--- title: "Private SSH Access" date: "2025-11-06T13:46:16+00:00" summary: "Enhance SSH security with private access, custom proxies, and flexible IP allowlisting for your Cloud Platform applications." image: type: "page" url: "/acquia-cloud-platform/private-ssh-access" id: "e4b6aae0-af92-4367-9960-c638ff0e815d" --- Table of contents will be added Enterprise Security Package --------------------------- In addition to the various base features that are available out-of-the box in Enterprise Security Package (ESP), you can use the following security-related paid features that are available in ESP. For more information about ESP, visit [Cloud Platform Product Guide](/node/57242#enterprise-security-package "Cloud Platform Product Guide"). * [Network Isolation](/acquia-cloud-platform/network-isolation "Network Isolation") ================================================================================= * [Private SSH Access](/acquia-cloud-platform/private-ssh-access "Private SSH Access") ==================================================================================== * [Private Egress Using VPN and VPC Peering](/acquia-cloud-platform/private-egress-using-vpn-and-vpc-peering "Private Egress Using VPN and VPC Peering") ====================================================================================================================================================== These features are built on the Cloud Next infrastructure unlike the legacy [Shield](https://docs.acquia.com/acquia-cloud-platform/add-ons/shield/overview) offering, which is built on Cloud Classic infrastructure. These features enable organizations to implement enhanced security controls and maintain strict compliance requirements for their digital experiences. You can get seamless network isolation, secure connectivity, and flexible access management capabilities in Cloud Next. Also, subscriber deployments in an isolated network environment are separated from other subscriber deployments at the network level. ========================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================== This set of features uses a modern, integrated approach that allows you to manage advanced network configurations and security controls for your Cloud Platform applications. Like [Shield](https://docs.acquia.com/acquia-cloud-platform/add-ons/shield/overview), it provides enterprise-grade networking capabilities that enable you to implement robust security measures and maintain strict compliance requirements. This solution addresses the demanding security requirements of organizations that operate in highly regulated environments. Key benefits ------------ **Advanced network isolation** * Dedicated network subnets for enhanced network segmentation and isolation of customer workloads * Additional network-level controls to complement the logical isolation already provided by Kubernetes on Cloud Next * Enhanced security controls for sensitive workload **Secure connectivity** * VPN and VPC Peering connectivity options to ensure sensitive traffic remains private * Private SSH ingress capabilities to have controlled SSH access to your applications * Private Egress capabilities to secure outbound connections through VPN or VPC Peering **Access management** * Self-service IP allowlisting for SSH access and selection of CIDRs for the purpose This feature is available only for Cloud Platform subscribers and not for Site Factory. * Dedicated SSH ingress endpoints **Private IP range with optional VPN connection** * Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect between Cloud Platform and your private network. The VPN connection ensures that you have secure bi-directional interaction between your websites and your internal IT systems such as CRM. To enable the VPN, you must first buy a subscription to Cloud Platform. If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the [Amazon VPC FAQs](http://aws.amazon.com/vpc/faqs/#C9). Note **Internal DNS** These features do not support resolution to your internal DNS servers. Although they provide access to your internal network through a VPN gateway, your network systems are only accessible through IP. Therefore, if you have a service or site in your internal network that changes IP addresses and resolves to an internal-only DNS, the system does not resolve the domain for that service or site. **Shared Services** Cloud Platform shared services are not hosted in your VPC. This includes, but is not limited to: * Git, which is your code repository * Acquia Search * CD and IDE environments * Any SaaS offerings Differences with legacy Shield ------------------------------ Feature Shield Security features in ESP Network Isolation Provides network isolation for production and non-production servers based on EC2 instances in separate VPCs. Provides network isolation for environments based on Kubernetes infrastructure, with isolated pods in subnet. VPN Support Supports VPN connectivity with IKEv1 and IKEv2. Maintains existing VPN connections and configurations. IP Allowlisting for SSH access Is available for Shield subscribers on Cloud Platform Enterprise and has a limit of 25 IP addresses or CIDR ranges. Preserves existing security configurations. Infrastructure Is based on the traditional Cloud Classic infrastructure. Is based on the modern Cloud Next infrastructure. Performance Supports standard performance. Supports enhanced performance and scalability. Migration Path \- Has seamless migration path to the Cloud Next infrastructure. Use cases --------- Use the security-related features in ESP to do the following: ============================================================= * Control how your applications are accessed. * Manage applications that are hosted in isolated networks within the Acquia infrastructure. * Establish secure connections between your network and Cloud Platform. * Configure private access patterns for both incoming SSH traffic and outgoing VPN or VPC Peering traffic. * Operate under strict compliance requirements. * Maintain private network connections to internal systems. * Maintain granular control over application access. * Implement network-level security controls. * Isolate sensitive applications and data. Quotas and constraints ---------------------- * A private network can have a minimum of 0 and a maximum of 100 environments. * All environments in the single private network must belong to the same region. * A private network can have a minimum of 0 and a maximum of 10 VPNs. * A private network can have a minimum of 0 and a maximum of 10 VPC peers. * For ACLs, access restriction can be applied to a maximum 25 IP addresses. * After the first connection of VPN and VPC Peer, additional connections will incur extra charges. Caution Acquia recommends that you exercise caution when you send high traffic to and from Acquia. Private SSH access ------------------ Private SSH Access enhances the security and control of SSH access to customer applications in the Acquia platform. With this feature, you can provision custom SSH proxies, manage and restrict SSH access according to your specific security requirements. Key features of private SSH access ---------------------------------- **SSH configurations**   Dedicated Public Access Private Access Allows customized IP allowlisting? Description Fully Public (Dedicated) Yes Yes Yes Yes * A dedicated public SSH access associated with the private network. * Accessible from both the public internet and private connections. * Separate from shared platform SSH access to ensure dedicated resources. Protected Yes Restricted or allowed ranges Yes Yes * Public SSH listener with Access Control List (ACL) capabilities. * Configurable access restrictions for both public and private addresses. Fully Private Yes No Yes Yes * SSH listener available only on the private network. * Accessible solely through VPN or VPC Peering connections, with no public internet access. * Provides the highest level of isolation. **Access control** * Defines allowed IP ranges to ensure only authorized access. * Manages access through VPN or VPC Peering connections, offering flexibility and control. Benefits of private SSH access ------------------------------ * **Security and compliance**: Aligns with security requirements that may prevent public SSH access. * **Controlled access**:  Offers the flexibility to disable public SSH access entirely or restrict it to meet your security policies. Use cases for private SSH access -------------------------------- * **Security-conscious organizations**:  Ideal for businesses with stringent security policies that require restricted SSH access. * **Compliance-driven deployments**:  Suitable for industries with regulatory requirements that mandate controlled access to application environments. * **Customizable network access**: Provides the ability to tailor SSH access based on specific organizational needs, whether through public or private means. Private SSH access allows you to gain enhanced control over SSH access to your applications. This ensures that security and compliance requirements are met and maintains the flexibility and benefits of the Cloud Platform. Private SSH access infographic ------------------------------ ![Diagram showing customer connections to an Acquia Kubernetes Cluster via VPN and ACL, with dedicated SSH proxy pods and SSH pods.](https://acquia.widen.net/content/214f7037-3c05-4d8c-a29a-d37e8fed8026/web/Shield_private-ssh-ingress.png?w=720&itok=uAroSgEj) Prerequisites for upgrading from Shield to ESP ---------------------------------------------- After Acquia upgrades your VPC to use the ESP features, Acquia gets a list of DNS resolver endpoint IPs. The SSH endpoint can be resolved through that or propagated to your peer VPC, if that is set up. In addition, Acquia generates the IP addresses for the SSH endpoint. As you need IP and host header, Acquia shares IP after SSH stack is ready on Cloud Next. Host header remains the same as the current one. You must upgrade the SSH endpoint after Acquia communicates the new endpoint. If this is not done, private SSH ingress feature does not work. Limiting SSH access ------------------- Through IP address allowlisting, you can restrict SSH access to the web infrastructure in your subscription. Note * Cloud Platform requires specific Acquia-operated IPs and CIDR ranges to remain accessible to all servers. You cannot modify or control them by using IP allowlisting. They do not count toward the IP allowlist limits. * Cloud Platform add-ons such as [Code Studio](https://docs.acquia.com/acquia-cloud-platform/add-ons/code-studio) or [Cloud IDE](https://docs.acquia.com/acquia-cloud-platform/add-ons/ide) depend on SSH access to your Cloud Platform application. Therefore, you must allowlist these products manually. To get the list of IP addresses to allowlist them, contact [Acquia Support](/service-offerings/support "Support"). * For more information about security settings in Cloud Platform, such as [password strength](https://docs.acquia.com/acquia-cloud-platform/access/password-strength), [two-factor verification](https://docs.acquia.com/acquia-cloud-platform/access/two-step-verification), or [allowlisting access to the Cloud Platform interface](/acquia-cloud-platform/securing-your-application-ip-address-allowlisting "Securing your application with IP address allowlisting"), visit [Managing security settings](https://docs.acquia.com/acquia-cloud-platform/access/security). To limit SSH access to your infrastructure for all applications in your subscription: 1. [Sign in to the Cloud Platform user interface](https://cloud.acquia.com/) with the _Owner_ or _Administrator_ role, and then select the application you want to work with. 2. In the menu to the left, click **Security**.  ![shield_adding-rule.png](https://acquia.widen.net/content/545e933e-630a-4178-99f7-4ef340f6d148/web/7910d_shield_adding-rule.png?w=720&itok=3AE8_q4O) 3. Click **Shield**. 4. Click **Add Rule**. ![shield_adding-rules.png](https://acquia.widen.net/content/8a1b8fa9-3b25-4f1d-a9d1-644818d4a7e7/web/60f55_shield_adding-rules.png?w=720&itok=LjIgYXwO) 5. In the **Rule Name** field, enter a name less than 90 characters in length. 6. In the **IP address(es) or range** section, select one of the following options: * **Enter manually**: Enter one or more addresses (such as `10.0.0.1`) in the text area. * **Import a CSV file**: Drag a text file containing one or more IP addresses (such as `10.0.0.1`) into the text area. Note You can separate several IP addresses by a space, comma, or line breaks. You can also use CIDR ranges, such as: `222.117.0.1/24`. 7. Click **Save**. The system refreshes the page and displays all IP addresses in the CIDR format. Using VPN --------- To use Cloud Platform with VPN: 1. Buy and deploy a [VPN device](#vpn-device). 2. Provide detailed information of your VPN device and [network](#network) to Acquia. Acquia provisions and configures a dedicated network for your applications. In addition, Acquia provides you with the Internet Protocol Security (IPSec)/ Internet Key Exchange information so that you can properly configure your VPN. Important The ESP features support Internet Key Exchange version 1 (IKEv1) and Internet Key Exchange version 2 (IKEv2). ### Network information In order for Acquia to be able to configure the security features in ESP, you must provide the following information: * Contact information for the members of your internal network team. This includes name, phone, and email. * VPN device details, including but not limited to: * VPN device type (vendor and model) * Gateway IP address of the subscriber VPN device * Confirm that your VPN device meets the [requirements](#vpn-device). * Network details, including but not limited to: * A network diagram showing the systems where Cloud Platform must connect. * Maintenance plan or schedule for your network services and hardware * CIDR IP blocks Note Cloud Platform requires a private, non-routable `/16` or `/20` private address space conforming with RFC 1597. Cloud Platform can use private, non-routable `/16` or `/20` CIDR blocks from the `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16` ranges. Blocks of this size provide resources for Acquia-controlled servers (such as Elastic Load Balancers) and other elastic scaling needs, and also provide expansion space for your application’s future needs. * Subnet allocations * A list of networks requiring traffic statically routed to them * (Optional) A name for the Acquia VPN. If you have various VPNs, providing a name to Acquia may be useful for later communication. For more information, contact your Acquia account manager. ### VPN device requirements To connect to Cloud Platform with VPN, your network must use a VPN (a secure Internet gateway) using IPsec. The [gateway devices](https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html#DevicesTested) are compatible with Cloud Platform with VPN. Other devices may work, but Acquia does not support them. You must properly configure your network’s gateway to connect to Cloud Platform with VPN. After you provision your dedicated section, Acquia will provide you with configuration and VPN details. You will receive the Pre-Shared Key (PSK) information that is needed in order to properly configure your VPN. Use SSH to access information stored in a secure location. Cloud Platform uses Dead Peer Detection (DPD), exchanging UDP packets between VPN peers to ensure that both ends are available. If no traffic crosses the VPN tunnel in ten seconds, Cloud Platform sends a request. Three successive requests without a response will cause Cloud Platform to close the VPN tunnel. ### Initiating your VPN tunnel After Acquia provisions this feature for your infrastructure and provides connection information to you, it is your responsibility to configure your VPN device, establish the secure tunnel, and keep the network connection alive. You must also confirm that your secondary tunnel is configured properly in case your primary tunnel becomes unavailable. When properly configured, your gateway must fail over to the secondary tunnel in your tunnel pair, if needed. Using VPC Peering ----------------- If you are already utilizing AWS infrastructure and have existing AWS clusters that host your other applications, you can use a VPC Peer connection instead of a VPN connection. To use Cloud Platform with VPC Peering: 1. Provide detailed information of your AWS stack and network to Acquia. Acquia provisions and configures a dedicated section for your applications. In addition, Acquia enables the VPC Peer to properly configure your peer to Acquia. 2. Accept the peering request after it is enabled. ### Network information In order for Acquia to be able to configure the security features in ESP, you must provide the following information: * Contact information for the members of your internal network team. This includes name, phone, and email. * AWS stack details, including but not limited to: * The network CIDR range you want to peer with * Your AWS account ID * Your VPC ID * Additional network details, including but not limited to: * A network diagram showing the systems where Cloud Platform must connect. * Maintenance plan or schedule for your network services and hardware. Note * Like VPN, each additional VPC Peer connection incurs an additional setup fee. * The VPC must be in the same region as that of Acquia. * Acquia can peer with multiple VPCs provided they have their own allocated addresses and all the VPCs are in the same region.