Set up a VPN to your OutSystems Cloud

This topic details how you can set up a site-to-site VPN connection that allows secure communication between your on-premises network and OutSystems Cloud.

Check in the Cloud services catalogue if the VPN service is available for your OutSystems Cloud edition.

VPN and your OutSystems Cloud

Your OutSystems Cloud environments are hosted on Amazon Web Services (AWS) and protected inside a virtual private cloud (VPC), which is logically isolated from the Internet and from other virtual networks in the AWS cloud.

To establish a secure connection between your on-premises network and the OutSystems Cloud you can create a site-to-site virtual private network (VPN) connection using Internet Protocol security (IPSec).

The following diagram shows a single VPN connection, with your OutSystems Cloud, hosted on AWS, on the left side and your on-premises network on the right side:

The VPN tunnels are anchored to a virtual private gateway on the OutSystems Cloud side, and to your VPN gateway on the on-premises network side.

The VPN connection consists of two VPN tunnels. If your VPN gateway supports asymmetric routing and if the first VPN tunnel is temporarily disabled, the VPN connection automatically switches over to the second VPN tunnel so that your access isn't interrupted.

VPN specifications

Initiating the VPN

The VPN connection must be initiated and kept alive by generating constant network traffic from the on-premises network; the VPN tunnel can't be initiated by the OutSystems Cloud. If your Site-to-Site VPN connection experiences a period of idle time (usually 10 seconds, depending on your configuration), the tunnel may go down. To initiate the VPN connection and keep it operating, you can use one of the following options:

  • Use your VPN gateway to generate network traffic by using features such as a service-level agreement (SLA) monitor.
  • Ping the OutSystems Cloud DNS servers.

Redundancy

If your VPN gateway supports asymmetric routing, you should configure the two VPN tunnels to ensure high-availability of the VPN connection. Amazon performs routine maintenance on the virtual private gateways, which can disable one of the VPN tunnels for a brief period. Having two VPN tunnels configured ensures the failover to the second VPN tunnel if the first VPN tunnel goes down.

Note that Cisco ASA devices only establish a single connection, with the first configured peer; the second peer IP is kept down ('standby') and is connected only if peer 1 is unreachable.

Virtual private gateway device

The VPN Hardware Manufacturer for the virtual private gateway device is defined by AWS as "Amazon AWS VPC with VPN Service".

Limitation

The site-to-site VPN currently doesn't support IPv6 traffic.

Set up a VPN to OutSystems Cloud

The procedure below applies only to OutSystems Cloud running LifeTime Management Console 11.6.1 or later. For earlier LifeTime versions, follow the procedure in Set up a VPN using LifeTime 11.6.0 or earlier.

Before you begin

Before you begin setting up your VPN, make sure you understand and comply with the following requirements:

Check the VPN gateway requirements

Your VPN gateway can be a physical or software device. Check this list to know if your VPN gateway has been tested by AWS with the site-to-site VPN. If your VPN gateway isn't in the previous list, it must meet the following requirements:

  • Maintain the same static public IP address.
  • Establish IKE v1 or IKE v2 Security Association using pre-shared keys.
  • Establish IPSec Security Associations in Tunnel mode.
  • Use IPsec Dead Peer Detection (DPD).
  • Use the AES-128 or AES-256 encryption function.
  • Use the SHA-1 or SHA-256 hashing function.
  • Use Diffie-Hellman Perfect Forward Secrecy with groups 2 (1024 bit), 5 (1536 bit), 14-18 (2048 bit), 22, 23, or 24 (2048 bit).

Gather the necessary information

Before creating a VPN connection, make sure you have the following information:

  • Your Internet gateway public IP. If your VPN gateway is behind a network address translation (NAT) device that's enabled for NAT traversal (NAT-T), use the public IP address of your NAT device.
  • The internal network IP range that will access the VPN.
  • The type of routing that your VPN gateway supports. If the gateway supports Border Gateway Protocol (BGP), use dynamic routing, otherwise use static routing.

Check your on-premises network

Your on-premises network internal IP address range mustn't overlap with the internal IP address range of your OutSystems Cloud. Check how to find out the internal IP address range of your OutSystems Cloud.

Make sure you have the necessary permissions

To create a VPN you must have the Administrator role in LifeTime.

Setup Overview

VPN setup overview

Make sure you read the previous section before you continue.

Step 1. Create the VPN

To create a VPN to your OutSystems Cloud follow these steps:

  1. Open LifeTime by accessing https://<lifetime_environment>/lifetime, where <lifetime_environment> is the address of your LifeTime environment.

  2. Select the ENVIRONMENTS tab and open the Options dropdown.

  3. If you are creating the first VPN, select Create VPN. Otherwise, select VPN Management and click the Create new VPN link.

  4. Fill in the form by entering the values for each field:

    • The purpose of this new VPN.
    • The Internet gateway public IP. If your VPN gateway is behind a network address translation (NAT) device that's enabled for NAT traversal (NAT-T), use the public IP address of your NAT device.
    • The Internal network IP range to access VPN.
    • The type of Routing that your VPN gateway supports. If your VPN gateway supports Border Gateway Protocol (BGP), select Dynamic routing, otherwise select Static routing.

  5. Click the Create VPN button.

OutSystems is now creating your new VPN. You can check the status of the process on Your VPN Connections screen, under ENVIRONMENTS > Options > VPN Management.

Step 2. OutSystems creates the VPN connection and notifies you when it’s ready

OutSystems creates the VPN connection on your OutSystems Cloud. When the VPN is created, OutSystems sends an email to the user who created the VPN in LifeTime, notifying you that the VPN configuration file is ready to download and providing the information needed to configure the VPN gateway on your on-premises network.

Step 3. Download the configuration file

After receiving the OutSystems email notifying that your VPN is created, you must download your VPN configuration file:

  1. In LifeTime, select the ENVIRONMENTS tab.
  2. Open the Options dropdown and select VPN Management.
  3. Identify your new VPN in the list of VPN connections and click the Download Configuration link.

Step 4. Configure your VPN gateway

This step must be performed by your Network Engineer.

Configure your VPN gateway using the values provided in the configuration file you downloaded in Step 3.

If you want to use your own configuration, make sure your VPN gateway configuration values respect the following AWS requirements:

Phase 1 Parameters

  Protocol                          IKE v1 or IKE v2
  Authentication Method             Pre-shared Key
  Protocol Communications           Encapsulated UDP port 500, NAT-T (UDP port 4500)
  Encryption Algorithm              AES-128, AES-256
  Diffie-Hellman Group              2 (1024 bit), 14-18 (2048 bit), 22, 23, and 24 (2048 bit)
  Perfect Forward Secrecy (PFS)     Yes
  Hashing Algorithm for Integrity   SHA-1, SHA-256
  Re-negotiation time               28800 seconds
  Mode                              Main

Phase 2 Parameters

  Protocol                          IKE Phase II (IPSEC SA)
  IPSec Protocol                    ESP; UDP port 500; NAT-T is supported on your side.
  Encryption Algorithm              AES-128, AES-256
  Encryption Mode                   Tunnel
  Diffie-Hellman Group              2 (1024 bit), 5 (1536 bit), 14-18 (2048 bit), 22, 23, and 24 (2048 bit)
  Hashing Algorithm for Integrity   SHA-1, SHA-256
  Lifetime Measurement              Time
  Lifetime                          3600 seconds
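As an added check (example code, not part of the OutSystems or AWS documentation), the following Python script compares a candidate gateway proposal against the Phase 1 and Phase 2 parameters above, so a network engineer can catch deviations such as an unsupported Diffie-Hellman group or lifetime before bringing the tunnel up. The proposal dictionaries and the algorithm name spellings ("aes256", "sha256") are constructed for this example.

```python
# Added example (not OutSystems' or AWS's code): checks a candidate gateway
# configuration against the Phase 1 / Phase 2 parameters listed above.
# Algorithm names ("aes256", "sha256") and both sample proposals are constructed.

PHASE1_DH = {2, 14, 15, 16, 17, 18, 22, 23, 24}   # "14-18" expanded to single groups
PHASE2_DH = PHASE1_DH | {5}                        # group 5 is listed for Phase 2 only
ENCRYPTION = {"aes128", "aes256"}
INTEGRITY = {"sha1", "sha256"}
def check_proposal(p):
    """Return a list of findings for proposal dict p; [] means it matches the table."""
    f = []
    if p["ike_version"] not in (1, 2):
        f.append("IKE version must be 1 or 2")
    if p["ike_version"] == 1 and p["mode"] != "main":
        f.append("IKEv1 must use Main mode")
    if p["auth"] != "psk":
        f.append("authentication must be pre-shared key")
    if not p["dpd"]:
        f.append("Dead Peer Detection must be enabled")
    for phase, groups in (("p1", PHASE1_DH), ("p2", PHASE2_DH)):
        s = p[phase]
        if s["encryption"] not in ENCRYPTION:
            f.append(f"{phase}: encryption must be AES-128 or AES-256")
        if s["integrity"] not in INTEGRITY:
            f.append(f"{phase}: integrity must be SHA-1 or SHA-256")
        if s["dh_group"] not in groups:          # 0 here means PFS disabled
            f.append(f"{phase}: DH group {s['dh_group']} not allowed (PFS required)")
    if p["p1"]["lifetime"] != 28800:
        f.append("p1: re-negotiation time must be 28800 seconds")
    if p["p2"]["lifetime"] != 3600:
        f.append("p2: lifetime must be 3600 seconds")
    if p["p2"]["protocol"] != "esp" or p["p2"]["mode"] != "tunnel":
        f.append("p2: must be ESP in tunnel mode")
    return f

# Constructed sample of a compliant IKEv2 proposal.
COMPLIANT = {
    "ike_version": 2, "mode": "main", "auth": "psk", "dpd": True,
    "p1": {"encryption": "aes256", "integrity": "sha256", "dh_group": 14, "lifetime": 28800},
    "p2": {"encryption": "aes256", "integrity": "sha256", "dh_group": 14,
           "lifetime": 3600, "protocol": "esp", "mode": "tunnel"},
}
# Constructed sample with deviations: aggressive mode, 3DES, group 5 in Phase 1, 86400 s lifetime, no PFS, DPD off.
NONCOMPLIANT = {
    "ike_version": 1, "mode": "aggressive", "auth": "psk", "dpd": False,
    "p1": {"encryption": "3des", "integrity": "sha1", "dh_group": 5, "lifetime": 86400},
    "p2": {"encryption": "aes128", "integrity": "sha1", "dh_group": 0,
           "lifetime": 3600, "protocol": "esp", "mode": "tunnel"},
}
```

Running `check_proposal(NONCOMPLIANT)` returns six findings, one per deviation, while the compliant proposal returns an empty list.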

Step 5. Configure your firewall

This step must be performed by your Network Engineer.

If your on-premises network includes a firewall between the Internet and your VPN gateway, implement the following rules in the firewall:

  • Allow UDP traffic on port 500 between your VPN gateway and each of the VPN tunnels to the OutSystems Cloud to enable the transmission of IKE packets. There should be four rules: a pair of inbound and outbound rules for each VPN tunnel.

  • Allow IP protocol 50, Encapsulating Security Payload (ESP), traffic between your VPN gateway and each of the VPN tunnels to the OutSystems Cloud to enable the transmission of IPSec packets containing the encrypted network traffic. There should be four rules: a pair of inbound and outbound rules for each VPN tunnel.

  • If your OutSystems Cloud needs to access systems on your on-premises network, add other inbound and outbound firewall rules. Make sure to create inbound and outbound rules for each of the VPN tunnels. For example, to access a SQL Server database, allow TCP traffic on port 1433, and to access an Oracle database, allow TCP traffic on port 1521.

  • If you are using NAT-T on your VPN gateway, allow UDP traffic on port 4500. Add outbound and inbound firewall rules.

Troubleshooting

Check the VPN connectivity and troubleshooting guide.