Private/Exclusive instance required
Our Site-to-site VPN lets you safely connect multiple LAN networks (local-area networks, each spanning a relatively small area) in different locations using a Cloud VPN tunnel (a Google Cloud managed service, see documentation). Firstly, the feature protects logins to the Exponea Application, preventing unauthorized access to private instances. Compared with a remote-access VPN, the site-to-site VPN eliminates the need for each device in a network to run its own VPN client software, is easier to scale, and has much lower network latency. Secondly, the VPN tunnel can be used as an additional security layer for data imports and API calls from campaigns.
Site-to-site VPN works in the following way:
The Cloud VPN connects the relevant LAN networks to the GCP Virtual Private Cloud (VPC) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway and then decrypted by another VPN gateway. This protects the data as it travels over the internet.
IPsec (Internet Protocol Security) is a protocol suite that encrypts the entire IP traffic before the packets are transferred from the source to the destination. It is also responsible for authenticating the identities of the two nodes before the actual communication between them takes place.
The goal is to securely connect local-area networks (LANs) so that a secured tunnel exists between Exponea, the client's on-premise data warehouse, and Exponea users' workstations.
There are three possible VPN connections, which are analysed throughout this article:
- When logging into Exponea's private instance, a client may use a VPN-enabled workstation to log in
- Exponea may import and export from data sources on client's internal network through a secured VPN
- While working, Exponea VPN may call API endpoints on client's internal network
The feature protects logins to the Exponea Application by preventing unauthorized access. The site-to-site VPN eliminates the need for each device in a network to run its own VPN client software, is much easier to scale, and has much lower network latency.
There are three possible set-ups for securing Exponea login:
Application is accessible on a public domain from the public internet. Users can access the Exponea application from any public network. This set-up is used on all Exponea shared instances.
Public access with IP whitelist
Application is accessible on a public domain from a limited set of IP addresses. These IP addresses are whitelisted using Cloud Armor. Users can access from a whitelisted office network. Optionally, Exponea consultants can have this access when connected to Exponea VPN.
Intranet VPN access
Application is accessible on the intranet domain (computer network for sharing information) only from the intranet network. Users can access the Exponea application only by using VPN-enabled workstations on an internal network. This configuration does not support access for Exponea consultants. A client must provide a custom SSL certificate for the application intranet domain.
Site-to-site VPN allows Exponea to import and export from/to client internal file storage/databases and invoke HTTPS endpoints on the client's internal network.
Please note that with VPN enabled, our customer support team will not be able to access your application. If you need support, agents will work from screenshots provided by you. We'll do our best to help by guiding you and suggesting possible root causes of the issues you might have.
If the problem persists, we can try to arrange a session where you share your screen. However, scheduling a session may take longer, depending on the capacity of our Customer support, and this option should be used only when we believe it would help to solve the problem faster.
Scenarios can send requests to external API endpoints and to internal endpoints when VPN is configured
- enable Static IPs
- must use a secured HTTPS endpoint
- SSL (Secure Sockets Layer) certificate must be issued by one of the publicly trusted certificate authorities
- domain name is resolved from either: a public DNS (Domain Name System) or a static domain-IP mapping (/etc/hosts file provided during VPN setup)
- Optionally, configure internal firewall to allow requests from a list of Static IPs
This part outlines the limitations of VPN when integrating for Webhooks
- IPv4 and IPv6 endpoints (network endpoints) without a domain name (e.g. https://184.108.40.206/api.php) are unsupported
- unencrypted HTTP endpoints (e.g. http://my.example.com/api.php)
- SSL certificates signed by custom certificate authorities
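The requirements and limitations above can be checked before a webhook is configured. The following Python pre-flight check is an added example, not Exponea's own code; the function names, the sample hosts mapping and the `esb.intranet.example` name are assumptions made for illustration.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample of a static domain-IP mapping in /etc/hosts format.
SAMPLE_HOSTS = """\
# intranet endpoints reachable through the tunnel
10.20.0.15  esb.intranet.example   # ESB
"""

def parse_hosts(text):
    """Return {hostname: ip} from /etc/hosts-style text, ignoring comments."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping

def resolves(host):
    """System resolver lookup, standing in for the public DNS check."""
    try:
        return bool(socket.getaddrinfo(host, 443))
    except socket.gaierror:
        return False

def check_webhook_url(url, static_hosts, dns_lookup=resolves):
    """List the documented requirements that `url` violates (empty = OK)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    problems = []
    if parts.scheme != "https":
        problems.append("endpoint must use HTTPS")
    try:
        ipaddress.ip_address(host)
        problems.append("IP address without a domain name")
    except ValueError:  # not an IP literal, so it must be a resolvable name
        if not host or (host not in static_hosts and not dns_lookup(host)):
            problems.append("name not in static mapping or DNS")
    return problems

def has_public_cert(host, ip, port=443):
    """True if `ip` presents a chain for `host` that the default trust store accepts."""
    ctx = ssl.create_default_context()  # system CA bundle, hostname check on
    try:
        with socket.create_connection((ip, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False
```

`has_public_cert` needs network access to the endpoint, and it only approximates "publicly trusted" if the machine running it has no private CAs added to its system trust store.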
Imports from SFTP
With an Exponea VPN, users can import files from SFTP on a public domain.
SFTP imports do not support Static IPs and cannot connect to the intranet SFTP server
Imports from PostgreSQL and MySQL
PostgreSQL and MySQL imports can use Static IPs and can connect to intranet servers.
Imports from MS SQL
Imports from this Microsoft storage will be secured by Exponea VPN
MS SQL imports do not support Static IPs and cannot connect to an intranet MS SQL server
Exponea APIs (public tracking API, private Customers API, private Catalogs API) are available on a public domain from the internet.
- IP whitelist for private Customers API
- VPN intranet with sole access to private Customers API
Exponea is using Google Cloud VPN (IPsec compatible) which can be configured as Classic VPN or HA VPN (with a 99.99% service availability).
Google Cloud VPN can connect to multiple gateways and this way connect multiple networks on client-side (offices network, data warehouse network, ESB network).
There is a separate internal load balancer used when Intranet VPN Exponea login is enabled. This load balancer requires a custom certificate and internal domain name to be provided by the client.
All requests from the Exponea platform (imports, exports, webhooks, monitoring ping) originate from a proxy with Static IP addresses. We recommend creating allow rules on the client's firewalls.
Cloud VPN with multiple gateways cannot be set up when IP ranges on client networks collide with each other
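Colliding ranges can be found before the VPN setup is requested. The sketch below is an added example, not part of Exponea's tooling; the site names and CIDR ranges are constructed sample data.

```python
import ipaddress
from itertools import combinations

# Constructed sample: client-side networks, one entry per VPN gateway.
SITES = {
    "office": ["10.0.0.0/16", "192.168.10.0/24"],
    "data-warehouse": ["10.0.128.0/20"],
    "esb": ["172.16.5.0/24"],
}

def find_collisions(sites):
    """Return (site_a, range_a, site_b, range_b) for ranges that overlap across sites."""
    nets = [
        (name, ipaddress.ip_network(cidr, strict=True))  # rejects CIDRs with host bits set
        for name, cidrs in sites.items()
        for cidr in cidrs
    ]
    collisions = []
    for (site_a, net_a), (site_b, net_b) in combinations(nets, 2):
        if site_a == site_b or net_a.version != net_b.version:
            continue  # only compare different sites within the same IP version
        if net_a.overlaps(net_b):
            collisions.append((site_a, str(net_a), site_b, str(net_b)))
    return collisions

if __name__ == "__main__":
    for a, ra, b, rb in find_collisions(SITES):
        print(f"{a} {ra} collides with {b} {rb}")
```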
Exponea can be configured to monitor VPN tunnel uptime. An ICMP probe regularly checks network availability to the client's network, provided the client supplies a server that responds to ping requests. Monitoring probe requests originate from internal Static IP addresses.
VPN setup is available for Private instance and Exclusive instance. We support setting up 1 Cloud VPN for each Exponea instance.
Updated 7 months ago