Identity Cloud

Create private network connections with Secure Connect

You can use ForgeRock Secure Connect to provide dedicated, direct, and secure communication between your Identity Cloud network and your private network, such as an on-premises data center or IaaS provider. Secure Connect bypasses the public internet, improving latency, throughput, and security.

[Figure: Secure Connect network diagram]

Secure Connect is only available in development, UAT (user acceptance testing), staging, and production environments; it is not available in a sandbox environment.

Identity Cloud limited availability feature

Secure Connect is a limited availability feature. Contact your ForgeRock representative if you are interested.

Use cases

The following are examples of how you might use Secure Connect:

  • Call an API endpoint in your private network from a journey script or journey authentication node in Identity Cloud.

  • Send Identity Cloud emails from an internal MX/SMTP server not exposed to the public internet.

  • Resolve an internal DNS name using a private DNS server; for example, an internal DNS name using the .company domain extension.

  • Access PII or classified data that must not be sent over the public internet.

Supported services

ForgeRock supports the following services using Secure Connect:

  • DNS for internal domain names (53/udp)

  • HTTP outbound (Identity Cloud → private network service) (80/tcp & 8080/tcp)

  • HTTPS outbound (Identity Cloud → private network service) (443/tcp)

  • HTTPS inbound (private network service → Identity Cloud) (443/tcp)

  • SMTP outbound (Identity Cloud → private network service) (25/tcp)

  • SMTPS outbound (Identity Cloud → private network service) (587/tcp; this is the mail submission port, which normally negotiates TLS with STARTTLS rather than implicit TLS)

This list covers the services ForgeRock explicitly tests. You may test and use additional services to support your own private network use cases, but those are not covered by ForgeRock's testing.

Configure DNS

To support Secure Connect, configure your company’s DNS to avoid collisions. Collisions can occur when the same IP address is allocated to resources inside different private networks and one or both private networks advertise the address publicly. This can cause traffic destined for one network to be incorrectly routed to the other network.

To avoid collisions, separate your company’s DNS configuration into public and private zones. The private zone can advertise resources reachable using public and private addresses, but the public zone should only advertise resources reachable using public addresses and should not advertise private addresses.

For more information, refer to RFC 1918.
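A practical check for the split-zone rule above is to scan the records you publish in the public zone and flag any A/AAAA record whose value is an RFC 1918 (or IPv6 unique-local) address. The following is an added example, not ForgeRock tooling or the page's own code; the zone-file format it parses (name, optional TTL, optional class, type, value) and the sample records are constructed for illustration:

```python
"""Flag private addresses published in a public DNS zone (added example).

Assumptions, not from the ForgeRock page: records arrive as simple
zone-file lines ("name [ttl] [IN] type value"), and the public zone must
never carry RFC 1918 addresses (or IPv6 unique-local addresses, fc00::/7,
which play the same role for IPv6).
"""
import ipaddress
from typing import List, Tuple

# RFC 1918 IPv4 ranges plus the IPv6 unique-local range.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Constructed sample public zone; 203.0.113.0/24 is documentation space.
PUBLIC_ZONE = """
; constructed example data, not a real zone
www.example.com.      300 IN A    203.0.113.10
api.example.com.      300 IN A    203.0.113.11
intranet.example.com. 300 IN A    10.20.30.40
vpn.example.com.      300 IN AAAA fd00:1::10
mail.example.com.     300 IN MX   10 mx.example.com.
"""


def is_private_address(value: str) -> bool:
    """True if value parses as an IP address inside one of PRIVATE_RANGES."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # not an IP literal (e.g. an MX or CNAME target)
    return any(addr.version == net.version and addr in net for net in PRIVATE_RANGES)


def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Parse simplified zone lines into (name, TYPE, value) tuples.

    Comments (';') and blank lines are skipped; the TTL and 'IN' class
    fields are optional, as they are in real zone files.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        name, rest = parts[0], parts[1:]
        if rest and rest[0].isdigit():      # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"malformed record: {raw!r}")
        records.append((name, rest[0].upper(), " ".join(rest[1:])))
    return records


def audit_public_zone(records: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (name, address) pairs for A/AAAA records that leak private addresses."""
    return [
        (name, value)
        for name, rtype, value in records
        if rtype in ("A", "AAAA") and is_private_address(value)
    ]


if __name__ == "__main__":
    for name, addr in audit_public_zone(parse_zone(PUBLIC_ZONE)):
        print(f"public zone leaks private address: {name} -> {addr}")
```

Run it against an export of your public zone before enabling Secure Connect; every hit is a name that belongs in the private zone only.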

FAQs

Can I still access Identity Cloud API endpoints over the public internet?

Yes, Identity Cloud API endpoints are still available over the public internet; however, Secure Connect also exposes the same API endpoints privately to let you communicate between your private network and Identity Cloud:

  • Communicate inbound by calling API endpoints in your Identity Cloud tenant environments from your private network.

  • Communicate outbound by calling API endpoints in your private network from your Identity Cloud tenant environments.

Can I still access the Identity Cloud admin UI over the public internet?

Yes, the Identity Cloud admin UI is still available over the public internet and cannot be made private.

How do I communicate securely with my tenant environments?

When you provision Secure Connect, you provide ForgeRock with a CIDR range for each tenant environment. ForgeRock uses these ranges to create an internal endpoint for each Identity Cloud tenant environment. You then create private DNS records for these endpoints and a self-managed TLS certificate for the private names.

How do I communicate securely to my private network?

For services such as SMTP that your tenant environments connect to over TLS, ForgeRock can add your CA certificate to the trust store of your tenant environments, so that certificates issued by your private CA are validated. For assistance with this, refer to Send ForgeRock a CA or TLS certificate.

Can I connect Google Cloud to another cloud provider? For example, AWS?

Yes, you can connect Google Cloud to another cloud provider. In the example of AWS, you separately implement AWS Direct Connect, then set up virtual routing in your private network between Google Cloud and AWS. For more information, refer to Partner Interconnect with multi-cloud enabled partners.

Google Cloud Interconnect

Secure Connect uses Google Cloud Interconnect to implement private network connections between your Identity Cloud tenant environments and your private network:

To implement this, ForgeRock creates VLAN attachments associated with a Cloud Router in your Identity Cloud network. The Cloud Router establishes a BGP session between each VLAN attachment and the corresponding router in your private network, and learns the routes your router advertises; these are added as custom dynamic routes in your Identity Cloud network. The Cloud Router in turn advertises routes for your tenant environments, using the CIDR blocks you specify during provisioning.
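Because the tenant CIDR blocks you specify are advertised over BGP into your private network, and your private network's routes are imported into the Identity Cloud network, any overlap between them is exactly the collision the DNS section warns about. The following is an added example (not ForgeRock tooling) that validates a proposed addressing plan before you send it to ForgeRock; it assumes one IPv4 CIDR per tenant environment and a list of the prefixes your router will advertise, and the sample plan is constructed:

```python
"""Validate a Secure Connect addressing plan (added example, not ForgeRock code).

Assumptions, not from the page: one IPv4 CIDR per tenant environment, a
list of on-prem prefixes that will be advertised over BGP, and the rules
that every block must be RFC 1918, have no host bits set, and overlap no
other block in the plan.
"""
import ipaddress
from typing import Dict, List

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample plan. 192.0.2.0/24 is documentation space, not RFC 1918,
# and the prod block deliberately collides with an on-prem route.
TENANT_CIDRS = {"dev": "10.200.0.0/24", "staging": "10.200.1.0/24", "prod": "10.200.2.0/24"}
ONPREM_ROUTES = ["10.0.0.0/16", "10.200.2.0/25", "192.0.2.0/24"]


def check_plan(tenant_cidrs: Dict[str, str], onprem_routes: List[str]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the plan is clean."""
    problems: List[str] = []
    nets = {}

    labelled = [(f"tenant:{env}", cidr) for env, cidr in tenant_cidrs.items()]
    labelled += [(f"onprem[{i}]", cidr) for i, cidr in enumerate(onprem_routes)]

    for label, cidr in labelled:
        try:
            # strict=True rejects e.g. 10.200.2.5/24, which hides a typo in the prefix.
            nets[label] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{label} {cidr} is not a valid prefix ({exc})")

    for label, net in nets.items():
        if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{label} {net} is not an RFC 1918 block")

    labels = list(nets)
    for i in range(len(labels)):
        for j in range(i + 1, len(labels)):
            a, b = nets[labels[i]], nets[labels[j]]
            if a.version == b.version and a.overlaps(b):
                problems.append(f"{labels[i]} {a} overlaps {labels[j]} {b}")
    return problems


if __name__ == "__main__":
    for problem in check_plan(TENANT_CIDRS, ONPREM_ROUTES):
        print(problem)
```

Run the check with every prefix your router will advertise, not only the ones you expect Identity Cloud to use; BGP will carry all of them.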

Availability

You can configure Google Cloud Interconnect to support three-nines availability or four-nines availability. The following table summarizes the different approaches:

Three-nines (99.9%)

  Guidance: Recommended only for non-critical applications where downtime can be tolerated.

  Requirements: At least two Interconnect connections. The connections must be located in the same metropolitan area, but in different edge availability domains (metropolitan availability zones).

Four-nines (99.99%)

  Guidance: Recommended for most production applications.

  Requirements: At least four Interconnect connections: two in one metropolitan area and two in another. Connections in the same metropolitan area must be placed in different edge availability domains (metropolitan availability zones).

Partner Interconnect service providers

Equinix Fabric

Secure Connect uses the Partner Interconnect service for Equinix Fabric to provide private network connections between your Identity Cloud tenant environments and an Equinix private network.

To set up Partner Interconnect and Equinix in Identity Cloud, refer to Configure Secure Connect with Equinix.

Copyright © 2010-2024 ForgeRock, all rights reserved.