AWS PrivateLink Integration with Appian Cloud
The information in this topic is intended for Appian Cloud users.

PrivateLink Integration is only available to customers using Appian version 19.2 or higher.

Overview

Customers of Appian Cloud can use AWS PrivateLink to enable secure access from their Appian Cloud instances to AWS resources hosted on their private networks. PrivateLink can be used to integrate with customer-owned services such as business data sources or authentication systems (LDAP or Single Sign-On) through a customer's AWS Virtual Private Cloud (VPC). This integration option is an alternative to VPN tunnels for customers who have IT infrastructure running on AWS.

Benefits

PrivateLink connectivity gives customers several benefits, including, but not limited to:

  • Enhanced security: Traffic over PrivateLink is kept within the AWS network and does not traverse the public Internet.
  • Simplified access to customer resources: Appian Cloud instances with multiple application servers (e.g. High-Availability) can use a single PrivateLink connection regardless of the number of nodes. Furthermore, upon request, Appian Cloud instances owned by the same customer (e.g. development, test, staging) can share the same PrivateLink connection to access customer resources.
  • Reduced network configuration complexity: PrivateLink removes the need to rely on public IP whitelisting on customer edge firewalls. Additionally, customers will not face conflicts with Appian's private network IP address spaces, since connections through PrivateLink are made to an Endpoint Service rather than routed between the two address spaces.

Architecture

In order to integrate with PrivateLink, the Appian Cloud VPC is configured as the Service Consumer connecting to a customer resource through an Interface VPC Endpoint. Customers need to create a VPC Endpoint Service inside their VPC (Service Provider) to expose their resources.

The end-to-end traffic flow is shown in the diagram below where the Appian Cloud instance forwards requests to the Interface VPC Endpoint over a private connection to the customer’s VPC Endpoint Service. In the customer VPC, this traffic is received by the Network Load Balancer and routed to the customer’s service.

privatelink image 1

Example Usage - HA Cloud Instance Integrated With An AWS Hosted Service

Customers can use PrivateLink to connect their Appian Cloud High-Availability instance with their resources. An Appian Cloud HA instance is composed of three nodes distributed across three different Availability Zones. The application server running on each node forwards requests to a single Interface VPC Endpoint located in the Appian Cloud VPC. From there, the traffic is routed to the customer's service in the same fashion as described in the Architecture section.

privatelink image 2

Example Usage - Multiple Cloud Instances Integrated With An AWS Hosted Service

The example below shows two customer Appian Cloud instances (Production and Development) forwarding requests to the customer's service over PrivateLink. Each request originates from an Appian Cloud instance, is sent through the Interface VPC Endpoint, and arrives at the customer's NLB. In this case, the customer has configured their NLB to distribute traffic between two EC2 instances hosted in separate Availability Zones.

privatelink image 3

Example Usage - On-Prem Service With AWS Direct Connect

Customers can also use PrivateLink in conjunction with their own AWS Direct Connect to expose on-premises systems to their Appian Cloud instances. Rather than forwarding traffic from the NLB to an AWS-hosted service, customers can configure their NLB with the private IP address of their on-premises resource as the target.

Once traffic is received by the NLB, traffic can be routed through the Virtual Private Gateway linked to the customer’s AWS Direct Connect. With this connection model, requests can be made directly to a service hosted in the customer’s private network without traversing the Internet. Note that the exact traffic flow will depend on the architecture of each customer network.

privatelink image 4

Prerequisites

Prerequisite steps, with the organizational role responsible for each:

  • Create a VPC Endpoint Service (Customer AWS Administrator): The Endpoint Service must be created in the same AWS region as the customer's Appian Cloud instances. To create a VPC Endpoint Service, follow the steps in the AWS documentation for endpoint services.
  • Whitelist Principals (Customer AWS Administrator): Once the VPC Endpoint Service exists, Appian needs permission to send connection requests to it. This is granted by adding IAM principals to the Endpoint Service's whitelisted principals list. Customers can add an entry of `*` to allow any principal to send a connection request and then manually accept the request submitted by Appian; with `*` whitelisted, the Endpoint Service must keep acceptance required, otherwise any AWS account that learns the Service Name can connect without review. Alternatively, the customer can ask Appian Support for a specific principal to whitelist.
  • Create a Support Case (Customer Business Relationship Owner): Open a support case with Appian Support that includes the following information:
    • Use Case: the type of service the customer is integrating with (e.g. LDAP, data source)
    • Service Name: the AWS-provided Service Name generated when creating the VPC Endpoint Service
      • Example: com.amazonaws.vpce.us-east-1.vpce-svc-1234
    • Hostname: if the customer target system employs server-side authentication (for example TLS), the hostname that will be used when referencing this service in the customer's Appian Cloud instances (see Handling Server-Side Authentication below). The customer's server certificate must be valid for this hostname.
    • Whitelisted Principals: confirmation that `*` has been added to the whitelisted principals list, or a request for a specific principal to whitelist

Setup

Once the prerequisite steps above have been completed, Appian Support will work with the customer through the following configuration procedure.

Configuration actions, with the owner of each:

  • Create VPC Endpoint (Appian): Appian creates an Interface VPC Endpoint that connects to the VPC Endpoint Service the customer provided.
  • Accept VPC Endpoint Connection (Customer AWS Administrator): The customer accepts the pending connection request on their VPC Endpoint Service, unless the service is set to automatically accept connection requests. Before accepting, confirm that the request was submitted by the AWS account Appian Support identified; when `*` is whitelisted, any account can submit a request.
  • Provide Endpoint-Specific DNS Hostname (Appian): If the customer's service does not employ server-side authentication, Appian Support provides the customer with an endpoint-specific DNS hostname that can be used to send requests to the Endpoint Service from the customer's Appian Cloud instance.
  • Schedule a Maintenance Window for the Affected Instances (Appian): Once the connection request has been accepted, Appian Support works with the customer to schedule maintenance windows for the affected instances. The changes are applied during these windows.
  • Update Admin Console to Utilize the New Configuration (Customer Business Relationship Owner): Admin Console updates may be required to begin integrating with the new Endpoint Service. The customer may need to update pre-existing configurations to use the new DNS hostnames that resolve to PrivateLink, or create new entries for brand-new integrations.
  • Verify the Integration Works as Expected (Appian / Customer Business Relationship Owner): Appian Support works with the customer to confirm that connectivity to the customer resources works as expected.
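The customer-side prerequisite and setup steps above (create the Endpoint Service in the right region, whitelist principals, accept the connection request) are easy to get subtly wrong, in particular the combination of a `*` whitelist with automatic acceptance. The following Python is an added example, not Appian's or AWS's own tooling: it runs offline over dictionaries shaped like the responses of the EC2 DescribeVpcEndpointServiceConfigurations, DescribeVpcEndpointServicePermissions and DescribeVpcEndpointConnections APIs. The service id, NLB ARN, account ids and endpoint ids in the sample data are constructed for the example and are not real Appian or customer identifiers.

```python
import re

# Service Name format from the prerequisites, e.g.
# com.amazonaws.vpce.us-east-1.vpce-svc-1234 (region and service id captured).
SERVICE_NAME_RE = re.compile(
    r"^com\.amazonaws\.vpce\."
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.(?P<svc>vpce-svc-[0-9a-f]+)$"
)


def parse_service_name(service_name):
    """Return (region, service_id) from an AWS VPC Endpoint Service Name."""
    m = SERVICE_NAME_RE.match(service_name)
    if m is None:
        raise ValueError(f"not a VPC endpoint service name: {service_name!r}")
    return m.group("region"), m.group("svc")


def check_endpoint_service(service_config, allowed_principals, appian_region):
    """Return a list of findings; an empty list means the service is ready to
    hand to Appian Support.  service_config has the shape of one element of
    ServiceConfigurations[], allowed_principals of AllowedPrincipals[]."""
    findings = []
    region, _ = parse_service_name(service_config["ServiceName"])
    if region != appian_region:
        findings.append(f"REGION: service is in {region}, "
                        f"Appian Cloud instance is in {appian_region}")
    if not service_config.get("NetworkLoadBalancerArns"):
        findings.append("NLB: no Network Load Balancer attached to the Endpoint Service")
    principals = {p["Principal"] for p in allowed_principals}
    if not principals:
        findings.append("PRINCIPALS: nothing whitelisted, Appian cannot submit a request")
    if "*" in principals and not service_config.get("AcceptanceRequired", True):
        findings.append("ACCEPTANCE: '*' is whitelisted and acceptance is not required; "
                        "any AWS account that learns the Service Name can connect unreviewed")
    return findings


def triage_connection_requests(connections, expected_owner_account):
    """Split pending requests into (accept, reject) lists of endpoint ids:
    accept only those owned by the account Appian Support named.  connections
    has the shape of VpcEndpointConnections[]."""
    accept, reject = [], []
    for c in connections:
        if c.get("VpcEndpointState") != "pendingAcceptance":
            continue
        target = accept if c.get("VpcEndpointOwner") == expected_owner_account else reject
        target.append(c["VpcEndpointId"])
    return accept, reject


# Constructed sample data (assumed ids; not real resources).
APPIAN_REGION = "us-east-1"
ASSUMED_APPIAN_ACCOUNT = "111111111111"
PRINCIPALS_ANY = [{"PrincipalType": "All", "Principal": "*"}]
WEAK_SERVICE = {
    "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
    "AcceptanceRequired": False,  # weak: combined with '*' below
    "NetworkLoadBalancerArns": [
        "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/net/appian-nlb/abc"],
}
FIXED_SERVICE = dict(WEAK_SERVICE, AcceptanceRequired=True)
PENDING = [
    {"VpcEndpointId": "vpce-aaa", "VpcEndpointOwner": "111111111111",
     "VpcEndpointState": "pendingAcceptance"},
    {"VpcEndpointId": "vpce-bbb", "VpcEndpointOwner": "999999999999",
     "VpcEndpointState": "pendingAcceptance"},
    {"VpcEndpointId": "vpce-ccc", "VpcEndpointOwner": "111111111111",
     "VpcEndpointState": "available"},
]

if __name__ == "__main__":
    print("weak:", check_endpoint_service(WEAK_SERVICE, PRINCIPALS_ANY, APPIAN_REGION))
    print("fixed:", check_endpoint_service(FIXED_SERVICE, PRINCIPALS_ANY, APPIAN_REGION))
    print("accept/reject:", triage_connection_requests(PENDING, ASSUMED_APPIAN_ACCOUNT))
```

To use this against a real account, replace the constructed dictionaries with the output of the corresponding boto3 `describe_*` calls; the checks themselves do not change.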

Handling Server Side Authentication

Some systems employ server-side authentication (for example, HTTPS, TLS, LDAPS) to prove the identity of the server to the client. With this type of authentication, the client must reference the customer resource using a DNS hostname that matches a name in the server certificate, since the client validates the certificate against the hostname it connected to.

To ensure that the traffic for a particular hostname routes through PrivateLink, the hostname must resolve directly to the Appian Interface VPC Endpoint DNS name or to a particular Appian Interface VPC Endpoint ENI (Elastic Network Interface).

Appian Cloud currently supports two methods of enabling server name resolution:

Option 1: Customer Controlled Hostname DNS Resolution

The customer adds a publicly resolvable CNAME record in their DNS infrastructure that resolves the DNS hostname of the customer resource to the Interface VPC Endpoint DNS name provided by Appian. Because the record is public, DNS resolution occurs over the Internet, while the subsequent requests are sent over PrivateLink. The customer's server certificate must be issued for the customer hostname (the name the CNAME is published under), not for the Interface VPC Endpoint DNS name.

Option 2: Appian Controlled Hostname Resolution

Appian will resolve any calls to specific customer hostnames within the application to an Appian Cloud Interface VPC Endpoint ENI IP Address. This will allow any requests destined to that particular hostname to resolve directly to an ENI without traversing over the Internet.
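The two options above differ only in where the hostname resolves; in both cases the connection must land on an Interface VPC Endpoint ENI and the name the client used must match the server certificate. The following Python is an added example, not Appian's code, that models both options and the common misconfiguration (a public A record that bypasses the endpoint) with a constructed DNS table and a certificate-name check. The endpoint DNS name, ENI addresses and `ldap.example.com` hostname are assumed values for the example.

```python
import ipaddress

# Constructed example data: assumed endpoint DNS name, assumed ENI addresses
# (one per Availability Zone) and assumed customer hostname.  None are real.
ENDPOINT_DNS = ("vpce-0a1b2c3d4e5f6a7b8-abcdef01.vpce-svc-0123456789abcdef0"
                ".us-east-1.vpce.amazonaws.com")
ENDPOINT_ENI_IPS = {"10.20.1.15", "10.20.2.15", "10.20.3.15"}
CUSTOMER_HOST = "ldap.example.com"

# Option 1: the customer publishes a public CNAME from their hostname to the
# endpoint DNS name; AWS serves the endpoint name, which resolves to the
# private ENI addresses.  Each record is (type, value).
OPTION1_DNS = {
    CUSTOMER_HOST: ("CNAME", ENDPOINT_DNS),
    ENDPOINT_DNS: ("A", sorted(ENDPOINT_ENI_IPS)),
}
# Option 2: Appian resolves the hostname straight to one ENI address inside
# the platform, so no public record is needed.
OPTION2_DNS = {CUSTOMER_HOST: ("A", ["10.20.1.15"])}
# Misconfiguration: a public A record pointing at the service's own address,
# which would send traffic around the endpoint instead of through it.
BAD_DNS = {CUSTOMER_HOST: ("A", ["203.0.113.10"])}


def resolve(name, zone, max_hops=8):
    """Follow CNAMEs in a constructed zone table and return the final A records."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rtype, value = zone[name]  # KeyError means the name does not resolve
        if rtype == "A":
            return list(value)
        name = value
    raise ValueError("too many CNAME hops")


def hostname_matches_san(hostname, sans):
    """Certificate name check: exact match, or a wildcard covering only the
    leftmost label (the rule TLS clients apply, RFC 6125 section 6.4.3)."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower().rstrip(".") for s in sans):
        if san == host:
            return True
        if san.startswith("*."):
            left, sep, rest = host.partition(".")
            if sep and left and rest == san[2:]:
                return True
    return False


def verify_server_side_auth(hostname, zone, cert_sans, eni_ips=ENDPOINT_ENI_IPS):
    """Would a TLS connection to `hostname` both stay on PrivateLink and pass
    certificate validation?  Returns the individual check results."""
    ips = resolve(hostname, zone)
    private = all(ipaddress.ip_address(ip).is_private for ip in ips)
    on_endpoint = all(ip in eni_ips for ip in ips)
    return {
        "resolved": ips,
        "over_privatelink": private and on_endpoint,
        "cert_matches": hostname_matches_san(hostname, cert_sans),
    }


if __name__ == "__main__":
    print("option 1:", verify_server_side_auth(CUSTOMER_HOST, OPTION1_DNS, [CUSTOMER_HOST]))
    print("option 2:", verify_server_side_auth(CUSTOMER_HOST, OPTION2_DNS, ["*.example.com"]))
    # Using the endpoint name directly reaches PrivateLink but fails the cert check,
    # which is why the support case must carry the customer hostname.
    print("vpce name:", verify_server_side_auth(ENDPOINT_DNS, OPTION1_DNS, [CUSTOMER_HOST]))
    print("bypass:", verify_server_side_auth(CUSTOMER_HOST, BAD_DNS, [CUSTOMER_HOST]))
```

The `over_privatelink` check is the one to run after any DNS change on the customer side: a stray public A record for the hostname, or a CNAME that points anywhere other than the endpoint name Appian provided, silently moves the traffic off PrivateLink while the certificate check still passes.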
