Integration using a VPN


Overview

With Automation Service you can integrate your business processes with any system or application offering a public endpoint.

If your systems or applications do not offer a public endpoint, you can establish a VPN to allow access to them while ensuring that data is encrypted in transit.

 

 

Service description

To establish a VPN between your premises and Automation Service, you need to purchase the Automation Service VPN service offering.

This service includes:

Initial setup.

Bizagi provides a configuration guide for your IT department to follow.

The guide is specific to your VPN device.

Connectivity tests for the initial setup, to validate that traffic flows adequately through the VPN.

Technical support.

 

You can use a VPN for application integration whenever your processes in Automation Service connect to any of these:

A web service (SOAP, RESTful) which is set up inside your network and does not offer a public endpoint.

An Active Directory server (e.g., for LDAP authentication in Bizagi or the LDAP user synchronization module).

A SQL Server database which is set up inside your network and does not offer a public endpoint.

An SMTP server which is set up inside your network and does not offer a public endpoint.

Other corporate services, ESBs, or assets, which are set up inside your network and do not offer public endpoints.

 

VPN technical requirements

To use a VPN, standard technical requirements apply.

You need a supported VPN device located on-premises, with a public IP address (IPv4) assigned to it, that can be configured using the IPsec protocol.

The Public IP address must be strictly IP version 4 and must not be located behind a NAT.

These are the requirements concerning VPN setup on your end. On the Automation Service side there will be a matching VPN configuration, provided by the Automation Service subscription.

 

Bizagi uses the VPN configuration supported by Azure, as its IaaS.

Therefore, supported VPN devices are those listed at https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices.

Make sure that the VPN device your organization will employ for this purpose is supported and on the above list.

 

Other requirements

Setting up a VPN requires support from your IT department.

You need an expert on your side in order to configure, monitor and manage VPN aspects that depend on your corporate network's configuration.

 

It is also important to assess any potential performance impact when using a VPN, especially for online requests (non-scheduled jobs), so you can determine whether factors inherent to communication from the cloud to your premises will significantly affect your applications' usability.

A VPN establishes a connection between two endpoints as if they were physically wired, in terms of visibility, but not in terms of performance.

Some of the inherent factors affecting VPN communication, which are beyond the control of Automation Service, are: higher latency in data transmission, fluctuations, interference and congestion affecting the speed of the channel, and the quality of the networks used during transmission.

 

Next steps

The first step to establish a VPN is to contact your Bizagi sales representative to purchase the service.

You must provide details such as your public IP address and the VPN device you use, so you can receive specific instructions on what to do next on your side.

 

FAQs

Consider the answers to these typical questions:

 

1. What is a VPN?

A virtual private network (VPN) is a technology that extends a private network across a public network, providing a tunnel over the communication channel while encrypting transmitted data.

In this specific case, it means securely extending your corporate network to Automation Service, over the internet.

Transmitted data refers to the data exchanged between Automation Service and your corporate network for application integration requirements.

 

2. What are the technical specs of the VPN to configure?

The following specifications are employed by the Automation Service VPN:

A Site-to-site VPN.

Internet Protocol Security (IPsec) with an Internet Key Exchange (IKE) implementation.

IKE version: 1 / 2 (IKEv1, IKEv2).

Pre-shared key authentication method.

For phase #1 IPsec parameters, settings include:

o Support for the AES256 and AES128 encryption algorithms, and the SHA1 and SHA256 hashing algorithms used for authentication.

o Use of DH group 2.

o A key lifetime (in seconds) of 56600.

For phase #2 IPsec parameters, settings include:

o Support for the AES256 and AES128 encryption algorithms, and the SHA1 and SHA256 hashing algorithms used for authentication.

o A key lifetime (in seconds) of 7200.

o Use of a Maximum Segment Size of 1350 (TCP MSS clamp).
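
The following Python sketch is an added example, not part of Bizagi's documentation: it checks a planned on-premises configuration against the IPsec values listed above and against the public IPv4, no-NAT requirement from "VPN technical requirements". The dictionary layout, the function names and the sample plan are assumptions made for illustration.

```python
import ipaddress

# Values copied from the specification list above.
ENC, AUTH = {"AES128", "AES256"}, {"SHA1", "SHA256"}
SPEC = {
    "ike_version": {1, 2},
    "tcp_mss": {1350},
    "phase1": {"encryption": ENC, "integrity": AUTH, "dh_group": {2}, "lifetime_s": {56600}},
    "phase2": {"encryption": ENC, "integrity": AUTH, "lifetime_s": {7200}},
}
# Ranges that show the device sits behind NAT (RFC 1918 private, RFC 6598 shared).
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def check_public_ip(addr):
    """Return problems with the device address: it must be IPv4 and not NATed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return [f"{addr!r} is not an IP address"]
    if ip.version != 4:
        return ["public address must be IPv4"]
    if any(ip in net for net in NAT_RANGES):
        return [f"{ip} is a private or shared address, so the device is behind NAT"]
    return []

def check_proposal(p):
    """Compare planned device settings with SPEC and return the mismatches."""
    problems = check_public_ip(p["public_ip"])
    for key in ("ike_version", "tcp_mss"):
        if p.get(key) not in SPEC[key]:
            problems.append(f"{key}={p.get(key)!r}, documented: {sorted(SPEC[key])}")
    for phase in ("phase1", "phase2"):
        for key, values in SPEC[phase].items():
            got = p[phase].get(key)  # a missing setting is reported as None
            if got not in values:
                problems.append(f"{phase}.{key}={got!r}, documented: {sorted(values)}")
    return problems

# Constructed sample plan with two deliberate mismatches (NATed address, DH group 14).
SAMPLE = {
    "public_ip": "192.168.10.1", "ike_version": 2, "tcp_mss": 1350,
    "phase1": {"encryption": "AES256", "integrity": "SHA256", "dh_group": 14, "lifetime_s": 56600},
    "phase2": {"encryption": "AES256", "integrity": "SHA256", "lifetime_s": 7200},
}

if __name__ == "__main__":
    for problem in check_proposal(SAMPLE):
        print("MISMATCH:", problem)
```

The DH group mismatch in the sample is the kind of difference a local hardening baseline tends to introduce, so it is worth running such a check before the connectivity tests.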

 

3. How long will it take to configure a VPN?

How long it takes to set up a VPN depends mostly on your IT administration and governance procedures.

A VPN requires that certain configurations are carried out at each of the two endpoints (one of these being under the control of you and your IT team).

Configuration of the VPN's endpoint directly in Automation Service will not take more than one business day, provided that you supply the details we need for the configuration.

 

4. Does the use of a VPN provide additional security to end users?

No, a VPN is not for end user activities like browsing.

End user access is routed through the public internet via HTTPS, which already takes charge of encrypting data in transit.

The main purpose of a VPN in Automation Service is to establish an accessible channel for application integration through protocols such as HTTPS when public endpoints are not available.

 

5. Does the use of a VPN allow me to target Automation Service (or any of its underlying assets) from an on-premises system?

No. As with the previous question, a VPN allows Automation Service to target your on-premises systems, not vice versa.

 

6. Does the use of a VPN entail an additional cost?

Yes, if you choose to use a VPN because your systems do not offer a secure public endpoint for integration purposes, you need to purchase the VPN offering of Automation Service so you can exclusively connect to your appointed subscription resources as provisioned by Automation Service.

For details regarding the cost of the VPN offering contact your Bizagi sales representative.