
Bem Private Link add-on: how do we enable it, and what exactly is included for $500/month?
Quick Answer: Private Link is a $500/month add-on that gives you a dedicated, private AWS connection to Bem so your traffic never touches the public internet. To enable it, you contact our team, we provision a PrivateLink endpoint service in Bem’s VPC, and your infra team creates a VPC interface endpoint that talks to Bem only over the AWS backbone.
Why This Matters
If your security team has “no public internet” in big red letters on every AI project, Private Link is how you ship anyway. You get the operational simplicity of SaaS, but the network posture of on-prem: no IP whitelisting games, no inbound firewall holes, and no data crossing the public internet. For teams building AI-native workflows on sensitive documents, this is the difference between a blocked project and a production launch.
Key Benefits:
- Zero public exposure: Your traffic to Bem stays entirely on the AWS private backbone; nothing is routed over the public internet.
- Enterprise-ready posture: Matches the network model your CISO already trusts (similar to how you connect to major data platforms).
- Predictable, managed cost: Flat $500/month for the Private Link add-on, including a highly available Network Load Balancer across three AZs.
Core Concepts & Key Points
| Concept | Definition | Why it's important |
|---|---|---|
| Private Link Endpoint Service | A dedicated AWS Endpoint Service that Bem provisions in its VPC for your account(s). | This is the “other side” of the connection that your VPC Interface Endpoint connects to, keeping traffic on the AWS backbone. |
| Interface VPC Endpoint | An elastic network interface in your VPC that privately connects to Bem’s Endpoint Service. | You can lock down outbound traffic to this Endpoint ID, ensuring your workloads only talk to Bem via a private path. |
| Zero Public Exposure | Architecture where requests never traverse the public internet—no public IPs, no internet gateways involved in the data path. | This aligns Bem with strict network isolation policies and reduces your attack surface for AI workloads. |
How It Works (Step-by-Step)
At a high level: Bem sets up a PrivateLink endpoint service; you create a VPC interface endpoint targeting it; then you route your Bem API calls through that endpoint instead of the public API hostname.
1. Request Private Link from Bem:
   - Talk to our team to enable the Private Link add-on on your account (it’s a $500/month line item).
   - We’ll confirm your AWS region(s), account(s), and any naming constraints from your infra team.
   - Bem provisions a dedicated Endpoint Service in our VPC and grants your AWS account permission to connect.
2. Create the Interface Endpoint in Your VPC:
   - Your infra team creates an AWS Interface VPC Endpoint (AWS Console, Terraform, or CloudFormation) targeting Bem’s Endpoint Service.
   - Configure:
     - The VPC and subnets where your apps run.
     - Security Groups that control which instances/containers can talk to the endpoint.
   - You now have a private DNS name (and ENIs) inside your VPC that forward traffic to Bem over the AWS backbone.
3. Lock Down and Point Traffic to Bem:
   - Update Security Groups/Network ACLs so outbound traffic from your workloads is allowed only to the VPC Endpoint (not a broad 0.0.0.0/0 rule).
   - Enable Private DNS for the endpoint (recommended), so the standard Bem API hostname resolves to the PrivateLink interface inside your VPC.
   - Your applications keep calling Bem’s REST API as usual; under the hood, traffic no longer touches the public internet.
From the perspective of your application code and Bem’s workflows/functions, nothing else changes. Same API calls, same workflows, same schema-enforced JSON back. Only the network path changes.
What Exactly Is Included for $500/Month?
Here’s what the Private Link add-on covers:
- Dedicated PrivateLink Endpoint Service in Bem’s VPC
  - Bem creates and manages an AWS Endpoint Service specifically for Bem traffic.
  - Your AWS account gets explicit permissions to connect.
  - You don’t manage any of this on our side; it’s fully handled by Bem.
- Highly Available Network Load Balancer (NLB) Across 3 AZs
  - The Endpoint Service is fronted by a Network Load Balancer spanning three availability zones.
  - This gives you:
    - Zonal redundancy.
    - Stable, production-grade connectivity.
    - No need to roll your own NLB or availability setup for Bem traffic.
- Private Backbone Routing
  - All traffic goes over the AWS private backbone, not the public internet.
  - No public IPs required for Bem access from your VPC.
  - You can configure Security Groups to allow outbound traffic only to the VPC Endpoint, matching strict egress controls.
- Managed Operations & Maintenance
  - Bem monitors and maintains the Endpoint Service and NLB.
  - Changes on our side (scaling, upgrades) are transparent to your endpoint.
  - You get the same 99.99% uptime SLA we commit to for production workloads.
- Simple Billing Model
  - $500/month from Bem for the Private Link add-on.
  - AWS will also bill you directly for:
    - Your Interface VPC Endpoint hours.
    - Data processed through that endpoint.
  - No extra Bem platform fees, no per-VPC markups, and no minimum annual commitments from Bem for Private Link itself.
What it does not change:
- Your existing per-function call pricing.
- Your workflow/function semantics, evals, or Surfaces.
- How you authenticate to Bem (same keys, same headers; just a different network path).
Common Mistakes to Avoid
- Treating Private Link as “nice-to-have” instead of a requirement:
  - If your security/compliance team has strict network isolation policies, assume they will block public-internet SaaS for sensitive unstructured data sooner or later.
  - Involve them early and frame Private Link as the architecture that aligns with existing data platforms they already approved.
- Half-configured network policies:
  - Don’t enable Private Link and then leave outbound traffic wide open to the public internet.
  - Tighten Security Groups so your workloads:
    - Talk to Bem only via the VPC Endpoint.
    - Block direct egress to Bem’s public IPs/hostnames.
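The following Terraform is an added example (not Bem’s own code or a published module) that implements step 2 and step 3 of the procedure above and avoids the half-configured-policy mistake just described: it creates the Interface VPC Endpoint with Private DNS and gives the calling workloads a security group whose only egress is HTTPS to that endpoint. The variable names, the security group names and the `vpce-svc` service name are assumptions/placeholders; Bem supplies the real service name when the add-on is enabled.

```hcl
# Added example, not Bem's own code: an Interface VPC Endpoint to Bem's
# Endpoint Service plus the egress lock-down from step 3. Assumed inputs:
# vpc_id, app_subnet_ids and bem_endpoint_service_name (the vpce-svc name
# Bem hands you; the default below is a placeholder).
variable "vpc_id" { type = string }
variable "app_subnet_ids" { type = list(string) } # one subnet per AZ your apps run in
variable "bem_endpoint_service_name" {
  type    = string
  default = "com.amazonaws.vpce.<region>.vpce-svc-PLACEHOLDER"
}

# SG on the endpoint ENIs: accepts HTTPS only from the app SG below.
resource "aws_security_group" "bem_endpoint" {
  name   = "bem-privatelink-endpoint"
  vpc_id = var.vpc_id
}

# SG on workloads that call Bem. Terraform strips AWS's default allow-all
# egress rule, so the only egress is the single rule declared further down.
resource "aws_security_group" "app" {
  name   = "bem-client-app"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "endpoint_from_app" {
  security_group_id            = aws_security_group.bem_endpoint.id
  referenced_security_group_id = aws_security_group.app.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

# Half-configured policy avoided: egress is TCP/443 to the endpoint SG only,
# so direct egress to Bem's public hostname/IPs (or anything else) is denied.
resource "aws_vpc_security_group_egress_rule" "app_to_endpoint" {
  security_group_id            = aws_security_group.app.id
  referenced_security_group_id = aws_security_group.bem_endpoint.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

resource "aws_vpc_endpoint" "bem" {
  vpc_id              = var.vpc_id
  service_name        = var.bem_endpoint_service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.app_subnet_ids
  security_group_ids  = [aws_security_group.bem_endpoint.id]
  private_dns_enabled = true # Bem's API hostname resolves to the endpoint ENIs
}
```

Private DNS only takes effect when the VPC has enableDnsSupport and enableDnsHostnames turned on. After apply, resolve the Bem API hostname from an instance in the app subnets and confirm it returns a private address inside your VPC CIDR rather than a public one.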
Real-World Example
A healthcare customer wanted to push PHI-bearing PDFs and image packets through Bem for schema-enforced extraction. Their policy: no external vendor over the public internet, even with TLS.
They enabled the Private Link add-on and we provisioned a dedicated Endpoint Service in our VPC. Their infra team created an Interface VPC Endpoint in their HIPAA-aligned AWS VPC, restricted Security Groups so only their application subnets could hit the endpoint, and disabled direct outbound access to Bem’s public endpoints.
From the app’s perspective, nothing changed: same REST calls to Bem, same workflows, same schema-validated JSON with per-field confidence and hallucination detection. From the CISO’s perspective, everything changed: traffic stayed on the AWS backbone, there was no public exposure, and the architecture matched their existing pattern for data warehouses and core SaaS vendors.
Pro Tip: When you plan Private Link, loop in your networking and security teams with a simple one-pager: “Bem provides an AWS PrivateLink Endpoint Service; we create an Interface Endpoint in our VPC; all AI extraction traffic stays on AWS private backbone, no public IPs.” It short-circuits a month of back-and-forth.
Summary
The Bem Private Link add-on gives you a dedicated, private AWS connection to Bem for $500/month, including a managed Endpoint Service and a highly available NLB across three AZs. You get zero public internet exposure, a network posture your CISO actually approves, and the ability to keep using Bem’s workflows, schema enforcement, and evals without changing your application code.
If your team has been blocked from modernizing unstructured data pipelines because of network isolation requirements, Private Link is the unlock: SaaS-level operations with on-prem-style network boundaries.