To reduce the footprint of the SecurID deployment in your on-premises network environment, you can deploy the identity router in the Amazon Web Services (AWS) cloud.

You can host all of your resources in the AWS Virtual Private Cloud (VPC), or connect your on-premises resources to one or more identity router instances hosted in the VPC. Each resource, including the identity router, can be part of a private or public subnet, or both, depending on connection requirements. If you deploy the identity router in a private subnet, you can deploy a NAT load balancer in the public subnet to direct traffic to and from the identity router.

If your deployment requires high availability, you can set up multiple identity routers in the VPC, and configure your Amazon environment so that each identity router is hosted in a different availability zone.

The following sections describe typical AWS deployments. Before setting up the identity router, refer to your AWS documentation and work with your network administrator to determine the appropriate deployment model to connect your organization's cloud-based and on-premises network resources.

Full Cloud Deployment Full Cloud Deployment

In a full cloud deployment, all of your network resources are deployed in the VPC. A router in the VPC manages traffic between public and private subnets containing the identity router, identity sources, and optional resources such as Authentication Manager. The resources within the VPC communicate with the Cloud Authentication Service and protected web applications through an internet gateway.

Hybrid Cloud DeploymentHybrid Cloud Deployment

In a hybrid cloud deployment, the identity router is deployed in the VPC either alone or in addition to other cloud-based instances, but resources such as identity sources and Authentication Manager are hosted on your on-premises network and connected to the VPC through a VPN gateway or AWS Direct Connect. As in the full cloud deployment, a router in the VPC manages traffic between subnets, and the identity router contacts the Cloud Authentication Service and web applications through an internet gateway.