
Securing the Connection: Highlights from the Pega Cloud Network Configuration Session

Ivan Anikanov, 5 minute read

At Pega Cloud Summit 2026: From Blueprint to Go-Live, one of the sessions on Day 2 took a deep and practical look at Pega Cloud network connectivity — a topic that sits at the heart of every successful cloud deployment. The Pega Cloud Network Configuration session brought together networking experts to explore how organisations can move beyond the public internet to build more secure, resilient, and scalable cloud environments.

The session was hosted by Ivan Anikanov (Technical Solutions Director, EMEA Consulting), joined by Dara Brosseau (Networking Director, Cloud Delivery) and Jakub Stando (Product Manager, Network and Infrastructure). Together, they unpacked a range of connectivity options, security best practices, and upcoming roadmap features — giving clients and partners a clear view of what's possible today and what's coming next.

You can watch the recording via the Pega Cloud Summit 2026 event page.

Key Highlights

Deny by Default — A New Security Posture for Pega Cloud 3

One of the most important messages from this session: public inbound internet access is now blocked by default for all new Pega Cloud 3 environments. This "deny-by-default" policy represents a significant step forward in cloud security, requiring clients to explicitly whitelist source networks. Notably, this policy also applies to cloned environments — new clones default to the same deny-by-default stance and must be explicitly configured to match the source environment's access settings.

Pega Cloud Secure Connect — Beyond the Public Internet

The session introduced Pega Cloud Secure Connect, a suite of private connectivity options that bypass the public internet entirely. These include:

  • AWS PrivateLink and GCP Private Service Connect for private, isolated connections
  • AWS Direct Connect and GCP Google Peering for peering with enhanced reliability

For organisations handling mission-critical or highly sensitive workloads, these options offer a more controlled and auditable path to Pega Cloud.

CIDR-Based vs. Path-Based Access Control

Attendees learned about two complementary approaches to access control:

  • CIDR-based control restricts access by IP range — ideal for locked-down enterprise environments
  • Path-based control restricts access to specific application paths — useful when some degree of public internet access is unavoidable
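As an added illustration (not code from the session and not Pega's implementation or configuration format), the Python example below models how the two controls can sit on top of a deny-by-default baseline. It assumes one possible combining rule: allowlisted CIDRs reach every path, any other source reaches only the listed public paths. The `AccessPolicy` class, addresses and paths are constructed for the example.

```python
import ipaddress
import posixpath
from dataclasses import dataclass, field


@dataclass
class AccessPolicy:
    """Hypothetical model; both lists start empty, so a new or cloned
    environment denies every request until entries are added."""
    allowed_cidrs: list = field(default_factory=list)
    public_paths: list = field(default_factory=list)

    def decide(self, source_ip: str, path: str) -> str:
        ip = ipaddress.ip_address(source_ip)
        # CIDR-based control: the source must fall inside an allowlisted range.
        for cidr in self.allowed_cidrs:
            if ip in ipaddress.ip_network(cidr):
                return "allow:cidr"
        # Path-based control: normalise first so "/public/../admin" cannot
        # pass as "/public". URL decoding is assumed to happen upstream.
        clean = posixpath.normpath("/" + path.lstrip("/"))
        for prefix in self.public_paths:
            base = prefix.rstrip("/")
            # Match whole path segments, so "/form" does not cover "/formx".
            if clean == base or clean.startswith(base + "/"):
                return "allow:path"
        return "deny"

    def missing_from(self, source: "AccessPolicy") -> dict:
        """Entries present on the source environment but absent here."""
        return {
            "cidrs": sorted(set(source.allowed_cidrs) - set(self.allowed_cidrs)),
            "paths": sorted(set(source.public_paths) - set(self.public_paths)),
        }


# Constructed sample data (documentation address ranges, made-up paths).
prod = AccessPolicy(["203.0.113.0/24", "198.51.100.16/28"], ["/app/public-form"])
clone = AccessPolicy()  # a fresh clone carries no access entries

if __name__ == "__main__":
    print(prod.decide("203.0.113.7", "/app/admin"))
    print(prod.decide("192.0.2.50", "/app/public-form/../admin"))
    print(clone.missing_from(prod))
```

`missing_from` is the check to run after cloning: it lists what still has to be configured on the clone before it behaves like its source.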

Recommended Architecture: Hub/Transit VPC Model

The recommended enterprise pattern is a Hub or Transit VPC architecture — a hub-and-spoke model where VPNs, Direct Connect, and other connections terminate centrally, with Pega Cloud reached via PrivateLink. This allows for centralised data inspection (DLP), unified governance, and a single point of policy enforcement.

Best Practice Checklist

The session closed with a practical set of recommendations for any organisation planning or revisiting their Pega Cloud network configuration:

  1. Involve your enterprise network team early — understand your traffic flow before you build
  2. Avoid the public internet for mission-critical or highly secure systems
  3. Use path-based restrictions when public internet access cannot be avoided
  4. Plan explicitly for cloned environments — they require their own access configuration

Join the Conversation

Have questions about Pega Cloud network configuration, or want to go deeper on any of the topics covered in this session? Join the Pega as-a-Service Expert Circle — a dedicated community hub where Pega's consulting and product engineering teams share practical knowledge, real-world best practices, and answer your questions directly.

We'd love to hear from you. Head over to the Q&A discussion in the Expert Circle and post your questions — whether they're about the topics covered in this session or anything else on your Pega Cloud journey. Additional questions are always welcome, and the team is committed to following up on key topics raised by the community.

About the Author

As a Technical Solutions Director at Pega, Ivan Anikanov helps client organizations drive digital transformation and cloud-first delivery. He bridges business and technical domains, bringing real-world client insights into Pega as-a-Service strategy.
