Configure Secure Connect with Equinix
You can find background information on Secure Connect in PingOne Advanced Identity Cloud in Create private network connections with Secure Connect.
To configure Secure Connect with Equinix, you must complete the following tasks. Each task requires you to coordinate with Ping Identity support using a support case:
Task 1: Provide requirements for Equinix Interconnect service
In this task, you provide Ping Identity support with your requirements for the Equinix Interconnect service, including details of your network configuration and your Advanced Identity Cloud tenant environments.
1. Send Ping Identity support your requirements for an Interconnect service:
   a. Click Create a case.
   b. Follow the steps in the case submission wizard by selecting your account and contract and answering questions about your tenant environments.
   c. On the Please answer the following questions to help us understand the issue you’re facing page, enter the following details, and then click Next:

      Field: What product family is experiencing the issue?
      Value: Select PingOne Advanced Identity Cloud

      Field: What specific product is experiencing the issue?
      Value: Select Configuration

      Field: What version of the product are you using?
      Value: Select NA

   d. On the Tell us about the issue page, enter the following details, and then click Next:

      Field: Provide a descriptive title for your issue
      Value: Enter Requirements for Equinix Interconnect service

      Field: Describe the issue below
      Value: Enter the following details:
         - A comma-separated list of FQDNs for your development, UAT[1], staging, and production tenant environments.
         - An ASN (Autonomous System Number) value for your private network router.
         - An MTU (Maximum Transmission Unit) value for the Interconnect connection.
         - Development environment information:
            - A CIDR block for the development environment.
            - IP addresses or domain names for testing the development environment.
         - UAT[1] environment information:
            - CIDR blocks for any UAT environments.
            - IP addresses or domain names for testing any UAT environments.
         - Staging environment information:
            - A CIDR block for the staging environment.
            - IP addresses or domain names for testing the staging environment.
         - Production environment information:
            - A CIDR block for the production environment.
            - IP addresses or domain names for testing the production environment.
         - Your use case for this implementation.
         - Your preferred date/time for enabling the Interconnect connection.

   e. Click Submit.
2. Ping Identity support works with you in the support case to agree a suitable date and time window for the enablement process.
3. Wait until the start of the enablement process window (agreed in the previous step) before moving to the next task.
Task 2: Enable Equinix Interconnect service
In this task, you’ll work with Ping Identity support to enable the Equinix Interconnect service.
1. Create a support case to request Google Cloud pairing keys from Ping Identity support:
   a. Click Create a case.
   b. Follow the steps in the case submission wizard by selecting your account and contract and answering questions about your tenant environments.
   c. On the Please answer the following questions to help us understand the issue you’re facing page, enter the following details, and then click Next:

      Field: What product family is experiencing the issue?
      Value: Select PingOne Advanced Identity Cloud

      Field: What specific product is experiencing the issue?
      Value: Select Configuration

      Field: What version of the product are you using?
      Value: Select NA

   d. On the Tell us about the issue page, enter the following details, and then click Next:

      Field: Provide a descriptive title for your issue
      Value: Enter Enable Equinix Interconnect service

      Field: Describe the issue below
      Value: Enter a comma-separated list of FQDNs for your development, UAT[2], staging, and production tenant environments.

   e. Click Submit to create the support case.
2. Monitor the support case while Ping Identity support performs these actions:
   a. Provides you with Google Cloud pairing keys for the appropriate region and availability zone.
   b. Provides you with static IP addresses for all Secure Connect environments.
   c. Works with you to agree on suitable dates and times for the provisioning process window.
3. Set up the Equinix Interconnect service in the Equinix Fabric portal:
   a. Open the Equinix instructions for setting up Google Cloud Interconnect in your browser.
   b. Follow the steps under the heading Create Connection in the Equinix Fabric Portal, using the Google Cloud pairing keys provided in step 2a.
4. Update the support case to let Ping Identity support know you’ve completed the instructions in step 3.
5. Monitor the support case while Ping Identity support performs these actions:
   a. Activates a BGP configuration in GCP.
   b. Provides you with pairing keys and BGP IP addresses for all tenant environments to support Secure Connect. The number of pairing keys is dependent on the level of availability you require.
6. In the Equinix portal, use the pairing keys to create direct connections to the BGP IP addresses, using the BGP ASN of 16550. Ping Identity accepts the connections.
7. Wait until the start of the provisioning process window (agreed in step 2c).
8. When the provisioning process window starts, monitor the support case while Ping Identity support performs these actions:
   a. Establishes BGP sessions.
   b. Validates the routes advertised by each party. The routes Ping Identity advertises with BGP are as follows:
      - The chosen CIDR block for the tenant environment.
      - 35.199.192.0/19 (Google Cloud DNS)
   c. Tests bidirectional network connectivity.
   d. Provides nodes in each tenant environment that should respond to queries from the private network.
Ping Identity allows all traffic from the subnets advertised using BGP. You’re responsible for configuring the firewall in your private network to allow traffic from Advanced Identity Cloud.
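A customer-side counterpart to the route validation in the provisioning steps above, as an added example that is not part of the Ping Identity documentation: it compares the prefixes learned on the BGP session with the two routes this page says Ping Identity advertises. The tenant CIDR `10.20.0.0/24`, the `(prefix, AS path)` input format, and the exact-match policy (more-specific or wider prefixes are rejected) are assumptions made for the example.

```python
import ipaddress

PEER_ASN = 16550  # BGP ASN stated on this page
GOOGLE_CLOUD_DNS = ipaddress.ip_network("35.199.192.0/19")  # from this page

# Constructed sample: (prefix, AS path) pairs as learned from the peer.
SAMPLE_ROUTES = [
    ("10.20.0.0/24", [16550]),     # hypothetical tenant CIDR
    ("35.199.192.0/19", [16550]),
    ("0.0.0.0/0", [16550]),        # default route, never agreed
    ("10.20.0.128/25", [16550]),   # more-specific of the tenant CIDR
    ("192.0.2.0/24", [64512]),     # wrong neighbor AS
]


def validate_received_routes(tenant_cidr, received):
    """Check learned routes against the agreed set for one tenant environment.

    Returns a dict with 'accepted' prefixes, 'rejected' (prefix, reason)
    pairs, and 'missing' expected prefixes that were never received.
    """
    expected = {ipaddress.ip_network(tenant_cidr), GOOGLE_CLOUD_DNS}
    accepted, rejected, seen = [], [], set()
    for prefix, as_path in received:
        try:
            net = ipaddress.ip_network(prefix)  # strict: host bits must be 0
        except ValueError:
            rejected.append((prefix, "not a valid network prefix"))
            continue
        same_family = [e for e in expected if e.version == net.version]
        if not as_path or as_path[0] != PEER_ASN:
            rejected.append((prefix, f"neighbor AS is not {PEER_ASN}"))
        elif net in expected:
            accepted.append(prefix)
            seen.add(net)
        elif any(net.subnet_of(e) for e in same_family):
            rejected.append((prefix, "more-specific of an expected prefix"))
        elif any(net.overlaps(e) for e in same_family):
            rejected.append((prefix, "covers more than an expected prefix"))
        else:
            rejected.append((prefix, "not in the agreed route set"))
    missing = sorted(str(e) for e in expected - seen)
    return {"accepted": accepted, "rejected": rejected, "missing": missing}


if __name__ == "__main__":
    print(validate_received_routes("10.20.0.0/24", SAMPLE_ROUTES))
```

The same accepted set is a reasonable starting point for the source ranges in the private-network firewall rule mentioned above.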
Task 3: (Optional) Configure support for services in your internal network
To support services in your internal network (for example, SMTP), Ping Identity can optionally perform the following actions:
- Create DNS forwarding zones. For assistance with this, create a support case in the Ping Identity Support Portal.
- Add your internal certificate or CA into the trust store of your tenant environments. For assistance with this, refer to Send Ping Identity a CA or TLS certificate.