You have the option of using the Pega Cloud Virtual Private Network (VPN) service to extend your private networks to Pega Cloud for carrying proprietary data traffic, such as calls to on-premises web services or data integration. The Pega Cloud VPN securely connects your existing network to Pega Cloud through an IPSec VPN connection between the Pega Cloud virtual private gateway and the customer-managed gateway. The service currently supports a single-gateway to single-gateway configuration, also known as a single site-to-site VPN. SSL VPN clients for remote user access are not supported.
The connection consists of two tunnels, one active and one passive. Your organization's VPN gateway and the Pega Cloud VPN gateway each have two addresses assigned to this connection: an outside address, through which the encrypted traffic is exchanged, and an inside address, which is associated with the tunnel interface.
While the Pega Cloud VPN does not impose artificial bandwidth limitations, the maximum bandwidth to which a VPN can scale is 1Gbps per tunnel, and actual performance is affected by many factors, such as packet size, path latency and the capacity of your gateway. For this reason, Pegasystems does not guarantee minimum bandwidth or latency. For sustained throughput higher than 1Gbps, consider using AWS Direct Connect for your Pega Cloud private connectivity.
- During onboarding, you must complete a questionnaire that helps Pega Cloud Operations identify the correct private IP range and configuration settings for the VPN interconnection with Pega Cloud. Pega Cloud cannot guarantee that there will be no IP conflicts with your internal Classless Inter-Domain Routing (CIDR) ranges, but makes every effort to avoid them. The CIDR ranges that are actually implemented are determined from the customer VPN interconnection questionnaire at the time of onboarding.
- You must provide and operate a VPN gateway that is configured with a tunnel interface associated with the IPSec tunnel. This VPN gateway must have a static public IP address; if that address changes, the tunnel has to be re-created.
Supported customer-managed VPN gateways
Amazon Web Services (AWS) provides a list of hardware devices that are known to work for VPN connections with the AWS Virtual Private Cloud and that are supported by command-line tools for automatic generation of configuration files.
For help with configuring your customer gateway for use with your AWS Virtual Private Cloud, see the Amazon Virtual Private Cloud Network Administrator Guide.
The customer VPN gateway initiates the connection. Depending on how the customer VPN gateway is configured, it might tear down the VPN connection after a period of network inactivity between the private network and Pega Cloud. Pegasystems recommends using native VPN gateway features such as Dead Peer Detection (DPD), which exchanges periodic liveness messages with the peer, to prevent the gateway from terminating an inactive tunnel.
If such a feature is not available or cannot be implemented on the customer VPN gateway, a TCP-based keep-alive script (for example, a TCP ping) is required that routinely initiates outbound TCP traffic to Pega Cloud to keep the connection active.
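The following is an added example of such a keep-alive script; it is not part of the Pega Cloud documentation or of any Pega-provided tooling. It completes a TCP handshake against a service on the Pega Cloud side of the tunnel at a fixed interval, which is enough to count as outbound traffic, and stops after a run of consecutive failures so that a dead tunnel is noticed rather than silently retried forever. The target address and port (a Pega Cloud inside address on port 443) are assumptions; replace them with a TCP service that is reachable through your tunnel. The dry run probes a local listener so the script can be exercised offline.

```python
import socket
import time

# Assumed values: an inside address in Pega Cloud that is reachable only
# through the VPN tunnel, and a TCP service listening on it (HTTPS here).
# Neither is taken from the Pega documentation; adjust for your environment.
PEGA_CLOUD_HOST = "10.0.0.10"
PEGA_CLOUD_PORT = 443

# Probe more often than the gateway's idle timeout; 30 s leaves a wide margin
# for the typical gateway idle timers measured in minutes.
PROBE_INTERVAL_SECONDS = 30.0


def tcp_probe(host, port, timeout=3.0):
    """Complete one TCP handshake with host:port and close the socket.

    Returns True when the handshake succeeds and False on refusal, reset or
    timeout. No application data is sent; the SYN/SYN-ACK/ACK exchange already
    crosses the tunnel as outbound traffic.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def keepalive_loop(host, port, interval=PROBE_INTERVAL_SECONDS,
                   probes=None, max_failures=3, sleep=time.sleep):
    """Probe host:port every `interval` seconds.

    Stops after `probes` probes (None means run until stopped) or as soon as
    `max_failures` consecutive probes fail, which usually means the tunnel is
    down and the gateway needs attention. Returns (successes, failures).
    """
    successes = failures = consecutive_failures = 0
    count = 0
    while probes is None or count < probes:
        count += 1
        if tcp_probe(host, port):
            successes += 1
            consecutive_failures = 0
        else:
            failures += 1
            consecutive_failures += 1
            if consecutive_failures >= max_failures:
                break
        if probes is None or count < probes:
            sleep(interval)
    return successes, failures


def local_listener():
    """Open a listening socket on an ephemeral loopback port (for offline tests)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(16)
    return listener


def dry_run():
    """Offline self-check: probe a live local listener, then the same port closed.

    A listening socket completes the handshake without ever calling accept(),
    so the first probe succeeds; after the listener is closed the kernel
    refuses the connection and the second probe fails. Returns (True, False).
    """
    listener = local_listener()
    port = listener.getsockname()[1]
    up = tcp_probe("127.0.0.1", port)
    listener.close()
    down = tcp_probe("127.0.0.1", port)
    return up, down


if __name__ == "__main__":
    print("dry run (expect (True, False)):", dry_run())
    # Real keep-alive against the tunnel; runs until max_failures is hit.
    print("keep-alive stopped:", keepalive_loop(PEGA_CLOUD_HOST, PEGA_CLOUD_PORT))
```

Run it from a host on your side of the tunnel under a supervisor (systemd, cron with a lock, or similar) so that it restarts after it stops on failures, and alert on the stop rather than just restarting silently: three consecutive refused or timed-out handshakes to a host that is only reachable through the tunnel is a useful signal that the tunnel itself is down.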
The following configuration settings are recommended for each tunnel on the customer VPN gateway.
Internet Key Exchange (IKE) configuration
- Lifetime: 28800 seconds
IPSec configuration
- Lifetime: 3600 seconds
IPSec Dead Peer Detection (DPD)
Enabled on the Pega Cloud endpoint. Recommended customer configuration:
- DPD interval: 10 seconds
- DPD retries: 3
IPSec ESP (Encapsulating Security Payload)
ESP encapsulation adds header and trailer overhead to every packet it carries, so packets that are close to the path MTU before encryption would exceed it after encryption and have to be fragmented. To keep encrypted packets within the MTU and avoid fragmentation problems, use these settings:
- TCP MSS adjustment: 1387 bytes (Maximum Segment Size, Layer 4)
- Clear Don't Fragment bit: enabled
- Fragmentation: before encryption
Multisite VPN failover
Pega Cloud supports multiple VPN connections from your virtual private cloud (VPC) to separate customer sites, which provides network failover in the event of a disruption. In this configuration, you build two VPN connections from two separate locations to your VPC. Each connection has a unique public IP address at the customer location endpoint. Configure Border Gateway Protocol (BGP) or your own public DNS records to determine which connection is primary and which is secondary.
If the primary connection becomes unavailable, network traffic is routed to the secondary connection automatically, according to how you configured your BGP or DNS settings.
Pega Cloud also supports a manually maintained DNS entry for internal DNS records that cannot be propagated to the Internet. To update this record, submit a standard service request.
VPN for AWS Direct Connect failover
You can use a VPN connection for AWS Direct Connect failover. For more information, see Configuring Amazon Web Services (AWS) Direct Connect in your Pega Cloud virtual private cloud.