Items you might need to consider regarding setup depend on the network model you're investigating.
VPN setup requirements
To set up a VPN network, you can provide your own VPN inside tunnel CIDRS, or we will pick from the applicable range. A size /30 CIDR block is required from the 169.254.0.0/16 range (x2), but not in these reserved ranges:
- 169.254.0.0/30
- 169.254.1.0/30
- 169.254.2.0/30
- 169.254.3.0/30
- 169.254.4.0/30
- 169.254.5.0/30
- 169.254.169.252/30
If you're considering the Simple VPN network, you will need to provide a /24 CIDR block from your RFC1918 IP space for the VPN landing zone. All of the private PingOne Advanced Services private endpoints that you connect to will be within the specified IP range in your AWS account.
The VPN should be on the list of VPNs that AWS supports. You'll also need to share:
- The outer IP address
- The VPN vendor
- The VPN model and series
- The software version
Learn more in Tunnel options for your Site-to-Site VPN connection in the AWS Site-to-Site VPN User Guide.
This type of network supports BGP or static routing.
- If BGP routing is used, you'll need to share the ASN values that should be used for BGP setup. We also ask that you share your routes. PingOne Advanced Services is designed in the hub-and-spoke model, which does not allow routes to propagate to the VPCs behind the Transit Gateway.
- If static routing is used, we ask that you share the list of routes. Ideally, provide this information as subnets, and when possible, combine into larger subnets.
AWS will generate a VPN configuration sample document that includes the preshared key and public IP addresses to connect to. This document will be sent to your network team using an encrypted email so the VPN setup can be completed.
AWS PrivateLink requirements
To set up an AWS PrivateLink network, we ask that you share:
- Your AWS Account ID
- A list of the services you want to consume:
- LDAPS
- DataSync
- APIs (PingFederate, PingAccess, and PingDirectory)
- The environment that you want to be connected
If you will expose AWS PrivateLink services to us, we'll also need:
- The AWS account that the connection is coming from
- The PingOne Advanced Services environment that you want to connect to
- The hostname of the services that you want to be connected to
Direct Connect (DX) requirements
There are two different ways to set up a DX network:
- You can provide us with:
- DX VIF IDs
- VIP environment mapping information, which explains which gateways are associated with which VIFs and the associated PingOne Advanced Services customer environment VPCs (dev|test|stage|prod|customer-hub)
- You can have PingOne Advanced Services initiate contact
with Direct Connect and provide:
- The PingOne Advanced Services AWS region
- The PingOne Advanced Services customer hub AWS account ID
Then, we ask that you share the Direct Connect VIFs with us, which will be associated with a Direct Connect Gateway attached to the PingOne Advanced Services environment VPCs.
Transit Gateway (TGW) peering requirements
To set up a TGW peering network, we ask that you share:
- The AWS region
- The AWS Account ID of the AWS account hosting your transit gateway
- The AWS Transit Gateway ID
Static routing will return to the transit gateway listed.
TGW peering is initiated from the PingOne Advanced Services platform. To create the connection, the peering will be initiated and you'll need to accept the transit gateway peering request.
Transit Gateway (TGW) RAM share requirements
You initiate the TGW RAM share from your transit gateway infrastructure. Configure that gateway using:
- The PingOne Advanced Services AWS region
- The PingOne Advanced Services AWS account IDs
Then, configure RAM share using:
- Your Transit Gateway IDs
- A document that maps transit gateway to PingOne Advanced Services and explains which networks will be connected to which environments
Static routing will return to the transit gateway listed.