This page applies to Appian Cloud only. It may not reflect the differences with Appian Government Cloud.
This page documents how to configure an Appian Cloud environment to access your resources through AWS PrivateLink. For an overview of integrating with Appian Cloud using AWS PrivateLink, see AWS PrivateLink integration with Appian Cloud.
In order to integrate with PrivateLink, the Appian Cloud VPC is configured as the service consumer connecting to your resource through an interface VPC endpoint. You will need to create a VPC endpoint service inside your own VPC (service provider) to expose your resources.
The end-to-end traffic flow is shown in the diagram below where the Appian Cloud environment forwards requests to the interface VPC endpoint over a private connection to your VPC endpoint service. In your VPC, this traffic is received by the Network Load Balancer (NLB) and routed to your service.
Alternatively, you may want to use PrivateLink to connect to supported AWS managed services. In that case, skip the steps for creating a VPC endpoint service and provide the managed service's "service name" in your Appian Support case notes.
You can use PrivateLink to connect your Appian Cloud High-Availability environment with your external resources. An Appian Cloud HA environment is composed of three nodes distributed across three different Availability Zones. The application server running on each node forwards requests to a single VPC interface endpoint located in the Appian Cloud VPC. From there, the traffic is routed to the customer's service in the same fashion as described in the architecture section.
The example below shows two Appian Cloud environments (Production and Development) forwarding requests to a customer's service over PrivateLink. Each request originates in the Appian Cloud environment, is routed over the interface VPC endpoint, and arrives at the customer's NLB. In this case, the customer has configured the NLB to distribute traffic between two EC2 instances hosted in separate Availability Zones.
You may also utilize PrivateLink in conjunction with your own AWS Direct Connect to expose your systems to your Appian Cloud environments. Rather than forwarding traffic from the NLB directly to an AWS hosted service, you may configure your NLB with the target private IP address of your resource behind AWS Direct Connect.
Once traffic is received by the NLB, traffic can be routed through the virtual private gateway linked to your AWS Direct Connect. With this connection model, requests can be made directly to a service hosted in your private network without traversing the Internet. Note that the exact traffic flow will depend on the architecture of your network.
The prerequisites below are not necessary to connect to a supported AWS managed service. To connect with one of these, open a Support Case and specify the service name that is provided in the AWS documentation for that managed service.
Prerequisite Steps | Description | Organizational Role |
---|---|---|
Create a VPC endpoint service | This service must be created in the same AWS region as your Appian Cloud environments. To create a VPC endpoint service, follow the steps here. | Your AWS Administrator |
Allow Principals | Once the VPC endpoint service exists, Appian needs permission to send connection requests to it. Grant this by adding IAM principals to the service's allowed principals list. You may add an entry of `*` to allow connection requests from any principal; if you do, keep acceptance required so that Appian's connection request is approved manually and no other request connects silently. Alternatively, ask Appian Support for a specific principal to allow. | Your AWS Administrator |
Create a Support Case | Open a support case with Appian Support. Include the following information: | Your Business Relationship Owner |
Once the prerequisite steps above have been completed, Appian Support will work with you through the following configuration procedure.
We recommend testing on lower environments prior to elevating to production usage.
Configuration Action | Description | Owner |
---|---|---|
Create VPC endpoint | Appian will create a VPC endpoint to connect to the VPC endpoint service you have provided. | Appian |
Accept VPC endpoint connection | You will need to accept the VPC endpoint connection on your VPC endpoint service, unless the service is set to automatically accept connection requests. | Your AWS Administrator |
Provide endpoint-specific DNS hostname | If your service does not employ server-side authentication, Appian Support will provide you with an endpoint-specific DNS hostname that can be used to send requests to the endpoint service from your Appian Cloud environment. | Appian |
Schedule a Maintenance Window for the Affected environments | Appian Support will work with you to schedule Maintenance Windows for the affected environments once the request has been accepted. The changes will be applied during this window. | Appian |
Update Admin Console to utilize new configurations | Admin Console updates may be required to begin integrating with the new endpoint service. You may need to make updates to pre-existing configurations using the new DNS hostnames resolving to PrivateLink. Alternatively, you may need to create new entries for brand new integrations. | Your Business Relationship Owner |
Verify the integration works as expected | Appian Support will work with you to ensure connectivity to your resources is working as expected. | Appian / Your Business Relationship Owner |
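The service-provider side of the prerequisite and configuration steps above (create the endpoint service with acceptance required, allow a principal, then accept only the connection request you expect), written as an added example with boto3; it is not Appian's or AWS's own tooling. The NLB ARN, region, allowed principal and the account id that will own Appian's endpoint are placeholders you replace with the values from your AWS account and your Appian Support case.

```python
# Placeholders (assumptions): your NLB ARN, the principal Appian Support tells you to allow,
# and the AWS account that will own Appian's interface endpoint.
NLB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/PLACEHOLDER/0123456789abcdef"
ALLOWED_PRINCIPAL = "*"            # "*" lets any principal *request*; acceptance below is the real gate
EXPECTED_OWNER = "444455556666"    # constructed account id; use the one Appian Support gives you
REGION = "us-east-1"               # must be the same region as your Appian Cloud environments


def pending_from_owner(connections, expected_owner):
    """Ids of requests that are still pendingAcceptance AND come from the expected account."""
    return [c["VpcEndpointId"] for c in connections
            if c.get("VpcEndpointState") == "pendingAcceptance"
            and c.get("VpcEndpointOwner") == expected_owner]


def create_service(ec2, nlb_arn=NLB_ARN):
    """Create the endpoint service with manual acceptance so no request connects silently."""
    cfg = ec2.create_vpc_endpoint_service_configuration(
        AcceptanceRequired=True, NetworkLoadBalancerArns=[nlb_arn])["ServiceConfiguration"]
    return cfg["ServiceId"], cfg["ServiceName"]   # ServiceName goes into the support case


def allow_principal(ec2, service_id, principal=ALLOWED_PRINCIPAL):
    """Add the principal to the allowed-principals list (the 'Allow Principals' step)."""
    ec2.modify_vpc_endpoint_service_permissions(ServiceId=service_id, AddAllowedPrincipals=[principal])


def accept_expected(ec2, service_id, expected_owner=EXPECTED_OWNER):
    """Accept only the pending requests from the expected owner; anything else stays pending."""
    resp = ec2.describe_vpc_endpoint_connections(
        Filters=[{"Name": "service-id", "Values": [service_id]}])
    ids = pending_from_owner(resp.get("VpcEndpointConnections", []), expected_owner)
    if ids:
        ec2.accept_vpc_endpoint_connections(ServiceId=service_id, VpcEndpointIds=ids)
    return ids


def main():
    import boto3  # imported lazily so the helpers above run without AWS access
    ec2 = boto3.client("ec2", region_name=REGION)
    service_id, service_name = create_service(ec2)
    allow_principal(ec2, service_id)
    print("Service name for the Appian Support case:", service_name)
    # Re-run this part once Appian has created its endpoint ("Accept VPC endpoint connection"):
    print("Accepted endpoint ids:", accept_expected(ec2, service_id))


if __name__ == "__main__":
    main()
```

Run `main()` once to create the service and a second time after Appian's request appears; requests from any other account are left pending for you to review rather than accepted.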
PrivateLink does not inherently encrypt traffic. To add application-level protection, some implementations encrypt the connection, and depending on the implementation the client may also perform server-side authentication (for example, HTTPS, TLS or LDAPS) to prove the identity of the server to the client. This type of authentication requires the caller to reference your resource by a valid DNS hostname that matches the server certificate, so in these cases the certificate on your resource server must be trusted by a public Certificate Authority. Some implementations let you disable server certificate validation while still encrypting traffic; this is not recommended, because a man-in-the-middle attack could then circumvent the encryption.
In order to ensure that the traffic from a particular hostname routes through PrivateLink, the hostname must resolve directly to the Appian VPC interface endpoint DNS name or to a particular Appian interface VPC endpoint ENI (Elastic Network Interface).
Appian Cloud currently supports two methods of enabling server name resolution:
- Public CNAME record: you add a publicly resolvable CNAME record in your DNS infrastructure that resolves the DNS hostname of your resource to the interface VPC endpoint DNS name provided by Appian. DNS resolution therefore occurs over the Internet, while the subsequent requests are sent over PrivateLink.
- Appian-side hostname resolution: Appian resolves calls to specific hostnames within the application to an Appian Cloud interface VPC endpoint ENI IP address. Requests destined for that hostname resolve directly to an ENI without traversing the Internet. For this method, it is also recommended that you enable Cross-Zone Load Balancing on your NLB so that traffic is balanced evenly among your instances.
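A check combining the two points above (the hostname must route over PrivateLink, and for server-side authentication it must also appear in the server certificate), as an added example that is not part of the original page. DNS answers, the `vpce-*` endpoint name, the ENI addresses and the certificate SAN lists are all constructed here to stand in for a real resolver and certificate; `routes_via_privatelink` and `server_auth_ok` are the functions a practitioner would run before opening the support case.

```python
# Constructed stand-in for DNS answers: name -> ("CNAME", target) or ("A", [ips]).
# The vpce-* name and addresses are placeholders, not real Appian endpoints.
ENDPOINT_DNS = "vpce-0a1b2c3d.vpce-svc-0e4f5a6b.us-east-1.vpce.amazonaws.com"
ENI_IPS = {"10.20.30.40", "10.20.31.41"}  # constructed endpoint ENI addresses in the Appian VPC
ZONE = {
    "db.example.com": ("CNAME", ENDPOINT_DNS),      # method 1: public CNAME to the endpoint name
    ENDPOINT_DNS: ("A", sorted(ENI_IPS)),
    "api.example.com": ("A", ["203.0.113.10"]),     # public address: never enters PrivateLink
}

def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs the way a resolver does; return (names visited, final A records)."""
    chain, cur = [], name.lower().rstrip(".")
    for _ in range(max_hops):
        chain.append(cur)
        rec = zone.get(cur)
        if rec is None:                      # NXDOMAIN: nothing to route to
            return chain, []
        rtype, value = rec
        if rtype == "A":
            return chain, list(value)
        cur = value.lower().rstrip(".")      # CNAME: keep following
    raise ValueError("CNAME chain too long or looping: %s" % name)

def routes_via_privatelink(name, zone=ZONE, endpoint_dns=ENDPOINT_DNS, eni_ips=ENI_IPS):
    """True only if the name ends at the endpoint DNS name or resolves solely to its ENI IPs."""
    chain, ips = resolve(name, zone)
    return endpoint_dns.lower() in chain or (bool(ips) and set(ips) <= set(eni_ips))

def san_matches(san, host):
    """RFC 6125 style match: exact name, or a wildcard covering one left-most label only."""
    san, host = san.lower(), host.lower()
    if san == host:
        return True
    if san.startswith("*.") and host.count(".") >= 2:
        return host.split(".", 1)[1] == san[2:]
    return False

def server_auth_ok(host, sans):
    """Server-side authentication succeeds only if the name the caller dials is in the cert."""
    return any(san_matches(s, host) for s in sans)

def check(host, sans):
    """Both must hold: private routing AND a certificate naming the host the client uses."""
    return {"privatelink": routes_via_privatelink(host), "tls_hostname": server_auth_ok(host, sans)}
```

Dialing the endpoint-specific `vpce-*` hostname directly routes privately but fails certificate matching, which is why that hostname is only offered when your service does not use server-side authentication.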
Appian Cloud supports inbound access using a different set of configurations. This is because the nature of AWS PrivateLink is inherently unidirectional. See the Access an Appian Cloud Environment Using AWS PrivateLink documentation for more details.
Due to AWS limitations on supporting CloudHSM behind Network Load Balancers, BYOK is currently not supported over AWS PrivateLink.
RDS integrations can be made to work; however, the implementation is not straightforward. RDS is not officially supported behind a Network Load Balancer, so if you would like to connect to RDS environments over AWS PrivateLink, you will have to employ one of several workarounds to create a VPC endpoint service in your VPC. There are three common options that you may attempt:
We strongly recommend that you conduct your own tests on your test and development Appian environments prior to implementing these setups in production.
Gateway endpoints are currently not supported.
VPC endpoint policies restrict the use of an endpoint to specific resources (usually in relation to a particular AWS managed service such as API Gateway). These policies are currently not supported for use with Appian Cloud integrations.