types of columns: those that contain measures and those

that contain a foreign key to a dimension table.

fail fast

A philosophy that uses frequent and incremental testing to reduce the development lifecycle. It

is a critical part of an agile approach.

fault isolation boundary

In the AWS Cloud, a boundary such as an Availability Zone, AWS Region, control plane, or data

plane that limits the eﬀect of a failure and helps improve the resilience of workloads. For more

information, see AWS Fault Isolation Boundaries.

feature branch

See branch.

features

The input data that you use to make a prediction. For example, in a manufacturing context,

features could be images that are periodically captured from the manufacturing line.

feature importance

How signiﬁcant a feature is for a model’s predictions. This is usually expressed as a numerical

score that can be calculated through various techniques, such as Shapley Additive Explanations

F 34

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

(SHAP) and integrated gradients. For more information, see Machine learning model

interpretability with :AWS.

feature transformation

To optimize data for the ML process, including enriching data with additional sources, scaling

values, or extracting multiple sets of information from a single data ﬁeld. This enables the ML

model to beneﬁt from the data. For example, if you break down the “2021-05-27 00:15:37”

date into “2021”, “May”, “Thu”, and “15”, you can help the learning algorithm learn nuanced

patterns associated with diﬀerent data components.

FGAC

See ﬁne-grained access control.

ﬁne-grained access control (FGAC)

The use of multiple conditions to allow or deny an access request.

ﬂash-cut migration

A database migration method that uses continuous data replication through change data

capture to migrate data in the shortest time possible, instead of using a phased approach. The

objective is to keep downtime to a minimum.

geo blocking

See geographic restrictions.

geographic restrictions (geo blocking)

In Amazon CloudFront, an option to prevent users in speciﬁc countries from accessing content

distributions. You can use an allow list or block list to specify approved and banned countries.

For more information, see Restricting the geographic distribution of your content in the

CloudFront documentation.

Gitﬂow workﬂow

An approach in which lower and upper environments use diﬀerent branches in a source code

repository. The Gitﬂow workﬂow is considered legacy, and the trunk-based workﬂow is the

modern, preferred approach.

G 35

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

greenﬁeld strategy

The absence of existing infrastructure in a new environment. When adopting a greenﬁeld

strategy for a system architecture, you can select all new technologies without the restriction

of compatibility with existing infrastructure, also known as brownﬁeld. If you are expanding the

existing infrastructure, you might blend brownﬁeld and greenﬁeld strategies.

guardrail

A high-level rule that helps govern resources, policies, and compliance across organizational

units (OUs). Preventive guardrails enforce policies to ensure alignment to compliance standards.

They are implemented by using service control policies and IAM permissions boundaries.

Detective guardrails detect policy violations and compliance issues, and generate alerts

for remediation. They are implemented by using AWS Conﬁg, AWS Security Hub, Amazon

GuardDuty, AWS Trusted Advisor, Amazon Inspector, and custom AWS Lambda checks.

See high availability.

heterogeneous database migration

Migrating your source database to a target database that uses a diﬀerent database engine

(for example, Oracle to Amazon Aurora). Heterogeneous migration is typically part of a re-

architecting eﬀort, and converting the schema can be a complex task. AWS provides AWS SCT

that helps with schema conversions.

high availability (HA)

The ability of a workload to operate continuously, without intervention, in the event of

challenges or disasters. HA systems are designed to automatically fail over, consistently deliver

high-quality performance, and handle diﬀerent loads and failures with minimal performance

impact.

historian modernization

An approach used to modernize and upgrade operational technology (OT) systems to better

serve the needs of the manufacturing industry. A historian is a type of database that is used to

collect and store data from various sources in a factory.

H 36

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

homogeneous database migration

Migrating your source database to a target database that shares the same database engine

(for example, Microsoft SQL Server to Amazon RDS for SQL Server). Homogeneous migration

is typically part of a rehosting or replatforming eﬀort. You can use native database utilities to

migrate the schema.

hot data

Data that is frequently accessed, such as real-time data or recent translational data. This data

typically requires a high-performance storage tier or class to provide fast query responses.

hotﬁx

An urgent ﬁx for a critical issue in a production environment. Due to its urgency, a hotﬁx is

usually made outside of the typical DevOps release workﬂow.

hypercare period

Immediately following cutover, the period of time when a migration team manages and

monitors the migrated applications in the cloud in order to address any issues. Typically, this

period is 1–4 days in length. At the end of the hypercare period, the migration team typically

transfers responsibility for the applications to the cloud operations team.

IaC

See infrastructure as code.

identity-based policy

A policy attached to one or more IAM principals that deﬁnes their permissions within the AWS

Cloud environment.

idle application

An application that has an average CPU and memory usage between 5and 20percent over

a period of 90days. In a migration project, it is common to retire these applications or retain

them on premises.

IIoT

See industrial Internet of Things.

I 37

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

immutable infrastructure

A model that deploys new infrastructure for production workloads instead of updating,

patching, or modifying the existing infrastructure. Immutable infrastructures are inherently

more consistent, reliable, and predictable than mutable infrastructure. For more information,

see the Deploy using immutable infrastructure best practice in the AWS Well-Architected

Framework.

inbound (ingress) VPC

In an AWS multi-account architecture, a VPC that accepts, inspects, and routes network

connections from outside an application. The AWS Security Reference Architecture recommends

setting up your Network account with inbound, outbound, and inspection VPCs to protect the

two-way interface between your application and the broader internet.

incremental migration

A cutover strategy in which you migrate your application in small parts instead of performing

a single, full cutover. For example, you might move only a few microservices or users to the

new system initially. After you verify that everything is working properly, you can incrementally

move additional microservices or users until you can decommission your legacy system. This

strategy reduces the risks associated with large migrations.

Industry 4.0

A term that was introduced by Klaus Schwab in 2016 to refer to the modernization of

manufacturing processes through advances in connectivity, real-time data, automation,

analytics, and AI/ML.

infrastructure

All of the resources and assets contained within an application’s environment.

infrastructure as code (IaC)

The process of provisioning and managing an application’s infrastructure through a set

of conﬁguration ﬁles. IaC is designed to help you centralize infrastructure management,

standardize resources, and scale quickly so that new environments are repeatable, reliable, and

consistent.

I 38

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

industrial Internet of Things (IIoT)

The use of internet-connected sensors and devices in the industrial sectors, such as

manufacturing, energy, automotive, healthcare, life sciences, and agriculture. For more

information, see Building an industrial Internet of Things (IIoT) digital transformation strategy.

inspection VPC

In an AWS multi-account architecture, a centralized VPC that manages inspections of network

traﬃc between VPCs (in the same or diﬀerent AWS Regions), the internet, and on-premises

networks. The AWS Security Reference Architecture recommends setting up your Network

account with inbound, outbound, and inspection VPCs to protect the two-way interface

between your application and the broader internet.

Internet of Things (IoT)

The network of connected physical objects with embedded sensors or processors that

communicate with other devices and systems through the internet or over a local

communication network. For more information, see What is IoT?

interpretability

A characteristic of a machine learning model that describes the degree to which a human

can understand how the model’s predictions depend on its inputs. For more information, see

Machine learning model interpretability with AWS.

IoT

See Internet of Things.

IT information library (ITIL)

A set of best practices for delivering IT services and aligning these services with business

requirements. ITIL provides the foundation for ITSM.

IT service management (ITSM)

Activities associated with designing, implementing, managing, and supporting IT services for

an organization. For information about integrating cloud operations with ITSM tools, see the

operations integration guide.

ITIL

See IT information library.

I 39

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

ITSM

See IT service management.

label-based access control (LBAC)

An implementation of mandatory access control (MAC) where the users and the data itself are

each explicitly assigned a security label value. The intersection between the user security label

and data security label determines which rows and columns can be seen by the user.

landing zone

A landing zone is a well-architected, multi-account AWS environment that is scalable and

secure. This is a starting point from which your organizations can quickly launch and deploy

workloads and applications with conﬁdence in their security and infrastructure environment.

For more information about landing zones, see Setting up a secure and scalable multi-account

AWS environment.

large migration

A migration of 300or more servers.

LBAC

See label-based access control.

least privilege

The security best practice of granting the minimum permissions required to perform a task. For

more information, see Apply least-privilege permissions in the IAM documentation.

lift and shift

See 7 Rs.

little-endian system

A system that stores the least signiﬁcant byte ﬁrst. See also endianness.

lower environments

See environment.

L 40

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

machine learning (ML)

A type of artiﬁcial intelligence that uses algorithms and techniques for pattern recognition and

learning. ML analyzes and learns from recorded data, such as Internet of Things (IoT) data, to

generate a statistical model based on patterns. For more information, see Machine Learning.

main branch

See branch.

malware

Software that is designed to compromise computer security or privacy. Malware might disrupt

computer systems, leak sensitive information, or gain unauthorized access. Examples of

malware include viruses, worms, ransomware, Trojan horses, spyware, and keyloggers.

managed services

AWS services for which AWS operates the infrastructure layer, the operating system, and

platforms, and you access the endpoints to store and retrieve data. Amazon Simple Storage

Service (Amazon S3) and Amazon DynamoDB are examples of managed services. These are also

known as abstracted services.

manufacturing execution system (MES)

A software system for tracking, monitoring, documenting, and controlling production processes

that convert raw materials to ﬁnished products on the shop ﬂoor.

MAP

See Migration Acceleration Program.

mechanism

A complete process in which you create a tool, drive adoption of the tool, and then inspect the

results in order to make adjustments. A mechanism is a cycle that reinforces and improves itself

as it operates. For more information, see Building mechanisms in the AWS Well-Architected

Framework.

member account

All AWS accounts other than the management account that are part of an organization in AWS

Organizations. An account can be a member of only one organization at a time.

M 41

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

MES

See manufacturing execution system.

Message Queuing Telemetry Transport (MQTT)

A lightweight, machine-to-machine (M2M) communication protocol, based on the publish/

subscribe pattern, for resource-constrained IoT devices.

microservice

A small, independent service that communicates over well-deﬁned APIs and is typically

owned by small, self-contained teams. For example, an insurance system might include

microservices that map to business capabilities, such as sales or marketing, or subdomains,

such as purchasing, claims, or analytics. The beneﬁts of microservices include agility, ﬂexible

scaling, easy deployment, reusable code, and resilience. For more information, see Integrating

microservices by using AWS serverless services.

microservices architecture

An approach to building an application with independent components that run each application

process as a microservice. These microservices communicate through a well-deﬁned interface

by using lightweight APIs. Each microservice in this architecture can be updated, deployed,

and scaled to meet demand for speciﬁc functions of an application. For more information, see

Implementing microservices on AWS.

Migration Acceleration Program (MAP)

An AWS program that provides consulting support, training, and services to help organizations

build a strong operational foundation for moving to the cloud, and to help oﬀset the initial

cost of migrations. MAP includes a migration methodology for executing legacy migrations in a

methodical way and a set of tools to automate and accelerate common migration scenarios.

migration at scale

The process of moving the majority of the application portfolio to the cloud in waves, with

more applications moved at a faster rate in each wave. This phase uses the best practices and

lessons learned from the earlier phases to implement a migration factory of teams, tools, and

processes to streamline the migration of workloads through automation and agile delivery. This

is the third phase of the AWS migration strategy.

M 42

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

migration factory

Cross-functional teams that streamline the migration of workloads through automated, agile

approaches. Migration factory teams typically include operations, business analysts and owners,

migration engineers, developers, and DevOps professionals working in sprints. Between 20

and 50 percent of an enterprise application portfolio consists of repeated patterns that can

be optimized by a factory approach. For more information, see the discussion of migration

factories and the Cloud Migration Factory guide in this content set.

migration metadata

The information about the application and server that is needed to complete the migration.

Each migration pattern requires a diﬀerent set of migration metadata. Examples of migration

metadata include the target subnet, security group, and AWS account.

migration pattern

A repeatable migration task that details the migration strategy, the migration destination, and

the migration application or service used. Example: Rehost migration to Amazon EC2 with AWS

Application Migration Service.

Migration Portfolio Assessment (MPA)

An online tool that provides information for validating the business case for migrating to

the AWS Cloud. MPA provides detailed portfolio assessment (server right-sizing, pricing, TCO

comparisons, migration cost analysis) as well as migration planning (application data analysis

and data collection, application grouping, migration prioritization, and wave planning). The

MPA tool (requires login) is available free of charge to all AWS consultants and APN Partner

consultants.

Migration Readiness Assessment (MRA)

The process of gaining insights about an organization’s cloud readiness status, identifying

strengths and weaknesses, and building an action plan to close identiﬁed gaps, using the AWS

CAF. For more information, see the migration readiness guide. MRA is the ﬁrst phase of the AWS

migration strategy.

migration strategy

The approach used to migrate a workload to the AWS Cloud. For more information, see the 7 Rs

entry in this glossary and see Mobilize your organization to accelerate large-scale migrations.

M 43

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

See machine learning.

modernization

Transforming an outdated (legacy or monolithic) application and its infrastructure into an agile,

elastic, and highly available system in the cloud to reduce costs, gain eﬃciencies, and take

advantage of innovations. For more information, see Strategy for modernizing applications in

the AWS Cloud.

modernization readiness assessment

An evaluation that helps determine the modernization readiness of an organization’s

applications; identiﬁes beneﬁts, risks, and dependencies; and determines how well the

organization can support the future state of those applications. The outcome of the assessment

is a blueprint of the target architecture, a roadmap that details development phases and

milestones for the modernization process, and an action plan for addressing identiﬁed gaps. For

more information, see Evaluating modernization readiness for applications in the AWS Cloud.

monolithic applications (monoliths)

Applications that run as a single service with tightly coupled processes. Monolithic applications

have several drawbacks. If one application feature experiences a spike in demand, the

entire architecture must be scaled. Adding or improving a monolithic application’s features

also becomes more complex when the code base grows. To address these issues, you can

use a microservices architecture. For more information, see Decomposing monoliths into

microservices.

MPA

See Migration Portfolio Assessment.

MQTT

See Message Queuing Telemetry Transport.

multiclass classiﬁcation

A process that helps generate predictions for multiple classes (predicting one of more than

two outcomes). For example, an ML model might ask "Is this product a book, car, or phone?" or

"Which product category is most interesting to this customer?"

M 44

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

mutable infrastructure

A model that updates and modiﬁes the existing infrastructure for production workloads. For

improved consistency, reliability, and predictability, the AWS Well-Architected Framework

recommends the use of immutable infrastructure as a best practice.

OAC

See origin access control.

OAI

See origin access identity.

OCM

See organizational change management.

oﬄine migration

A migration method in which the source workload is taken down during the migration process.

This method involves extended downtime and is typically used for small, non-critical workloads.

See operations integration.

OLA

See operational-level agreement.

online migration

A migration method in which the source workload is copied to the target system without being

taken oﬄine. Applications that are connected to the workload can continue to function during

the migration. This method involves zero to minimal downtime and is typically used for critical

production workloads.

OPC-UA

See Open Process Communications - Uniﬁed Architecture.

O 45

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

Open Process Communications - Uniﬁed Architecture (OPC-UA)

A machine-to-machine (M2M) communication protocol for industrial automation. OPC-UA

provides an interoperability standard with data encryption, authentication, and authorization

schemes.

operational-level agreement (OLA)

An agreement that clariﬁes what functional IT groups promise to deliver to each other, to

support a service-level agreement (SLA).

operational readiness review (ORR)

A checklist of questions and associated best practices that help you understand, evaluate,

prevent, or reduce the scope of incidents and possible failures. For more information, see

Operational Readiness Reviews (ORR) in the AWS Well-Architected Framework.

operational technology (OT)

Hardware and software systems that work with the physical environment to control industrial

operations, equipment, and infrastructure. In manufacturing, the integration of OT and

information technology (IT) systems is a key focus for Industry 4.0 transformations.

operations integration (OI)

The process of modernizing operations in the cloud, which involves readiness planning,

automation, and integration. For more information, see the operations integration guide.

organization trail

A trail that’s created by AWS CloudTrail that logs all events for all AWS accounts in an

organization in AWS Organizations. This trail is created in each AWS account that’s part of the

organization and tracks the activity in each account. For more information, see Creating a trail

for an organization in the CloudTrail documentation.

organizational change management (OCM)

A framework for managing major, disruptive business transformations from a people, culture,

and leadership perspective. OCM helps organizations prepare for, and transition to, new

systems and strategies by accelerating change adoption, addressing transitional issues, and

driving cultural and organizational changes. In the AWS migration strategy, this framework is

called people acceleration, because of the speed of change required in cloud adoption projects.

For more information, see the OCM guide.

O 46

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

origin access control (OAC)

In CloudFront, an enhanced option for restricting access to secure your Amazon Simple Storage

Service (Amazon S3) content. OAC supports all S3 buckets in all AWS Regions, server-side

encryption with AWS KMS (SSE-KMS), and dynamic PUT and DELETE requests to the S3 bucket.

origin access identity (OAI)

In CloudFront, an option for restricting access to secure your Amazon S3 content. When you

use OAI, CloudFront creates a principal that Amazon S3 can authenticate with. Authenticated

principals can access content in an S3 bucket only through a speciﬁc CloudFront distribution.

See also OAC, which provides more granular and enhanced access control.

ORR

See operational readiness review.

See operational technology.

outbound (egress) VPC

In an AWS multi-account architecture, a VPC that handles network connections that are

initiated from within an application. The AWS Security Reference Architecture recommends

setting up your Network account with inbound, outbound, and inspection VPCs to protect the

two-way interface between your application and the broader internet.

permissions boundary

An IAM management policy that is attached to IAM principals to set the maximum permissions

that the user or role can have. For more information, see Permissions boundaries in the IAM

documentation.

personally identiﬁable information (PII)

Information that, when viewed directly or paired with other related data, can be used to

reasonably infer the identity of an individual. Examples of PII include names, addresses, and

contact information.

P 47

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

PII

See personally identiﬁable information.

playbook

A set of predeﬁned steps that capture the work associated with migrations, such as delivering

core operations functions in the cloud. A playbook can take the form of scripts, automated

runbooks, or a summary of processes or steps required to operate your modernized

environment.

PLC

See programmable logic controller.

PLM

See product lifecycle management.

policy

An object that can deﬁne permissions (see identity-based policy), specify access conditions (see

resource-based policy), or deﬁne the maximum permissions for all accounts in an organization

in AWS Organizations (see service control policy).

polyglot persistence

Independently choosing a microservice’s data storage technology based on data access patterns

and other requirements. If your microservices have the same data storage technology, they can

encounter implementation challenges or experience poor performance. Microservices are more

easily implemented and achieve better performance and scalability if they use the data store

best adapted to their requirements. For more information, see Enabling data persistence in

microservices.

portfolio assessment

A process of discovering, analyzing, and prioritizing the application portfolio in order to plan

the migration. For more information, see Evaluating migration readiness.

predicate

A query condition that returns true or false, commonly located in a WHERE clause.

P 48

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

predicate pushdown

A database query optimization technique that ﬁlters the data in the query before transfer. This

reduces the amount of data that must be retrieved and processed from the relational database,

and it improves query performance.

preventative control

A security control that is designed to prevent an event from occurring. These controls are a ﬁrst

line of defense to help prevent unauthorized access or unwanted changes to your network. For

more information, see Preventative controls in Implementing security controls on AWS.

principal

An entity in AWS that can perform actions and access resources. This entity is typically a root

user for an AWS account, an IAM role, or a user. For more information, see Principal in Roles

terms and concepts in the IAM documentation.

Privacy by Design

An approach in system engineering that takes privacy into account throughout the whole

engineering process.

private hosted zones

A container that holds information about how you want Amazon Route53 to respond to DNS

queries for a domain and its subdomains within one or more VPCs. For more information, see

Working with private hosted zones in the Route53 documentation.

proactive control

A security control designed to prevent the deployment of noncompliant resources. These

controls scan resources before they are provisioned. If the resource is not compliant with the

control, then it isn't provisioned. For more information, see the Controls reference guide in the

AWS Control Tower documentation and see Proactive controls in Implementing security controls

on AWS.

product lifecycle management (PLM)

The management of data and processes for a product throughout its entire lifecycle, from

design, development, and launch, through growth and maturity, to decline and removal.

production environment

See environment.

P 49

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

programmable logic controller (PLC)

In manufacturing, a highly reliable, adaptable computer that monitors machines and automates

manufacturing processes.

pseudonymization

The process of replacing personal identiﬁers in a dataset with placeholder values.

Pseudonymization can help protect personal privacy. Pseudonymized data is still considered to

be personal data.

publish/subscribe (pub/sub)

A pattern that enables asynchronous communications among microservices to improve

scalability and responsiveness. For example, in a microservices-based MES, a microservice can

publish event messages to a channel that other microservices can subscribe to. The system can

add new microservices without changing the publishing service.

query plan

A series of steps, like instructions, that are used to access the data in a SQL relational database

system.

query plan regression

When a database service optimizer chooses a less optimal plan than it did before a given

change to the database environment. This can be caused by changes to statistics, constraints,

environment settings, query parameter bindings, and updates to the database engine.

RACI matrix

See responsible, accountable, consulted, informed (RACI).

ransomware

A malicious software that is designed to block access to a computer system or data until a

payment is made.

Q 50

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

RASCI matrix

See responsible, accountable, consulted, informed (RACI).

RCAC

See row and column access control.

read replica

A copy of a database that’s used for read-only purposes. You can route queries to the read

replica to reduce the load on your primary database.

re-architect

See 7 Rs.

recovery point objective (RPO)

The maximum acceptable amount of time since the last data recovery point. This determines

what is considered an acceptable loss of data between the last recovery point and the

interruption of service.

recovery time objective (RTO)

The maximum acceptable delay between the interruption of service and restoration of service.

refactor

See 7 Rs.

Region

A collection of AWS resources in a geographic area. Each AWS Region is isolated and

independent of the others to provide fault tolerance, stability, and resilience. For more

information, see Specify which AWS Regions your account can use.

regression

An ML technique that predicts a numeric value. For example, to solve the problem of "What

price will this house sell for?" an ML model could use a linear regression model to predict a

house's sale price based on known facts about the house (for example, the square footage).

rehost

See 7 Rs.

R 51

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

release

In a deployment process, the act of promoting changes to a production environment.

relocate

See 7 Rs.

replatform

See 7 Rs.

repurchase

See 7 Rs.

resiliency

An application's ability to resist or recover from disruptions. High availability and disaster

recovery are common considerations when planning for resiliency in the AWS Cloud. For more

information, see AWS Cloud Resilience.

resource-based policy

A policy attached to a resource, such as an Amazon S3 bucket, an endpoint, or an encryption

key. This type of policy speciﬁes which principals are allowed access, supported actions, and any

other conditions that must be met.

responsible, accountable, consulted, informed (RACI) matrix

A matrix that deﬁnes the roles and responsibilities for all parties involved in migration activities

and cloud operations. The matrix name is derived from the responsibility types deﬁned in the

matrix: responsible (R), accountable (A), consulted (C), and informed (I). The support (S) type

is optional. If you include support, the matrix is called a RASCI matrix, and if you exclude it, it’s

called a RACI matrix.

responsive control

A security control that is designed to drive remediation of adverse events or deviations from

your security baseline. For more information, see Responsive controls in Implementing security

controls on AWS.

retain

See 7 Rs.

R 52

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

retire

See 7 Rs.

rotation

The process of periodically updating a secret to make it more diﬃcult for an attacker to access

the credentials.

row and column access control (RCAC)

The use of basic, ﬂexible SQL expressions that have deﬁned access rules. RCAC consists of row

permissions and column masks.

RPO

See recovery point objective.

RTO

See recovery time objective.

runbook

A set of manual or automated procedures required to perform a speciﬁc task. These are

typically built to streamline repetitive operations or procedures with high error rates.

SAML 2.0

An open standard that many identity providers (IdPs) use. This feature enables federated

single sign-on (SSO), so users can log into the AWS Management Console or call the AWS API

operations without you having to create user in IAM for everyone in your organization. For more

information about SAML 2.0-based federation, see About SAML 2.0-based federation in the IAM

documentation.

SCADA

See supervisory control and data acquisition.

SCP

See service control policy.

S 53

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

secret

In AWS Secrets Manager, conﬁdential or restricted information, such as a password or user

credentials, that you store in encrypted form. It consists of the secret value and its metadata.

The secret value can be binary, a single string, or multiple strings. For more information, see

What's in a Secrets Manager secret? in the Secrets Manager documentation.

security control

A technical or administrative guardrail that prevents, detects, or reduces the ability of a threat

actor to exploit a security vulnerability. There are four primary types of security controls:

preventative, detective, responsive, and proactive.

security hardening

The process of reducing the attack surface to make it more resistant to attacks. This can include

actions such as removing resources that are no longer needed, implementing the security best

practice of granting least privilege, or deactivating unnecessary features in conﬁguration ﬁles.

security information and event management (SIEM) system

Tools and services that combine security information management (SIM) and security event

management (SEM) systems. A SIEM system collects, monitors, and analyzes data from servers,

networks, devices, and other sources to detect threats and security breaches, and to generate

alerts.

security response automation

A predeﬁned and programmed action that is designed to automatically respond to or remediate

a security event. These automations serve as detective or responsive security controls that help

you implement AWS security best practices. Examples of automated response actions include

modifying a VPC security group, patching an Amazon EC2 instance, or rotating credentials.

server-side encryption

Encryption of data at its destination, by the AWS service that receives it.

service control policy (SCP)

A policy that provides centralized control over permissions for all accounts in an organization

in AWS Organizations. SCPs deﬁne guardrails or set limits on actions that an administrator can

delegate to users or roles. You can use SCPs as allow lists or deny lists, to specify which services

or actions are permitted or prohibited. For more information, see Service control policies in the

AWS Organizations documentation.

S 54

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

service endpoint

The URL of the entry point for an AWS service. You can use the endpoint to connect

programmatically to the target service. For more information, see AWS service endpoints in

AWS General Reference.

service-level agreement (SLA)

An agreement that clariﬁes what an IT team promises to deliver to their customers, such as

service uptime and performance.

service-level indicator (SLI)

A measurement of a performance aspect of a service, such as its error rate, availability, or

throughput.

service-level objective (SLO)

A target metric that represents the health of a service, as measured by a service-level indicator.

shared responsibility model

A model describing the responsibility you share with AWS for cloud security and compliance.

AWS is responsible for security of the cloud, whereas you are responsible for security in the

cloud. For more information, see Shared responsibility model.

SIEM

See security information and event management system.

single point of failure (SPOF)

A failure in a single, critical component of an application that can disrupt the system.

SLA

See service-level agreement.

SLI

See service-level indicator.

SLO

See service-level objective.

S 55

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport

split-and-seed model

A pattern for scaling and accelerating modernization projects. As new features and product

releases are deﬁned, the core team splits up to create new product teams. This helps scale your

organization’s capabilities and services, improves developer productivity, and supports rapid

innovation. For more information, see Phased approach to modernizing applications in the AWS

Cloud.

SPOF

See single point of failure.

star schema

A database organizational structure that uses one large fact table to store transactional or

measured data and uses one or more smaller dimensional tables to store data attributes. This

structure is designed for use in a data warehouse or for business intelligence purposes.

strangler ﬁg pattern

An approach to modernizing monolithic systems by incrementally rewriting and replacing

system functionality until the legacy system can be decommissioned. This pattern uses the

analogy of a ﬁg vine that grows into an established tree and eventually overcomes and replaces

its host. The pattern was introduced by Martin Fowler as a way to manage risk when rewriting

monolithic systems. For an example of how to apply this pattern, see Modernizing legacy

Microsoft ASP.NET (ASMX) web services incrementally by using containers and Amazon API

Gateway.

subnet

A range of IP addresses in your VPC. A subnet must reside in a single Availability Zone.

supervisory control and data acquisition (SCADA)

In manufacturing, a system that uses hardware and software to monitor physical assets and

production operations.

symmetric encryption

An encryption algorithm that uses the same key to encrypt and decrypt the data.

synthetic testing

Testing a system in a way that simulates user interactions to detect potential issues or to

monitor performance. You can use Amazon CloudWatch Synthetics to create these tests.

S 56

AWS Prescriptive Guidance Connecting to Salesforce Hyperforce by using AWS Direct Connect

with Megaport