This page applies to Appian Cloud only. It may not reflect the differences with Appian Government Cloud. |
Note: Customers who are subscribed to Basic Support cannot connect to resources in a self-managed network or in a private cloud environment.
Dynamic VPN routing allows customers to connect their production Appian Cloud environments to their resources in a secure and reliable manner. With this feature, traffic through IPSec VPN tunnels can be rerouted automatically to a secondary path as soon as a node or a connection failure is detected. Dynamic VPNs use Border Gateway Protocol (BGP) to exchange routing information and reachability between Appian Cloud and customer networks.
Dynamically-routed VPNs have several benefits, including:
When dynamic VPN routing is enabled, customers can "peer" their BGP-capable VPN device with their Appian Cloud environments. Once BGP peering is established between both sides, Appian Cloud will inform the availability of the Appian private network (or prefixes) through BGP messages within the IPSec tunnels. Similarly, customer VPN devices will advertise the private IP prefixes where the customer resources can be reached by their Appian Cloud environment.
With this feature, Appian Cloud environments are configured with a pair of Site-to-Site IPSec VPN tunnels in an Active-Passive setup. Appian Cloud provides two Appian Gateways, each with a public IP address that will be used by the customer to configure the tunnels in their VPN gateways. BGP sessions run inside both of the VPN tunnels and BGP peers are configured in their respective Autonomous Systems.
The diagram below shows an example setup of an integration with a self-managed resource through dynamic VPNs. Application server traffic originated in the Appian Cloud environment and destined to a customer’s resource is routed over the active VPN tunnel. The exact configuration depends on the architecture of each customer network.
When the primary VPN tunnel is down or the remote Customer VPN Gateway is unreachable, BGP detects the failure in the network path and recovers automatically by rerouting traffic to the second VPN tunnel.
The same setup applies for Appian Cloud environments configured with High-Availability. A pair of dynamic VPN tunnels is required to route outbound traffic originating from each application server in the Appian Cloud environment. With Appian Cloud HA, Appian Gateways are located in separate Availability Zones to recover from an outage of an Availability Zone.
Customers who wish to access their environments over VPNs can also use Dynamic VPN routing. With this configuration, customers are assigned a single HTTPS private endpoint accessible from both the active and the standby tunnel for each Appian Cloud environment regardless of its number of nodes. The HTTPS private endpoint will be part of the prefix advertised by Appian Cloud through BGP.
In the example below, the Appian Cloud environment is accessed using the custom name my-instance.acme.org. Customers configure their DNS infrastructure to resolve their custom Appian Cloud environment name to the Private HTTPS Endpoint. End user requests are routed over the active VPN tunnel and processed by the web server running on the Appian Cloud environment. The exact configuration depends on the architecture of each customer network.
If the active tunnel goes down, end users requests to the Private HTTPS endpoint will be rerouted by the Customer VPN gateway to the second tunnel. The same setup applies for Appian Cloud environments configured with High Availability.
For more information on inbound traffic over VPN, refer to Configuring Inbound Traffic over VPN and Configuring Dual Inbound Access.
The table below lists the tasks that the customer needs to perform and the typical role in your organization to be involved in this process. Roles may vary depending on your organization.
Prerequisite | Description | Role in customer organization |
---|---|---|
Ensure customer VPN device compatibility | Customer VPN device must be able to establish Border Gateway Protocol (BGP) peering and bind tunnels to logical interfaces (route-based VPN). Refer to the vendor documentation of your VPN device to ensure that it supports these capabilities. | Networking department |
Customize the Appian Cloud environment domain (Optional) | Appian Cloud environments with inbound web traffic over dynamic VPNs are required to have custom domains. This is only required when your environment is accessed over the VPN tunnel. See Request a Custom Domain. | Networking Department |
Once all prerequisites have been met, create a support case and submit the VPN Worksheet to Appian Support. To enable this feature, Appian Support will coordinate with the customer one or more Maintenance Windows if needed.
Allowed Private Network Address spaces may vary based on the region of your Appian Cloud environment(s). Typically, network spaces in the 192.* range are unrestricted, while certain subnets within the 172.16.0.0/12 and 10.0.0.0/8 ranges are restricted. Contact Appian Support to verify the restricted spaces for your specific Appian Cloud environment(s) if you would like to use subnets in these ranges. When configuring your private network space participating in the VPN tunnel, we recommend to narrow down your subnets as much as possible (see IP address range restrictions).
The Allow List of IP address ranges that are generally available for your use can be found below:
If you have configurations that include private IP addresses that fall outside Appian Cloud's allowed IP ranges, then you must implement one of the following alternatives:
When configuring what traffic should go over your VPN tunnels, use specific IP addresses with a /32 Classless Inter-Domain Routing (CIDR) notation in your VPN configurations as much as possible. Note that specifying IP address or CIDR ranges larger than a /24 is not supported. You may specify multiple /24 ranges if necessary.
The following combinations of encryption configurations are supported for your VPN tunnels.
Encryption algorithm | Authentication algorithm | DH Group |
---|---|---|
AES128-CBC | SHA2-256 or SHA2-384 or SHA2-512 | DH15 or DH16 or DH17 or DH18 or DH19 or DH20 or DH21 |
AES256-CBC | SHA2-256 or SHA2-384 or SHA2-512 | DH20 or DH21 |
AES128-GCM | N/A | DH15 or DH16 or DH17 or DH18 or DH19 or DH20 or DH21 |
AES256-GCM | N/A | DH20 or DH21 |
The supported encryption configurations are set to ensure the security of your VPN tunnels. Other encryption configurations are deprecated and will be removed in a future release.
Dynamic VPN Routing