Integration using a VPN



With Bizagi PaaS you may integrate your business processes with any system or application offering a public endpoint.

In cases where your systems or applications do not offer a public endpoint, then you may choose to establish a VPN in order to allow access to them while ensuring that data is encrypted in transit.




Service description

To establish a VPN between your premises and Bizagi PaaS, you will need to purchase Bizagi PaaS' VPN service offering.

This service includes:

Initial setup.

Regarding configuration on your side for the initial setup, a configuration guide will be provided for your IT department to follow.

This configuration guide is specific to your VPN device.

Connectivity tests for the initial setup, which validate that traffic is flowing adequately through the VPN.

Technical support.


A VPN is used for application integration whenever your processes in Bizagi PaaS need to connect to any of the following:

A web service (SOAP, RESTful) which is set up inside of your network and does not offer a public endpoint.

An Active Directory server (e.g., for use of LDAP authentication in Bizagi or the LDAP users synchronization module).

A SQL Server database (which is set up inside of your network and does not offer a public endpoint).

An SMTP server which is set up inside of your network and does not offer a public endpoint.

Other corporate services, ESBs, or assets in general, which are set up inside of your network and do not offer public endpoints.


VPN technical requirements

In order to use a VPN, standard technical requirements apply.

You will need a supported VPN device located on-premises that has a Public IP address (IPv4) assigned to it and can be configured to use the IPsec protocol.

The Public IP address must be strictly IP version 4 and it must not be located behind a NAT.

These are the requirements concerning VPN setup on your end; recall that on Bizagi PaaS' side there will be a matching VPN configuration as well, provided by the Bizagi PaaS subscription.


Bizagi makes use of the VPN configuration supported by Azure, as its IaaS.

Therefore, supported VPN devices are those listed at

Please make sure that the VPN device your organization will employ for this purpose is supported and part of the above list.


Other requirements

Setting up a VPN requires support from your IT department.

You will need an expert on your side in order to configure, monitor and manage VPN aspects that depend on your corporate network's configuration.


In addition to this, it is important that you assess any potential performance impact when using a VPN, especially for online requests (non-scheduled jobs), so that you can determine whether factors inherent to the communication from the cloud to your premises will significantly affect your applications' usability.

Note that a VPN establishes a connection between two endpoints as if these were physically wired, in terms of visibility, but not in terms of performance.

Some of the factors inherent to such communication, which are beyond Bizagi PaaS' control, are: higher latency in data transmission; fluctuations, interference and congestion affecting the speed of the channel; and the quality of the networks used during transmission, among others.


Next steps

The first step to establish a VPN is to contact your Bizagi sales representative in order to purchase the service.

You are required to provide specific details such as your Public IP address and the specific VPN device you use, so that you can receive specific instructions regarding what to do next on your side.



Consider the following frequently asked questions:


1. What is a VPN?

A Virtual private network (VPN) is a technology used to extend a private network across a public network, so that it provides a tunnel over the communication channel while encrypting transmitted data.

In this specific case, it means extending your corporate network to Bizagi PaaS, over the internet.

Transmitted data refers to the data exchanged between Bizagi PaaS and your corporate network for application integration requirements.


2. What are the technical specs of the VPN to configure?

The following specifications are employed by the Bizagi PaaS VPN:

A Site-to-site VPN.

Internet Protocol Security (IPsec) with an Internet Key Exchange (IKE) implementation.

IKE version: 1 / 2 (IKEv1, IKEv2).

Pre-shared key authentication method.

For phase #1 regarding IPsec parameters, settings include:

   - Support for the AES256 and AES128 encryption algorithms, and the SHA1 and SHA256 hashing algorithms used for authentication.

   - Use of DH group 2.

   - A Key lifetime (in seconds) of 56600.

For phase #2 regarding IPsec parameters, settings include:

   - Support for the AES256 and AES128 encryption algorithms, and the SHA1 and SHA256 hashing algorithms used for authentication.

   - A Key lifetime (in seconds) of 7200.

   - Use of a Maximum Segment Size of 1350 (TCP MSS clamp).
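
A pre-flight check for the on-premises side, added here as an example (it is not Bizagi tooling): it tests the public-IPv4, not-behind-NAT requirement from "VPN technical requirements" and compares a device's planned settings with the parameters listed in this answer. The dictionary keys, function names and sample values are assumptions made for the example.

```python
import ipaddress

# Values taken from FAQ 2 on this page; the key names are this example's own.
PAGE_SPEC = {
    "ike_version": {1, 2}, "auth": {"psk"},
    "p1_enc": {"aes256", "aes128"}, "p1_hash": {"sha1", "sha256"},
    "p1_dh_group": {2}, "p1_lifetime": {56600},
    "p2_enc": {"aes256", "aes128"}, "p2_hash": {"sha1", "sha256"},
    "p2_lifetime": {7200}, "tcp_mss": {1350},
}

# Constructed sample: a device behind carrier-grade NAT with two mismatched settings.
SAMPLE = {"public_ip": "100.64.12.7", "wan_ip": "10.20.0.5", "ike_version": 2,
          "auth": "psk", "p1_enc": "aes256", "p1_hash": "sha256", "p1_dh_group": 14,
          "p1_lifetime": 56600, "p2_enc": "aes256", "p2_hash": "sha256",
          "p2_lifetime": 3600, "tcp_mss": 1350}

def check_public_ip(declared, wan_interface):
    """Findings for the 'public IPv4, not behind a NAT' requirement."""
    try:
        ip = ipaddress.ip_address(declared)
        wan = ipaddress.ip_address(wan_interface)
    except ValueError as exc:
        return [f"invalid address: {exc}"]
    findings = []
    if ip.version != 4:
        findings.append("public address must be IPv4")
    elif not ip.is_global:
        # Rejects RFC 1918, CGNAT 100.64.0.0/10, loopback, link-local and similar.
        findings.append(f"{ip} is not publicly routable")
    if ip != wan:
        # The device's own interface holds a different address than peers see.
        findings.append("WAN interface address differs from declared address (NAT)")
    return findings

def check_proposal(cfg):
    """Findings for each parameter that is missing or outside the page's values."""
    findings = []
    for key, allowed in PAGE_SPEC.items():
        if key not in cfg:
            findings.append(f"{key}: not set")
        elif cfg[key] not in allowed:
            findings.append(f"{key}: {cfg[key]!r} not in {sorted(allowed)}")
    return findings

def preflight(cfg):
    """Run both checks; an empty list means nothing conflicts with this page."""
    return check_public_ip(cfg.get("public_ip", ""), cfg.get("wan_ip", "")) + check_proposal(cfg)
```

Calling `preflight(SAMPLE)` returns four findings: the declared address is not publicly routable, the WAN interface address differs from it, and the DH group and phase 2 lifetime do not match the values listed above.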


3. How long will it take to configure a VPN?

How long it takes to set up a VPN will depend mostly on your IT administration and governance procedures.

This is because a VPN, by definition, requires that certain configuration is carried out at each of the two endpoints (one of which you are in charge of as a customer).

Regarding the configuration of the VPN's endpoint directly in Bizagi PaaS (the part which is not done by you), note that it will not take more than one business day, provided that the customer has supplied the details needed as input.


4. Does the use of a VPN provide additional security to end users?

No, a VPN is not employed when browsing (not for end user access).

End user access is routed through the public internet via HTTPS, which already takes charge of encrypting data in transit.

Recall that the main purpose of a VPN in Bizagi PaaS is to establish an accessible channel for application integration whenever these do not offer public endpoints through protocols such as HTTPS.


5. Does the use of a VPN entail an additional cost?

Yes. If you choose to use a VPN because your systems do not offer a secure public endpoint for integration purposes, you will need to purchase the VPN offering of Bizagi PaaS (to exclusively connect to your appointed subscription resources as provisioned by Bizagi PaaS).

For details regarding the cost of the VPN offering, please contact your appointed Bizagi sales representative.