This page applies to Appian Cloud only. It may not reflect the differences with Appian Government Cloud.
Note: The Dedicated Customer Virtual Private Cloud feature is available to customers that are on Enterprise Support. Appian customers must purchase Enterprise Support to use the functionality described below. The functionality described below is not included in the base Appian platform.
You can choose to have your Appian Cloud environments hosted in a dedicated Virtual Private Cloud (VPC). This feature provides additional isolation and the ability to easily integrate with your self-managed or cloud external resources. This document provides details on the architecture for our dedicated Virtual Private Cloud configuration.
If you are an Enterprise Support customer, you can choose to have all the EC2 instances that support your environments hosted in a dedicated VPC managed by us. No EC2 instances for other customers' environments are hosted within this dedicated customer VPC.
A Transit Gateway is used to establish a connection between the dedicated VPC hosting your instances and the Appian Cloud VPC where infrastructure is maintained, including load balancers, web servers, Appian Gateway servers, and email servers.
Application servers running in the dedicated VPC will have outbound Internet connectivity using the Appian gateway in the Appian Cloud VPC for any Web Services integration. You are responsible for the security and encryption configuration when integrating with systems outside Appian Cloud. If this is not required, outbound Internet traffic can be disabled and the connection between the instances in the dedicated VPC and the Appian Gateway can be removed.
The following diagram depicts a high-level overview of the architecture for Dedicated Customer VPC and its interactions with the Appian Cloud VPC.
You access the environment from your browsers or your mobile devices. All your data in transit to the Appian Web Tier is secured using industry-standard Transport Layer Security (TLS) encryption. The Appian Web Tier is behind a Load Balancing Tier which forwards the traffic to one of multiple web servers processing the user request. The Appian Web Tier is also protected using AWS security groups and only allows HTTPS traffic originating from the Load Balancing Tier.
A Transit Gateway connection is established between the Appian Cloud VPC and the dedicated VPC that hosts your EC2 instances. This allows traffic from the Web Tier in the Appian Cloud VPC to reach the application server running on your instances in the dedicated VPC. The communication between the servers is controlled using security groups. Security groups deny all traffic by default and are configured with firewall rules that allow access only from specific Appian Cloud services.
Once the request is processed by the instances in the dedicated VPC, the security group will allow the response back for the TCP session created with the Appian Web Tier. Traffic sent back to the user will be encrypted in the same fashion as it was received.
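As an added example (not Appian's own code or configuration), the following Python checks security group ingress rules, in the JSON shape returned by `aws ec2 describe-security-groups`, against the policy described above: HTTPS only, and only from the load balancing tier's security group. The group IDs and sample rules are constructed for illustration.

```python
# Added example: audit ingress rules against the "HTTPS only, from the load
# balancing tier only" policy described above. All IDs are constructed.
LB_SG = "sg-lb-example"  # hypothetical ID of the load balancing tier's group

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-web-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": LB_SG}]}]},
    {"GroupId": "sg-web-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": LB_SG}]},
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-other"}]}]},
    {"GroupId": "sg-empty", "IpPermissions": []},  # default deny-all
]}

def rule_findings(perm, allowed_sources, port=443):
    """Return reasons why one ingress permission violates the policy."""
    findings = []
    proto = perm.get("IpProtocol")
    if proto == "-1":
        findings.append("all protocols and ports allowed")
    elif proto != "tcp":
        findings.append(f"non-TCP protocol {proto}")
    elif (perm.get("FromPort"), perm.get("ToPort")) != (port, port):
        findings.append(f"port range {perm.get('FromPort')}-{perm.get('ToPort')}")
    # Any CIDR or prefix-list source bypasses the group-to-group restriction.
    for r in perm.get("IpRanges", []):
        findings.append(f"CIDR source {r['CidrIp']}")
    for r in perm.get("Ipv6Ranges", []):
        findings.append(f"CIDR source {r['CidrIpv6']}")
    for r in perm.get("PrefixListIds", []):
        findings.append(f"prefix list source {r['PrefixListId']}")
    for pair in perm.get("UserIdGroupPairs", []):
        if pair.get("GroupId") not in allowed_sources:
            findings.append(f"unexpected source group {pair.get('GroupId')}")
    return findings

def audit(doc, allowed_sources):
    """Map each group ID to its policy violations (empty list = compliant)."""
    return {g["GroupId"]: [f for p in g.get("IpPermissions", [])
                           for f in rule_findings(p, allowed_sources)]
            for g in doc["SecurityGroups"]}

if __name__ == "__main__":
    for gid, problems in audit(SAMPLE, {LB_SG}).items():
        print(gid, "OK" if not problems else problems)
```

A group with no ingress rules passes, which matches the default deny-all behaviour of security groups.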
You can extend applications running on your Appian Cloud instance by integrating with external systems, data repositories, and web services.
We will be responsible for maintaining and securing the dedicated VPC and Appian Cloud’s VPC. You will be responsible for implementing any required configuration to integrate with your self-managed or cloud external resources.
Yes, the diagram above shows the solution for a single instance environment. High Availability configuration replicates to 3 availability zones within the same geographic region, delivering load balancing among environments, with RTO and RPO as described in High Availability for Appian Cloud.
Similar to a regular migration. An archive of the entire Appian structure (engines, databases, attachments) is created and transferred via a shared AWS S3 bucket or via sFTP, and then deployed to another Appian installation. The only difference is that the archive will be transferred to the instances in the dedicated VPC.
Appian supports TLS 1.2 for end users connecting through a web browser. Data at rest is protected at the disk level using industry-standard algorithms (AES) at key lengths considered to be strong for that algorithm (256-bit).
EC2 instances running on your Dedicated VPC will use the AWS default tenancy model. For more details see the AWS documentation.
Any region supported in Appian Cloud.
A scheduled maintenance window is required to migrate an environment to this architecture. The downtime will be similar to a scheduled restart.
Yes, environments in a Dedicated VPC will have the same Appian Cloud features as regular environments. Review Cloud Exclusive Feature Support.
Yes, review Appian Cloud Integration.
No, there will be only one dedicated VPC that will be shared by your different environments.