
# Private Spaces & VPC Peering on Heroku

[Heroku Private Spaces](https://www.heroku.com/private-spaces) are network-isolated application containers available to [Heroku Enterprise](https://www.heroku.com/enterprise) customers. Private Spaces allow organizations to host applications within a secure, HIPAA-compliant environment. They are ideal for apps that handle PII and other legally regulated types of data.

When third-party add-ons are included in your build, additional steps need to be taken for your data to get the full benefit of a Private Space. Most add-ons are operated outside of Heroku's VPC, which means your Private Space application will be communicating with them across the public internet. For some use cases this is unacceptable, which is why Bonsai proudly supports joining our networks together, allowing your traffic to travel on the private backbone of AWS. Joining these networks together securely requires some careful networking, called _peering_.

Fortunately, both Heroku and Bonsai run on AWS infrastructure, which offers a service called [VPC Peering](https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/Welcome.html). VPC Peering is a network connection between two VPCs that allows appliances within each VPC to communicate as though they were in a single network.

> **Be aware of your security model**
>
> Bonsai clusters come in one of two architectures: multitenant or single tenant. Clusters in the single tenant architecture (Dedicated and Enterprise tiers) run on private, sandboxed nodes. Clusters in the multitenant architecture (the Shared tier) are in an environment where resources are shared among multiple users. As a result, **shared tier clusters are not available for VPC Peering.**
>
> This may or may not be acceptable for the data you plan to index. The rest of this guide assumes you are running on a Dedicated

VPC Peering can be set up between a Heroku Private Space and a Bonsai cluster on a Dedicated or Enterprise plan. This configuration will ensure maximum isolation and protection of your data.

## Gather your Heroku Peering Network Settings

In your Heroku Private Space you'll need to navigate to the Network tab, and make a note of some settings under the Peering sub-section of the page. We will use this data to initiate a peering connection with your Heroku Space.

> **Finding Your Private Space URL**
>
> Your Private Space URL will look something like:
>
>     https://dashboard.heroku.com/teams/<team name>/spaces/<space name>/network

[Image: img1.png (https://files.readme.io/21b883e-img1.png), the Peering sub-section of the Network tab]

## Accept our Peering Request

Once Bonsai has the above data, we will initiate a peering request to your Space, which will show up in the Network tab under the Peering sub-section. It should look like this:

[Image: img2.png (https://files.readme.io/490b489-img2.png), the pending peering request]

> **Network changes are not instantaneous**
>
> The lead time for this to show up ranges from 30 minutes to a few hours.

When you accept the invitation, the UI should change to look like:

[Image: img3.png (https://files.readme.io/4677def-img3.png), the accepted peering connection]

Once the request has been accepted, you will be able to use the cluster URL provided in the [Bonsai dashboard](doc:exploring-your-cluster-dashboard).

> **Private Means Private!**
>
> The DNS entry for your cluster will be pointing to private internal IP addresses, which means you will not be able to access this cluster except from within the Heroku Space. Browsers and `curl` commands will not work.
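A quick way to confirm that the peering is actually in effect is to check, from inside the Space, that the cluster hostname resolves only to private addresses rather than to public ones. The script below is an added example and is not Bonsai's or Heroku's own tooling; it assumes the cluster URL is the one shown in the Bonsai dashboard (possibly with credentials embedded in it, which are stripped before resolving), that your Space's VPC CIDR is drawn from the RFC 1918 ranges (extend `PRIVATE_V4` if yours is not), and that it is run from a dyno within the Private Space, since that is the only place the private DNS answer is useful.

```python
"""Check that a Bonsai cluster URL resolves only to private addresses.

Added example (not part of the original page). Run it from inside the
Private Space, e.g. via `heroku run`, passing the cluster URL as argv[1].
"""
import ipaddress
import socket
import sys
from urllib.parse import urlsplit

# Assumption: the peered VPC CIDRs come from these RFC 1918 ranges (IPv4)
# or the ULA range (IPv6). Add your Space's CIDR here if it differs.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVATE_V6 = [ipaddress.ip_network("fc00::/7")]


def hostname_from_cluster_url(url):
    """Return just the host part of a cluster URL.

    Bonsai URLs may carry basic-auth credentials (https://user:pass@host);
    urlsplit().hostname drops them so they never reach a DNS log line.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no hostname found in cluster URL")
    return host


def is_private_address(addr):
    """True if addr lies in one of the private ranges defined above."""
    ip = ipaddress.ip_address(addr)
    ranges = PRIVATE_V4 if ip.version == 4 else PRIVATE_V6
    return any(ip in net for net in ranges)


def classify_addresses(addrs):
    """Split a list of address strings into (private, public) lists."""
    private, public = [], []
    for addr in addrs:
        (private if is_private_address(addr) else public).append(addr)
    return private, public


def peering_in_effect(addrs):
    """Peering is in effect only if there is at least one address and
    every one of them is private: a single public record means some
    traffic could still leave the AWS backbone."""
    private, public = classify_addresses(addrs)
    return bool(private) and not public


def resolve_all(hostname):
    """Resolve every A/AAAA record for hostname (requires network access)."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def check_cluster(url):
    """End-to-end check: parse, resolve, classify. Returns True when OK."""
    host = hostname_from_cluster_url(url)
    addrs = resolve_all(host)
    private, public = classify_addresses(addrs)
    print(f"{host} -> private: {private or 'none'}; public: {public or 'none'}")
    return peering_in_effect(addrs)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_peering.py <cluster-url>")
    sys.exit(0 if check_cluster(sys.argv[1]) else 1)
```

The exit status makes the check easy to wire into a release-phase task or a periodic job: a non-zero exit means the name resolved to nothing or to at least one public address, which is worth investigating before the app starts sending data to it.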