If your organization has purchased Creative Cloud with managed services plans, Adobe sets up a dedicated instance at a data center that is located closest to your physical location.

All managed services, including storage, run inside an Amazon Virtual Private Cloud (VPC) that can be isolated within a customer defined virtual private network (VPN) dedicated to a single enterprise customer. The Amazon VPC may be configured to run inside your organization's corporate network, so each machine in the Amazon VPC is assigned a private IP address. In this configuration, the Amazon VPC is connected to the network using an IPsec tunnel, so HTTPS requests may be sent from the network to the Amazon VPC via the secured tunnel, rather than the Internet.

For more information, see Creative Cloud for enterprise security overview.

Establish a hardware VPN connection

Amazon Virtual Private Cloud (VPC) provides multiple network connectivity options depending on your network design and requirements. You can choose to use the Internet or an Amazon Web Services (AWS) Direct Connect connection as your backbone network. Terminate your connection either into AWS or into user-managed network endpoints. With AWS, you can specify how network routing will be delivered between Amazon VPC and your networks, leveraging either AWS or user-managed network equipment and routes. You can only use AWS that has been provided by Adobe. This article focuses on the Hardware VPN connectivity option.

You can create a hardware-based IPsec VPN connection, over the Internet, between your remote network and your Amazon VPC.

Advantages of a hardware-based IPSec VPN connection:

  • AWS-managed endpoints include multi-data center redundancy and automated failover.
  • You can reuse existing VPN equipment and processes.
  • You can reuse existing Internet connections
  • Static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies are supported.

The Amazon virtual private gateway (VGW) represents two distinct VPN endpoints, physically located in separate data centers, to increase the availability of your VPN connection.

Limitations that you may need to consider:

  • Network latency, variability, and availability depend on Internet conditions.
  • Customer-managed endpoint is responsible for implementing redundancy and failover (if required).
  • Customer device must support single-hop BGP (when leveraging BGP for dynamic routing).

You have the option of dynamic as well as static routing. Dynamic routing leverages BGP peering to exchange routing information between AWS and the remote endpoints. Both IPSec and BGP connections must terminate on the same user gateway device when using BGP.

Components of the VPN connection

  • Virtual Private Gateway: A virtual private gateway that is the VPN concentrator on the Amazon side of the connection.
  • Customer Gateway: A customer gateway that is a physical device or software application on your side of the connection. Your customer gateway must initiate the tunnels and not the virtual private gateway. To prevent the tunnel from going down, you can use a network monitoring tool to generate keepalive pings.

VPN routing options

The make and model of your VPN devices define your selection of type of routing. For a list of static and dynamic routing devices that have been tested with Amazon VPC, see the Amazon Virtual Private Cloud FAQs.

With BGP devices, you need not specify static routes because the device advertises its routes to the virtual private gateway. For devices that don’t support BGP, select static routing and enter the routes (IP prefixes) for your network. Only IP prefixes known to the virtual private gateway receive traffic from your VPC.

VPN tunnel configuring options

One virtual private gateway, one customer gateway, two VPN tunnels

Use a VPN connection to connect your network to a VPC. Every VPN connection has two tunnels with a unique virtual private gateway public IP address, for each tunnel. Ensure that you configure both tunnels for redundancy. When one tunnel is unavailable, network traffic is automatically routed to the available tunnel for that specific connection.

Hardware VPN

One virtual private gateway, two customer gateways, two VPN tunnels from each customer gateway

Every VPN connection has two tunnels to ensure connectivity in situations when one of the tunnels is unavailable. For better protection against loss of connectivity, you can set up a second VPN connection to your VPC by using a second customer gateway. With redundant VPN connections and customer gateways, it’s easier to run maintenance operations on one customer gateway while traffic flows over the second customer gateway's VPN connection.

The customer gateway IP address for the second VPN connection must be publicly accessible and cannot be the same as the one for your first VPN connection.

For details on requirements for a VPN connection, see What you need for a VPN connection.

Redundant hardware VPN connections

VPN parameters

The following parameters are dictated by AWS and cannot be changed.  Every tunnel will need to adhere to these parameters.

Phase I Proposal

AES-128-SHA1

OR

AES-256-SHA2

Phase I Lifetime (sec)

28800

Diffe-Hellman Group

Phase I: 2, 14-18, 22, 23, and 24

Phase II: 1, 2, 5, 14-18, 22, 23, and 24

PFS (Yes/No)

Yes

Mode (Main/Aggressive)

Main

Phase II Proposal

AES-128-SHA1

OR

AES-256-SHA2

Phase II Lifetime (sec)

3600

Encapsulation

ESP

Firewall rules

Provide a list of ACL rules to specify both ingress and egress traffic traversing the VPN tunnel. Be sure to list all rules in both directions:

Source IP: All customer corporate internal IP addresses
Destination: Customer Creative Cloud for enterprise with managed services instance
Protocol: HTTPS
Port: 443

Information you need to provide to Adobe

  • Desired subnet (preferably /27 or above)
  • Customer Gateway (VPN device) IP address
  • Routing option (Dynamic or Static)
    • If Dynamic, specify BGP ASN (see [1] for more details)
    • If Static, specific Encryption Domain (routes back to the customer network)
  • VPN Device Manufacturer (see [2] for list of VPN manufacturers and devices)
  • VPN Device Model; for example, ASA5850
  • VPN Device Firmware Version; for example, IOS 12.x

[1] With BGP devices, you don't need to specify static routes because the device advertises its routes to the virtual private gateway. For devices that don't support BGP, select static routing and enter the routes (IP prefixes) for your network. Only IP prefixes known to the virtual private gateway receive traffic from your VPC.

[2] http://aws.amazon.com/vpc/faqs/#C9

Licencia na používanie tohto diela sa poskytuje v súlade s podmienkami licencie Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Na príspevky v sociálnych sieťach Twitter™ a Facebook sa nevzťahujú podmienky licencií Creative Commons.

Právne upozornenia   |   Zásady ochrany osobných údajov online