Customers of Appian Cloud can use AWS PrivateLink to enable secure access from their Appian Cloud instances to AWS resources hosted on their private networks. PrivateLink can be used to integrate with customer-owned services such as business data sources or authentication systems (LDAP or Single Sign-On) through a customer’s AWS Virtual Private Cloud (VPC). This integration option is an alternative to VPN tunnels for customers whose IT infrastructure runs on AWS.
PrivateLink connectivity gives customers several benefits, including, but not limited to:
To integrate with PrivateLink, the Appian Cloud VPC is configured as the Service Consumer, connecting to a customer resource through an Interface VPC Endpoint. Customers need to create a VPC Endpoint Service inside their own VPC (the Service Provider) to expose their resources.
The end-to-end traffic flow is shown in the diagram below where the Appian Cloud instance forwards requests to the Interface VPC Endpoint over a private connection to the customer’s VPC Endpoint Service. In the customer VPC, this traffic is received by the Network Load Balancer and routed to the customer’s service.
Customers can use PrivateLink to connect their Appian Cloud High-Availability instance with their resources. An Appian Cloud HA instance is composed of three nodes distributed across three different Availability Zones. The application server running on each node forwards requests to a single Interface VPC Endpoint located in the Appian Cloud VPC. From there, the traffic is routed to the customer’s service in the same fashion as described in the architecture section.
The example below shows two customer Appian Cloud instances (Production and Development) forwarding requests to the customer’s service over PrivateLink. Each request originates from the Appian Cloud instance and is routed over the Interface VPC Endpoint to the customer NLB. In this case, the customer has configured the NLB to distribute traffic between two EC2 instances hosted in separate Availability Zones.
Customers can also use PrivateLink in conjunction with their own AWS Direct Connect to expose on-premises systems to their Appian Cloud instances. Rather than forwarding traffic from the NLB directly to an AWS-hosted service, customers can configure the NLB with the private IP address of the on-premises resource as its target.
Once the NLB receives the traffic, it can be routed through the Virtual Private Gateway linked to the customer’s AWS Direct Connect. With this connection model, requests reach a service hosted in the customer’s private network without traversing the Internet. Note that the exact traffic flow depends on the architecture of each customer network.
| Prerequisite Step | Description | Organizational Role |
|---|---|---|
| Create a VPC Endpoint Service | This service must be created in the same AWS region as the customer’s Appian Cloud instances. To create a VPC Endpoint Service, follow the steps here. | Customer AWS Administrator |
| Whitelist Principals | Upon creation of a VPC Endpoint Service, Appian will need access to send connection requests to the Endpoint Service. This can be achieved by adding IAM principals to the whitelisted principals list. Customers can add an entry of `*` to allow all principals to send connection requests and will manually accept the request submitted by Appian. Alternatively, the customer can request Appian Support to provide a specific principal to whitelist. | Customer AWS Administrator |
| Create a Support Case | Open a support case with Appian Support. Include the following information: | Customer Business Relationship Owner |
Once the prerequisite steps above have been completed, Appian Support will work with the customer through the following configuration procedure.
| Configuration Step | Description | Organizational Role |
|---|---|---|
| Create VPC Endpoint | Appian will create a VPC Endpoint to connect to the VPC Endpoint Service the customer has provided. | Appian |
| Accept VPC Endpoint Connection | Customers will need to accept the VPC Endpoint connection on their VPC Endpoint Service, unless the Service is set to automatically accept connection requests. | Customer AWS Administrator |
| Provide Endpoint-Specific DNS Hostname | In the case that the customer’s service does not employ server-side authentication, Appian Support will provide the customer with an endpoint-specific DNS hostname that can be used to send requests to the endpoint service from the customer’s Appian Cloud instance. | Appian |
| Schedule a Maintenance Window for the Affected Instances | Appian Support will work with the customer to schedule Maintenance Windows for the affected instances once the request has been accepted. The changes will be applied during this window. | Appian |
| Update Admin Console to Utilize New Configurations | Admin Console updates may be required to begin integrating with the new endpoint service. The customer may need to update pre-existing configurations to use the new DNS hostnames resolving to PrivateLink, or create new entries for brand new integrations. | Customer Business Relationship Owner |
| Verify the Integration Works as Expected | Appian Support will work with the customer to ensure connectivity to customer resources is working as expected. | Appian / Customer Business Relationship Owner |
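Where the endpoint service whitelists `*`, the acceptance step above is the only control over which account actually connects. The following Python is an added example (not Appian's or AWS's code) that accepts only pending connection requests from the AWS account Appian Support named; the account id and endpoint ids are constructed placeholders.

```python
from typing import Dict, List, Tuple

PENDING = "pendingAcceptance"   # VpcEndpointState value for an unaccepted request

def select_connections(connections: List[Dict], expected_owner: str) -> Tuple[List[str], List[str]]:
    """Split describe_vpc_endpoint_connections() items into (accept, hold).
    Only pending requests from the expected account are accepted; anything
    else stays pending so an unknown requester is never let in by habit."""
    accept, hold = [], []
    for conn in connections:
        if conn.get("VpcEndpointState") != PENDING:
            continue                                  # already accepted or rejected
        if conn.get("VpcEndpointOwner") == expected_owner:
            accept.append(conn["VpcEndpointId"])
        else:
            hold.append(conn["VpcEndpointId"])        # review manually, do not accept
    return accept, hold

def accept_expected_requests(service_id: str, expected_owner: str,
                             dry_run: bool = True) -> Tuple[List[str], List[str]]:
    """Live variant: needs boto3 and ec2:DescribeVpcEndpointConnections /
    ec2:AcceptVpcEndpointConnections. Imported lazily so the logic above runs offline."""
    import boto3
    ec2 = boto3.client("ec2")
    resp = ec2.describe_vpc_endpoint_connections(
        Filters=[{"Name": "service-id", "Values": [service_id]}])
    accept, hold = select_connections(resp["VpcEndpointConnections"], expected_owner)
    if accept and not dry_run:
        ec2.accept_vpc_endpoint_connections(ServiceId=service_id, VpcEndpointIds=accept)
    return accept, hold

# Constructed sample response; account and endpoint ids are placeholders.
EXPECTED_APPIAN_ACCOUNT = "111111111111"   # get the real principal from Appian Support
SAMPLE_CONNECTIONS = [
    {"VpcEndpointId": "vpce-appian0001", "VpcEndpointOwner": "111111111111", "VpcEndpointState": PENDING},
    {"VpcEndpointId": "vpce-unknown001", "VpcEndpointOwner": "999999999999", "VpcEndpointState": PENDING},
    {"VpcEndpointId": "vpce-appian0000", "VpcEndpointOwner": "111111111111", "VpcEndpointState": "available"},
]

if __name__ == "__main__":
    print(select_connections(SAMPLE_CONNECTIONS, EXPECTED_APPIAN_ACCOUNT))
```

Run with `dry_run=True` first and review the `hold` list; a held request from an unexpected account is the signal that the `*` whitelist is being exercised by someone other than Appian.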
Some systems employ server-side authentication (for example, HTTPS, TLS, LDAPS) to prove the identity of the server to the client. This type of authentication requires that the customer resource be referenced using a valid DNS hostname that matches the server certificate.
To ensure that traffic for a particular hostname routes through PrivateLink, the hostname must resolve directly to the Appian Interface VPC Endpoint DNS name or to a particular Appian Interface VPC Endpoint ENI (Elastic Network Interface).
Appian Cloud currently supports two methods of enabling server name resolution:
The customer adds a publicly resolvable CNAME record in their DNS infrastructure that maps the DNS hostname of the customer resource to the Interface VPC Endpoint DNS name provided by Appian. This means that DNS resolution occurs over the Internet, while the subsequent requests are sent over PrivateLink.
Appian resolves calls to specific customer hostnames within the application to an Appian Cloud Interface VPC Endpoint ENI IP address. This allows requests destined for that hostname to resolve directly to an ENI without traversing the Internet.
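Both methods rest on the same two properties: the customer hostname must resolve to the endpoint, and the server certificate must still match that original hostname rather than the endpoint name. The Python below is an added example, not part of the original page, that checks both against an injected resolver (in production you would back it with dnspython or `dig` output); the endpoint name, addresses and hostnames are constructed placeholders.

```python
from typing import Callable, Dict, List, Tuple

Records = List[Tuple[str, str]]     # e.g. [("CNAME", target)] or [("A", ip)]
Resolver = Callable[[str], Records]
MAX_CNAME_HOPS = 8                  # bound the walk so a CNAME loop cannot hang the check

def follow_cnames(name: str, resolve: Resolver) -> Tuple[List[str], List[str]]:
    """Walk the CNAME chain from `name`; return (names visited, final A-record IPs)."""
    chain: List[str] = [name.lower().rstrip(".")]
    for _ in range(MAX_CNAME_HOPS):
        records = resolve(chain[-1])
        targets = [v.lower().rstrip(".") for t, v in records if t == "CNAME"]
        if not targets:
            return chain, [v for t, v in records if t == "A"]
        if targets[0] in chain:
            raise ValueError(f"CNAME loop at {targets[0]}")
        chain.append(targets[0])
    raise ValueError("CNAME chain too long")

def routes_over_privatelink(hostname: str, endpoint_dns: str,
                            eni_ips: List[str], resolve: Resolver) -> bool:
    """True if the name CNAMEs to the endpoint DNS name (method 1) or resolves
    only to endpoint ENI addresses (method 2); anything else leaves PrivateLink."""
    chain, ips = follow_cnames(hostname, resolve)
    if endpoint_dns.lower().rstrip(".") in chain[1:]:
        return True
    return bool(ips) and all(ip in eni_ips for ip in ips)

def cert_covers_hostname(hostname: str, sans: List[str]) -> bool:
    """Does the certificate's SAN list cover the ORIGINAL hostname? Leaf-label
    wildcards only: *.customer.example matches ldap.customer.example, not a.b.customer.example."""
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        labels = san.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels == host or (labels[0] == "*" and len(host) > 2 and labels[1:] == host[1:]):
            return True
    return False

# Constructed sample data: endpoint name, addresses and hostnames are placeholders.
ENDPOINT_DNS = "vpce-0123456789abcdef0-example.vpce-svc-0123456789abcdef0.us-east-1.vpce.amazonaws.com"
ENI_IPS = ["10.0.1.10"]
SAMPLE_DNS: Dict[str, Records] = {
    "ldap.customer.example": [("CNAME", ENDPOINT_DNS)],        # method 1, done right
    ENDPOINT_DNS: [("A", ENI_IPS[0])],
    "ldap-public.customer.example": [("A", "203.0.113.10")],   # never reaches the endpoint
}
def sample_resolver(name: str) -> Records:
    return SAMPLE_DNS.get(name, [])
```

A certificate issued for the endpoint DNS name instead of the customer hostname fails `cert_covers_hostname`, which is the usual reason an LDAPS or HTTPS integration breaks after the CNAME is added.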