Why we built Private Link (and why you should use it)

Zero public exposure. Fully managed infrastructure. Why Private Link is the no-brainer architecture for enterprise AI.

Gary Forrest, Jan 16, 2026
Engineering

For the last decade, I’ve watched engineering teams fight the same battle over and over.

You have the application team who wants to use best-in-class SaaS tools (Snowflake, Confluent, DataStax). They want the velocity of managed infrastructure. They do not want to manage hardware. "Do what you're good at," right? Ford doesn't make tires. Your engineering team shouldn't have to manufacture your own inference infrastructure.

Then you have the security team. They look at the architecture diagram, see traffic traversing the public internet to an API endpoint, and hit the brakes. "Can we self-host this? Can we air-gap it?"

Suddenly, your application engineers are spending months figuring out how to run a vendor’s complex stack in your own Kubernetes cluster, just to satisfy a network compliance checkbox.

It’s a massive waste of engineering talent.

Today, we are launching bem Private Link to end that trade-off for unstructured data.

The Evolution of Secure Connectivity

We’ve seen the industry try to solve this in a few ways. First, it was on-prem packages. You install it, you manage it, you patch it. Painful.

Then came VPC Peering. It solved the connectivity, but created a networking nightmare. "What happens if we have overlapping CIDR ranges?" "How do we ensure isolation between 50 different customers?" It was a mess of routing tables and entangled security groups.

Private Link is the answer. It gives you the connection without the entanglement. We don't care what your IPs are, you don't care what ours are. It is the gold standard adopted by every major cloud provider and data platform.

Why? Because it gives you the security posture of on-premise with the operational simplicity of SaaS.

Here is what that actually means for you as a customer:

1. Zero Public Exposure

When you connect to bem via Private Link, your data never touches the public internet.

We provision a dedicated endpoint service in our VPC. You create an interface endpoint in your VPC. Your traffic travels exclusively over the AWS private backbone.

You can lock down your Security Groups to allow outbound traffic only to that specific VPC Endpoint ID. No more whitelisting 0.0.0.0/0 or managing complex proxy fleets.

2. We manage the mess

Self-hosting AI infrastructure is painful. Managing GPU auto-scaling, model weights, and inference latency requires a dedicated platform team.

With Private Link, bem looks like a local resource on your network (e.g., 10.0.1.45). We handle the heavy lifting of the inference engine, the scaling, and the updates. You just treat it like an RDS instance.

3. Reduced Latency

By keeping traffic within the AWS network, we remove the internet hops. This significantly reduces jitter and improves throughput for high-volume document and video pipelines. Even if you are in a different region (e.g., us-east-2) than our core infrastructure, AWS PrivateLink handles the cross-region traffic securely over their backbone.

How it works (The Engineering Details)

We’ve modeled our implementation on the gold standard set by platforms like Snowflake.

  1. Handshake: We allow your AWS Account Principal to connect to our Endpoint Service.
  2. Connection: You provision an Interface VPC Endpoint in your account targeting our service.
  3. DNS: You configure your private Route 53 zones to resolve api.bem.ai to your new local VPC Endpoint IP.

That’s it. Your application code doesn’t change. Your SDKs don’t change. You just flip the switch on the network path.
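An added check for the DNS step above (example code, not bem's own): run from a host inside your VPC, it confirms that api.bem.ai resolves only to addresses inside the VPC's CIDR blocks, so a missing or mis-associated private zone is caught before traffic silently takes the public path. The CIDR `10.0.0.0/16` and the function names are assumptions for illustration.

```python
import ipaddress
import socket
import sys


def resolve(hostname, port=443):
    """Return the sorted set of addresses the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_private_path(addresses, vpc_cidrs):
    """Classify resolved addresses against the VPC's CIDR blocks.

    Returns (ok, findings). ok is True only when at least one address was
    resolved and every address sits inside one of the VPC CIDRs, so a mixed
    answer (one private, one public) fails closed.
    """
    networks = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    findings = []
    for raw in addresses:
        ip = ipaddress.ip_address(raw.split("%")[0])  # drop any IPv6 zone id
        inside = any(ip.version == net.version and ip in net for net in networks)
        findings.append((raw, "in-vpc" if inside else "outside-vpc"))
    ok = bool(findings) and all(status == "in-vpc" for _, status in findings)
    return ok, findings


if __name__ == "__main__":
    VPC_CIDRS = ["10.0.0.0/16"]  # assumption: replace with your VPC's CIDR blocks
    try:
        resolved = resolve("api.bem.ai")
    except socket.gaierror as exc:
        print(f"resolution failed: {exc}")
        sys.exit(1)
    ok, findings = check_private_path(resolved, VPC_CIDRS)
    for address, status in findings:
        print(f"{address}\t{status}")
    # Non-zero exit lets a deploy pipeline or health check block on this.
    sys.exit(0 if ok else 1)
```

Wiring this into a deployment pre-flight or a periodic health check also catches later drift, such as a private zone being detached from the VPC.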

Availability

We are launching support for AWS in US Regions (us-east-1, us-west-2) initially. Support for other clouds (Azure, GCP) is on the roadmap.

Ready for Production

We are rolling this out starting today.

If you are in FinTech, Healthcare, or Logistics and you’ve been holding off on modernizing your unstructured data pipeline because of network isolation requirements, let’s talk.

We’re ready to build this with you. Contact our team for access.
