KB-1541 Support for inbound HTTPS traffic over VPN

Purpose

This guide outlines the steps required to set up an Appian Cloud site to receive inbound HTTPS traffic only over an IPSec VPN tunnel. With this configuration, the site will not be accessible over the Internet and all users must first be on their corporate network before navigating to their Appian Cloud sites. This configuration is intended for customers who require that only users and systems within their network can access the Appian Cloud site.

To allow inbound traffic to the Appian Cloud site over both the VPN tunnel and the Internet, see KB-1537: Support for dual inbound HTTPS access (VPN and Internet).

Prerequisites

The following are required for this configuration to be enabled on the Appian Cloud site(s):

  • Set up an IPSec VPN tunnel to the corporate network: Refer to the documentation for details.
  • Choose a custom domain: Sites with HTTPS traffic over VPN are required to have a custom domain. Complete the section “Generate certificates for HTTPS traffic” from KB-1536: Configure a custom domain in Appian Cloud sites.
  • Set up name resolution: Customers with this configuration must update their DNS infrastructure so that the fully qualified domain name (FQDN) of their Appian Cloud site resolves to the private IP address assigned during the VPN tunnel configuration.
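
The name resolution prerequisite can be checked from a host on the corporate network before the maintenance window. The following is an added example, not Appian code: it resolves the site FQDN and reports any answer that is not one of the addresses the record is supposed to hold. It assumes the assigned private addresses are RFC 1918 space; the function names, the 10.20.30.x addresses and the stale-record sample are constructed for illustration.

```python
import ipaddress
import socket

# Assumption: the "private IP address" assigned for the tunnel is RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve(fqdn):
    """Ask the local resolver, as a client on the corporate network would."""
    infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_resolution(fqdn, expected_ips, resolver=resolve):
    """Return findings for fqdn; an empty list means every answer is expected."""
    expected = {ipaddress.ip_address(ip) for ip in expected_ips}
    try:
        answers = {ipaddress.ip_address(a) for a in resolver(fqdn)}
    except socket.gaierror as exc:
        return [f"{fqdn}: name does not resolve ({exc})"]
    if not answers:
        return [f"{fqdn}: resolver returned no addresses"]
    findings = []
    for addr in sorted(answers, key=str):
        if addr in expected:
            continue
        if any(addr in net for net in RFC1918):
            findings.append(f"{fqdn}: {addr} is private but not an expected address")
        else:
            findings.append(f"{fqdn}: {addr} is not a private (RFC 1918) address")
    return findings


def stale_record(fqdn):
    """Constructed resolver: one correct answer plus a leftover non-private one."""
    return {"10.20.30.41", "203.0.113.10"}


if __name__ == "__main__":
    # Constructed sample: three assigned addresses, as in the high availability case.
    assigned = ["10.20.30.41", "10.20.30.42", "10.20.30.43"]
    for line in check_resolution("yoursite.customdomain", assigned, stale_record):
        print(line)
```

Omit the `resolver` argument to query the host's real DNS configuration. If web requests are forwarded through a customer-side address in a high availability setup, pass that address as the expected value.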

Instructions

Once all prerequisites are met, schedule a maintenance window with Appian Support to enable site(s) to receive inbound HTTPS traffic over the VPN. Once the maintenance window is completed, site(s) will be accessible only through the VPN.

Note: Sites running in a high availability configuration require additional configuration. In this scenario, Appian provides three private IP addresses, and the customer performs the network configuration needed to forward web requests to a healthy web server.

Example Traffic Flow for HTTPS Traffic Over VPN

The following diagram illustrates a sample traffic flow when end users and systems access an Appian Cloud site over the VPN tunnel. This diagram assumes a DNS server contains a host record pointing to the private IP address assigned to the site during the VPN tunnel configuration. End users will access the site using its FQDN.

Please refer to the diagram above when following the flow description in this table.

Traffic Type Flow description
Inbound traffic over VPN
  1. End users (or systems) on the corporate network make a request to yoursite.customdomain.
  2. The DNS server performs a lookup and resolves to the private IP address in the VPN tunnel.
  3. The request is directed to the VPN tunnel.
  4. The request is processed by the local web server and then by the application server. The response is sent back to the VPN tunnel. 
Outbound traffic
  1. All traffic originating from your Appian Cloud site to a resource in your network is forwarded over the IPSec VPN tunnel. Resources in your network might include a business datasource or an LDAP server.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: September 2019 
