How to Create an Anypoint VPN in Cloudhub 1.0


Although creating a VPN connection for Cloudhub might seem a complicated (and, for some, scary!) task,
the truth is that it isn’t... if you know what you’re doing :)

In this post, we’re going to walk through the process of creating an Anypoint VPN connection in detail. 

But before you create anything in your Anypoint platform, I encourage you to have a look at the requirements and limitations for VPN connections in Anypoint. That’ll help you understand if you’ve got everything you need before creating any VPN connection.

Once we understand that, we're ready to create the Anypoint VPN connection. For that, we'll follow these steps:
  • First, select Runtime Manager > VPNs
  • Next, click on Create VPN at the top, and that will take us to the Create VPN page.
  • From there, we first provide a Name to our VPN connection
  • From the first dropdown, we'll select the VPC our VPN will be created for. Before you say anything - no, you can't share a VPN connection across VPCs (I always get asked that :))
  • Next, enter the Remote IP address of your VPN device. This needs to be a single, public and static IP address. Remember, you can’t modify this value after you create this connection.
  • Choose the Routing Type you’ll use for the connection (BGP or Static). Remember again, you can’t modify the routing type after you create this connection. However, if you’re using Static Routing you’ll be able to modify routes after the connection is created.

Dynamic Routing (BGP)

  • If you choose to use Dynamic Routing, this VPN connection will rely on the Border Gateway Protocol (BGP) to update the routing table of the current Private Space. So, make sure the VPN device on your side supports BGP.
  • Local ASN - Here you need to provide an ASN in the range 64512-65534 that is not in use in your internal network. The default value is 64512.
  • Remote ASN - Here we need to provide the ASN of your network. You need to use an ASN that is not in use in your network. Typically a private ASN would be in the range 64512-65534, and the default value is 65001.

Static Routing

  • If you plan to use Static Routing, you’ll need to provide the external private networks for which this VPC should route traffic (the so-called interesting traffic) to this VPN. You need to use CIDR notation. If you need more than one static route, use the Add New Rule option. Before you do that, there are a couple of considerations:
    • These routes will be added to the Routing Table of the current VPC along with the routes from the other VPN connections associated with this VPC. Remember that, in total, we can have a maximum of 95 routes.
    • Make sure there’s no overlap between the networks you’re providing.
  • Local ASN - For this we can just leave the default value 64512

Advanced Options

If necessary you can provide the following Advanced Options:
  • PSK - Manually provide the Pre-Shared Key for each tunnel
  • Point-To-Point CIDR - Here you can provide the CIDR block for the internal address of the tunnel, but be careful not to select one of the following CIDR blocks, as they are reserved for Cloudhub:
    • 169.254.0.0/30
    • 169.254.1.0/30
    • 169.254.2.0/30
    • 169.254.3.0/30
    • 169.254.4.0/30
    • 169.254.5.0/30
    • 169.254.169.252/30


  • After that you can click the Create VPN button and wait. It will take up to 15 mins to create the VPN connection.
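
Because the remote IP and routing type cannot be changed after creation, it helps to check the planned values before clicking Create VPN. The following is an added example, not part of the original post or of any MuleSoft tooling: the `preflight` helper and its parameter names are hypothetical, and the limits it enforces are the ones listed in this post.

```python
import ipaddress

# Limits and reserved blocks exactly as listed in this post.
RESERVED_P2P = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")]
LOCAL_ASN_RANGE = range(64512, 65535)  # 64512-65534 inclusive
MAX_ROUTES = 95                        # per VPC, across all its VPN connections


def preflight(remote_ip, static_routes=(), existing_routes=0,
              local_asn=None, p2p_cidrs=()):
    """Return a list of problems with the planned settings (hypothetical helper)."""
    problems = []
    try:
        # The remote endpoint must be one public address, not a range.
        if not ipaddress.ip_address(remote_ip).is_global:
            problems.append(f"remote IP {remote_ip} is not a public address")
    except ValueError:
        problems.append(f"remote IP {remote_ip!r} is not a single IP address")

    nets = []
    for cidr in static_routes:
        try:
            nets.append(ipaddress.ip_network(cidr))  # strict: rejects host bits
        except ValueError as exc:
            problems.append(f"static route {cidr!r}: {exc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"static routes {a} and {b} overlap")
    if existing_routes + len(static_routes) > MAX_ROUTES:
        problems.append(f"route table would exceed {MAX_ROUTES} routes")

    if local_asn is not None and local_asn not in LOCAL_ASN_RANGE:
        problems.append(f"local ASN {local_asn} is outside 64512-65534")

    for cidr in p2p_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError as exc:
            problems.append(f"point-to-point CIDR {cidr!r}: {exc}")
            continue
        if any(net.overlaps(r) for r in RESERVED_P2P):
            problems.append(f"point-to-point CIDR {net} is reserved for Cloudhub")
    return problems
```

With constructed values, `preflight("1.2.3.4", ["10.0.0.0/16", "10.0.4.0/24"])` returns a single overlap finding, and an empty list means none of the checks above failed. Pass the number of routes already in the VPC's routing table as `existing_routes` so the 95-route limit is checked against the total.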

Set Up the VPN Endpoint on the Other Side of the Connection

With that, the configuration of the Anypoint side is done. Now, the last step is to set up the connection on the other side. For that:
  • First, from Runtime Manager we'll click on the VPN connection we've just created
  • Then, we'll click on Get VPN Config. This will open a new window where we'll be able to get all the details we need for our VPN endpoint
  • Make sure you select the Vendor, Platform and Version of your VPN device. If our device is not in the list then use the Generic option.
  • Click View Config and then the Copy button. Paste it in a text file; we'll use these values for our VPN device
  • And lastly, go to your VPN device and use the values for the IPsec settings you need to provide to configure both tunnels. We can't give you more details here, as every VPN device is different

Test the Connection

  • If everything went well you should see your VPN connection in the list of VPN connections with the Status Column displaying at least one tunnel UP. Having one or both tunnels UP will depend on the type of routing and your VPN device type.
  • The last thing we need to do is to test our connection. For that, the quickest and easiest way is to use the Anypoint Network Tools and start doing a Ping or Traceroute to a private IP in your internal network