Configuring Inbound Dual Access

This page applies to Appian Cloud only. It may not reflect the differences with Appian Government Cloud.

Overview

For customers who require that their Appian Cloud environments are accessed over a VPN tunnel and through the public internet at the same time, Appian Cloud offers the ability to configure a dual access configuration. This page outlines the steps required to set up an Appian Cloud environment with this configuration.

Appian Cloud also offers the ability to configure inbound HTTPS access only over an IPsec VPN tunnel. For more details, see Configuring Inbound Access over VPN.

Appian Cloud environments running in a high availability configuration will require additional configuration. If you set up static VPN tunnels, you need to set up the necessary network configuration on your infrastructure to forward web requests to a healthy web server. Web servers are accessible on the Appian Network interface IP addresses configured when setting up your VPN tunnel.

Step 1: Set up an IPsec VPN tunnel

Required role: Network Administrator or Authorized support contact

Configure VPN tunnel(s) from your corporate network to your Appian Cloud environment. See Appian Cloud VPN Integration for instructions.

Step 2: Set up a custom domain

Required role: Authorized support contact

Configure a custom domain for your Appian Cloud environment. See Using a Custom Domain in Appian Cloud for instructions.

Step 3: Set up name resolution

Required role: DNS/Server administrator

Update your DNS infrastructure to resolve the fully qualified domain name (FQDN) of your Appian Cloud environment to one of two values based on the source of the DNS query:

  • If the query originates over the public internet, the public load balancer domain name (using a DNS Canonical Name (CNAME) record) that Appian Support provided you with during custom domain setup.
  • If the query originates from within your corporate network, the assigned private IP address (using a DNS Address (A) record) of the VPN tunnel.
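
The following check is an added example, not part of the Appian documentation: it parses `dig +noall +answer` output captured from a public resolver and from your internal resolver and reports where either view deviates from the two rules above. The hostnames, load balancer name and tunnel address are constructed placeholders, and `parse_answers` and `check_view` are hypothetical helper names.

```python
# Added example: every name and address below is a constructed placeholder.
PUBLIC_VIEW = """\
appian.example.com.          300 IN CNAME lb-placeholder.example.net.
lb-placeholder.example.net.   60 IN A     203.0.113.10
"""
INTERNAL_VIEW = "appian.example.com. 300 IN A 10.20.30.40\n"
MISCONFIGURED_PUBLIC = "appian.example.com. 300 IN A 10.20.30.40\n"


def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.lower().rstrip(".")


def parse_answers(text):
    """Parse `dig +noall +answer` lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and not parts[0].startswith(";"):
            records.append((parts[0].lower(), parts[3].upper(), parts[4].lower()))
    return records


def check_view(text, view, fqdn, lb_name, tunnel_ip):
    """Return findings for one view; an empty list means it matches Step 3."""
    records = parse_answers(text)
    own = [(t, d) for o, t, d in records if _norm(o) == _norm(fqdn)]
    if not own:
        return [f"{view}: no answer for {fqdn}"]
    findings = []
    for rtype, rdata in own:
        if view == "public" and (rtype, _norm(rdata)) != ("CNAME", _norm(lb_name)):
            findings.append(f"public: expected CNAME {lb_name}, got {rtype} {rdata}")
        if view == "internal" and (rtype, rdata) != ("A", tunnel_ip):
            findings.append(f"internal: expected A {tunnel_ip}, got {rtype} {rdata}")
    # The tunnel address should never be visible to internet resolvers.
    if view == "public" and any(t == "A" and d == tunnel_ip for _, t, d in records):
        findings.append(f"public: tunnel address {tunnel_ip} exposed")
    return findings


if __name__ == "__main__":
    args = ("appian.example.com", "lb-placeholder.example.net", "10.20.30.40")
    for view, text in (("public", PUBLIC_VIEW), ("internal", INTERNAL_VIEW)):
        print(view, check_view(text, view, *args) or "OK")
```

An internal view that returns the public CNAME is also reported, since corporate clients would then reach the environment over the internet rather than through the tunnel.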

Step 4: Create a support case

Required role: Authorized support contact

Schedule a maintenance window for the environment by opening a new Support Case with Appian Support.

During the maintenance window, Appian Support will enable the environment to receive inbound HTTPS traffic over VPN and the public internet. Once the maintenance window has completed, the environment will be accessible through both methods.

Example Traffic Flow for HTTPS traffic over VPN

The diagram below illustrates a sample traffic flow when end users and systems access an Appian Cloud environment over the Internet and the VPN tunnel at the same time. This diagram assumes a customer-managed DNS server has been set up to resolve to a private IP address or a public CNAME based on the origin of the request. End users will access the site using its FQDN.

Traffic type and flow description:

Inbound traffic over the internet (blue steps)
  1. End users make a request to your environment running on your custom domain. Your public-facing DNS server performs a lookup which resolves to a CNAME record pointing to the public load balancer.
  2. The request is routed over the Internet and is received by the load balancer.
  3. The load balancer forwards the traffic to Appian Cloud Web Layer and then to your environment.
  4. The request is processed by the application server of your environment and returned over the same path.
Inbound traffic over VPN (red steps)
  1. End users (or systems) located in your corporate network make a request to your environment running on your custom domain. Your private DNS server performs a lookup which resolves to the private IP address accessible over the VPN tunnel.
  2. The request is routed over the VPN tunnel.
  3. The request is processed by the local web server and then by the application server. The response is sent back through the same VPN tunnel.
Outbound traffic (green steps)
  1. All traffic originating from your environment to a resource in your network is forwarded over the IPsec VPN tunnel. Resources in your network might include a business datasource or an LDAP server.
Built: Fri, Jun 24, 2022 (02:11:14 PM)
