Configuring public access between your Pega Cloud environment and your enterprise network

This content applies only to Cloud environments.

Pega Cloud® Services offers a range of connectivity options to manage traffic between your Pega Cloud environment and your enterprise network while fulfilling your network topology security requirements. Pega Cloud Services supports clients who choose to employ allow lists as a practice in their security model.

This article describes placing public internet-facing connections between your enterprise network and your Pega Cloud environment. For information about configuring private connections, as well as other private access services, see Configuring private access services to your Pega Cloud environments.

When implementing allow lists for public connections, refer to the section Allow-list options for public access to your Pega Cloud environment to understand the supported connectivity options, and to the Responsibility model table to understand how you and Pega each fulfill those connectivity processes through an allow list.

Pega Cloud networking definitions

Pega Cloud Services uses precise terminology to describe the flow of network traffic between your enterprise network and your Pega Cloud environment from connection source to connection destination. 

Inbound traffic: Refers to traffic entering either your enterprise network or your Pega Cloud environment to the destination IP address.

Outbound traffic: Refers to traffic leaving either your enterprise network or your Pega Cloud environment from the source IP address.

    Allow-list options for public access to your Pega Cloud environment 

    The following methods are used to configure allow lists for public inbound and outbound traffic between your enterprise network and your Pega Cloud environments. Enterprise networks and Pega Cloud environments can implement allow lists for both inbound traffic and outbound traffic on their respective network firewalls. To ensure that you meet your security requirements, refer to the following allow list implementations for information on supported networking options between your client enterprise network and your Pega Cloud environment.

    [Figure: Inbound and outbound connections between a client enterprise network and a Pega Cloud environment]

    Client-to-Pega allow list configuration options

    [Figure: Client-to-Pega connections. Outbound connection from client enterprise network; inbound connection to Pega Cloud environment]

    The following items describe potential options for adding Client-to-Pega connections to an allow list.

    Pega-side configuration (inbound traffic)

    By default, the Pega Cloud environment does not restrict inbound connections at the network level (see SFTP service inbound traffic below for an exception).  If you want to allow connectivity to your Pega Cloud environment only from specific source IP addresses or networks, Pega can apply allow lists to your Pega Cloud environments on request. For more information, see the row entitled Client provides Pega static source IP addresses for Pega to add to an allow list on the Pega Cloud environments.

    Client-side configuration (outbound traffic)

    The Pega Cloud environment does not support static destination IP addresses for outbound traffic (see SFTP service outbound traffic below for an exception). If your enterprise network security requirements include restrictions on traffic leaving your network, Pega Cloud Services recommends filtering based on the DNS names of your Pega Cloud environments. For more information, see Pega Cloud Services networking.
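Because the environment has no static destination IP addresses, an egress filter has to match on host names. The sketch below is an added example, not Pega code: it checks destinations from a constructed proxy log against a DNS-name allow list, matching on label boundaries and failing closed on IP literals. The host names under `pega.example` and the log format are placeholders, not real Pega Cloud values.

```python
import ipaddress

# Added example: DNS-name egress allow list. Host names are constructed
# placeholders; use the DNS names of your own Pega Cloud environments.
ALLOWED_NAMES = {
    "acme-prod.pega.example",     # exact host
    "*.acme-dev.pega.example",    # any host below this name
}

# Constructed proxy log: "<time> <client-ip> CONNECT <host>:<port>"
SAMPLE_LOG = """\
09:00:01 10.1.4.20 CONNECT acme-prod.pega.example:443
09:00:02 10.1.4.21 CONNECT APP1.acme-dev.pega.example.:443
09:00:03 10.1.4.22 CONNECT notacme-dev.pega.example:443
09:00:04 10.1.4.23 CONNECT acme-prod.pega.example.other.example:443
09:00:05 10.1.4.24 CONNECT 203.0.113.10:443
"""


def is_allowed(host, allowed=ALLOWED_NAMES):
    """Return True only if host matches an allow-list rule on a label boundary."""
    try:
        name = host.strip().rstrip(".").lower().encode("idna").decode("ascii")
    except UnicodeError:
        return False                  # malformed name: fail closed
    try:
        ipaddress.ip_address(name)
        return False                  # IP literal sidesteps a name-based policy
    except ValueError:
        pass
    for rule in allowed:
        if rule.startswith("*."):
            if name.endswith(rule[1:]):   # rule[1:] keeps the leading dot
                return True
        elif name == rule:
            return True
    return False


def denied_destinations(log_text):
    """Return the hosts in the log that the allow list would block."""
    denied = []
    for line in log_text.splitlines():
        host = line.split()[3].rsplit(":", 1)[0]
        if not is_allowed(host):
            denied.append(host)
    return denied


if __name__ == "__main__":
    print(denied_destinations(SAMPLE_LOG))
```
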

    Pega-side configuration for the SFTP service (inbound traffic)

    Inbound connections to your Pega SFTP service are denied by default. To enable access, you can provide Pega with a list of known source IP addresses. For more information, see the row entitled Client provides Pega static source IP addresses to allow connection to the Pega Cloud SFTP Service.

    Client-side configuration for the SFTP service (outbound traffic)

    Pega supports static destination IP addresses for outbound traffic to your Pega SFTP service.  If your enterprise network security requirements include restrictions on traffic leaving your network, you can add the IP address of your Pega SFTP service to your outbound allow list. For more information, see the row entitled Client adds the static destination IP addresses of their Pega Cloud SFTP service to an allow list.
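Both inbound options above (the environment allow list and the SFTP service allow list) start with a list of static source IP addresses that you send to Pega. The following added example, which is not Pega tooling, reviews such a list before submission: it rejects malformed entries, addresses that cannot appear as a source on a public internet path, and overly broad ranges, then merges duplicates. It handles IPv4 only; `MIN_PREFIX` is an assumed local policy and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Added example: pre-submission review of a source-IP list for an allow-list
# request. IPv4 only; MIN_PREFIX is an assumed local policy, not a Pega rule.
MIN_PREFIX = 28

# Ranges that never appear as a source address on a public internet path.
NOT_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                     # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",        # loopback, link-local
)]

# Constructed sample input; documentation ranges stand in for real egress IPs.
CANDIDATES = ["198.51.100.7", "198.51.100.7/32", "10.20.0.0/16",
              "203.0.113.0/24", "203.0.113.16/28", "203.0.113.17/28",
              "192.0.2.300"]


def review(candidates, min_prefix=MIN_PREFIX):
    """Return (merged list to submit, {rejected entry: reason})."""
    accepted, rejected = [], {}
    for entry in candidates:
        try:
            # Strict parsing: an entry with host bits set is an error.
            net = ipaddress.IPv4Network(entry.strip())
        except ValueError as exc:
            rejected[entry] = f"invalid: {exc}"
            continue
        if any(net.overlaps(block) for block in NOT_PUBLIC):
            rejected[entry] = "not public: submit the NAT or egress address"
        elif net.prefixlen < min_prefix:
            rejected[entry] = f"broader than /{min_prefix}"
        else:
            accepted.append(net)
    # Collapse duplicates and adjacent ranges into the shortest equivalent list.
    merged = [str(n) for n in ipaddress.collapse_addresses(accepted)]
    return merged, rejected


if __name__ == "__main__":
    to_submit, problems = review(CANDIDATES)
    print(to_submit)
    for entry, reason in problems.items():
        print(f"{entry}: {reason}")
```
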

    Pega-to-client allow list configuration options

    The following items describe potential configuration options for adding Pega-to-client connections to an allow list.

    [Figure: Pega-to-client connections. Inbound connection to client enterprise network; outbound connection from Pega Cloud environment]

    Pega-side configuration (outbound traffic)

    Pega Cloud Services does not apply network-level restrictions to traffic leaving your Pega Cloud environment.

    Client-side configuration (inbound traffic)

    Pega Cloud Services provides three static source IP addresses shared by all your Pega Cloud environments. You can place these IP addresses on an allow list on your enterprise network. For more information, see the row entitled Client adds three static source IP addresses provided by Pega for Pega Cloud environments to an allow list.

    Integration add-on services, such as Splunk for log streaming, also require client-side configuration of allow lists for inbound connections. For more information, see the row entitled Client provides Pega with service add-on connection information.

    Responsibility model

    The process for adding public connections to an allow list relies on a shared responsibility model between you and Pega Cloud Services. To initiate any process involving adding a connection to an allow list, clients must make a request with their regional Pega Support representative by using the Support Requests tab in My Support Portal, then follow the information in the Client Responsibilities column of the table below.

    Responsibility model table

    | Configuration method | Connectivity | Client responsibilities | Pega responsibilities |
    | --- | --- | --- | --- |
    | Client provides Pega static source IP addresses for Pega Cloud Services to add to an allow list on the Pega Cloud environments | Client enterprise network to Pega Cloud environment | Make a request that includes a list of static source IP addresses for Pega Cloud Services to add to an allow list on the Pega Cloud environment. | Adds client-provided static source IP addresses on the Pega Cloud environments to an allow list. |
    | Client adds three static IP addresses provided by Pega Cloud Services for Pega Cloud environments to an allow list | Pega Cloud environment to client enterprise network | Obtain the static source IP addresses at the time the IP addresses are provisioned, and add the static source IP addresses to your enterprise network allow list. | Provisions a pool of static source IP addresses, assigns them to all environments within the Pega Cloud environment, and then sends the static source IP addresses to the client. |
    | Client provides Pega Cloud Services a static source IP to allow connection to the Pega Cloud SFTP Service | Client enterprise network to Pega Cloud environment | Make a request and send Pega Cloud Services a list of static source IP addresses to place on an allow list for connecting to the Pega Cloud SFTP Service. For more information, see Pega Cloud Services SFTP Service. | Adds client-provided static source IP addresses to an allow list on the Pega Cloud SFTP environment. |
    | Client adds the static destination IP of their Pega Cloud SFTP service to an allow list | Client enterprise network to Pega Cloud environment | Make a request to obtain the static destination IP address of your Pega Cloud SFTP service, and add the static destination IP address to your enterprise network allow list. For more information, see Pega Cloud Services SFTP Service. | Provisions an IP address, assigns the IP address to the Pega Cloud SFTP service, and then sends the static destination IP address to the client. |
    | Client provides Pega with service add-on connection information | Pega Cloud environment to client enterprise network | Add the add-on service static source IP addresses to your enterprise network allow list, and then provide Pega Cloud Services with the add-on service connection information. For an example add-on service, see Pega Cloud log streaming service. | Provisions a set of IP addresses assigned to the add-on service for outbound traffic. |