Set up a VPN to Your OutSystems Cloud

This topic details how you can set up a site-to-site VPN connection that allows secure communication between your on-premises network and OutSystems Cloud.

VPN and Your OutSystems Cloud

Your OutSystems Cloud environments are hosted on Amazon Web Services (AWS) and protected inside a virtual private cloud (VPC), which is logically isolated from the Internet and from other virtual networks in the AWS cloud. To establish a secure connection between your on-premises network and the OutSystems Cloud you can request the creation of a site-to-site virtual private network (VPN) connection using Internet Protocol security (IPSec).

The following diagram shows a single VPN connection, with your OutSystems Cloud, hosted on AWS, on the left and your on-premises network on the right:

The VPN tunnels are anchored to a virtual private gateway on the OutSystems Cloud side, and to your VPN gateway on the on-premises network side.

The VPN connection consists of two VPN tunnels. If your VPN gateway supports asymmetric routing and if the first VPN tunnel is temporarily disabled, the VPN connection automatically switches over to the second VPN tunnel so that your access isn't interrupted.

VPN Specifications

Initiating the VPN

The VPN connection must be initiated and kept alive by generating constant network traffic from the on-premises network; the VPN tunnel cannot be initiated by the OutSystems Cloud. If your Site-to-Site VPN connection experiences a period of idle time (usually 10 seconds, depending on your configuration), the tunnel may go down. To initiate the VPN connection and keep it operating, you can use one of the following options:

  • Use your VPN gateway to generate network traffic by using features such as service-level agreement (SLA) monitor or by running constant Internet Control Message Protocol (ICMP) pings to an environment in the OutSystems Cloud.

or

  • Configure a permanent ICMP ping from a set of servers in the on-premises network to an environment in the OutSystems Cloud.

Redundancy

If your VPN gateway supports asymmetric routing, you should configure the two VPN tunnels to ensure high-availability of the VPN connection. Amazon performs routine maintenance on the virtual private gateways, which can disable one of the VPN tunnels for a brief period. Having two VPN tunnels configured ensures the failover to the second VPN tunnel if the first VPN tunnel goes down.

Note that Cisco ASA devices only establish a single connection, with the first configured peer; the second peer IP is kept down (standby) and is connected only if peer 1 is unreachable.

Virtual private gateway device

The VPN Hardware Manufacturer for the virtual private gateway device is defined by AWS as "Amazon AWS VPC with VPN Service".

Limitation

The site-to-site VPN currently does not support IPv6 traffic.

Set up the First VPN to Your OutSystems Cloud

Before You Begin

Before you begin setting up your VPN, make sure you understand and comply with the following requirements:

Check the VPN Gateway Requirements

Your VPN gateway can be a physical or software device. Check this list to know if your VPN gateway has been tested by AWS with the site-to-site VPN.
If your VPN gateway is not on the previous list, it must meet the following requirements:

  • Maintain the same static public IP address.
  • Establish IKE v1 or IKE v2 Security Association using pre-shared keys.
  • Establish IPSec Security Associations in Tunnel mode.
  • Use the AES-128 or AES-256 encryption function.
  • Use the SHA-1 or SHA-256 hashing function.
  • Use Diffie-Hellman Perfect Forward Secrecy with groups 2 (1024 bit), 5 (1536 bit), 14-18 (2048 bit), 22, 23, or 24 (2048 bit).

Gather Necessary Information

Before requesting a VPN connection, make sure you have the following information:

  • The public IP of your VPN gateway. If your VPN gateway is behind a network address translation (NAT) device that's enabled for NAT traversal (NAT-T), use the public IP address of your NAT device.
  • The brand, model, and software version of your VPN gateway.
  • The internal IP range of the on-premises network that will access the VPN.
  • The type of routing that your VPN gateway supports: if the gateway supports Border Gateway Protocol (BGP), use dynamic routing, otherwise use static routing.

Check On-Premises Network

The internal IP address range of your on-premises network must not overlap with the internal IP address range of your OutSystems Cloud. See how to find the internal IP address range of your OutSystems Cloud.

Make Sure You Have the Necessary Permissions

To request a VPN you must have the Administrator role in LifeTime.

The VPN request must be approved by an Infrastructure Administrator in the Support Portal.

Setup Overview

VPN setup overview

Make sure you read the previous section before you continue.

Step 1. Request the First VPN

To request the first VPN to your OutSystems Cloud follow these steps:

  1. Open LifeTime by accessing https://<lifetime_environment>/lifetime, where <lifetime_environment> is the address of your LifeTime environment.

  2. Select the Environments tab, open Options and select Activate VPN.

  3. Fill in the form by entering the values for each field:

    • Your email address.
    • The email address of the Network Engineer. If you are the Network Engineer, enter your email.
    • The public IP of your VPN gateway. If your VPN gateway is behind a network address translation (NAT) device that's enabled for NAT traversal (NAT-T), use the public IP address of your NAT device.
    • The internal IP range of the on-premises network that will access the VPN.
    • The brand, model, and software version of your VPN gateway.
    • The type of routing that your VPN gateway supports. If your VPN gateway supports Border Gateway Protocol (BGP), select Dynamic routing, otherwise select Static routing.

  4. To send your request for a VPN, select Activate VPN Service. This creates a support ticket with the information you provided in the form.

Step 2. OutSystems Creates the VPN Connection and Contacts You

Once all the required information has been validated, OutSystems creates the VPN connection on your OutSystems Cloud and sends you the VPN Peer Address and the information needed to configure the VPN gateway on your on-premises network, including a configuration file created by AWS.
The type of configuration file you receive depends on your VPN gateway:

Step 3. Configure Your VPN Gateway

This step must be performed by your Network Engineer.

After receiving the required information to set up your VPN connection, complete the configuration of your VPN gateway by following the instructions in the communication sent by the OutSystems Support and in the configuration file.

During the VPN gateway configuration you should use the values provided in the configuration file.
Otherwise, you must make sure your VPN gateway configuration values respect the following AWS requirements:

Phase 1 Parameters

  Protocol:                         IKE v1 or IKE v2
  Authentication Method:            Pre-shared Key
  Protocol Communications:          Encapsulated UDP port 500, NAT-T (UDP port 4500)
  Encryption Algorithm:             AES-128, AES-256
  Diffie-Hellman Group:             2 (1024 bit), 14-18 (2048 bit), 22, 23, and 24 (2048 bit)
  Perfect Forward Secrecy (PFS):    Yes
  Hashing Algorithm for Integrity:  SHA-1, SHA-256
  Re-negotiation time:              28800 seconds
  Mode:                             Main

Phase 2 Parameters

  Protocol:                         IKE Phase II (IPSec SA)
  IPSec Protocol:                   ESP; UDP port 500; NAT-T is supported on your side.
  Encryption Algorithm:             AES-128, AES-256
  Encryption Mode:                  Tunnel
  Diffie-Hellman Group:             2 (1024 bit), 5 (1536 bit), 14-18 (2048 bit), 22, 23, and 24 (2048 bit)
  Hashing Algorithm for Integrity:  SHA-1, SHA-256
  Lifetime Measurement:             Time
  Time Lifetime:                    3600 seconds
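As an added example (not code from this page or from OutSystems), the following shell script renders a strongSwan swanctl.conf that stays within the Phase 1 and Phase 2 limits above for both tunnels (see Redundancy) and has the on-premises side initiate and keep the tunnels alive (see Initiating the VPN). It assumes a strongSwan software gateway; every address, range and key in it is a constructed placeholder.

```shell
#!/bin/sh
# Placeholders (RFC 5737 ranges); real values come from the AWS configuration file.
GW=203.0.113.10      # public IP of the on-premises VPN gateway
PEER1=198.51.100.1   # tunnel 1 outside address (VPN Peer Address from Support)
PEER2=198.51.100.2   # tunnel 2 outside address
ONPREM=10.0.0.0/16   # on-premises range that will use the VPN
CLOUD=172.16.0.0/16  # OutSystems Cloud VPC range (must not overlap ONPREM)
PSK=${PSK:-REPLACE_WITH_PSK_FROM_CONFIG_FILE}
render_tunnel() {  # render_tunnel <name> <peer-ip>: one swanctl connection block
  cat <<EOF
  $1 {
    version = 2                           # IKE v2 (IKE v1 is also accepted)
    local_addrs = $GW
    remote_addrs = $2
    proposals = aes256-sha256-modp2048    # Phase 1: AES-256, SHA-256, DH group 14
    rekey_time = 28800s                   # Phase 1 re-negotiation time
    dpd_delay = 10s                       # keepalive traffic from this side
    local {
      auth = psk
      id = $GW
    }
    remote {
      auth = psk
      id = $2
    }
    children {
      cloud {
        local_ts = $ONPREM
        remote_ts = $CLOUD
        mode = tunnel                     # Phase 2: ESP in tunnel mode
        esp_proposals = aes256-sha256-modp2048   # AES-256, SHA-256, PFS group 14
        rekey_time = 3600s                # Phase 2 lifetime
        start_action = start              # the on-premises side must initiate
        dpd_action = restart
      }
    }
  }
EOF
}
render_conf() {  # both tunnels plus their pre-shared keys
  echo "connections {"
  render_tunnel aws-tunnel1 "$PEER1"
  render_tunnel aws-tunnel2 "$PEER2"
  echo "}"
  echo "secrets {"
  printf '  ike-t1 {\n    id = %s\n    secret = "%s"\n  }\n' "$PEER1" "$PSK"
  printf '  ike-t2 {\n    id = %s\n    secret = "%s"\n  }\n' "$PEER2" "$PSK"
  echo "}"
}
render_conf  # save as /etc/swanctl/swanctl.conf, then run: swanctl --load-all
```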

Step 4. Configure Your Firewall

This step must be performed by your Network Engineer.

If your on-premises network includes a firewall between the Internet and your VPN gateway, implement the following rules in the firewall:

  • Allow UDP traffic on port 500 between your VPN gateway and each of the VPN tunnels to the OutSystems Cloud to enable the transmission of IKE packets. There should be four rules: a pair of inbound and outbound rules for each VPN tunnel.

  • Allow IP protocol 50, Encapsulating Security Payload (ESP), traffic between your VPN gateway and each of the VPN tunnels to the OutSystems Cloud to enable the transmission of IPSec packets containing the encrypted network traffic. There should be four rules: a pair of inbound and outbound rules for each VPN tunnel.

  • If your OutSystems Cloud needs to access systems on your on-premises network add other inbound and outbound firewall rules. Make sure to create inbound and outbound rules for each of the VPN tunnels.
    For example, to access a SQL Server database allow TCP traffic on port 1433, and to access an Oracle database allow TCP traffic on port 1521.

  • If you are using NAT-T on your VPN gateway, allow UDP traffic on port 4500. Add outbound and inbound firewall rules.
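The rules above written out as an nftables ruleset, added here as an illustration rather than taken from the page. It assumes a Linux firewall in the forward path between the Internet and the VPN gateway; the gateway, tunnel and database addresses are constructed placeholders.

```shell
#!/bin/sh
# Placeholder addresses (RFC 5737); use the real gateway IP and the two tunnel
# outside addresses from the AWS configuration file.
GW=203.0.113.10                        # public IP of the on-premises VPN gateway
TUNNELS="198.51.100.1 198.51.100.2"    # outside addresses of tunnel 1 and tunnel 2
NATT=${NATT:-yes}                      # NATT=no if the gateway is not behind NAT
CLOUD=172.16.0.0/16                    # OutSystems Cloud VPC range
DB=10.0.5.20                           # on-premises SQL Server reached from the cloud
pair() {  # pair <peer> <match> <label>: one inbound and one outbound rule
  echo "    ip saddr $1 ip daddr $GW $2 accept comment \"$3 in\""
  echo "    ip saddr $GW ip daddr $1 $2 accept comment \"$3 out\""
}
tunnel_rules() {  # IKE and ESP pairs (plus NAT-T when enabled) for every tunnel
  for peer in $TUNNELS; do
    pair "$peer" "udp dport 500"   "IKE $peer"
    pair "$peer" "ip protocol esp" "ESP $peer"
    if [ "$NATT" = yes ]; then pair "$peer" "udp dport 4500" "NAT-T $peer"; fi
  done
}
db_rules() {  # db_rules <port>: cloud -> on-premises database and its replies.
  # These match decrypted traffic, so they belong on a firewall that sees the
  # inside of the tunnel (for example the VPN gateway's own filter).
  echo "    ip saddr $CLOUD ip daddr $DB tcp dport $1 accept comment \"db in\""
  echo "    ip saddr $DB ip daddr $CLOUD tcp sport $1 accept comment \"db out\""
}
ruleset() {  # complete file for: nft -f vpn.nft
  echo "table inet vpn {"
  echo "  chain forward {"
  echo "    type filter hook forward priority 0; policy drop;"
  tunnel_rules
  db_rules 1433   # SQL Server; use 1521 for Oracle
  echo "  }"
  echo "}"
}
ruleset
```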

Requesting Additional VPN Connections to Your OutSystems Cloud

If you need additional VPN connections, contact your Account Manager to obtain more information.

Troubleshooting

The VPN tunnels are down

If there isn't enough traffic being sent from your on-premises network to the OutSystems Cloud through the VPN, the VPN tunnels will be closed. Check how to keep the VPN tunnels open in Initiating the VPN.

Can't connect to a database on the on-premises network

Confirm that your firewall configurations and the database server are allowing inbound connections from the OutSystems Cloud IP range. By default, OutSystems Cloud doesn't block outbound connections.

The VPN connection is intermittent

  • This may be caused by asymmetric routing not being supported by your VPN gateway. Test your VPN connection by using only one open VPN tunnel: stop one of the VPN tunnels by making sure you don't send any traffic from the on-premises network through that tunnel.

  • This can also be caused by having more than one Security Association (SA) configured per tunnel. If your firewall implements a policy-based VPN, only one SA pair is supported. Only one inbound and one outbound SA is supported per VPN tunnel.

Troubleshoot your connection from your OutSystems Cloud with NetChecker

Use NetChecker to perform network tests from your OutSystems Cloud front-end servers and to help you troubleshoot your VPN connection.

Still not working?

If the issue persists, contact OutSystems Support. If you create a support ticket, make sure to include the current VPN configuration and any related error messages. A support engineer will help you troubleshoot your configuration and, if necessary, schedule a conference call.