Hybrid Cloud – Scale VPN tunnel capacity to overcome performance degradation

A Site-to-Site VPN establishes a secure, encrypted tunnel for traffic between an on-premises datacenter or branch office and your virtual cloud network (AWS, Azure or any other public cloud). Typically two tunnels are set up in an active/standby configuration to provide redundancy and high availability. The problem arises when the traffic flow reaches the tunnel's capacity and performance starts to degrade. In this article we explore one such scenario and a viable solution for scaling VPN tunnel capacity to the desired volume.

Problem Scenario:

Each site-to-site VPN tunnel has a capacity limit determined by the firewall's specifications. Once a tunnel reaches its capacity, network performance starts degrading. To overcome this, we can use the multiple-tunnels approach described below.

Possible Solution:

Multiple tunnels – Multiple tunnels are an effective way to increase network capacity. Using BGP and ECMP on both ends, we can build multiple tunnels and spread traffic across them. The achievable capacity depends on the ECMP specification of your firewall; the number of equal-cost paths supported differs between vendors.

Equal-Cost Multi-Path (ECMP) processing – ECMP is a traffic load-balancing feature that lets the firewall use multiple equal-cost routes to the same destination. Without ECMP, the firewall picks one of the available equal-cost routes from the routing table and installs it in the forwarding table; the other routes are left unused unless the chosen route fails. ECMP is the key feature required to carry the desired traffic from the head office or colocation datacentre to your preferred cloud.

All cloud service providers have built-in monitoring solutions that can be used to analyse tunnel utilisation and prepare the network for the desired traffic volume.

With ECMP enabled, all tunnels carry traffic equally. iperf3 can be used to generate test traffic and measure the capacity of the tunnels.
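The per-flow nature of ECMP matters when testing with iperf3: the firewall pins each session to one tunnel, so a single iperf3 stream can never exceed one tunnel's throughput and parallel streams (`-P`) are needed to exercise the aggregate. The following added example is not from the article; it is a small Python simulation that assumes the firewall selects a tunnel by hashing the 5-tuple modulo the number of tunnels (a stand-in for the vendor's real hash function) and uses constructed addresses, ports and capacity figures.

```python
"""Flow-based ECMP across several site-to-site VPN tunnels: a simulation.

Added illustration, not code from the article. Assumes the firewall hashes
the 5-tuple and picks tunnel = hash mod N; real vendors use their own hash
function, but the distribution behaviour shown here is the same.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    """One TCP/UDP session as seen by the firewall (constructed sample data)."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


def ecmp_tunnel(flow: Flow, tunnel_count: int) -> int:
    """Return the tunnel index a flow is pinned to.

    Stand-in hash: SHA-256 of the 5-tuple, reduced modulo the number of
    equal-cost paths. Every packet of one flow yields the same index, which
    keeps a session on one tunnel and avoids packet reordering.
    """
    if tunnel_count < 1:
        raise ValueError("need at least one tunnel")
    key = f"{flow.src_ip}|{flow.dst_ip}|{flow.proto}|{flow.src_port}|{flow.dst_port}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % tunnel_count


def distribute(flows: Iterable[Flow], tunnel_count: int) -> Dict[int, int]:
    """Map tunnel index -> number of flows ECMP places on it."""
    return dict(Counter(ecmp_tunnel(f, tunnel_count) for f in flows))


def usable_capacity_mbps(flows: Iterable[Flow], tunnel_count: int, per_tunnel_mbps: int) -> int:
    """Aggregate bandwidth the offered flows can actually reach.

    Only tunnels that receive at least one flow contribute, so a single flow
    never gets more than one tunnel's worth of capacity, however many
    tunnels exist.
    """
    return len(distribute(flows, tunnel_count)) * per_tunnel_mbps


def iperf_flows(parallel: int, src: str = "10.10.0.5", dst: str = "172.16.0.10",
                base_port: int = 50000) -> List[Flow]:
    """Constructed flows resembling `iperf3 -c <dst> -P <parallel>`.

    Same endpoints and destination port 5201; each parallel stream uses its
    own ephemeral source port, which is what lets ECMP spread the streams
    across tunnels.
    """
    return [Flow(src, dst, 6, base_port + i, 5201) for i in range(parallel)]


def remapped_on_tunnel_loss(flows: Iterable[Flow], tunnel_count: int) -> int:
    """Count flows that change tunnel when one of the tunnels fails.

    With plain modulo hashing the divisor changes from N to N-1, so flows on
    the surviving tunnels, not only those on the failed one, may move.
    """
    flows = list(flows)
    if tunnel_count < 2:
        return 0
    return sum(1 for f in flows
               if ecmp_tunnel(f, tunnel_count) != ecmp_tunnel(f, tunnel_count - 1))


if __name__ == "__main__":
    tunnels, per_tunnel = 4, 1250  # constructed: four tunnels of 1.25 Gbps each
    for streams in (1, 4, 32):
        flows = iperf_flows(streams)
        print(f"{streams:>2} iperf3 stream(s): flows per tunnel {distribute(flows, tunnels)}, "
              f"usable {usable_capacity_mbps(flows, tunnels, per_tunnel)} Mbps")
    print("flows remapped if one of 4 tunnels drops:",
          remapped_on_tunnel_loss(iperf_flows(32), tunnels))
```

Running the script shows one stream occupying exactly one tunnel, while 32 parallel streams spread across the tunnels and unlock the aggregate capacity; this is why an iperf3 capacity test against an ECMP setup should use `-P` with well more streams than tunnels. The last line illustrates the failover side of the same design: losing a tunnel changes the hash divisor and moves some existing sessions, which is the disruption the active/standby pair was protecting against.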