ServiceNow Firewall network architecture

Go to solution
vladimircheresh
Kilo Contributor

‎01-23-2018 06:58 AM

Hello,

Can someone elaborate on the following network diagram below that seems to be the standard for SNOW customers, in particular the pair of firewalls on the left-hand side (ServiceNow datacenter).

Are those firewalls owned and managed by ServiceNow in their datacenters? My impression is that there is no firewalls filtering inbound/outbound traffic from/to ServiceNow side but only can be within customer network font of any customer servers (right-hand side).

Normally users/MID can reach any ServiceNow Instance via HTTPS without any firewall configuration on SNOW side and it's open network by default. Am I correct?

find_real_file.png

Preview file
93 KB
0 Helpfuls
  • 5,507 Views
1 ACCEPTED SOLUTION

Go to solution
bernyalvarado
Mega Sage
In response to vladimircheresh

‎01-23-2018 09:30 AM

Hi Vladimir,



Perhaps the picture you posted is cropped or something but the only thing I can see on the left side of your picture is the ServiceNow side.



Still, to answer your question... anything that is available at the internet level should be accessible from ServiceNow. For instance, lets say I want to call an API from XYZ internet service; ServiceNow is capable of doing that. There are no rules that needs to be configured for that. Same will apply for a "sftp" at the customer side that is open to all the world; that will then be available to ServiceNow as well.



In general terms, if it's open ServiceNow can reach to it. If it's restricted by network configurations, etc... then a MID Server must exist within that network segment.



find_real_file.png



Thanks,


Berny


View solution in original post

Preview file
355 KB
0 Helpfuls
8 REPLIES 8

Go to solution
sergiu_panaite
ServiceNow Employee
ServiceNow Employee

‎01-23-2018 07:27 AM

You're right when you say "users/MID can reach any ServiceNow Instance via HTTPS without any firewall configuration on SNOW side" but the ServiceNow network is a bit more complex than your picture, there are several layers of different types of screening. The general idea is that yes, you can reach ServiceNow instance as long as you use HTTPS and no extra configuration is needed on our side.


Go to solution
vladimircheresh
Kilo Contributor
In response to sergiu_panaite

‎01-23-2018 07:50 AM

Hi Sergiu,



Thanks for the answer. Do you know if there is special cases when you need to open ports on the left bottom firewall (SNOW outbound to customer network + no VPN) who would be normally responsible?



Example:


Create SFTP configuration in SNOW to pull data from a customer server (not sure if port 22 is allowed on SNOW side by default.)


Let's assume it is not.



Is it ServiceNow network team that needs to be engaged in such cases for that left bottom piece of firewall?



Thanks!



Best Regards,


0 Helpfuls

Go to solution
bernyalvarado
Mega Sage

‎01-23-2018 08:06 AM

Hi Vladimir,



The top left part of the diagram should be transparent to customers. So you don't have to worry about that. You can still do all the great stuff you would like to do... like SFTP, SSH, etc... ... how? Through the MID Server.



The MID Server is the key component that is missing on your diagram that allows the communication between the ServiceNow instance and the customer's network.



Thanks,


Berny