PingOne Advanced Services

Network guide

PingOne Advanced Services provides you with your own virtual private cloud (VPC) network that you define. This virtual network can connect to any data source and closely resembles the network you operate in your data centers, but in a scalable, secure, cloud environment with data and resource isolation.

This guide describes each of the network options available for PingOne Advanced Services and the regions and deployment models available. Review this information to become familiar with your options, and work with your Ping Identity team members to select the options that are right for you.

With this platform, request headers are passed from the client to the AWS Network Load Balancer and through the ingress controller unchanged, but the X-Forwarded-For and X-Real-IP headers have the client IP address added to the header value.
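Because client-supplied headers pass through unchanged, an application that reads X-Forwarded-For should rely only on the address the platform added and treat everything before it as untrusted input. The following is an added example, not Ping Identity code. It assumes the platform's address is appended as the last comma-separated entry (the usual X-Forwarded-For convention); `split_forwarded_for` and `trusted_hops` are hypothetical names, and the sample addresses are constructed.

```python
import ipaddress


def split_forwarded_for(xff_value, trusted_hops=1):
    """Split an X-Forwarded-For value into (client_ip, untrusted_entries).

    Assumption: each trusted hop appends exactly one address on the right,
    so with trusted_hops=1 the last entry is the one the platform added.
    Entries further left arrived with the request and are client-controlled.
    Returns (None, entries) when the trusted entry is missing or malformed.
    """
    parts = [p.strip() for p in (xff_value or "").split(",") if p.strip()]
    if trusted_hops < 1 or len(parts) < trusted_hops:
        return None, parts
    candidate = parts[-trusted_hops]
    untrusted = parts[:-trusted_hops]
    try:
        # Normalise and validate; rejects hostnames, ports and junk.
        return str(ipaddress.ip_address(candidate)), untrusted
    except ValueError:
        return None, untrusted


if __name__ == "__main__":
    # Constructed header values (documentation address ranges).
    samples = [
        "203.0.113.7",               # only the platform-added address
        "10.0.0.1, 203.0.113.7",     # client sent its own value first
        "not-an-ip",                 # malformed trusted entry
    ]
    for value in samples:
        ip, untrusted = split_forwarded_for(value)
        print(f"{value!r}: client_ip={ip} untrusted={untrusted}")
```

Use the returned address for rate limiting, allow lists, and audit logs; record the untrusted entries for investigation only.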

Items not supported

Although PingOne Advanced Services is hosted in AWS, it doesn’t have all the features and functionality available with AWS. Much of the network is automated, so PingOne Advanced Services supports only the items and settings that its automation supports.

The PingOne Advanced Services customer hub can only be connected to a single network. The platform does not allow for a production/non-production split.

Nor does it support:

  • Authenticated BGP for AWS Site-to-Site VPN tunnels.

  • Split DNS forwarders to on-premises DNS servers (production or non-production, or by environment).

  • Private endpoint cross-region redundancy.

Private endpoints cannot be accessed from within the cluster due to a NAT loopback limitation with the AWS Network Load Balancer (NLB). For example, PingFederate should not connect to the PingDirectory private ingress, but rather to the PingDirectory internal cluster name.