FAQ
General
How many VPN instances can I have in my project?
Please refer to the VPN Quotas and Limitations for the allowed number of VPN Gateway instances in a project.
What are the limitations of STACKIT VPN?
While STACKIT VPN provides robust security and scalability, there are a few limitations to consider:
- Please refer to VPN Quotas and Limitations for an overview of allowed VPN quotas.
- The VPN Gateway flavor defines the maximum allowed bandwidth and maximum allowed connections that can be configured in the gateway.
- Only networks belonging to the same STACKIT Network Area (SNA) can be routed through the VPN.
- Point-to-Site / client connections are not supported.
Can I establish connections between STACKIT networks in different STACKIT Network Areas (SNAs)?
Yes, you can connect two SNAs using STACKIT VPN.
Can I use STACKIT VPN with NAT (Network Address Translation)?
No, STACKIT VPN currently does not support NAT.
Make sure to avoid address conflicts between your STACKIT Network Area and your remote site.
Is there an additional fee for setting up an active-active VPN?
No, currently all offered STACKIT VPN Gateways are HA Gateways working in an Active-Active setup.
Can I set up a point-to-site VPN connection?
No, the currently offered STACKIT VPN Gateways are designed for site-to-site connections only.
Can I change the service plan for an active VPN instance?
Yes, you can change the service plan for an active VPN instance. The service plan can be upgraded based on your requirements at any time. Note that changing the service plan may result in a short interruption of active connections. Downgrading to a lower plan is currently not supported.
For step-by-step instructions on how to change the VPN service plan, refer to the “How to change the VPN service plan” tutorial in the documentation.
How can I monitor the status and performance of my VPN connections?
STACKIT VPN offers an API endpoint for status information on the connections, consisting of the tunnel status, the negotiated ciphers for each phase, and the packets and bytes sent and received. This information is accessible in the STACKIT Portal on the status page of the respective connection and through the STACKIT API connection status endpoint.
Can I integrate STACKIT VPN with other cloud services or third-party applications?
Yes, STACKIT VPN can be integrated with other cloud services, hardware appliances and third-party applications that support the industry standard IPsec IKEv2 protocols. Ensure that the integration complies with your security policies and that proper configuration is in place to maintain secure connections.
For specific integration scenarios, consult the how-tos section in the documentation.
What options do I have for managing my STACKIT VPN instances?
You can create, manage and delete your STACKIT VPN instances through the STACKIT Portal, API, SDK, CLI and Terraform provider.
How do I use the STACKIT Portal for STACKIT VPN management?
The STACKIT Portal provides an intuitive dashboard for comprehensive management of all VPN features, allowing you to easily configure, monitor, and control your VPN resources.
The getting started section in the documentation guides you through the lifecycle of creating, managing and deleting your STACKIT VPN instances via the STACKIT Portal.
Access the STACKIT Portal here: STACKIT Portal
How do I use the STACKIT API for STACKIT VPN management?
The STACKIT VPN API provides comprehensive functionality to create, manage and delete VPN Instances within your STACKIT environment, enabling full control over your VPN resources programmatically.
Access the API documentation here: STACKIT VPN API Documentation
How do I use the STACKIT SDK for STACKIT VPN management?
The STACKIT VPN functionality is integrated into the STACKIT SDK for Go, allowing for seamless automation and custom VPN configurations through code. It provides developers with the tools needed to programmatically deploy and manage VPN resources within the STACKIT Cloud.
Comprehensive documentation for the STACKIT SDK, including usage examples and best practices, can be found here: STACKIT SDK for Go
How do I use the STACKIT Terraform Provider for STACKIT VPN management?
STACKIT VPN fully supports Terraform through the STACKIT Terraform Provider, empowering you to automate the deployment and management of VPN resources through infrastructure as code (IaC). This integration simplifies the provisioning and scaling of VPN configurations, allowing for consistent and repeatable deployments across your cloud environment.
Detailed documentation for the STACKIT Terraform Provider can be found here: STACKIT Terraform Provider
Does STACKIT VPN work in STACKIT Public Projects?
No, STACKIT VPN relies on the network and routing capabilities of the STACKIT Network Area (SNA). STACKIT VPN is therefore only supported in Network Area projects.
Configuration
Does applying changes to my VPN configuration result in connection interruptions?
This may depend on the changed settings and how your remote gateway is configured. Changing the ciphers for a connection can result in a renegotiation between the STACKIT VPN Gateway and your remote gateway. Ensure your remote gateway is also updated accordingly. Nevertheless, changing settings for one connection does not affect other connections on the same VPN gateway.
Changing the service plan or availability zones for a VPN Gateway might result in a short interruption of all connections on this gateway.
How can I configure routing for my VPN connections?
The STACKIT SNA internal routing is handled automatically by the STACKIT VPN Gateway depending on the gateway routing type configuration.
- In POLICY_BASED gateways, routes are set based on the traffic selectors localSubnets and remoteSubnets.
- In ROUTE_BASED gateways, you can define staticRoutes in your connections, defining the network ranges reachable on your remote site.
- In BGP_ROUTE_BASED gateways, the reachable networks for a connection are exchanged via BGP. Ensure your remote site gateway advertises the necessary networks accordingly. On the STACKIT side, the SNA range is advertised to your remote site by default. You can override this by setting overrideAdvertisedRoutes in your STACKIT VPN gateway BGP settings.
Important: Make sure to handle all routing for your VPN gateway within the VPN configuration. Adding manual routes directly in your SNA with the VPN gateway as next hop may fail or might be overridden by the gateway.
How do I set up an active-active VPN configuration?
Each STACKIT VPN Gateway allows for active-active connections to your remote site. Internally each HA VPN Gateway consists of two parallel instances each with its own public IP.
To set up an active-active VPN connection on the STACKIT side, simply configure both tunnel1 and tunnel2 in your STACKIT VPN connection.
IPsec IKEv2
What are the default parameters used for the IPsec IKEv2 VPN connection?
The default parameters of STACKIT VPN are documented in Gateway and Connection options.
The defaults may vary depending on specific configurations or updates, so it is advisable to check the current documentation or configuration settings for your specific STACKIT VPN instance and routing type.
What cryptographic algorithms are supported for the IPsec IKEv2 VPN connection?
STACKIT VPN supports a range of cryptographic algorithms for IPsec IKEv2 VPN connections. Please refer to Gateway and Connection options for a detailed list.
Can I use custom cryptographic settings for IPsec IKEv2 VPN connections?
Yes, custom cryptographic settings can be applied to IPsec IKEv2 VPN connections, allowing you to specify the exact encryption, integrity, and Diffie-Hellman groups used. This is often done to meet specific security requirements or to comply with organizational policies. However, both endpoints must support and agree on the custom settings for the connection to be established successfully.
Site-to-site connections
What do I have to consider when selecting an on-premise VPN device?
When selecting a VPN device for a Site-to-Site VPN connection, consider the following:
- Compatibility: Ensure the device supports the necessary VPN protocol, IPsec IKEv2.
- Performance: The device should handle the expected traffic volume without bottlenecks. Look for devices that match your bandwidth needs.
- Scalability: Choose a device that can scale with your growing network demands and handle multiple VPN connections if needed.
- Security Features: Consider devices with advanced security features such as firewalls, intrusion detection/prevention systems, and support for modern encryption standards.
- High Availability: If uptime is critical, look for devices that support High Availability (HA) configurations.
How do I have to configure my VPN device?
Please refer to the manufacturer's documentation for your device. Ensure matching settings are configured on both your VPN device and the STACKIT VPN gateway.
Can I have multiple site-to-site VPN connections with a single STACKIT VPN Gateway?
Yes, you can have multiple site-to-site VPN connections with a single VPN Gateway. The number of connections your STACKIT VPN Gateway supports depends on the selected plan.
Can I use policy based routing with multiple site-to-site VPN connections?
Yes, but it is highly recommended to use route based VPN with either static routes or BGP instead, as policy based routing has some limitations. When using policy based routing with multiple external connections, traffic may not be able to be directed between two connections and packets will be discarded.
High availability
What is high availability (HA) in the context of STACKIT VPN and what are the benefits?
High availability (HA) in STACKIT VPN ensures that your VPN connections remain operational even during unexpected failures or maintenance. By utilizing multiple active VPN tunnels or redundant components, HA minimizes downtime and ensures that mission-critical applications remain accessible even during network disruptions, thereby supporting business continuity and disaster recovery plans.
How does STACKIT VPN achieve high availability?
STACKIT VPN achieves High Availability through several strategies, including Active-Active VPN configurations, which create multiple simultaneous VPN tunnels. If one tunnel fails, traffic is automatically rerouted to the remaining active tunnels, ensuring uninterrupted service.
What is the difference between active-active and active-passive configurations?
In an Active-Active configuration, all VPN connections are active and share the traffic load, providing redundancy and higher throughput. In an Active-Passive configuration, one connection is active while the other remains on standby and only activates if the primary connection fails.
STACKIT VPN operates as an active-active gateway.
How do I set up an active-active VPN configuration in STACKIT?
Currently all STACKIT VPNs are active-active Gateways consisting of two underlying independent VPN instances. The instances in this gateway type will operate concurrently, supporting load balancing and redundancy.
Can high availability prevent all types of downtime?
While HA significantly reduces the risk of downtime, it cannot prevent all types of service interruptions. Factors such as global network outages or misconfigurations can still cause disruptions. However, HA is designed to mitigate common issues like hardware failures, network congestion, and planned maintenance.
Is high availability necessary for all VPN setups?
High availability is particularly important for businesses that require constant connectivity, such as those running mission-critical applications or services. For smaller setups with less stringent uptime requirements, a single instance VPN configuration might suffice, but HA provides an added layer of security and reliability.
What are the requirements for implementing high availability in STACKIT VPN?
Currently all STACKIT VPN gateways support active-active high availability setups by default. Each VPN gateway consists internally of two independent VPN instances, each with its own public IP. For each configured connection, tunnel1 operates via the first instance while tunnel2 operates via the second instance. Ensure both tunnels in a connection to your remote site are configured and established to utilize the HA active-active capabilities.
Some examples for different setups are demonstrated in the how-tos section.
Border Gateway Protocol
How does BGP work in the context of STACKIT VPN and what are the benefits?
In STACKIT VPN, BGP is used to dynamically exchange routing information between your on-premise network and the STACKIT environment. This allows for automatic updates to routing tables, ensuring that traffic is always routed through the best available path, especially in High Availability (HA) configurations.
Using BGP with STACKIT VPN provides several benefits, including:
- Dynamic Routing: Automatic updates to routes without manual reconfiguration.
- Failover Support: Enhanced failover capabilities in HA setups, ensuring continuous connectivity.
- Scalability: Efficient management of large, complex networks with multiple connections.
- Redundancy: BGP can manage multiple redundant paths, improving network reliability.
What role does BGP play in high availability?
BGP is used in HA configurations to manage the routing of traffic between different networks. In a STACKIT VPN HA setup, BGP helps ensure that traffic is routed through the optimal VPN connection, providing dynamic failover and improved reliability.
Is BGP available for all STACKIT VPN gateways?
Yes, BGP is an optional feature that can be used for all STACKIT VPN gateways. However, it must be enabled during creation of the gateway, and the local VPN devices must support BGP.
Make sure to select routing type BGP_ROUTE_BASED when creating your STACKIT VPN Gateway.
Can I use BGP with an already existing VPN connection which was created with BGP disabled?
No, BGP needs to be enabled while creating the gateway. Enabling BGP after creating the STACKIT VPN gateway is currently not supported.
What are the requirements for using BGP?
You must create a STACKIT VPN Gateway with routing type set to BGP_ROUTE_BASED. Your local network device must support BGP and be configured correctly to exchange routing information via the STACKIT VPN gateway.
Is there any restriction for ASN allocation?
STACKIT VPN supports the 16-bit and 32-bit private ASN ranges.
- 16-bit: 64 512 - 65 534
- 32-bit: 4 200 000 000 - 4 294 967 294
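Several constraints from this FAQ can be checked on a connection definition before it is applied: no overlap between remote networks and the SNA range (NAT is not supported), the fields that belong to each routing type, both tunnels for active-active, and the private ASN ranges. The following is an added example, not STACKIT code; the function name, the dict shape, the single SNA range and the tunnel contents are assumptions, and only the field names and routing types come from this page.

```python
import ipaddress

# Private ASN ranges as listed in the FAQ above.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def lint_connection(routing_type, sna_range, connection, asn=None):
    """Return findings for one connection; an empty list means nothing was flagged.

    Assumed (hypothetical) input shape: `connection` is a dict that may hold
    localSubnets, remoteSubnets, staticRoutes, tunnel1 and tunnel2.
    """
    findings = []
    sna = ipaddress.ip_network(sna_range)

    # The field that names the remote networks depends on the routing type.
    if routing_type == "POLICY_BASED":
        remote = connection.get("remoteSubnets", [])
        if not remote or not connection.get("localSubnets"):
            findings.append("POLICY_BASED connection lacks localSubnets or remoteSubnets")
    elif routing_type == "ROUTE_BASED":
        remote = connection.get("staticRoutes", [])
        if not remote:
            findings.append("ROUTE_BASED connection defines no staticRoutes")
    elif routing_type == "BGP_ROUTE_BASED":
        remote = []  # networks are exchanged via BGP, nothing static to compare
        if not any(lo <= (asn or 0) <= hi for lo, hi in PRIVATE_ASN_RANGES):
            findings.append(f"ASN {asn} is outside the supported private ranges")
    else:
        return [f"unknown routing type {routing_type!r}"]

    # NAT is not supported, so a remote network must not overlap the SNA range.
    for cidr in remote:
        if ipaddress.ip_network(cidr).overlaps(sna):
            findings.append(f"remote network {cidr} overlaps SNA range {sna_range}")

    # Active-active only protects the connection if both tunnels are configured.
    for name in ("tunnel1", "tunnel2"):
        if not connection.get(name):
            findings.append(f"{name} is not configured")
    return findings


if __name__ == "__main__":
    # Constructed sample: overlapping static route and a missing second tunnel.
    # The tunnel contents ("peer") are a placeholder, not a STACKIT field name.
    sample = {"staticRoutes": ["10.0.4.0/24"], "tunnel1": {"peer": "203.0.113.10"}}
    for finding in lint_connection("ROUTE_BASED", "10.0.0.0/16", sample):
        print(finding)
```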
Others
What cost do I have to expect?
There is a charge for the VPN Gateway based on the selected plan. Each plan allows for different maximum bandwidth and different maximum connections that can be configured.
Please refer to the STACKIT VPN service certificate for a detailed description.
You can use the STACKIT cost calculator to calculate the expected costs for your VPN requirements.
Is there a charge for VPN traffic?
No, STACKIT currently does not charge for any VPN ingress or egress traffic. You are only charged for the VPN Gateway.
Do you have any open questions that are not answered in any of our docs?
Feel free to create a service request in the STACKIT Help Center.