Acquia Cloud Shield

Available only to Acquia Cloud Enterprise subscribers.

With Acquia Cloud Shield, your Acquia Cloud Enterprise applications run in a dedicated, logically isolated section of Acquia Cloud, which adds network-level security and capabilities to the stack. Acquia Cloud Shield is available as an additional service to Acquia Cloud Enterprise subscriptions.

Benefits of using Acquia Cloud Shield

Acquia Cloud Shield gives you the benefits of the Acquia Cloud platform-as-a-service, combined with extra security benefits and capabilities, including IP address whitelisting for subscribers who need to restrict access to the servers in their subscription. Acquia Cloud Shield provides a higher degree of isolation for your Acquia Cloud instances in the cloud. With Acquia Cloud Shield, your Acquia Cloud instances exist in a dedicated, logically isolated section that is not shared with any other users.

Optionally, you can use Acquia Cloud Shield with a VPN, which provides a secure bidirectional connection between your Acquia Cloud Enterprise applications and your internal IT systems. In this case, instances within the dedicated cloud section can be accessed only by other instances within the same dedicated cloud section, or over a secure internet gateway (VPN).

Note for Acquia Search users

Your search installation can be accessed from your Acquia Cloud Shield applications, but the Acquia Search servers will not be located in your Acquia Cloud Shield dedicated section. Therefore, your search index will not be covered by Acquia Cloud Shield.

Acquia Cloud Shield uses Dead Peer Detection, exchanging UDP packets between VPN peers to ensure that both ends are available. If no traffic crosses the VPN tunnel in ten seconds, a request is sent. If three successive requests are sent without a response, Acquia Cloud Shield will close the VPN tunnel.

Getting started with Acquia Cloud Shield

To use Acquia Cloud Shield, simply purchase Acquia Cloud Shield with your Acquia Cloud Enterprise subscription. Acquia then provisions your servers within your dedicated cloud section.

Getting started with Acquia Cloud Shield with VPN

To use Acquia Cloud Shield with VPN, you must have an Acquia Cloud Enterprise subscription, and must have purchased Acquia Cloud Shield. The following are the main steps in setting up Acquia Cloud Shield with VPN:

  1. You purchase and deploy a VPN device.
  2. You provide Acquia with detailed information about your VPN device, and your network.
  3. Acquia provisions and configures a dedicated cloud section for your applications.
  4. Acquia provides you with the IPsec (Internet Protocol Security) / IKE (Internet Key Exchange) information you need to properly configure your VPN.

Network information you provide to Acquia

For Acquia to configure Acquia Cloud Shield with VPN, you will need to provide Acquia with the following information:

  • Contact information (such as name, phone, and email) for the members of your internal network team.

  • VPN device details:

    • VPN device type (vendor and model)
    • The Gateway IP address of the customer VPN device

    Confirm that your VPN device meets the requirements.

  • Network details, including the following:

    • A network diagram showing which systems Acquia Cloud Shield will connect to
    • Maintenance plan or schedule for these services
    • CIDR IP blocks
    • Subnet allocations
    • A list of networks that need traffic statically routed to them

  • A private, non-routable /16 or /20 address space for Acquia Cloud Shield.

  • (Optional) A name for the Acquia VPN. If you have multiple VPNs, providing a name to Acquia may be useful for later communication.

Contact your Acquia account manager for more information.
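
A pre-flight check for the address space requested above, as an added example that is not Acquia's code: it verifies that a proposed block is a /16 or /20 inside RFC 1918 space and does not overlap the internal networks you plan to route over the VPN. Reading "private, non-routable" as RFC 1918 and treating overlap as an error are assumptions, and all addresses are constructed samples.

```python
import ipaddress

# Reading "private, non-routable" as RFC 1918 space is an assumption.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_PREFIXES = (16, 20)  # the two sizes the page asks for


def check_shield_block(candidate, internal_cidrs):
    """Return a list of problems with a proposed block; empty means it passes."""
    try:
        # strict=True rejects values with host bits set, e.g. 10.1.2.0/16
        block = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"{candidate}: not a valid network ({exc})"]
    if block.version != 4:
        return [f"{candidate}: expected an IPv4 block"]

    problems = []
    if block.prefixlen not in ALLOWED_PREFIXES:
        problems.append(f"{block}: prefix must be /16 or /20")
    if not any(block.subnet_of(r) for r in RFC1918):
        problems.append(f"{block}: not inside RFC 1918 private space")
    # Assumption: the block must not collide with networks reached over the VPN,
    # otherwise routes on either side of the tunnel become ambiguous.
    for cidr in internal_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 4 and block.overlaps(net):
            problems.append(f"{block}: overlaps internal network {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    internal = ["10.10.0.0/16", "192.168.5.0/24"]
    for proposal in ("10.200.0.0/16", "10.10.16.0/20", "172.32.0.0/16",
                     "192.168.0.0/24", "10.1.2.0/16"):
        issues = check_shield_block(proposal, internal)
        print(proposal, "OK" if not issues else issues)
```

Run it against the CIDR blocks and subnet allocations you are about to send, so that a collision is caught before the dedicated cloud section is provisioned.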

VPN device requirements

To connect to Acquia Cloud Shield with VPN, your network must use a VPN (a secure Internet gateway) that uses IPsec. Your VPN device must be capable of each of the following:

  • Establish IKE Security Associations using pre-shared keys
  • Establish IPsec Security Associations in Tunnel mode
  • Use the AES 128-bit encryption function
  • Use the SHA-1 hashing function
  • Use Diffie-Hellman Perfect Forward Secrecy in “Group 2” mode
  • Perform packet fragmentation prior to encryption

The following gateway devices are compatible with Acquia Cloud Shield with VPN; other devices may work, but are not supported by Acquia:

  • Cisco ASA 5500 Series version 8.2 or greater software
  • Cisco ISR running Cisco IOS 12.4 or greater software
  • Dell SonicWALL Next Generation Firewalls (TZ, NSA, SuperMassive Series) running SonicOS 5.8 or greater
  • Juniper J-Series Service Router running JunOS 9.5 or greater software
  • Juniper SRX-Series Services Gateway running JunOS 9.5 or greater software
  • Juniper SSG running ScreenOS 6.1, or 6.2 or greater software
  • Juniper ISG running ScreenOS 6.1, or 6.2 or greater software
  • Microsoft Windows Server 2008 R2 or greater software
  • Yamaha RTX1200 router

Your network’s gateway must be properly configured to connect to Acquia Cloud Shield with VPN. After your dedicated cloud section is provisioned, Acquia will provide you with the IPsec/IKE information you need to properly configure your VPN.

Changes to IP addresses

If you have an existing application hosted on Acquia Cloud Enterprise, and you move it to Acquia Cloud Shield with VPN, your IP address will change. This includes any elastic IP addresses (EIPs). IP addresses cannot be moved into or out of a VPC.

As a result, when you set up your application in Acquia Cloud Shield with VPN, you need to point the DNS records of your application to the new IP address within the VPC. For more information, see Pointing DNS records to your public IP addresses.
