Does Auth0 offer anything like a VPC endpoint that would permit backend servers (hosted in a VPC that lacks outbound access to the internet) to contact the Auth0 API? Alternatively stated, is it possible to set up an AWS PrivateLink or VPC peering connection to Auth0 in a way that permits access to the API?
To prevent security vulnerabilities (including remote code execution and server-side request forgery) from exfiltrating sensitive data, it is a best practice to restrict connectivity of backend servers to the wider internet. This can be achieved for servers hosted at AWS by utilizing VPC endpoints that permit secure connection to specific services (S3, CloudWatch, Systems Manager), and then blocking all outbound access to the wider internet.
Unfortunately, a blocker to realizing this defense-in-depth scenario is if any server needs to access the Auth0 Authentication API (to exchange authorization codes/refresh tokens for access tokens) or the Auth0 Management API (to create/update/link users, create tickets, or any other administrative actions), as these APIs are hosted behind a CDN that necessitates connectivity to arbitrary IP addresses on the public internet.
Therefore I’m curious whether Auth0 offers any solution for AWS-hosted servers to connect to its APIs in a manner that does not require outbound access to arbitrary IPs on the public internet.
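The egress-restricted layout described above, as an added Terraform example that is not part of the original post: gateway and interface endpoints for S3, CloudWatch Logs and Systems Manager, with the server security group allowed to reach nothing but those endpoints. The Auth0 API has no entry in it, which is exactly the gap the question is about. It assumes an existing VPC with DNS hostnames enabled, a private subnet and a route table with no default route, all passed in as placeholder variables.

```hcl
# Added example, not from the original post. Placeholders: an existing VPC with
# DNS hostnames enabled, a private subnet, a route table without a 0.0.0.0/0 route.
variable "region"         { default = "us-east-1" }
variable "vpc_id"         {}
variable "subnet_id"      {}
variable "route_table_id" {}

resource "aws_security_group" "endpoints" {
  name   = "vpc-endpoints"
  vpc_id = var.vpc_id
}

# The single egress rule replaces Terraform's default allow-all egress, so
# HTTPS to the endpoint ENIs is the only outbound path the servers have.
resource "aws_security_group" "servers" {
  name   = "backend-servers"
  vpc_id = var.vpc_id
  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.endpoints.id]
  }
}

# Endpoint ENIs accept HTTPS only from the server security group.
resource "aws_security_group_rule" "endpoints_from_servers" {
  type                     = "ingress"
  security_group_id        = aws_security_group.endpoints.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.servers.id
}

# S3 is a gateway endpoint: a prefix-list route in the private route table.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.route_table_id]
}

# CloudWatch Logs and the three Systems Manager services are interface endpoints;
# private DNS makes their public hostnames resolve to the endpoint ENIs.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(["logs", "ssm", "ssmmessages", "ec2messages"])
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [var.subnet_id]
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}
```

With this in place, a request from a server to a tenant hostname on the public CDN simply has no route, which is the failure the question describes.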