In addition to the base features that are available out-of-the-box in the Enterprise Security Package (ESP), you can use the following security-related paid features that are available in ESP. For more information about ESP, visit the Cloud Platform Product Guide.
Unlike the legacy Shield offering, which is built on Cloud Classic infrastructure, these features are built on Cloud Next infrastructure. They enable organizations to implement enhanced security controls and maintain strict compliance requirements for their digital experiences. You get seamless network isolation, secure connectivity, and flexible access management capabilities in Cloud Next. Also, subscriber deployments in an isolated network environment are separated from other subscriber deployments at the network level.
This set of features uses a modern, integrated approach that allows you to manage advanced network configurations and security controls for your Cloud Platform applications. Like Shield, it provides enterprise-grade networking capabilities that enable you to implement robust security measures and maintain strict compliance requirements. This solution addresses the demanding security requirements of organizations that operate in highly regulated environments.
Key benefits
Advanced network isolation
Dedicated network subnets for enhanced network segmentation and isolation of customer workloads
Additional network-level controls to complement the logical isolation already provided by Kubernetes on Cloud Next
Enhanced security controls for sensitive workloads
Secure connectivity
VPN and VPC Peering connectivity options to ensure sensitive traffic remains private
Private SSH ingress capabilities to have controlled SSH access to your applications
Private egress capabilities to secure outbound connections through VPN or VPC Peering
Access management
Self-service IP allowlisting for SSH access, including selection of the CIDRs to allow. This feature is available only for Cloud Platform subscribers and not for Site Factory.
Dedicated SSH ingress endpoints
Private IP range with optional VPN connection
Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect between Cloud Platform and your private network. The VPN connection ensures that you have secure bi-directional interaction between your websites and your internal IT systems such as CRM.
To enable the VPN, you must first buy a subscription to Cloud Platform. If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the Amazon VPC FAQs.
Note
Internal DNS
These features do not support resolution to your internal DNS servers. Although they provide access to your internal network through a VPN gateway, your network systems are only accessible through IP. Therefore, if you have a service or site in your internal network that changes IP addresses and resolves to an internal-only DNS, the system does not resolve the domain for that service or site.
Shared Services
Cloud Platform shared services are not hosted in your VPC. This includes, but is not limited to:
Git, which is your code repository
Acquia Search
CD and IDE environments
Any SaaS offerings
Differences with legacy Shield
Feature: Network Isolation
  Shield: Provides network isolation for production and non-production servers based on EC2 instances in separate VPCs.
  Security features in ESP: Provides network isolation for environments based on Kubernetes infrastructure, with isolated pods in a dedicated subnet.
Feature: VPN Support
  Shield: Supports VPN connectivity with IKEv1 and IKEv2.
  Security features in ESP: Maintains existing VPN connections and configurations.
Feature: IP Allowlisting for SSH access
  Shield: Is available for Shield subscribers on Cloud Platform Enterprise and has a limit of 25 IP addresses or CIDR ranges.
  Security features in ESP: Preserves existing security configurations.
Feature: Infrastructure
  Shield: Is based on the traditional Cloud Classic infrastructure.
  Security features in ESP: Is based on the modern Cloud Next infrastructure.
Feature: Performance
  Shield: Supports standard performance.
  Security features in ESP: Supports enhanced performance and scalability.
Feature: Migration Path
  Shield: -
  Security features in ESP: Has a seamless migration path to the Cloud Next infrastructure.
Use cases
Use the security-related features in ESP to do the following:
Control how your applications are accessed.
Manage applications that are hosted in isolated networks within the Acquia infrastructure.
Establish secure connections between your network and Cloud Platform.
Configure private access patterns for both incoming SSH traffic and outgoing VPN or VPC Peering traffic.
Operate under strict compliance requirements.
Maintain private network connections to internal systems.
Maintain granular control over application access.
Implement network-level security controls.
Isolate sensitive applications and data.
Quotas and constraints
A private network can have a minimum of 0 and a maximum of 100 environments.
All environments in the single private network must belong to the same region.
A private network can have a minimum of 0 and a maximum of 10 VPNs.
A private network can have a minimum of 0 and a maximum of 10 VPC peers.
For ACLs, access restriction can be applied to a maximum of 25 IP addresses.
After the first VPN or VPC Peer connection, each additional connection incurs extra charges.
Caution
Acquia recommends that you exercise caution when you send high traffic to and from Acquia.
Private egress through VPN or VPC Peering
Private outbound connections, or private egress, provide secure outbound connections from customer applications to internal systems. This feature ensures that outbound traffic is securely managed, so that applications can communicate with backend systems such as APIs and other internal resources without traversing the public Internet.
Key features of private egress through VPN or VPC Peering
Secure VPN or VPC Peering connectivity:
Establishes a secure tunnel between Cloud Platform and the customer's network.
Ensures encrypted communication for secure data transfer.
Provides access to internal resources that are not publicly accessible.
Bi-directional communication:
Supports two-way communication, which allows applications to send and receive data securely.
Access to internal systems:
Facilitates connections to internal systems such as CRM and APIs.
Supports access to resources between Cloud Platform and your internal network.
Connection types:
VPN:
Creates a secure tunnel for encrypted communication.
Allows access to internal resources through a private network.
VPC Peering:
Establishes a direct connection to the customer's AWS VPC.
Enables private network routing and access to AWS resources.
Benefits of private egress through VPN or VPC Peering
Security: Provides a secure method for applications to connect to backend systems to ensure that sensitive data is protected during transmission.
Isolation: Allows for the isolation of outbound traffic to ensure that it remains within a secure and private network.
Flexibility: Offers multiple connection options like VPN and VPC Peering to suit different customer needs and infrastructure setups.
Use cases for private egress through VPN or VPC Peering
Secure backend connections: Ideal for customers who need to connect to backend systems that are not publicly accessible, such as databases or APIs behind a firewall.
Ecommerce transactions: Suitable for applications that require secure communication with external services, such as payment gateways.
Internal resource access: Enables secure access to internal systems to support business operations that rely on private data and resources.
Through a private outbound connection, you can ensure that your outbound traffic is securely managed and isolated, which provides peace of mind and compliance with security standards.
Provide detailed information about your VPN device and network to Acquia.
Acquia provisions and configures a dedicated network for your applications. In addition, Acquia provides you with the Internet Protocol Security (IPsec) and Internet Key Exchange (IKE) information so that you can properly configure your VPN.
Important
The ESP features support Internet Key Exchange version 1 (IKEv1) and Internet Key Exchange version 2 (IKEv2).
Network information
For Acquia to configure the security features in ESP, you must provide the following information:
Contact information for the members of your internal network team. This includes name, phone, and email.
VPN device details, including but not limited to:
VPN device type (vendor and model)
Gateway IP address of the subscriber VPN device
Confirm that your VPN device meets the requirements.
Network details, including but not limited to:
A network diagram showing the systems where Cloud Platform must connect.
Maintenance plan or schedule for your network services and hardware
CIDR IP blocks
Note
Cloud Platform requires a private, non-routable /16 or /20 address space conforming to RFC 1597. Cloud Platform can use private, non-routable /16 or /20 CIDR blocks from the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 ranges. Blocks of this size provide addresses for Acquia-controlled servers (such as Elastic Load Balancers) and other elastic scaling needs, and also provide expansion space for your application's future needs.
Subnet allocations
A list of networks requiring traffic statically routed to them
(Optional) A name for the Acquia VPN. If you have various VPNs, providing a name to Acquia may be useful for later communication.
For more information, contact your Acquia account manager.
VPN device requirements
To connect to Cloud Platform with VPN, your network must use an IPsec-capable VPN gateway (a secure Internet gateway). Only gateway devices that are compatible with Cloud Platform with VPN are supported; other devices may work, but Acquia does not support them.
You must properly configure your network's gateway to connect to Cloud Platform with VPN. After your dedicated section is provisioned, Acquia provides you with configuration and VPN details, including the Pre-Shared Key (PSK) that you need to properly configure your VPN. Use SSH to access this information, which is stored in a secure location.
Cloud Platform uses Dead Peer Detection (DPD), exchanging UDP packets between VPN peers to ensure that both ends are available. If no traffic crosses the VPN tunnel for ten seconds, Cloud Platform sends a DPD request. Three successive requests without a response cause Cloud Platform to close the VPN tunnel.
Initiating your VPN tunnel
After Acquia provisions this feature for your infrastructure and provides connection information to you, it is your responsibility to configure your VPN device, establish the secure tunnel, and keep the network connection alive.
You must also confirm that your secondary tunnel is configured properly in case your primary tunnel becomes unavailable. When properly configured, your gateway must fail over to the secondary tunnel in your tunnel pair, if needed.
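The DPD behaviour and the failover requirement above can be modelled as a small state machine. The following is an added example written for this page, not Acquia code: it simulates a tunnel that sends a DPD request after ten idle seconds and closes after three unanswered requests, then shows which tunnel of a pair a gateway should route through. The ten-second retry interval between repeated requests and the failover rule are assumptions; the sample event timelines are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

IDLE_SECONDS = 10      # from the page: a DPD request is sent after 10 s without traffic
MAX_UNANSWERED = 3     # from the page: three unanswered requests close the tunnel
RETRY_SECONDS = 10     # assumption: an unanswered DPD request is repeated every 10 s


@dataclass
class Tunnel:
    name: str
    last_traffic: int = 0               # time of the last packet seen from the peer
    last_request: Optional[int] = None  # time the outstanding DPD request was sent
    unanswered: int = 0                 # consecutive DPD requests with no reply
    closed_at: Optional[int] = None
    log: list = field(default_factory=list)

    @property
    def up(self) -> bool:
        return self.closed_at is None


def observe(tunnel: Tunnel, t: int, kind: str) -> None:
    """Record a packet from the peer. Data traffic and a DPD reply both prove liveness."""
    if not tunnel.up:
        return
    tunnel.last_traffic = t
    tunnel.unanswered = 0
    tunnel.last_request = None
    tunnel.log.append((t, kind))


def tick(tunnel: Tunnel, t: int) -> None:
    """Run the DPD timer for one second of simulated time."""
    if not tunnel.up:
        return
    if t - tunnel.last_traffic < IDLE_SECONDS:
        return  # tunnel is carrying traffic, nothing to probe
    due = tunnel.last_request is None or t - tunnel.last_request >= RETRY_SECONDS
    if not due:
        return
    if tunnel.unanswered >= MAX_UNANSWERED:
        # Three requests went out and none was answered: the peer is declared dead.
        tunnel.closed_at = t
        tunnel.log.append((t, "tunnel closed"))
        return
    tunnel.unanswered += 1
    tunnel.last_request = t
    tunnel.log.append((t, f"dpd request #{tunnel.unanswered}"))


def simulate(name: str, events, horizon: int) -> Tunnel:
    """events: iterable of (time, kind) with kind in {'traffic', 'dpd_reply'} (constructed input)."""
    tunnel = Tunnel(name)
    by_time = {}
    for t, kind in events:
        by_time.setdefault(t, []).append(kind)
    for t in range(horizon + 1):
        for kind in by_time.get(t, []):
            observe(tunnel, t, kind)
        tick(tunnel, t)
    return tunnel


def active_tunnel(primary: Tunnel, secondary: Tunnel) -> Optional[str]:
    """Assumed gateway rule: route through the primary while it is up, else fail over."""
    if primary.up:
        return primary.name
    if secondary.up:
        return secondary.name
    return None


if __name__ == "__main__":
    # Constructed timeline: traffic stops at t=7, one reply arrives at t=22, then silence.
    primary = simulate("primary", [(0, "traffic"), (3, "traffic"), (7, "traffic"), (22, "dpd_reply")], 70)
    # Constructed timeline: the secondary sees traffic every 5 s, so it is never probed.
    secondary = simulate("secondary", [(t, "traffic") for t in range(0, 71, 5)], 70)
    for entry in primary.log:
        print(entry)
    print("route via:", active_tunnel(primary, secondary))
```

Running the block prints the primary tunnel's DPD history (a request at t=17 that is answered at t=22, then three unanswered requests at t=32, t=42 and t=52, and closure at t=62) and shows the gateway switching to the secondary tunnel. If a customer firewall silently drops the DPD exchange, this is the sequence that tears the tunnel down about 40 seconds after the last packet.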
Using VPC Peering
If you are already utilizing AWS infrastructure and have existing AWS clusters that host your other applications, you can use a VPC Peer connection instead of a VPN connection.
To use Cloud Platform with VPC Peering:
Provide detailed information about your AWS stack and network to Acquia. Acquia provisions and configures a dedicated section for your applications. In addition, Acquia enables the VPC Peer so that you can configure your side of the peering with Acquia.
Accept the peering request after it is enabled.
Network information
For Acquia to configure the security features in ESP, you must provide the following information:
Contact information for the members of your internal network team. This includes name, phone, and email.
AWS stack details, including but not limited to:
The network CIDR range you want to peer with
Your AWS account ID
Your VPC ID
Additional network details, including but not limited to:
A network diagram showing the systems where Cloud Platform must connect.
Maintenance plan or schedule for your network services and hardware.
Note
Like VPN, each additional VPC Peer connection incurs an additional setup fee.
The VPC must be in the same AWS region as your Acquia dedicated network.
Acquia can peer with multiple VPCs provided they have their own allocated addresses and all the VPCs are in the same region.
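Before sending the network details requested in the VPN and VPC Peering sections, it is worth checking them against the stated constraints: the dedicated address space must be a /16 or /20 from the 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 ranges, a private network holds at most 100 environments in one region, at most 10 VPNs and 10 VPC peers, the SSH ACL holds at most 25 entries, and every peered VPC needs its own non-overlapping address allocation in the same region. The following validator is an added example written for this page, not an Acquia tool; the plan structure, field names, and the sample addresses and VPC ID are constructed placeholders, and it uses only the Python standard library.

```python
import ipaddress

# From the page: the dedicated space must be a /16 or /20 inside a private range.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_PREFIXES = (16, 20)
# From the page: per-private-network quotas and the SSH ACL entry limit.
LIMITS = {"environments": 100, "vpns": 10, "vpc_peers": 10, "acl_entries": 25}


def check_dedicated_block(cidr: str) -> list:
    """Problems with the address space proposed for the dedicated network ([] if acceptable)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"{cidr}: not a valid CIDR block ({exc})"]
    if net.version != 4:
        return [f"{cidr}: must be an IPv4 block"]
    problems = []
    if net.prefixlen not in ALLOWED_PREFIXES:
        problems.append(f"{cidr}: prefix must be /16 or /20, got /{net.prefixlen}")
    if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"{cidr}: not inside 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16")
    return problems


def find_overlaps(cidrs) -> list:
    """Pairs of blocks that overlap. The dedicated block, each peered VPC and each
    statically routed network must be mutually disjoint, or routing is ambiguous."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


def check_acl(entries) -> list:
    """Problems with a self-service SSH allowlist: entry limit and syntactic validity."""
    problems = []
    if len(entries) > LIMITS["acl_entries"]:
        problems.append(f"acl: {len(entries)} entries exceeds the limit of {LIMITS['acl_entries']}")
    for entry in entries:
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"acl: {entry!r} is not an IP address or CIDR range")
    return problems


def check_plan(plan: dict) -> list:
    """Validate a private-network plan (constructed schema) against the quotas and constraints."""
    problems = check_dedicated_block(plan["dedicated_cidr"])
    region = plan["region"]
    envs = plan.get("environments", [])
    vpns = plan.get("vpns", [])
    peers = plan.get("vpc_peers", [])

    if len(envs) > LIMITS["environments"]:
        problems.append(f"{len(envs)} environments exceeds the limit of {LIMITS['environments']}")
    wrong_region = [e["name"] for e in envs if e["region"] != region]
    if wrong_region:
        problems.append(f"environments outside region {region}: {', '.join(wrong_region)}")
    if len(vpns) > LIMITS["vpns"]:
        problems.append(f"{len(vpns)} VPNs exceeds the limit of {LIMITS['vpns']}")
    if len(peers) > LIMITS["vpc_peers"]:
        problems.append(f"{len(peers)} VPC peers exceeds the limit of {LIMITS['vpc_peers']}")
    for peer in peers:
        if peer["region"] != region:
            problems.append(f"VPC {peer['vpc_id']} is in {peer['region']}, not {region}")
    # Every peer and statically routed network needs its own, non-overlapping addresses.
    all_blocks = [plan["dedicated_cidr"]] + [p["cidr"] for p in peers] + plan.get("static_routes", [])
    for a, b in find_overlaps(all_blocks):
        problems.append(f"address overlap between {a} and {b}")
    problems.extend(check_acl(plan.get("ssh_acl", [])))
    return problems


# Constructed sample plan: placeholder VPC ID and documentation-range addresses, not real values.
SAMPLE_PLAN = {
    "region": "us-east-1",
    "dedicated_cidr": "10.20.0.0/16",
    "environments": [{"name": "prod", "region": "us-east-1"}, {"name": "stage", "region": "us-east-1"}],
    "vpns": [{"name": "hq-vpn"}],
    "vpc_peers": [{"vpc_id": "vpc-PLACEHOLDER", "region": "us-east-1", "cidr": "10.30.0.0/16"}],
    "static_routes": ["192.168.100.0/24"],
    "ssh_acl": ["203.0.113.10/32", "198.51.100.0/24"],
}

if __name__ == "__main__":
    for line in check_plan(SAMPLE_PLAN) or ["plan is within the stated constraints"]:
        print(line)
```

The overlap check is the one most often missed in practice: a peered VPC or a statically routed internal network that shares addresses with the dedicated /16 cannot be reached unambiguously through the tunnel or peer, which is why each VPC needs its own allocated addresses.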