Deployment and networking requirements

Learn about the deployment architecture based on certificates for HTTPS connections and the associated port, storage, VM and DNS requirements.

Deployment

With this deployment model, all connections to PEG remain within networks that you control.

Architecture

In this architecture, you must create and manage the certificates for HTTPS connections.

Port requirements

The following are the port requirements for ingress and egress IP addresses (all ports are TCP).

Port 22 (TCP)
  • SSH connectivity for the administrator.

Port 443 (TCP)
  • Ingress: desktop sensor and business analyst connectivity over HTTPS (TLS 1.2).
  • Egress: PEG sends redacted data to Process Discovery. Also used to pull down the PEG installer, updates, and so on from our repositories.
  • The sensor connects directly to the Process Discovery cloud to get configuration information only. No collected data is sent directly from the sensor to the Process Discovery cloud.

Port 80 (TCP)
  • Used for redirection from HTTP to HTTPS (443).

Data encryption

Data is encrypted when transmitted from PEG to the Cloud environment. The following are data encryption policy and practices in place to ensure data privacy and security:
  • Secure Transmission Protocol (STP): The PEG system employs HTTPS for all data transmissions to the cloud platform, ensuring the use of encryption in transit and safeguarding against data breaches.
  • Transport Layer Security (TLS) Encryption: Data transferred from PEG to the Cloud is encrypted using the TLS protocol, which is an industry standard for secure web communications.
  • Confidentiality and Integrity: The encryption provided by HTTPS preserves the confidentiality and integrity of the data sent from PEG, preventing unauthorized disclosure and alterations.
  • Authentication via Certificates: The Cloud platform's identity is authenticated using digital certificates as part of the HTTPS protocol, which helps prevent attacks and unauthorized data access.
  • Robust Encryption Algorithms: HTTPS incorporates strong encryption algorithms, including Advanced Encryption Standard (AES) and Rivest–Shamir–Adleman (RSA), to create a secure channel for data exchange.

VM size requirements

The following VM sizes are supported for PEG installation:
  • Microsoft Azure: NC8as T4 v3
  • AWS: g4dn.4xlarge
  • Google Cloud Platform: N1-highmem-8 with 1 nvidia-tesla-t4 GPU

Note: Each PEG VM can handle 10 sensors per calendar week, with each sensor sending data for approximately eight hours each day for five days a week.

Storage requirements

Ensure that your OS or root disk has 2 TB of nearline SSD storage or more. Encrypt the disk using your platform's storage encryption mechanisms.
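A preflight check that a practitioner can run on a PEG host before go-live, covering both the port requirements above (22, 80, 443) and the 2 TB root-disk requirement. This is an added example, not part of the product documentation; it assumes host state is taken from `ss -ltnH` output and from os.statvfs(), and it reports any non-loopback listener outside the documented ports so that it can be closed or firewalled.

```python
"""Preflight check for a PEG host (added example, not the product's own code):
compare listening TCP sockets with the documented ports (22, 80, 443) and the
root disk size with the documented 2 TB minimum. State is assumed to come
from `ss -ltnH` output and os.statvfs()."""
import os

# Ports the documentation requires, with their stated purpose.
REQUIRED_TCP_PORTS = {
    22: "SSH connectivity for the administrator",
    80: "redirect from HTTP to HTTPS",
    443: "HTTPS (TLS 1.2) for sensors and business analysts",
}
MIN_ROOT_DISK_BYTES = 2 * 10**12  # 2 TB (decimal) for the OS/root disk
LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")

# Constructed sample of `ss -ltnH` output; field 4 is Local Address:Port.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 128 *:5432 *:*
"""

def parse_listeners(ss_output):
    """Return the set of (address, port) pairs for every LISTEN line."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition copes with IPv6
        listeners.add((addr, int(port)))
    return listeners

def check_ports(listeners):
    """Return (missing, unexpected): required ports that are not bound, and
    non-loopback listeners on ports outside the documented allowlist."""
    bound = {port for _, port in listeners}
    missing = sorted(set(REQUIRED_TCP_PORTS) - bound)
    unexpected = sorted((a, p) for a, p in listeners
                        if p not in REQUIRED_TCP_PORTS
                        and not a.startswith(LOOPBACK_PREFIXES))
    return missing, unexpected

def check_root_disk(size_bytes):
    """True when the root disk meets the documented 2 TB minimum."""
    return size_bytes >= MIN_ROOT_DISK_BYTES

def root_disk_size(path="/"):
    """Total bytes of the filesystem holding `path`, via os.statvfs()."""
    st = os.statvfs(path)
    return st.f_frsize * st.f_blocks
```

Run it on the real host by replacing SAMPLE_SS_OUTPUT with the output of `ss -ltnH`; a loopback-only listener such as a local object store is accepted, while anything else bound on a public address is flagged.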

Note: The MinIO and K-Lite marks and logo are trademarks or registered trademarks of MinIO and K-Lite Codec Pack and are used for identification purposes only.

MinIO serves as our in-house unstructured data storage and stores all images that are generated by the Process Discovery sensor:
  • Data Protection: MinIO supports erasure coding and bitrot protection to safeguard data against hardware failures and data corruption.
  • Security: MinIO provides robust security features such as encryption in transit (TLS) and at rest, identity and access management (IAM), support for bucket policies, and access control lists (ACLs).

In addition to unstructured data, some text files, such as the pass list and block list, are also stored in MinIO. However, the images are accessed from the K-Lite URL and never directly from MinIO. The storage has browser-based access that can be used during a debugging procedure or when an additional check is required for any original image that has been forwarded.

The following users are supported:
  • A read-only user that K-Lite uses to read images and display them in the UI
  • A storage admin user that can be used for tasks requiring additional permissions

DNS requirements

You will provide PEG with the apex domain name that you want to use (for example, example.com). Based on that, PEG will inform you about the DNS subdomain records that you must create.