
Acquia Cloud Shield

Available only to Acquia Cloud Enterprise and Acquia Cloud Site Factory subscribers.

Using Acquia Cloud Shield, your applications run in a dedicated, logically-isolated section of the Acquia Cloud platform, adding more network-level security and capabilities to the stack.

Benefits of using Acquia Cloud Shield

Acquia Cloud Shield gives you the benefits of Acquia Cloud platform-as-a-service, combined with extra security benefits and capabilities including IP address whitelisting for subscribers who must restrict access to the servers in their subscription. Acquia Cloud Shield provides a greater degree of isolation for your Acquia Cloud instances. With Acquia Cloud Shield, your Acquia Cloud instances exist in a dedicated, logically-isolated section not shared with any other users.

Optionally, you can use Acquia Cloud Shield with a VPN, which provides a secure bidirectional connection between your Acquia Cloud Enterprise applications and your internal systems.

Note for Acquia Search users

You can access your search installation from your Acquia Cloud Shield applications, but the Acquia Search servers are located outside of your Acquia Cloud Shield dedicated section, so Acquia Cloud Shield does not cover your search index.

Getting started with Acquia Cloud Shield

To use Acquia Cloud Shield, ensure you buy Acquia Cloud Shield with your Acquia Cloud Enterprise or Acquia Cloud Site Factory subscription. Acquia then provisions your servers within your dedicated section.

Getting started with Acquia Cloud Shield with VPN

To use Acquia Cloud Shield with VPN, you must both buy the Acquia Cloud Shield one-time setup and have either an Acquia Cloud Enterprise or Acquia Cloud Site Factory subscription. The following list describes the main steps to complete when configuring Acquia Cloud Shield with VPN:

  1. You buy and deploy a VPN device.
  2. You provide Acquia with detailed information about your VPN device and your network.
  3. Acquia provisions and configures a dedicated section for your applications.
  4. Acquia provides you with the Internet Protocol Security (IPsec)/Internet Key Exchange information to properly configure your VPN.


Acquia Cloud Shield only supports Internet Key Exchange version 1 (IKEv1).

Network information you provide to Acquia

For Acquia to configure Acquia Cloud Shield with VPN, you must provide Acquia with the following information:

  • Contact information (such as name, phone, and email) for the members of your internal network team.

  • VPN device details:

    • VPN device type (vendor and model)
    • The Gateway IP address of the customer VPN device

    Confirm your VPN device meets the requirements.

  • Network details, including the following:

    • A network diagram, showing which systems Acquia Cloud Shield will connect to

    • Maintenance plan or schedule for your network services and hardware

    • CIDR IP blocks


      Acquia Cloud Shield requires a private, non-routable /16 or /20 private address space conforming with RFC 1597. Acquia Cloud Shield can use private, non-routable /16 or /20 CIDR blocks from the,, or ranges. Blocks of this size provide resources for Acquia-controlled servers (such as Elastic Load Balancers) and other elastic scaling needs, and also provide expansion space for your application’s future needs.

    • Subnet allocations

    • A list of networks that need traffic statically routed to them

  • (Optional) A name for the Acquia VPN. If you have multiple VPNs, providing a name to Acquia may be useful for later communication.

Contact your Acquia Account Manager for more information.
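
Before sending the CIDR block, subnet allocations, and statically routed networks to Acquia, the address plan can be checked with a short script. This is an added example, not Acquia tooling: the function name and sample values are hypothetical, the three private ranges come from RFC 1597 itself, and the overlap check against routed networks is an added sanity check rather than a requirement stated here.

```python
import ipaddress

# Private ranges as defined in RFC 1597 (carried over into RFC 1918);
# taken from the RFC, not quoted from this page.
RFC1597_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_PREFIXES = {16, 20}  # the page requires a /16 or /20 block


def check_shield_plan(block, subnets, routed_networks):
    """Return a list of problems; an empty list means the plan passes.

    Assumes subnets and routed_networks are valid IPv4 CIDR strings.
    """
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.20.1.0/16
        net = ipaddress.ip_network(block, strict=True)
    except ValueError as exc:
        return [f"{block}: not a valid CIDR block ({exc})"]
    if net.version != 4:
        return [f"{block}: IPv4 block expected"]

    problems = []
    if net.prefixlen not in ALLOWED_PREFIXES:
        problems.append(f"{net}: prefix must be /16 or /20")
    if not any(net.subnet_of(p) for p in RFC1597_BLOCKS):
        problems.append(f"{net}: not inside an RFC 1597 private range")

    seen = []
    for s in map(ipaddress.ip_network, subnets):
        if not s.subnet_of(net):
            problems.append(f"subnet {s} is outside {net}")
        problems += [f"subnets {s} and {o} overlap"
                     for o in seen if s.overlaps(o)]
        seen.append(s)

    # Added check: a network reached over the tunnel must not share
    # address space with the Shield block, or routing becomes ambiguous.
    for r in map(ipaddress.ip_network, routed_networks):
        if r.overlaps(net):
            problems.append(f"routed network {r} overlaps Shield block {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan, not real customer data.
    for line in check_shield_plan("10.20.0.0/16",
                                  ["10.20.0.0/20", "10.20.16.0/20"],
                                  ["192.168.10.0/24", "10.20.8.0/24"]):
        print(line)
```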

VPN device requirements

To connect to Acquia Cloud Shield with VPN, your network must use a VPN (a secure Internet gateway) using IPsec. Your VPN device must be capable of each of the following:

  • Establish IKEv1 Security Associations using pre-shared keys
  • Establish IPsec Security Associations in Tunnel mode
  • Use the AES 128-bit encryption function
  • Use the SHA-1 hashing function
  • Use Diffie-Hellman Perfect Forward Secrecy in “Group 2” mode
  • Perform packet fragmentation before encryption

The following gateway devices are compatible with Acquia Cloud Shield with VPN; other devices may work, but Acquia does not support them:

  • Cisco ASA 5500 Series version 8.2 or greater software
  • Cisco ISR running Cisco IOS 12.4 or greater software
  • Dell SonicWALL Next Generation Firewalls (TZ, NSA, SuperMassive Series) running SonicOS 5.8 or greater
  • Juniper J-Series Service Router running JunOS 9.5 or greater software
  • Juniper SRX-Series Services Gateway running JunOS 9.5 or greater software
  • Juniper SSG running ScreenOS 6.1, or 6.2 or greater software
  • Juniper ISG running ScreenOS 6.1, or 6.2 or greater software
  • Microsoft Windows Server 2008 R2 or greater software
  • Yamaha RTX1200 router

You must properly configure your network’s gateway to connect to Acquia Cloud Shield with VPN. After provisioning your dedicated section, Acquia will provide you with the configuration and VPN details containing the Pre-Shared Key (PSK) information you need to properly configure your VPN. The information will be stored in a secure location you will access using SSH.

Acquia Cloud Shield uses Dead Peer Detection (DPD), exchanging UDP packets between VPN peers to ensure both ends are available. If no traffic crosses the VPN tunnel in ten seconds, Acquia Cloud Shield sends a request. Three successive requests without a response will cause Acquia Cloud Shield to close the VPN tunnel.

Initiating your Acquia Shield tunnel

After Acquia provisions Acquia Cloud Shield and provides connection information to you, it is your responsibility to configure your VPN device, establish the secure tunnel, and keep the network connection alive.

You must also confirm your secondary tunnel is configured properly in case your primary tunnel becomes unavailable. When properly configured, your gateway should fail over to the secondary tunnel in your Acquia Cloud Shield tunnel pair, if needed.

Changing your IP addresses

Moving an existing application hosted on Acquia Cloud Enterprise or Acquia Cloud Site Factory to Acquia Cloud Shield with VPN will change your IP address, including any elastic IP addresses (EIPs). IP addresses cannot be moved into or out of a VPC.

As a result, when you configure your application in Acquia Cloud Shield with VPN, you must point the DNS records of your application to the new IP address in the VPC. For more information, see Pointing DNS records to your public IP addresses.