Configuring private access to your Pega Cloud environment

This content applies only to Cloud environments.

Pega Cloud® Services offers a range of connectivity options for managing traffic between your Pega Cloud environment and your enterprise network while meeting your network security requirements. Pega Cloud Services supports several private access services, including hybrid topologies that combine multiple secure connection types for redundancy and high availability, to provide secure connectivity between your Pega Cloud environment and external endpoints.

When implementing private connections, refer to the Connectivity options for private connections section to understand the private access services and methods that Pega supports, and to the Responsibility model table to understand how to carry out the connectivity procedures for those services and which private connections between your enterprise network and your Pega Cloud environment can be added to an allow list.

Important Pega Cloud networking definitions

Pega Cloud Services uses precise terminology to describe the flow of network traffic between your enterprise network and your Pega Cloud environment, from connection source to connection destination.

Inbound traffic: Traffic entering a network, whether your enterprise network or your Pega Cloud environment, as seen from the destination IP address.

Outbound traffic: Traffic leaving a network, whether your enterprise network or your Pega Cloud environment, as seen from the source IP address.

The same connection is therefore outbound on the side that initiates it and inbound on the side that receives it, and each side writes its allow list from its own perspective.

    Connectivity options for private connections

    Pega Cloud Services cannot guarantee the absence of IP address conflicts when using private connections in a changing client environment. Pega Cloud Services will collaborate with you to identify potential overlap in IP address ranges during initial onboarding if you choose to use private connections.

    Private access services

    Use private access services such as the Pega VPN integrated into your network, Amazon Web Services (AWS) Direct Connect, or VPC peering to another AWS VPC to build a more secure network topology:

    • The Pega VPN creates a site-to-site encrypted connection to give your enterprise network secure remote access to your Pega Cloud environment.
    • AWS Direct Connect creates a dedicated connection from your enterprise network to your Pega Cloud environment that can provide dedicated bandwidth and increase network performance.
    • VPC Peering offers a private connection between a Pega Cloud environment and another VPC deployed in AWS with which to share resources and exchange data.

    See the Client Responsibilities column of the Responsibility model table for the methods of configuring each private access service.

    Allow-list options for private access to your Pega Cloud environment

    After enabling private access services, a client can place inbound and outbound connections through that service on an allow list. Enterprise networks and Pega Cloud environments can implement allow lists for both private inbound traffic and private outbound traffic on their respective network firewalls. To ensure that you match your security requirements, refer to the following allow list implementations for information on supported networking options between your client enterprise network and your Pega Cloud environment.

    [Figure: Inbound and outbound connections between a client enterprise network and a Pega Cloud environment]

    Client-to-Pega allow list configuration options 

    The following items describe potential options for adding Client-to-Pega private connections to an allow list.

    By default, Pega only enables public-facing URLs for Pega applications. File a service request if you want your Pega application URLs to be accessible over your private connection endpoints. For more information, see the row entitled Client requests to enable private connection endpoints for their application.

    [Figure: Client-to-Pega connections: outbound from the client enterprise network, inbound to the Pega Cloud environment]

    Pega-side configuration (inbound traffic)

    By default, the Pega Cloud environment does not restrict the source addresses that can reach your private connection endpoints: any host that can route traffic over the private connection can reach them. If you want to allow private connectivity only from specific private IP addresses, Pega Cloud Services can, on request, apply an allow list of those source addresses to your Pega Cloud environments. For more information, see the row entitled Client provides Pega private source IPs for Pega to add to an allow list on the Pega Cloud environment.

    Client-side configuration (outbound traffic)

    The Pega Cloud environment does not provide static private destination IP addresses for your private outbound traffic. Instead, Pega provides three private IP address ranges for each of your Pega Cloud environments, and you can place these ranges on an allow list on your enterprise network as the permitted destinations for private connectivity. For more information, see the row entitled Client adds three private IP ranges provided by Pega for their Pega Cloud environments to an allow list.

    Pega-to-client allow list configuration options

    The following items describe potential allow list configurations for adding private Pega-to-client connections to an allow list.

    [Figure: Pega-to-client connections: outbound from the Pega Cloud environment, inbound to the client enterprise network]

    Pega-side configuration (outbound traffic)

    Pega Cloud Services does not restrict private outbound traffic leaving the Pega Cloud environment.

    Client-side configuration (inbound traffic)

    Pega Cloud Services provides three private IP address ranges for each of your Pega Cloud environments. You can place these ranges on an allow list on your enterprise network as the permitted sources for private connectivity. For more information, see the row entitled Client adds three private IP ranges provided by Pega for their Pega Cloud environments to an allow list.
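As an added example that is not part of this page or of Pega's tooling, the checks an enterprise network engineer runs around the exchanges described in Connectivity options for private connections and in the two allow-list sections above: detecting overlap between the enterprise address space and the three private ranges Pega provisions for an environment, generating the enterprise-side allow-list entries for those ranges in each direction, and sanity-checking the private source prefixes you would hand back to Pega for the Pega-side allow list. All prefixes, the function names and the rule format are assumptions made for illustration; the real ranges come from your support request.

```python
"""Added example (not Pega's code): pre-onboarding CIDR overlap check and
enterprise-side allow-list construction for the private ranges of a Pega Cloud
environment. Every prefix below is a constructed placeholder."""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Constructed placeholders standing in for the three private ranges Pega
# provisions per environment; the real values arrive via a support request.
PEGA_ENV_RANGES: List[Net] = [
    Net("10.200.0.0/22"),
    Net("10.200.4.0/22"),
    Net("10.200.8.0/22"),
]

# Constructed placeholders for address space already routed on the enterprise
# side. 10.200.6.0/24 deliberately collides with the second Pega range.
ENTERPRISE_RANGES: List[Net] = [
    Net("10.0.0.0/12"),
    Net("10.200.6.0/24"),
    Net("192.168.0.0/16"),
]

RFC1918: List[Net] = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]


def find_overlaps(enterprise: List[Net], pega: List[Net]) -> List[Tuple[Net, Net]]:
    """Return every (enterprise prefix, Pega prefix) pair whose address ranges
    intersect. A non-empty result means routes for that prefix would be
    ambiguous once the private link is up, so it must be renumbered or NATed
    before the VPN, Direct Connect or peering session is built."""
    return [(e, p) for e in enterprise for p in pega if e.overlaps(p)]


def allow_list_rules(pega: List[Net], direction: str, dport: int) -> List[Dict[str, str]]:
    """Build one enterprise-firewall allow entry per Pega range.

    'inbound'  = Pega-to-client traffic: the Pega ranges are the source.
    'outbound' = client-to-Pega traffic: the Pega ranges are the destination.
    Ranges are kept exactly as provided so the rule set can be audited against
    the support ticket that delivered them (hypothetical rule format)."""
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"direction must be 'inbound' or 'outbound', got {direction!r}")
    rules: List[Dict[str, str]] = []
    for net in pega:
        src, dst = (str(net), "any") if direction == "inbound" else ("any", str(net))
        rules.append({"action": "allow", "src": src, "dst": dst, "dport": str(dport)})
    return rules


def is_allowed(addr: str, pega: List[Net]) -> bool:
    """Emulate a source-IP allow-list match: True only if addr lies inside one
    of the provisioned ranges. Anything outside them, including other RFC 1918
    space reachable over the same link, is denied."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in pega)


def validate_client_sources(sources: List[str], pega: List[Net]) -> List[str]:
    """Sanity-check the private source prefixes you would hand to Pega for the
    Pega-side allow list: each must be RFC 1918 space and must not collide
    with the environment's own ranges. Returns a list of problems (empty = ok)."""
    problems: List[str] = []
    for s in sources:
        net = Net(s, strict=False)
        if not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{s}: not an RFC 1918 range")
        if any(net.overlaps(p) for p in pega):
            problems.append(f"{s}: overlaps a Pega-provided range")
    return problems


if __name__ == "__main__":
    for e, p in find_overlaps(ENTERPRISE_RANGES, PEGA_ENV_RANGES):
        print(f"CONFLICT: enterprise {e} overlaps Pega {p}")
    for rule in allow_list_rules(PEGA_ENV_RANGES, "outbound", 443):
        print(rule)
    print(validate_client_sources(["10.50.0.0/16", "203.0.113.0/24"], PEGA_ENV_RANGES))
```

Run the overlap check before the support request that exchanges ranges (any CONFLICT line means renumbering or NAT before the link is built), and run the match check again once the rules land on the firewall, to confirm that nothing wider than the three provisioned ranges was allowed.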

    Responsibility model

    The process for adding private connections to an allow list and configuring private access services relies on a shared responsibility model between you and Pega Cloud Services. To initiate any process involving adding a connection to an allow list, clients must make the request with their regional Pega Support representative by using the Support Requests tab in My Support Portal, then follow the information in the Client Responsibilities column in the following table. 

    If you require additional means of privately connecting to your Pega Cloud environment, contact your regional Pega Support representative. 

    Responsibility model table

    Configuration method: Private connection through the Pega VPN service
    Connectivity: Pega Cloud environment to client, and client to Pega Cloud environment
    Client responsibilities: Configure your enterprise VPN and provide the requisite information to Pega. For more information, see Pega Cloud VPN service.
    Pega responsibilities: Provides a form to configure the Pega VPN service.

    Configuration method: VPC Peering
    Connectivity: Pega Cloud environment to an Amazon VPC
    Client responsibilities: Make a request to obtain the information required for a VPC peering connection to another Amazon VPC. For more information, see Requesting a virtual private cloud (VPC) peering connection.
    Pega responsibilities: Provides the client with the information required to create a VPC peering connection with another Amazon VPC.

    Configuration method: AWS Direct Connect
    Connectivity: Pega Cloud environment to client, and client to Pega Cloud environment
    Client responsibilities: Configure AWS Direct Connect with your Pega Cloud environment. For more information, see Configuring Amazon Web Services (AWS) Direct Connect in your Pega Cloud Services virtual private cloud.
    Pega responsibilities: Authenticates the Amazon Direct Connect connection from the Pega Cloud environment.

    Configuration method: Client requests to enable private connection endpoints for their application
    Connectivity: Client to Pega Cloud environment
    Client responsibilities: Make a request for Pega to enable private endpoints for your applications.
    Pega responsibilities: Enables internal connections for the private connection endpoints.

    Configuration method: Client adds three private IP ranges provided by Pega for their Pega Cloud environments to an allow list
    Connectivity: Pega Cloud environment to client, and client to Pega Cloud environment
    Client responsibilities: Make a request to obtain the three private IP ranges, and add these static IP address ranges to your enterprise network allow list.
    Pega responsibilities: Provisions private IP ranges for each Pega Cloud environment, and then sends the ranges to the client.

    Configuration method: Client provides Pega private source IPs for Pega to add to an allow list on the Pega Cloud environment
    Connectivity: Client to Pega Cloud environment
    Client responsibilities: Make a request that includes the list of private source IPs for Pega to add to an allow list on the Pega Cloud environment.
    Pega responsibilities: Adds the client-provided private source IPs to an allow list on the Pega Cloud environments.