KB-1537 Support for inbound dual HTTPS access (VPN and Internet)

Purpose

This guide outlines the steps required to set up an Appian Cloud site to receive inbound HTTPS access over a VPN tunnel and the Internet at the same time. This configuration is intended for customers that need systems within their own network to initiate HTTPS requests to Appian Cloud over an IPSec VPN tunnel, while end users continue to reach the site over the Internet.

Prerequisites

  • Set up an IPSec VPN tunnel to the customer corporate network: refer to the documentation for details.
  • Configure a custom domain: sites with dual HTTPS access are required to have a custom domain. See KB-1536 How to configure a custom domain in Appian Cloud sites for more details.
  • Set up name resolution: customers with this configuration are required to have a mechanism in their DNS infrastructure (for example, split-horizon DNS) that resolves the fully qualified domain name (FQDN) of the Appian Cloud site either to the public CNAME or to the private IP address, depending on the source of the query.

Note: When generating the CA-signed certificate required to set up a custom domain, Appian does not allow SAN or wildcard certificates for sites that are accessed over the VPN tunnel; the certificate must be issued for the single FQDN of the site.
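The following is an added example of the name-resolution prerequisite implemented as split-horizon DNS with BIND views; it is not configuration taken from the Appian article or from Appian. The zone name customdomain.example, the corporate address range 10.0.0.0/8, the private address 10.20.30.40 and the CNAME target public-lb.example.net are placeholders for the values in your environment and the ones Appian provides for your site.

```conf
// /etc/bind/named.conf excerpt: split-horizon views on the customer-managed DNS server.
// Added example with placeholder values; not from the Appian article.
acl corp-net { 10.0.0.0/8; };           // clients inside the corporate network (placeholder range)

view "internal" {
    match-clients { corp-net; };        // queries from the corporate network get the VPN answer
    recursion yes;                      // internal clients may also use this server as a resolver
    zone "customdomain.example" {
        type master;
        file "/etc/bind/db.customdomain.example.internal";
    };
};

view "external" {
    match-clients { any; };             // everything that did not match the internal view
    recursion no;                       // do not act as an open resolver for the Internet
    zone "customdomain.example" {
        type master;
        file "/etc/bind/db.customdomain.example.external";
    };
};

; --- file: /etc/bind/db.customdomain.example.internal (answer seen from inside the VPN) ---
$TTL 300
@         IN SOA   ns1.customdomain.example. hostmaster.customdomain.example. (
                   2019090101 3600 900 1209600 300 )
          IN NS    ns1.customdomain.example.
yoursite  IN A     10.20.30.40         ; private IP of the site inside the IPSec tunnel (placeholder)

; --- file: /etc/bind/db.customdomain.example.external (answer seen from the Internet) ---
$TTL 300
@         IN SOA   ns1.customdomain.example. hostmaster.customdomain.example. (
                   2019090101 3600 900 1209600 300 )
          IN NS    ns1.customdomain.example.
yoursite  IN CNAME public-lb.example.net. ; public CNAME for the Appian load balancer (placeholder)
```

Verify the split from both sides before the maintenance window: a query for yoursite.customdomain.example from a host on the corporate network should return the private address, and the same query from outside should return the CNAME. The same FQDN is used over both paths, which is why the custom-domain certificate must be issued for exactly that name. Keep the TTL short until the cut-over is confirmed so a wrong answer does not stay cached for long.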

Instructions

Once all prerequisites are completed, contact Appian Support to schedule a maintenance window and enable the site to receive inbound HTTPS traffic over the VPN. Inbound traffic from the Internet is configured as part of the "Configure a custom domain" prerequisite outlined above. After the maintenance window is completed, the site(s) will be accessible through both the VPN and the Internet.

Note: Sites running in a high availability configuration require additional configuration for the connections over the VPN. In this scenario, Appian provides three private IP addresses, and the customer performs the network configuration (for example, a load balancer with health checks) that forwards web requests to a healthy web server.

Example of traffic flow in a dual HTTPS configuration

The following diagram illustrates a sample traffic flow when end users and systems access an Appian Cloud site over the Internet and the VPN tunnel at the same time. This diagram assumes a customer-managed DNS server has been set up to resolve to a private IP address or a public CNAME based on the origin of the request.

Note: This is not the only method to meet the prerequisites outlined above and the implementation details will largely depend on each customer environment.

[Diagram: sample traffic flow for dual HTTPS access over the Internet and the VPN tunnel]

Please refer to the diagram above when following the flow description in this table.

Traffic Type: Inbound traffic over the Internet
  1. End users make a request to yoursite.customdomain.
  2. The customer DNS server performs a lookup and resolves the name to a CNAME record pointing to the public load balancer.
  3. The request goes over the Internet and is received by the Appian load balancer.
  4. The Appian load balancer forwards the traffic to the web server layer and then to the Appian Cloud site.
  5. The request is processed by the application server and the response is returned over the same path.

Traffic Type: Inbound traffic over the VPN
  1. End users (or systems) in your network make a request to yoursite.customdomain.
  2. The customer DNS server performs a lookup and resolves the name to the private IP address reachable through the VPN tunnel.
  3. The request is routed into the IPSec VPN tunnel.
  4. The request is processed by the local web server and then by the application server. The response is sent back through the VPN tunnel.

Traffic Type: Outbound traffic
  1. All traffic originating from the Appian Cloud site to a resource in your network is forwarded over the IPSec VPN tunnel. Resources in your network might include a business data source or an LDAP server.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: September 2019
