Dynamic VPN routing allows customers to connect their production Appian Cloud instances to their on-premise resources in a secure and reliable manner. With this feature, traffic through IPSec VPN tunnels can be rerouted automatically to a secondary path as soon as a node or a connection failure is detected. Dynamic VPNs use Border Gateway Protocol (BGP) to exchange routing information and reachability between Appian Cloud and customer networks.
Dynamically-routed VPNs have several benefits, including:
When dynamic VPN routing is enabled, customers can “peer” their BGP-capable VPN device with their Appian Cloud instances. Once BGP peering is established between both sides, Appian Cloud will inform the availability of the Appian private network (or prefixes) through BGP messages within the IPSec tunnels. Similarly, customer VPN devices will advertise the private IP prefixes where the customer resources can be reached by their Appian Cloud instance.
With this feature, Appian Cloud instances are configured with a pair of Site-to-Site IPSec VPN tunnels in an Active-Passive setup. Appian Cloud provides two Appian Gateways, each with a public IP address that will be used by the customer to configure the tunnels in their VPN gateways. BGP sessions run inside both of the VPN tunnels and BGP peers are configured in their respective Autonomous Systems.
The diagram below shows an example setup of an integration with an on-premise resource through dynamic VPNs. Application server traffic originated in the Appian Cloud instance and destined to a customer’s resource is routed over the active VPN tunnel. The exact configuration depends on the architecture of each customer network.
When the primary VPN tunnel is down or the remote Customer VPN Gateway is unreachable, BGP detects the failure in the network path and recovers automatically by rerouting traffic to the second VPN tunnel.
The same setup applies for Appian Cloud instances configured with High-Availability. A pair of dynamic VPN tunnels is required to route outbound traffic originating from each application server in the Appian Cloud instance. With Appian Cloud HA, Appian Gateways are located in separate Availability Zones to recover from an outage of an Availability Zone.
Customers who wish to access their sites over VPNs exclusively can also use Dynamic VPN routing. With this configuration, customers are assigned a single HTTPS private endpoint accessible from both the active and the standby tunnel for each Appian Cloud instance regardless of its number of nodes. The HTTPS private endpoint will be part of the prefix advertised by Appian Cloud through BGP.
In the example below, the Appian Cloud instance is accessed using the custom name _my-instance.acme.org. _Customers configure their DNS infrastructure to resolve their custom Appian Cloud instance name to the Private HTTPS Endpoint. End user requests are routed over the active VPN tunnel and processed by the web server running on the Appian Cloud instance. The exact configuration depends on the architecture of each customer network.
If the active tunnel goes down, end users requests to the Private HTTPS endpoint will be rerouted by the Customer VPN gateway to the second tunnel. The same setup applies for Appian Cloud instances configured with High-Availability.
For more information on inbound traffic over VPN, refer to Support for inbound HTTPS over VPN tunnel
The table below lists the tasks that the customer needs to perform and the typical role in your organization to be involved in this process. Roles may vary depending on your organization.
|Prerequisite||Description||Role in customer organization|
|Ensure customer VPN device compatibility||Customer VPN device must be able to establish Border Gateway Protocol (BGP) peering and bind tunnels to logical interfaces (route-based VPN). Refer to the vendor documentation of your VPN device to ensure that it supports these capabilities.||Networking department|
|Customize the Appian Cloud instance domain (Optional)||Appian Cloud instances with inbound web traffic over dynamic VPNs are required to have custom domains. This is only required when web access is restricted over the VPN. See Configure custom domain in Appian Cloud sites.||Networking Department|
Once all prerequisites have been met, create a support case and submit the VPN Worksheet to Appian Support. To enable this feature, Appian Support will coordinate with the customer one or more Maintenance Windows if needed.