Configuring public access between your Pega Cloud environment and your enterprise network

Pega Cloud Services offers a range of connectivity options to manage traffic between your Pega Cloud Services environment and your enterprise network while fulfilling your network topology security requirements. Pega Cloud Services supports clients who choose to employ allow lists as a practice in their security model.

This article describes placing public internet-facing connections between your enterprise network and your Pega Cloud Services environment. For information about configuring private connections, as well as other private access services, see Configuring private access services to your Pega Cloud environments.

When implementing allow lists for public connections, refer to the section Allow-list options for public access to your Pega Cloud environment to understand the supported connectivity options, and the Adding public connection responsibility model table to understand how to fulfill those connectivity processes between you and Pega through an allow list.

Pega Cloud networking definitions

Pega Cloud Services uses precise terminology to describe the flow of network traffic between your enterprise network and your Pega Cloud Services environment from connection source to connection destination.

  • Inbound traffic: Refers to traffic entering either your enterprise network or your Pega Cloud Services environment to the destination IP address.
  • Outbound traffic: Refers to traffic leaving either your enterprise network or your Pega Cloud Services environment from the source IP address.

Allow-list options for public access to your Pega Cloud environment

Use the following methods to configure allow lists for public inbound and outbound traffic between your enterprise network and your Pega Cloud environments and block all other traffic. Enterprise networks and Pega Cloud environments can implement allow lists for both inbound traffic and outbound traffic on their respective network firewalls. Refer to the following allow list implementations for information on supported networking options between your client enterprise network and your Pega Cloud environment.

Inbound and outbound connections between a client enterprise network and a Pega Cloud environment

Client-to-Pega allow list configuration options

Outbound connection from client enterprise network; inbound connection to Pega Cloud environment

The following items describe configuration options to add Client-to-Pega connections to an allow list.

Pega-side configuration (inbound traffic)

By default, the Pega Cloud environment does not restrict inbound connections at the network level (see SFTP service inbound traffic below for an exception). To allow connectivity to your Pega Cloud environment only from specific source IP addresses or networks, Pega can apply allow lists to your Pega Cloud environments on request. For more information, see the row entitled Client provides Pega static source IP addresses for Pega to add to an allow list on the Pega Cloud environments.

Client-side configuration (outbound traffic)

Pega supports static IP addresses to your Pega Cloud Services environment. If your enterprise network security requirements include restrictions on traffic leaving your network, provide Pega with your static source IP addresses and Pega will add them to an appropriate allow list. For more information, see the row entitled Client provides Pega static source IP addresses for Pega to add to an allow list on the Pega Cloud environments.

Pega-side configuration for the SFTP service (inbound traffic)

Inbound connections to your Pega SFTP service are denied by default. To enable access, provide Pega with a list of known source IP addresses and Pega will add them to an SFTP service-specific allow list. For more information, see the row entitled Client provides Pega static source IP addresses to allow connection to the Pega Cloud SFTP Service.

Client-side configuration for the SFTP service (outbound traffic)

Pega supports static destination IP addresses for outbound traffic to your Pega SFTP service. If your enterprise network security requirements include restrictions on traffic leaving your network, you must add the IP address of your Pega SFTP service to your outbound allow list. For more information, see the row entitled Client adds the static destination IP addresses of their Pega Cloud SFTP service to an allow list.
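
Both the general inbound allow list and the SFTP service allow list depend on the source IP list that you send to Pega. The following pre-submission check is an added example, not Pega tooling. It assumes IPv4 entries, that Pega sees your public egress (NAT) addresses, and a hypothetical local policy that treats anything broader than a /24 as needing review. The page does not state Pega's own validation rules.

```python
import ipaddress

# Ranges that cannot be the source address Pega sees on a public connection.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this network"
)]
MIN_PREFIX = 24  # hypothetical policy: broader ranges defeat the point of an allow list


def check_submission(entries):
    """Return (accepted, rejected): collapsed networks and (entry, reason) pairs."""
    accepted, rejected = [], []
    for raw in entries:
        entry = raw.strip()
        try:
            # strict=True rejects CIDRs with host bits set, such as 203.0.113.7/24
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError:
            rejected.append((entry, "not a valid IPv4 address or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIX:
            rejected.append((entry, f"broader than /{MIN_PREFIX}"))
        elif any(net.overlaps(block) for block in NON_PUBLIC):
            rejected.append((entry, "not routable on the public internet"))
        else:
            accepted.append(net)
    # Merge duplicates and adjacent ranges so the request carries the shortest list.
    return list(ipaddress.collapse_addresses(accepted)), rejected


# Constructed sample input: RFC 5737 documentation addresses stand in for real egress IPs.
SAMPLE = ["203.0.113.10", "203.0.113.10/32", "198.51.100.0/25", "198.51.100.128/25",
          "10.20.30.40", "203.0.113.7/24", "0.0.0.0/0", "proxy.example.com"]

if __name__ == "__main__":
    ok, bad = check_submission(SAMPLE)
    for net in ok:
        print("submit:", net)
    for entry, reason in bad:
        print("fix   :", entry, "-", reason)
```

An internal address such as 10.20.30.40 in the request usually means the list was taken from host configuration rather than from the NAT or proxy egress that Pega actually sees.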

Pega-to-client allow list configuration options

Inbound connection to client enterprise network; outbound connection from Pega Cloud environment

The following items describe configuration options to add Pega-to-client connections to an allow list.

Pega-side configuration (outbound traffic)

Pega Cloud Services can apply network-level outbound restrictions to traffic leaving your Pega Cloud environment. Pega Cloud then restricts traffic leaving your Pega Cloud environment to client destination IP addresses. Pega provides the source IP addresses for you to place on your enterprise network allow list. For more information, see the row entitled Client adds three static source IP addresses provided by Pega for Pega Cloud environments to an allow list.

Client-side configuration (inbound traffic)

Pega Cloud Services provides three static source IP addresses shared by all your Pega Cloud environments. You must add these IP addresses on your enterprise network allow list. For more information, see the row entitled Client adds three static source IP addresses provided by Pega for Pega Cloud environments to an allow list.

Integration add-on services, such as Splunk for log streaming, also require client-side configuration of allow lists for inbound connections. For more information, see the row entitled Client provides Pega with service add-on connection information.

Adding public connections responsibility model

The process for adding public connections to an allow list relies on a shared responsibility model between you and Pega Cloud Services. To initiate any process involving adding a connection to an allow list, you must make a request with your regional Pega Support representative by using the New Request tab in My Support Portal, then follow the information in the Client responsibilities column of the table below. For the latest documentation on making requests, see My Support Portal: New Design, Streamlined Features.

Responsibility model table

| Configuration method | Connectivity | Client responsibilities | Pega responsibilities |
|---|---|---|---|
| Client provides Pega static source IP addresses for Pega Cloud Services to add to an allow list on the Pega Cloud environments | Client enterprise network to Pega Cloud environment | Make a request that includes a list of static source IP addresses for Pega Cloud Services to add to an allow list on the Pega Cloud environment. | Adds client-provided static source IP addresses on the Pega Cloud environments to an allow list. |
| Client adds three static IP addresses provided by Pega Cloud Services for Pega Cloud environments to an allow list | Pega Cloud environment to client enterprise network | Obtain static source IP addresses at time of provisioning IP addresses, and add the static source IP addresses on your enterprise network allow list. | Provisions a pool of static source IP addresses, assigns them to all environments within the Pega Cloud environment, and then sends the static source IP addresses to the client. |
| Client provides Pega Cloud Services a static source IP to allow connection to the Pega Cloud SFTP Service | Client enterprise network to Pega Cloud environment | Make a request and send Pega Cloud Services a list of static source IP addresses that are on an allow list to connect to the Pega Cloud SFTP Service. For more information, see Pega Cloud Services SFTP Service. | Adds client-provided static source IP addresses to an allow list on the Pega Cloud SFTP environment. |
| Client adds the static destination IP of their Pega Cloud SFTP service to an allow list | Client enterprise network to Pega Cloud environment | Make a request to obtain the static destination IP addresses for your Pega Cloud SFTP service and add the static destination IP addresses to your enterprise network allow list. For more information, see Pega Cloud Services SFTP Service. | Provisions an IP address, assigns the IP address to the Pega Cloud SFTP service, and then sends the static destination IP address to the client. |
| Client provides Pega with service add-on connection information | Pega Cloud environment to client enterprise network | Add add-on service static source IP addresses on your enterprise-network allow list, and then provide Pega Cloud Services the add-on service connection information. For an example add-on service, see Pega Cloud log streaming service. | Provisions a set of IP addresses assigned to the add-on service for outbound traffic. |