Enterprise Security Package

In addition to the various base features that are available out-of-the box in Enterprise Security Package (ESP), you can use the following security-related paid features that are available in ESP. For more information about ESP, visit Cloud Platform Product Guide.

• Network Isolation

• Private SSH Access

• Private Egress Using VPN and VPC Peering

These features are built on the Cloud Next infrastructure unlike the legacy Shield offering, which is built on Cloud Classic infrastructure. These features enable organizations to implement enhanced security controls and maintain strict compliance requirements for their digital experiences. You can get seamless network isolation, secure connectivity, and flexible access management capabilities in Cloud Next. Also, subscriber deployments in an isolated network environment are separated from other subscriber deployments at the network level.

This set of features uses a modern, integrated approach that allows you to manage advanced network configurations and security controls for your Cloud Platform applications. Like Shield, it provides enterprise-grade networking capabilities that enable you to implement robust security measures and maintain strict compliance requirements. This solution addresses the demanding security requirements of organizations that operate in highly regulated environments.

Key benefits

Advanced network isolation

• Dedicated network subnets for enhanced network segmentation and isolation of customer workloads
• Additional network-level controls to complement the logical isolation already provided by Kubernetes on Cloud Next
• Enhanced security controls for sensitive workload

Secure connectivity

• VPN and VPC Peering connectivity options to ensure sensitive traffic remains private
• Private SSH ingress capabilities to have controlled SSH access to your applications
• Private egress capabilities to secure outbound connections through VPN or VPC Peering

Access management

• Self-service IP allowlisting for SSH access and selection of CIDRs for the purpose
  This feature is available only for Cloud Platform subscribers and not for Site Factory.
• Dedicated SSH ingress endpoints

Private IP range with optional VPN connection

• Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect between Cloud Platform and your private network. The VPN connection ensures that you have secure bi-directional interaction between your websites and your internal IT systems such as CRM.
  
  To enable the VPN, you must first buy a subscription to Cloud Platform. If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the Amazon VPC FAQs.

Differences with legacy Shield

Use cases

Use the security-related features in ESP to do the following:

• Control how your applications are accessed.
• Manage applications that are hosted in isolated networks within the Acquia infrastructure.
• Establish secure connections between your network and Cloud Platform.
• Configure private access patterns for both incoming SSH traffic and outgoing VPN or VPC Peering traffic.
• Operate under strict compliance requirements.
• Maintain private network connections to internal systems.
• Maintain granular control over application access.
• Implement network-level security controls.
• Isolate sensitive applications and data.

Quotas and constraints

• A private network can have a minimum of 0 and a maximum of 100 environments.
• All environments in the single private network must belong to the same region.
• A private network can have a minimum of 0 and a maximum of 10 VPNs.
• A private network can have a minimum of 0 and a maximum of 10 VPC peers.
• For ACLs, access restriction can be applied to a maximum 25 IP addresses.
• After the first connection of VPN and VPC Peer, additional connections will incur extra charges.

Private outward connections or private egress facilitates secure outbound connections from customer applications to internal systems. This feature ensures that outbound traffic is securely managed. This allows applications to communicate with backend systems such as APIs and other internal resources.

Key features of private egress through VPN or VPC Peering

• Secure VPN or VPC Peering connectivity:
  • Establishes a secure tunnel between Cloud Platform and the customer's network.
  • Ensures encrypted communication for secure data transfer.
  • Provides access to internal resources that are not publicly accessible.
• Bi-directional communication:
  • Supports two-way communication, which allows applications to send and receive data securely.
• Access to internal systems:
  • Facilitates connections to internal systems such as CRM and APIs.
  • Supports access to resources between Cloud Platform and your internal network.
• Connection types:
  • VPN:
    • Creates a secure tunnel for encrypted communication.
    • Allows access to internal resources through a private network.
  • VPC Peering:
    • Establishes a direct connection to the customer's AWS VPC.
    • Enables private network routing and access to AWS resources.

Benefits of private egress through VPN or VPC Peering

• Security: 
  Provides a secure method for applications to connect to backend systems to ensure that sensitive data is protected during transmission.
• Isolation: 
  Allows for the isolation of outbound traffic to ensure that it remains within a secure and private network.
• Flexibility: 
  Offers multiple connection options like VPN and VPC Peering to suit different customer needs and infrastructure setups.

Use cases for private egress through VPN or VPC Peering

• Secure backend connections: 
  Ideal for customers who need to connect to backend systems that are not publicly accessible, such as databases or APIs behind a firewall.
• Ecommerce transactions: 
  Suitable for applications that require secure communication with external services, such as payment gateways.
• Internal resource access: 
  Enables secure access to internal systems to support business operations that rely on private data and resources.

Through a private outbound connection, you can ensure that your outbound traffic is securely managed and isolated, which provides peace of mind and compliance with security standards.

Private egress infographic

Using VPN

To use Cloud Platform with VPN:

1. Buy and deploy a VPN device.
2. Provide detailed information of your VPN device and network to Acquia.

Acquia provisions and configures a dedicated network for your applications. In addition, Acquia provides you with the Internet Protocol Security (IPSec)/ Internet Key Exchange information so that you can properly configure your VPN.

Network information

In order for Acquia to be able to configure the security features in ESP, you must provide the following information:

• Contact information for the members of your internal network team. This includes name, phone, and email.
• VPN device details, including but not limited to:
  • VPN device type (vendor and model)
  • Gateway IP address of the subscriber VPN device
• Confirm that your VPN device meets the requirements.
• Network details, including but not limited to:
  • A network diagram showing the systems where Cloud Platform must connect.
• Maintenance plan or schedule for your network services and hardware
• CIDR IP blocks

VPN device requirements

To connect to Cloud Platform with VPN, your network must use a VPN (a secure Internet gateway) using IPsec. The gateway devices are compatible with Cloud Platform with VPN. Other devices may work, but Acquia does not support them.

You must properly configure your network’s gateway to connect to Cloud Platform with VPN. After you provision your dedicated section, Acquia will provide you with configuration and VPN details. You will receive the Pre-Shared Key (PSK) information that is needed in order to properly configure your VPN. Use SSH to access information stored in a secure location.

Cloud Platform uses Dead Peer Detection (DPD), exchanging UDP packets between VPN peers to ensure that both ends are available. If no traffic crosses the VPN tunnel in ten seconds, Cloud Platform sends a request. Three successive requests without a response will cause Cloud Platform to close the VPN tunnel.

Initiating your VPN tunnel

After Acquia provisions this feature for your infrastructure and provides connection information to you, it is your responsibility to configure your VPN device, establish the secure tunnel, and keep the network connection alive.

You must also confirm that your secondary tunnel is configured properly in case your primary tunnel becomes unavailable. When properly configured, your gateway must fail over to the secondary tunnel in your tunnel pair, if needed.

Using VPC Peering

If you are already utilizing AWS infrastructure and have existing AWS clusters that host your other applications, you can use a VPC Peer connection instead of a VPN connection.

To use Cloud Platform with VPC Peering:

1. Provide detailed information of your AWS stack and network to Acquia.
   Acquia provisions and configures a dedicated section for your applications. In addition, Acquia enables the VPC Peer to properly configure your peer to Acquia.
2. Accept the peering request after it is enabled.

Network information

In order for Acquia to be able to configure the security features in ESP, you must provide the following information:

• Contact information for the members of your internal network team. This includes name, phone, and email.
• AWS stack details, including but not limited to:
  • The network CIDR range you want to peer with
  • Your AWS account ID
  • Your VPC ID
• Additional network details, including but not limited to:
  • A network diagram showing the systems where Cloud Platform must connect.
  • Maintenance plan or schedule for your network services and hardware.

Private Egress Using VPN and VPC Peering

Key benefits

Advanced network isolation

• Dedicated network subnets for enhanced network segmentation and isolation of customer workloads
• Additional network-level controls to complement the logical isolation already provided by Kubernetes on Cloud Next
• Enhanced security controls for sensitive workload

Secure connectivity

• VPN and VPC Peering connectivity options to ensure sensitive traffic remains private
• Private SSH ingress capabilities to have controlled SSH access to your applications
• Private egress capabilities to secure outbound connections through VPN or VPC Peering

Access management

• Self-service IP allowlisting for SSH access and selection of CIDRs for the purpose
  This feature is available only for Cloud Platform subscribers and not for Site Factory.
• Dedicated SSH ingress endpoints

Private IP range with optional VPN connection

• Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect between Cloud Platform and your private network. The VPN connection ensures that you have secure bi-directional interaction between your websites and your internal IT systems such as CRM.
  
  To enable the VPN, you must first buy a subscription to Cloud Platform. If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the Amazon VPC FAQs.

Differences with legacy Shield

Use cases

Use the security-related features in ESP to do the following:

• Control how your applications are accessed.
• Manage applications that are hosted in isolated networks within the Acquia infrastructure.
• Establish secure connections between your network and Cloud Platform.
• Configure private access patterns for both incoming SSH traffic and outgoing VPN or VPC Peering traffic.
• Operate under strict compliance requirements.
• Maintain private network connections to internal systems.
• Maintain granular control over application access.
• Implement network-level security controls.
• Isolate sensitive applications and data.

Quotas and constraints

• A private network can have a minimum of 0 and a maximum of 100 environments.
• All environments in the single private network must belong to the same region.
• A private network can have a minimum of 0 and a maximum of 10 VPNs.
• A private network can have a minimum of 0 and a maximum of 10 VPC peers.
• For ACLs, access restriction can be applied to a maximum 25 IP addresses.
• After the first connection of VPN and VPC Peer, additional connections will incur extra charges.

Private outward connections or private egress facilitates secure outbound connections from customer applications to internal systems. This feature ensures that outbound traffic is securely managed. This allows applications to communicate with backend systems such as APIs and other internal resources.

Key features of private egress through VPN or VPC Peering

• Secure VPN or VPC Peering connectivity:
  • Establishes a secure tunnel between Cloud Platform and the customer's network.
  • Ensures encrypted communication for secure data transfer.
  • Provides access to internal resources that are not publicly accessible.
• Bi-directional communication:
  • Supports two-way communication, which allows applications to send and receive data securely.
• Access to internal systems:
  • Facilitates connections to internal systems such as CRM and APIs.
  • Supports access to resources between Cloud Platform and your internal network.
• Connection types:
  • VPN:
    • Creates a secure tunnel for encrypted communication.
    • Allows access to internal resources through a private network.
  • VPC Peering:
    • Establishes a direct connection to the customer's AWS VPC.
    • Enables private network routing and access to AWS resources.

Benefits of private egress through VPN or VPC Peering

• Security: 
  Provides a secure method for applications to connect to backend systems to ensure that sensitive data is protected during transmission.
• Isolation: 
  Allows for the isolation of outbound traffic to ensure that it remains within a secure and private network.
• Flexibility: 
  Offers multiple connection options like VPN and VPC Peering to suit different customer needs and infrastructure setups.

Use cases for private egress through VPN or VPC Peering

• Secure backend connections: 
  Ideal for customers who need to connect to backend systems that are not publicly accessible, such as databases or APIs behind a firewall.
• Ecommerce transactions: 
  Suitable for applications that require secure communication with external services, such as payment gateways.
• Internal resource access: 
  Enables secure access to internal systems to support business operations that rely on private data and resources.

Through a private outbound connection, you can ensure that your outbound traffic is securely managed and isolated, which provides peace of mind and compliance with security standards.

Private egress infographic

Using VPN

To use Cloud Platform with VPN:

1. Buy and deploy a VPN device.
2. Provide detailed information of your VPN device and network to Acquia.

Acquia provisions and configures a dedicated network for your applications. In addition, Acquia provides you with the Internet Protocol Security (IPSec)/ Internet Key Exchange information so that you can properly configure your VPN.

Network information

In order for Acquia to be able to configure the security features in ESP, you must provide the following information:

• Contact information for the members of your internal network team. This includes name, phone, and email.
• VPN device details, including but not limited to:
  • VPN device type (vendor and model)
  • Gateway IP address of the subscriber VPN device
• Confirm that your VPN device meets the requirements.
• Network details, including but not limited to:
  • A network diagram showing the systems where Cloud Platform must connect.
• Maintenance plan or schedule for your network services and hardware
• CIDR IP blocks

VPN device requirements

To connect to Cloud Platform with VPN, your network must use a VPN (a secure Internet gateway) using IPsec. The gateway devices are compatible with Cloud Platform with VPN. Other devices may work, but Acquia does not support them.

You must properly configure your network’s gateway to connect to Cloud Platform with VPN. After you provision your dedicated section, Acquia will provide you with configuration and VPN details. You will receive the Pre-Shared Key (PSK) information that is needed in order to properly configure your VPN. Use SSH to access information stored in a secure location.

Cloud Platform uses Dead Peer Detection (DPD), exchanging UDP packets between VPN peers to ensure that both ends are available. If no traffic crosses the VPN tunnel in ten seconds, Cloud Platform sends a request. Three successive requests without a response will cause Cloud Platform to close the VPN tunnel.

Initiating your VPN tunnel

After Acquia provisions this feature for your infrastructure and provides connection information to you, it is your responsibility to configure your VPN device, establish the secure tunnel, and keep the network connection alive.

You must also confirm that your secondary tunnel is configured properly in case your primary tunnel becomes unavailable. When properly configured, your gateway must fail over to the secondary tunnel in your tunnel pair, if needed.

Using VPC Peering

If you are already utilizing AWS infrastructure and have existing AWS clusters that host your other applications, you can use a VPC Peer connection instead of a VPN connection.

To use Cloud Platform with VPC Peering:

1. Provide detailed information of your AWS stack and network to Acquia.
   Acquia provisions and configures a dedicated section for your applications. In addition, Acquia enables the VPC Peer to properly configure your peer to Acquia.
2. Accept the peering request after it is enabled.

Network information

In order for Acquia to be able to configure the security features in ESP, you must provide the following information:

• Contact information for the members of your internal network team. This includes name, phone, and email.
• AWS stack details, including but not limited to:
  • The network CIDR range you want to peer with
  • Your AWS account ID
  • Your VPC ID
• Additional network details, including but not limited to:
  • A network diagram showing the systems where Cloud Platform must connect.
  • Maintenance plan or schedule for your network services and hardware.