PingOne Advanced Services

Network options

As you begin your journey with PingOne Advanced Services, it’s important to understand the differences between the different network options available. Work with your Ping Identity partners to determine which option is right for you:

  • Internet only: The simplest model deployed, with all connectivity into and out of PingOne Advanced Services done over the internet. Ideal for situations where your solutions do not require connections to on-premise systems that are not accessible through the internet. When using this deployment model, you can use other Ping Identity products, such as PingOne and its associated gateways, to access on-premise systems.

    See Internet-only network for additional information.

  • Simple network: This option provides connectivity between your on-premise systems, AWS, and third-party cloud environments using HTTPS and LDAPS protocols. Kerberos and RADIUS are not currently supported.

    There are two different options:

    • The Simple VPN option, which requires you to provide IP addresses).

    • The AWS PrivateLink option, which does not require this information and can be used if you have your own AWS instances that you can connect to.

      See Simple network for additional information.

  • Advanced network: With this option, all connectivity options and protocols can be used to integrate your network with your PingOne Advanced Services tenant. Since this is a fully routable deployment, it has a larger IP requirement than the Simple network option.

    See Advanced network for additional information.

With this platform, request headers are passed from the client to the AWS Network Load Balancer and through the ingress controller unchanged, but the X-Forwarded-For and X-Real-IP headers have the client IP address added to the header value.

Choosing the right model

If you’re unsure of which option might be right for you, answer the following questions:

  • Do you need to access systems within your network over a private connection using TCP protocols, such as HTTP, HTTPS, LDAP and LDAPs?

    Both the Simple and Advanced network models offer this type of connection.

  • Do you need Kerberos or Radius Authentication?

    The Advanced network model is the only model that supports Kerberos, RADIUS, and other UDPs.

  • Are you planning to use PingAccess hosted in PingOne Advanced Services to proxy application traffic back to the application within your network?

    The Advanced network model, using AWS DirectConnect and transit gateway peering, is an ideal solution for this situation. Although the Simple network model might work, the Site-to-Site VPN is limited to 1.25 GBs, which might not be enough bandwidth. AWS PrivateLink could also be used, but has a limit on the number of services that can be used, and requires teams to coordinate when new applications are added.

  • Do you need a redundant connectivity setup?

    A simple VPN allows for only 1 VPN connection (2 if split between production and non-production environments). For redundant connections, Advanced networking is ideal because it allows you to have as many connections as you need.

If you select one of these network models and find that it doesn’t meet your needs, you can migrate to a different model. Potential migration options are:

  • From the Internet only model to the Simple network model

  • From the Simple network model to the Internet only model

  • From the Advanced network model to the Internet only model

  • From the Advanced network model to the Simple network model