Overview
PrivateLink provides private IP connectivity from your Devin Dedicated SaaS VPC to your internal endpoints. To enable this, your team provides an AWS VPC Endpoint Service in front of each internal system that Devin needs to reach. Cognition then creates Interface VPC Endpoints that consume that service. PrivateLink is configured on a per-domain basis. If Devin must reach multiple domains, you will need one Endpoint Service and one Interface Endpoint for each domain.
Requirements
You must provide:
- A Network Load Balancer (NLB) in your AWS account that fronts each internal service (GitLab, Artifactory, etc.)
- A VPC Endpoint Service that uses the NLB as its target
- The service name for each Endpoint Service
- Allowed principal permissions that include the Cognition AWS account
- Confirmation of supported ports for each service
- DNS information for the domains Devin must resolve privately
- The AWS account ID to add as an allowed principal
- The target VPC and subnet information for the Interface Endpoints
- DNS configuration on the Devin side once connectivity is established
Cross Region PrivateLink (if your services are in a different region)
If your internal services run in a different region than your Cognition Dedicated SaaS tenant, PrivateLink can still be used. AWS supports cross-region endpoint consumption provided the service owner enables it.
Customer steps
- Create or reuse the Network Load Balancer
  The NLB should target the internal systems Devin must access. The NLB must support all required ports.
- Create a VPC Endpoint Service from the NLB
  This makes the service available for consumption over PrivateLink.
- Enable cross region support
  In the AWS console:
  Add the region where your Cognition tenant is deployed. CLI example:
- Add Cognition’s AWS account as an allowed principal
- Provide the following details to Cognition
  - Endpoint Service name
    Example: com.amazonaws.vpce.us-west-2.vpce-svc-0abc123
  - Ports the service accepts
  - The domains that should resolve through PrivateLink
What happens next
Once you provide the details above, Cognition will:
- Create Interface VPC Endpoints in your dedicated tenant VPC using the service names you provided.
- Send a connection request that you’ll need to approve (either manually or via auto-accept if configured).
- Configure DNS so that your specified domains resolve privately within the Devin environment.
Architecture Diagram
Cross-region PrivateLink connectivity from Cognition to customer internal services
Key Considerations
| Topic | Guidance |
|---|---|
| Required setup | One Endpoint Service per domain, one Interface Endpoint per domain |
| Cross region support | Must be explicitly enabled on the Endpoint Service |
| Allowed principals | Customer must add Cognition’s AWS account ID |
| DNS | Customer domains will resolve to private Interface Endpoint IPs on the Cognition side |
| Ports | NLB listeners must match the ports Devin uses to access each service |
| Availability | NLB and underlying targets should be configured in multiple Availability Zones |
| Latency | Small cross region latency increase may occur, since traffic stays on the AWS backbone |
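
A readiness check for the settings in the table above, as an added example (not Cognition's or AWS's tooling). It assumes JSON shaped like the output of `aws ec2 describe-vpc-endpoint-service-configurations`, `aws ec2 describe-vpc-endpoint-service-permissions` and `aws elbv2 describe-listeners`; the account ID, regions, ports and function names are constructed placeholders.

```python
# Added example: readiness check over constructed AWS CLI-style JSON.
# Account ID, regions and service ID are placeholders, not real values.

SERVICE = {  # assumed shape: describe-vpc-endpoint-service-configurations
    "ServiceName": "com.amazonaws.vpce.us-west-2.vpce-svc-0abc123",
    "AvailabilityZones": ["us-west-2a"],
    "SupportedRegions": [{"Region": "us-west-2"}],
}
PERMISSIONS = {  # assumed shape: describe-vpc-endpoint-service-permissions
    "AllowedPrincipals": [{"Principal": "*"}],
}
LISTENERS = {"Listeners": [{"Port": 443, "Protocol": "TCP"}]}  # elbv2 describe-listeners


def account_of(principal):
    """Return the account ID from an IAM ARN, or None for '*' and non-ARNs."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def audit(service, permissions, listeners, tenant_region, consumer_account, ports):
    """Return a list of findings; an empty list means ready to hand off."""
    findings = []
    # The service name embeds its home region: com.amazonaws.vpce.<region>.<id>
    home_region = service["ServiceName"].split(".")[3]
    supported = {r["Region"] for r in service.get("SupportedRegions", [])}
    if tenant_region != home_region and tenant_region not in supported:
        findings.append(f"cross region: {tenant_region} not enabled on the service")
    principals = [p["Principal"] for p in permissions.get("AllowedPrincipals", [])]
    if "*" in principals:
        findings.append("principals: '*' lets any AWS account request a connection")
    if consumer_account not in {account_of(p) for p in principals}:
        findings.append(f"principals: account {consumer_account} is not allowed")
    open_ports = {lst["Port"] for lst in listeners.get("Listeners", [])}
    for port in sorted(set(ports) - open_ports):
        findings.append(f"ports: NLB has no listener on {port}")
    if len(service.get("AvailabilityZones", [])) < 2:
        findings.append("availability: service spans fewer than two AZs")
    return findings


if __name__ == "__main__":
    for finding in audit(SERVICE, PERMISSIONS, LISTENERS,
                         tenant_region="us-east-1",
                         consumer_account="111122223333", ports=[443, 22]):
        print("FAIL", finding)
```

Run it per Endpoint Service, since the setup is one service per domain.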
Information to Provide to Cognition
When your setup is ready, send Cognition:
- AWS Endpoint Service names for each internal domain
- Confirmation that cross region support is enabled (if applicable)
- Allowed principal configuration is complete
- Ports exposed by the NLB
- The list of domains that should be routed through PrivateLink
