
Configuring private access to Pega Cloud services (legacy options)

Updated on June 2, 2022

Pega Cloud services supports several connectivity options to manage private network traffic between your Pega Cloud services environment and your enterprise network while fulfilling your network security requirements.

Important Pega Cloud networking definitions

Pega Cloud uses precise terminology to describe the flow of network traffic between your enterprise network and your Pega Cloud environment from connection source to connection destination.

  • Inbound traffic: Refers to traffic entering either your enterprise network or your Pega Cloud environment to the destination IP address.
  • Outbound traffic: Refers to traffic leaving either your enterprise network or your Pega Cloud environment from the source IP address.

    Network traffic flow definitions between the client enterprise network and the Pega Cloud environment

Client-to-Pega allow list configuration options

Outbound connection from client enterprise network; inbound connection to Pega Cloud environment

The following items describe options for adding Client-to-Pega private connections to an allow list.

By default, Pega only enables public-facing URLs for Pega applications. Create a service request to enable your Pega application URLs to be accessible over your private connection endpoints. For more information, see the row entitled "Client requests to enable private connection endpoints for their application."

  • Pega-side configuration (inbound traffic): By default, Pega does not restrict external traffic from entering your private connection endpoints. To allow private connectivity only from specific private IP addresses, request Pega to apply allow lists to your Pega Cloud environments for private connections. For more information, see the row entitled "Client provides Pega private source IP addresses for Pega to add to an allow list on the Pega Cloud environment."
  • Client-side configuration (outbound traffic): The Pega Cloud environment does not support static private destination IP addresses for private outbound traffic. Pega does provide three private IP address ranges for each of your Pega Cloud environments. You can place these IP address ranges on an allow list on your enterprise network for private connectivity. For more information, see the row entitled "Client adds three private IP address ranges provided by Pega for their Pega Cloud environments to an allow list."

Pega-to-client allow list configuration options

Inbound connection to client enterprise network; outbound connection from Pega Cloud environment

The following items describe options for adding Pega-to-client private connections to an allow list.

  • Pega-side configuration (outbound traffic): Pega Cloud Services does not restrict outbound traffic for client environments. This support model offers the most flexibility for clients integrating with external services while maintaining client data security and confidentiality as described in Security and data protection.
  • Client-side configuration (inbound traffic): Pega provides three private IP address ranges for each of your Pega Cloud environments. You must add these IP address ranges to an allow list on your enterprise network for private connectivity. For more information, see the row entitled "Client adds three private IP address ranges provided by Pega for their Pega Cloud environments to an allow list."

Private access services

Note: As of April 2022, Pega Cloud is ending support for all new configurations of the following legacy connectivity options. For more information, please see Change of support for connectivity options.

To create a more secure network topology for your Pega Cloud, contact Pega Cloud support to integrate the following supported private access services:

  • Your own Transit Gateway to provide central management of connectivity between your external connections and your Pega Cloud environments in a monitored and secure private network.
  • A Pega VPN connection to create a site-to-site encrypted connection to give your enterprise network secure remote access to your Pega Cloud environment.
  • An AWS Direct Connect connection to create a dedicated connection from your enterprise network to your Pega Cloud environment that can provide dedicated bandwidth and increase network performance.
  • A VPC Peering connection if you need to create a connection between your Pega Cloud VPC and an external AWS VPC in the same region.

Adding private connections responsibility model

The process for adding private connections to an allow list and configuring private access services relies on a shared responsibility model between you and Pega Cloud. To initiate any process involving adding a connection to an allow list, you must make a service request with your regional Pega support representative by selecting New request in My Support Portal, then follow the guidance in the Client Responsibilities column in the following table. For the latest documentation on making requests, see My Support Portal: New design, streamlined features.

Note: Pega Cloud cannot guarantee the absence of IP address conflicts when using private connections in a changing client environment. Pega Cloud will collaborate with you to identify potential overlap in IP address ranges during initial onboarding if you choose to use private connections.
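The overlap check mentioned in the note above can be run on the client side before the ranges go onto an enterprise allow list. The following is an added example, not part of the Pega documentation; the CIDR values and subnet names are constructed placeholders, since Pega supplies the real ranges through a service request.

```python
import ipaddress

# Constructed sample values (assumptions): replace with the three ranges
# Pega provides for the environment and with your own subnet inventory.
PEGA_RANGES = ["10.100.0.0/24", "10.100.1.0/24", "10.100.2.0/24"]
ENTERPRISE_SUBNETS = {
    "hq-lan": "10.0.0.0/16",
    "dc-east": "10.100.1.128/25",
    "vpn-pool": "172.16.8.0/22",
}


def parse_ranges(cidrs):
    """Parse CIDR strings strictly so a range with host bits set is rejected
    instead of being silently widened to its network address."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def find_overlaps(pega_cidrs, enterprise):
    """Return (pega_range, subnet_name, subnet) for every overlapping pair."""
    pega = parse_ranges(pega_cidrs)
    hits = []
    for name, cidr in sorted(enterprise.items()):
        subnet = ipaddress.ip_network(cidr, strict=True)
        for rng in pega:
            if rng.version == subnet.version and rng.overlaps(subnet):
                hits.append((str(rng), name, str(subnet)))
    return hits


def is_allowed(source_ip, allow_cidrs):
    """True if source_ip falls inside one of the allow-listed ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in parse_ranges(allow_cidrs))


if __name__ == "__main__":
    for rng, name, subnet in find_overlaps(PEGA_RANGES, ENTERPRISE_SUBNETS):
        print(f"CONFLICT: Pega range {rng} overlaps {name} ({subnet})")
    for ip in ("10.100.2.17", "10.100.3.1"):
        verdict = "allow" if is_allowed(ip, PEGA_RANGES) else "deny"
        print(f"{ip}: {verdict}")
```

Any conflict reported here is worth raising with Pega during onboarding, because traffic addressed to an overlapping range may be routed to the local subnet rather than across the private connection.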

If you require additional means of privately connecting to your Pega Cloud environment, contact your regional Pega support representative.

Responsibility model table

| Configuration method | Connectivity | Client Responsibilities | Pega Responsibilities |
| --- | --- | --- | --- |
| Private connection through the Pega VPN service | Pega Cloud environment to client and client to Pega Cloud environment | Configure your enterprise VPN and provide requisite information to Pega. For more information, see Pega Cloud VPN service. | Provides a form to configure the Pega VPN service. |
| VPC Peering | Pega Cloud environment to an Amazon VPC | Make a request to obtain the information required for a VPC Peer connection to another Amazon VPC. For more information, see Requesting a virtual private cloud (VPC) peering connection. | Provides client with the information required to create a VPC Peer connection with another Amazon VPC. |
| AWS Direct Connect | Pega Cloud environment to client and client to Pega Cloud environment | Configure AWS Direct Connect with your Pega Cloud environment. For more information, see Configuring Amazon Web Services (AWS) Direct Connect in your Pega Cloud Services virtual private cloud. | Authenticates Amazon Direct Connect from Pega Cloud environment. |
| Client requests to enable private connection endpoints for their application | Client to Pega Cloud environment | Make a request for Pega to enable private endpoints for applications. | Enables internal connections for private connection endpoints. |
| Client adds three private IP address ranges provided by Pega for their Pega Cloud environments to an allow list | Pega Cloud environment to client and client to Pega Cloud environment | Make a request to obtain three private IP address ranges, and add the static source IP address ranges to your enterprise network allow list. | Provisions private source IP address ranges for each Pega Cloud environment, and then sends IP address ranges to client. |
| Client provides Pega private source IP addresses for Pega to add to an allow list on the Pega Cloud environment | Client to Pega Cloud environment | Make a request that includes a list of private source IP addresses for Pega to add to an allow list on the Pega Cloud environment. | Adds client-provided private source IP addresses on the Pega Cloud environments to an allow list. |