Configuring private access to Pega Cloud services (legacy options)
Pega Cloud services supports several connectivity options to manage private network traffic between your Pega Cloud services environment and your enterprise network while fulfilling your network security requirements.
Important Pega Cloud networking definitions
Pega Cloud uses precise terminology to describe the flow of network traffic between your enterprise network and your Pega Cloud environment from connection source to connection destination.
- Inbound traffic: Refers to traffic entering either your enterprise network or your Pega Cloud environment to the destination IP address.
- Outbound traffic: Refers to traffic leaving either your enterprise network or your Pega Cloud environment from the source IP address.
Network traffic flow definitions between a client enterprise network and a Pega Cloud environment
Client-to-Pega allow list configuration options
By default, Pega only enables public-facing URLs for Pega applications. Create a service request to enable your Pega application URLs to be accessible over your private connection endpoints. For more information, see the row entitled "Client requests to enable private connection endpoints for their application."
- Pega-side configuration (inbound traffic): By default, Pega does not restrict external traffic from entering your private connection endpoints. To allow private connectivity only from specific private IP addresses, request Pega to apply allow lists to your Pega Cloud environments for private connections. For more information, see the row entitled "Client provides Pega private source IP addresses for Pega to add to an allow list on the Pega Cloud environment."
- Client-side configuration (outbound traffic): The Pega Cloud environment does not support static private destination IP addresses for private outbound traffic. Pega does provide three private IP address ranges for each of your Pega Cloud environments. You can place these IP address ranges on an allow list on your enterprise network for private connectivity. For more information, see the row entitled "Client adds three private IP address ranges provided by Pega for their Pega Cloud environments to an allow list."
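An added example (not Pega tooling and not code from this page) of a check you could run on the list of private source IP addresses before including it in an allow-list service request. It assumes "private" means RFC 1918 IPv4 space; `review_allow_list`, the `min_prefix` policy and the sample addresses are hypothetical.

```python
import ipaddress

# Assumption: "private" means RFC 1918 IPv4 space; the page does not define it.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def review_allow_list(entries, min_prefix=16):
    """Split candidate source addresses into accepted networks and rejections.

    min_prefix is a hypothetical local policy: ranges broader than /16 are
    rejected as too wide to be a meaningful allow-list entry.
    """
    accepted, rejected = [], []
    for raw in entries:
        text = raw.strip()
        try:
            # strict=True rejects entries with host bits set, e.g. 10.1.2.3/24
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            rejected.append((text, "not a valid address or CIDR"))
            continue
        if net.version != 4 or not any(net.subnet_of(p) for p in RFC1918):
            rejected.append((text, "not RFC 1918 private space"))
        elif net.prefixlen < min_prefix:
            rejected.append((text, "range broader than /%d" % min_prefix))
        else:
            accepted.append(net)
    # collapse_addresses merges duplicates, overlaps and adjacent ranges
    return list(ipaddress.collapse_addresses(accepted)), rejected


# Constructed sample input, not real customer addresses.
SAMPLE = [
    "10.20.30.0/24", "10.20.30.17", "10.20.31.0/24", "192.168.5.9/32",
    "203.0.113.10", "10.0.0.0/8", "172.32.0.1", "10.1.2.3/24", "vpn-gw-1",
]

if __name__ == "__main__":
    ok, bad = review_allow_list(SAMPLE)
    for net in ok:
        print("submit", net)
    for text, why in bad:
        print("reject", text, "-", why)
```

Public addresses such as `203.0.113.10` and near-miss ranges such as `172.32.0.1` are the entries most likely to slip into a request unnoticed, so they are reported separately instead of being silently dropped.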
Pega-to-client allow list configuration options
- Pega-side configuration (outbound traffic): Pega Cloud Services does not restrict outbound traffic for client environments. This support model offers the most flexibility for clients integrating with external services while maintaining client data security and confidentiality as described in Security and data protection.
- Client-side configuration (inbound traffic): Pega provides three private IP address ranges for each of your Pega Cloud environments. You must add these IP address ranges on an allow list on your enterprise network for private connectivity. For more information, see the row entitled "Client adds three private IP address ranges provided by Pega for their Pega Cloud environments to an allow list."
Private access services
To create a more secure network topology for your Pega Cloud, contact Pega Cloud support to integrate the following supported private access services:
- Your own Transit Gateway to provide central management of connectivity between your external connections and your Pega Cloud environments in a monitored and secure private network.
- A Pega VPN connection to create a site-to-site encrypted connection to give your enterprise network secure remote access to your Pega Cloud environment.
- An AWS Direct Connect connection to create a dedicated connection from your enterprise network to your Pega Cloud environment that can provide dedicated bandwidth and increase network performance.
- A VPC Peering connection if you need to create a connection between your Pega Cloud VPC and an external AWS VPC in the same region.
Adding private connections responsibility model
The process for adding private connections to an allow list and configuring private access services relies on a shared responsibility model between you and Pega Cloud. To initiate any process involving adding a connection to an allow list, you must make a service request with your regional Pega support representative by selecting New request in My Support Portal, then follow the guidance in the Client Responsibilities column in the following table.
For the latest documentation on making requests, see My Support Portal: New design, streamlined features.
If you require additional means of privately connecting to your Pega Cloud environment, contact your regional Pega support representative.
Responsibility model table
Configuration method | Connectivity | Client Responsibilities | Pega Responsibilities |
Private connection through the Pega VPN service | Pega Cloud environment to client and client to Pega Cloud environment | Configure your enterprise VPN and provide requisite information to Pega. For more information, see Pega Cloud VPN service. | Provides a form to configure the Pega VPN service. |
VPC Peering | Pega Cloud environment to an Amazon VPC | Make a request to obtain the information required for a VPC Peer connection to another Amazon VPC. For more information, see Requesting a virtual private cloud (VPC) peering connection. | Provides client with the information required to create a VPC Peer connection with another Amazon VPC. |
AWS Direct Connect | Pega Cloud environment to client and client to Pega Cloud environment | Configure AWS Direct Connect with your Pega Cloud environment. For more information, see Configuring Amazon Web Services (AWS) Direct Connect in your Pega Cloud Services virtual private cloud. | Authenticates Amazon Direct Connect from Pega Cloud environment. |
Client requests to enable private connection endpoints for their application | Client to Pega Cloud environment | Make a request for Pega to enable private endpoints for applications. | Enables internal connections for private connection endpoints. |
Client adds three private IP address ranges provided by Pega for their Pega Cloud environments to an allow list | Pega Cloud environment to client and client to Pega Cloud environment | Make a request to obtain three private IP address ranges, and add the static source IP address ranges to your enterprise network allow list. | Provisions private source IP address ranges for each Pega Cloud environment, and then sends IP address ranges to client. |
Client provides Pega private source IP addresses for Pega to add to an allow list on the Pega Cloud environment | Client to Pega Cloud environment | Make a request that includes a list of private source IP addresses for Pega to add to an allow list on the Pega Cloud environment. | Adds client-provided private source IP addresses on the Pega Cloud environments to an allow list. |