With Automation Service or Studio Collaboration Services (SCS) you can integrate your business processes with any system or application offering a public endpoint.
If your systems or applications do not offer a public endpoint, you can establish a VPN to allow access to them while ensuring that data is encrypted in transit.
About the VPN
The VPN is intended for integration purposes. When processes need to reach systems, servers, services, or databases that are not exposed via the internet, the VPN is a secure way to access those systems.
You can use VPN for application integration, whenever your processes in Automation Service connect to any of these:
•A web service (SOAP, RESTful) which is set up inside of network and does not offer a public endpoint.
•An Active Directory server (e.g, for use of LDAP authentication in Bizagi or the LDAP users synchronization module).
•A SQL Server database which is set up inside your network and does not offer a public endpoint.
•An SMTP server which is set up inside your network and does not offer a public endpoint.
•Other corporate services, ESBs, or assets, which are set up inside your network and do not offer public endpoints.
The VPN does NOT route all the traffic for all the cloud-based services. It is only intended for the web apps that need to see (reach) external systems located on-premises. Other outbound traffic to cloud-ready systems, like Azure AD, are not routed through the VPN.
User access for Customer Portal, Modeler, AI and BI is not included in the VPN.
Because the VPN is intended for integration purposes, it should NOT be considered as an additional security measure to restrict access to your automation environments.
If needed, you can request, through a support ticket, to enable an IP address White List. So only IP addresses in the list can access any of your Bizagi cloud-based portals.
To establish a VPN between your premises and Automation Service or Studio Collaboration Service, you need to purchase the VPN service offering.
This service includes:
Bizagi provides a configuration guide for your IT department to follow.
The guide is specific to your VPN device.
•Connectivity tests for the initial setup, to validate that traffic flows adequately through the VPN.
The One-way traffic configuration of the VPN establishes an accessible channel for application integration, whenever integration requirements involve systems which use ports different than HTTPS (such as TCP).
This VPN configuration is employed for integrations driven by Bizagi in one direction whenever Bizagi needs to call-out systems on the customer’s corporate infrastructure. This means that the VPN is not used for end user access or any other incoming requests. End user access is routed through the public internet.
VPN technical requirements
To use a VPN, standard technical requirements apply.
You need a supported VPN device located on-premises, with a Public IP address (IPv4) assigned to it, with capabilities to be configured using the IPsec protocol.
The Public IP address must be strictly IP version 4 and must not be located behind a NAT.
These are the requirements concerning VPN setup on your end. On the Bizagi side there will be a matching VPN configuration, provided by the Bizagi subscription.
Bizagi uses the VPN configuration supported by Azure, as its IaaS.
Therefore, supported VPN devices are those listed at https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices.
Make sure that the VPN device your organization will employ for this purpose is supported and on the above list.
Setting up a VPN requires support from your IT department.
You need an expert on your side to configure, monitor and manage VPN aspects that depend on your corporate network's configuration.
It is also important to assess any potential performance impact when using a VPN, especially for online requests (non-scheduled jobs), so you can determine if inherent factors to the communication from the cloud to your premises will significantly affect your applications' usability.
A VPN establishes a connection between two endpoints as if they were physically wired, in terms of visibility, but not in terms of performance.
Some of the inherent factors affecting VPN communication, which are beyond the control of Automation Service, are: higher latency in data transmission, fluctuations, interference and congestion affecting the speed of the channel, and the quality of the networks used during transmission.
To configure a VPN, it is necessary to establish the customer and Bizagi's range of IPs that will be allowed within the connection in order to define the entry and exit permissions.
The first step to establish a VPN is to contact your Bizagi sales representative to purchase the service.
You must provide specific details such as your Public IP address and the specific VPN device you use so you can receive specific instructions regarding what to do next on your side.
Consider the answers to these typical questions:
1.What is a VPN?
A virtual private network (VPN) is a technology that extends a private network across a public network, providing a tunnel over the communication channel while encrypting transmitted data.
In this specific case, it means securely extending your corporate network to Automation Service, over the internet.
Transmitted data refers to the data exchanged between Automation Service and your corporate network for application integration requirements.
2.What is a VPN tunnel?
While a VPN is a network, the pathways used by data to pass through in such network are known as tunnels. Tunnels are created through different type of tunneling protocols. Settings such as speed and encryption complexity vary depending on the protocol. These tunnels are encrypted connections and you may have several of these tunnels inside a VPN. Consider the number of connections for a VPN, since these tunnels are limited, as well as the bandwidth offered for the VPN as a whole.
There are different types of connections. A site to site connections (as the one we use) uses a connection over IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
3.What are the technical specs of the VPN to configure?
The following specifications are employed by the VPN:
•A Site-to-site VPN.
•Internet Protocol Security (IPsec) with an Internet Key Exchange (IKE) implementation.
•IKE version: 1 / 2 (IKEv1, IKEv2).
•Pre-shared key authentication method.
•For phase #1, IPsec parameter, settings include:
oSupport for AES256 and AES128 encryption algorithms and SHA1 and SHA256 hashing algorithms used for authentication.
oUse of DH group 2.
oA Key lifetime (in seconds) of 56600.
•For phase #2 regarding IPsec parameters, settings include:
oSetting support for AES256 and AES128 encryption algorithm, and SHA1 and SHA256 hashing algorithms used for authentication.
oA Key lifetime (in seconds) of 7200.
oUse a Maximum Segment Size of 1350 (TCP MSS clamp).
4.How long will it take to configure a VPN?
How long it takes to set up a VPN depends mostly on your IT administration and governance procedures.
A VPN requires that certain configurations are carried out at each of the two endpoints (one of these being under the control of you and your IT team).
Configuration of the VPN's endpoint directly in Automation Service will not take more than one business day, provided that you provide the details we need for the configuration.
5.Does the use of a VPN provide additional security to end users?
Access is routed through the public internet via HTTPS, which already takes charge of encrypting data in transit. Inbound connections pass through the security layer, which is a robust security measurement for your Automation environments. However, the VPN is not intended to restrict access to your environments. You can request a white list configuration, so IP addresses can be included in the list as the only ones permitted to access any of the Bizagi cloud-based portals and give additional security.
6.Does the use of a VPN allow me to target Automation Service or Studio Collaboration (or any of its underlying assets) from an on-premises system?
No, similarly to the above question, a VPN allows Automation Service or SCS to target your on-premises systems.
7.Does the use of a VPN entail an additional cost?
Yes, if you choose to use a VPN because your systems do not offer secure public endpoint for integration purposes, you need to purchase the VPN offering so you can exclusively connect to your appointed subscription resources as provisioned by Automation Service or SCS.
For details regarding the cost of the VPN offering contact your Bizagi sales representative.
8.Which aspects should I look after when using a VPN?
In case that your IT department needs to perform any change in your infrastructure and servers location, network, VPN device or one that affects an operational VPN, please notify us directly at email@example.com.
8.What is the VPN support and SLA?
The SLA offered for the VPN is 99.9% of availability. The SLA and uptime excludes downtime resulting directly or indirectly from any issue arising at your network's VPN endpoint, or from any changes done by you at your network's VPN endpoint without previous notice.
9.If I use a VPN, do I get a dedicated channel for my data to travel through the network?
No, even if you purchase a VPN or not, all the data is sent through public HTTPS. However, the VPN brings an additional degree of security by providing a secure tunnel over the communication channel.