Pegasystems Inc.
Last activity: 16 Dec 2025 6:00 EST
POST-WEBINAR Q&A: Network Configuration on Pega-as-a-Service
Thank you to everyone who joined our December 11, 2025 webinar on network configuration and the new deny-by-default policy in Pega Cloud. The session generated excellent technical questions from our community. Below you'll find the questions asked during the live session, along with answers from our expert panel: Ivan Anikanov (Technical Solutions Director), Jakub Stando (Director of Product Management), and Dara Brosseau (Director of Networking Delivery).
Watch the full webinar recording: https://community.pega.com/event/network-configuration-pega-service
Check out the blog for extra notes and links to documentation: https://community.pega.com/blog/strengthening-security-deny-default-network-configuration-pega-service
Q1: What is an "environment" in this context? A typical PROD would have a number of nodes; are they configured together or separately, one by one?
Answered by: Jakub Stando and Dara Brosseau
Answer: In Pega Cloud, an environment refers to a complete deployment instance such as Production (PROD), Development (DEV), or Staging (STAGE) that would be part of a single route to life. The concept of nodes is intentionally abstracted from the client's point of view. You don't need to configure nodes individually—when you configure inbound access for an environment, it applies to the entire environment automatically. This abstraction is a fundamental feature you should expect from Pega-as-a-Service.
Q2: When would this capability be available for us?
Answered by: Jakub Stando and Dara Brosseau
Answer: The inbound access configuration capabilities are being rolled out gradually across different flavors of Pega environments and configuration states to ensure seamless operation. You may currently see a subset of capabilities in MyPegaCloud today. If you're interested in early access to more complex capabilities like path-based allow listing, you can request to be added as an early adopter. Keep in mind that all of these capabilities are currently available for any Pega Cloud environment by requesting them through a support ticket, even if they're not yet available in self-service. Contact your Account Executive to discuss early adopter access.
Q3: What happens when source IP ranges are not stable and frequently move outside of the configured CIDR ranges? Is there any alternative mechanism that does not rely on stability of source IP?
Answered by: Jakub Stando and Dara Brosseau
Answer: Path-based allow listing is an excellent choice for scenarios where source IPs are not stable or when end users are on the open internet. With path-based allow lists, you can restrict access to specific application paths (e.g., /prweb/Claims) without requiring known source IP addresses. This allows you to expose only designated portions of your environment to public internet users while keeping other applications protected.
Another option to consider is implementing a cloud proxy or Web Application Firewall (WAF) that accepts traffic from your end users and routes it via a known source IP. Many Pega clients have adopted this type of solution, which provides rich features including the ability to inspect traffic, control it, and establish a known source IP that you can then use for allow listing.
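The two mechanisms from the answer to Q3, as an added illustration that is not from the webinar panel and is not Pega's code: a deny-by-default check that admits a request on a source CIDR match or on a public path match. The CIDR values, function names, segment-aware prefix matching and path normalization are assumptions; the page does not describe how Pega Cloud evaluates paths.

```python
import ipaddress
import posixpath

# Constructed sample policy (illustrative values, not a real Pega configuration).
ALLOWED_CIDRS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.16/28")]
PUBLIC_PATHS = ["/prweb/Claims"]  # path from the answer above; open to any source IP


def normalize(path):
    """Collapse '.', '..' and duplicate slashes before matching."""
    return posixpath.normpath("/" + path.lstrip("/"))


def path_is_public(path):
    """Segment-aware prefix match: /prweb/Claims/x matches, /prweb/ClaimsAdmin does not."""
    p = normalize(path)
    return any(p == base or p.startswith(base + "/") for base in PUBLIC_PATHS)


def source_is_allowed(ip):
    """True when the source address falls inside a configured CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CIDRS)


def decide(ip, path):
    """Deny by default; allow only on an explicit source or path match."""
    if source_is_allowed(ip):
        return "allow:source"
    if path_is_public(path):
        return "allow:path"
    return "deny"


# Constructed requests: (source IP, requested path).
SAMPLE_REQUESTS = [
    ("198.51.100.7", "/prweb/app/Internal"),      # known source range
    ("192.0.2.44", "/prweb/Claims/start"),        # unknown source, public path
    ("192.0.2.44", "/prweb/ClaimsAdmin"),         # look-alike prefix
    ("192.0.2.44", "/prweb/Claims/../Internal"),  # resolves outside the public path
    ("203.0.113.40", "/prweb/app/Internal"),      # source drifted outside the /28
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Return the decision for each (ip, path) pair, in order."""
    return [decide(ip, path) for ip, path in requests]


if __name__ == "__main__":
    for (ip, path), verdict in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"{ip:15} {path:30} {verdict}")
```

The last request shows the unstable-source case from the question: an address just outside the configured range is denied unless it targets a public path.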
Q4: We are on version 24.2. We do not see "Manage Inbound allow list" under MyPegaCloud > Action Center. Which version would this feature require?
Answered by: Jakub Stando
Answer: There is no dependency on your Pega Infinity platform version for this capability. Whether you're running version 24.2 or any earlier version, you can leverage inbound access configuration. The capability is being rolled out gradually to different environment types, so if you don't see it in MyPegaCloud yet, you have two options: request early adopter access, or submit a support ticket to implement access restrictions immediately. The rollout schedule is not tied to your platform version but rather to ensuring stability across different environment configurations.
Q5: If I need to migrate from on-premise to Pega Cloud as a single developer, do I need to do anything special for network configuration?
Answered by: Jakub Stando and Dara Brosseau
Answer: Pega has a dedicated team that helps assess the current state of your on-premise system and works with you through a phased approach. This includes writing an assessment, discussing possible migration options, and setting the entire project timeline for the cloud migration activity.
Q6: Will this capability be available in Pega Cloud for Government (PCFG) as well?
Answered by: Jakub Stando
Answer: For Pega Cloud for Government (the U.S. FedRAMP program), we don't currently have MyPegaCloud self-service available. However, the inbound access configuration capability itself is absolutely available—clients can submit a support ticket and our dedicated support team will execute the configuration. Looking ahead on our roadmap, we're exploring how to deliver MyPegaCloud in a way that meets all the requirements of the highly regulated FedRAMP program. This is a matter of time rather than capability availability.
Additional Topics Discussed
During the webinar, several other important topics were covered:
Deny-by-Default Impact on Connectivity Types: The deny-by-default policy applies to both internet-based and private connectivity. Clients with access to MyPegaCloud can configure whether they want only private connectivity access. Clients can also request to fully disable public connectivity if required by their enterprise security teams.
Outbound Connectivity: The deny-by-default policy discussed in this webinar only applies to inbound connectivity. Outbound connectivity is open by default—Pega doesn't restrict what your applications can connect to outbound. For clients requiring outbound deny-by-default, Pega Cloud offers an Advanced Networking option (not covered in this webinar).
GenAI Compatibility: The deny-by-default policy applies uniformly across the Pega platform, including GenAI capabilities. There are no special or different considerations for GenAI; clients on Pega Cloud still get GenAI features as part of the platform.
Exception Tracking: When implementing wide-open access or other exceptions to security best practices, clients can use the description field in MyPegaCloud to reference their internal ticketing system, creating an auditable trail for security changes. The audit log in MyPegaCloud tracks who executed changes and when, supporting governance across organizations with multiple teams and partners.
Trust Center Resources: For detailed information about Pega Cloud security certifications, attestations, and controls, visit the Pega Trust Center at https://www.pega.com/trust. If you have questions not answered on the website, you can open a support ticket to connect with Pega's dedicated security assessment team.
Join the Conversation
Have additional questions about network configuration on Pega-as-a-Service? Post them below and our community experts will help. If you haven't already, join the Pega-as-a-Service Expert Circle to stay informed about upcoming webinars and resources.
Coming Soon: Mark your calendars for the Pega Cloud Summit in February! Registration details are available on the Expert Circle community.