- Getting started
- Best practices
- Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Managing Robots
- Connecting Robots to Orchestrator
- Storing Robot Credentials in CyberArk
- Storing Unattended Robot Passwords in Azure Key Vault (read only)
- Storing Unattended Robot Credentials in HashiCorp Vault (read only)
- Storing Unattended Robot Credentials in AWS Secrets Manager (read only)
- Deleting Disconnected and Unresponsive Unattended Sessions
- Robot Authentication
- Robot Authentication With Client Credentials
- Configuring automation capabilities
- Solutions
- Audit
- Settings
- Cloud robots
- Configuring VPN for cloud robots
- Live streaming and remote control
- Folders Context
- Automations
- Processes
- Jobs
- Apps
- Triggers
- Logs
- Monitoring
- Queues
- Assets
- Storage Buckets
- Test Suite - Orchestrator
- Resource Catalog Service
- Integrations
- Troubleshooting
Orchestrator User Guide
Configuring VPN for cloud robots
You can create a VPN gateway for a tenant so that your VM cloud robots or serverless cloud robots can access your on-premises resources that are behind a firewall.
To set up the VPN gateway, you must meet the following requirements:
- Have the knowledge or assistance from your network administrator or someone who has a good understanding of VPN and networking concepts.
- Be an organization administrator in Automation Cloud™.
- Have an Orchestrator role that includes the Machines - Edit permission.
- Each tenant for which you want to create a VPN gateway must have at least 5000 robot units allocated to it.
-
Information from your network administrator:
-
A list of reserved IP address ranges located in your on-premises network configuration, in CIDR notation. As part of configuration, you need to specify the IP address range prefixes that we will route to your on-premises location.
Important:The subnets of your on-premises network must not overlap with the virtual network subnets to which you want to connect.
- Use compatible VPN devices and have the ability and know-how to configure them, as described in About VPN devices for connections - Azure VPN Gateway. For details on the default connection parameters, read the Default policies for Azure.
-
Your VPN device must use externally-facing, public IPv4 addresses.
- A pre-shared key (PSK) for each VPN device.
Note:
The pre-shared key should consist of a maximum 128 printable ASCII characters.
Do not use space, hyphen-
, or tilde~
characters. - You must enter a single IP range, in CIDR notation, with a mask of
/25
.
-
This schema shows how the VPN connection is established between your local network and the networks of your cloud robot VMs.
-
In your local network, set up the IP range (1) for the VPN Gateway. This represents the IP range of your on-prem network.
-
In your local network, provide the IP ranges of the ACR-VM pools (6, 7) to allow their traffic into the network.
-
Set up the IP range of the VPN gateway (4), which represent the underlying resources used to host the VPN Gateway in the cloud. The
/25
is the mandatory suffix for the gateway. This tells your local network that the VPN gateway may require up to 128 IP addresses to operate. -
A public IP is created for the gateway (5), which your local network must target in order to initiate a connection.
-
Your local network connects to the VPN gateway through a site-to-site tunnel (3), and, at this point, the VPN gateway targets the public IP of your local network (2), and your local network targets the public IP of the gateway (5). Your on-premise resources are available in the VPN Gateway and any connected ACR-VM can access them.
-
The ACR-VM pools have separate networks. To connect an ACR-VM pool to the VPN gateway, set up an IP range for that pool (6, 7).
Important:It is important that the IP range of the pools you want to configure (6, 7) do not overlap with any other IP ranges in your entire network space (including your local network (1) and any resources used by the UiPath® VPN Gateway (4)).
To create a VPN gateway for a tenant:
The panel closes and the VPN gateway status is Provisioning. Deploying the gateway can take up to 45 minutes to complete.
When complete, the status Deployed is displayed on the card of the gateway.
The Vnet for a cloud robot template is created when each template is created.
Cloud robots - VM: In Orchestrator, create one or more Cloud robot - VM pools, following the instructions in Creating the cloud robot pool . During setup, make sure to select the Connect VPN Gateway option.
For each pool, you can monitor the VPN status from the Machines > Manage Cloud Robot - VM page.
Existing Cloud robot - VM pools cannot connect to the VPN gateway. You must create new ones.
Additionally, for pools that were set up to connect to the tenant's VPN gateway, you have the option to edit the pool and switch off the Enable VPN Integration toggle to disconnect the pool. Once disconnected, you cannot reconnect the pool to the VPN gateway.
Cloud robots - serverless: In Orchestrator, edit or create Cloud robot - Serverless templates, following the instructions in Automation Cloud™ robots - Serverless . During setup, make sure to configure options on the VPN Setup page.
To configure the VPN gateway to connect to a VPN device:
The panel closes and the new connection is displayed on the Connections page.
The connection is ready to use when the Connection status column displays Connected.
To add more connections, on the Connections page, click Create connection above the table, on the right.
Your network administrator can now:
For a list of supported VPN devices and for RouteBased configuration instructions, see About VPN devices for connections - Azure VPN Gateway in the Microsoft documentation.
The VPN gateway for a tenant is automatically created in the same region as the region of the tenant and you cannot change the region.
Switching to a different region
If a VPN gateway already exists and you chose to move your tenant to a different region, you can either:
- continue to use the gateway in the old region or
- delete the existing VPN gateway and create a new one, which is created in the current region of the tenant.
If you disable a tenant that has a VPN gateway, you have a 60-day grace period before you lose access to your VPN device. After 60 days, your VPN gateway is permanently deleted from your tenants.
If you re-enable the tenant within 60 days, your VPN gateway is not deleted and available for use.