Network connectivity with Cloud Platform

Guidewire provides standard options to establish reliable and efficient data transmission between your self-managed infrastructure and Guidewire Cloud on Amazon Web Services (AWS).

Data transmission

You connect your data center to Guidewire Cloud over the public Internet. To improve performance and reliability, you can use AWS networking services, such as AWS Direct Connect, to create high-throughput network connections from your data center to AWS.

The primary data transmission needs between your environment and Guidewire Cloud are:

  • Migration of your self-managed database to Guidewire Cloud.

  • Ongoing connections between Guidewire Cloud and your self-managed or third-party systems.

Connections to Cloud Platform

Once your applications run in Guidewire Cloud, you might need connections between those applications and external systems. This is typically for the following uses:

  • Inbound communication

    External users or systems connect to a Guidewire Cloud service by accessing its user interface or by calling its APIs. For example, users connect to the InsuranceSuite web user interface. If you have an external portal or an integration with Salesforce, those systems can call the APIs exposed by Guidewire Cloud services.

  • Outbound communication

    Guidewire Cloud applications connect to external systems. For example, an application might connect to LexisNexis, a credit scoring service, or to one of your self-managed services such as a unique ID generator.

All network communication from Guidewire Cloud Platform (GWCP) to external services uses the public Internet over TLS/TCP. Communication primarily uses HTTPS, but can also use email and messaging protocols.

Security mechanisms for connections

GWCP provides several mechanisms to help secure your connections:

  • All connections to Guidewire Cloud are restricted to approved and allowlisted IP addresses.

  • Connections to Guidewire Cloud application user interfaces and APIs use HTTPS over TLS.

  • API connections can optionally use mTLS.

Reverse proxy

Guidewire doesn't recommend setting up a reverse proxy for connecting to Guidewire Cloud Platform. If your network architecture requires one, you must configure a transparent reverse proxy and verify the following attributes:

  • Target FQDN

    The client must use the official Guidewire fully qualified domain name (FQDN), and traffic must be routed through the proxy.

  • Server Name Indication (SNI) headers

    Configure the proxy to send the correct SNI headers to support a successful TLS handshake and correct routing.

  • Host headers

    Preserve the original Host headers and pass them unchanged through the reverse proxy to the GWCP endpoint.
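The following nginx configuration is an added example, not Guidewire's own, of a transparent reverse proxy that satisfies the three attributes above; the FQDN, resolver address and certificate paths are placeholders, and it assumes your internal DNS resolves the official GWCP FQDN to this proxy so clients keep using that name.

```nginx
# Placeholder for the official Guidewire FQDN (replace with the real one).
# Clients resolve this name to the proxy via internal DNS; the proxy forwards
# to the same name upstream, so the target FQDN is never rewritten.
resolver 10.0.0.2 valid=30s;   # assumed internal resolver; needed because proxy_pass uses a variable

server {
    listen 443 ssl;
    server_name app.tenant.example;   # placeholder GWCP FQDN

    ssl_certificate     /etc/nginx/tls/proxy.crt;   # assumed paths for the proxy's own cert
    ssl_certificate_key /etc/nginx/tls/proxy.key;

    location / {
        # Target FQDN: forward to the official name, not to an IP address or an alias.
        set $gwcp_fqdn app.tenant.example;
        proxy_pass https://$gwcp_fqdn;

        # SNI: nginx does not send SNI upstream by default, which breaks the TLS
        # handshake and routing on the GWCP side. Send the GWCP FQDN explicitly.
        proxy_ssl_server_name on;
        proxy_ssl_name $gwcp_fqdn;

        # Verify the upstream certificate against that FQDN so the proxy cannot be
        # pointed at the wrong endpoint without failing loudly.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;   # assumed CA bundle path
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Host header: the nginx default (proxy_set_header Host $proxy_host) rewrites
        # Host to the proxy_pass name. $http_host passes the client's original Host
        # header through unchanged, including any port.
        proxy_set_header Host $http_host;

        # Do not rewrite Location or Refresh headers in responses either.
        proxy_redirect off;
    }
}
```

Leaving out `proxy_ssl_server_name on` or `proxy_set_header Host $http_host` is the usual cause of a proxy that appears non-transparent to the GWCP endpoint.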

To keep your data secure and reduce latency, you can set up private access to your applications so you don't expose them to the public Internet. You can connect your applications and Guidewire Cloud over AWS PrivateLink, using private IP addresses. AWS PrivateLink provides connections between AWS Virtual Private Clouds (VPCs). GWCP supports AWS PrivateLink for inbound and outbound connections. For details, see PrivateLink.

Database migration to Guidewire Cloud

As part of your migration from self-managed products to Guidewire Cloud, you must perform a one-time migration of your data.

To migrate your self-managed database to Guidewire Cloud, transfer a database backup to your dedicated Guidewire S3 bucket on AWS. Guidewire provides this secured S3 bucket for your transfer. Although you can make this transfer over a standard Internet connection, Guidewire recommends using Direct Connect with a public virtual interface (VIF) for large transfers such as database backups.

Direct Connect, integrated with the GWCP S3 public VIF, provides a fast and consistent connection that you can use to transmit data from your data center to the public IP of the S3 bucket. When your database transfer is complete, work with your Guidewire Professional Services partner to restore the backup directly to a Guidewire Cloud database. A private connection such as VPN isn't supported for this data transfer.

Set up AWS Direct Connect

To set up AWS Direct Connect, your organization must work directly with a vendor from the Amazon provider network. You might already have an existing relationship with one of these providers. To find a preferred AWS partner in your area, use the AWS Direct Connect Partners page.

Direct Connect is available with several capacity options: 1 Gbps, 10 Gbps, and 100 Gbps. For transmitting your self-managed database to Guidewire Cloud, you must use a connection of 10 Gbps or greater. This capacity provides a throughput of roughly 1 TB per hour, which is required to minimize downtime during the upgrade deployment.

Large databases and phased transfers

For larger databases where the transmission time would exceed the allocated time, you might need to perform the database transfer in multiple phases. After the initial transmission of the full database backup, you must also transfer any subsequent database changes.

The mechanism for transferring these differences depends on the database technology that you use:

  • For Microsoft SQL Server, perform a differential backup and then transfer it through Direct Connect to the Guidewire S3 bucket.

  • For Oracle, Guidewire establishes a temporary VPN (or AWS PrivateLink) connection between a Guidewire-owned AWS Virtual Private Cloud (VPC) and your data center. Guidewire then uses the AWS Data Migration Service (DMS) to connect to your database through JDBC and stream the database changes to the Guidewire S3 bucket.

Access production data

GWCP provides two options for accessing production InsuranceSuite application data:

  • Real-time database queries
  • Database snapshot

Real-time database queries

You can query your production InsuranceSuite application data from GWCP in real time. Accessing live application data can support reporting, data warehousing, or downstream integrations that rely on current production data.

Note:

Real-time data access is an add-on option for GWCP. To enable this feature, contact Guidewire.

You can run SQL queries against the production database using your own SQL tools. These queries might return personally identifiable information (PII) that isn't masked. Make sure that you handle any PII securely and follow your organization's data protection policies.

Set up real-time data access

For performance and security, real-time data queries use an AWS PrivateLink network connection. For details on configuring PrivateLink, see PrivateLink.

After your network is set up, Guidewire provides a PrivateLink endpoint for the database. Use this endpoint in your SQL tools to run real-time queries against your production data.