Pega Cloud services offers Internet connectivity as the default option to securely connect Pega Cloud to your enterprise network.
- Lowest cost, implementation time, and overall maintenance.
- Ubiquitous access for your users and systems.
- Highly scalable and reliable connection.
- Transport Layer Security (TLS) provides security for data in transit. For details, see Data-in-transit encryption.
Public connectivity allows for connections to multiple sites including corporate datacenters and IaaS or other IaaS providers; however, it is limited to resources that are exposed publicly through secure gateways and well-defined APIs. If public connectivity does not fully meet your organization’s needs, see Pega Cloud Connect: unifying access to Pega Cloud.
Inbound access configuration options
The following items describe the options for adding client-to-Pega public connections to an allow list.
- Pega-side configuration (inbound traffic): By default, Pega Cloud does not restrict inbound connections at the network level with the exception of the SFTP service as mentioned below. To allow connectivity to Pega Cloud from only specific source IP addresses or networks, Pega can apply allow lists to your Pega Cloud on request.
- Client-side configuration (outbound traffic): Pega supports static IP addresses to Pega Cloud. If the security requirements of your enterprise network include restrictions on traffic leaving your network, provide Pega with your static source IP addresses and Pega will add them to an appropriate allow list.
- Pega-side configuration for the SFTP service (inbound traffic): By default, Pega Cloud denies inbound connections to your Pega Cloud SFTP service. To enable access, provide Pega with a list of known source IP addresses so that Pega can add them to an SFTP service-specific allow list.
- Client-side configuration for the SFTP service (outbound traffic): Pega Cloud supports static destination IP addresses for outbound traffic to your Pega Cloud SFTP service. If your enterprise network security requirements include restrictions on traffic leaving your network, add the IP address of your Pega Cloud SFTP service to your outbound allow list.
For more information, see the Responsibility model table.
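A pre-submission check for the list of static source IP addresses described above, as an added example (it is not Pega tooling and does not come from this documentation). It flags entries that cannot work as Internet-facing source addresses or that widen the allow list more than intended. The function name, the prefix thresholds, and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Ranges that cannot appear as a source address on the public Internet.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this network"
    "224.0.0.0/3",                                     # multicast and reserved
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",    # IPv6 equivalents
)]

# Assumption for this example, not a Pega limit: entries broader than these
# prefix lengths are flagged as too wide for a list of static source addresses.
MIN_PREFIX = {4: 24, 6: 48}

# Constructed sample request (documentation ranges plus deliberately bad entries).
SAMPLE_REQUEST = [
    "203.0.113.10", "203.0.113.10", "198.51.100.0/28", "10.20.30.40",
    "198.51.100.0/22", "192.0.2.77/24", "2001:db8:10::/64",
]

def review_allow_list(entries):
    """Return (accepted, rejected); rejected maps each bad entry to a reason."""
    accepted, rejected = [], {}
    for raw in entries:
        entry = raw.strip()
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            rejected[entry] = "not a valid address or network (host bits set?)"
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected[entry] = "range too broad for a static source list"
        elif any(net.version == bad.version and net.overlaps(bad) for bad in NON_PUBLIC):
            rejected[entry] = "overlaps a range that is not routable on the Internet"
        elif net in accepted:
            rejected[entry] = "duplicate entry"
        else:
            accepted.append(net)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = review_allow_list(SAMPLE_REQUEST)
    print("submit:", ", ".join(str(n) for n in ok))
    for entry, reason in bad.items():
        print(f"fix before submitting: {entry} ({reason})")
```

A private address such as `10.20.30.40` is rejected because Pega Cloud sees the post-NAT egress address of your network, so that is the address that belongs in the request.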
Pega-to-client allow list configuration options
The following items describe the configuration options for adding Pega-to-client connections to an allow list.
- Pega-side configuration (outbound traffic): Pega Cloud services does not restrict outbound traffic. This support model offers the most flexibility when you integrate with external services while maintaining client data security and confidentiality as described in Security and data protection.
- Client-side configuration (inbound traffic): Pega Cloud services provides three static source IP addresses shared by Pega Cloud. Add these IP addresses on your enterprise network allow list.
For more information, see the Responsibility model table.
Responsibility model for adding public connections
The process for adding public connections to an allow list relies on a shared responsibility model between you and Pega Cloud. To initiate any process involving adding a connection to an allow list, make a request with your regional Pega Support representative by using the New Request tab in My Support Portal, and then follow the information in the Client responsibilities column of the following table. For the latest documentation on making requests, see My Support Portal: New design, streamlined features.
| Configuration method | Connectivity | Client responsibilities | Pega responsibilities |
|---|---|---|---|
| Client provides Pega static source IP addresses for Pega Cloud services to add to the Pega Cloud allow list. | Client enterprise network to Pega Cloud. | Makes a request that includes a list of static source IP addresses for Pega Cloud services to add to the Pega Cloud allow list. | Adds client-provided static source IP addresses to the Pega Cloud allow list. |
| Client adds three static IP addresses provided by Pega Cloud services for Pega Cloud to an allow list. | Pega Cloud to client enterprise network. | Obtains static source IP addresses at time of provisioning IP addresses, and then adds the static source IP addresses on your enterprise network allow list. | Provisions a pool of static source IP addresses and assigns them to Pega Cloud, and then sends static source IP addresses to client. |
| Client provides Pega Cloud services a static source IP to allow connection to the Pega Cloud SFTP Service. Prerequisite: For clients still using legacy public connectivity, client environments must be migrated to use these static IP addresses. For migration details, see Network migrations: benefits and impacts and Network migration FAQ. | Client enterprise network to Pega Cloud. | Requests and sends Pega Cloud services a list of static source IP addresses that are on an allow list to connect to the Pega Cloud SFTP Service. For more information, see Services SFTP Service. | Adds client-provided static source IP addresses to an allow list on the Pega Cloud allow list. |
| Client adds the static destination IP of their Pega Cloud SFTP service to an allow list. | Client enterprise network to Pega Cloud. | Requests static destination IP addresses to your Pega Cloud SFTP service and then adds the static destination IP addresses to your enterprise network allow list. For more information, see Services SFTP Service. | Provisions an IP address, assigns the IP address to the Pega Cloud SFTP service, and then sends the static destination IP address to client. |
| Client provides Pega with service add-on connection information. | Pega Cloud to client enterprise network. | Adds add-on service static source IP addresses on your enterprise-network allow list, and then provides the add-on service connection information to Pega Cloud services. For an example add-on service, see Streaming Pega logs to Splunk. | Provisions a set of IP addresses assigned to the add-on service for outbound traffic. |