Overview¶

Shield on Cloud Next is a comprehensive suite of advanced networking features that enables organizations to implement enhanced security controls and maintain strict compliance requirements for their digital experiences. This solution provides seamless network isolation, secure connectivity, and flexible access management capabilities in Cloud Next. In Shield on Cloud Next, subscriber deployments in an isolated network environment are separated from other subscriber deployments at the network level.

Shield on Cloud Next delivers a modern, integrated approach that allows you to manage advanced network configurations and security controls for your Cloud Platform applications. Like Shield, it provides enterprise-grade networking capabilities that enable you to implement robust security measures and maintain strict compliance requirements. This solution addresses the demanding security requirements of organizations that operate in highly regulated environments.

With Shield on Cloud Next, you can:

• Control how your applications are accessed.
• Manage applications hosted in isolated network in Acquia’s infrastructure.
• Establish secure connections between your network and Cloud Platform.
• Configure private access patterns for both incoming SSH traffic and outgoing VPN traffic.

Key features¶

Advanced network isolation

• Dedicated network subnets for enhanced network segmentation and isolation of customer workloads
• Additional network-level controls to complement the logical isolation already provided by Kubernetes on Cloud Next
• Enhanced security controls for sensitive workload

Secure connectivity

• VPN connectivity options to ensure sensitive traffic remains private
• Private SSH ingress capabilities to have controlled SSH access to your applications
• Private Egress capabilities to secure outbound connections through VPN

Access management

• Self-service IP allowlisting for SSH access and selection of CIDRs for the purpose
  This feature is available only for Cloud Platform subscribers and not for Site Factory.
• Dedicated SSH ingress endpoints

Private IP range with optional VPN connection

• Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect between Cloud Platform and your private network. The VPN connection ensures that you have secure bi-directional interaction between your websites and your internal IT systems such as CRM. Packaged in the price of Shield is the VPN configured to connect Cloud Platform with one subscriber-defined gateway device point. 
  
  To enable the VPN, you must first buy a subscription to Cloud Platform. If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the Amazon VPC FAQs.

Shield vs Shield on Cloud Next¶

Use cases¶

With Shield on Cloud Next, organizations can:

• Operate under strict compliance requirements.
• Maintain private network connections to internal systems.
• Maintain granular control over application access.
• Implement network-level security controls.
• Isolate sensitive applications and data.

Quotas and constraints¶

• One subscription can have a minimum of one to maximum X private networks (in context of only subscriptions with the Shield entitlement).
• A private network can have a minimum of 0 and a maximum of 100 environments.
• All environments in the single private network must belong to the same region.
• A private network can have a minimum of 0 and a maximum of 10 VPNs.
• For ACLs, access restriction can be applied to a maximum 25 IP addresses.
• After the first connection of VPN, additional connections will incur extra charges.

Upgrading from Shield to Shield on Cloud Next¶

Contact your account manager for guidance on the upgrade process to Shield on Cloud Next.

Prerequisites¶

• If you use the Private SSH Ingress feature:
  
  After Acquia upgrades your VPC from Shield to Shield on Cloud Next, Acquia gets a list of DNS resolver endpoint IPs. The SSH endpoint can be resolved through that or propagated to your peer VPC, if that is set up. In addition, Acquia generates the IP addresses for the SSH endpoint. As you need IP and host header, Acquia shares IP after SSH stack is ready on Cloud Next. Host header remains the same as the current one. You must upgrade the SSH endpoint after Acquia communicates the new endpoint. If this is not done, private SSH ingress feature does not work.

Initiating your Shield on Cloud Next tunnel¶

After Acquia provisions Shield on Cloud Next and provides connection information to you, it is your responsibility to configure your VPN device, establish the secure tunnel, and keep the network connection alive.

You must also confirm that your secondary tunnel is configured properly in case your primary tunnel becomes unavailable. When properly configured, your gateway must fail over to the secondary tunnel in your tunnel pair, if needed.

Private Network APIs¶

This service will be made available to customers in the near future. Through this service, you will be able to manage your configurations and provision resources related to Shield on Cloud Next. This service will expose multiple APIs through https://cloudapi-docs.acquia.com/. For example, you will be able to use these APIs to add environments to your private network.

Meanwhile, you can use the Cloud Platform user interface to allowlist IPs or contact Support if you need additional help.

Watch our video for an overview of Acquia's Product Resources and Enablement