Amazon Web Services’ Virtual Private Clouds are an effective means of ensuring security within the public cloud. Connecting to them through virtual private networks, however, can be tricky.
Amazon Web Services (AWS) Virtual Private Cloud (VPC) logically isolates instances and, optionally, securely connects a private data center with Amazon’s cloud via virtual private network (VPN). Last year, VPC features were made available by default for new Elastic Compute Cloud (EC2) users and existing customers who launch new instances in a region.
“Going to a VPC is easier because now instead of worrying about firewall rules and trying to make sure you cover everything, you can set it up by security group, and apply those security groups to types of instances and things like that,” said Craig Loop, director of technology for RealityDate Corp., a Naperville, Ill., company that sells property information to mortgage bankers.
Using Security Groups instead of firewalls has also boosted performance in the cloud for HubSpot Inc., a digital marketing SaaS company in Cambridge, Mass. VPC lets HubSpot completely automate its networks within AWS, which, in turn, allows the company to dynamically scale its big data analytics applications, HubSpot’s CIO, Jim O’Neill, told SearchAWS.com recently.
The trouble with VPNs
However, setting up site-to-site VPN connections into VPCs has been troublesome for some IT pros.
Attaching multiple remote offices into the same VPC through VPN, for example, can be difficult to learn, according to Kent Langley, CEO of Ekho, Inc., a digital marketing firm in San Rafael, Calif., which runs entirely on AWS. And although Amazon has the technology to deal with that, it’s still quite difficult.
“You have to have some specialized knowledge and skills, so they haven’t gotten as far on that side of things, in my opinion, as they have with some of their other infrastructure as a service and platform as a service products,” Langley said.
Experienced networking consultants say they have had difficulty connecting VPNs to VPCs for clients, particularly when they try to create custom scenarios for VPC, even though such connections aren't new in enterprise networking.
For example, a large corporate client of Greg Ferro, a U.K.-based independent consultant, needed to set up a VPN from an EC2 instance inside a VPC to a third party that has a public IP address behind another public IP. This calls for a specific type of VPN that’s “a piece of cake on a normal enterprise network,” Ferro said.
Technically, this should work in an AWS VPC, but Ferro said he hasn’t been able to get it set up using tools Amazon provides. The third party in this case wants to generate a pre-shared key, but the AWS VPN client’s pre-shared key cannot be modified. The AWS VPN client also ran into problems connecting to the third party’s server behind a layer of Network Address Translation (NAT).
To connect the VPN to a third party, Ferro and his client set up a physical VPN appliance in the customer’s data center instead.
“It wasn’t immediately obvious how VPC was going to work in an enterprise,” Ferro said. “I’ll need to invest significant time and effort to understand how VPC works and how I could map a corporate platform onto it.”
The AWS VPN client is also limited to one pair of IPSec security associations, which is enough to allow a lot of traffic but not enough to allow many connections to terminate into the same VPN, according to Teren Bryson, consulting systems engineer at a Midwestern reseller. AWS’s VPN also offers 128-bit encryption as opposed to the stronger AES 256-bit encryption.
VPN endpoint devices ‘finicky’
There are third-party tools that replace the AWS VPN endpoints, but other IT pros say that these devices also are problematic.
“VPN connections particularly are [the] most troublesome [part of Amazon’s VPC],” said Mark Szynaka, cloud architect at Cloud e-Broker, a New York consulting firm. “They’re very finicky – that part is the most challenging.”
Consultants to small and medium businesses recommend using caution when choosing a third-party VPN device to tie into Amazon’s VPC.
“We’ve had some challenges with lower-end small business firewalls being an end point and the tunnels dropping,” said Glenn Grant, president and CIO for Boston, Massachusetts-based AWS partner G2 Technology Group. “If you get midrange to upper end [firewalls], they’re solid as a rock.”
However, while a low-end device can cost as little as $800, these ‘solid’ VPN endpoints can cost between $10,000 and $20,000, Grant said.
Meanwhile, Szynaka said he ran into issues with dropped connections with a similar device from Palo Alto Networks and Ferro said he also struggled with getting a Vyatta virtual router to work for his purposes.
Brocade Communications Systems Inc., which owns Vyatta, said Ferro’s issues could have stemmed from a configuration error. The company said the use case outlined is common with Brocade customers using the vRouter in AWS, and there have been no prior issues to its knowledge.
Palo Alto Networks did not respond to a request for comment as of press time.
Amazon Web Services declined to comment on the record for this story.