Dynamic VPN Routing

Overview

Dynamic VPN routing allows customers to connect their production Appian Cloud instances to their on-premise resources in a secure and reliable manner. With this feature, traffic through IPSec VPN tunnels can be rerouted automatically to a secondary path as soon as a node or a connection failure is detected. Dynamic VPNs use Border Gateway Protocol (BGP) to exchange routing information and reachability between Appian Cloud and customer networks.

Benefits

Dynamically-routed VPNs have several benefits, including:

  • Enhanced VPN resiliency. Unlike static VPN tunnels, dynamic VPN tunnels allow both sides to detect failures and route traffic around them. This minimizes the impact of a service disruption between Appian Cloud and the customer network when a VPN tunnel or a node fails.
  • Reduced complexity of VPN integrations. Instead of setting up two static VPN tunnels per Application Server node to implement failover, Appian Cloud instances configured with High-Availability (HA) require only two dynamic VPN tunnels per instance (regardless of the number of nodes in the cluster) to avoid single points of failure in the connectivity between Appian Cloud and the customer network.
  • Simplified name resolution and address space. When an Appian Cloud instance is accessed over VPN, customers connect to a single private endpoint provided by Appian Cloud and configure their DNS infrastructure to resolve to a single IP address.

Architecture

When dynamic VPN routing is enabled, customers can "peer" their BGP-capable VPN device with their Appian Cloud instances. Once BGP peering is established between both sides, Appian Cloud advertises the availability of the Appian private network (its prefixes) through BGP messages carried inside the IPSec tunnels. Similarly, the customer VPN devices advertise the private IP prefixes on which the customer resources can be reached from the Appian Cloud instance.

With this feature, Appian Cloud instances are configured with a pair of Site-to-Site IPSec VPN tunnels in an Active-Passive setup. Appian Cloud provides two Appian Gateways, each with a public IP address that the customer uses to configure the tunnels on their VPN gateways. BGP sessions run inside both VPN tunnels, and the BGP peers are configured in their respective Autonomous Systems.

Outbound traffic

The diagram below shows an example setup of an integration with an on-premise resource through dynamic VPNs. Application server traffic originating in the Appian Cloud instance and destined for a customer resource is routed over the active VPN tunnel. The exact configuration depends on the architecture of each customer network.

[Figure: Dynamic-VPN0.png]

When the primary VPN tunnel is down or the remote Customer VPN Gateway is unreachable, BGP detects the failure in the network path and recovers automatically by rerouting traffic to the second VPN tunnel.

[Figure: Dynamic-VPN1.png]

The same setup applies for Appian Cloud instances configured with High-Availability. A pair of dynamic VPN tunnels is required to route outbound traffic originating from each application server in the Appian Cloud instance. With Appian Cloud HA, Appian Gateways are located in separate Availability Zones to recover from an outage of an Availability Zone.

Inbound traffic

Customers who wish to access their sites exclusively over VPN can also use Dynamic VPN routing. With this configuration, customers are assigned a single HTTPS private endpoint, reachable through both the active and the standby tunnel, for each Appian Cloud instance regardless of its number of nodes. The HTTPS private endpoint is part of the prefix advertised by Appian Cloud through BGP.

In the example below, the Appian Cloud instance is accessed using the custom name my-instance.acme.org. Customers configure their DNS infrastructure to resolve their custom Appian Cloud instance name to the Private HTTPS Endpoint. End user requests are routed over the active VPN tunnel and processed by the web server running on the Appian Cloud instance. The exact configuration depends on the architecture of each customer network.

[Figure: Dynamic-VPN2.png]

If the active tunnel goes down, end users' requests to the Private HTTPS endpoint are rerouted by the Customer VPN gateway to the second tunnel. The same setup applies for Appian Cloud instances configured with High-Availability.

For more information on inbound traffic over VPN, refer to Support for inbound HTTPS over VPN tunnel.
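The failover behaviour described for outbound traffic (BGP withdrawing the paths learned over a failed tunnel) and for inbound traffic (the customer gateway rerouting requests for the Private HTTPS Endpoint to the second tunnel) can be modelled with a small BGP table simulation. This is an added example, not Appian's code; the tunnel names, the Appian private prefix 10.200.0.0/24, the endpoint address 10.200.0.10 and the local-preference values are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Path:
    prefix: ipaddress.IPv4Network
    next_hop: str      # tunnel interface the route was learned over (route-based VPN)
    local_pref: int    # higher wins; the customer side prefers the active tunnel


@dataclass
class CustomerBgpRib:
    """Constructed model of the customer VPN gateway's BGP table."""
    sessions: dict = field(default_factory=dict)   # tunnel name -> session up?
    paths: list = field(default_factory=list)

    def session_up(self, tunnel, local_pref, prefixes):
        # Peer advertises its prefixes over this tunnel; install one path each
        self.sessions[tunnel] = True
        for p in prefixes:
            self.paths.append(Path(ipaddress.ip_network(p), tunnel, local_pref))

    def session_down(self, tunnel):
        # A tunnel outage or unreachable peer drops the BGP session, which
        # withdraws every path learned over it; nothing is left pointing there
        self.sessions[tunnel] = False
        self.paths = [p for p in self.paths if p.next_hop != tunnel]

    def lookup(self, dst):
        # Longest prefix match first, then highest local preference
        addr = ipaddress.ip_address(dst)
        candidates = [p for p in self.paths if addr in p.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda p: (p.prefix.prefixlen, p.local_pref)).next_hop


def simulate_failover():
    rib = CustomerBgpRib()
    appian_prefixes = ["10.200.0.0/24"]       # constructed Appian private prefix
    rib.session_up("tun-appian-gw1", 200, appian_prefixes)   # active tunnel
    rib.session_up("tun-appian-gw2", 100, appian_prefixes)   # standby tunnel
    endpoint = "10.200.0.10"                  # constructed Private HTTPS Endpoint
    before = rib.lookup(endpoint)             # steady state: active tunnel
    rib.session_down("tun-appian-gw1")        # primary tunnel fails
    after = rib.lookup(endpoint)              # BGP reroutes to the standby tunnel
    rib.session_down("tun-appian-gw2")        # both tunnels down
    isolated = rib.lookup(endpoint)           # no path: endpoint unreachable
    return before, after, isolated
```

Running `simulate_failover()` returns the next hop chosen before the failure, after the primary tunnel is lost, and once both sessions are down.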

Prerequisites

The table below lists the tasks that the customer needs to perform and the role in your organization typically involved in each. Roles may vary depending on your organization.

Prerequisite: Ensure customer VPN device compatibility
  Description: The customer VPN device must be able to establish Border Gateway Protocol (BGP) peering and bind tunnels to logical interfaces (route-based VPN). Refer to the vendor documentation of your VPN device to ensure that it supports these capabilities.
  Role in customer organization: Networking department

Prerequisite: Customize the Appian Cloud instance domain (Optional)
  Description: Appian Cloud instances that receive inbound web traffic over dynamic VPNs are required to have custom domains. This is only required when web access is restricted to the VPN. See Configure custom domain in Appian Cloud sites.
  Role in customer organization: Networking department

Procedure

Once all prerequisites have been met, create a support case and submit the VPN Worksheet to Appian Support. To enable this feature, Appian Support will coordinate one or more Maintenance Windows with the customer if needed.
