Overview¶

Shield on Cloud Next is a comprehensive suite of advanced networking features that enables organizations to implement enhanced security controls and maintain strict compliance requirements for their digital experiences. This solution provides seamless network isolation, secure connectivity, and flexible access management capabilities in Cloud Next. In Shield on Cloud Next, subscriber deployments in an isolated network environment are separated from other subscriber deployments at the network level.

Shield on Cloud Next delivers a modern, integrated approach that allows you to manage advanced network configurations and security controls for your Cloud Platform applications. Like Shield, it provides enterprise-grade networking capabilities that enable you to implement robust security measures and maintain strict compliance requirements. This solution addresses the demanding security requirements of organizations that operate in highly regulated environments.

With Shield on Cloud Next, you can:

• Control how your applications are accessed.
• Manage applications hosted in isolated network in Acquia’s infrastructure.
• Establish secure connections between your network and Cloud Platform.
• Configure private access patterns for both incoming SSH traffic and outgoing VPN traffic.

Key features¶

Advanced network isolation

• Dedicated network subnets for enhanced network segmentation and isolation of customer workloads
• Additional network-level controls to complement the logical isolation already provided by Kubernetes on Cloud Next
• Enhanced security controls for sensitive workload

Secure connectivity

• VPN connectivity options to ensure sensitive traffic remains private
• Private SSH ingress capabilities to have controlled SSH access to your applications
• Private Egress capabilities to secure outbound connections through VPN

Access management

• Self-service IP allowlisting for SSH access and selection of CIDRs for the purpose
  This feature is available only for Cloud Platform subscribers and not for Site Factory.
• Dedicated SSH ingress endpoints

Private IP range with optional VPN connection

• Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect between Cloud Platform and your private network. The VPN connection ensures that you have secure bi-directional interaction between your websites and your internal IT systems such as CRM. Packaged in the price of Shield on Cloud Next is the VPN configured to connect Cloud Platform with one subscriber-defined gateway device point. 
  
  To enable the VPN, you must first buy a subscription to Cloud Platform. If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the Amazon VPC FAQs.

Shield vs Shield on Cloud Next¶

Use cases¶

With Shield on Cloud Next, organizations can:

• Operate under strict compliance requirements.
• Maintain private network connections to internal systems.
• Maintain granular control over application access.
• Implement network-level security controls.
• Isolate sensitive applications and data.

Quotas and constraints¶

• A private network can have a minimum of 0 and a maximum of 100 environments.
• All environments in the single private network must belong to the same region.
• A private network can have a minimum of 0 and a maximum of 10 VPNs.
• For ACLs, access restriction can be applied to a maximum 25 IP addresses.
• After the first connection of VPN, additional connections will incur extra charges.

Upgrading from Shield to Shield on Cloud Next¶

Contact your account manager for guidance on the upgrade process to Shield on Cloud Next.

Prerequisites¶

• If you use the Private SSH Ingress feature:
  
  After Acquia upgrades your VPC from Shield to Shield on Cloud Next, Acquia gets a list of DNS resolver endpoint IPs. The SSH endpoint can be resolved through that or propagated to your peer VPC, if that is set up. In addition, Acquia generates the IP addresses for the SSH endpoint. As you need IP and host header, Acquia shares IP after SSH stack is ready on Cloud Next. Host header remains the same as the current one. You must upgrade the SSH endpoint after Acquia communicates the new endpoint. If this is not done, private SSH ingress feature does not work.

Using Shield on Cloud Next with VPN¶

To configure Shield on Cloud Next with VPN:

1. Buy and deploy a VPN device.
2. Provide detailed information of your VPN device and network to Acquia.

Acquia provisions and configures a dedicated network for your applications. In addition, Acquia provides you with the Internet Protocol Security (IPSec)/ Internet Key Exchange information so that you can properly configure your VPN.

For more information, visit:

• Tips for setting up a VPN Tunnel to your Cloud Platform servers
• My VPN Tunnel is connected to Cloud Platform, but is not working

Network information¶

For Acquia to configure Shield on Cloud Next, you must provide Acquia with the following information:

• Contact information for the members of your internal network team. This includes name, phone, and email.
• VPN device details, including but not limited to:
  • VPN device type (vendor and model)
  • Gateway IP address of the subscriber VPN device
• Confirm that your VPN device meets the requirements.
• Network details, including but not limited to:
  • A network diagram showing the systems where Shield on Cloud Next must connect.
• Maintenance plan or schedule for your network services and hardware
• CIDR IP blocks

VPN device requirements¶

To connect to Shield on Cloud Next with VPN, your network must use a VPN (a secure Internet gateway) using IPsec. The gateway devices are compatible with Shield on Cloud Next with VPN. Other devices may work, but Acquia does not support them.

You must properly configure your network’s gateway to connect to Shield on Cloud Next with VPN. After provisioning your dedicated section, Acquia will provide you with the configuration and VPN details containing the Pre-Shared Key (PSK) information you must use to properly configure your VPN. Using SSH, you will access the information stored in a secure location.

Shield on Cloud Next uses Dead Peer Detection (DPD), exchanging UDP packets between VPN peers to ensure that both ends are available. If no traffic crosses the VPN tunnel in ten seconds, Shield on Cloud Next sends a request. Three successive requests without a response will cause Shield on Cloud Next to close the VPN tunnel.

Initiating your Shield on Cloud Next tunnel¶

After Acquia provisions Shield on Cloud Next and provides connection information to you, it is your responsibility to configure your VPN device, establish the secure tunnel, and keep the network connection alive.

You must also confirm that your secondary tunnel is configured properly in case your primary tunnel becomes unavailable. When properly configured, your gateway must fail over to the secondary tunnel in your tunnel pair, if needed.

Private Network Service APIs¶

Through the Private Network Service APIs in Cloud Platform, you can perform the following:

• Create a new private network
• Retrieve a private network by ID
• Update a private network
• Delete a private network
• List private networks for a subscription
• Add a new VPN to an existing private network
• Get VPNs for a private network
• Retrieve a VPN for a private network
• Create, update, or delete a VPN for a private network
• Add a new VPC peer to an existing private network
• Get VPC peers for a private network
• Create, update, or delete a VPC peer for a private network
• Get a specific VPC peer from a private network
• Update or get connections for a private network
• Get isolation for a private network
• Update isolation settings of a private network
• Update or get Ingress for a private network