Enabling Cloud Native VPN/Encryption Options Over Dedicated Cloud Connectivity Paths

When implementing a dedicated connection into the public cloud through ExpressRoute to Microsoft Azure or Direct Connect to Amazon Web Services, the security of the transport path is part of a security risk assessment to minimize the risk of any potential man-in-the-middle attack.

Azure and AWS have published details on how to use VPN services through their respective dedicated cloud connectivity options:

But what about using a Megaport as your connectivity partner for your ExpressRoute or Direct Connect? What can Megaport provide beyond the private pathway to the cloud?

This topics reviews several scenarios leveraging dedicated cloud connectivity, including:

  • Scenario 1: IPsec VPN – Azure ER Microsoft Peering or AWS DX Public VIF
  • Scenario 2: IPsec VPN via Megaport Cloud Router (MCR) – Azure ER Microsoft Peering or AWS DX Public VIF
  • Scenario 3: IPsec VPN – Azure ER Private Peering or AWS DX Private VIF with Network Virtual Appliance (NVA) in Azure or AWS
  • Scenario 4: IPsec VPN – Multicloud with Network Virtual Appliance (NVA) in Azure and AWS

 

Scenario 1
IPsec VPN - Microsoft Peering or Public VIF
Prerequisites
  • Owned public IP addresses that can be assigned to use Microsoft Peering and Public VIF.
    Note: If public IP addresses are not owned, use MCR (Scenario 2).
  • On-premises network appliance that supports IEEE 802.1ad (Q-in-Q) – specifically for Azure.
    Note: If 802.1ad is not supported, use MCR (Scenario 2).
  • Owned network appliance capable of IPsec.
Megaport Technology Required How many?
Megaport Yes 1 or (2 in a Link Aggregation/LAG)
Megaport Cloud Router (MCR) No
Virtual Cross Connect (VXC) Yes 1 to each CSP (Azure or AWS)
Scenario 1
Considerations
  • Azure and AWS use industry standard protocol IPsec AES128 or AES256 for encryption: using other protocols for security or performance is not easily customizable.
  • Azure and AWS IPsec VPN can be configured with Active-Active HA configuration.
  • The maximum throughput available to both Azure VPN Gateway and AWS Virtual Private Gateway is 1.25 Gbps.
Scenario 2
IPsec VPN through MCR - Microsoft Peering or Public VIF.
This solution is suitable for organizations that do not own public IP addresses.
Prerequisites
  • Customer owned network appliance capable of IPsec.
Megaport Technology Required How many?
Megaport Yes 1 (2 in a Link Aggregation/LAG)
Megaport Cloud Router (MCR) Yes 1
Virtual Cross Connect (VXC) Yes 1 to each CSP (Azure or AWS) and 1 Private VXC
Scenario 2
Considerations
  • Azure and AWS use industry standard protocol IPsec AES128 or AES256 for encryption: using other protocols for security or performance is not easily customizable.
  • Azure and AWS IPsec VPN can be configured with Active-Active HA configuration.
  • The maximum throughput available to both Azure VPN Gateway and AWS Virtual Private Gateway is 1.25 Gbps.
Scenario 3
IPsec (or other) VPN - Private Peering or Private VIF with Network Virtual Appliance (NVA) in Azure or AWS.
Prerequisites
  • Customer (on-premises) network appliance that supports IEEE 802.1ad (Q-in-Q) – specifically for Azure.
    Note: If 802.1ad is not supported, use MCR (Scenario 2) but use private peering or a private VIF.
  • Customer owns IPsec-capable network appliances on-premises and in the cloud.
Megaport Technology Required How many?
Megaport Yes 1 (2 in a Link Aggregation/LAG)
Megaport Cloud Router (MCR) No
Virtual Cross Connect (VXC) Yes 1 to each CSP (Azure or AWS)
Scenario 3
Considerations
  • Organisations has the flexibility of the encryption method for better security or better performance.
  • Additional cost to the VMs running the NVA.
  • Organisations will need to consider how to design and deliver HA for this scenario.
  • The maximum throughput can exceed 1.25 Gbps up to the maximum Megaport size (1 Gbps or 10 Gbps) with the right compute power available on the NVA.
Scenario 4
IPsec (or other) VPN - Multicloud with Network Virtual Appliance (NVA) in Azure and AWS.
This solution is suitable for organizations with on-premises infrastructure that is not geographically close to the CSPs.
Prerequisites
  • Customer owns IPsec-capable network appliances on-premises and in the cloud.
Megaport Technology Required How many?
Megaport Yes 1 (2 in a Link Aggregation/LAG)
Megaport Cloud Router (MCR) Yes 1
Virtual Cross Connect (VXC) Yes 1 to each CSP (Azure and AWS) and 1 Private VXC
Scenario 4
Considerations
  • Provides a flexible encryption method for better security or better performance.
  • Additional cost to the VMs running the NVA.
  • Need to consider how to design and deliver HA for this scenario.
  • The maximum throughput can exceed 1.25 Gbps up to the maximum Megaport Cloud Router size (5 Gbps) with the required compute power available on the NVA.

Last update: