Free cookie consent management tool by TermsFeed

Configuring Inbound Access Over VPN

Requires Appian Protect Essential or higher

This page applies to Appian Cloud only. It may not reflect the differences with Appian Government Cloud.

Note:  Customers who are subscribed to Basic Support cannot connect to resources in a self-managed network or in a private cloud environment.

Overview

For customers who require that only users and systems within their corporate network can access their Appian Cloud environments, Appian Cloud offers the ability to configure inbound web access only over an IPsec VPN tunnel. With this configuration, all users must first be on their corporate network before navigating to their Appian Cloud environments, as they will not be available over the public internet. This page outlines the steps required to set up an Appian Cloud environment with this configuration.

Appian Cloud also offers support for Inbound Dual Web Access, over both the public internet and a VPN. For more details, see Configuring Inbound Dual Access.

Note:  Appian Cloud environments running in a High Availability configuration will require additional configuration. If you set up static VPN tunnels, you need to set up the necessary network configuration on your infrastructure to forward web requests to a healthy web server. Web servers are accessible on the Appian Network interface IP addresses configured when setting up your VPN tunnel.

Step 1: Set up an IPsec VPN tunnel

Required role: Network Administrator or Authorized Support Contact

Configure VPN tunnel(s) from your corporate network to your Appian Cloud environment. See Appian Cloud VPN Integration for instructions.

Step 2: Set up a custom domain

Required role: Authorized support contact

Configure a custom domain for your Appian Cloud Environment. See Using a Custom Domain in Appian Cloud for instructions.

Step 3: Set up name resolution

Required role: DNS/Server administrator

Update your DNS infrastructure to resolve the fully qualified domain name (FQDN) of your Appian Cloud environment to an assigned private IP address (using a DNS Address (A) record).

Step 4: Create a support case

Required role: Authorized support contact

Schedule a maintenance window for the environment by opening a new Support Case with Appian Support.

During the maintenance window, Appian Support will enable the environment to receive inbound web traffic over the VPN. Once the maintenance window has completed, the environment will only be accessible through the VPN.

Example traffic flow for inbound traffic over VPN

The diagram below illustrates a sample traffic flow when end users and systems access an Appian Cloud environment over the VPN tunnel. This diagram assumes your DNS server contains a host record pointing to the private IP address assigned to the environment during the VPN tunnel configuration. End users will access the environment using its FQDN.

Inbound Web Access over VPN

Traffic Type Flow Description
Inbound traffic over VPN
  1. End users (or systems) on the corporate network make a request to your environment running on your custom domain.
  2. Your DNS server performs a lookup which resolves to the private IP address in the VPN tunnel.
  3. The request is directed to the VPN tunnel.
  4. The request is processed by the local web server and then by the application server. The response is sent back to the VPN tunnel.
Outbound traffic
  1. All traffic originating from your environment to a resource in your network is forwarded over the IPsec VPN tunnel. Resources in your network might include a business datasource or an LDAP server.

Compare and deploy across connected environments with VPN only access

Given that inbound access to environments will be restricted to VPN, leveraging the Compare and Deploy Across Connected Environments feature will require additional configurations, as detailed below:

Option 1 - Enable Connected Environments for Private Access

Enable Connected Environments for Private Access between your nominated environments. This is the recommended approach to enable Connected Environments when the environments are only accessed over VPN. For more details, see Configuring Connected Environments for Private Access.

Option 2 - Configuring networking infrastructure on the customer side

Requirements

  • Your DNS servers should resolve the FQDNs of all connected environments to their corresponding private IP address (Appian Network interface IP addresses).
  • VPN configurations should allow forwarding traffic from source to target environments on both sides of the tunnel.
  • You should set up proper routing on your network to allow connectivity between environments.

Example traffic flow between connected environments

Given a connected system request from a Dev environment to a Test environment in Appian Cloud, the following 3 steps occur:

  1. When attempting to connect Test to Dev, the Test FQDN resolution from the Dev environment occurs on your DNS server over the Dev VPN tunnel.
  2. The DNS query returns the IP address of the Test environment to the Dev environment over the Dev VPN tunnel.
  3. The request is sent from the Dev environment over the Dev VPN tunnel to your network, and then rerouted over the Test VPN tunnel to the Test environment.

A visual explanantion of this flow is shown below.

A Connected System Request over VPN

Feedback