Accessing Private U-M Resources from Pantheon

There are two ways to access private university resources from Pantheon: the U-M Pantheon Secure Tunnel and Pantheon’s Secure Integration feature. ITS recommends using the U-M Pantheon Secure Tunnel and advises against using Pantheon’s Secure Integration. For more details about Pantheon’s Secure Integration, see the list at the bottom of this page.

U-M Pantheon Secure Tunnel Overview

The Secure Tunnel is a standard VPN tunnel between Pantheon and university networks.

Here are the key points:

  • Optional feature: The Secure Tunnel must be enabled for each website that needs to use it.
     
  • Unidirectional, limited tunnel: The tunnel only handles traffic from your website to specifically configured university systems not accessible from the public internet. Traffic to other university systems is still sent over the public internet. The tunnel also does not handle any traffic originating from the university that is sent to Pantheon websites; that traffic is sent over the public internet and through Pantheon’s CDN and other infrastructure.
     
  • Site-Wide Availability: Enabling the Secure Tunnel for a Pantheon site makes it available for all environments within that site.
     
  • Controlled Access: For security purposes, the U-M Pantheon Secure Tunnel only allows traffic specifically allow-listed for your website. This means a website configured to use the Secure Tunnel can only access U-M network resources that you requested.
     
  • Cost: ITS is currently covering all costs for the Secure Tunnel.

Requesting Secure Tunnel for your website

To establish a secure tunnel from your Pantheon website to campus resources not accessible via the public internet, follow these steps. Please be aware that Pantheon may take 3-4 weeks to configure your website to use the university’s VPN tunnel.

Preliminary Requirements

  • Verify Your Pantheon rate plan: Your website must be on a paid Pantheon plan. Pantheon will not enable the secure tunnel for websites on the Sandbox plan.
    • Recommendation: ITS recommends moving your website to Pantheon’s Basic plan while setting up the secure tunnel. Complete any necessary configurations before publishing your website. You can change to a different plan after setup if needed. Using the Basic plan during setup may save money.

  • Gather the connection information for the private U-M system your website needs to connect to. You will need to know the destination IP address(es), the port(s), and the protocol (TCP or UDP). If the system is managed by another team, you may need to contact them for this information.

Submit Your Request

Send an Email Request: Email [email protected] with the following information:

  • Pantheon Site Name
  • Site ID (hex string)
  • Tunnel Connection Information:
    • Port:
    • Protocol:
    • Destination IP:

Once you have submitted your request, Pantheon may take 3-4 weeks to configure your website to use the university’s VPN tunnel. You can proceed with the next step below while you are waiting for Pantheon to fulfill the request.

Network Configuration

This step can be done while you are waiting for Pantheon to configure your website to use the Secure Tunnel.

Configure Access: Ensure the non-publicly-accessible U-M systems your website uses will accept connections from the secure tunnel IP address ranges. Choose one of the following options:

  • Option 1: Allow connections from the 10.238.24.0/24 network range for the applicable protocol and port (note: this range may change in the future).
  • Option 2: Allow connections from all university networks (including RFC 1918 private IP address ranges) for the applicable protocol and port. See the Network Addresses page on the ITS website.

Note: If a system is run by another group at the university, you may need to contact them to adjust their firewall and other access controls.
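The firewall step above, as an added example that is not part of the ITS page: it validates the protocol/port/destination triple before you send it to ITS, and prints the host-firewall rule (firewalld rich rule or iptables) that admits only the Secure Tunnel range from Option 1. Only the 10.238.24.0/24 range comes from the page; the function names, the port and the destination address are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the ITS page: check a Secure Tunnel request and
# emit the host-firewall rule for Option 1 (tunnel range only).
# Only the tunnel range is from the page; the port and address values in
# the usage section are constructed placeholders.

TUNNEL_RANGE="10.238.24.0/24"   # Secure Tunnel source range (may change)

# valid_request PROTO PORT DEST_IP -> 0 if well-formed, 1 otherwise.
# Rejects a protocol other than tcp/udp, a port outside 1-65535, and a
# destination that is not a dotted IPv4 address.
valid_request() {
  proto=$1; port=$2; dest=$3
  case "$proto" in tcp|udp) ;; *) return 1 ;; esac
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  case "$dest" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
  old_ifs=$IFS; IFS=.
  set -- $dest                                     # split into octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in '') return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# firewalld_rule PROTO PORT -> firewall-cmd command admitting only the tunnel range
firewalld_rule() {
  printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept'\n" \
    "$TUNNEL_RANGE" "$2" "$1"
}

# iptables_rule PROTO PORT -> equivalent rule for hosts without firewalld
iptables_rule() {
  printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' \
    "$TUNNEL_RANGE" "$1" "$2"
}

# Usage with constructed values: a MySQL listener on a private U-M host.
if valid_request tcp 3306 10.0.0.5; then
  firewalld_rule tcp 3306
  iptables_rule tcp 3306
else
  echo "request details are malformed; fix them before emailing ITS" >&2
fi
```

The printed commands are meant to be reviewed and then run (with `firewall-cmd --reload` afterwards) by whoever administers the private system; they admit only the tunnel range, not all of the university's address space (Option 2).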

Post-Configuration

Verify and Configure Software: Once Pantheon has configured the secure tunnel, your website can reach the requested IP address/port/protocol combinations via the U-M/Pantheon VPN. Ensure your website has the necessary software installed and configured correctly. If your website does not already have the required software, you will need to install it.

Pre-installed Software

The software for the following services comes pre-installed and configured by default on all Pantheon websites:

  • MySQL and MariaDB: Pantheon provides MySQL/MariaDB client libraries and PHP extensions that work with the database version your website uses. If your website needs to access a U-M MySQL/MariaDB database that is not compatible with the database your website uses, first check whether you can upgrade either your website’s database or the U-M database you are connecting to.
  • Oracle: Pantheon provides Oracle Instant Client version 21.12. The Enterprise Data Warehouse and MPathways databases are currently compatible with this client.
  • Denodo
  • ODBC: Should work, but it has not been tested.
  • HTTPS Services: Any service accessible over HTTPS (REST, SOAP, XMLRPC) that does not require additional software installation.

Additional Services

Other services may work if they do not require additional software beyond what Pantheon provides. It may be possible to install the necessary software if:

  • The software is pure PHP (no external binaries beyond what is available on Pantheon).
  • The software installs successfully via Composer.
  • The software has x86_64 binaries that can be installed in an arbitrary folder and work correctly under Rocky Linux 8 / CentOS 8 without additional dependencies.

Limitations

Pantheon will not:

  • Install additional RPMs.
  • Modify Nginx, PHP, or PHP-FPM configurations for any customer.
  • Provide support for any software that uses the secure tunnel.

Support

If you encounter problems with the secure tunnel or software using it, or if you have any questions or requests, please contact [email protected] for assistance.

Pantheon Secure Integration vs. Secure Tunnel

Pantheon Secure Integration is available to all Pantheon customers, but it is not suitable for most U-M needs. While it is included under the U-M contract and Pantheon has repeatedly encouraged U-M to use it, there are several reasons to avoid it for U-M websites:

  • Code Modification: It requires modifications to your website's PHP code.
  • Complex Implementation: You must implement it multiple times if you need to access multiple services.
  • Limited Portability: It is a proprietary solution, which means it cannot be used if you move to another web hosting vendor.
  • API Requirement: It generally (but not always) requires you to create, set up, and maintain a special API on U-M's network. Your website would then need to make HTTP REST calls to this API, which would access your MiDatabase instance (or other system) using the appropriate database driver and return the query results to your website.

Secure Tunnel is designed specifically for the university’s business needs and is included as part of our contract with Pantheon. Key features and advantages include:

  • Actual VPN Tunnel: It provides a true VPN tunnel between Pantheon and the University.
  • No Code Changes: Your website's PHP code does not need to be modified.
  • No Special API Needed: Your website works the same way on Pantheon as it does on university networks.
  • Industry Standard: It is a standard solution that will work with most web hosting vendors that support enterprise-level hosting.
  • Unified Solution: It is not related to Secure Integration in any way.

Support and Documentation: Pantheon neither documents nor supports the Secure Tunnel directly. For all secure tunnel requests and support, contact [email protected].

Important Note: If you try to open a support ticket with Pantheon regarding the Secure Tunnel, they may confuse it with Secure Integration, leading to a frustrating experience for both parties. This is because U-M is one of only a few Pantheon customers that have a Secure Tunnel, and it is not a documented or supported Pantheon feature.

Last Updated: Friday, November 22, 2024