This feature is currently available in Alpha version

Private/Exclusive instance required

Our Site-to-site VPN lets you securely connect multiple LANs (local-area networks, each spanning a relatively small area) in different locations using a Cloud VPN tunnel (a Google Cloud managed service, see documentation). Firstly, the feature protects logins to the Exponea Application, preventing unauthorized access to private instances. Compared with a remote-access VPN, the site-to-site VPN eliminates the need for each device in a network to run its own VPN client software, is easier to scale, and has much lower network latency. Secondly, the VPN tunnel can be used as an additional security layer for data imports and API calls from campaigns.

Site-to-site VPN works in the following way:
The Cloud VPN connects the relevant LAN networks to the GCP Virtual Private Cloud (VPC) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway and then decrypted by another VPN gateway. This protects the data as it travels over the internet.

IPsec (Internet Protocol Security) is a protocol suite that encrypts the entire IP traffic before the packets are transferred from the source to the destination. It is also responsible for authenticating the identities of the two nodes before any communication takes place between them.

Site-to-site VPN from Exponea

Securely connect local-area networks (LANs) to create a secured tunnel between Exponea, the client's on-premise data warehouse, and Exponea users' workstations.

There are three possible VPN connections, which are covered throughout this article:

  • When logging into Exponea's private instance, a client may use a VPN-enabled workstation to log in
  • Exponea may import and export from data sources on the client's internal network through a secured VPN
  • While working, Exponea VPN may call API endpoints on the client's internal network

Exponea login

The feature protects logins to the Exponea Application by preventing unauthorized access. The site-to-site VPN eliminates the need for each device in a network to run its own VPN client software, is much easier to scale, and has much lower network latency.

There are three possible set-ups for securing Exponea login:



Public access

Application is accessible on a public domain from the public internet. Users can access the Exponea application from any public network. This set-up is used on all Exponea shared instances.

Public access with IP whitelist

Application is accessible on a public domain from a limited set of IP addresses. These IP addresses are whitelisted using Cloud Armor. Users can access from a whitelisted office network. Optionally, Exponea consultants can have this access when connected to Exponea VPN.

Intranet VPN access

Application is accessible on the intranet domain (computer network for sharing information) only from the intranet network. Users can access the Exponea application only by using VPN enabled workstations on an internal network. This configuration does not support access for Exponea consultants. A client must provide a Custom SSL certificate for the application intranet domain.

Practical integrations and limitations

Site-to-site VPN allows Exponea to import and export from/to client internal file storage/databases and invoke HTTPS endpoints on the client's internal network.


Please note that with VPN enabled, our customer support team will not be able to access your application. If you need support, agents will work from screenshots provided by you. We'll do our best to help by guiding you and suggesting possible root causes of the issues you might have.
If the problem persists, we can try to arrange a session where you can share your screen. However, scheduling a session may take longer, depending on the capacity of our Customer support, and this option should be used when we believe it would help to solve the problem faster.

Scenarios can send requests to external API endpoints and to internal endpoints when VPN is configured

Requirements for webhooks to an internal API endpoint

  • enable Static IPs
  • must use a secured HTTPS endpoint
  • SSL (Secure Sockets Layer) certificate must be issued by one of the publicly trusted certificate authorities
  • domain name is resolved from either: a public DNS (Domain Name System) or a static domain-IP mapping (/etc/hosts file provided during VPN setup)
  • Optionally, configure internal firewall to allow requests from a list of Static IPs
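
A pre-flight check for the requirements listed above, as an added example (not Exponea's own code). The host names, IP addresses and function names are constructed for illustration, and the system trust store is assumed to stand in for "publicly trusted certificate authorities".

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample of the static domain-IP mapping (/etc/hosts format).
SAMPLE_HOSTS = """\
# intranet endpoints reachable through the VPN tunnel
10.20.0.15   api.intranet.example   esb.intranet.example
10.20.0.16   dwh.intranet.example   # data warehouse
"""

def parse_hosts(text):
    """Return {hostname: ip} from /etc/hosts-style text, ignoring comments."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip = str(ipaddress.ip_address(fields[0]))  # raises on a malformed address
        for name in fields[1:]:
            mapping[name.lower()] = ip
    return mapping

def preflight(url, hosts_text):
    """Check a webhook URL against the requirements; return (findings, mapped_ip)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("endpoint must use HTTPS")
    if not host:
        findings.append("URL has no host name")
    ip = parse_hosts(hosts_text).get(host)
    if host and ip is None:
        findings.append("no static mapping for host; it must resolve in public DNS")
    return findings, ip

def verify_certificate(host, ip, port=443, timeout=5):
    """TLS handshake to the mapped IP, validating chain and host name (needs network)."""
    ctx = ssl.create_default_context()  # assumption: system trust store = public CAs
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

`verify_certificate` raises `ssl.SSLCertVerificationError` when the endpoint presents a self-signed or internal-CA certificate, which is the case the certificate requirement rules out.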


This part outlines the limitations of VPN when integrating for Webhooks

Imports through VPN




Imports from SFTP

With an Exponea VPN, users can import files from SFTP on a public domain.

SFTP imports do not support Static IPs and cannot connect to the intranet SFTP server.

Imports from PostgreSQL and MySQL

PostgreSQL and MySQL imports can use Static IPs and can connect to intranet servers.

Imports from MS SQL

Imports from this Microsoft storage will be secured by Exponea VPN

MS SQL imports do not support Static IPs and cannot connect to the intranet MS SQL server.

Tracking and Data API

Exponea APIs (public tracking API, private Customers API, private Catalogs API) are available on a public domain from the internet.


  • IP whitelist for private Customers API
  • VPN intranet with sole access to private Customers API


Exponea is using Google Cloud VPN (IPsec compatible) which can be configured as Classic VPN or HA VPN (with a 99.99% service availability).

Google Cloud VPN can connect to multiple gateways and this way connect multiple networks on client-side (offices network, data warehouse network, ESB network).

Exponea ingress (data entering Exponea)

There is a separate internal load balancer used when Intranet VPN Exponea login is enabled. This load balancer requires a custom certificate and internal domain name to be provided by the client.

Exponea egress (data leaving Exponea)

All requests from the Exponea platform (imports, exports, webhooks, monitoring ping) originate from a proxy with Static IP addresses. We recommend creating allow rules on the client's firewalls.


Cloud VPN with multiple gateways cannot be set up when IP ranges on client networks collide with each other
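
The colliding-ranges limitation can be checked before requesting a multi-gateway setup. The following is an added example, not part of the Exponea documentation; the network names follow the ones mentioned above and the CIDR ranges are constructed.

```python
import ipaddress
from itertools import combinations

# Constructed sample: the client-side networks named on this page,
# with made-up CIDR ranges.
CLIENT_NETWORKS = {
    "offices": ["10.0.0.0/16", "172.16.4.0/22"],
    "data-warehouse": ["10.0.128.0/20"],
    "esb": ["192.168.10.0/24"],
}

def find_collisions(networks):
    """Return sorted (site_a, cidr_a, site_b, cidr_b) tuples for overlapping ranges."""
    ranges = []
    for site, cidrs in networks.items():
        for cidr in cidrs:
            # strict=True rejects ranges with host bits set, e.g. 10.0.0.1/16
            ranges.append((site, ipaddress.ip_network(cidr, strict=True)))
    collisions = []
    for (site_a, net_a), (site_b, net_b) in combinations(ranges, 2):
        if site_a == site_b:
            continue  # only ranges on different client networks are compared
        # IPv4 and IPv6 ranges never collide; compare like with like
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            collisions.append((site_a, str(net_a), site_b, str(net_b)))
    return sorted(collisions)

if __name__ == "__main__":
    for site_a, cidr_a, site_b, cidr_b in find_collisions(CLIENT_NETWORKS):
        print(f"{site_a} {cidr_a} collides with {site_b} {cidr_b}")
```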


Exponea can be configured to monitor VPN tunnel uptime. An ICMP probe regularly checks network availability to the client's network if the client provides a server that responds to ping requests. Monitoring probe requests originate from internal Static IP addresses.


VPN setup is available for Private instance and Exclusive instance. We support setting up 1 Cloud VPN for each Exponea instance.

Updated 7 months ago

