Private/Exclusive instance required
Our site-to-site VPN lets you safely connect multiple LANs (local-area networks, each spanning a relatively small area) in different locations using a Cloud VPN tunnel (a Google Cloud managed service, see documentation). First, the feature protects logins to the Exponea application, preventing unauthorized access to private instances. Compared with a remote-access VPN, the site-to-site VPN eliminates the need for each device in a network to run its own VPN client software, is easier to scale, and has much lower network latency. Second, the VPN tunnel can be used as an additional security layer for data imports and API calls from campaigns.
Site-to-site VPN works in the following way:
The Cloud VPN connects the relevant LAN networks to the GCP Virtual Private Cloud (VPC) network through an IPsec VPN connection. Traffic traveling between the two networks is encrypted by one VPN gateway and then decrypted by another VPN gateway. This protects the data as it travels over the internet.
IPsec (Internet Protocol Security) is a protocol suite that encrypts all IP traffic before the packets are transferred from the source to the destination. It is also responsible for authenticating the identities of the two nodes before the actual communication between them takes place.
Securely connect local-area networks (LANs) to create a secured tunnel between Exponea, the client's on-premise data warehouse, and Exponea users' workstations.
The feature protects logins to the Exponea application by preventing unauthorized access. The site-to-site VPN eliminates the need for each device in a network to run its own VPN client software, is much easier to scale, and has much lower network latency.
There are three possible set-ups for securing Exponea login:
Application is accessible on a public domain from the public internet. Users can access the Exponea application from any public network. This set-up is used on all Exponea shared instances.
Public access with IP whitelist
Application is accessible on a public domain from a limited set of IP addresses. These IP addresses are whitelisted using Cloud Armor. Users can access the application from a whitelisted office network. Optionally, Exponea consultants can have this access when connected to the Exponea VPN.
Intranet VPN access
Application is accessible on the intranet domain (an intranet is a computer network for sharing information) only from the intranet network. Users can access the Exponea application only by using VPN-enabled workstations on an internal network. This configuration does not support access for Exponea consultants. The client must provide a custom SSL certificate for the application intranet domain.
Site-to-site VPN allows Exponea to import from and export to the client's internal file storage and databases, and to invoke HTTPS endpoints on the client's internal network.
Scenarios can send requests to external API endpoints and, when the VPN is configured, to internal endpoints.
Requirements for webhooks to internal API endpoints
- Static IPs must be enabled
- the endpoint must use secure HTTPS
- the SSL certificate must be issued by one of the publicly trusted CAs
- the domain name is resolved from either a public DNS or a static domain-IP mapping (/etc/hosts file provided during VPN setup)
- optionally, configure the internal firewall to allow requests from a list of Static IPs
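A preflight check for the webhook requirements listed above, as an added example that is not Exponea tooling or code from the original page. The hostnames and addresses are constructed placeholders, the local resolver stands in for public DNS, and the system CA bundle is assumed to approximate "publicly trusted CAs".

```python
import ipaddress, socket, ssl
from urllib.parse import urlsplit

# Constructed sample of a static domain-IP mapping in hosts-file format (placeholder values).
SAMPLE_HOSTS = "10.20.0.15 hooks.corp.example hooks\n# CRM webhook\n10.20.0.16 crm.corp.example\n"

def parse_hosts(text):
    """Parse hosts-file text into {hostname: ip}; the first mapping for a name wins."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except (IndexError, ValueError):
            continue  # blank, comment-only or malformed line
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping

def resolve(host, static_map):
    """Static mapping first, then the local resolver; None if neither knows the name."""
    try:
        return static_map.get(host) or socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)[0][4][0]
    except (socket.gaierror, UnicodeError):
        return None

def cert_is_publicly_trusted(host, ip, port=443, timeout=5):
    """Handshake with ip using SNI=host; the default context verifies chain and hostname."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def preflight(url, hosts_text, check_tls=False):
    """Return the list of unmet requirements for a webhook URL (empty list = pass)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    problems = [] if parts.scheme == "https" else ["endpoint must use HTTPS"]
    ip = resolve(host, parse_hosts(hosts_text)) if host else None
    if ip is None:
        problems.append("hostname does not resolve from the static mapping or DNS")
    elif check_tls and not problems and not cert_is_publicly_trusted(host, ip, parts.port or 443):
        problems.append("certificate is not publicly trusted or does not match the hostname")
    return problems
```

Pass `check_tls=True` only from a machine that can reach the internal endpoint, since that step opens a real TLS connection to the resolved address.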