Connection scenarios

STACKIT VPN enables secure, scalable, and flexible virtual private network connections within the STACKIT cloud environment. This service is tailored to meet the needs of organizations that require secure and reliable connectivity across distributed environments, whether for business continuity, hybrid cloud deployments, or multi-site integration. With STACKIT VPN, you can seamlessly connect your on-premise data centers, remote offices, or existing cloud environments to your STACKIT cloud resources, ensuring encrypted data transmission and robust network security.

STACKIT VPN supports various deployment configurations depending on your organization’s specific requirements.

A site-to-site VPN with STACKIT enables the secure connection of an entire on-premise network, such as a corporate office, to your STACKIT Network Area (SNA) in the STACKIT environment. This configuration allows seamless integration between your cloud resources and your physical infrastructure, enabling them to function as a single, unified network. Each participating site, whether it’s your headquarters, branch office, or data center, uses a VPN gateway, typically a router or firewall, that encrypts and decrypts traffic, creating a secure tunnel between the two locations.

  • Corporate network integration:
    STACKIT VPN allows for the secure integration of a company’s headquarters with its branch offices or remote data centers, ensuring they operate as a cohesive network. This is ideal for businesses with multiple locations that require consistent access to shared resources and applications.
  • Mergers and acquisitions:
    When companies merge or acquire other businesses, STACKIT VPN enables the rapid integration of disparate networks without the need for extensive reconfiguration, reducing downtime and ensuring business continuity.
  • Hybrid cloud:
    STACKIT VPN supports hybrid cloud architectures by securely connecting your on-premise data centers or other cloud environments with STACKIT cloud resources. This allows for flexible deployment strategies, where workloads can be moved between environments based on performance, cost, or compliance requirements.

A site-to-multisite VPN connects the STACKIT cloud to multiple branch networks. Each branch network establishes a secure VPN connection to your STACKIT Network Area (SNA), forming a hub-and-spoke topology. This configuration is particularly useful for organizations with a central office or headquarters that needs to manage and communicate with several remote locations.

  • Retail chains:
    STACKIT VPN is ideal for retail businesses that need to connect their central cloud-based resources to multiple store locations. This setup ensures that each store can securely access inventory, sales, and customer data from the central system.
  • Educational institutions:
    For universities or school systems, STACKIT VPN can link a central campus with satellite campuses, enabling shared access to resources like learning management systems, research databases, and administrative tools.
  • Franchises:
    Franchise businesses can use STACKIT VPN to securely connect franchise locations with central cloud services, facilitating centralized management of operations, reporting, and inventory control.

In the following diagram, the default-colored line represents the first STACKIT VPN connection, while the orange line represents the second STACKIT VPN connection:

Diagram

For enhanced reliability, STACKIT VPN supports multiple High Availability VPN setups in an active/active configuration, which allows you to create multiple VPN tunnels between your STACKIT Network Area and your remote site that are actively used to balance the load and provide redundancy. This configuration is essential for businesses that require high availability and performance, as it ensures continuous operation even in the event of a connection failure.

An active/active VPN gateway configuration in STACKIT VPN provides enhanced redundancy and high availability for your network connections. Unlike the active/standby configuration, where only one gateway instance is actively handling traffic at a time, the active/active setup allows multiple instances to simultaneously manage traffic, ensuring seamless connectivity and improved load balancing. This approach reduces downtime during maintenance or unexpected outages and offers better utilization of available resources.

  • High availability:
    By distributing traffic across multiple active VPN connections, STACKIT VPN minimizes downtime and maintains network availability. This is crucial for mission-critical applications that demand constant connectivity.
  • Disaster recovery:
    In the event of a failure, STACKIT VPN’s active/active setup ensures that traffic is automatically rerouted to the remaining active connections, supporting your disaster recovery plans and reducing the risk of data loss or service disruption.
  • Performance optimization:
    STACKIT VPN enables the use of multiple active connections to increase bandwidth and throughput. This setup is ideal for environments where high data transfer rates are required, such as large-scale data processing, video conferencing, or cloud-based application delivery.
  • Dual redundancy:
    By combining active/active configurations on both the STACKIT side and the on-premise network, a fully meshed connection with multiple IPsec tunnels is achieved, significantly enhancing reliability and reducing the risk of downtime.
  • BGP integration:
    Border Gateway Protocol (BGP) can be used to manage routing between the on-premise devices and the STACKIT VPN gateway, ensuring optimal routing and load distribution across all available tunnels.

For optimal performance, ensure that:

  • Both tunnels are configured properly:
    Your on-premise VPN device should accept multiple tunnels, each connected to a different public IP address of the STACKIT VPN gateways.
  • Routing and failover mechanisms are in place:
    Proper routing ensures that traffic can seamlessly switch between tunnels in case of gateway maintenance or failure, preventing any disruption in service.

STACKIT VPN gateway with single customer gateway

The STACKIT VPN gateway can use a single connection with two tunnels to connect to the customer gateway. This setup provides redundancy for both the STACKIT VPN instances and the tunnels.

Diagram

STACKIT VPN gateway with two customer gateways

Both tunnels in the connection need to connect to the same remote site. Usually, they are connected to the same customer gateway. For more flexibility, STACKIT VPN also allows you to define a different remote endpoint for each tunnel, so that each tunnel can connect to a different customer gateway in the same network. This makes it possible to connect to a customer network that has two gateways while setting up only a single connection in STACKIT VPN.

Diagram

STACKIT VPN with dual redundancy connection

For the highest level of reliability, consider implementing an active/active design with dual redundancy. This involves setting up your instances both in your on-premise network and in STACKIT VPN, resulting in a fully meshed network with four active IPsec tunnels. Note that the STACKIT VPN gateway already operates with two internal VPN instances, so only a single STACKIT VPN gateway is required.

In this configuration:

  • Deploy two on-premise VPN devices:
    Each device should connect to a separate STACKIT VPN gateway instance, ensuring that all possible paths between your on-premise network and the STACKIT environment are covered.
  • Create two connections / four IPsec tunnels:
    Establish tunnels between each on-premise VPN device and the corresponding STACKIT VPN gateways. This provides the highest possible availability and resilience.
  • Load balance across all tunnels:
    Distribute traffic using ECMP across the four tunnels to maximize throughput and ensure continuous connectivity, even in the event of multiple failures.

This setup is ideal for mission-critical applications where high availability and minimal downtime are essential.
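
The following Python sketch is an added example, not STACKIT code: it models the three designs described on this page (single customer gateway, two customer gateways on one connection, and dual redundancy) as tunnels between STACKIT VPN instances and customer gateways, then enumerates which device failures leave no tunnel up. The device labels are hypothetical, and it assumes each VPN instance and customer gateway fails independently and that ECMP splits traffic equally.

```python
from itertools import combinations

# Each tunnel is (STACKIT VPN instance, customer gateway). Labels are
# hypothetical; they identify failure domains, not real endpoints.
DESIGNS = {
    # one connection, two tunnels, one customer gateway
    "single_cgw": [("stackit-1", "cgw-1"), ("stackit-2", "cgw-1")],
    # one connection, a different remote endpoint per tunnel
    "two_cgw": [("stackit-1", "cgw-1"), ("stackit-2", "cgw-2")],
    # two connections, four tunnels, full mesh
    "dual_redundancy": [("stackit-1", "cgw-1"), ("stackit-2", "cgw-1"),
                        ("stackit-1", "cgw-2"), ("stackit-2", "cgw-2")],
}


def surviving(tunnels, failed):
    """Tunnels whose two endpoints are both still up."""
    return [t for t in tunnels if failed.isdisjoint(t)]


def fatal_failures(tunnels, k):
    """Every set of k failed devices that leaves no tunnel up."""
    devices = sorted({d for t in tunnels for d in t})
    return [set(c) for c in combinations(devices, k)
            if not surviving(tunnels, set(c))]


def ecmp_share(tunnels, failed):
    """Fraction of traffic per surviving tunnel under equal-cost ECMP."""
    up = surviving(tunnels, failed)
    return 1 / len(up) if up else 0.0


if __name__ == "__main__":
    for name, tunnels in DESIGNS.items():
        print(name,
              "| fatal single failures:", fatal_failures(tunnels, 1),
              "| fatal double failures:", fatal_failures(tunnels, 2))
```

In this model the full mesh loses connectivity only when both devices on the same side fail, whereas the two-gateway single-connection design also loses it when one STACKIT instance and the opposite customer gateway fail together.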

With the flexibility of STACKIT VPN, you can configure your dual redundancy connection to match the setup on your remote site.

Type 1 - Two customer gateways with same remote address in connection

In the following diagram, the default-colored lines represent the first STACKIT VPN connection, while the orange lines represent the second STACKIT VPN connection:

Diagram

Type 2 - Two customer gateways with different remote addresses in connection

In the following diagram, the default-colored lines represent the first STACKIT VPN connection, while the orange lines represent the second STACKIT VPN connection:

Diagram

Type 3 - Four customer gateways with different remote addresses in connection

Some customer-side restrictions may allow only a single remote endpoint to be set up in their active/active VPN gateways. To allow for an easy setup under these restrictions, STACKIT VPN allows you to define two different remote endpoint addresses in a single connection.

In the following diagram, the default-colored lines represent the first STACKIT VPN connection, while the orange lines represent the second STACKIT VPN connection:

Diagram