Network Connectivity Overview

Table of Contents

- Purpose
- Summary
- Internet Access: Overview, Requirements, DDoS Susceptibility
- Public Internet Exchange Peering: Overview, Key characteristics, Requirements, DDoS Susceptibility
- Private Exchange Peering: Overview, Key characteristics, Requirements, DDoS Susceptibility
- Direct Connect: Overview, Key characteristics, Requirements, DDoS Susceptibility
- Additional resources

Purpose

The purpose of this document is to provide an overview of the different network connectivity options we offer to access Commercial customer instances.

Being a cloud company, networking is one of the most critical aspects of how customers access and consume the services offered by ServiceNow. The network also partially determines the end-user’s perception and experience with services consumed on the ServiceNow platform. The design goals for the cloud network that serves end-users are as follows:

- High performance.
- Optimized number of hops between source and destination.
- Redundant with automatic recovery in case of failure.
- Secure.
- Scalable.
- Global reach.

The preferred and default means of access to ServiceNow’s services is via the Internet. Recognizing that some companies may not want to use the Internet for access due to legal, corporate or other policies, ServiceNow also offers connections via other means as outlined in this document.

Summary

- Internet Access: Offers broad and easy access to ServiceNow services through a standard internet connection. While cost-effective and widely available, it is less secure and can be subject to performance variability due to the public nature of the internet. Suitable for general use cases not requiring high security or low latency.
- Public Internet Exchange (e.g., AMS-IX, LINX): Ideal for open, cost-effective peering with ServiceNow, making it well-suited for exchanging large amounts of general internet traffic and giving more control over traffic flows.
- Private Exchange (e.g., Equinix Fabric, Megaport): Excellent for scalable and flexible private connections to ServiceNow. It is also significantly less susceptible to DDoS attacks.
- Direct Connect: Provides the most secure and high-performance connection, making it suitable for enterprises needing secure, dedicated circuits for direct access to ServiceNow. Especially useful for security-sensitive traffic, though it is the most expensive option.

Internet Access

Overview

Internet access is the default and preferred means of connectivity between the customer and ServiceNow. It uses HTTPS from any modern browser, ensuring high security via TLS encryption. This is the most scalable solution for geographically dispersed customers.

ServiceNow connects to multiple major Internet Service Providers (ISPs) based on the data center location. This ensures robust connectivity and optimized hops to the customer. All ISP connections are provisioned using Border Gateway Protocol (BGP) for route exchange and dynamic failover. Multi-gigabit capacity is provisioned in all data centers at any given time and proactively monitored for usage and anomalies.

Figure 1. Internet Access

Requirements

- Customers need to have Internet access via ISPs of their choosing.
- ServiceNow strongly recommends the provision of Internet access using multiple Tier 1 ISPs for redundancy.

DDoS Susceptibility

Very High Risk of DDoS Attacks: Standard internet access is highly susceptible to DDoS attacks because traffic flows over the public internet, which is inherently open and exposed to malicious actors. Since this is the default access path for most internet traffic, attackers can easily identify public IP addresses to target. DDoS attacks on Internet access can include volumetric attacks (overwhelming bandwidth), protocol attacks (e.g., SYN floods), and application-layer attacks (e.g., HTTP floods), making it one of the most commonly targeted pathways for DDoS attacks.

Public Internet Exchange Peering

Overview

Public Internet Exchange Peering is a connectivity option where customers connect to a public Internet Exchange (IX) to peer with ServiceNow. This allows customers to connect to ServiceNow without using an ISP and provides a cost-effective alternative to private exchange peering.

A public IX (like DE-CIX, LINX) is essentially a physical location where multiple networks (e.g., ISPs, content delivery networks, enterprises) come together to exchange internet traffic via a shared switching fabric. The goal is to facilitate efficient traffic exchange through peering, reducing latency and transit costs.

Key characteristics

- Typically uses a shared Layer 2 switch or series of switches to allow multiple participants to peer.
- The connectivity is generally “best effort,” where all participants connect to the IX and peer using BGP (Border Gateway Protocol).
- Participants can freely choose to establish either multilateral peering (via route servers) or bilateral peering with other participants.
- The current list of public exchanges with ServiceNow presence can be seen on the PeeringDB site.

Figure 2. Public Internet Exchange Peering

Requirements

- Customers need to connect to the public Internet Exchange and solicit peering from ServiceNow over the exchange.
- All of a given region’s IP address block(s) will be announced over all external (eBGP) connections.
- Only Internet-routable (Public) IP blocks will be accepted over the eBGP peering sessions established with the client’s public AS number.
- For diversity and redundancy, it is recommended that the Internet-learned routes be used as a backup to the ones from the public peering links. This will ensure continuity of access if there are issues with public peering or the exchange.
- A minimum of 2 BGP sessions per IX is required. For better redundancy, 4 BGP sessions are recommended.

DDoS Susceptibility

High Risk of DDoS Attacks: Since public IXs are shared environments with many participants, they are more vulnerable to DDoS attacks. Traffic is often exposed to the public internet, making it easier for attackers to send large volumes of malicious traffic through the IX.

Private Exchange Peering

Overview

A private exchange is a service that enables point-to-point, secure, and scalable connections between parties (e.g., between enterprises, cloud service providers, and data centers) over a private network. These are managed interconnection platforms offering more control over traffic paths, bandwidth, and security. Examples of such exchanges are Equinix Cloud Exchange (now called Equinix Fabric) and Megaport.

Key characteristics

- Provides dedicated, point-to-point or point-to-multipoint connections on a private Layer 2/3 network.
- Offers secure connectivity options, often with guarantees on bandwidth and performance (QoS), bypassing the public internet for increased security and performance.

Figure 3. Private Exchange Peering

Requirements

- Customers need to connect to the private exchange and solicit peering from ServiceNow over the exchange.
- Customers must provide a /31 public-Internet address block for each connection that is provisioned.
- Only Internet-routable (Public) IP blocks will be accepted over the eBGP peering sessions established with the client’s public AS number.
- All of a given region’s IP address block(s) will be announced over all external (eBGP) connections.
- For diversity and redundancy, it is recommended that the Internet-learned routes be used as a backup to the ones from the private peering links. This will ensure continuity of access if there are issues with private peering or the exchange.
- A minimum of 1 BGP session/Virtual Circuit per ServiceNow DC is required. For better redundancy, 2 BGP sessions/Virtual Circuits per DC are recommended.

DDoS Susceptibility

Lower Risk of DDoS Attacks: Private exchanges are designed to provide dedicated, point-to-point connections that bypass the public internet, significantly reducing exposure to DDoS attacks. Since these connections are private and directly link one network to another, it is difficult for external attackers to send malicious traffic.

Controlled Environment: The private nature of these exchanges limits the number of potential points of attack. Any DDoS attack would generally have to come from within the connected networks or partners, rather than from the open internet.

Direct Connect

Overview

A dedicated physical circuit between a customer’s premises and ServiceNow without intermediate exchanges. This is commonly used to achieve a secure, high-performance, and low-latency link between two entities, bypassing the public internet altogether. This is highly controlled and provisioned through the telecom carrier or service provider, ensuring predictable and stable performance.

Key characteristics

- Ideal for mission-critical, latency-sensitive applications that require dedicated bandwidth and secure, high-performance connections.
- Provides the highest level of security and control since traffic travels directly between the customer and ServiceNow, eliminating exposure to potential threats from public networks or shared exchanges.
- The most expensive option out of all types of connections.
- If a data center is closed or an instance is moved to a new data center pair, new circuit provisioning will be required.

Figure 4. Direct Connect

Requirements

- Connections to ServiceNow are via 1 or 10 Gigabit Ethernet (GE) ports.
- A minimum of 1 link per data center is required, with a recommendation for 2 links per data center for diversity.
- External Border Gateway Protocol (eBGP) is used to exchange routes between ServiceNow and the customer.
- Customers must provide a /31 public-Internet address block for each link that is provisioned.
- Only Internet-routable (Public) IP blocks will be accepted over the eBGP peering sessions established with the client’s public AS number.
- All of a given region’s IP address block(s) will be announced over all external (eBGP) connections.
- The customer is responsible for all cross-connect charges incurred in the data centers where their instances are hosted.
- Turn-up of such connections requires coordination with carriers, data centre providers and ServiceNow technical teams.
- For diversity and redundancy, it is recommended that the Internet-learned routes be used as a backup to the ones from the Direct Connect links. This will ensure continuity of access if there are issues with those links.

DDoS Susceptibility

Least Vulnerable to DDoS: Direct connectivity provides a dedicated, private circuit between the customer and ServiceNow, effectively eliminating exposure to DDoS attacks that occur on the public internet. Since these connections are not part of any shared infrastructure and are tightly controlled, they have a significantly reduced risk of being targeted by DDoS attacks.

Closed Network Architecture: As the traffic flows are limited to a specific route between two endpoints, external malicious actors cannot easily access or target the connection.

Additional resources

- Connecting to ServiceNow Instance via Equinix Cloud Exchange
- Internet circuit providers per datacenter
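
The eBGP requirements in the three Requirements lists above (public AS number, Internet-routable prefixes, public /31 link blocks, minimum and recommended session counts, Internet-learned routes as backup) can be checked before a peering request is submitted. The following Python check is an added example, not ServiceNow tooling; the plan dictionary layout, its field names and the function names are assumptions, and "sessions" stands for BGP sessions, virtual circuits or links depending on the connection type.

```python
import ipaddress

# (minimum, recommended) sessions/links from the page: per IX or per DC.
SESSION_RULES = {"public_ix": (2, 4), "private_exchange": (1, 2),
                 "direct_connect": (1, 2)}
# Documentation (RFC 5398) and private-use (RFC 6996) AS number ranges.
NON_PUBLIC_ASNS = [(64496, 64511), (64512, 65534), (65536, 65551),
                   (4200000000, 4294967294)]

def is_public_asn(asn):
    # 0, 65535 and 4294967295 are reserved; 23456 is AS_TRANS.
    if not 0 < asn < 2**32 - 1 or asn in (23456, 65535):
        return False
    return not any(lo <= asn <= hi for lo, hi in NON_PUBLIC_ASNS)

def check_plan(plan):
    """Return (errors, warnings) for one planned peering."""
    errors, warnings = [], []
    minimum, recommended = SESSION_RULES[plan["type"]]
    if not is_public_asn(plan["asn"]):
        errors.append(f"AS{plan['asn']} is not a public AS number")
    for text in plan["announced"]:
        net = ipaddress.ip_network(text, strict=False)
        if not net.is_global:
            errors.append(f"{net} is not Internet-routable")
    # /31 link blocks are listed only for private exchange / Direct Connect.
    if plan["type"] != "public_ix":
        for text in plan["link_blocks"]:
            net = ipaddress.ip_network(text, strict=False)
            if net.version != 4 or net.prefixlen != 31 or not net.is_global:
                errors.append(f"link block {net} must be a public /31")
        if len(plan["link_blocks"]) != plan["sessions"]:
            errors.append("one /31 link block is needed per connection")
    if plan["sessions"] < minimum:
        errors.append(f"{plan['sessions']} session(s), minimum is {minimum}")
    elif plan["sessions"] < recommended:
        warnings.append(f"{recommended} sessions recommended for redundancy")
    if not plan.get("internet_backup"):
        warnings.append("Internet-learned routes not kept as backup")
    return errors, warnings

# Constructed sample: documentation/private values that fail each hard rule.
SAMPLE_PLAN = {"type": "private_exchange", "asn": 64512, "sessions": 1,
               "announced": ["198.51.100.0/24"],
               "link_blocks": ["10.0.0.0/30"], "internet_backup": False}

if __name__ == "__main__":
    for kind, items in zip(("ERROR", "WARN"), check_plan(SAMPLE_PLAN)):
        for item in items:
            print(f"{kind}: {item}")
```

Documentation prefixes such as 198.51.100.0/24 are deliberately rejected here, because they are not globally routable and would not satisfy the "Internet-routable (Public)" requirement.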