Cloud network infrastructure
What is the Cloud network infrastructure?
The Cloud network infrastructure guide explains how BeyondTrust Secure Remote Access operates within the Secure Remote Access Cloud instance to ensure secure and efficient communication between application components. The application uses the Secure Remote Access Cloud as a central routing point, where all user and remote system sessions occur through the server components of the B Series Appliance.
How is it useful to my organization?
Understanding the network infrastructure helps your organization configure Secure Remote Access to align with corporate policies and regulations by leveraging advanced security features such as role-based access control, secure password enforcement, and comprehensive audit trails. It enables seamless remote control by establishing outbound connections from endpoint systems to the Secure Remote Access Cloud instance, facilitating secure and reliable operations even through firewalls. By understanding this infrastructure, your organization can enhance security and maintain compliance while ensuring smooth remote support operations.
Review BeyondTrust Appliance B Series network infrastructure
Each Secure Remote Access Cloud site comes with a subdomain of the BeyondTrust cloud DNS address, such as yoursite.beyondtrustcloud.com. If customers prefer to use their company web address with their own SSL certificate, they can use a Canonical Name (CNAME) record to point their default site address to the preferred address.
Since this site accesses the /login interface, a simple yet descriptive name is the best practice. For example, a company named Smithson might use access.smithson.com for their CNAME record.
Review sample firewall rules for cloud deployments
Below are example firewall rules for use with Secure Remote Access Cloud, including port numbers, descriptions, and required rules.
Firewall rule | Description |
---|---|
Internal network to the Secure Remote Access Cloud instance | |
TCP Port 80 (optional) | Used to host the portal page without the user having to type HTTPS. The traffic can be automatically redirected to port 443. |
TCP Port 443 (required) | Used for all session traffic. |
Secure Remote Access Cloud instance to the internal network | |
TCP Port 25, 465, or 587 (optional) | Allows the B Series Appliance to send admin mail alerts. The port is set in SMTP configuration. |
TCP Port 443 (optional) | B Series Appliance to web services (e.g., HP Service Manager, BMC Remedy) for outbound events. |
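
The following is an added example, not BeyondTrust code: it audits a first-match firewall policy against the table above, reporting a required port that is not effectively allowed and any allowed TCP ports the table does not list. The `Rule` model, the default-deny fallback, and the sample policies are assumptions constructed for illustration; destinations are not modelled.

```python
from dataclasses import dataclass

OUT = "internal->cloud"  # internal network to the Secure Remote Access Cloud instance
IN = "cloud->internal"   # Secure Remote Access Cloud instance to the internal network

# (direction, TCP port) -> required?  Transcribed from the firewall table above.
TABLE = {
    (OUT, 80): False, (OUT, 443): True,
    (IN, 25): False, (IN, 465): False, (IN, 587): False, (IN, 443): False,
}

@dataclass(frozen=True)
class Rule:              # hypothetical TCP-only rule model, not a vendor format
    direction: str
    ports: range         # range(lo, hi + 1)
    action: str          # "allow" or "deny"

def effective(rules, direction, port):
    """Action of the first matching rule; default deny is an assumption."""
    for r in rules:
        if r.direction == direction and port in r.ports:
            return r.action
    return "deny"

def audit(rules):
    """Return (required entries not allowed, {direction: allowed ports not in the table})."""
    missing = [k for k, required in TABLE.items()
               if required and effective(rules, *k) != "allow"]
    excess = {}
    for d in (OUT, IN):
        allowed = {p for r in rules if r.direction == d and r.action == "allow"
                   for p in r.ports}
        extra = sorted(p for p in allowed
                       if (d, p) not in TABLE and effective(rules, d, p) == "allow")
        if extra:
            excess[d] = extra
    return missing, excess

# Constructed sample policies (not taken from any real firewall).
SAMPLE = [
    Rule(OUT, range(443, 444), "deny"),   # stale block that shadows the allow below
    Rule(OUT, range(80, 444), "allow"),   # 80-443: wider than the table lists
    Rule(IN, range(587, 588), "allow"),   # SMTP port for admin mail alerts
]
FIXED = [Rule(OUT, range(443, 444), "allow"), Rule(IN, range(587, 588), "allow")]

if __name__ == "__main__":
    for name, policy in (("SAMPLE", SAMPLE), ("FIXED", FIXED)):
        missing, excess = audit(policy)
        print(name, "missing:", missing, "excess:", {d: len(p) for d, p in excess.items()})
```

In the sample policy, the earlier deny shadows the later allow, so the required port 443 is reported as missing even though an allow rule covering it exists.
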
Use BeyondTrust Atlas in the cloud
Similar to BeyondTrust Atlas Technology, Atlas in the Cloud is intended for large enterprise customers performing more concurrent sessions than can be effectively or efficiently handled by a single existing B Series Appliance model. This allows an organization to be effectively dispersed over different geographical locations and to access endpoints globally.
Creating a clustered Secure Remote Access environment introduces new terminology: the primary and traffic node concept. The primary node serves as the main point of configuration for the site and also serves as the session initiation point of presence for the entire Secure Remote Access site.
All configuration of the site is handled on the primary node. Even though a cluster consists of multiple B Series Appliances, the /login administrative interface resides on the primary node and propagates most configuration settings to the traffic nodes automatically.
Note
Atlas in the Cloud deployment is handled by BeyondTrust instead of the client.
To access Atlas in the Cloud, go to /login > Management > Cluster. From here you can view:
- Current Status: Confirms the role of the site instance from which you accessed the page.
- Primary Node(s): Displays a list of the primary nodes available.
- Traffic Nodes: You can view traffic nodes, but you cannot add, edit, or delete them. You also cannot turn traffic nodes on or off. Traffic nodes use (customerID)-region.beyondtrustcloud.com for routing, which is controlled by the B Series Appliance, not the customer. Customers only control the primary node name/URL.
- Maximum Client Fallback to Primary: Sets the number of clients allowed to fall back to using the primary for traffic control if necessary.
While most of this page is read-only, you are able to perform a cluster data sync by clicking the Sync Now button. This ensures that the traffic nodes all have the same configuration.
Note
For more information, please see the Atlas cluster user guide.
Hosting locations and disaster recovery
BeyondTrust and your customer data
All customer data is confined to a dedicated instance of BeyondTrust allocated to their organization. The data resides in a siloed BeyondTrust instance and is not shared between customers.
Customers can choose their instance deployment location based on their geographic location and preference. Atlas in the Cloud customers may also choose the deployment locations for each of their traffic node instances.
Amazon Web Services Regions
From a hosting perspective within AWS, Remote Support Cloud and Privileged Remote Access Cloud (collectively SRA Cloud) can be deployed to the AWS regions listed on the BeyondTrust Cloud Region Availability page.
AWS regions and availability zones
Each AWS region has multiple, isolated locations known as Availability Zones to provide customers with data redundancy within the cloud and to support disaster recovery functions. An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. AZs give customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center. All AZs in an AWS Region are interconnected with high-bandwidth, low-latency networking, over fully redundant, dedicated metro fiber providing high-throughput, low-latency networking between AZs. All traffic between AZs is encrypted. The network performance is sufficient to accomplish synchronous replication between AZs. AZs are physically separated by a meaningful distance, many kilometers, from any other AZ, although all are within 100 km (60 miles) of each other.
Note
For more information, see Amazon’s Global Infrastructure and Regions and Zones.
Data redundancy within AWS
SRA Cloud uses AWS EC2 Data Lifecycle Manager to take snapshots of all customer EBS volumes and replicate those snapshots to all AZs within the instance’s AWS Region. Snapshots are taken every 4 hours and retained for 24 hours. A daily snapshot for each instance is retained for 72 hours.
In the event of a disaster, BeyondTrust Cloud Operations can restore services into a different AZ from one of the replicated snapshots.
Note
For more information, see Amazon’s EC2 Data Lifecycle Manager.
BeyondTrust disaster recovery testing & procedures
Formal Business Continuity (BC) and Disaster Recovery (DR) plans have been implemented for the corporate and cloud environment as well as other defined categories related to personnel shortages and environmental disasters. This plan is aligned to ISO 22301, certified, and audited under ISO 27001 and SOC 2 Type II, reviewed by management, tested annually, and approved by BeyondTrust's GRC Committee.
Scenarios have been developed to ensure that our teams have considered various threats and situations when attempting to restore services within the cloud. Such scenarios include the team creating a single tenant instance and intentionally rendering the service inoperable. This allows for various methodologies to be tested, such as redeploying an instance and/or implementing the last known good backup within the service. All DR testing performed by BeyondTrust is conducted through virtualization to avoid impacting our customers' daily operations and the service.
It is important to note that BeyondTrust cloud operations only carries out the DR functionality in the event of a true failure. Our organization does not perform DR procedures to recover data from accidental customer deletions or errors.
Note
For more information regarding Amazon's DR capabilities and testing, see Amazon’s Compliance Program.
Recovery time, recovery point objectives, and cloud uptime
BeyondTrust's Security Requirements states in Section 12.1.2 of Business Continuity Management that our organization is required to update and test the BCP annually at a minimum and is also required to mitigate significant changes to information security risk. With that, recovery time and recovery point objectives are situation specific and will vary depending on the nature of the incident.
The Cloud Service Guide states in Section 4. Availability Service Level, subsection (4) that BeyondTrust's availability SLA for the service shall be 99.9% during a calendar month. From a historical standpoint (Q1 2022 to present), BeyondTrust has exceeded this SLA, with uptime averaging 99.997%, but is unable to commit to anything higher due to these values reflecting the contractual commitments between BeyondTrust and AWS.