As we know, Cloudhub 2.0 has brought important changes to the Runtime Plane in Anypoint, especially related to infrastructure. The good news is that when it comes to VPN connections, nothing has changed. Cloudhub 2.0 continues to use a Virtual Private Gateway (VGW) in the background, which means that the process of creating a VPN connection is more or less the same as Cloudhub 1.0. Let’s see it in detail.But before you create anything in your Anypoint platform, I encourage you to have a look at the requirements and limitations for VPN connections in Anypoint. That’ll help you understand if you’ve got everything you need before creating any VPN connection.
Remember that, before you can create any VPN connection, you first need to create a Private Network for your Private Space. Once that is in place, we’ll follow the next steps:
- First, Select Runtime Manager > Private Spaces.
- Next, select the Private Space in which you’ll create the new VPN
- In the Network tab, click on Create Connection from the Connections section
- Select VPN as Connection Type and provide a name to your new VPN connection
- Next, enter the Remote IP address of your VPN device. This needs to be a single and static IP address. Remember, you can’t modify this value after you create this connection.
- Choose the Routing Type you’ll use for the connection (Dynamic or Static). Remember again, you can’t modify the routing type for this connection after you create this connection. However, if you’re using Static Routing you’ll be able to modify routes after the connection is created.
Static Routing
- Local ASN - This can be confusing, pay attention: We don’t use the local ASN for static routing, however if this is the first VPN connection of the Private Space we need to specify value. The local ASN we provide in here will be used for the future VPN connections added to this Private Space using Dynamic Routing.
- If you plan to use Static Routing you’ll need to provide the external private networks for which this Private Space should route the traffic (the so called interesting traffic) to this VPN. You need to use CIDR notation and separate the different networks with commas. Before you do that, take into account the following:
- These routes will be added to the Routing Table of the current Private Space along with the rest of routes in other VPN connections associated to this Private Space. Remember that, in total, we can have a maximum of 95 routes.
- Make sure there’s no overlapping between the list of networks you’re providing.
- Cloudhub 2.0 connects internally to other subnets within the Private Space. For that reason, there’s a list of CIDR blocks that are reserved (see below) and that you cannot use for your static routes:
172.17.0.0/16
100.64.0.0/10198.19.0.0/16224.0.0.0/4169.254.0.0/16127.0.0.0/80.0.0.0/8
- Only Route-based VPN is supported. Policy-based VPN is not supported
Dynamic Routing
- If you choose to use Dynamic Routing this VPN connection will rely on the Border Gateway Protocl (BGP) to update the routing table of the current Private Space. So, make sure your VPN device on your side supports BGP
- Local ASN - In here you need to provide an ASN that is not in use in your internal network. You only have to provide one local ASN per Private Space, so this option will only show up if this is the first VPN connection for your Private Space.
- Remote ASN - provide a remote private ASN
Advanced Options
If necessary you can provide the following Advanced Options:
- Automatic Tunnel Initiation - This is enabled by default and you only specify it once per Private Space, so if this is not the first VPN you create for your Privagte Space this option won’t show up. In the past, when there was no interesting traffic in the VPN, the tunnel went down and it could only be brought back up from the customer side, the Anypoint VPN was not able to initiate the tunnel and keep it active. With this option you’re safe, don’t change this option and your tunnel won’t go down due to inactivity. However, if you really need to disable the option be aware that may not maintain continuous connectivity and it will be your responsibility to maintain the tunnel active generating traffic from your side. If you need to know more check this article on How to Generate Interesting Traffic for Anypoint VPN
- Tunnel Configuration - In here you can use the default (automatic) if you don’t have extra requirements. But if so, you can provide:
- IP ranges for the internal addresses of the VPN tunnels
- Pre-Shared Keys - In case you want to enter manually specific values for the PSKs of each tunnel
- Finally, click on Create VPN and wait. Your new VPN connection should be available in maximum 15 mins. If not, something went wrong, in which case, I’d recommend to create it again.
- Once your VPN is up and running is time to test the connection. For that, the quickest and easiest way is to use the Anypoint Network Tools.
And that's it! As you can see, if you know what you're doing creating a VPN connection can be done in a few minutes. Hope this was useful!