Anypoint VPC DLB and VPN - Part VII | MuleSoft | VPN Architecture | IPSec Tunneling and VPC Peering

00:06

hello friends my name is Jeetendra

00:09

Bhavna I am a senior music architect in

00:12

today's video we are going to see what

00:14

is a mule soft virtual private network

00:17

that is any point VPN in last video we

00:20

have seen like how we can set up the VPC

00:22

how we can set up the dedicated load

00:24

balancer what is the difference between

00:25

shared load balancer and the dedicated

00:27

load balancer so I will suggest before

00:30

watching this video please go through

00:32

those to do so it will give the idea on

00:35

like what is the vbc what is dedicated

00:37

load balancer and it will make no easy

00:40

for you to understand the moonship

00:42

Virtual Private Network okay so we'll

00:46

start it with what is the muse of pipian

00:48

or any point VPN so VPN is basically

00:51

stand for virtual private network and

00:53

any point VPN a create a secure

00:55

connection between a cloud up and your

00:57

on-premise data center what does this

00:59

means basically let consider you have

01:02

deployed your application on the cloud

01:04

up and now you want to access a micro

01:07

subsequent database or any any database

01:09

which is exist on on-premise data data

01:12

center or maybe any services or any

01:15

system which exists on the on-premises

01:18

data center okay so how you can access

01:21

that so for that you need to create a

01:23

VPN between your cloud up and your

01:26

on-premise data center so what are the

01:29

various capability of any point VPN so

01:32

any point VPN support a side to side

01:34

Internet Protocol security connections

01:37

so that is the IPSec tunneling each any

01:41

point consists of two tunnels that

01:43

enables you to connect to a single IP

01:46

address at the remote location and to

01:48

connect the additional remote location

01:50

here at another VPN so what does this

01:52

mean so basically you have one VPN

01:56

device on your on-premise data center so

01:58

each VPN device have a a remote IP

02:01

address right so what we are doing from

02:04

cloud of we are connecting to that

02:06

remote IP address or to that remote or

02:08

to that VPN endpoint so in other guess

02:12

like you know in some cases

02:13

you may have to do you know connect to

02:15

the multiple VPN devices so cause some

02:17

data center may have a multiple VPN

02:19

devices so in that case you create a

02:22

multiple VPN to connect them multiple

02:24

VPN devices okay

02:27

so what is like you know the physical or

02:29

software implants is called as a VPN

02:31

endpoint which I mentioned that is the

02:32

VPN device is a terminator on your side

02:35

of the connection the mule side mule

02:38

sub-site of a connection is

02:40

implementation of a virtual private

02:41

gateway so basically mules of all vgw is

02:48

associated with a single V PC okay so

02:50

one VPN is associated with a single V PC

02:53

but can support up to 10 VPN connections

02:57

ok so you can like one V PC can be

03:00

associated with no I like are 10 VPNs

03:04

basically and they split provided by a

03:07

muse of VPN is are around like know the

03:09

maximum throughput is around one point

03:11

25 Gbps so what is like what kind of you

03:18

know it supports two kind of routing one

03:21

is dynamic routing and one is static

03:23

routing

03:24

so in dynamic routing basically you know

03:26

if your VPN device is supporting a BCP

03:29

protocol in that case you can go with a

03:31

dynamic routing that is the border

03:32

gateway protocol okay in case if your

03:35

VPN device or if your VPN endpoint it

03:39

doesn't support a dynamic routing then

03:41

you can use the static routing in static

03:42

routing what you have to do you have to

03:44

provide the CIDR mass you know subnets

03:46

that needs to be accessible through your

03:49

endpoint VPN so basically you have a one

03:53

premise data center and your application

03:55

might be exist in some subnet right

03:57

right but you're like you want to egg

04:00

you know X is the MS sequel database or

04:02

some services you know some back-end

04:03

services they might be existing on some

04:05

subnet so you have to configure do

04:08

subnet in the any point of VPN so you

04:12

are saying like I am along allowing this

04:14

particular subnet for cloud up to

04:18

connect on premise data center so that

04:22

is how the IPSec VPN I personally look

04:25

so I have created

04:27

my VPC which is ten dot zero dot one dot

04:29

zero 24 I have on pretty much the data

04:32

center which ever like CIDR block or up

04:35

one ninety two dot one sixty eight dot

04:36

zero dot zero dot slash twenty two which

04:39

our database and some back in services

04:40

and I deployed some of the application

04:42

in my cloud of within the V PC and I

04:44

want to access these databases and

04:46

service so for that what I will do I

04:48

will set up a VPN between a cloud of and

04:51

the on-premise data center so VPN will

04:53

have its remote IP address so VPN device

04:55

will have a remote ID IP address or it

04:57

is also known known as you know it is

05:01

also known as basically like the VP an

05:07

endpoint basically okay so this is how

05:11

we can set up a IPSec tunneling VPN

05:13

between cloud and on-premise data center

05:15

so that is the secure connection between

05:17

your cloud up and the on-premise data

05:19

center so basically I will explain once

05:21

again so I have a cloud up within the

05:23

cloud of I have set up the V PC which

05:25

like which I was CID or mask up ten dot

05:28

zero dot one dot 0/24

05:30

I have deployed multiple annual shopped

05:32

application and this particular muse of

05:34

application has to access the databases

05:36

and the services exist on the on-premise

05:38

data center which have a subnet of one

05:41

ninety two dot one sixty eight dot zero

05:42

dot zero dot slash twenty two so this

05:44

database and services exist within this

05:46

particular sealed er block or subnet so

05:49

apart from that like I have VPN endpoint

05:52

which is 197 dot eighty cent or sixty

05:54

eight dot ninety and what happens so

05:56

when we configure the V pin we have to

05:58

keep this particular VPN remote IP

06:00

address I will show you in demo or how

06:04

we can configure that so once you clear

06:06

configure or any point VPN and it will

06:08

also give you know the crowd of external

06:10

gateway IP addresses that we need to

06:12

configure on the VPN device let's start

06:17

like how we can set up any point VPN

06:19

IPSec tunnel for setting of VPN so what

06:22

you have to do you you have to make sure

06:24

like your V PC is already set up

06:26

so without BBC you cannot set up the

06:28

view in first step you need to set up

06:29

the V PC in my last video I've already

06:31

shown how you can set up of the PC okay

06:34

so for setting of VPN you need to give

06:36

it navigate to run time in is a VPN so

06:39

you can see you go

06:40

you know run time manager and like you

06:43

will see the VP ins so now once you see

06:45

the VPN so you can say you know create a

06:47

VPN once you click on create VPN you

06:50

have to provide the name of VPN you have

06:52

to select the VPC from the drop-down for

06:54

which we need to create a VPN so

06:55

basically you need to give it the you

06:56

know you need to select the VPC from the

06:58

dropdown basically okay

07:00

you select the VPC so when you're saying

07:02

like I want to create basically this is

07:05

my V PC so this is the subnet of no

07:07

particular acedia block allowed in that

07:10

particular V PC No

07:11

so we are selecting that particular V PC

07:12

then remote IP address so you need to

07:14

enter the remote IP address this

07:16

particular remote IP address of your

07:17

remote of your VPN endpoint or VPN

07:20

device that is 197 this can be you know

07:23

this is just an example there are two

07:25

topic writing routing which I've already

07:27

described dynamic and static routing in

07:30

case of dynamic routing so basically you

07:32

need to make sure your VPN device

07:34

support the BCP protocol that is a

07:35

border gateway protocol in that dynamic

07:38

routing we have to enter a remote ASN so

07:41

that can be between 6 4 5 1 2 6 5 5 3 4

07:44

and default age 6 5 0 0 1 you can use

07:47

any existing ASN in your network ok or

07:51

privatization that is not assigned to

07:53

your network basically so basically this

07:56

remote ASM is for your on-premise data

07:58

center ok so you put like either you can

08:01

use some existing ASN which is already

08:03

called available or you can select

08:05

anyone any anything from this

08:07

particularly in 6 4 5 1 2 6 5 5 3 4 and

08:10

which should not be assigned to your

08:13

network basically then secondly you have

08:16

to also enter a local lesson that is the

08:18

mule rob TSN for the mule public for the

08:21

VPN no mules or VPN you have to enter so

08:23

default is 6 4 5 1 2 and use the private

08:26

ASN and that should not be assigned to

08:28

your network so basically don't use the

08:30

ASN which is already assigned to your

08:32

network and this is basically from

08:34

Europe in case of static routing so you

08:37

either you can go with dynamic routing

08:39

or static in case of static routing I

08:41

mentioned like you know if you want to

08:43

accessible VPN like you know select the

08:45

static routing and enter the CIDR ends

08:48

that need to be accessible to the VPN so

08:50

in that in this case so I want to access

08:52

this particular seed

08:54

see idea rains one 92.6 to do sled 0:22

08:57

so i will configure that shield see

08:58

ideally in my any point VPN ok there can

09:02

be multiple CID arranged so basically up

09:04

to 90 up you can add up to 95 CID

09:06

arranged so as you mentioned you can add

09:09

more CI de RINs using add noodles in

09:11

static route up to 95 subnets can be

09:14

added let me go with diagram it no so

09:17

basically I mentioned like you select

09:18

the name you can give any name up to

09:21

your VPN select the V PC for which you

09:23

are creating 3 pins and remote IP

09:24

address this is the remote IP address

09:26

belong to your VPN endpoint you are on

09:28

to my sweep in device so that will that

09:30

should be a public key publicly

09:32

available then routing you can select

09:34

static or BGP if you are selecting

09:36

static you know so you have to provide

09:38

the CIDR in so like in in our case the

09:41

CID range will be this 192 or sixty dot

09:43

0 dot slash 22 where your end system

09:46

exists so you provide silly ring if you

09:48

want to add more CID arrange so there

09:50

can be multiple CID arranged for your

09:52

mesh data center so you can add all

09:54

those things up to 95 cid range is

09:56

allowed within one VPN then the local is

10:00

in its default I have used 6 4 5 1 2

10:02

okay and for adding new CI deter you

10:05

just click on this add new rules no

10:08

force a BCP as I mentioned same thing

10:10

like name V PC you know remote IP

10:12

routing type b zp and you provide the

10:15

remote ESN that is by default 6 5 0 0 1

10:18

and localizing that is the mule Rob TSN

10:20

that is 6 4 5 1 2 4 es n means like you

10:23

know autonomous system number basically

10:26

ok so generally mostly like it depend

10:29

like you know like if your deviant

10:32

device support a busy bee protocol then

10:34

in that case you can go with busy P

10:35

otherwise you with static then apart

10:38

from that the next step you have to

10:39

select the tunnel configuration either

10:41

you can select the automatic or either

10:43

you can select the custom so basically

10:45

when we create a VPN

10:46

88 to tunnel tunnel 1 and the tunnel to

10:48

basically okay so I will show you what

10:50

does this mean so in case of automatic

10:53

you you don't require any configuration

10:54

ok it will automatically create the

10:57

tunnels for you for your any point

10:58

European which can be visible after the

11:00

creation of the vehicle user select

11:02

automatic and just click on this create

11:04

libyan

11:04

it will create the tunnel for you tunnel

11:07

one in 1004

11:08

you in case of custom right which which

11:12

is bit complex so you need to provide

11:14

PSK that is pre shared key Betty which

11:17

is used for authentication between you

11:19

know on premise in the cloud of VPN

11:21

connection so it can be from 8 to 64

11:24

character it should not start with 0 and

11:26

you have to provide point-to-point CA

11:28

idea so basically you can specify a size

11:31

of Celestra TC idea block from you know

11:34

I 169 dot 254 dot 0 dot 0 / 16 greens

11:38

and see idea block must be nice unique

11:41

across all the VPN connection

11:42

Celia see idea block not supported these

11:45

are the few CIDR block you cannot use

11:49

for this point-to-point see idea so make

11:51

sure like - 50.0 slash 30 cannot be used

11:53

1 2 3 4 5 6 this cannot be used you can

11:56

use 1 69.2 54.6 dot 0 / 34 tunnel to 160

12:01

9.2 54.6 7.0 is less 34 tunnel one like

12:05

that you know and that you can provide

12:10

the P of PSK tunnel 0 and the tunnel 1

12:13

either you can get it from your network

12:15

administrator and either you can use

12:17

anything then you can share with your

12:18

network and mistresses - they can

12:20

configure on you know on their device so

12:24

once you set up the VPN so there are

12:26

various status you know the status keep

12:28

changing the 5 status will be pending at

12:30

the tunnel 1 internal 2 will be down so

12:32

both will be down so in that case what

12:34

is happening the it VPN is creating so

12:36

VPN is just created ok and there are

12:39

some actions pending on the background

12:40

you might see this status for 10 to 15

12:42

minute after creating VPN so basically

12:45

what will happen so your tunnel will be

12:48

down down and you know like and the

12:50

status will be the pending so you it

12:52

creating the VPN and performing some

12:54

excess on the bacon so once it get at

12:56

the VPN successfully you know everything

12:58

is done so status will become available

13:00

and down down to basically a VPN has

13:03

successfully created but you need to do

13:07

some configuration on your VPN device ok

13:10

so for that then other status is up up

13:13

or up / down up up means like you know

13:16

your tunnel 1 and the tunnel 2 is active

13:19

in working in active active mode so

13:20

basically the VPN D

13:22

supporting active active mode no type of

13:25

configuration if your tunnel one is up

13:28

and tunnel two is down or tunnel two is

13:30

up and tunnel one is down in that case

13:32

your VPN device is working in active

13:34

passive mode okay so to achieve this we

13:37

have to do some configuration on the VPN

13:39

device okay

13:40

in case of failed down down it means

13:43

your VPN has not been created properly

13:45

there is some issue with your VPN you

13:47

need to create you know you need to

13:49

delete the weekend injury try it okay so

13:53

some time you will see would turn on one

13:54

tunnel to is up in that case that

13:56

particular VPN device is working in

13:58

activity mode in case one tunnel is up

14:00

and other is down so one is you know

14:02

active working inactive board and

14:03

another is the know it's back up service

14:06

in case of a tunnel one goes down so

14:09

tunnel two will be come up you know and

14:10

it will make sure like you know your

14:12

there is a communication between cloud

14:14

up and any point doesn't break up and in

14:17

case of up up it's fine like if one

14:18

tunnel goes down the other is already

14:20

available okay so what you have to do so

14:23

once the VPN is created you can download

14:25

a VPN config so basically once you

14:27

create a you know once you come VPN has

14:30

been successfully graded this option

14:31

called get VPN config you will see just

14:33

click on get weave in concrete you can

14:35

device you can select your device vendor

14:37

so basically you have a some VPN device

14:38

it might be Cisco Palo Alto whatever so

14:41

you APN select if there is no device

14:43

mention you know in this particular

14:45

device vendor you can see use 10 Eric

14:46

one then select the device platform and

14:49

device software these are the country

14:50

and just download the config you know

14:53

and just share with your network

14:55

administration and miss later so you can

14:57

perform the configuration on we print

14:59

email and make sure the connection is

15:00

stabilized between a cloud and any point

15:02

cloud up in the datacenter

15:05

the other concept let me correct it this

15:13

is the other concept like you know

15:15

sometimes what happens like you don't

15:17

have a want too much data center like

15:19

you have your all the application within

15:21

the private subnet or a of your AWS

15:24

cloud in that case you know you like you

15:28

can use IPSec tunneling but you know in

15:29

that case like when you want to do the

15:31

peer between two subnet to private

15:33

subnet you can use the V PC peering let

15:35

go

15:35

you have cloud up you have a VP in the

15:39

cloud up and like you have a private

15:40

subnet VPC in the AWS so you are you are

15:44

all the application back-end services

15:45

running on the AWS private subnet in

15:48

that case you can make use of the PC

15:49

peering so rebus availing basically

15:51

connect to VP sees in case it pierce

15:54

your private Amazon will be seen

15:55

directly to your any point be busy did

15:57

this enables you to router traffic

15:59

between two pieces so they can

16:01

communicate escrow they are in the same

16:03

network so this is how of the piece

16:06

appearing works so let me do one thing

16:08

here it's a wee piece appearing so

16:12

basically you have like you know the

16:14

cloud up environment in u.s. east one

16:16

and this is my V PC ten dot zero dot one

16:18

dot zero and like my AWS private V PC

16:21

our private subnet which is 192 or 62

16:23

toward zero slash 22 which is also in

16:25

u.s. one so you can set up the V PC

16:26

peering between your cloud up and the

16:29

EWS privately PC basically so so

16:33

basically so this is how you can set up

16:36

the PC and when you need to set up the

16:37

PC when you want to do the pierre-pierre

16:40

between your cloud up V PC and the EWS

16:43

private subnet or private V PC in that

16:46

risk you can use the sweep is appearing

16:48

so there are certain points you need to

16:49

consider so basically when you are

16:51

creating a V PC it must be when you want

16:54

to do the V PC bearing you need to make

16:55

sure your cloud of the PC and the AWS

16:58

privately PC are in the same reason okay

17:01

so basically if you see on the any point

17:03

platform you don't have an option to get

17:05

rid of you piss appearing for that you

17:07

have to reduce the ticket with the mules

17:08

of support team and you have to field

17:10

one discovery template so basically I

17:12

provided link here so you can go to here

17:14

you know in this particular link so you

17:19

can fill that particular this discovery

17:21

template so and we will rock will create

17:23

a V PC for you

17:24

so the it pro it we need to provide some

17:26

basic detail like what is the subnet of

17:28

the AWS V PC what is the subnet of your

17:31

cloud of who are the contact person such

17:33

kind of information even like you know

17:35

you can ask you can read a ticket with

17:37

mules of support to setup your VPN IPSec

17:40

tunneling also but you can also do you

17:43

know yourself also so that's why VP and

17:45

IP SEC Tournament sometimes also known

17:47

as the self-service okay for view PC

17:49

pleasing you

17:49

to connect contact universe of

17:52

supportive to creatively piss appearing

17:54

okay thanks I hope you liked the video

17:56

thanks for watching it