Connect your tasks directly to private AWS resources. RDS, ElastiCache, internal APIs, anything reachable inside your VPC: your tasks can talk to it without exposing the resource to the public internet.
Create a VPC Endpoint Service in your AWS account, paste the service name into the Trigger.dev dashboard, and your task pods connect over AWS PrivateLink. The resource stays inside your VPC. No public endpoint, no IP allowlist, no VPN.
How it works
Three things happen to wire it up:
- You create a Network Load Balancer + VPC Endpoint Service in your AWS account, pointing at the resource you want to expose (RDS, ElastiCache, an internal API, anything reachable inside your VPC).
- You add Trigger.dev's AWS account as an allowed principal on the Endpoint Service.
- We provision a VPC Endpoint on our side. Your tasks get a private IP they can use as the hostname in their connection string.
The assigned IP lives in our VPC, but it's only reachable from your organization's task pods. Every connection gets a dedicated CiliumNetworkPolicy that targets pods labeled with your org ID and allows egress only to your endpoint's IPs. Cilium compiles those rules into eBPF programs in the kernel, so traffic from any other organization is dropped at the network layer before it touches the endpoint.
Connections are organization-wide and work across all your projects and environments.
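The AWS-side steps above (Network Load Balancer, VPC Endpoint Service, allowed principal), sketched in Terraform as an added example; this is not the prefilled script from the Trigger.dev dashboard. Every variable and resource name is a hypothetical placeholder, and the principal ARN is not given on this page, so it is left as an input.

```hcl
# Added example: names and variables are placeholders, not Trigger.dev's own script.
variable "vpc_id" { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "target_ip" { type = string }              # private IP of the resource (e.g. RDS)
variable "target_port" { type = number }            # e.g. 5432 for Postgres
variable "consumer_principal_arn" { type = string } # Trigger.dev's AWS principal (not on this page)

resource "aws_lb" "privatelink" {
  name               = "privatelink-nlb"
  internal           = true # no public address on the load balancer
  load_balancer_type = "network"
  subnets            = var.private_subnet_ids
}

resource "aws_lb_target_group" "resource" {
  name        = "privatelink-target"
  port        = var.target_port
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.vpc_id
}

resource "aws_lb_target_group_attachment" "resource" {
  target_group_arn = aws_lb_target_group.resource.arn
  target_id        = var.target_ip
  port             = var.target_port
}

resource "aws_lb_listener" "tcp" {
  load_balancer_arn = aws_lb.privatelink.arn
  port              = var.target_port
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.resource.arn
  }
}

resource "aws_vpc_endpoint_service" "this" {
  acceptance_required        = false # assumption: access is gated by the allowed principal only
  network_load_balancer_arns = [aws_lb.privatelink.arn]
}

# Only this principal may create an endpoint to the service; avoid a wildcard here.
resource "aws_vpc_endpoint_service_allowed_principal" "consumer" {
  vpc_endpoint_service_id = aws_vpc_endpoint_service.this.id
  principal_arn           = var.consumer_principal_arn
}

output "service_name" { value = aws_vpc_endpoint_service.this.service_name }
```

Traffic arriving through the endpoint service reaches the target from the load balancer's private IPs, so the resource's security group needs to allow the NLB subnets on the target port. The `service_name` output is the value to paste into the dashboard.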
Adding a connection
Open Settings → Private Connections → New in the dashboard. Pick a region, enter your hostname and ports, then choose how you want to set up the AWS side. You can paste an existing VPC Endpoint Service name, copy a prefilled Terraform script, generate a prompt to paste into an AI agent of your choice to create the AWS resources for you, or follow a step-by-step Console walkthrough. Submit the service name, wait a minute or two for provisioning, and copy the assigned IP once the connection flips to ACTIVE.
What you can connect
Any TCP service reachable inside your VPC:
- RDS (Postgres, MySQL, Aurora)
- ElastiCache (Redis, Memcached)
- Internal microservices and APIs
- Self-hosted databases on EC2
PrivateLink supports 28 AWS regions on your side. Trigger.dev consumes them in us-east-1 and eu-central-1, where your tasks run.
Get started
AWS PrivateLink is available on Pro and Enterprise plans. The default limit is 2 connections per organization (we'll raise it if you need more).
Open Settings → Private Connections in your org to create your first one.

