Overview

For customers who require that their Appian Cloud environments are accessed over a private connection, such as VPN tunnel or PrivateLink, and through the public internet at the same time, Appian Cloud offers the ability to configure a dual access configuration. This page outlines the steps required to set up an Appian Cloud environment with this configuration.

Appian Cloud also offers the ability to configure inbound web access only over an IPsec VPN tunnel or PrivateLink connection. For more details, see Configuring Inbound Access over VPN or Access an Appian Cloud Environment Using AWS PrivateLink.

Step 1: Set up a private connection

Required role: Network Administrator or Authorized support contact

Configure one of the following:

• VPN tunnel(s) from your corporate network to your Appian Cloud environment. See Appian Cloud VPN Integration for instructions.
• Privatelink Connection from your corporate network to your Appian Cloud environment. See Configuring Inbound Access over AWS PrivateLink for instructions.

Step 2: Set up a custom domain

Required role: Authorized support contact

Configure a custom domain for your Appian Cloud Environment. See Using a Custom Domain in Appian Cloud for instructions.

Step 3: Set up name resolution

Required role: DNS/Server administrator

Update your DNS infrastructure to resolve the fully qualified domain name (FQDN) of your Appian Cloud environment to one of two values based on the source of the DNS query:

• If the query originates over the public internet, the public load balancer domain name (using a DNS Canonical Name (CNAME) record) that Appian Support provided you with during custom domain setup.
• If the query originates from within your corporate network, the assigned private IP address (using a DNS Address (A) record) of the VPN tunnel.

Step 4: Create a support case

Required role: Authorized support contact

Schedule a maintenance window for the environment by opening a new Support Case with Appian Support.

During the maintenance window, Appian Support will enable the environment to receive inbound HTTPS traffic over VPN and the public internet. Once the maintenance window has completed, the environment will be accessible through both methods.

Example traffic flow for HTTPS traffic over VPN

The diagram below illustrates a sample traffic flow when end users and systems access an Appian Cloud environment over the Internet and the VPN tunnel at the same time. This diagram assumes a customer managed DNS server has been set up to resolve to a private IP address or a public CNAME based on the origin of the request. End users will access the environment using its FQDN.

Traffic Type	Flow Description
Inbound traffic over the internet (blue steps)	End users make a request to your environment running on your custom domain. Your public-facing DNS server performs a lookup which resolves to a CNAME record pointing to Appian Cloud's public content delivery network (CDN). The request is routed over the Internet and is received by the CDN, which forwards traffic to your environment. The request is processed by the application server of your environment and returned over the same path.
Inbound traffic over VPN (red steps)	End users (or systems) located in your corporate network make a request to your environment running on your custom domain. Your private DNS server performs a lookup which resolves to the private IP address accessible over the VPN tunnel. The request is routed over to the VPN tunnel. The request is processed by the local web server and then by the application server. The response is sent back through the same VPN tunnel.
Outbound traffic (green steps)	All traffic originating from your environment to a resource in your network is forwarded over the IPsec VPN tunnel. Resources in your network might include a business datasource or an LDAP server.