Pega Cloud services offers a robust set of networking and security controls that enable customers to leverage the power of Pega Platform™ and strategic applications as a cloud-delivered service. Your service is deployed in a dedicated virtual private cloud (VPC) that includes sandbox and production environments. A dedicated VPC ensures isolated and secure networking, and you can schedule work without affecting other customers.
Connecting to Pega Cloud
You have access to applications and integration services deployed in the VPC through a secure Internet connection. Pega Cloud supports the following connectivity methods:
- Internet only
- Internet plus private connection
- Private connection only
Internet only
This option supports secure Internet access for all user traffic, such as hosted applications and Designer Studio, as well as integration services traffic.
Internet plus private connection
This option includes secure Internet access for all user traffic, as described above, as well as the option to have the VPN connected to your private network for integration services traffic.
Private connection only
For private network connectivity, an optional site-to-site IPSec VPN connection for all traffic is also available.
Secure Internet access
All hosted application traffic is routed by default to a secure Internet gateway for HTTPS access to Pega Cloud. To ensure the highest level of perimeter security, Pega Cloud 2.1 requires the use of TLS 1.2 only for inbound HTTPS access.
IP addressing and DNS
Each customer environment has a series of Pegasystems application computing resources that support it. Each web node has a private IP address and a public IP address. Inbound traffic is disabled by default and is only enabled based on each customer’s application needs during the onboarding discovery process. Pegasystems allows all outbound traffic for each instance by default.
Data and application nodes currently do not use a static IP addressing scheme. All public IP addresses are dynamically assigned for the most secure, flexible, and scalable configuration.
Pega Cloud services relies on the DNS server in your enterprise for communication between all environments and the public Internet. Pega Cloud services does not use IP addresses directly; instead, it uses name resolution to communicate between your enterprise and your Pega applications. As long as the DNS server in your environment provides name resolution, the process of accessing remote addresses is transparent to Pega applications. Support for both IPv4 and IPv6 in Pega Cloud services is based on the capabilities of your DNS server.
Each Pega Cloud customer VPC is assigned a single public domain for public Internet access. In addition, Pega Cloud maintains a private host zone for internal communications.
Use the following naming conventions for each domain:
- Secure Internet access: <customer name>.pegacloud.io
- Private host zone: <customerID>.Internal
For remote access to customer private servers or private services through the Pega Cloud VPN, Pega Cloud can add custom DNS entries to the private host zone. To ensure secure private integration, HTTPS is recommended for REST and SOAP services. The SSL certificate for each private domain, however, must match the certificate on the customer-managed server.
For Pega Cloud integration, you can protect your network by placing IP addresses from Pega Cloud on an IP whitelist. Submit a service request for a set of static IP addresses for outbound connections between your Pega Cloud environment and endpoints in your internal network, and then add these addresses to your IP whitelist for optimal security.
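The following is an added example, not Pega's own code or tooling: it shows how a customer could keep the whitelist limited to the static outbound addresses returned for the service request and check firewall logs for integration traffic arriving from anywhere else. The addresses, log lines and log format are constructed placeholders.

```python
import ipaddress
import re

# Constructed placeholder values standing in for the static outbound addresses
# that Pega Cloud returns for a service request; replace with the real set.
PEGA_CLOUD_STATIC_EGRESS = ["203.0.113.10", "203.0.113.11"]

# Constructed sample firewall log lines (syslog-like, not a real Pega format).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw: ACCEPT src=203.0.113.10 dst=10.20.0.5 dport=443
2024-05-01T10:00:07Z fw: ACCEPT src=198.51.100.7 dst=10.20.0.5 dport=443
2024-05-01T10:00:09Z fw: ACCEPT src=203.0.113.11 dst=10.20.0.5 dport=443
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)")


def build_allowlist(addresses):
    """Return the whitelist as single-host networks (/32 or /128).

    Pega Cloud hands out individual static addresses, so a wider CIDR
    here usually means the rule was widened by hand; reject it."""
    nets = []
    for a in addresses:
        net = ipaddress.ip_network(a, strict=True)
        if net.num_addresses != 1:
            raise ValueError(f"whitelist entry {a} is a range, expected one host")
        nets.append(net)
    return nets


def unexpected_sources(log_text, allowlist, port=443):
    """Return source IPs that reached the integration port but are not on
    the whitelist. An empty list means every hit came from Pega Cloud."""
    allowed = set(allowlist)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or int(m.group("port")) != port:
            continue
        src = ipaddress.ip_network(m.group("src"))
        if src not in allowed:
            hits.append(str(src.network_address))
    return hits


if __name__ == "__main__":
    wl = build_allowlist(PEGA_CLOUD_STATIC_EGRESS)
    print("unexpected sources:", unexpected_sources(SAMPLE_LOG, wl))
```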