Appian Cloud VPN Integration

To give Appian Cloud customers access to computing resources on a private network from an Appian Cloud instance, IPSec VPN connections can be configured. Each Appian Cloud instance can have multiple VPN tunnels enabled to securely integrate with resources in different networks. This enables Appian smart services such as Query Database or Call Web Service to connect to resources located on your private network, and allows secure integration with a corporate authentication system (e.g., Active Directory).

Setup

Requirements
  • Resources that need to be accessed from an Appian Cloud instance must have fully qualified domain names (FQDN). All resources must be within the same domain.
  • You can provide one or more IP Addresses for DNS servers on your private network to be used for DNS resolution of names within your domain.
    • If the corporate DNS information is not provided, host names are referenced using Internet DNS.

Note that VPN tunnels are associated with a single Appian Cloud instance. Also keep in mind that, for production instances running Appian 16.1 or higher, Appian Cloud writes data to 2 isolated locations within the same geographic area. Customers setting up VPN tunnels for their Appian Cloud production instances are required to set up VPN tunnels to both locations, so that service can be recovered quickly in the event of a major incident disabling an entire location.

To set up a VPN connection, have your network administrator fill out the Appian Cloud VPN Worksheet and send it to Appian Technical Support, attached to a new support case.

Once the VPN tunnel has been established, you can access the VPN tunnel through your Appian Cloud instance.

Failover / Resiliency

Appian Cloud instances can have VPN tunnels configured to failover between two (2) customer VPN gateways. Failover will be attempted upon failure of a ping test of a single IP address within the private network space on the customer network. This IP address must be reachable and ping must be enabled from both gateways. Appian strongly recommends that you implement failover for production sites.

Using the VPN Tunnel

In order to use the VPN tunnel to connect to a resource on a private network, refer to the resource using its fully qualified domain name in any location where Appian allows the use of a URL for a resource, such as the Call Web Service or the Query Database smart services.

Inbound Traffic

By default, Appian Cloud instances receive all web inbound traffic through the public Internet. Upon request, Appian can configure Appian Cloud instances to require web traffic to go through a VPN tunnel. With this configuration, the site will not be accessible over the Internet and all users must first be on their corporate network before navigating to their Appian Cloud sites.

Alternatively, customers can also request their Appian Cloud instances to be configured in dual mode in which their instances receive inbound web traffic over the Internet and the VPN tunnel. Please see KB-1537 for prerequisites and details on how to set up your sites in dual mode.

Both of these custom configurations add network hops for web traffic entering Appian Cloud. Customers who wish to enable either configuration should carefully evaluate the impact on performance and on compatibility with mobile devices.

Outbound Traffic

Only traffic addressed to a host within your corporate domain, and for which the DNS lookup (from the corporate DNS servers if provided, otherwise Internet DNS) returns a private (RFC 1918) IP address, is sent over the VPN tunnel. All other traffic is sent to the Internet. This applies even when an Appian Cloud instance is configured to require all inbound traffic to go through the VPN tunnel.

Customer Network VPN Considerations

Customers are responsible for keeping their VPN gateway running with appropriate network connectivity. If the VPN gateway goes down, Appian cannot connect to internal resources. We strongly recommend that you take this into account when designing your process applications. For example, build the appropriate error handling and recovery mechanisms within the process models.

The VPN connection is set up so that either side can initiate the connection. Appian may disconnect the Appian Cloud instance during scheduled maintenance windows.

Examples

Assume the following setup, shown in Figure 1 (Cloud_VPN_Example.png):

  • Domain = mycorp.com
  • Private network has 10.0.0.0/8 address space
  • Private DNS servers (10.0.0.2 and 10.0.0.3) have the following records:
    • db1.mycorp.com 10.5.0.1
    • db2.mycorp.com 1.1.1.1

Please refer to Figure 1 for the examples described next.

Example 1

  1. User enters http://db1.mycorp.com in the Call Web Service smart service.
  2. Since db1.mycorp.com is an FQDN under mycorp.com, the DNS lookup is done using the DNS servers provided.
  3. Since the DNS servers return a private IP address, the request for db1.mycorp.com is made over the VPN tunnel.

Example 2

  1. User enters http://db2.mycorp.com in the Call Web Service smart service.
  2. Since db2.mycorp.com is an FQDN under mycorp.com, the DNS lookup is done using the DNS servers provided.
  3. Since the DNS servers return an IP address which is not a private IP address, the request for this URL is made through the Internet.

Example 3

  1. User enters http://db.otherdomain.com in the Call Web Service smart service.
  2. Since otherdomain.com does not match the corporate domain, this request is handled using the Internet.
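The routing rule from the Outbound Traffic section and the three examples above can be written out as a small decision function. The following is an added illustration, not Appian's code: the DNS record tables are constructed stand-ins for the corporate servers (10.0.0.2 / 10.0.0.3) and for Internet DNS, the address 203.0.113.10 is a documentation-range placeholder, and the behaviour for a name that does not resolve at all ("unresolved") is an assumption the page does not state. The domain check matches on label boundaries, so a lookalike such as evilmycorp.com or mycorp.com.example.net is not treated as part of the corporate domain, and the private-address test is limited to the three RFC 1918 blocks the page names rather than the broader set that ipaddress.is_private accepts.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample records standing in for the corporate DNS servers
# (10.0.0.2 / 10.0.0.3) in the page's example. Not a real zone.
CORPORATE_DNS = {
    "db1.mycorp.com": "10.5.0.1",
    "db2.mycorp.com": "1.1.1.1",
}

# Constructed stand-in for public Internet DNS; the address is taken from
# the documentation range 203.0.113.0/24, not a real host.
INTERNET_DNS = {
    "db.otherdomain.com": "203.0.113.10",
}

# The three RFC 1918 private ranges, checked explicitly. ipaddress.is_private
# would also match loopback, link-local and other non-RFC 1918 space.
RFC1918_BLOCKS = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def is_rfc1918(ip):
    """True if ip (a string) falls inside 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in block for block in RFC1918_BLOCKS)


def in_corporate_domain(host, domain):
    """Label-boundary suffix match: 'db1.mycorp.com' and 'mycorp.com' match
    'mycorp.com'; 'evilmycorp.com' and 'mycorp.com.example.net' do not."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def route_for(url, domain, corporate_dns=None, internet_dns=INTERNET_DNS):
    """Decide whether a request for url leaves over the VPN or the Internet.

    Returns (route, host, ip) with route one of "vpn", "internet" or
    "unresolved". corporate_dns=None models the case where no corporate
    DNS servers were provided, so every name is looked up on the Internet.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host: %r" % url)

    corporate = in_corporate_domain(host, domain)
    if corporate and corporate_dns is not None:
        ip = corporate_dns.get(host)
    else:
        ip = internet_dns.get(host)

    if ip is None:
        # Assumption: a name that resolves nowhere is simply not routed.
        return ("unresolved", host, None)

    # Only a corporate-domain host that resolves to an RFC 1918 address is
    # tunnelled; anything else, including a corporate name with a public
    # address (db2 above), goes out to the Internet.
    if corporate and is_rfc1918(ip):
        return ("vpn", host, ip)
    return ("internet", host, ip)


if __name__ == "__main__":
    for u in ("http://db1.mycorp.com", "http://db2.mycorp.com",
              "http://db.otherdomain.com"):
        print(u, "->", route_for(u, "mycorp.com", CORPORATE_DNS))
```

Running the block reproduces the three examples: db1 goes over the VPN, db2 goes to the Internet because its corporate record is a public address, and db.otherdomain.com goes to the Internet because it is outside mycorp.com. The practical takeaway for the corporate DNS zone is that any record you expect to reach through the tunnel must answer with an RFC 1918 address; a public address in the zone silently sends that integration over the Internet instead.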

Enable VPN on Your Appian Cloud Instance

To set up a VPN connection between your Appian Cloud instance and your private network, download the Appian Cloud VPN worksheet.

Complete the sections marked in yellow on the form and submit it to Appian Technical Support, creating a new case for your organization.
