Bem Private Link add-on: how do we enable it, and what exactly is included for $500/month?

Most teams hit the same wall with network isolation: security says “no public internet,” but your AI vendor lives behind a shared SaaS endpoint. That’s exactly the gap Bem’s Private Link add-on is designed to close.

Quick Answer: Bem’s Private Link add-on gives you a dedicated, fully managed AWS PrivateLink endpoint service so your traffic reaches Bem only over the AWS private backbone, never the public internet. It costs $500/month, and you enable it by working with our team to provision the endpoint service in Bem’s VPC, then creating an interface endpoint in your own VPC that your workloads call instead of the public Bem API URL.

Why This Matters

If you’re in a regulated or high-stakes environment, “just call the SaaS API over HTTPS” usually doesn’t pass review. You need deterministic network boundaries, auditable controls, and a security posture that behaves like on-prem—without actually re-hosting everything yourself. Private Link gives you that: zero public exposure, a clean separation of networks, and the ability to keep using Bem as fully managed infrastructure instead of operating the stack in your own VPC.

Key Benefits:

  • Zero public exposure: Your traffic stays entirely on the AWS private backbone; you can block outbound public internet and still reach Bem.
  • Enterprise-ready network posture: Network teams get clear, enforceable boundaries—Security Groups locked to a single VPC Endpoint ID instead of broad egress rules.
  • SaaS simplicity, infra-grade control: You keep the operational simplicity of a fully managed Bem deployment while meeting strict compliance and isolation requirements.

Core Concepts & Key Points

  • AWS PrivateLink
    • Definition: An AWS mechanism that lets you privately access services across VPCs via interface endpoints, without sending traffic over the public internet.
    • Why it's important: Gives you on-prem-style isolation with cloud-native services; critical for teams that can’t expose traffic to public endpoints.
  • Bem Private Link add-on
    • Definition: Bem’s dedicated AWS PrivateLink endpoint service, provisioned in Bem’s VPC, that your VPC connects to via an interface endpoint.
    • Why it's important: You get a private, scoped path to Bem’s API; your data never traverses the public internet while you retain fully managed SaaS infrastructure.
  • Dedicated endpoint service
    • Definition: A Bem-managed AWS endpoint service spanning multiple Availability Zones that your interface endpoint maps to.
    • Why it's important: Provides high availability and clear network control: you can lock down Security Groups to a single endpoint ID and know exactly where traffic goes.

How It Works (Step-by-Step)

At a high level, you’re replacing “public HTTPS to api.bem.ai” with “private HTTPS via an interface endpoint in your VPC that’s wired to Bem’s endpoint service.” Same API. Very different network path.

  1. Activate the Private Link add-on with Bem

    • Contact Bem (via your account rep or sales) and request Private Link.
    • We provision a dedicated endpoint service in our VPC for your account.
    • Pricing starts at $500/month and scales with data transfer usage. There’s no separate platform fee or per-VPC surcharge from Bem beyond that subscription; standard AWS PrivateLink and data transfer costs in your own account are billed by AWS directly.
  2. Create an interface endpoint in your VPC

    • In your AWS account, you create an Interface VPC Endpoint targeting Bem’s endpoint service name we provide.
    • This creates one or more elastic network interfaces (ENIs) in your subnets—these are the private entry points your workloads hit.
    • You can:
      • Attach Security Groups that strictly control which resources can connect.
      • Restrict outbound traffic so workloads can only send traffic to this endpoint, not arbitrary internet addresses.
  3. Wire your workloads to the Private Link endpoint

    • Update your application configuration to call Bem via:
      • The VPC endpoint–specific DNS name (AWS will expose one or more DNS entries), or
      • A private hosted zone / custom DNS that maps your existing Bem API hostname to the VPC endpoint, depending on how your network is set up.
    • From the app’s perspective, it’s still just HTTPS to Bem’s REST API:
      • Same authentication model.
      • Same endpoints and workflows.
      • Same schemas and responses.
    • Under the hood, the requests now:
      • Stay entirely inside AWS’s private backbone.
      • Traverse your interface endpoint → Bem’s endpoint service → Bem’s infrastructure.
      • Never go out to the public internet.

What Exactly Is Included for $500/Month?

Here’s what you are getting for the Private Link add-on from Bem, beyond standard AWS charges in your own account:

  • Dedicated Bem endpoint service in our VPC

    • A PrivateLink endpoint service created and managed by Bem.
    • Backed by a Network Load Balancer across 3 Availability Zones for resiliency.
    • Isolated to your account: your traffic is not mixed in some giant shared endpoint.
  • Zero public internet exposure for your traffic

    • All traffic between your VPC and Bem flows over the AWS private backbone.
    • You can configure Security Groups and outbound rules so:
      • No generic 0.0.0.0/0 egress to the internet.
      • Only traffic to the specific VPC Endpoint ID is allowed.
    • This aligns with policies that explicitly prohibit data leaving private networks via public endpoints.
  • Fully managed infra on the Bem side

    • Bem owns:
      • Scaling the endpoint service and NLB across AZs.
      • High-availability configuration and monitoring.
      • Security hardening and updates on our side.
    • You don’t run Bem’s models, workflows, or storage in your VPC; you keep the operational simplicity of SaaS with a private network path.
  • Production-grade connectivity model

    • Architecture built for production workloads:
      • Multi-AZ redundancy through the NLB.
      • Design that fits with:
        • SOC 2 Type 2, HIPAA, GDPR programs.
        • Internal network compliance reviews that require private connectivity.
    • The same Bem production guarantees:
      • 99.99% uptime SLA.
      • Versioned functions/workflows, strict schema validation, exception routing, etc.—Private Link doesn’t change the core product, only how you reach it.

What is not included in the $500/month:

  • The AWS-side costs in your account:
    • VPC Endpoint hourly charges.
    • Data processing / data transfer charges for PrivateLink.
  • Any on-prem connectivity (e.g., Direct Connect) you might set up if you’re bridging from a data center into AWS.

Common Mistakes to Avoid

  • Treating Private Link as “just another endpoint URL”

    • Mistake: Flipping your app’s URL but leaving wide-open outbound internet.
    • How to avoid it: Have your network team lock outbound traffic from workloads so they can only reach the specific VPC Endpoint ID for Bem. The value of PrivateLink is in the boundary enforcement, not just the DNS name.
  • Not planning DNS and service discovery

    • Mistake: Hardcoding the AWS-generated endpoint DNS per environment and then fighting with staging/prod parity.
    • How to avoid it: Use internal DNS (Route 53 private hosted zones or your existing DNS) to map a stable internal hostname to the VPC endpoint. That way your app config doesn’t change even if you recreate endpoints.
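The following is an added example (not Bem’s code, and not taken from this page) that covers steps 2 and 3 above together with both mistakes just listed: it builds the `create-vpc-endpoint` request for the interface endpoint, audits the workload Security Group’s egress rules so that anything other than TCP/443 to the endpoint’s own Security Group is flagged (the “left 0.0.0.0/0 egress in place” mistake), and emits the Route 53 change that maps a stable internal hostname to the endpoint’s regional DNS name (the DNS-parity mistake). Input and output shapes follow the AWS EC2 and Route 53 APIs; every identifier, service name and DNS name in it is a constructed placeholder, not a real Bem value.

```python
"""Wire a workload VPC to a PrivateLink endpoint service and audit the boundary.
Shapes mirror `ec2 describe-vpc-endpoints`, `ec2 describe-security-groups`,
`ec2 create-vpc-endpoint` and `route53 change-resource-record-sets`.
All identifiers below are constructed placeholders."""
import re

# Constructed: the interface endpoint as describe-vpc-endpoints would show it,
# trimmed to the fields used here. DnsEntries holds one regional name and one
# name per AZ the endpoint was placed in.
ENDPOINT = {
    "VpcEndpointId": "vpce-0123456789abcdef0",
    "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-EXAMPLE",  # placeholder, not Bem's
    "Groups": [{"GroupId": "sg-0endpoint0000001"}],
    "DnsEntries": [
        {"DnsName": "vpce-0123456789abcdef0-a1b2c3d4.vpce-svc-EXAMPLE.us-east-1.vpce.amazonaws.com",
         "HostedZoneId": "ZEXAMPLE123"},
        {"DnsName": "vpce-0123456789abcdef0-a1b2c3d4-us-east-1a.vpce-svc-EXAMPLE.us-east-1.vpce.amazonaws.com",
         "HostedZoneId": "ZEXAMPLE123"},
        {"DnsName": "vpce-0123456789abcdef0-a1b2c3d4-us-east-1b.vpce-svc-EXAMPLE.us-east-1.vpce.amazonaws.com",
         "HostedZoneId": "ZEXAMPLE123"},
    ],
}

# Constructed: egress rules on the workload Security Group. The first rule is
# the intended boundary; the second is the classic mistake (URL switched to
# the endpoint, but 0.0.0.0/0 egress left in place).
WORKLOAD_SG = {
    "GroupId": "sg-0workload0000001",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0endpoint0000001"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}


def create_endpoint_request(vpc_id, subnet_ids, sg_id, service_name):
    """Parameters for `ec2 create-vpc-endpoint` (step 2). PrivateDnsEnabled stays
    off because the hostname is published from our own private hosted zone."""
    return {
        "VpcId": vpc_id,
        "VpcEndpointType": "Interface",
        "ServiceName": service_name,
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": [sg_id],
        "PrivateDnsEnabled": False,
    }


def audit_egress(sg, endpoint):
    """Findings for every egress rule that is not 'TCP/443 to the endpoint's own
    Security Group'. An empty list means the boundary is enforced."""
    allowed = {g["GroupId"] for g in endpoint["Groups"]}
    findings = []
    for rule in sg["IpPermissionsEgress"]:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            findings.append(f"{sg['GroupId']}: open egress to the internet ({', '.join(cidrs)})")
            continue
        if cidrs or rule.get("PrefixListIds"):
            findings.append(f"{sg['GroupId']}: egress to addresses other than the endpoint")
            continue
        groups = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
        if not groups <= allowed:
            findings.append(f"{sg['GroupId']}: egress to non-endpoint groups {sorted(groups - allowed)}")
            continue
        if rule["IpProtocol"] != "tcp" or rule.get("FromPort") != 443 or rule.get("ToPort") != 443:
            findings.append(f"{sg['GroupId']}: endpoint egress should be limited to TCP/443")
    return findings


# Zonal names carry an AZ suffix such as "-us-east-1a." in their first label.
_ZONAL = re.compile(r"-[a-z]{2}-[a-z]+-\d[a-z]\.")


def regional_dns_name(endpoint):
    """Pick the AZ-agnostic name so the alias survives AZs being added or dropped."""
    names = [e["DnsName"] for e in endpoint["DnsEntries"] if not _ZONAL.search(e["DnsName"])]
    if len(names) != 1:
        raise ValueError("expected exactly one regional DNS entry")
    return names[0]


def route53_change_batch(internal_hostname, endpoint, ttl=60):
    """ChangeBatch for a private hosted zone (step 3): a stable internal hostname
    CNAMEd to the endpoint's regional name, so app config never changes."""
    return {
        "Comment": f"PrivateLink alias for {endpoint['VpcEndpointId']}",
        "Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
            "Name": internal_hostname, "Type": "CNAME", "TTL": ttl,
            "ResourceRecords": [{"Value": regional_dns_name(endpoint)}]}}],
    }


if __name__ == "__main__":
    for finding in audit_egress(WORKLOAD_SG, ENDPOINT):
        print("FINDING:", finding)
    print(route53_change_batch("bem.internal.example", ENDPOINT))
```

Run it against the real `describe-security-groups` and `describe-vpc-endpoints` JSON from your account once the endpoint exists: a non-empty findings list is the signal that the network boundary has not actually moved with the URL, and the CNAME to the regional name (rather than a zonal one or an endpoint ID baked into app config) is what keeps staging and production configuration identical.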

Real-World Example

A healthcare customer wanted to move PHI-heavy intake packets (PDFs, faxes, image uploads) into Bem workflows for schema-enforced JSON that their EMR could trust. Security had two hard constraints:

  1. No traffic to public internet APIs from the PHI VPC.
  2. Clear, auditable definition of which external services were reachable.

With Bem Private Link:

  • We created a dedicated endpoint service in Bem’s AWS account.
  • They created an Interface VPC Endpoint in their PHI VPC, locked to the Bem service.
  • Security Groups were set to allow egress only to that VPC Endpoint ID from the subnets hosting their ingestion services.
  • Their workloads called the same Bem API (same auth, same workflows) but via a private DNS name mapped to the endpoint.

Operationally:

  • Compliance teams could see a single, clearly defined network dependency on Bem.
  • Infra teams didn’t have to run their own document/LLM stack in their VPC.
  • Product teams shipped the pipeline in weeks instead of a year of infra projects.

Pro Tip: When you implement Private Link, bring security and network teams in early—not at the end. Share the AWS PrivateLink architecture and the Bem endpoint service details upfront, and agree on the Security Group rules and DNS pattern before you start wiring application code.

Summary

Bem’s Private Link add-on is for teams that want Bem’s fully managed, production-grade unstructured data pipeline—but cannot (or will not) send traffic over public internet to a SaaS API. For $500/month, Bem provides a dedicated AWS PrivateLink endpoint service backed by a multi-AZ Network Load Balancer, so your workloads can reach Bem only over the AWS private backbone. You keep the simplicity of SaaS, get the network posture of on-prem, and avoid re-building a full AI stack behind your own firewall.
