heroku / roadmap

This is the public roadmap for Salesforce Heroku services.

Support VPC peering for Add-ons #43

Open johanrhodin opened 2 years ago

johanrhodin commented 2 years ago

Required Terms

What service(s) is this request for?

Addons

Tell us about what you're trying to solve. What challenges are you facing?

Today only Heroku's "internal" add-ons (Heroku Postgres, etc.) let customers peer with their servers in AWS. This should be possible to offer for external add-ons.

afawcett commented 1 year ago

Thanks for this idea @johanrhodin. We have been discussing ways to add further value to our vendors' add-ons. I'll pass this idea on to our Product Manager for Heroku Ecosystem. In the meantime, do you have some thoughts on which add-ons you have in mind that would be most useful to you?

lauragsack commented 1 year ago

Hi @johanrhodin, thanks for sharing this idea. I'm the Heroku Ecosystem Product Manager and would love to learn more about the use case. As an add-on provider, how would this improve your add-ons' services?

johanrhodin commented 1 year ago

VPC peering would lower data costs for both the add-on provider and Heroku; additionally, it would bring security benefits.

Without going too much into the technical weeds: for CloudAMQP it would also lower CPU usage, lower the complexity for some applications, and for certain workloads (with heavy connection churn) it could boost performance.

johanrhodin commented 1 year ago

@afawcett This would be for the add-ons CloudAMQP, CloudKarafka and CloudMQTT, with emphasis on the first two.

lauragsack commented 1 year ago

Got it, thanks for the additional info. I'm looking into this internally and will share an update in the new year.

friism commented 1 year ago

@johanrhodin curious to get your thoughts on whether you (as an add-on provider) would be OK supporting attaching your add-ons to private space apps by using VPC Endpoints / PrivateLink instead of VPC peering? Obviously VPC peering has worked OK for us to power interconnection between Private Space apps and data resources, but it has some annoying limitations:

johanrhodin commented 1 year ago

@friism That could be doable! One downside is that PrivateLink requires a "Load balancer" and potentially "cross zone load balancing", both of which incur cost. So we might have to have Heroku plans with "plan" and "plan + privatelink ($$$)". But yes it would be better than the current situation!

friism commented 1 year ago

@johanrhodin is there a 3rd method (besides VPC peering or VPC endpoints) that you'd like? It sounds like you kind of like VPC Peering because of low cost (e.g. no overhead). I'm curious if you've spec'd out an implementation with VPC peering, or would you need more details from Heroku?

johanrhodin commented 1 year ago

@friism We have both VPC peering and PrivateLink as options for our direct customers and both work reasonably well (with the limitations/drawbacks that you've mentioned); we're open to using either.