Shield

Available strictly for Cloud Platform and Site Factory subscribers with dedicated load balancers and current-generation hardware.

Acquia Shield (formerly Acquia Cloud Shield) provides isolated networks for Cloud Platform applications. Subscriber deployments in an isolated network environment are separated from other subscriber deployments at the network level.

Benefits of using Acquia Shield

Acquia Shield combines the benefits of Cloud Platform-as-a-service with extra security benefits and capabilities, giving you a greater degree of isolation for your Cloud Platform instances.

Acquia Shield includes the following product features:

  • Acquia Shield access management: Provides self-service IP whitelisting for occasions when you must manage SSH access to the environments in your subscription. This feature is available only for Cloud Platform subscribers and not for Site Factory.

  • Private IP range with optional VPN connection: Adds an optional Virtual Private Network (VPN) hosted by Cloud Platform to connect Cloud Platform with your private network. The VPN connection gives you secure, bi-directional communication between your websites and your internal IT systems (such as a CRM). The price of Acquia Shield includes a VPN configured to connect Cloud Platform with one subscriber-defined gateway device. Added virtual private cloud (VPC) peering connections are available for a fee.

    To enable the VPN, you must first buy a subscription to Cloud Platform.

    If you change endpoints during the Subscription Term, you will incur added fees of $250 per hour of work. For Acquia to enable the VPN connection, you must meet the technical requirements described in the Amazon VPC FAQs.

  • AWS VPC Peering Connection: Enables a VPC peering connection between your Acquia Shield VPC and another AWS VPC. You can enable added VPC peering connections for a fee.

Note for Acquia Search users

Although you can access search from your Acquia Shield applications, the Acquia Search servers are located outside of your Acquia Shield dedicated section. Acquia Shield doesn’t protect your search index, because of the Acquia Search servers’ location.

Getting started with Acquia Shield

To use Acquia Shield, ensure you buy Acquia Shield with your Cloud Platform or Site Factory subscription. Acquia then provisions your servers within your dedicated network.

Getting started with Acquia Shield with VPN

To use Acquia Shield with VPN, you must buy Acquia Shield with VPN and have either a Cloud Platform or Site Factory subscription. The following list describes the main steps to complete when configuring Acquia Shield with VPN:

  1. You buy and deploy a VPN device.
  2. You provide Acquia with detailed information about your VPN device, and your network.
  3. Acquia provisions and configures a dedicated section for your applications.
  4. Acquia provides you with the Internet Protocol Security (IPsec)/Internet Key Exchange (IKE) information you need to properly configure your VPN.

Important

Acquia Shield only supports Internet Key Exchange version 1 (IKEv1).

Learn more by visiting the Acquia Academy (sign-in required) for the video Establishing a VPN connection.

Network information you provide to Acquia

For Acquia to configure Acquia Shield, you must provide Acquia with the following information:

  • Contact information (such as name, phone, and email) for the members of your internal network team.

  • VPN device details:

    • VPN device type (vendor and model)
    • The Gateway IP address of the subscriber VPN device

    Confirm your VPN device meets the requirements.

  • Network details, including the following:

    • A network diagram, showing which systems Acquia Shield will connect to

    • Maintenance plan or schedule for your network services and hardware

    • CIDR IP blocks

      Note

      Acquia Shield requires a private, non-routable /16 or /20 address space conforming with RFC 1597. Acquia Shield can use /16 or /20 CIDR blocks from the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 ranges. Blocks of this size provide resources for Acquia-controlled servers (such as Elastic Load Balancers) and other elastic scaling needs, and also provide expansion space for your application’s future needs.

    • Subnet allocations

    • A list of networks requiring traffic statically routed to them

  • (Optional) A name for the Acquia VPN. If you have various VPNs, providing a name to Acquia may be useful for later communication.

Contact your Acquia Account Manager for more information.

VPN device requirements

To connect to Acquia Shield with VPN, your network must use an IPsec VPN gateway. Your VPN device must support all of the following:

  • Establish IKEv1 Security Associations using pre-shared keys
  • Establish IPsec Security Associations in Tunnel mode
  • Use the AES 128-bit encryption function
  • Use the SHA-1 hashing function
  • Use Diffie-Hellman Perfect Forward Secrecy in “Group 2” mode
  • Perform packet fragmentation before encryption

The gateway devices listed here are compatible with Acquia Shield with VPN. Other devices may work, but Acquia doesn’t support them.

You must properly configure your network’s gateway to connect to Acquia Shield with VPN. After provisioning your dedicated section, Acquia will provide you with the configuration and VPN details containing the Pre-Shared Key (PSK) information you must use to properly configure your VPN. Using SSH, you will access the information stored in a secure location.

Acquia Shield uses Dead Peer Detection (DPD), exchanging UDP packets between VPN peers to ensure both ends are available. If no traffic crosses the VPN tunnel in ten seconds, Acquia Shield sends a DPD request. Three successive requests without a response cause Acquia Shield to close the VPN tunnel.

Initiating your Acquia Shield tunnel

After Acquia provisions Acquia Shield and provides connection information to you, it’s your responsibility to configure your VPN device, establish the secure tunnel, and keep the network connection alive.

You must also confirm your secondary tunnel is configured properly in case your primary tunnel becomes unavailable. When properly configured, your gateway must fail over to the secondary tunnel in your Acquia Shield tunnel pair, if needed.
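As an added illustration (not Acquia's own configuration, and not a supported device list), the following strongSwan `ipsec.conf` fragment shows how the device requirements above, the DPD behavior, and the primary/secondary tunnel pair map onto a gateway configuration. The subscriber gateway address, the Acquia tunnel endpoints, the Shield /16 block, and the corporate subnet are constructed placeholders; the real values come from the VPN details Acquia provides.

```conf
# Added example for a subscriber gateway running strongSwan (legacy ipsec.conf
# syntax). All addresses below are placeholders; replace them with the values
# from Acquia's VPN details. The PSK itself belongs in ipsec.secrets, not here.

conn acquia-shield-base
    keyexchange=ikev1          # Acquia Shield supports IKEv1 only
    authby=secret              # IKEv1 Security Associations with pre-shared keys
    ike=aes128-sha1-modp1024!  # Phase 1: AES-128, SHA-1, DH Group 2 (strict)
    esp=aes128-sha1-modp1024!  # Phase 2: AES-128, SHA-1, PFS with DH Group 2
    type=tunnel                # IPsec Security Associations in Tunnel mode
    left=%defaultroute
    leftid=203.0.113.10        # placeholder: public IP of the subscriber VPN gateway
    leftsubnet=192.168.50.0/24 # placeholder: internal network the VPN routes to
    rightsubnet=10.20.0.0/16   # placeholder: the /16 from 10.0.0.0/8 used for Shield
    # Mirror Acquia's DPD: probe after 10 s of silence, declare the peer dead
    # after three unanswered probes (30 s), then re-establish the tunnel.
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=30s

# Primary tunnel of the Acquia Shield tunnel pair
conn acquia-shield-tunnel-1
    also=acquia-shield-base
    right=198.51.100.1         # placeholder: Acquia tunnel 1 endpoint
    auto=start

# Secondary tunnel; kept up so the gateway can fail over if tunnel 1 drops
conn acquia-shield-tunnel-2
    also=acquia-shield-base
    right=198.51.100.2         # placeholder: Acquia tunnel 2 endpoint
    auto=start
```

Pre-encryption fragmentation (the last device requirement) is not an ipsec.conf setting on this device; it is normally handled by clamping TCP MSS on traffic entering the tunnel in the gateway's firewall rules.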

Changing your IP addresses

Moving an existing application hosted by Cloud Platform or Site Factory to Acquia Shield with VPN will change your IP address, including any elastic IP addresses (EIPs). You can’t move IP addresses into or out of a VPC.

As a result, when you configure your application in Acquia Shield with VPN, you must point the DNS records of your application to the new IP address in the VPC. For more information, see Configuring DNS records for your application.