KB-1541 Support for inbound HTTPS traffic over VPN

Purpose

This guide outlines the steps required to set up an Appian Cloud site to receive inbound HTTPS traffic only over an IPSec VPN tunnel. With this configuration, the site will not be accessible over the Internet and all users must first be on their corporate network before navigating to their Appian Cloud sites. This configuration is intended for customers who require that only users and systems within their network can access the Appian Cloud site.

To allow inbound traffic to the Appian Cloud site over the VPN tunnel and over the Internet see KB-1537: Support for dual inbound HTTPS access (VPN and Internet).

Prerequisites

The following are required for this configuration to be enabled on the Appian Cloud site(s):

  • Set up an IPSec VPN tunnel to the corporate network: Refer to the documentation for details.
  • Choose a custom domain: Sites with HTTPS traffic over VPN are required to have a custom domain. Complete the section “Generate certificates for HTTPS traffic” from KB-1536: Configure a custom domain in Appian Cloud sites.
  • Set up name resolution: Customers with this configuration must update their DNS infrastructure so that the fully qualified domain name (FQDN) of their Appian Cloud site resolves to the private IP address assigned during the VPN tunnel configuration.

Instructions

Once all prerequisites are met, schedule a maintenance window with Appian Support to enable site(s) to receive inbound HTTPS traffic over the VPN. Once the maintenance window is completed, site(s) will be accessible only through the VPN.

Note: Sites running on a high availability configuration require additional configuration. In this scenario, Appian provides three private IP addresses, and the customer performs the network configuration that forwards web requests to a healthy web server.

Example Traffic Flow for HTTPS Traffic Over VPN

The following diagram illustrates a sample traffic flow when end users and systems access an Appian Cloud site over the VPN tunnel. This diagram assumes a DNS server contains a host record pointing to the private IP address assigned to the site during the VPN tunnel configuration. End users will access the site using its FQDN.

Please refer to the diagram above when following the flow description in this table.

Traffic Type Flow description
Inbound traffic over VPN
  1. End users (or systems) on the corporate network make a request to yoursite.customdomain.
  2. The DNS server performs a lookup and resolves to the private IP address in the VPN tunnel.
  3. The request is directed to the VPN tunnel.
  4. The request is processed by the local web server and then by the application server. The response is sent back to the VPN tunnel. 
Outbound traffic
  1. All traffic originating from your Appian Cloud site to a resource in your network is forwarded over the IPSec VPN tunnel. Resources in your network might include a business datasource or an LDAP server.

Disclaimer - Compare and Deploy Across Connected Environments

Given that inbound site access will be restricted to VPN, leveraging the Compare and Deploy Across Connected Environments feature will require special network considerations which can be found below:

Prerequisites

  • The customer DNS servers should resolve the hostnames of all connected environments to their corresponding private IP address.
  • VPN configurations should allow forwarding traffic from source to target environments on both sides of the tunnel.
  • Customers should set up proper routing on their network to allow connectivity between environments.
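The name-resolution prerequisites above (the site FQDN resolving to its VPN-assigned private address, and every connected environment's hostname resolving to its own private address) are easy to get wrong when a public DNS record already exists. The following check is an added example written for this article and is not Appian code: given a set of DNS answers, it flags any hostname that resolves to a non-RFC 1918 address or to a private address outside the prefixes assigned for the VPN tunnels. The hostnames, addresses and VPN prefixes are constructed placeholders; `resolve_live` queries whichever resolver the host is configured with and is only meant to be run from inside the corporate network.

```python
"""Check that corporate DNS answers for Appian Cloud site hostnames point only
at private addresses inside the VPN-assigned ranges.

Added example for this article, not Appian code. All hostnames, addresses
and prefixes below are constructed placeholders.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List

# RFC 1918 private address space; checked explicitly rather than via
# ipaddress.is_private, which also covers documentation and test ranges.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed: private prefixes assigned when each VPN tunnel was set up.
VPN_PREFIXES = [
    ipaddress.ip_network("10.20.30.0/24"),  # Dev tunnel (assumed)
    ipaddress.ip_network("10.20.31.0/24"),  # Test tunnel (assumed)
]


def check_answer(fqdn: str, addresses: Iterable[str],
                 vpn_prefixes: Iterable[ipaddress.IPv4Network] = VPN_PREFIXES) -> List[str]:
    """Return the problems found in one hostname's DNS answer (empty list = OK)."""
    problems: List[str] = []
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if not addrs:
        return [f"{fqdn}: no address returned; a VPN-only site must resolve on the corporate DNS"]
    for addr in addrs:
        if not any(addr in net for net in RFC1918):
            # A public answer means clients would try to reach the site outside the tunnel.
            problems.append(f"{fqdn}: {addr} is not an RFC 1918 address")
        elif not any(addr in net for net in vpn_prefixes):
            problems.append(f"{fqdn}: {addr} is private but not in a VPN-assigned range")
    return problems


def check_all(answers: Dict[str, List[str]],
              vpn_prefixes: Iterable[ipaddress.IPv4Network] = VPN_PREFIXES) -> Dict[str, List[str]]:
    """Run check_answer over every hostname; only hostnames with problems are returned."""
    result: Dict[str, List[str]] = {}
    for fqdn, addrs in answers.items():
        probs = check_answer(fqdn, addrs, vpn_prefixes)
        if probs:
            result[fqdn] = probs
    return result


def resolve_live(fqdn: str) -> List[str]:
    """Ask the host's configured resolver for the A records of fqdn.

    Run this from a machine on the corporate network to feed real answers into
    check_all. It is not called at import time, so the module works offline.
    """
    infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed sample answers, as a corporate DNS server might return them.
SAMPLE_ANSWERS = {
    "dev.appian.example.com": ["10.20.30.40"],
    "test.appian.example.com": ["10.20.31.40"],
    "prod.appian.example.com": ["203.0.113.10"],      # wrong: not a private address
    "ha.appian.example.com": ["10.20.30.41", "10.20.30.42", "10.20.30.43"],  # HA: three private IPs
    "stale.appian.example.com": ["192.168.5.9"],      # private, but outside the tunnel ranges
}

if __name__ == "__main__":
    for fqdn, probs in check_all(SAMPLE_ANSWERS).items():
        for p in probs:
            print(p)
```

Running the script prints one line per problem found in `SAMPLE_ANSWERS`; with live answers, replace the sample dictionary with `{fqdn: resolve_live(fqdn) for fqdn in hostnames}` and run it from a host on the corporate network, then again from outside it, where a VPN-only site should not resolve at all.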

Example of traffic flow between connected environments

Given a connected system request from a Dev site to a Test site in Appian Cloud, the following 3 steps occur and are illustrated in the diagram below:

  • Step 1: When the Dev environment attempts to connect to Test, the Dev environment resolves the Test domain hostname on the customer DNS server over the Dev VPN tunnel.
  • Step 2: The DNS query returns the IP address of the Test environment to the Dev environment over the Dev VPN tunnel.
  • Step 3: The DevOps request is sent from the Dev environment over the Dev VPN tunnel to the customer network, and then rerouted over the Test VPN tunnel to the Test environment.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: September 2020
