VPN connection for Enterprise Insights VPC

Atlassian offers a virtual private network (VPN) connection option for Jira Align Enterprise Insights virtual private cloud (VPC) environments. This offering is only available for instances that have VPC offerings for both Jira Align and Enterprise Insights (EI).

On this page:

• What is the VPN connection to Enterprise Insights?
• Connection diagram for VPN
• Connectivity requirements
• The set up process

What is the VPN connection to Enterprise Insights?

The VPN connection option for Enterprise Insights VPC is a private route-based VPN connection between your Enterprise Insights instance and your corporate network. This connection is enabled by using a public cloud provider such as Google Cloud Platform (GCP) or Amazon Web Services (AWS).

Note that policy-based and hardware-based VPN connections are not supported.

The VPN connection is an option for environments who are unable to use IP allow listing to control access to Enterprise Insights. It’s also an alternative to using Azure private links, for environments that don’t have access to an Microsoft Azure presence.

Standard vs. VPN connection options

Connection diagram for VPN

Connectivity requirements

To successfully set up a connection to your Enterprise Insights instance using VPN, you’ll need the right people, network configuration, and security considerations. Below is a summary of what’s required. For more details, see the Enterprise Insights VPN Connectivity Questionnaire.

Advanced network point of contact

The most important part of successfully enabling the VPN connection is providing a point of contact from your network administration team. Because this implementation is highly technical and adaptable to unique environments, our services and engineering staff must work closely with someone in your organization. An ideal point of contact will have in-depth knowledge of your network and infrastructure.

Cloud VPN gateway and IP addresses

You’ll need to set up an HA VPN gateway within your network, in order to provide the endpoints that will connect to Enterprise Insights, hosted on Microsoft Azure. You can set this up with public cloud providers such as Google Cloud or Amazon Web Services. Only route-based VPN connections are supported. For more information and examples, see Google’s documentation: Create HA VPN connections between Google Cloud and Azure

IP addresses will be needed to connect through the VPN gateway. We’ll ask you to provide public and private endpoints.

Shared secret

To authenticate between Enterprise Insights and your VPN gateway, you’ll need to generate a shared secret key, also known as a pre-shared key (PSK). This shared secret must be 32 characters, and sent securely from your network point of contact to our support team.

You can use a generator such as the one provided by Google to create the shared secret: Generate a strong pre-shared key

Tools such as Yopass and One-Time Secret can be used to encrypt and provide the shared secret.

Security measures

Security is an important consideration before setting up the VPN connection. Once the connection is established, a two-way tunnel exists between the VPC hosting Jira Align Enterprise Insights and your network. A malicious actor who gains access to the tunnel could potentially compromise your entire network. Ensure that your network is protected from the gateway and endpoints used to connect to Enterprise Insights.

The set up process

To set up a VPN connection for Enterprise Insights, perform the following steps:

1. Ensure you have purchased the virtual private cloud (VPC) option for both Jira Align and Enterprise Insights. If you have not yet purchased VPC, contact your Enterprise Advocate or Atlassian partner.
2. Notify your Solutions Engineer or Atlassian partner that you’d like to set up a VPN connection for EI. Designate a networking point of contact from your team, and include their info in the request.
3. Work with your network team to ensure the following is available:
   1. TCP port 1433 on your corporate network is open to your VPN gateway.
   2. Select an RFC-1918/26 subnet CIDR private IP address range, which will be used for the Azure Virtual Network that EI is hosted on. This will contain the IP address of the SQL server you’re accessing EI on, so it must be in a range that is routable from your network.
   3. Select two Autonomous System Numberers (ASN), one for each side of the VPN connection. These must be between the ranges of either 64512-65534 or 4200000000-4294967294.
   4. Select a set of four Border Gateway Protocol (BGP) addresses for the VPN tunnels, two for each side of the connection. The addresses must be between 169.254.21.0 and 169.254.22.255.
   5. Select two public IPv4 addresses on your Google Public Cloud or Amazon Web Services VPN gateway, one for each VPN tunnel.
   6. Create a 32 character shared secret that each VPN tunnel will use to authenticate. This will be shared with our support team later.
4. Complete the Enterprise Insights VPN Connectivity Questionnaire and provide it to your Solutions Engineer or Atlassian partner. This form is required by our support team to successfully provision and configure your EI instance, and ensure that the VPN connection is working.
5. Once you’ve confirmed that the network requirements in step 3 are ready, and returned the completed connectivity questionnaire to your Solutions Engineer or partner, a support ticket is created.
6. Through the support ticket, we’ll ask you to provide the shared secret key using a shared secret provider. You can use a provider like Yopass or One-Time Secret to encrypt and forward the shared secret.
7. Our support team works with your Solutions Engineer or partner to facilitate the configuration and set up of the connection.
8. We send you an update through the support ticket, providing you with the EI server name, the Microsoft Azure public IP addresses and VPN gateway, and authentication info.
   1. If you use Azure AD Authentication, you will receive an email for the redemption of Azure guest tenant authentication. For more information, review Microsoft’s article on allowing guest access.
   2. If you use SQL Server authentication, we will provide you with a username and temporary password for each user you’ve requested access for.
9. The private IP address of the Azure SQL server will also be provided. This is the private endpoint IP in the Azure Virtual Network that hosts EI. You will need to create a custom DNS A record within your VPC, overriding the public name of the SQL server. This is so clients are able to resolve the private IP.
   1. Note that with the increased popularity of remote work, it’s possible to have segregated VPNs or corporate networks that allow some traffic off the network, and some traffic on. This could result in a user attempting to access Enterprise Insights from a home IP address if the traffic is not routed correctly. Ensure your network team is ready to provide details on routing if there are challenges with the initial connection.
10. You test the connection to EI from your corporate network. We recommend using SQL Server Management Studio (SMSS) or Azure Data Studio to test this connection while logged into your corporate network.
    1. If you use SQL Server authentication, you can change your temporary password through the SQL code editor after a successful connection test.
11. Once your connection test is successful, the support ticket is closed, and you’re ready to use your data visualization tools with Enterprise Insights!