Access an Appian Cloud Environment Using AWS PrivateLink

This page applies to Appian Cloud only. It may not reflect the differences with Appian Government Cloud.

Overview

This page documents how to configure an Appian Cloud environment to be accessed over AWS PrivateLink. For an overview of integrating with Appian Cloud using AWS PrivateLink, see AWS PrivateLink integration with Appian Cloud.

Use Cases

Enhanced Data Pipeline over PrivateLink is available to customers that are on Advanced or Enterprise Support with High Availability.

A PrivateLink integration may be used to provide the network connectivity required for the Enhanced Data Pipeline feature.

Inbound Web access over PrivateLink is available to customers that have configured a custom domain. See Using a Custom Domain in Appian Cloud for details on configuring a custom domain.

By default, Appian Cloud environments receive all inbound web traffic through the public Internet. Upon request, Appian can configure an Appian Cloud environment to require web traffic to go through a PrivateLink connection. In this configuration, the site will not be accessible over the Internet.

Alternatively, you can request that your Appian Cloud environment be configured in dual mode, in which the environment receives inbound web traffic over both the Internet and the PrivateLink connection. See Configuring Dual Inbound Access for prerequisites and details on how to set up your instances in dual mode.

Architecture

In order to integrate with AWS PrivateLink, the Appian Cloud environment is exposed as a service provider using an AWS VPC endpoint service. To use this endpoint service, you need to create an interface VPC endpoint inside your VPC to access the Appian Cloud environment.

In the diagram below, an EC2 instance in a customer VPC sends requests to the interface VPC endpoint, showing the end-to-end traffic flow.

[Figure: Architecture for accessing an Appian Cloud environment over PrivateLink]

Prerequisites

Prerequisite Step: Create AWS Principals
Description: In order to access the Appian Cloud environment, you will need to provide Appian with a list of AWS Principals that will send connection requests to the endpoint service.
Organizational Role: Customer AWS Administrator

Prerequisite Step: Create a VPC
Description: Once Appian has created a VPC endpoint service, you will be required to create resources in a VPC in the same region and availability zones as the Appian Cloud environment.
Organizational Role: Customer AWS Administrator

Prerequisite Step: Create a Support Case
Description: Open a support case with Appian Support. Include the following information:
  • Principals: The ARN-formatted AWS Principals that can access the endpoint (e.g. arn:aws:iam::123456789012:root). These are the principals created in the previous step.
  • Use Case: The purpose of the connection. At this time, only Enhanced Data Pipeline is supported.
Organizational Role: Customer Business Relationship Owner
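
The principal list can be reviewed for format and breadth before it goes into the support case. The script below is an added example, not Appian's or AWS's code; it assumes the endpoint service accepts account-root, IAM user and IAM role ARNs, and its function names and sample list are constructed for illustration.

```python
import re

# Assumption: the endpoint service accepts account-root, IAM user and IAM role ARNs.
PRINCIPAL_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):iam::(?P<account>\d{12}):"
    r"(?P<resource>root|(?:user|role)/[\w+=,.@/-]+)$"
)


def review_principal(arn):
    """Return (status, detail) for one principal; status is reject, broad or scoped."""
    arn = arn.strip()
    if arn == "*":
        return ("reject", "wildcard matches every AWS principal")
    match = PRINCIPAL_RE.match(arn)
    if match is None:
        return ("reject", "not an IAM principal ARN")
    account, resource = match["account"], match["resource"]
    if resource == "root":
        # The account root form covers every IAM identity in that account.
        return ("broad", f"all identities in account {account}")
    kind, _, name = resource.partition("/")
    return ("scoped", f"{kind} {name} in account {account}")


def review_principals(arns):
    """Review a list in order, rejecting repeats; returns [(arn, status, detail)]."""
    seen, results = set(), []
    for raw in arns:
        arn = raw.strip()
        if arn in seen:
            results.append((arn, "reject", "duplicate entry"))
            continue
        seen.add(arn)
        results.append((arn, *review_principal(arn)))
    return results


# Constructed sample list; the first entry is the example ARN from this page.
SAMPLE = [
    "arn:aws:iam::123456789012:root",
    "arn:aws:iam::123456789012:role/network/privatelink-admin",
    "arn:aws:iam::12345678901:root",   # 11-digit account id
    "arn:aws:s3:::example-bucket",     # not an IAM principal
    "*",
    "arn:aws:iam::123456789012:root",  # repeated
]

if __name__ == "__main__":
    for arn, status, detail in review_principals(SAMPLE):
        print(f"{status:7} {arn}  ({detail})")
```

Entries reported as "broad" are valid but let any identity in that account request a connection; a role or user ARN narrows that to one identity.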

Setup

Once the prerequisite steps above have been completed, Appian Support will work with you through the following configuration procedure.

Configuration Action: Create VPC endpoint service
Description: Appian will create a VPC endpoint service that can be connected to with the provided AWS Principals. Appian will share the endpoint service details with you.
Owner: Appian

Configuration Action: Configure the Appian Cloud environment
Description: Any required configurations will be applied to the affected environment.
Owner: Appian

Configuration Action: Create an interface VPC endpoint
Description: You will create an interface VPC endpoint that connects to the VPC endpoint service using the details provided by Appian.
Owner: Customer AWS Administrator

Configuration Action: Schedule a Maintenance Window for the Affected Instances
Description: Appian Support will work with you to schedule Maintenance Windows for the affected environment.
Owner: Appian

Configuration Action: Verify the integration works as expected
Description: Appian Support will work with you to ensure connectivity to the Appian Cloud environment is working as expected.
Owner: Appian / Customer Business Relationship Owner

Limitations

Single Site Support

Due to the nature of AWS PrivateLink when acting as a service provider, a single VPC endpoint service may only expose a single Appian Cloud environment. To expose multiple environments, a VPC endpoint service must be created for each.

Built: Fri, Jun 24, 2022 (02:10:55 PM)
