Overview

Cloud with raindrops and a plus sign, symbolizing increased cloud storage or weather app.

Important

Shield is aailable for Cloud Platform and Site Factory subscribers with dedicated load balancers and current-generation hardware.
Self-service IP allowlist management is not available for Site Factory subscribers.
This feature is not yet available to applications running on Cloud Next technologies.
For more information on Shield, sign in to Acquia Academy and access the E-learning material.

Overview

Shield provides isolated networks for Cloud Platform applications. Subscriber deployments in an isolated network environment are separated from other subscriber deployments at the network level.

Benefits of using Shield

Shield combines the benefits of Cloud Platform-as-a-service with extra security benefits and capabilities, giving you a greater degree of isolation for your Cloud Platform instances.

Shield includes the following product features:

Shield access management: Provides self-service IP allowlisting for occasions when you must manage SSH access to the environments in your subscription. This feature is available only for Cloud Platform subscribers and not for Site Factory.
Private IP range with optional VPN connection: Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect between Cloud Platform and your private network. The VPN connection ensures you have secure bi-directional interaction between your websites and your internal IT systems (such as a CRM). Packaged in the price of Shield is the VPN configured to connect Cloud Platform with one subscriber-defined gateway device point. Added virtual private cloud (VPC) peering connections are available for a fee.
To enable the VPN, you must first buy a subscription to Cloud Platform.
If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the Amazon VPC FAQs.
AWS VPC Peering Connection: Enables a VPC peering connection between your Shield VPC and another AWS VPC. You can enable added VPC peering connections for a fee.

Note

Shield and internal DNS

Currently, Shield does not support resolution to your internal DNS servers. While Shield gives you access to your internal network through a VPN gateway, your network systems are only accessible through IP. Therefore, if you have a service or site in your internal network that changes IP addresses and resolves to an internal-only DNS, the system does not resolve the domain for that service or site.

Shared Services

While Acquia Shield provides network isolation for your production and non-production servers and environments, Cloud Platform shared services are not hosted in your Shield VPC. This includes, but is not limited to:

Git, which is your code repository
Acquia Search
CD and IDE environments
Any SaaS offerings

Using Shield

To use Shield, you must buy Shield with your Cloud Platform or Site Factory subscription. Acquia provisions your servers in your dedicated network.

To use Shield with VPN, you must buy Shield with VPN and use it with your Cloud Platform or Site Factory subscription. To configure Shield with VPN:

Buy and deploy a VPN device.
Provide detailed information of your VPN device and network to Acquia.

Acquia provisions and configures a dedicated section for your applications. In addition, Acquia provides you the Internet Protocol Security (IPSec)/ Internet Key Exchange information so that you can properly configure your VPN.

Important

Shield supports Internet Key Exchange version 1 (IKEv1) and Internet Key Exchange version 2 (IKEv2).

For more information, visit:

For Acquia to configure Shield, you must provide Acquia with the following information:

Contact information for the members of your internal network team. This includes name, phone, and email.
VPN device details, including but not limited to:
- VPN device type (vendor and model)
- Gateway IP address of the subscriber VPN device
Confirm that your VPN device meets the requirements.
Network details, including but not limited to:
- A network diagram showing the systems where Shield must connect.
Maintenance plan or schedule for your network services and hardware
CIDR IP blocks
Note
Shield requires a private, non-routable /16 or /20 private address space conforming with RFC 1597. Shield can use private, non-routable /16 or /20 CIDR blocks from the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 ranges. Blocks of this size provide resources for Acquia-controlled servers (such as Elastic Load Balancers) and other elastic scaling needs, and also provide expansion space for your application’s future needs.
Subnet allocations
A list of networks requiring traffic statically routed to them
(Optional) A name for the Acquia VPN. If you have various VPNs, providing a name to Acquia may be useful for later communication.

For more information, contact your Acquia account manager.

Initiating your Shield tunnel

After Acquia provisions Shield and provides connection information to you, it’s your responsibility to configure your VPN device, establish the secure tunnel, and keep the network connection alive.

You must also confirm your secondary tunnel is configured properly in case your primary tunnel becomes unavailable. When properly configured, your gateway must fail over to the secondary tunnel in your Shield tunnel pair, if needed.

Changing your IP addresses

Moving an existing application hosted by Cloud Platform or Site Factory to Shield with VPN changes your IP address. You cannot move IP addresses into or out of a VPC. However, EIPs are retained if VPC provisioning is in the same region.

As a result, when you configure your application in Shield with VPN, you must point the DNS records of your application to the new IP address in the VPC. For more information, see Configuring DNS records for your application.

Did not find what you were looking for?

If this content did not answer your questions, try searching or contacting our support team for further assistance.

Important

Shield is aailable for Cloud Platform and Site Factory subscribers with dedicated load balancers and current-generation hardware.
Self-service IP allowlist management is not available for Site Factory subscribers.
This feature is not yet available to applications running on Cloud Next technologies.
For more information on Shield, sign in to Acquia Academy and access the E-learning material.

Overview

Shield provides isolated networks for Cloud Platform applications. Subscriber deployments in an isolated network environment are separated from other subscriber deployments at the network level.

Benefits of using Shield

Shield combines the benefits of Cloud Platform-as-a-service with extra security benefits and capabilities, giving you a greater degree of isolation for your Cloud Platform instances.

Shield includes the following product features:

Shield access management: Provides self-service IP allowlisting for occasions when you must manage SSH access to the environments in your subscription. This feature is available only for Cloud Platform subscribers and not for Site Factory.
Private IP range with optional VPN connection: Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect between Cloud Platform and your private network. The VPN connection ensures you have secure bi-directional interaction between your websites and your internal IT systems (such as a CRM). Packaged in the price of Shield is the VPN configured to connect Cloud Platform with one subscriber-defined gateway device point. Added virtual private cloud (VPC) peering connections are available for a fee.
To enable the VPN, you must first buy a subscription to Cloud Platform.
If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the Amazon VPC FAQs.
AWS VPC Peering Connection: Enables a VPC peering connection between your Shield VPC and another AWS VPC. You can enable added VPC peering connections for a fee.

Note

Shield and internal DNS

Shared Services

Git, which is your code repository
Acquia Search
CD and IDE environments
Any SaaS offerings

Using Shield

To use Shield, you must buy Shield with your Cloud Platform or Site Factory subscription. Acquia provisions your servers in your dedicated network.

To use Shield with VPN, you must buy Shield with VPN and use it with your Cloud Platform or Site Factory subscription. To configure Shield with VPN:

Buy and deploy a VPN device.
Provide detailed information of your VPN device and network to Acquia.

Important

Shield supports Internet Key Exchange version 1 (IKEv1) and Internet Key Exchange version 2 (IKEv2).

For more information, visit:

For Acquia to configure Shield, you must provide Acquia with the following information:

Contact information for the members of your internal network team. This includes name, phone, and email.
VPN device details, including but not limited to:
- VPN device type (vendor and model)
- Gateway IP address of the subscriber VPN device
Confirm that your VPN device meets the requirements.
Network details, including but not limited to:
- A network diagram showing the systems where Shield must connect.
Maintenance plan or schedule for your network services and hardware
CIDR IP blocks
Note
Shield requires a private, non-routable /16 or /20 private address space conforming with RFC 1597. Shield can use private, non-routable /16 or /20 CIDR blocks from the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 ranges. Blocks of this size provide resources for Acquia-controlled servers (such as Elastic Load Balancers) and other elastic scaling needs, and also provide expansion space for your application’s future needs.
Subnet allocations
A list of networks requiring traffic statically routed to them
(Optional) A name for the Acquia VPN. If you have various VPNs, providing a name to Acquia may be useful for later communication.

For more information, contact your Acquia account manager.

Initiating your Shield tunnel

After Acquia provisions Shield and provides connection information to you, it’s your responsibility to configure your VPN device, establish the secure tunnel, and keep the network connection alive.

Changing your IP addresses

Did not find what you were looking for?

If this content did not answer your questions, try searching or contacting our support team for further assistance.

Important

Shield is aailable for Cloud Platform and Site Factory subscribers with dedicated load balancers and current-generation hardware.
Self-service IP allowlist management is not available for Site Factory subscribers.
This feature is not yet available to applications running on Cloud Next technologies.
For more information on Shield, sign in to Acquia Academy and access the E-learning material.

Overview

Shield provides isolated networks for Cloud Platform applications. Subscriber deployments in an isolated network environment are separated from other subscriber deployments at the network level.

Benefits of using Shield

Shield combines the benefits of Cloud Platform-as-a-service with extra security benefits and capabilities, giving you a greater degree of isolation for your Cloud Platform instances.

Shield includes the following product features:

Shield access management: Provides self-service IP allowlisting for occasions when you must manage SSH access to the environments in your subscription. This feature is available only for Cloud Platform subscribers and not for Site Factory.
Private IP range with optional VPN connection: Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect between Cloud Platform and your private network. The VPN connection ensures you have secure bi-directional interaction between your websites and your internal IT systems (such as a CRM). Packaged in the price of Shield is the VPN configured to connect Cloud Platform with one subscriber-defined gateway device point. Added virtual private cloud (VPC) peering connections are available for a fee.
To enable the VPN, you must first buy a subscription to Cloud Platform.
If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the Amazon VPC FAQs.
AWS VPC Peering Connection: Enables a VPC peering connection between your Shield VPC and another AWS VPC. You can enable added VPC peering connections for a fee.

Note

Shield and internal DNS

Shared Services

Git, which is your code repository
Acquia Search
CD and IDE environments
Any SaaS offerings

Using Shield

To use Shield, you must buy Shield with your Cloud Platform or Site Factory subscription. Acquia provisions your servers in your dedicated network.

To use Shield with VPN, you must buy Shield with VPN and use it with your Cloud Platform or Site Factory subscription. To configure Shield with VPN:

Buy and deploy a VPN device.
Provide detailed information of your VPN device and network to Acquia.

Important

Shield supports Internet Key Exchange version 1 (IKEv1) and Internet Key Exchange version 2 (IKEv2).

For more information, visit:

For Acquia to configure Shield, you must provide Acquia with the following information:

Contact information for the members of your internal network team. This includes name, phone, and email.
VPN device details, including but not limited to:
- VPN device type (vendor and model)
- Gateway IP address of the subscriber VPN device
Confirm that your VPN device meets the requirements.
Network details, including but not limited to:
- A network diagram showing the systems where Shield must connect.
Maintenance plan or schedule for your network services and hardware
CIDR IP blocks
Note
Shield requires a private, non-routable /16 or /20 private address space conforming with RFC 1597. Shield can use private, non-routable /16 or /20 CIDR blocks from the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 ranges. Blocks of this size provide resources for Acquia-controlled servers (such as Elastic Load Balancers) and other elastic scaling needs, and also provide expansion space for your application’s future needs.
Subnet allocations
A list of networks requiring traffic statically routed to them
(Optional) A name for the Acquia VPN. If you have various VPNs, providing a name to Acquia may be useful for later communication.

For more information, contact your Acquia account manager.

Initiating your Shield tunnel

After Acquia provisions Shield and provides connection information to you, it’s your responsibility to configure your VPN device, establish the secure tunnel, and keep the network connection alive.

Changing your IP addresses

Did not find what you were looking for?

If this content did not answer your questions, try searching or contacting our support team for further assistance.

Important

Shield is aailable for Cloud Platform and Site Factory subscribers with dedicated load balancers and current-generation hardware.
Self-service IP allowlist management is not available for Site Factory subscribers.
This feature is not yet available to applications running on Cloud Next technologies.
For more information on Shield, sign in to Acquia Academy and access the E-learning material.

Overview

Shield provides isolated networks for Cloud Platform applications. Subscriber deployments in an isolated network environment are separated from other subscriber deployments at the network level.

Benefits of using Shield

Shield combines the benefits of Cloud Platform-as-a-service with extra security benefits and capabilities, giving you a greater degree of isolation for your Cloud Platform instances.

Shield includes the following product features:

Shield access management: Provides self-service IP allowlisting for occasions when you must manage SSH access to the environments in your subscription. This feature is available only for Cloud Platform subscribers and not for Site Factory.
Private IP range with optional VPN connection: Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect between Cloud Platform and your private network. The VPN connection ensures you have secure bi-directional interaction between your websites and your internal IT systems (such as a CRM). Packaged in the price of Shield is the VPN configured to connect Cloud Platform with one subscriber-defined gateway device point. Added virtual private cloud (VPC) peering connections are available for a fee.
To enable the VPN, you must first buy a subscription to Cloud Platform.
If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the Amazon VPC FAQs.
AWS VPC Peering Connection: Enables a VPC peering connection between your Shield VPC and another AWS VPC. You can enable added VPC peering connections for a fee.

Note

Shield and internal DNS

Shared Services

Git, which is your code repository
Acquia Search
CD and IDE environments
Any SaaS offerings

Using Shield

To use Shield, you must buy Shield with your Cloud Platform or Site Factory subscription. Acquia provisions your servers in your dedicated network.

To use Shield with VPN, you must buy Shield with VPN and use it with your Cloud Platform or Site Factory subscription. To configure Shield with VPN:

Buy and deploy a VPN device.
Provide detailed information of your VPN device and network to Acquia.

Important

Shield supports Internet Key Exchange version 1 (IKEv1) and Internet Key Exchange version 2 (IKEv2).

For more information, visit:

For Acquia to configure Shield, you must provide Acquia with the following information:

Contact information for the members of your internal network team. This includes name, phone, and email.
VPN device details, including but not limited to:
- VPN device type (vendor and model)
- Gateway IP address of the subscriber VPN device
Confirm that your VPN device meets the requirements.
Network details, including but not limited to:
- A network diagram showing the systems where Shield must connect.
Maintenance plan or schedule for your network services and hardware
CIDR IP blocks
Note
Shield requires a private, non-routable /16 or /20 private address space conforming with RFC 1597. Shield can use private, non-routable /16 or /20 CIDR blocks from the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 ranges. Blocks of this size provide resources for Acquia-controlled servers (such as Elastic Load Balancers) and other elastic scaling needs, and also provide expansion space for your application’s future needs.
Subnet allocations
A list of networks requiring traffic statically routed to them
(Optional) A name for the Acquia VPN. If you have various VPNs, providing a name to Acquia may be useful for later communication.

For more information, contact your Acquia account manager.

Initiating your Shield tunnel

After Acquia provisions Shield and provides connection information to you, it’s your responsibility to configure your VPN device, establish the secure tunnel, and keep the network connection alive.

Changing your IP addresses

Did not find what you were looking for?

If this content did not answer your questions, try searching or contacting our support team for further assistance.