
Pega Cloud VPN service

You can use the Pega Cloud Virtual Private Network (VPN) service to extend your private networks to Pega Cloud, for management of proprietary data traffic, such as on-premises web services and data integrations.

Ensure that Pega Cloud Services reviews and approves your settings for any VPN used to connect to a Pega Cloud environment. Pega Cloud Services offers the Pega Cloud VPN service as a contractual feature. You violate your contract if you implement a VPN without the approval of Pega Cloud Services.

Use the following requirements and recommended optimizations to plan and set up your VPN connection for the best performance, while preventing dropped connections or other issues.

Your Pega Cloud VPN securely connects your existing network to your Pega Cloud environments through an IPSec VPN connection between the VPN gateway in your Pega Cloud environment and the VPN gateway in your enterprise network. The service currently supports a single-gateway to single-gateway configuration, also known as a single site-to-site VPN. The Pega Cloud VPN service does not support SSL VPN clients for remote user access.

The connection consists of two tunnels, one active and one passive. Your enterprise VPN gateway and the Pega VPN gateway each have two addresses assigned to this connection: an outside (public) address, between which the encrypted traffic flows, and an inside address that is associated with the tunnel interface.

Although the Pega Cloud VPN does not impose bandwidth limitations, a VPN tunnel can scale to a maximum of about 1 Gbps. Many different factors can affect actual performance, so Pegasystems does not guarantee minimum bandwidth or latency. For sustained throughput greater than 1 Gbps, consider using AWS Direct Connect for your Pega Cloud private connectivity.

Client responsibilities

  • During onboarding, you must complete a questionnaire to help Pega Cloud Services identify the most appropriate configuration settings for VPN interconnection with your Pega Cloud environment. Configure your gateway parameters using the settings that Pega Cloud Services develops for your specifications. Pega Cloud Services builds these details according to your hardware and software vendor and the individual VPN gateway configurations that you provide in the questionnaire.
  • You must provide and operate a VPN gateway that is configured with a tunnel interface associated with the IPSec tunnel. This gateway must have a static public IP address; if the address changes, the tunnel must be re-created.
  • Use the configuration file that Pega Cloud Services sends you to configure your VPN gateway. This file contains the requisite keys, IP addresses, and VPN parameters that are based on the information from the questionnaire.

Pega responsibilities

  • Pega Cloud Services creates networking artifacts for your subscription, including the requisite keys, IP addresses, and other custom VPN parameters that you require, built from the information that you provided in the questionnaire.
  • Pega Cloud Services creates and sends you a VPN configuration file with settings that are based upon the hardware that you included in the VPN interconnect form in the onboarding questionnaire.

Supported client-managed VPN gateways

Amazon Web Services (AWS) provides a list of hardware devices that are known to work for VPN connections with the AWS Virtual Private Cloud and that are supported by command-line tools for automatic generation of configuration files. Pega Cloud Services builds your configuration file to contain the information required for your vendor, but cannot account for the way you configure the third-party hardware or software that you use when you implement a network configuration. For help with configuring your client gateway for use with your AWS Virtual Private Cloud, see the Amazon Virtual Private Cloud Network Administrator Guide in the AWS documentation.

AWS VPN configuration requirements

When you initially configure the VPN gateway, your settings must comply with the AWS VPN configuration requirements. If you do not comply with these requirements, you may lose VPN connectivity during standard AWS routing maintenance or other incidents.

When you fill out the Pega Cloud Services onboarding questionnaire, plan to meet the AWS VPN networking configuration requirements described below. Use the information in the Pega Cloud Services configuration file as your reference.

For internal Classless Inter-Domain Routing (CIDR) ranges, Pega Cloud cannot guarantee that there will be no potential IP conflicts, but will make every effort to avoid them by using a non-internet-routable public IP space.

Each AWS configuration requirement is listed below with the action that you must take.

Internet Key Exchange (IKE) configuration

Set the IKE (phase 1) lifetime to 28800 seconds.

IPSec configuration

Set the IPSec (phase 2) security association lifetime to 3600 seconds.

Dual IPsec tunnel

Dual tunnels offer failover capabilities. Because single tunnels rely on a single point of failure within your network, and can lose VPN connectivity during AWS routing maintenance, the use of dual tunnels maintains industry-standard failover capabilities for your Pega Cloud VPN.

From the configuration file, use the two sets of the requisite keys, IP addresses, and VPN parameters to configure dual IPSec tunnels.

Ten-second keep-alive traffic.

AWS shuts down a tunnel after ten seconds if the tunnel has not received a keep-alive request.

Automate traffic to your Pega Cloud Services environment with a cron-driven keep-alive that runs every ten seconds and targets an internal destination in your Pega Cloud Services environment, such as the URL of the internal load balancer.

Use the scripting technique of your choice to write this automation.
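The following shell script is an added example of the keep-alive automation described above; it is not code from Pega or from this page. It assumes a Linux or BSD host on your side of the VPN with curl, cron and logger available, and the target URL is a placeholder that you replace with the internal load balancer URL from your configuration file. Because cron cannot schedule a job more often than once a minute, the script is started once per minute from cron and probes six times, ten seconds apart, inside that minute. The probe timeout is kept below the interval so that probes never overlap.

```shell
#!/bin/sh
# pega-keepalive.sh: generate keep-alive traffic across the Pega Cloud VPN
# every 10 seconds so that the tunnel is never idle long enough to be torn down.
# Added example, not Pega's code. All names and defaults below are assumptions.
#
# crontab entry (once per minute; the script loops 6 x 10 s internally):
#   * * * * * /usr/local/bin/pega-keepalive.sh

KEEPALIVE_URL="${KEEPALIVE_URL:-https://internal-lb.example.invalid/}"  # placeholder: use the internal LB URL from your config file
KEEPALIVE_INTERVAL="${KEEPALIVE_INTERVAL:-10}"   # seconds between probes (the AWS ten-second requirement)
KEEPALIVE_COUNT="${KEEPALIVE_COUNT:-6}"          # probes per cron minute: 6 x 10 s = 60 s
KEEPALIVE_TIMEOUT="${KEEPALIVE_TIMEOUT:-5}"      # per-probe timeout; must stay below the interval

# probe_once URL: returns 0 if the target answered, non-zero otherwise.
# Only the TCP handshake and HTTP exchange matter; the response body is discarded.
probe_once() {
    curl --silent --show-error --output /dev/null \
         --max-time "$KEEPALIVE_TIMEOUT" "$1" 2>/dev/null
}

# run_keepalive COUNT INTERVAL PROBE: call PROBE with the target URL COUNT
# times, sleeping INTERVAL seconds between calls. Prints the number of failed
# probes on stdout and returns non-zero if any probe failed, so a wrapper can
# alert on a tunnel that is silently dropping traffic.
run_keepalive() {
    count="$1"; interval="$2"; probe="$3"
    failures=0
    i=0
    while [ "$i" -lt "$count" ]; do
        if ! "$probe" "$KEEPALIVE_URL"; then
            failures=$((failures + 1))
            logger -t pega-keepalive "probe $((i + 1))/$count to $KEEPALIVE_URL failed" 2>/dev/null || :
        fi
        i=$((i + 1))
        # No trailing sleep after the last probe, so the job finishes inside its minute.
        [ "$i" -lt "$count" ] && sleep "$interval"
    done
    echo "$failures"
    [ "$failures" -eq 0 ]
}

main() {
    failed=$(run_keepalive "$KEEPALIVE_COUNT" "$KEEPALIVE_INTERVAL" probe_once) || true
    if [ "$failed" -gt 0 ]; then
        logger -t pega-keepalive "$failed of $KEEPALIVE_COUNT keep-alive probes failed this minute" 2>/dev/null || :
        exit 1
    fi
}

# Run only when installed under the expected name, so the functions can also be
# sourced from other tooling without starting the loop.
case "$0" in
    */pega-keepalive.sh|pega-keepalive.sh) main "$@" ;;
esac
```

Install the script as /usr/local/bin/pega-keepalive.sh, make it executable, and add the crontab entry shown in the header comment. The failure count that run_keepalive returns is what you would feed into monitoring: a minute in which every probe fails is an early sign that the tunnel is down, well before users report it.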

IPSec ESP (Encapsulating Security Payload)

ESP encapsulation inserts additional headers into every transmitted packet, which reduces the payload that fits in a packet without fragmentation. To keep packets within the tunnel MTU and avoid fragmentation of encrypted traffic, use these settings:
  • Set the TCP MSS (maximum segment size, Layer 4) adjustment to 1387 bytes
  • Enable clearing of the Don't Fragment (DF) bit
  • Set fragmentation to occur before encryption

Ten-second dead peer detection (DPD) with failure at 30 seconds.

AWS sends a dead peer detection request every ten seconds for three intervals (30 seconds total), then takes down the tunnel at the virtual private cloud end upon not receiving a response from the client network.

Enable DPD on your VPN gateway so that it responds to DPD requests from the Pega Cloud Services environment. If your gateway requires scripted automation for this, use the scripting technique of your choice.

VPN optimized configurations

After your Pega Cloud environment network meets the AWS VPN configuration requirements, Pega Cloud Services recommends the additional best practice performance and security optimizations found in the table below. These optimizations bring your VPN gateway to parity with Pega Cloud Services VPN gateway configurations to offer the best connectivity.

Each optimization is listed below with the configuration that implements it.

Optimization: Dynamic connections offer better performance and routing capabilities, and support changes in your routing configuration.
Configuration: Use dynamic Border Gateway Protocol (BGP) routing rather than a static VPN connection. Refer to the configuration file, which contains the required BGP information.

Optimization: Dynamic dual IPsec tunnels can send traffic over either tunnel, which causes packet loss when the return path from the firewall differs from the outbound path (asymmetric routing). Client-side BGP path selection pins traffic to one tunnel so that the network path is consistent.
Configuration: When configuring BGP, use path selection in the dynamic VPN configuration to avoid asymmetric routing issues.

Optimization: A route-based VPN can carry more than one pair of security associations (SAs) over your VPN tunnels, which supports multiple networks and strengthens your network security. Policy-based VPNs support only a single pair of SAs.
Configuration: Use a route-based VPN as your primary connection type, and a policy-based VPN only as your secondary connection type.

Optimization: Perfect forward secrecy (PFS) derives a fresh key for each new security association, so a compromised key does not expose traffic protected by earlier or later keys.
Configuration: Enable perfect forward secrecy in your VPN hardware and software.

Optimization: NAT Traversal (NAT-T) is needed only when a VPN gateway sits behind a network address translation device. Leaving it enabled when your gateways use public IP addresses directly can cause connection issues.
Configuration: Disable NAT Traversal (NAT-T) if you do not intend to use it.

Optimization: Outdated networking hardware and software cause avoidable issues.
Configuration: Update your hardware regularly to the latest vendor software and firmware releases.

Unsupported VPN configurations

To follow best practices with your VPN configurations, you must avoid the following unsupported configurations because of the issues that they can cause with your private site-to-site network.

Each unsupported configuration is listed below with the known potential issue and the alternative implementation.

Unsupported configuration: For policy-based VPNs, do not add more than one network.
Known potential issue: Policy-based VPNs support only a single pair of SAs in the VPN tunnel. Configuring more than one network on a policy-based VPN requires more than one pair of SAs, which causes the SAs to compete in the tunnel and leads to packet loss.
Alternative implementation: Use a route-based VPN if your vendor software or hardware supports it.

Unsupported configuration: Do not configure load balancing in a dual IPsec configuration.
Known potential issue: Dual IPSec tunnels are configured for failover, not for load balancing.
Alternative implementation: Configure dual IPsec tunnels for failover purposes only.

Unsupported configuration: Do not enable the tunnel idle timeout in your VPN software.
Known potential issue: Setting a tunnel idle timeout overrides the Pega-required setting for this parameter, which keeps the tunnel from shutting down your connection.
Alternative implementation: Keep the tunnel idle timeout off.

Unsupported configuration: Do not configure two VPNs to the same IP address.
Known potential issue: The AWS VPN public IP address supports only a single tunnel.
Alternative implementation: Configure each VPN to use a separate IP address.

Unsupported configuration: Do not use a static VPN as a backup for AWS Direct Connect.
Known potential issue: AWS Direct Connect uses a dynamic (BGP) connection; a static connection cannot properly back up a dynamic connection.
Alternative implementation: Use Direct Connect as the primary connection with a BGP VPN as the backup connection.