Network connectivity with Cloud Platform
Guidewire provides standard options to establish reliable and efficient data transmission between your self-managed infrastructure and Guidewire Cloud on Amazon Web Services (AWS).
Data transmission
You connect your data center to Guidewire Cloud over the public Internet. To improve performance and reliability, you can use AWS networking services, such as AWS Direct Connect, to create high-throughput network connections from your data center to AWS.
The primary data transmission needs between your environment and Guidewire Cloud are:
-
Migration of your self-managed database to Guidewire Cloud.
-
Ongoing connections between Guidewire Cloud and your self-managed or third-party systems.
Connections to Cloud Platform
Once your applications run in Guidewire Cloud, you might need connections between those applications and external systems. This is typically for the following uses:
-
Inbound communication
External users or systems connect to a Guidewire Cloud service by accessing its user interface or by calling its APIs. For example, users connect to the InsuranceSuite web user interface. If you have an external portal or an integration with Salesforce, those systems can call the APIs exposed by Guidewire Cloud services.
-
Outbound communication
Guidewire Cloud applications connect to external systems. For example, an application might connect to LexisNexis, a credit scoring service, or to one of your self-managed services such as a unique ID generator.
All network communication from Guidewire Cloud Platform (GWCP) to external services uses the public internet over TLS/TCP. Communication primarily uses HTTPS, but can also use email and messaging protocols.
Security mechanisms for connections
GWCP provides several mechanisms to help secure your connections:
-
All connections to Guidewire Cloud are restricted to approved and allowlisted IP addresses.
-
Connections to Guidewire Cloud application user interfaces and APIs use HTTPS over TLS.
-
API connections can optionally use mTLS.
Reverse proxy
Guidewire doesn't recommend setting up a reverse proxy for connecting to Guidewire Cloud Platform. If your network architecture requires one, you must configure a transparent reverse proxy and verify the following attributes:
-
Target FQDN
The client must use the official Guidewire fully qualified domain name (FQDN), and traffic must be routed through the proxy.
-
Server Name Indication (SNI) headers
Configure the proxy to send the correct SNI headers to support a successful TLS handshake and correct routing.
-
Host headers
Preserve the original Host headers and pass them unchanged through the reverse proxy to the GWCP endpoint.
PrivateLink connections
To keep your data secure and reduce latency, you can set up private access to your applications so you don't expose them to the public Internet. You can connect your applications and Guidewire Cloud over AWS PrivateLink, using private IP addresses. AWS PrivateLink provides connections between AWS Virtual Private Clouds (VPCs). GWCP supports AWS PrivateLink for inbound and outbound connections. For details, see PrivateLink.
InsuranceSuite database migration to Guidewire Cloud
To migrate a self-managed InsuranceSuite database to Guidewire Cloud, you must safely transfer your database backup to the cloud environment. For an overview of the migration process, see Transmit Encrypted Files to S3 Bucket.
Access production data
GWCP provides two options for accessing production InsuranceSuite application data:
- Real-time database queries
- Database snapshot
Real-time database queries
You can query your production InsuranceSuite application data from GWCP in real time. Accessing live application data can support reporting, data warehousing, or downstream integrations that rely on current production data.
Real-time data access is an add-on option for GWCP. To enable this feature, contact Guidewire.
You can run SQL queries against the production database using your own SQL tools. These queries might return personally identifiable information (PII) that isn't masked. Make sure that you handle any PII securely and follow your organization's data protection policies.
Set up real-time data access
For performance and security, real-time data queries use an AWS PrivateLink network connection. For details on configuring PrivateLink, see PrivateLink.
After your network is set up, Guidewire provides a PrivateLink endpoint for the database. Use this endpoint in your SQL tools to run real-time queries against your production data.