In addition to the various base features that are available out-of-the box in Enterprise Security Package (ESP), you can use the following security-related paid features that are available in ESP. For more information about ESP, visit Cloud Platform Product Guide.
These features are built on the Cloud Next infrastructure unlike the legacy Shield offering, which is built on Cloud Classic infrastructure. These features enable organizations to implement enhanced security controls and maintain strict compliance requirements for their digital experiences. You can get seamless network isolation, secure connectivity, and flexible access management capabilities in Cloud Next. Also, subscriber deployments in an isolated network environment are separated from other subscriber deployments at the network level.
This set of features uses a modern, integrated approach that allows you to manage advanced network configurations and security controls for your Cloud Platform applications. Like Shield, it provides enterprise-grade networking capabilities that enable you to implement robust security measures and maintain strict compliance requirements. This solution addresses the demanding security requirements of organizations that operate in highly regulated environments.
Key benefits
Advanced network isolation
Dedicated network subnets for enhanced network segmentation and isolation of customer workloads
Additional network-level controls to complement the logical isolation already provided by Kubernetes on Cloud Next
Enhanced security controls for sensitive workload
Secure connectivity
VPN and VPC Peering connectivity options to ensure sensitive traffic remains private
Private SSH ingress capabilities to have controlled SSH access to your applications
Private Egress capabilities to secure outbound connections through VPN or VPC Peering
Access management
Self-service IP allowlisting for SSH access and selection of CIDRs for the purpose This feature is available only for Cloud Platform subscribers and not for Site Factory.
Dedicated SSH ingress endpoints
Private IP range with optional VPN connection
Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect between Cloud Platform and your private network. The VPN connection ensures that you have secure bi-directional interaction between your websites and your internal IT systems such as CRM.
To enable the VPN, you must first buy a subscription to Cloud Platform. If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the Amazon VPC FAQs.
Note
Internal DNS
These features do not support resolution to your internal DNS servers. Although they provide access to your internal network through a VPN gateway, your network systems are only accessible through IP. Therefore, if you have a service or site in your internal network that changes IP addresses and resolves to an internal-only DNS, the system does not resolve the domain for that service or site.
Shared Services
Cloud Platform shared services are not hosted in your VPC. This includes, but is not limited to:
Git, which is your code repository
Acquia Search
CD and IDE environments
Any SaaS offerings
Differences with legacy Shield
Feature
Shield
Security features in ESP
Network Isolation
Provides network isolation for production and non-production servers based on EC2 instances in separate VPCs.
Provides network isolation for environments based on Kubernetes infrastructure, with isolated pods in subnet.
VPN Support
Supports VPN connectivity with IKEv1 and IKEv2.
Maintains existing VPN connections and configurations.
IP Allowlisting for SSH access
Is available for Shield subscribers on Cloud Platform Enterprise and has a limit of 25 IP addresses or CIDR ranges.
Preserves existing security configurations.
Infrastructure
Is based on the traditional Cloud Classic infrastructure.
Is based on the modern Cloud Next infrastructure.
Performance
Supports standard performance.
Supports enhanced performance and scalability.
Migration Path
-
Has seamless migration path to the Cloud Next infrastructure.
Use cases
Use the security-related features in ESP to do the following:
Control how your applications are accessed.
Manage applications that are hosted in isolated networks within the Acquia infrastructure.
Establish secure connections between your network and Cloud Platform.
Configure private access patterns for both incoming SSH traffic and outgoing VPN or VPC Peering traffic.
Operate under strict compliance requirements.
Maintain private network connections to internal systems.
Maintain granular control over application access.
Implement network-level security controls.
Isolate sensitive applications and data.
Quotas and constraints
A private network can have a minimum of 0 and a maximum of 100 environments.
All environments in the single private network must belong to the same region.
A private network can have a minimum of 0 and a maximum of 10 VPNs.
A private network can have a minimum of 0 and a maximum of 10 VPC peers.
For ACLs, access restriction can be applied to a maximum 25 IP addresses.
After the first connection of VPN and VPC Peer, additional connections will incur extra charges.
Caution
Acquia recommends that you exercise caution when you send high traffic to and from Acquia.
Private SSH access
Private SSH Access enhances the security and control of SSH access to customer applications in the Acquia platform. With this feature, you can provision custom SSH proxies, manage and restrict SSH access according to your specific security requirements.
Key features of private SSH access
SSH configurations
Dedicated
Public Access
Private Access
Allows customized IP allowlisting?
Description
Fully Public (Dedicated)
Yes
Yes
Yes
Yes
A dedicated public SSH access associated with the private network.
Accessible from both the public internet and private connections.
Separate from shared platform SSH access to ensure dedicated resources.
Protected
Yes
Restricted or allowed ranges
Yes
Yes
Public SSH listener with Access Control List (ACL) capabilities.
Configurable access restrictions for both public and private addresses.
Fully Private
Yes
No
Yes
Yes
SSH listener available only on the private network.
Accessible solely through VPN or VPC Peering connections, with no public internet access.
Provides the highest level of isolation.
Access control
Defines allowed IP ranges to ensure only authorized access.
Manages access through VPN or VPC Peering connections, offering flexibility and control.
Benefits of private SSH access
Security and compliance: Aligns with security requirements that may prevent public SSH access.
Controlled access: Offers the flexibility to disable public SSH access entirely or restrict it to meet your security policies.
Use cases for private SSH access
Security-conscious organizations: Ideal for businesses with stringent security policies that require restricted SSH access.
Compliance-driven deployments: Suitable for industries with regulatory requirements that mandate controlled access to application environments.
Customizable network access: Provides the ability to tailor SSH access based on specific organizational needs, whether through public or private means.
Private SSH access allows you to gain enhanced control over SSH access to your applications. This ensures that security and compliance requirements are met and maintains the flexibility and benefits of the Cloud Platform.
Private SSH access infographic
Prerequisites for upgrading from Shield to ESP
After Acquia upgrades your VPC to use the ESP features, Acquia gets a list of DNS resolver endpoint IPs. The SSH endpoint can be resolved through that or propagated to your peer VPC, if that is set up. In addition, Acquia generates the IP addresses for the SSH endpoint. As you need IP and host header, Acquia shares IP after SSH stack is ready on Cloud Next. Host header remains the same as the current one. You must upgrade the SSH endpoint after Acquia communicates the new endpoint. If this is not done, private SSH ingress feature does not work.
Limiting SSH access
Through IP address allowlisting, you can restrict SSH access to the web infrastructure in your subscription.
Note
Cloud Platform requires specific Acquia-operated IPs and CIDR ranges to remain accessible to all servers. You cannot modify or control them by using IP allowlisting. They do not count toward the IP allowlist limits.
Cloud Platform add-ons such as Code Studio or Cloud IDE depend on SSH access to your Cloud Platform application. Therefore, you must allowlist these products manually. To get the list of IP addresses to allowlist them, contact Acquia Support.
Provide detailed information of your VPN device and network to Acquia.
Acquia provisions and configures a dedicated network for your applications. In addition, Acquia provides you with the Internet Protocol Security (IPSec)/ Internet Key Exchange information so that you can properly configure your VPN.
Important
The ESP features support Internet Key Exchange version 1 (IKEv1) and Internet Key Exchange version 2 (IKEv2).
Network information
In order for Acquia to be able to configure the security features in ESP, you must provide the following information:
Contact information for the members of your internal network team. This includes name, phone, and email.
VPN device details, including but not limited to:
VPN device type (vendor and model)
Gateway IP address of the subscriber VPN device
Confirm that your VPN device meets the requirements.
Network details, including but not limited to:
A network diagram showing the systems where Cloud Platform must connect.
Maintenance plan or schedule for your network services and hardware
CIDR IP blocks
Note
Cloud Platform requires a private, non-routable /16 or /20 private address space conforming with RFC 1597. Cloud Platform can use private, non-routable /16 or /20 CIDR blocks from the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 ranges. Blocks of this size provide resources for Acquia-controlled servers (such as Elastic Load Balancers) and other elastic scaling needs, and also provide expansion space for your application’s future needs.
Subnet allocations
A list of networks requiring traffic statically routed to them
(Optional) A name for the Acquia VPN. If you have various VPNs, providing a name to Acquia may be useful for later communication.
For more information, contact your Acquia account manager.
VPN device requirements
To connect to Cloud Platform with VPN, your network must use a VPN (a secure Internet gateway) using IPsec. The gateway devices are compatible with Cloud Platform with VPN. Other devices may work, but Acquia does not support them.
You must properly configure your network’s gateway to connect to Cloud Platform with VPN. After you provision your dedicated section, Acquia will provide you with configuration and VPN details. You will receive the Pre-Shared Key (PSK) information that is needed in order to properly configure your VPN. Use SSH to access information stored in a secure location.
Cloud Platform uses Dead Peer Detection (DPD), exchanging UDP packets between VPN peers to ensure that both ends are available. If no traffic crosses the VPN tunnel in ten seconds, Cloud Platform sends a request. Three successive requests without a response will cause Cloud Platform to close the VPN tunnel.
Initiating your VPN tunnel
After Acquia provisions this feature for your infrastructure and provides connection information to you, it is your responsibility to configure your VPN device, establish the secure tunnel, and keep the network connection alive.
You must also confirm that your secondary tunnel is configured properly in case your primary tunnel becomes unavailable. When properly configured, your gateway must fail over to the secondary tunnel in your tunnel pair, if needed.
Using VPC Peering
If you are already utilizing AWS infrastructure and have existing AWS clusters that host your other applications, you can use a VPC Peer connection instead of a VPN connection.
To use Cloud Platform with VPC Peering:
Provide detailed information of your AWS stack and network to Acquia. Acquia provisions and configures a dedicated section for your applications. In addition, Acquia enables the VPC Peer to properly configure your peer to Acquia.
Accept the peering request after it is enabled.
Network information
In order for Acquia to be able to configure the security features in ESP, you must provide the following information:
Contact information for the members of your internal network team. This includes name, phone, and email.
AWS stack details, including but not limited to:
The network CIDR range you want to peer with
Your AWS account ID
Your VPC ID
Additional network details, including but not limited to:
A network diagram showing the systems where Cloud Platform must connect.
Maintenance plan or schedule for your network services and hardware.
Note
Like VPN, each additional VPC Peer connection incurs an additional setup fee.
The VPC must be in the same region as that of Acquia.
Acquia can peer with multiple VPCs provided they have their own allocated addresses and all the VPCs are in the same region.
Private SSH Access
Enterprise Security Package
In addition to the various base features that are available out-of-the box in Enterprise Security Package (ESP), you can use the following security-related paid features that are available in ESP. For more information about ESP, visit Cloud Platform Product Guide.
These features are built on the Cloud Next infrastructure unlike the legacy Shield offering, which is built on Cloud Classic infrastructure. These features enable organizations to implement enhanced security controls and maintain strict compliance requirements for their digital experiences. You can get seamless network isolation, secure connectivity, and flexible access management capabilities in Cloud Next. Also, subscriber deployments in an isolated network environment are separated from other subscriber deployments at the network level.
This set of features uses a modern, integrated approach that allows you to manage advanced network configurations and security controls for your Cloud Platform applications. Like Shield, it provides enterprise-grade networking capabilities that enable you to implement robust security measures and maintain strict compliance requirements. This solution addresses the demanding security requirements of organizations that operate in highly regulated environments.
Key benefits
Advanced network isolation
Dedicated network subnets for enhanced network segmentation and isolation of customer workloads
Additional network-level controls to complement the logical isolation already provided by Kubernetes on Cloud Next
Enhanced security controls for sensitive workload
Secure connectivity
VPN and VPC Peering connectivity options to ensure sensitive traffic remains private
Private SSH ingress capabilities to have controlled SSH access to your applications
Private Egress capabilities to secure outbound connections through VPN or VPC Peering
Access management
Self-service IP allowlisting for SSH access and selection of CIDRs for the purpose This feature is available only for Cloud Platform subscribers and not for Site Factory.
Dedicated SSH ingress endpoints
Private IP range with optional VPN connection
Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect between Cloud Platform and your private network. The VPN connection ensures that you have secure bi-directional interaction between your websites and your internal IT systems such as CRM.
To enable the VPN, you must first buy a subscription to Cloud Platform. If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the Amazon VPC FAQs.
Note
Internal DNS
These features do not support resolution to your internal DNS servers. Although they provide access to your internal network through a VPN gateway, your network systems are only accessible through IP. Therefore, if you have a service or site in your internal network that changes IP addresses and resolves to an internal-only DNS, the system does not resolve the domain for that service or site.
Shared Services
Cloud Platform shared services are not hosted in your VPC. This includes, but is not limited to:
Git, which is your code repository
Acquia Search
CD and IDE environments
Any SaaS offerings
Differences with legacy Shield
Feature
Shield
Security features in ESP
Network Isolation
Provides network isolation for production and non-production servers based on EC2 instances in separate VPCs.
Provides network isolation for environments based on Kubernetes infrastructure, with isolated pods in subnet.
VPN Support
Supports VPN connectivity with IKEv1 and IKEv2.
Maintains existing VPN connections and configurations.
IP Allowlisting for SSH access
Is available for Shield subscribers on Cloud Platform Enterprise and has a limit of 25 IP addresses or CIDR ranges.
Preserves existing security configurations.
Infrastructure
Is based on the traditional Cloud Classic infrastructure.
Is based on the modern Cloud Next infrastructure.
Performance
Supports standard performance.
Supports enhanced performance and scalability.
Migration Path
-
Has seamless migration path to the Cloud Next infrastructure.
Use cases
Use the security-related features in ESP to do the following:
Control how your applications are accessed.
Manage applications that are hosted in isolated networks within the Acquia infrastructure.
Establish secure connections between your network and Cloud Platform.
Configure private access patterns for both incoming SSH traffic and outgoing VPN or VPC Peering traffic.
Operate under strict compliance requirements.
Maintain private network connections to internal systems.
Maintain granular control over application access.
Implement network-level security controls.
Isolate sensitive applications and data.
Quotas and constraints
A private network can have a minimum of 0 and a maximum of 100 environments.
All environments in the single private network must belong to the same region.
A private network can have a minimum of 0 and a maximum of 10 VPNs.
A private network can have a minimum of 0 and a maximum of 10 VPC peers.
For ACLs, access restriction can be applied to a maximum 25 IP addresses.
After the first connection of VPN and VPC Peer, additional connections will incur extra charges.
Caution
Acquia recommends that you exercise caution when you send high traffic to and from Acquia.
Private SSH access
Private SSH Access enhances the security and control of SSH access to customer applications in the Acquia platform. With this feature, you can provision custom SSH proxies, manage and restrict SSH access according to your specific security requirements.
Key features of private SSH access
SSH configurations
Dedicated
Public Access
Private Access
Allows customized IP allowlisting?
Description
Fully Public (Dedicated)
Yes
Yes
Yes
Yes
A dedicated public SSH access associated with the private network.
Accessible from both the public internet and private connections.
Separate from shared platform SSH access to ensure dedicated resources.
Protected
Yes
Restricted or allowed ranges
Yes
Yes
Public SSH listener with Access Control List (ACL) capabilities.
Configurable access restrictions for both public and private addresses.
Fully Private
Yes
No
Yes
Yes
SSH listener available only on the private network.
Accessible solely through VPN or VPC Peering connections, with no public internet access.
Provides the highest level of isolation.
Access control
Defines allowed IP ranges to ensure only authorized access.
Manages access through VPN or VPC Peering connections, offering flexibility and control.
Benefits of private SSH access
Security and compliance: Aligns with security requirements that may prevent public SSH access.
Controlled access: Offers the flexibility to disable public SSH access entirely or restrict it to meet your security policies.
Use cases for private SSH access
Security-conscious organizations: Ideal for businesses with stringent security policies that require restricted SSH access.
Compliance-driven deployments: Suitable for industries with regulatory requirements that mandate controlled access to application environments.
Customizable network access: Provides the ability to tailor SSH access based on specific organizational needs, whether through public or private means.
Private SSH access allows you to gain enhanced control over SSH access to your applications. This ensures that security and compliance requirements are met and maintains the flexibility and benefits of the Cloud Platform.
Private SSH access infographic
Prerequisites for upgrading from Shield to ESP
After Acquia upgrades your VPC to use the ESP features, Acquia gets a list of DNS resolver endpoint IPs. The SSH endpoint can be resolved through that or propagated to your peer VPC, if that is set up. In addition, Acquia generates the IP addresses for the SSH endpoint. As you need IP and host header, Acquia shares IP after SSH stack is ready on Cloud Next. Host header remains the same as the current one. You must upgrade the SSH endpoint after Acquia communicates the new endpoint. If this is not done, private SSH ingress feature does not work.
Limiting SSH access
Through IP address allowlisting, you can restrict SSH access to the web infrastructure in your subscription.
Note
Cloud Platform requires specific Acquia-operated IPs and CIDR ranges to remain accessible to all servers. You cannot modify or control them by using IP allowlisting. They do not count toward the IP allowlist limits.
Cloud Platform add-ons such as Code Studio or Cloud IDE depend on SSH access to your Cloud Platform application. Therefore, you must allowlist these products manually. To get the list of IP addresses to allowlist them, contact Acquia Support.
Provide detailed information of your VPN device and network to Acquia.
Acquia provisions and configures a dedicated network for your applications. In addition, Acquia provides you with the Internet Protocol Security (IPSec)/ Internet Key Exchange information so that you can properly configure your VPN.
Important
The ESP features support Internet Key Exchange version 1 (IKEv1) and Internet Key Exchange version 2 (IKEv2).
Network information
In order for Acquia to be able to configure the security features in ESP, you must provide the following information:
Contact information for the members of your internal network team. This includes name, phone, and email.
VPN device details, including but not limited to:
VPN device type (vendor and model)
Gateway IP address of the subscriber VPN device
Confirm that your VPN device meets the requirements.
Network details, including but not limited to:
A network diagram showing the systems where Cloud Platform must connect.
Maintenance plan or schedule for your network services and hardware
CIDR IP blocks
Note
Cloud Platform requires a private, non-routable /16 or /20 private address space conforming with RFC 1597. Cloud Platform can use private, non-routable /16 or /20 CIDR blocks from the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 ranges. Blocks of this size provide resources for Acquia-controlled servers (such as Elastic Load Balancers) and other elastic scaling needs, and also provide expansion space for your application’s future needs.
Subnet allocations
A list of networks requiring traffic statically routed to them
(Optional) A name for the Acquia VPN. If you have various VPNs, providing a name to Acquia may be useful for later communication.
For more information, contact your Acquia account manager.
VPN device requirements
To connect to Cloud Platform with VPN, your network must use a VPN (a secure Internet gateway) using IPsec. The gateway devices are compatible with Cloud Platform with VPN. Other devices may work, but Acquia does not support them.
You must properly configure your network’s gateway to connect to Cloud Platform with VPN. After you provision your dedicated section, Acquia will provide you with configuration and VPN details. You will receive the Pre-Shared Key (PSK) information that is needed in order to properly configure your VPN. Use SSH to access information stored in a secure location.
Cloud Platform uses Dead Peer Detection (DPD), exchanging UDP packets between VPN peers to ensure that both ends are available. If no traffic crosses the VPN tunnel in ten seconds, Cloud Platform sends a request. Three successive requests without a response will cause Cloud Platform to close the VPN tunnel.
Initiating your VPN tunnel
After Acquia provisions this feature for your infrastructure and provides connection information to you, it is your responsibility to configure your VPN device, establish the secure tunnel, and keep the network connection alive.
You must also confirm that your secondary tunnel is configured properly in case your primary tunnel becomes unavailable. When properly configured, your gateway must fail over to the secondary tunnel in your tunnel pair, if needed.
Using VPC Peering
If you are already utilizing AWS infrastructure and have existing AWS clusters that host your other applications, you can use a VPC Peer connection instead of a VPN connection.
To use Cloud Platform with VPC Peering:
Provide detailed information of your AWS stack and network to Acquia. Acquia provisions and configures a dedicated section for your applications. In addition, Acquia enables the VPC Peer to properly configure your peer to Acquia.
Accept the peering request after it is enabled.
Network information
In order for Acquia to be able to configure the security features in ESP, you must provide the following information:
Contact information for the members of your internal network team. This includes name, phone, and email.
AWS stack details, including but not limited to:
The network CIDR range you want to peer with
Your AWS account ID
Your VPC ID
Additional network details, including but not limited to:
A network diagram showing the systems where Cloud Platform must connect.
Maintenance plan or schedule for your network services and hardware.
Note
Like VPN, each additional VPC Peer connection incurs an additional setup fee.
The VPC must be in the same region as that of Acquia.
Acquia can peer with multiple VPCs provided they have their own allocated addresses and all the VPCs are in the same region.
Did not find what you were looking for?
If this content did not answer your questions, try searching or contacting our support team for further assistance.
Cloud Platform