Enterprise Security Package

In addition to the various base features that are available out-of-the box in Enterprise Security Package (ESP), you can use the following security-related paid features that are available in ESP. For more information about ESP, visit Cloud Platform Product Guide.

• Network Isolation

• Private SSH Access

• Private Egress Using VPN and VPC Peering

   

These features are built on the Cloud Next infrastructure unlike the legacy Shield offering, which is built on Cloud Classic infrastructure. These features enable organizations to implement enhanced security controls and maintain strict compliance requirements for their digital experiences. You can get seamless network isolation, secure connectivity, and flexible access management capabilities in Cloud Next. Also, subscriber deployments in an isolated network environment are separated from other subscriber deployments at the network level.

This set of features uses a modern, integrated approach that allows you to manage advanced network configurations and security controls for your Cloud Platform applications. Like Shield, it provides enterprise-grade networking capabilities that enable you to implement robust security measures and maintain strict compliance requirements. This solution addresses the demanding security requirements of organizations that operate in highly regulated environments.

Key benefits

Advanced network isolation

• Dedicated network subnets for enhanced network segmentation and isolation of customer workloads
• Additional network-level controls to complement the logical isolation already provided by Kubernetes on Cloud Next
• Enhanced security controls for sensitive workload

Secure connectivity

• VPN and VPC Peering connectivity options to ensure sensitive traffic remains private
• Private SSH ingress capabilities to have controlled SSH access to your applications
• Private Egress capabilities to secure outbound connections through VPN or VPC Peering

Access management

• Self-service IP allowlisting for SSH access and selection of CIDRs for the purpose
  This feature is available only for Cloud Platform subscribers and not for Site Factory.
• Dedicated SSH ingress endpoints

Private IP range with optional VPN connection

• Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect between Cloud Platform and your private network. The VPN connection ensures that you have secure bi-directional interaction between your websites and your internal IT systems such as CRM.
  
  To enable the VPN, you must first buy a subscription to Cloud Platform. If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the Amazon VPC FAQs.

Differences with legacy Shield

Use cases

Use the security-related features in ESP to do the following:

• Control how your applications are accessed.
• Manage applications that are hosted in isolated networks within the Acquia infrastructure.
• Establish secure connections between your network and Cloud Platform.
• Configure private access patterns for both incoming SSH traffic and outgoing VPN or VPC Peering traffic.
• Operate under strict compliance requirements.
• Maintain private network connections to internal systems.
• Maintain granular control over application access.
• Implement network-level security controls.
• Isolate sensitive applications and data.

Quotas and constraints

• A private network can have a minimum of 0 and a maximum of 100 environments.
• All environments in the single private network must belong to the same region.
• A private network can have a minimum of 0 and a maximum of 10 VPNs.
• A private network can have a minimum of 0 and a maximum of 10 VPC peers.
• For ACLs, access restriction can be applied to a maximum 25 IP addresses.
• After the first connection of VPN and VPC Peer, additional connections will incur extra charges.

Network isolation

Network isolation refers to a configuration where applications operate on a dedicated pool of nodes in a Kubernetes cluster. These nodes are situated in a specific set of subnets to ensure that the applications have their own isolated environment. This setup provides an additional layer of isolation beyond the standard capabilities of Kubernetes to ensure that the application does not share memory, compute, or disk resources with applications that belong to other customers.

If your application requires stringent isolation levels, this approach offers a comparable solution while preserving the inherent benefits of the Kubernetes platform as Cloud Next is built on it.

Key features of network isolation

• Dedicated resource Pools: 
  Applications are allocated exclusive resources to ensure that they do not compete with other applications for memory, CPU, or storage. Each application is completely separated from others to ensure that performance and security are not compromised by neighboring applications.
  
  However, if your private network has multiple applications and if you want to have dedicated resources for each of such applications, you must have multiple private networks.
• Enhanced security: 
  By isolating applications at the network level, the risk of unauthorized access or data breaches at node level is significantly reduced. Applications are shielded from potential vulnerabilities that could arise from shared environments. This isolation minimizes the risk of cross-application attacks and data leaks.
• Compliance assurance: 
  This setup helps meet strict security and compliance requirements, which are often mandated by industry regulations. Network isolation provides a controlled and secure environment to help organizations meet these requirements.
• Preservation of Cloud Next advantages: 
  Despite the added isolation, the benefits of Kubernetes, such as scalability, flexibility, and efficient resource management, are maintained.

Use cases for of network isolation

• Applications requiring strict resource isolation:
  Ideal for applications that demand high levels of security and performance, where resource sharing could lead to potential risks or inefficiencies.
• Compliance-driven deployments: 
  Suitable for industries such as finance, healthcare, and government, where regulatory compliance is critical, and data protection is paramount.
• Security-sensitive Implementations: 
  Suitable for applications that handle sensitive data or perform critical operations, where any compromise could have significant consequences.

Network isolation allows organizations to achieve a balance between enhanced security and the operational efficiencies provided by Cloud Next, which makes it an attractive option for businesses with high security and compliance needs.

Network isolation infographic

Network Isolation

Enterprise Security Package

In addition to the various base features that are available out-of-the box in Enterprise Security Package (ESP), you can use the following security-related paid features that are available in ESP. For more information about ESP, visit Cloud Platform Product Guide.

• Network Isolation

• Private SSH Access

• Private Egress Using VPN and VPC Peering

   

These features are built on the Cloud Next infrastructure unlike the legacy Shield offering, which is built on Cloud Classic infrastructure. These features enable organizations to implement enhanced security controls and maintain strict compliance requirements for their digital experiences. You can get seamless network isolation, secure connectivity, and flexible access management capabilities in Cloud Next. Also, subscriber deployments in an isolated network environment are separated from other subscriber deployments at the network level.

This set of features uses a modern, integrated approach that allows you to manage advanced network configurations and security controls for your Cloud Platform applications. Like Shield, it provides enterprise-grade networking capabilities that enable you to implement robust security measures and maintain strict compliance requirements. This solution addresses the demanding security requirements of organizations that operate in highly regulated environments.

Key benefits

Advanced network isolation

• Dedicated network subnets for enhanced network segmentation and isolation of customer workloads
• Additional network-level controls to complement the logical isolation already provided by Kubernetes on Cloud Next
• Enhanced security controls for sensitive workload

Secure connectivity

• VPN and VPC Peering connectivity options to ensure sensitive traffic remains private
• Private SSH ingress capabilities to have controlled SSH access to your applications
• Private Egress capabilities to secure outbound connections through VPN or VPC Peering

Access management

• Self-service IP allowlisting for SSH access and selection of CIDRs for the purpose
  This feature is available only for Cloud Platform subscribers and not for Site Factory.
• Dedicated SSH ingress endpoints

Private IP range with optional VPN connection

• Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect between Cloud Platform and your private network. The VPN connection ensures that you have secure bi-directional interaction between your websites and your internal IT systems such as CRM.
  
  To enable the VPN, you must first buy a subscription to Cloud Platform. If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the Amazon VPC FAQs.

Note

Internal DNS

These features do not support resolution to your internal DNS servers. Although they provide access to your internal network through a VPN gateway, your network systems are only accessible through IP. Therefore, if you have a service or site in your internal network that changes IP addresses and resolves to an internal-only DNS, the system does not resolve the domain for that service or site.

Shared Services

Cloud Platform shared services are not hosted in your VPC. This includes, but is not limited to:

• Git, which is your code repository

• Acquia Search

• CD and IDE environments

• Any SaaS offerings

Differences with legacy Shield

Feature	Shield	Security features in ESP
Network Isolation	Provides network isolation for production and non-production servers based on EC2 instances in separate VPCs.	Provides network isolation for environments based on Kubernetes infrastructure, with isolated pods in subnet.
VPN Support	Supports VPN connectivity with IKEv1 and IKEv2.	Maintains existing VPN connections and configurations.
IP Allowlisting for SSH access	Is available for Shield subscribers on Cloud Platform Enterprise and has a limit of 25 IP addresses or CIDR ranges.	Preserves existing security configurations.
Infrastructure	Is based on the traditional Cloud Classic infrastructure.	Is based on the modern Cloud Next infrastructure.
Performance	Supports standard performance.	Supports enhanced performance and scalability.
Migration Path	-	Has seamless migration path to the Cloud Next infrastructure.

Use cases

Use the security-related features in ESP to do the following:

• Control how your applications are accessed.
• Manage applications that are hosted in isolated networks within the Acquia infrastructure.
• Establish secure connections between your network and Cloud Platform.
• Configure private access patterns for both incoming SSH traffic and outgoing VPN or VPC Peering traffic.
• Operate under strict compliance requirements.
• Maintain private network connections to internal systems.
• Maintain granular control over application access.
• Implement network-level security controls.
• Isolate sensitive applications and data.

Quotas and constraints

• A private network can have a minimum of 0 and a maximum of 100 environments.
• All environments in the single private network must belong to the same region.
• A private network can have a minimum of 0 and a maximum of 10 VPNs.
• A private network can have a minimum of 0 and a maximum of 10 VPC peers.
• For ACLs, access restriction can be applied to a maximum 25 IP addresses.
• After the first connection of VPN and VPC Peer, additional connections will incur extra charges.

Caution

Acquia recommends that you exercise caution when you send high traffic to and from Acquia.

Network isolation

Network isolation refers to a configuration where applications operate on a dedicated pool of nodes in a Kubernetes cluster. These nodes are situated in a specific set of subnets to ensure that the applications have their own isolated environment. This setup provides an additional layer of isolation beyond the standard capabilities of Kubernetes to ensure that the application does not share memory, compute, or disk resources with applications that belong to other customers.

If your application requires stringent isolation levels, this approach offers a comparable solution while preserving the inherent benefits of the Kubernetes platform as Cloud Next is built on it.

Key features of network isolation

• Dedicated resource Pools: 
  Applications are allocated exclusive resources to ensure that they do not compete with other applications for memory, CPU, or storage. Each application is completely separated from others to ensure that performance and security are not compromised by neighboring applications.
  
  However, if your private network has multiple applications and if you want to have dedicated resources for each of such applications, you must have multiple private networks.
• Enhanced security: 
  By isolating applications at the network level, the risk of unauthorized access or data breaches at node level is significantly reduced. Applications are shielded from potential vulnerabilities that could arise from shared environments. This isolation minimizes the risk of cross-application attacks and data leaks.
• Compliance assurance: 
  This setup helps meet strict security and compliance requirements, which are often mandated by industry regulations. Network isolation provides a controlled and secure environment to help organizations meet these requirements.
• Preservation of Cloud Next advantages: 
  Despite the added isolation, the benefits of Kubernetes, such as scalability, flexibility, and efficient resource management, are maintained.

Use cases for of network isolation

• Applications requiring strict resource isolation:
  Ideal for applications that demand high levels of security and performance, where resource sharing could lead to potential risks or inefficiencies.
• Compliance-driven deployments: 
  Suitable for industries such as finance, healthcare, and government, where regulatory compliance is critical, and data protection is paramount.
• Security-sensitive Implementations: 
  Suitable for applications that handle sensitive data or perform critical operations, where any compromise could have significant consequences.

Network isolation allows organizations to achieve a balance between enhanced security and the operational efficiencies provided by Cloud Next, which makes it an attractive option for businesses with high security and compliance needs.

Network isolation infographic