Anypoint VPC DLB and VPN - Part VII | MuleSoft | VPN Architecture | IPSec Tunneling and VPC Peering
Summary
TLDR: In this educational video, Jeetendra Bhavna, a senior MuleSoft architect, explains the MuleSoft Anypoint Virtual Private Network (Anypoint VPN). He covers how to set up a secure connection between CloudHub and an on-premise data center using Anypoint VPN, including IPsec tunneling, dynamic (BGP) versus static routing, and configuring the VPN endpoint and tunnels. It also covers VPC peering for connecting a CloudHub VPC to a private AWS VPC in the same region, emphasizing the importance of proper configuration for stable cloud-to-data-center communication.
Takeaways
- 😀 Jeetendra Bhavna introduces himself as a senior MuleSoft architect.
- 🔒 The video discusses Anypoint VPN, a secure connection between CloudHub and an on-premise data center.
- 🌐 Anypoint VPN supports IPsec tunneling, creating site-to-site Internet Protocol Security connections.
- 🛠️ Each Anypoint VPN consists of two tunnels to a single IP address at a remote location; each additional remote location needs its own VPN.
- 🔗 The VPN device in the on-premise data center (the VPN endpoint) has a public IP address, which is what the cloud side connects to.
- 🌐 The MuleSoft side of the connection is a virtual private gateway associated with a single VPC; it supports up to 10 VPN connections.
- 🚀 The maximum throughput provided by Anypoint VPN is approximately 1.25 Gbps.
- 🔄 Anypoint VPN supports two types of routing: dynamic routing (using BGP) and static routing.
- 🔑 Static routing requires specifying the CIDR blocks (up to 95) that need to be reachable through the VPN endpoint.
- 🖥️ The video provides a step-by-step guide on setting up an Anypoint VPN, including selecting a VPC, entering the remote IP address, and choosing the routing type.
- 🔧 The video also explains the tunnel configuration for a VPN: automatic, or custom with a pre-shared key and a point-to-point CIDR block per tunnel.
Q & A
What is a MuleSoft Virtual Private Network (VPN)?
-A MuleSoft VPN, also known as Anypoint VPN, creates a secure connection between a cloud environment and an on-premise data center.
Why is it necessary to set up a VPN between cloud and on-premise data centers?
-It's necessary to access databases, services, or systems located in an on-premise data center when your application is deployed in the cloud.
What are the capabilities of Anypoint VPN?
-Anypoint VPN supports site-to-site IPsec connections. Each VPN consists of two tunnels to a single IP address at a remote location; connecting to an additional remote location requires another VPN.
What is the maximum throughput provided by Anypoint VPN?
-The maximum throughput provided by Anypoint VPN is around 1.25 Gbps.
What are the two types of routing supported by Anypoint VPN?
-Anypoint VPN supports dynamic routing (using BGP protocol) and static routing.
What is a VPN endpoint and how is it related to a VPN connection?
-A VPN endpoint is the physical or software appliance that terminates the connection on the on-premise side. Each VPN device has a public IP address, which the cloud side connects to; the MuleSoft side of the connection is a virtual private gateway.
How many VPN connections can one virtual private gateway support?
-The virtual private gateway is associated with a single VPC and can support up to 10 VPN connections.
What is the difference between dynamic and static routing in the context of VPN?
-Dynamic routing is available when the on-premise VPN device supports BGP; routes are then exchanged automatically using the remote and local ASNs. In static routing, you list the CIDR blocks (up to 95) that must be reachable through the VPN endpoint.
What is the role of a pre-shared key (PSK) in setting up a VPN?
-A pre-shared key (PSK) authenticates the on-premise and cloud sides of each tunnel. It is required for the custom tunnel configuration, must be 8 to 64 characters long, and must not start with 0.
What is the purpose of downloading a VPN config after setting up a VPN?
-The VPN config is downloaded to provide the necessary configuration details to the network administrator for setting up the VPN device and ensuring a stable connection between the cloud and on-premise data centers.
What is VPC peering and when should it be used?
-VPC peering connects two VPCs directly so that traffic can be routed between them as if they were on the same network. It is used when the backend services live in a private subnet of your own AWS VPC rather than in an on-premise data center; both VPCs must be in the same region, and it is set up by MuleSoft support rather than as self-service.
Outlines
🌐 Introduction to Anypoint VPN
The paragraph introduces the concept of a Virtual Private Network (VPN) and specifically Anypoint VPN. The speaker, Jeetendra, explains that a VPN creates a secure connection between a cloud environment (CloudHub) and an on-premise data center, which is needed when applications deployed in the cloud must reach databases or services located on-premises. Anypoint VPN supports IPsec tunneling: each VPN consists of two tunnels that connect to a single IP address at a remote location, and each additional remote location needs another VPN. The MuleSoft side of the connection is a virtual private gateway, which is associated with a single VPC but can carry up to 10 VPN connections; the maximum throughput is around 1.25 Gbps. The paragraph also explains the difference between dynamic and static routing: dynamic routing requires the on-premise device to support BGP, while static routing requires manual configuration of the CIDR blocks that must be reachable through the VPN.
🛠️ Setting Up IPSec Tunneling VPN
This section provides a step-by-step guide on how to set up an IPsec tunneling VPN between CloudHub and an on-premise data center. The speaker describes the process, starting with having a VPC in place and then creating the VPN from Runtime Manager. He explains the need to provide a name for the VPN, select the VPC for which the VPN is created, and enter the remote IP address of the VPN endpoint, which must be publicly reachable. The paragraph also discusses the two types of routing. For dynamic routing, the VPN device must support BGP, and you enter a remote ASN for the on-premise side (64512 to 65534, default 65001) and a local ASN for the MuleSoft side (default 64512); both should be private ASNs not already assigned in your network. For static routing, you list the CIDR blocks that need to be reachable through the VPN, adding more with Add new rules, up to 95 per VPN. A diagram is referenced to illustrate the process.
🔐 Tunnel Configuration and VPN Status
The paragraph discusses the tunnel configuration options for a VPN, which are automatic and custom. In automatic configuration, the system creates tunnel 1 and tunnel 2 without further input from the user. For custom configuration, the user provides a pre-shared key (PSK) per tunnel for authentication (8 to 64 characters, not starting with 0) and a point-to-point CIDR block per tunnel: a /30 from the 169.254.0.0/16 range that is unique across all VPN connections and is not one of the reserved blocks. Because the PSK is what authenticates the two tunnel endpoints to each other, it should be generated randomly rather than chosen by hand, and handed to the network team over a protected channel. The speaker then explains the statuses a VPN passes through: pending with both tunnels down (the VPN is still being created, which can take 10 to 15 minutes), available with both tunnels down (created, but the on-premise device still needs to be configured), up/up (both tunnels active, active-active), up/down or down/up (active-passive, with the second tunnel as backup), and failed with both tunnels down (creation went wrong; delete the VPN and retry). The paragraph concludes with instructions on downloading the VPN configuration via Get VPN config, choosing the device vendor, platform and software (or a generic option if the vendor is not listed), and sharing it with the network administrators.
🔄 VPC Peering as an Alternative to VPN
In this paragraph, the speaker introduces VPC peering as an alternative to a VPN for the case where there is no on-premise data center and all backend services run in a private subnet of your own AWS VPC. VPC peering connects two VPCs directly so that traffic can be routed between them as if they were on the same network. In the example, the CloudHub VPC 10.0.1.0/24 in us-east-1 is peered with an AWS private VPC 192.168.0.0/22 in the same region; the CloudHub VPC and the AWS VPC must be in the same region. Unlike an IPsec VPN, which is self-service, VPC peering cannot be created from the Anypoint Platform: you raise a ticket with MuleSoft support and fill in a discovery template with details such as the CIDR of the AWS VPC, the CIDR of the CloudHub VPC and the contact person.
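As an added example that is not part of the video or of MuleSoft's own tooling, the Python module below turns the constraints from the VPN setup, tunnel configuration and VPC peering sections above into checks a team can run before submitting a VPN request or a peering discovery template: a public endpoint address, static routing with at most 95 CIDR blocks or BGP with ASNs in the private range, a PSK of 8 to 64 characters not starting with 0, /30 point-to-point blocks inside 169.254.0.0/16 that are unique and not reserved, and peering only within one region. The names (VpnRequest, validate_vpn, validate_peering, check_psk, check_p2p_cidr, generate_psk) are invented for this example. The reserved /30 list is taken from AWS site-to-site VPN documentation because the transcript garbles the list the speaker reads out, and the two overlap checks and the rule that the remote and local ASN must differ are practitioner assumptions that the video does not state.

```python
import ipaddress
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PRIVATE_ASN = range(64512, 65535)   # 64512..65534 inclusive, as stated in the video
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Assumption: AWS site-to-site VPN reserved list (the transcript garbles the video's); verify against current Anypoint docs.
RESERVED_P2P = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}

@dataclass
class VpnRequest:
    vpc_cidr: str                   # CloudHub VPC CIDR, e.g. 10.0.1.0/24
    remote_ip: str                  # public IP of the on-premise VPN endpoint
    routing: str                    # "static" or "bgp"
    static_routes: List[str] = field(default_factory=list)
    remote_asn: int = 65001         # on-premise ASN (video default)
    local_asn: int = 64512          # MuleSoft-side ASN (video default)
    psks: Optional[Dict[str, str]] = None       # custom tunnel config; None = automatic
    p2p_cidrs: Optional[Dict[str, str]] = None  # {"tunnel1": "169.254.6.0/30", ...}

def check_psk(psk: str) -> List[str]:
    """PSK rules from the video: 8 to 64 characters, must not start with 0."""
    problems = [] if 8 <= len(psk) <= 64 else [f"PSK length {len(psk)} outside 8-64"]
    if psk.startswith("0"):
        problems.append("PSK must not start with 0")
    return problems

def generate_psk(length: int = 32) -> str:
    """Random alphanumeric PSK from the OS CSPRNG that passes check_psk."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_psk(candidate):
            return candidate

def check_p2p_cidr(cidr: str, in_use: Set[str]) -> List[str]:
    """A /30 in 169.254.0.0/16, not reserved, unique across all tunnels; recorded in in_use."""
    try:
        net = ipaddress.ip_network(cidr)
    except ValueError as exc:
        return [f"p2p CIDR {cidr!r} invalid: {exc}"]
    problems = []
    if net.prefixlen != 30:
        problems.append(f"p2p CIDR {net} must be a /30")
    if not net.subnet_of(LINK_LOCAL):
        problems.append(f"p2p CIDR {net} must lie inside {LINK_LOCAL}")
    if net in RESERVED_P2P:
        problems.append(f"p2p CIDR {net} is reserved")
    if str(net) in in_use:
        problems.append(f"p2p CIDR {net} already used by another tunnel")
    in_use.add(str(net))
    return problems

def validate_vpn(req: VpnRequest, p2p_in_use: Optional[Set[str]] = None) -> List[str]:
    """Return the problems found (empty list = consistent); malformed addresses raise."""
    problems, in_use = [], set(p2p_in_use or ())
    vpc = ipaddress.ip_network(req.vpc_cidr)
    if not ipaddress.ip_address(req.remote_ip).is_global:
        problems.append(f"remote IP {req.remote_ip} is not a public address")
    if req.routing == "static":
        if not 1 <= len(req.static_routes) <= 95:   # up to 95 CIDRs per VPN (video)
            problems.append("static routing needs 1 to 95 CIDRs")
        for net in map(ipaddress.ip_network, req.static_routes):
            if net.overlaps(vpc):   # assumption (not in the video): overlapping routes are ambiguous
                problems.append(f"static route {net} overlaps VPC CIDR {vpc}")
    elif req.routing == "bgp":
        for label, asn in (("remote", req.remote_asn), ("local", req.local_asn)):
            if asn not in PRIVATE_ASN:
                problems.append(f"{label} ASN {asn} outside private range 64512-65534")
        if req.remote_asn == req.local_asn:  # assumption: eBGP peers need distinct ASNs
            problems.append("remote and local ASN must differ")
    else:
        problems.append(f"routing must be 'static' or 'bgp', got {req.routing!r}")
    if req.psks is not None or req.p2p_cidrs is not None:  # custom tunnel configuration
        for tunnel in ("tunnel1", "tunnel2"):
            psk = (req.psks or {}).get(tunnel)
            cidr = (req.p2p_cidrs or {}).get(tunnel)
            if psk is None or cidr is None:
                problems.append(f"custom config needs a PSK and a p2p CIDR for {tunnel}")
                continue
            problems += [f"{tunnel}: {p}" for p in check_psk(psk) + check_p2p_cidr(cidr, in_use)]
    return problems

def validate_peering(cloudhub_region: str, cloudhub_cidr: str,
                     aws_region: str, aws_cidr: str) -> List[str]:
    """Same region is stated in the video; non-overlapping CIDRs is an AWS peering rule (assumption)."""
    problems = []
    if cloudhub_region != aws_region:
        problems.append(f"regions differ: {cloudhub_region} vs {aws_region}")
    a, b = ipaddress.ip_network(cloudhub_cidr), ipaddress.ip_network(aws_cidr)
    if a.overlaps(b):
        problems.append(f"CIDRs overlap: {a} and {b}")
    return problems
```

With the video's scenario (VPC 10.0.1.0/24, static route 192.168.0.0/22, a publicly routable endpoint address) validate_vpn returns an empty list; a private endpoint address, a static route that overlaps the VPC CIDR, a duplicate or reserved point-to-point block, equal ASNs on both sides, or a peering request across regions each produce a problem line instead. generate_psk is included because the speaker says any string will do for the PSK: it is the only thing authenticating the two tunnel peers to each other, so it should come from a CSPRNG and be passed to the network team over a protected channel rather than chosen by hand.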
Keywords
💡MuleSoft
💡Virtual Private Network (VPN)
💡Anypoint VPN
💡Cloud Environment
💡On-Premise Data Center
💡IPSec Tunneling
💡Dedicated Load Balancer
💡Shared Load Balancer
💡VPC
💡Routing
💡VPN Endpoint
Highlights
Introduction to Anypoint VPN for creating a secure connection between cloud and on-premise data centers.
Explanation of VPN and its function to access databases or services on-premises from the cloud.
Description of Anypoint VPN's capability to support site-to-site IPsec tunneling.
Details on how Anypoint VPN connects to a single IP address at a remote location.
Mention of the physical or software implementation called a VPN endpoint.
Information on how the virtual private gateway is associated with a single VPC but can support up to 10 VPN connections.
Explanation of the maximum throughput provided by Anypoint VPN, which is around 1.25 Gbps.
Description of the two types of routing supported by Anypoint VPN: dynamic and static.
Instructions on setting up an IPSec tunneling VPN between cloud and on-premise data centers.
Step-by-step guide on configuring Anypoint VPN, including selecting the VPC and entering the remote IP address.
Discussion on dynamic routing with BGP and static routing with CIDR blocks.
Clarification on the local ASN and remote ASN for dynamic routing configuration.
Explanation of the tunnel configuration process in Anypoint VPN, including automatic and custom options.
Description of VPN status changes from pending to available and the actions required for configuration.
Instructions on downloading the VPN configuration for various devices.
Differentiation between Anypoint VPN for cloud-to-on-premise connectivity and VPC peering for cloud-to-cloud connectivity.
Process of setting up VPC peering and considerations for its configuration.
Advice on contacting MuleSoft support for setting up VPC peering.
Transcripts
Hello friends, my name is Jeetendra Bhavna, I am a senior MuleSoft architect. In today's video we are going to see what is a MuleSoft virtual private network, that is Anypoint VPN. In the last video we have seen how we can set up the VPC, how we can set up the dedicated load balancer, and what is the difference between the shared load balancer and the dedicated load balancer, so I will suggest before watching this video please go through those two. It will give you the idea of what is the VPC and what is the dedicated load balancer, and it will make it easy for you to understand the MuleSoft virtual private network.

Okay, so we'll start with what is the MuleSoft VPN or Anypoint VPN. VPN basically stands for virtual private network, and Anypoint VPN creates a secure connection between CloudHub and your on-premise data center. What does this mean? Basically, let's consider you have deployed your application on CloudHub and now you want to access a Microsoft SQL database or any database which exists in the on-premise data center, or maybe any services or any system which exists in the on-premise data center, okay? So how can you access that? For that you need to create a VPN between CloudHub and your on-premise data center.

So what are the various capabilities of Anypoint VPN? Anypoint VPN supports site-to-site Internet Protocol Security connections, that is IPSec tunneling. Each Anypoint VPN consists of two tunnels that enable you to connect to a single IP address at the remote location; to connect to an additional remote location, you create another VPN. So what does this mean? Basically you have one VPN device in your on-premise data center, and each VPN device has a remote IP address, right? So what we are doing from CloudHub is connecting to that remote IP address, or to that VPN endpoint. In some cases you may have to connect to multiple VPN devices, because some data centers may have multiple VPN devices; in that case you create multiple VPNs to connect to those multiple VPN devices, okay?

So the physical or software implementation is called a VPN endpoint, which I mentioned; that is the VPN device, the terminator on your side of the connection. The MuleSoft side of the connection is an implementation of a virtual private gateway. So basically the MuleSoft VGW is associated with a single VPC, okay? So one VPN is associated with a single VPC but can support up to 10 VPN connections, okay? So one VPC can be associated with up to 10 VPNs basically, and the throughput provided by the MuleSoft VPN, the maximum throughput, is around 1.25 Gbps.

So what kind of routing does it support? It supports two kinds of routing: one is dynamic routing and one is static routing. In dynamic routing, basically, if your VPN device is supporting the BGP protocol, in that case you can go with dynamic routing, that is the Border Gateway Protocol, okay? In case your VPN device or your VPN endpoint doesn't support dynamic routing, then you can use static routing. In static routing what you have to do is provide the CIDR ranges, you know, the subnets, that need to be accessible through your VPN endpoint. So basically you have an on-premise data center and your application might exist in some subnet, right? But you want to access the MS SQL database or some services, some back-end services; they might be existing on some subnet, so you have to configure that subnet in the Anypoint VPN. So you are saying, I am allowing this particular subnet for CloudHub to connect to the on-premise data center. So that is how the IPSec VPN works.

Let me show you how it looks. So I have created my VPC, which is 10.0.1.0/24. I have an on-premise data center which has the CIDR block 192.168.0.0/22, where our database and some back-end services are, and I deployed some of the applications in my CloudHub within the VPC, and I want to access these databases and services. So for that what I will do is set up a VPN between CloudHub and the on-premise data center. So the VPN will have its remote IP address; the VPN device will have a remote IP address, and it is also known as, basically, the VPN endpoint, okay? So this is how we can set up an IPSec tunneling VPN between the cloud and the on-premise data center; that is the secure connection between your CloudHub and the on-premise data center.

So basically I will explain once again. I have CloudHub; within CloudHub I have set up the VPC which has the CIDR mask 10.0.1.0/24. I have deployed multiple MuleSoft applications, and these particular MuleSoft applications have to access the databases and the services that exist in the on-premise data center, which has a subnet of 192.168.0.0/22. So this database and these services exist within this particular CIDR block or subnet. Apart from that, I have the VPN endpoint, which is 197.87.68.90, and what happens is, when we configure the VPN we have to give this particular VPN remote IP address; I will show you in the demo how we can configure that. So once you configure the Anypoint VPN, it will also give you the CloudHub external gateway IP addresses that we need to configure on the VPN device.

Let's start with how we can set up the Anypoint VPN IPSec tunnel. For setting up the VPN, what you have to do is make sure your VPC is already set up, so without a VPC you cannot set up the VPN. In the first step you need to set up the VPC; in my last video I have already shown how you can set up the VPC, okay? So for setting up the VPN you need to navigate to Runtime Manager and then VPN, so you go to Runtime Manager and you will see VPNs. Once you see the VPN, you can say create a VPN. Once you click on create VPN, you have to provide the name of the VPN, and you have to select the VPC from the dropdown for which we need to create a VPN. So basically you need to select the VPC from the dropdown, okay? You select the VPC, so when you're saying I want to create, basically this is my VPC, this is the subnet, the particular CIDR block allowed in that particular VPC, so we are selecting that particular VPC.

Then the remote IP address: you need to enter the remote IP address; this particular remote IP address is of your VPN endpoint or VPN device, that is 197..., this is just an example. There are two types of routing which I have already described, dynamic and static routing. In case of dynamic routing, basically you need to make sure your VPN device supports the BGP protocol, that is the Border Gateway Protocol. In dynamic routing we have to enter a remote ASN; that can be between 64512 and 65534, and the default is 65001. You can use any existing ASN in your network, or a private ASN that is not assigned to your network basically. So basically this remote ASN is for your on-premise data center, okay? So you put either some existing ASN which is already available, or you can select anything from this particular range 64512 to 65534 which should not be assigned to your network basically. Then secondly you have to also enter a local ASN; that is the MuleSoft ASN, for the MuleSoft VPN, you have to enter; the default is 64512. Use a private ASN, and that should not be assigned to your network, so basically don't use the ASN which is already assigned to your network.

In case of static routing: so either you can go with dynamic routing or static. In case of static routing, I mentioned, if you want it accessible through the VPN, select static routing and enter the CIDR ranges that need to be accessible through the VPN. So in this case I want to access this particular CIDR range 192.168.0.0/22, so I will configure that CIDR range in my Anypoint VPN, okay? There can be multiple CIDR ranges; basically you can add up to 95 CIDR ranges. As I mentioned, you can add more CIDR ranges using add new rules; in static routing up to 95 subnets can be added.

Let me go with the diagram now. So basically I mentioned you select the name, you can give any name to your VPN; select the VPC for which you are creating the VPN; and the remote IP address, this is the remote IP address belonging to your VPN endpoint, your on-premise VPN device, so that should be publicly available. Then routing: you can select static or BGP. If you are selecting static you have to provide the CIDR range, so in our case the CIDR range will be this 192.168.0.0/22 where your end system exists, so you provide the CIDR range. If you want to add more CIDR ranges, there can be multiple CIDR ranges for your data center, you can add all those things; up to 95 CIDR ranges are allowed within one VPN. Then the local ASN; as its default I have used 64512, okay? And for adding a new CIDR you just click on this add new rules.

Now for BGP, as I mentioned, the same thing: name, VPC, remote IP, routing type BGP, and you provide the remote ASN, that is by default 65001, and the local ASN, that is the MuleSoft ASN, that is 64512. ASN means autonomous system number basically, okay? So generally it depends: if your VPN device supports the BGP protocol then in that case you can go with BGP, otherwise you go with static.

Then apart from that, the next step, you have to select the tunnel configuration: either you can select automatic or you can select custom. So basically when we create a VPN it creates two tunnels, tunnel 1 and tunnel 2, basically, okay? So I will show you what this means. In case of automatic you don't require any configuration, okay? It will automatically create the tunnels for you for your Anypoint VPN, which can be visible after the creation of the VPN. So you select automatic and just click on create VPN; it will create the tunnels for you, tunnel 1 and tunnel 2.

In case of custom, which is a bit complex, you need to provide the PSK, that is the pre-shared key, which is used for authentication between the on-premise and the CloudHub VPN connection. It can be from 8 to 64 characters, it should not start with 0, and you have to provide the point-to-point CIDR. So basically you can specify a size /30 CIDR block from the 169.254.0.0/16 range, and the CIDR block must be unique across all the VPN connections. Also, CIDR blocks not supported: these are the few CIDR blocks you cannot use for this point-to-point CIDR, so make sure, like, 169.254.0.0/30 cannot be used, and the other ones listed there cannot be used. You can use 169.254.6.0/30 for tunnel 2 and 169.254.67.0/30 for tunnel 1, like that, you know. And then you can provide the PSK for tunnel 1 and tunnel 2; either you can get it from your network administrator or you can use anything and then share it with your network administrator so they can configure it on their device.

So once you set up the VPN, there are various statuses; the status keeps changing. The first status will be pending, and tunnel 1 and tunnel 2 will be down, so both will be down. In that case what is happening is the VPN is being created, so the VPN is just created, okay, and there are some actions pending in the background. You might see this status for 10 to 15 minutes after creating the VPN. So basically what will happen is your tunnels will be down, down, and the status will be pending; it is creating the VPN and performing some actions in the backend. Once it gets the VPN successfully, everything is done, so the status will become available and down, down. Basically the VPN has been successfully created, but you need to do some configuration on your VPN device, okay? Then the other status is up, up, or up/down. Up, up means your tunnel 1 and tunnel 2 are active and working in active-active mode; basically the VPN device is supporting active-active mode, that type of configuration. If your tunnel 1 is up and tunnel 2 is down, or tunnel 2 is up and tunnel 1 is down, in that case your VPN device is working in active-passive mode, okay? So to achieve this we have to do some configuration on the VPN device, okay? In case of failed, down, down, it means your VPN has not been created properly; there is some issue with your VPN; you need to delete the VPN and retry it, okay? So sometimes you will see both tunnel 1 and tunnel 2 are up; in that case that particular VPN device is working in active-active mode. In case one tunnel is up and the other is down, so one is active, working in active mode, and the other is the backup; in case tunnel 1 goes down, tunnel 2 will come up, and it will make sure the communication between CloudHub and the endpoint doesn't break. And in case of up, up it's fine; if one tunnel goes down the other is already available, okay?

So what you have to do: once the VPN is created you can download the VPN config. So basically once the VPN has been successfully created you will see this option called Get VPN config; just click on Get VPN config and you can select your device vendor. So basically you have some VPN device, it might be Cisco, Palo Alto, whatever; so you select it, and if there is no device mentioned in this particular device vendor list you can use Generic. Then select the device platform and the device software; these are the configuration, and just download the config and share it with your network administrator so they can perform the configuration on the VPN device and make sure the connection is stabilized between CloudHub and the data center.

The other concept, let me correct it, this is the other concept: sometimes what happens is you don't have an on-premise data center; you have all your applications within the private subnet of your AWS cloud. In that case you can use IPSec tunneling, but in that case, when you want to peer between two subnets, two private subnets, you can use VPC peering. Let's go: you have CloudHub, you have a VPC in CloudHub, and you have a private subnet VPC in AWS, so all your back-end services are running on the AWS private subnet. In that case you can make use of VPC peering. So VPC peering basically connects two VPCs; in this case it peers your private Amazon VPC directly to your Anypoint VPC. This enables you to route traffic between the two VPCs so they can communicate as if they are in the same network. So this is how VPC peering works.

So let me do one thing here; this is VPC peering. So basically you have the CloudHub environment in us-east-1, and this is my VPC 10.0.1.0, and my AWS private VPC, or private subnet, which is 192.168.0.0/22, which is also in us-east-1. So you can set up VPC peering between your CloudHub and the AWS private VPC basically. So this is how you can set up VPC peering, and when you need to set up VPC peering: when you want to do the peering between your CloudHub VPC and the AWS private subnet or private VPC, in that case you can use VPC peering. So there are certain points you need to consider: basically when you want to do VPC peering, you need to make sure your CloudHub VPC and the AWS private VPC are in the same region, okay? So basically if you see on the Anypoint Platform you don't have an option to create VPC peering; for that you have to raise a ticket with the MuleSoft support team and you have to fill one discovery template. So basically I provided the link here, so you can go to this particular link and fill that particular discovery template, and MuleSoft will create the VPC peering for you. So we need to provide some basic details like what is the subnet of the AWS VPC, what is the subnet of your CloudHub VPC, who is the contact person, such kind of information. Even, you know, you can raise a ticket with MuleSoft support to set up your VPN IPSec tunneling also, but you can also do it yourself; that's why VPN IPSec tunneling is sometimes also known as self-service, okay? For VPC peering you need to contact MuleSoft support to create the VPC peering, okay? Thanks, I hope you liked the video. Thanks for watching it.