Advanced network

Because of its fully routable nature, the IP requirements will be greater for the Advanced network model than a Simple VPN model. Each VPC deployed in PingOne Advanced Services will require a /22 network CIDR assigned to it from your RFC1918 IP space. The exact number of IPs you will need will vary and depend on the types of environments you have.

Keep in mind that Ping Identity is not just deploying servers into AWS. Each VPN is a self-contained full data center with all the components that go along with it.

Environments required for all deployments:

Optional environments:

Learn more in Environments.

If you need a secondary customer hub environment, a secondary staging environment is required if a child region is also being deployed, but a secondary production environment is not. The same is true if you need a tertiary customer hub environment. A tertiary staging environment is required if a child region is also being deployed, but a tertiary production environment is not.

These environments are required because they’re needed to handle increases in AWS services and the number of endpoints used, and to provide the elasticity needed to autoscale the environment to meet traffic demands. You can specify which /22 network CIDR goes to each environment, or leave it up to your implementation partners to make these decisions when they build the environments.

Learn more in Data storage considerations.

The Direct Connect (DX) network option uses DX to connect to you or to a global mesh network. Your network traffic remains on the AWS global network and never touches the public internet.

Unlike other network options that can have many different vendors involved, you purchase your connection directly from DX. AWS also maintains a list of AWS Direct Connect Delivery Partners, who can help you establish your connections.

This option is best if:

Learn more in AWS Direct Connect in the Amazon documentation.

Learn more about items you might need to consider regarding set up in Setup considerations.

If you have your own AWS presence but need a connection method that can support Kerberos and Radius protocols, which PrivateLink cannot, the Transit Gateway (TGW) network might be the right option for you.

There are two different types of TGW networks:

Learn more about items you might need to consider regarding setup in Setup considerations.

Learn more about items you might need to consider regarding setup in Setup considerations.

VPNs are typically used in advanced network situations where you need to connect to an on-premise infrastructure, and a large amount of bandwidth is not required. Although you can make the same type of connection with a Direct Connect (DC) network, which offers more bandwidth, the cost of the connection is separate from PingOne Advanced Services.

You can also set up as many VPN connections as you need. Border Gateway Protocol (BGP) and static routing are both supported. If BGP is used, we’ll ask that you share your routes. PingOne Advanced Services is designed in the hub-and-spoke model, which does not allow routes to propagate to the VPCs behind the Transit Gateway.

This option is best if you:

This network model uses the AWS VPN service, which is a route-based solution. For details regarding this connection:

If a gateway device terminating the VPN tunnels uses policy-based routing:

This limitation requires that each PingOne Advanced Services region uses IP space that does not overlap and can be summarized into a single supernet to allow for a single SA per region VPN.

Learn more about VPN networks in Your customer gateway device in the AWS Site-to-Site VPN User Guide.

Learn more about items you might need to consider regarding setup in Setup considerations.

Public and private endpoints for the Advanced network model are listed here.