Free cookie consent management tool by TermsFeed Configuring Inbound Access over AWS PrivateLink [admincontent-cloud]
Configuring Inbound Access over AWS PrivateLink

This page applies to Appian Cloud only. It may not reflect the differences with Appian Government Cloud.

Overview

This page documents how to configure an Appian Cloud environment for access over AWS PrivateLink. For an overview of integrating with Appian Cloud using AWS PrivateLink, see AWS PrivateLink integration with Appian Cloud.

Use Cases

Note:  Enhanced Data Pipeline over PrivateLink is available to customers that are on Advanced or Enterprise Support with High Availability.

A PrivateLink integration may be used to provide the network connectivity required for the Enhanced Data Pipeline feature.

Note:  Inbound Web access over PrivateLink is available to customers that have configured a custom domain. See Using a Custom Domain in Appian Cloud for details on configuring a custom domain.

By default, Appian Cloud environments receive all inbound web traffic through the public Internet. Upon request, Appian can configure an Appian Cloud environment to require web traffic to go through a PrivateLink connection. In this configuration, the environment will not be accessible over the Internet.

In this configuration, additional network considerations are required to use Appian DevOps features such as Compare and Deploy Across Connected Environments. The recommended way to enable Appian DevOps features for environments with Private Access over PrivateLink is to enable Connected Environments. For more details, see Configuring Connected Environments for Private Access.

Alternatively, you can also request to configure your Appian Cloud environment in dual mode, to receive inbound web traffic over the Internet and the PrivateLink connection. See Configuring Dual Inbound Access for prerequisites and details on how to set up your environments in dual mode.

Architecture

To integrate with AWS PrivateLink, the Appian Cloud environment is exposed as a service provider using an AWS VPC endpoint service. To use this endpoint service, you need to create an interface VPC endpoint inside your VPC to access the Appian Cloud environment for each of your Appian Cloud environments.

In the diagram below, an EC2 instance in a customer VPC sends requests to the interface VPC endpoint, showing the end-to-end traffic flow.

Access an Appian Cloud environment over PrivateLink Architecture Image

Prerequisites

Prerequisite steps Description Organizational role
Create AWS principals In order to access the Appian Cloud environment, you will need to provide Appian with a list of AWS principals that will send connection requests to the endpoint service. Customer AWS Administrator
Create a VPC Once Appian has created a VPC endpoint service, you will be required to create resources in a VPC in the same region and availability zones as the Appian Cloud environment. Customer AWS Administrator
Create a support case Open a support case with Appian Support. Include the following information:
  • Principals: The ARN-formatted AWS principals that can access the endpoint (e.g. arn:aws:iam::123456789012:root). These are the principles created in the previous step.
  • Use Case: The purpose of the connection - either Enhanced Data Pipeline or Inbound Web Access.
Customer Business Relationship Owner

Setup

Once the prerequisite steps above have been completed, Appian Support will work with you through the following configuration procedure.

Configuration action Description Owner
Create VPC endpoint service Appian will create a VPC endpoint service that can be connected to with the provided AWS principals. Appian will share the endpoint service details with you. Appian
Configure the Appian Cloud environment Any required configurations will be applied to the affected environment. Appian
Create an interface VPC endpoint You will create an interface VPC endpoint that connects to the VPC endpoint service using the details provided by Appian. Customer AWS Administrator
Schedule a maintenance window for the affected environments Appian Support will work with you to schedule maintenance windows for the affected environment. Appian
Set up name resolution Update your DNS infrastructure to resolve the fully qualified domain name (FQDN) of your Appian Cloud environment to the private IP address associated with the interface VPC endpoint you created in the previous step.

Caution:  Your Appian Cloud environment will not be accessible until this step is completed. You should plan to complete this step as close to the scheduled maintenance window as possible.

Customer Network Administrator
Verify the integration works as expected Appian Support will work with you to ensure connectivity to the Appian Cloud environment is working as expected. Appian / Customer Business Relationship Owner

Configuring Inbound Access over AWS PrivateLink

FEEDBACK