Enabling Cloud-Native VPN/Encryption Options Over Dedicated Cloud Connectivity Paths
When you build a dedicated connection into a public cloud, such as ExpressRoute to Microsoft Azure or Direct Connect to Amazon Web Services, the transport path is private but not encrypted by default, so it belongs in your security risk assessment. Running a VPN (typically IPsec) over the dedicated path adds confidentiality and integrity to the traffic and minimizes the risk of a man-in-the-middle attack on the carrier or exchange segment.
Azure and AWS have published details on how to use VPN services through their respective dedicated cloud connectivity options:
This topic describes several scenarios leveraging dedicated cloud connectivity, including:
- Scenario 1: IPsec VPN – Azure ER Microsoft Peering or AWS DX Public VIF
- Scenario 2: IPsec VPN via Megaport Cloud Router (MCR) – Azure ER Microsoft Peering or AWS DX Public VIF
- Scenario 3: IPsec VPN – Azure ER Private Peering or AWS DX Private VIF with Network Virtual Appliance (NVA) in Azure or AWS
- Scenario 4: IPsec VPN – Multicloud with Network Virtual Appliance (NVA) in Azure and AWS

Note: Network Virtual Appliances (NVAs) are used in Azure or AWS to control the flow of traffic between network segments that are classified at different security levels, for example between a secure virtual network and the public internet.
Scenario 1

IPsec VPN – Azure ER Microsoft Peering or AWS DX Public VIF

Prerequisites

- Owned public IP addresses that you can advertise over Microsoft Peering or a Public VIF (both require the prefixes to be registered to you).
  Note: If you do not own public IP addresses, use MCR (Scenario 2).
- Owned network appliance capable of IPsec.

| Megaport Technology | Required | How many? |
| --- | --- | --- |
| Port | Yes | 1 (or 2 in a Link Aggregation/LAG) |
| Megaport Cloud Router (MCR) | No | - |
| Virtual Cross Connect (VXC) | Yes | 1 to each CSP (Azure or AWS) |
Considerations

- Azure VPN Gateway and AWS Site-to-Site VPN use standards-based IPsec with AES-128 or AES-256. The cipher suite is limited to what the managed gateways support, so you cannot substitute other protocols for security or performance reasons.
- Both Azure and AWS IPsec VPN can be configured in an active-active HA configuration (AWS always provides two tunnels; Azure requires an active-active gateway configuration).
- The maximum throughput of an AWS Virtual Private Gateway tunnel is 1.25 Gbps. The maximum throughput of an Azure VPN depends on the VPN Gateway SKU.
- The VPN gateway's public IP must be reached through the prefixes learned over Microsoft Peering or the Public VIF. If it is not covered by a prefix learned over the dedicated path, the IPsec tunnel follows the default route and silently falls back to the internet.
Scenario 2

IPsec VPN via Megaport Cloud Router (MCR) – Azure ER Microsoft Peering or AWS DX Public VIF

This solution is suitable for organizations that do not own public IP addresses: the MCR terminates the Microsoft Peering or Public VIF, and the on-premises Port reaches it over a private VXC.

Prerequisites

- Customer-owned network appliance capable of IPsec.

| Megaport Technology | Required | How many? |
| --- | --- | --- |
| Port | Yes | 1 (or 2 in a Link Aggregation/LAG) |
| Megaport Cloud Router (MCR) | Yes | 1 |
| Virtual Cross Connect (VXC) | Yes | 1 to each CSP (Azure or AWS) and 1 Private VXC |
Considerations

- Azure VPN Gateway and AWS Site-to-Site VPN use standards-based IPsec with AES-128 or AES-256. The cipher suite is limited to what the managed gateways support, so you cannot substitute other protocols for security or performance reasons.
- Both Azure and AWS IPsec VPN can be configured in an active-active HA configuration (AWS always provides two tunnels; Azure requires an active-active gateway configuration).
- The maximum throughput of an AWS Virtual Private Gateway tunnel is 1.25 Gbps. The maximum throughput of an Azure VPN depends on the VPN Gateway SKU.
- As in Scenario 1, the VPN gateway's public IP must be covered by a prefix learned over the dedicated path; otherwise the tunnel follows the default route to the internet.
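The last consideration for Scenarios 1 and 2 can be checked before the tunnel is brought up by doing the same longest-prefix match the edge router will do. The following is an added example, not Megaport, Azure or AWS code: it parses a constructed routing-table export, finds the best route for each tunnel endpoint and reports whether that endpoint rides a VXC interface or the internet uplink. The prefixes, next hops, interface names and gateway IPs are assumptions made up for the example; the second endpoint deliberately hits a more specific prefix learned from the internet side to show how a tunnel can leak off the dedicated path.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample of a routing-table export from the on-premises edge router
# (one route per line: "<prefix> via <next-hop> dev <interface>"). The prefixes,
# next hops and interface names are assumptions for this example, not real CSP
# advertisements. Routes learned over the Megaport VXCs use "vxc-" interfaces;
# the default route points at the internet uplink.
SAMPLE_RIB = """\
0.0.0.0/0 via 192.0.2.1 dev eth0-internet
203.0.113.0/24 via 192.0.2.2 dev vxc-azure-microsoft-peering
203.0.113.128/25 via 192.0.2.1 dev eth0-internet
198.51.100.0/24 via 192.0.2.3 dev vxc-aws-public-vif
"""

# Interfaces that ride the dedicated (ExpressRoute / Direct Connect) path.
DEDICATED_INTERFACES = {"vxc-azure-microsoft-peering", "vxc-aws-public-vif"}

# Assumed public IPs of the CSP VPN gateways (the IPsec tunnel outer endpoints).
TUNNEL_ENDPOINTS = ["203.0.113.10", "203.0.113.200", "198.51.100.7", "192.0.2.99"]

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address, str]


def parse_rib(text: str) -> List[Route]:
    """Parse the constructed export format into (prefix, next_hop, interface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1] != "via" or fields[3] != "dev":
            continue  # skip blank or unexpected lines rather than guessing
        prefix = ipaddress.ip_network(fields[0], strict=False)
        routes.append((prefix, ipaddress.ip_address(fields[2]), fields[4]))
    return routes


def best_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the router's forwarding plane selects it."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def classify_endpoints(routes: List[Route], endpoints: List[str], dedicated) -> Dict[str, str]:
    """Map each tunnel endpoint to DEDICATED, INTERNET or NO ROUTE."""
    result = {}
    for ep in endpoints:
        r = best_route(routes, ep)
        if r is None:
            result[ep] = "NO ROUTE"
        elif r[2] in dedicated:
            result[ep] = "DEDICATED"
        else:
            result[ep] = "INTERNET"
    return result


def all_on_dedicated_path(rib_text: str, endpoints: List[str], dedicated) -> bool:
    """True only if every tunnel endpoint is reached over the dedicated path."""
    verdicts = classify_endpoints(parse_rib(rib_text), endpoints, dedicated)
    return all(v == "DEDICATED" for v in verdicts.values())


if __name__ == "__main__":
    routes = parse_rib(SAMPLE_RIB)
    for ep, verdict in classify_endpoints(routes, TUNNEL_ENDPOINTS, DEDICATED_INTERFACES).items():
        print(f"{ep:>16}  {verdict}")
```

Run this against a real export by replacing SAMPLE_RIB with the router's routing table (after adapting parse_rib to that router's output format) and TUNNEL_ENDPOINTS with the gateway IPs the CSP assigned; a verdict other than DEDICATED means the VPN would be built over the internet, not over ExpressRoute or Direct Connect.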
Scenario 3

IPsec (or other) VPN – Azure ER Private Peering or AWS DX Private VIF with Network Virtual Appliance (NVA) in Azure or AWS

Prerequisites

- Customer-owned IPsec-capable network appliances on-premises and in the cloud.

| Megaport Technology | Required | How many? |
| --- | --- | --- |
| Port | Yes | 1 (or 2 in a Link Aggregation/LAG) |
| Megaport Cloud Router (MCR) | No | - |
| Virtual Cross Connect (VXC) | Yes | 1 to each CSP (Azure or AWS) |
Considerations

- Because you run both ends of the VPN, you choose the encryption method (IPsec with the cipher suite you want, or another VPN protocol) for better security or better performance.
- The VMs running the NVAs add compute cost.
- HA is your responsibility: the managed gateway's built-in redundancy does not apply, so you need to design redundant NVAs, tunnels and routing for this scenario.
- The maximum throughput can exceed 1.25 Gbps, up to the maximum Port size (1 Gbps or 10 Gbps), given enough compute on the NVA.
Scenario 4

IPsec (or other) VPN – Multicloud with Network Virtual Appliance (NVA) in Azure and AWS

This solution is suitable for organizations with on-premises infrastructure that is not geographically close to the CSPs.

Prerequisites

- Customer-owned IPsec-capable network appliances on-premises and in the cloud.

| Megaport Technology | Required | How many? |
| --- | --- | --- |
| Port | Yes | 1 (or 2 in a Link Aggregation/LAG) |
| Megaport Cloud Router (MCR) | Yes | 1 |
| Virtual Cross Connect (VXC) | Yes | 1 to each CSP (Azure and AWS) and 1 Private VXC |
Considerations

- As in Scenario 3, you choose the encryption method for better security or better performance, because you run the NVAs at both ends.
- The VMs running the NVAs add compute cost.
- HA is your responsibility: design redundant NVAs, tunnels and routing for this scenario.
- The maximum throughput can exceed 1.25 Gbps, given enough compute on the NVAs.
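In Scenarios 3 and 4 the cipher suite is yours to pick, which also means nothing stops you from picking a weaker one than the managed gateways would have given you. The following added example (not Megaport's code nor any NVA vendor's) reviews a candidate IKEv2/IPsec proposal against a baseline and renders an acceptable one as strongSwan proposal strings for the NVA. The baseline sets (AEAD or AES ciphers, SHA-2 integrity, DH groups 14 to 21 and 31, PFS on, SA lifetime of at most 8 hours) are the editor's assumption following RFC 8247 style guidance, not a CSP-published list; the two sample proposals and the SHA-384 PRF choice are also assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Editorial baseline (assumption, not a CSP-published list): AEAD ciphers are
# preferred, SHA-1/MD5 integrity and DES/3DES are rejected, and only DH groups
# of at least 2048-bit MODP or 256-bit ECP strength are accepted.
AEAD_CIPHERS = {"aes128gcm16", "aes256gcm16", "chacha20poly1305"}
WEAK_CIPHERS = {"null", "des", "3des"}
WEAK_INTEGRITY = {"md5", "sha1"}
STRONG_DH_GROUPS = {14, 15, 16, 19, 20, 21, 31}
MAX_SA_LIFETIME_S = 8 * 3600

# strongSwan keyword names for the accepted DH groups, used to render a
# proposal string a strongSwan-based NVA accepts in swanctl.conf.
DH_NAMES = {14: "modp2048", 15: "modp3072", 16: "modp4096",
            19: "ecp256", 20: "ecp384", 21: "ecp521", 31: "x25519"}


@dataclass(frozen=True)
class Proposal:
    ike_version: int
    encryption: str           # e.g. "aes256gcm16", "aes256", "3des"
    integrity: Optional[str]  # None is acceptable only with an AEAD cipher
    dh_group: int             # IKE SA key-exchange group
    pfs_group: Optional[int]  # child SA PFS group; None disables PFS
    sa_lifetime_s: int


def review_proposal(p: Proposal) -> List[str]:
    """Return findings against the baseline; an empty list means the proposal passes."""
    findings = []
    enc = p.encryption.lower()
    if p.ike_version != 2:
        findings.append("IKEv1 in use: use IKEv2")
    if enc in WEAK_CIPHERS:
        findings.append(f"weak cipher {enc}")
    if enc in AEAD_CIPHERS:
        pass  # an AEAD cipher provides its own integrity protection
    elif p.integrity is None:
        findings.append(f"non-AEAD cipher {enc} configured without an integrity algorithm")
    elif p.integrity.lower() in WEAK_INTEGRITY:
        findings.append(f"weak integrity {p.integrity.lower()}")
    if p.dh_group not in STRONG_DH_GROUPS:
        findings.append(f"weak or unsupported IKE DH group {p.dh_group}")
    if p.pfs_group is None:
        findings.append("PFS disabled for child SAs")
    elif p.pfs_group not in STRONG_DH_GROUPS:
        findings.append(f"weak or unsupported PFS group {p.pfs_group}")
    if p.sa_lifetime_s > MAX_SA_LIFETIME_S:
        findings.append(f"SA lifetime {p.sa_lifetime_s}s exceeds {MAX_SA_LIFETIME_S}s")
    return findings


def strongswan_proposals(p: Proposal) -> Tuple[str, str]:
    """Render (IKE proposal, ESP proposal) strings in strongSwan syntax."""
    if p.dh_group not in DH_NAMES:
        raise ValueError(f"no strongSwan keyword for DH group {p.dh_group}")
    if p.pfs_group is not None and p.pfs_group not in DH_NAMES:
        raise ValueError(f"no strongSwan keyword for PFS group {p.pfs_group}")
    enc = p.encryption.lower()
    if enc in AEAD_CIPHERS:
        # An AEAD cipher still needs a PRF for IKE; SHA-384 is this example's choice.
        ike = f"{enc}-prfsha384-{DH_NAMES[p.dh_group]}"
        esp = enc
    else:
        if p.integrity is None:
            raise ValueError("non-AEAD cipher needs an integrity algorithm")
        ike = f"{enc}-{p.integrity.lower()}-{DH_NAMES[p.dh_group]}"
        esp = f"{enc}-{p.integrity.lower()}"
    if p.pfs_group is not None:
        esp = f"{esp}-{DH_NAMES[p.pfs_group]}"
    return ike, esp


# Constructed sample proposals (assumptions): a legacy one that many peers
# still accept, and the one this example would configure on the NVAs.
LEGACY = Proposal(ike_version=1, encryption="aes256", integrity="sha1",
                  dh_group=2, pfs_group=None, sa_lifetime_s=28800)
MODERN = Proposal(ike_version=2, encryption="aes256gcm16", integrity=None,
                  dh_group=20, pfs_group=20, sa_lifetime_s=3600)

if __name__ == "__main__":
    for name, prop in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, review_proposal(prop) or "OK")
    print(strongswan_proposals(MODERN))
```

The rendered strings go into the `proposals` and `esp_proposals` settings of a strongSwan connection; for other NVA software, map the same parameters onto its own proposal syntax, and keep the review step so that the flexibility of Scenarios 3 and 4 is used to go stronger than the managed gateways, not weaker.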
Helpful references