Skip to main content
Some enterprise customers require Devin to connect privately to internal systems such as GitHub Enterprise Server, GitLab, Bitbucket Data Center, Artifactory, Nexus, or other developer infrastructure. Devin Dedicated SaaS supports this through AWS PrivateLink. This model keeps all traffic on the AWS backbone and avoids exposure on the public internet.

Overview

PrivateLink provides private IP connectivity from your Devin Dedicated SaaS environment to your internal endpoints. To enable this, your team provides an AWS VPC Endpoint Service in front of each internal system that Devin needs to reach. Cognition then creates Interface VPC Endpoints that consume that service. PrivateLink is configured on a per domain basis. If Devin must reach multiple domains, you will need one Endpoint Service and one Interface Endpoint for each domain.

Requirements

You must provide:
  • A Network Load Balancer (NLB) in your AWS account that fronts each internal service (GitLab, Artifactory, etc.)
  • A VPC Endpoint Service that uses the NLB as its target
  • The service name for each Endpoint Service
  • Allowed principal permissions that include the Cognition AWS account
  • Confirmation of supported ports for each service
  • DNS information for the domains Devin must resolve privately
Cognition will provide:
  • The AWS account ID to add as an allowed principal
  • The target VPC and subnet information for the Interface Endpoints
  • DNS configuration on the Devin side once connectivity is established
If your internal services run in a different region than your Cognition Dedicated SaaS tenant, PrivateLink can still be used. AWS supports cross region endpoint consumption provided the service owner enables it.

Customer steps

  1. Create or reuse the Network Load Balancer The NLB should target the internal systems Devin must access. The NLB must support all required ports.
  2. Create a VPC Endpoint Service from the NLB This makes the service available for consumption over PrivateLink.
  3. Enable cross region support In the AWS console: 
    VPC Console → Endpoint Services → Select service → Actions → Modify supported Regions
    Add the region where your Cognition tenant is deployed. CLI example: 
    aws ec2 modify-vpc-endpoint-service-configuration \
    --service-id vpce-svc-0abc123 \
    --add-supported-regions us-west-2  # Your Cognition tenant region
  4. Add Cognition’s AWS account as an allowed principal 
    aws ec2 modify-vpc-endpoint-service-permissions \
    --service-id vpce-svc-0abc123 \
    --add-allowed-principals arn:aws:iam::<COGNITION_ACCOUNT_ID>:root
  5. Provide the following details to Cognition
    • Endpoint Service name Example: com.amazonaws.vpce.us-west-2.vpce-svc-0abc123
    • Ports the service accepts
    • The domains that should resolve through PrivateLink

What happens next

Once you provide the details above, Cognition will:
  1. Create Interface VPC Endpoints in your dedicated tenant environment using the service names you provided.
  2. Send a connection request that you’ll need to approve (either manually or via auto-accept if configured).
  3. Configure DNS so that your specified domains resolve privately within the Devin environment.

Architecture Diagram

PrivateLink Architecture

Gateway Load Balancer (GWLB) Support

If your organization uses a security appliance such as Zscaler for traffic inspection, you can use an AWS Gateway Load Balancer (GWLB) instead of a Network Load Balancer. This allows Devin’s traffic to pass through your security appliance for inspection before reaching your internal services. In this model:
  • A Gateway Load Balancer fronts your security appliance (e.g., Zscaler)
  • A Gateway Load Balancer Endpoint is created in the Devin environment to route traffic through the appliance
  • Traffic is inspected by your security appliance and then forwarded to the target internal service
To use this option, provide Cognition with:
  • The GWLB Endpoint Service name
  • The security appliance vendor and configuration details
  • The domains that should be routed through the GWLB
GWLB-based setups follow the same PrivateLink principles as NLB-based setups but add a traffic inspection layer. Contact your Cognition account team for detailed setup guidance.

Key Considerations

TopicGuidance
Required setupOne Endpoint Service per domain, one Interface Endpoint per domain
Cross region supportMust be explicitly enabled on the Endpoint Service
Allowed principalsCustomer must add Cognition’s AWS account ID
DNSCustomer domains will resolve to private Interface Endpoint IPs on the Cognition side
PortsNLB listeners must match the ports Devin uses to access each service
AvailabilityNLB and underlying targets should be configured in multiple Availability Zones
LatencySmall cross region latency increase may occur, since traffic stays on the AWS backbone

Information to Provide to Cognition

When your setup is ready, send Cognition:
  • AWS Endpoint Service names for each internal domain
  • Confirmation that cross region support is enabled (if applicable)
  • Allowed principal configuration is complete
  • Ports exposed by the NLB
  • The list of domains that should be routed through PrivateLink
Cognition will then provision the Interface Endpoints, configure DNS, and confirm connectivity.