Copy for LLM ▼

Copy Page Content Open in ChatGPT Open in Claude Open in VS Code View Markdown

PDF

Enabling Cloud-Native VPN/Encryption Options Over Dedicated Cloud Connectivity Paths

When implementing a dedicated connection into the public cloud through ExpressRoute to Microsoft Azure or Direct Connect to Amazon Web Services, the security of the transport path is part of a security risk assessment to minimize the risk of any potential man-in-the-middle attack.

Azure and AWS have published details on how to use VPN services through their respective dedicated cloud connectivity options:

• Configure a site-to-site VPN over Microsoft Peering
• Establish a VPN Using AWS Direct Connect

This topic describes several scenarios using dedicated cloud connectivity, including:

• Scenario 1: IPsec VPN – Azure ER Microsoft Peering or AWS DX Public VIF
• Scenario 2: IPsec VPN via Megaport Cloud Router (MCR) – Azure ER Microsoft Peering or AWS DX Public VIF
• Scenario 3: IPsec VPN – Azure ER Private Peering or AWS DX Private VIF with Network Virtual Appliance (NVA)Network Virtual Appliances (NVA) are used in Azure or AWS to control the flow of traffic between network segments that are classified with different security levels. For example, between a secure virtual network and the public internet.
  in Azure or AWS
• Scenario 4: IPsec VPN – Multicloud with Network Virtual Appliance (NVA) in Azure and AWS

 

• Scenario 1
• Scenario 2
• Scenario 3
• Scenario 4

Scenario 1
IPsec VPN – Azure ER Microsoft Peering or AWS DX Public VIF
Prerequisites
Owned public IP addresses that can be assigned to use Microsoft Peering and Public VIF. Note: If public IP addresses are not owned, use MCR (Scenario 2). Owned network appliance capable of IPsec.
Megaport Technology Required		How many?
Port	Yes	1 or (2 in a Link Aggregation/LAG)
Megaport Cloud Router (MCR)	No
Virtual Cross Connect (VXC)	Yes	1 to each CSP (Azure or AWS)
Considerations
Azure and AWS use industry standard protocol IPsec AES128 or AES256 for encryption: using other protocols for security or performance is not easily customizable. Azure and AWS IPsec VPN can be configured with Active-Active HA configuration. The maximum throughput available to AWS Virtual Private Gateway is 1.25 Gbps. The maximum throughput of Azure VPNs depends on the VPN Gateway SKU.

Scenario 2
IPsec VPN via Megaport Cloud Router (MCR) – Azure ER Microsoft Peering or AWS DX Public VIF This solution is suitable for organizations that do not own public IP addresses.
Prerequisites
Customer-owned network appliance capable of IPsec.
Megaport Technology Required		How many?
Port	Yes	1 (2 in a Link Aggregation/LAG)
Megaport Cloud Router (MCR)	Yes	1
Virtual Cross Connect (VXC)	Yes	1 to each CSP (Azure or AWS) and 1 Private VXC
Considerations
Azure and AWS use industry standard protocol IPsec AES128 or AES256 for encryption: using other protocols for security or performance is not easily customizable. Azure and AWS IPsec VPN can be configured with Active-Active HA configuration. The maximum throughput available to AWS Virtual Private Gateway is 1.25 Gbps. The maximum throughput of Azure VPNs depends on the VPN Gateway SKU.

Scenario 3
IPsec (or other) VPN - Private Peering or Private VIF with Network Virtual Appliance (NVA) in Azure or AWS.
Prerequisites
Customer-owned IPsec-capable network appliances on-premises and in the cloud.
Megaport Technology Required		How many?
Port	Yes	1 (2 in a Link Aggregation/LAG)
Megaport Cloud Router (MCR)	No
Virtual Cross Connect (VXC)	Yes	1 to each CSP (Azure or AWS)
Considerations
Organizations have the flexibility of the encryption method for better security or better performance. Additional cost to the VMs running the NVA. Organizations will need to consider how to design and deliver HA for this scenario. The maximum throughput can exceed 1.25 Gbps up to the maximum Port size (1 Gbps or 10 Gbps) with the right compute power available on the NVA.

Scenario 4
IPsec (or other) VPN - Multicloud with Network Virtual Appliance (NVA) in Azure and AWS. This solution is suitable for organizations with on-premises infrastructure that is not geographically close to the CSPs.
Prerequisites
Customer owns IPsec-capable network appliances on-premises and in the cloud.
Megaport Technology Required		How many?
Port	Yes	1 (2 in a Link Aggregation/LAG)
Megaport Cloud Router (MCR)	Yes	1
Virtual Cross Connect (VXC)	Yes	1 to each CSP (Azure and AWS) and 1 Private VXC
Considerations
Provides a flexible encryption method for better security or better performance. Additional cost to the VMs running the NVA. Need to consider how to design and deliver HA for this scenario. The maximum throughput can exceed 1.25 Gbps with the required compute power available on the NVA.

Helpful references

• Readme file: AWS - Azure Private IP VPN with Megaport

• Video: AWS - Azure Private IP VPN with Megaport(19:35)