IPsec VPN connections can be configured to give an Appian Cloud instance access to computer resources on a customer's private network. Each Appian Cloud instance can have multiple VPN tunnels enabled to securely integrate with resources in different networks. This enables the use of Appian smart services such as the Query Database or the Web Service smart service to connect to resources that are located on your private network, and allows secure integration with a corporate authentication system (e.g. Active Directory).
Note that each VPN tunnel is associated with a single Appian Cloud instance. Also keep in mind that, for production instances running Appian 16.1 or higher, Appian Cloud writes data to 2 isolated locations within the same geographic area. We require customers setting up VPN tunnels for their Appian Cloud production instances to set up VPN tunnels to both locations, in order to accelerate service recovery time in the event of a major incident disabling an entire location.
To set up a VPN connection, have your network administrator fill out the Appian Cloud VPN Worksheet and send it to Appian Technical Support, attached to a new support case.
Once the VPN tunnel has been established, you can access the VPN tunnel through your Appian Cloud instance.
Appian Cloud instances can have VPN tunnels configured to fail over between two (2) customer VPN gateways. Failover will be attempted upon failure of a ping test of a single IP address within the private network space on the customer network. This IP address must be reachable and ping must be enabled from both gateways. Appian strongly recommends that you implement failover for production sites.
In order to use the VPN tunnel to connect to a resource on a private network, refer to the resource using its fully qualified domain name in any location where Appian allows the use of a URL for a resource, such as the Call Web Service or the Query Database smart services.
By default, Appian Cloud instances receive all web inbound traffic through the public Internet. Upon request, Appian can configure Appian Cloud instances to require web traffic to go through a VPN tunnel. With this configuration, the site will not be accessible over the Internet and all users must first be on their corporate network before navigating to their Appian Cloud sites.
Alternatively, customers can request that their Appian Cloud instances be configured in dual mode, in which the instances receive inbound web traffic over both the Internet and the VPN tunnel. Please see KB-1537 for prerequisites and details on how to set up your sites in dual mode.
Both of these custom configurations require additional network hops for web traffic to enter Appian Cloud. Performance, as well as compatibility with mobile devices, needs to be taken into consideration and carefully evaluated by customers who wish to enable any of these configurations.
Traffic addressed to a host within your corporate domain and for which the DNS lookup (from the corporate DNS servers if provided, otherwise the Internet) returns a private IP address (RFC 1918) is sent over the VPN tunnel. Appian Technical Support can configure traffic to certain public IP addresses to also be sent over the VPN tunnel if requested by the customer. All other traffic will be sent over the Internet.
This is applicable even if an Appian Cloud instance is configured to require all inbound traffic to go through the VPN tunnel.
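The routing rule above, read literally, as an added Python example (not Appian's code) that predicts which path an outbound connection takes from the hostname and its DNS answer. The function and parameter names, the sample DNS answers, and the choice to check the requested public-IP list first are assumptions.

```python
import ipaddress

# RFC 1918 ranges only. ipaddress.is_private is broader (loopback,
# link-local, CGNAT, ...), so the three networks are listed explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_corporate_domain(host, corporate_domains):
    """True if host equals a corporate domain or is a subdomain of one.

    Matching is done on a label boundary, so 'notmycorp.com' does not
    match 'mycorp.com'.
    """
    host = host.rstrip(".").lower()
    for domain in corporate_domains:
        domain = domain.rstrip(".").lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def egress_path(host, resolved_ip, corporate_domains, vpn_public_ips=()):
    """Return 'vpn' or 'internet' for one outbound connection.

    vpn_public_ips models the public addresses that Support has been asked
    to send through the tunnel (hypothetical parameter name).
    """
    ip = ipaddress.ip_address(resolved_ip)
    if ip in {ipaddress.ip_address(p) for p in vpn_public_ips}:
        return "vpn"
    is_rfc1918 = any(ip in net for net in RFC1918)
    if in_corporate_domain(host, corporate_domains) and is_rfc1918:
        return "vpn"
    return "internet"


# Constructed DNS answers (not taken from the page or a real network).
SAMPLES = [
    ("db1.mycorp.com", "10.20.30.40"),     # corporate name, private IP
    ("www.mycorp.com", "203.0.113.10"),    # corporate name, public IP
    ("db.notmycorp.com", "10.20.30.40"),   # lookalike suffix, private IP
    ("db1.mycorp.com", "172.32.0.1"),      # just outside 172.16.0.0/12
]

if __name__ == "__main__":
    for host, ip in SAMPLES:
        print(f"{host:20} {ip:15} -> {egress_path(host, ip, ['mycorp.com'])}")
```

Running the same check over the hostnames your process models reference shows which integrations depend on the tunnel and which would leave over the Internet.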
Customers are responsible for keeping their VPN gateway running with appropriate network connectivity. If the VPN gateway goes down, Appian cannot connect to internal resources. We strongly recommend that you take this into account when designing your process applications. For example, build the appropriate error handling and recovery mechanisms within the process models.
The VPN connection is set up so that either side can initiate the connection. Appian may disconnect the Appian Cloud instance during scheduled maintenance windows.
Please refer to Figure 1 for the examples described next.
http://db1.mycorp.com in the web services smart service
http://db2.mycorp.com in the web services smart service
http://db.otherdomain.com in the Call Web Service smart service.
To set up a VPN connection between your Appian Cloud instance and your private network, download the Appian Cloud VPN worksheet.
Complete the sections marked in yellow on the form and submit it to Appian Technical Support, creating a new case for your organization.