Enabling Cloud Native VPN/Encryption Options Over Dedicated Cloud Connectivity Paths

When implementing a dedicated connection into the public cloud (via ExpressRoute to Microsoft Azure or Direct Connect to Amazon Web Services), enterprises undertaking a security risk assessment often examine the security of the chosen transport path and attempt to minimise the risk of a man-in-the-middle attack. For access over the public Internet, the built-in VPN capabilities of the cloud providers are already well known, although they are limited by the bandwidth available over that transport (the public Internet). Both Azure and AWS have published articles on how to use their VPN services over their respective dedicated cloud connectivity options: Configure a site-to-site VPN over Microsoft Peering and Establish a VPN Using Direct Connect. But what about using Megaport as your connectivity partner for your ExpressRoute or Direct Connect? What can Megaport provide beyond the private pathway to the cloud? In this KB article, we will look at four different scenarios leveraging dedicated cloud connectivity:

1) IPSec VPN – Azure ER Microsoft Peering or AWS DX Public VIF
2) IPSec VPN via Megaport Cloud Router (MCR) – Azure ER Microsoft Peering or AWS DX Public VIF
3) IPSec (or other) VPN – Azure ER Private Peering or AWS DX Private VIF with Network Virtual Appliance (NVA) in Azure or AWS
4) IPSec (or other) VPN – Multi-cloud with Network Virtual Appliance (NVA) in Azure and AWS

Scenario 1
IPSec VPN – Microsoft Peering or Public VIF
Prerequisites
  • Customer owns public IP addresses that can be assigned for use with Microsoft Peering and Public VIF (if public IP addresses are not owned, use MCR; see Scenario 2)
  • Customer (on-premises) network appliance supports IEEE 802.1ad (Q-in-Q); this is specifically required for Azure (if 802.1ad is not supported, use MCR; see Scenario 2)
  • Customer owns a network appliance that is capable of terminating IPSec
Megaport technology            Required   How many?
Megaport                       Yes        1 (or 2 in a Link Aggregation/LAG)
Megaport Cloud Router (MCR)    No         -
Virtual Cross Connect (VXC)    Yes        1 to each CSP (Azure and/or AWS)
Considerations
  • Azure and AWS use the industry-standard IPSec protocol with AES128 or AES256 encryption; if an organisation prefers other protocols or ciphers for security or performance reasons, this is not easily customisable.
  • Azure and AWS IPSec VPNs can be configured in an Active-Active HA configuration.
  • The maximum throughput available to both the Azure VPN Gateway and the AWS Virtual Private Gateway is 1.25 Gbps.
Scenario 2
IPSec VPN via MCR – Microsoft Peering or Public VIF
This solution is suitable for organisations that do not own public IP addresses.
Prerequisites
  • Customer owns a network appliance that is capable of terminating IPSec
Megaport technology            Required   How many?
Megaport                       Yes        1 (or 2 in a Link Aggregation/LAG)
Megaport Cloud Router (MCR)    Yes        1
Virtual Cross Connect (VXC)    Yes        1 to each CSP (Azure and/or AWS) and 1 Private VXC
Considerations
  • Azure and AWS use the industry-standard IPSec protocol with AES128 or AES256 encryption; if an organisation prefers other protocols or ciphers for security or performance reasons, this is not easily customisable.
  • Azure and AWS IPSec VPNs can be configured in an Active-Active HA configuration.
  • The maximum throughput available to both the Azure VPN Gateway and the AWS Virtual Private Gateway is 1.25 Gbps.
Scenario 3
IPSec (or other) VPN – Private Peering or Private VIF with Network Virtual Appliance (NVA) in Azure or AWS
Prerequisites
  • Customer (on-premises) network appliance supports IEEE 802.1ad (Q-in-Q); this is specifically required for Azure (if 802.1ad is not supported, use MCR as in Scenario 2, but with Private Peering or a Private VIF)
  • Customer owns network appliances on-premises and in the cloud that are both capable of terminating IPSec
Megaport technology            Required   How many?
Megaport                       Yes        1 (or 2 in a Link Aggregation/LAG)
Megaport Cloud Router (MCR)    No         -
Virtual Cross Connect (VXC)    Yes        1 to each CSP (Azure and/or AWS)
Considerations
  • Organisations have the flexibility to choose the encryption method, for better security or better performance.
  • There is additional cost for the VMs running the NVA.
  • Organisations will need to consider how to design and deliver HA for this scenario.
  • The maximum throughput can exceed 1.25 Gbps, up to the maximum Megaport size (1 Gbps or 10 Gbps), provided the NVA has sufficient compute power available.
Scenario 4
IPSec (or other) VPN – Multi-cloud with Network Virtual Appliance (NVA) in Azure and AWS
This solution is suitable for organisations whose on-premises infrastructure is not geographically close to the CSPs.
Prerequisites
  • Customer owns network appliances on-premises and in the cloud that are both capable of terminating IPSec
Megaport technology            Required   How many?
Megaport                       Yes        1 (or 2 in a Link Aggregation/LAG)
Megaport Cloud Router (MCR)    Yes        1
Virtual Cross Connect (VXC)    Yes        1 to each CSP (Azure and AWS) and 1 Private VXC
Considerations
  • Organisations have the flexibility to choose the encryption method, for better security or better performance.
  • There is additional cost for the VMs running the NVA.
  • Organisations will need to consider how to design and deliver HA for this scenario.
  • The maximum throughput can exceed 1.25 Gbps, up to the maximum Megaport Cloud Router size (5 Gbps), provided the NVA has sufficient compute power available.

Additional useful links:
Knowledgebase – Cloud Connectivity
Microsoft Cloud: Azure ExpressRoute
AWS Cloud: Direct Connect
MCR – Microsoft Azure via ExpressRoute
MCR – Amazon Web Services via Direct Connect

©2019 Megaport. Megaport, Virtual Cross Connect, VXC and MegaIX are registered trademarks of Megaport (Services) Pty Ltd ACN 607 432 646.