To set up a VPN between your data center and OutSystems Platform Cloud, your VPN gateway needs to:
- Be associated with a static IP address;
- Have direct internet access, rather than being set behind a device performing network address translation;
- Be able to initiate the VPN tunnel.
And your VPN concentrator needs to be able to:
- Maintain the same static public IP address;
- Establish an IKE v1 Security Association using Pre-Shared Keys;
- Establish IPSec Security Associations in Tunnel mode;
- Use the AES 128-bit/AES 256-bit encryption function;
- Use the SHA-1/SHA-256 hashing function;
- Use the Diffie-Hellman Perfect Forward Secrecy in "Group2"/"Group5" mode.
Also, because no network traffic can be generated on the Cloud environments side, constant network traffic from the datacenter into the OutSystems VPN gateway must exist to keep the VPN tunnel up and stable. One of the following options can be used for this purpose:
- Configure your VPN gateway to generate keep-alive traffic into the VPN. This can be done using features such as SLA monitor or by running periodic ICMP pings to an environment in the cloud;
- Configure a permanent ICMP ping from a set of servers in your datacenter to an environment in the cloud.
OutSystems will supply the targets to be used for this purpose.
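A sketch of the second option, a permanent ping from a data center server, is shown here as an added example (not OutSystems code). The target addresses are constructed placeholders for the ones OutSystems supplies, the interval and alert threshold are assumed values, and the `ping` flags are those of Linux iputils.

```shell
#!/bin/sh
# Added example: keep-alive pings from a data center server into the VPN.
# TARGETS are constructed placeholders; use the addresses OutSystems supplies.
TARGETS="${TARGETS:-10.0.0.10 10.0.0.11}"
INTERVAL="${INTERVAL:-10}"        # seconds between rounds (assumed value)
MAX_FAILS="${MAX_FAILS:-3}"       # failed rounds in a row before alerting (assumed)
PING="${PING:-ping}"              # overridable so the logic can be tested offline

# Send one echo request to each target; print the number of targets that replied.
keepalive_round() {
    ok=0
    for t in $TARGETS; do
        # -c 1: one packet, -W 2: wait up to 2 s for the reply (Linux iputils ping)
        if "$PING" -c 1 -W 2 "$t" >/dev/null 2>&1; then
            ok=$((ok + 1))
        fi
    done
    echo "$ok"
}

# Given the current failure streak and the replies from this round,
# print the new streak: reset on any reply, otherwise increment.
next_streak() {
    if [ "$2" -gt 0 ]; then echo 0; else echo $(($1 + 1)); fi
}

keepalive_loop() {
    streak=0
    while :; do
        replies=$(keepalive_round)
        streak=$(next_streak "$streak" "$replies")
        if [ "$streak" -eq "$MAX_FAILS" ]; then
            # Alert once when the threshold is reached, so a dead tunnel is noticed
            logger -t vpn-keepalive "no reply from any target for $streak rounds" 2>/dev/null ||
                echo "vpn-keepalive: no reply for $streak rounds" >&2
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as: ./vpn-keepalive.sh run
if [ "${1:-}" = "run" ]; then keepalive_loop; fi
```

Running it from more than one server, as the option describes, avoids the tunnel depending on a single host staying up.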
Gather the following information
Before requesting us to set up a VPN connection, make sure you know:
- The public IP of your internet gateway;
- The brand/model of your VPN concentrator;
- Your internal network IP range that has access to the VPN.
Without this information, it won't be possible to set up the VPN.
IP subnet Range
By default, OutSystems Platform Cloud is created with a 10.A.B.0/24 internal IP range, where A and B are randomly generated. If you need to ensure a specific subnet range, let your account manager know about this requirement before your infrastructure is provisioned.
To ensure high-availability for the VPN service you should configure two VPN tunnels. Amazon performs routine maintenance on the VPN gateways, which can disable one VPN tunnel for a brief period. Having two VPN tunnels set up ensures your connection automatically fails over to the second tunnel while the first is down for maintenance.
For this, your VPN concentrator must support asymmetric routing. Please note that Cisco ASA devices will only establish a single connection with the first configured peer, whereas the second peer IP is kept down ('standby': connected only if peer no. 1 is unreachable).