Pega Cloud Services networking details
Pega Cloud® maintains a robust set of networking and security controls that enables you to take advantage of the power of Pega Platform™, strategic applications, and third-party integrations delivered as a cloud-delivered service.
Connecting to Pega Cloud
You have access to applications and integration services deployed in your VPC through a secure internet connection. Pega Cloud supports the following connectivity methods:
This option supports secure internet access for all user traffic, such as hosted applications and Dev Studio, as well as integration services traffic.
For private network connectivity, several private access services for connection traffic are available.Internet plus private connection
This option includes secure internet access for all user traffic, as described above, as well as the option to have private access services to your private network for all inbound and outbound traffic.
Accessing the Pega VPC
Each client environment within the client VPC supports a series of Pegasystems application computing resources. You can connect to each application with a public IP address and a private IP address. During the client onboarding delivery process, Pega Cloud disables inbound traffic (client to Pega Cloud environment) by default and only enables inbound traffic based on your application needs. Pegasystems allows all outbound traffic (Pega Cloud environment to client) for each instance by default.
In your Pega Cloud environment, your connections originate from a pool using three static source IP addresses to connect to your enterprise network. This highly available connection system offers a secure, flexible, and scalable way to integrate with your enterprise network. All environments in your Pega Cloud environment share from this pool of static source IP addresses.
For the best experience with your Pega VPC, use an entirely public connection topology with encryption. Connections that rely on an entirely public connection topology offer the most flexibility for the following use cases:
- Integrations (such as adding additional third-party services)
- Enterprise network variations (such as scaling your enterprise network)
Other changes made from the client end after your Pega Cloud environments are integrated into your network.
For more information about adding public connections to an allow list and configuring private access to and from your Pega Cloud environment, see Configuring public access between your Pega Cloud environment and your enterprise network and Configuring private access to your Pega Cloud environment.
Pega Cloud Services does not resolve network connectivity to your Pega Cloud environments using IP addresses. Instead, Pega Cloud relies on the DNS (Domain Name System) server for the enterprise network of each client for communication between your Pega Cloud environments and the public internet. During onboarding, Pega requires you to share your DNS name resolution protocol so that Pega Cloud Services can configure your environment connectivity to use your DNS server. As long as the DNS server in your enterprise environment provides name resolution, network traffic can access your Pega applications. Depending on the capabilities of your DNS server, Pega Cloud can support both IPv4 and IPv6 protocols.
Pega Cloud Services assigns each client a single public domain for public internet access for their Pega VPC. In addition, Pega Cloud Services maintains a private host zone for internal communications.Pega Cloud Services uses the following naming convention for the public domain:
If you only want remote access to your private servers or private services through the Pega Cloud environment, Pega Cloud can add custom DNS entries to the private host zone.
Pega Cloud uses the following naming convention for the private host zone:
Pega Cloud provides the option for clients to use a customized domain, for example:
For details about creating a custom domain, see Requesting a custom domain name for applications hosted in Pega Cloud.
Pega also supports the ability to forward traffic to domains, IP addresses, or host zones that you have specified in your DNS server resolver rules.
- For inbound connections, Pega Cloud Services can resolve domains to a private host zone on your Pega Cloud environment.
- For outbound connections, Pega Cloud Services can specify domains and IP addresses that you want to forward to match a specific resolver rule. For example, if you connect to a domain that contains multiple resolver rules (
mortgage.com), Pega can forward the query to the domain with the most specific match (
To ensure secure private integration, HTTPS is recommended for REST and SOAP services. The SSL certificate for each private domain must match the certificate on the client-managed server.
- Configuring public access between your Pega Cloud environment and your enterprise network
Pega Cloud® Services offers a range of connectivity options to manage traffic between your Pega Cloud environment and your enterprise network while fulfilling your network topology security requirements. Pega Cloud Services supports clients who choose to employ allow lists as a practice in their security model.
- Configuring private access to your Pega Cloud environment
Pega Cloud® Services offers a range of connectivity options to manage traffic between your Pega Cloud environment and your enterprise network while fulfilling your network security requirements. Pega Cloud Services supports the use of several private access protocols, including hybrid topologies that use multiple secure connection types for redundant and high-availability configurations, to deliver secure connectivity between your Pega Cloud Services and external endpoints.