How to securely connect CloudHub VPC with your data centre

When data security is critical, setting up a secure channel to access the data in your company’s data centre is best practice.

For Anypoint Platform users, setting up a CloudHub VPC and VPN gateway is a straightforward process using the self-service features provided on Anypoint Platform Runtime Manager.

This blog discusses the key points to consider in order to achieve secure connectivity between CloudHub VPC and your data centre.

What is VPC?

A Virtual Private Cloud (VPC), is a set of computing resources (storage, network, compute) that are isolated and made available only to the CloudHub users.

MuleSoft’s CloudHub is a multi-tenant integration platform in the Cloud.  CloudHub Virtual Private Cloud (VPC) allows you to create a virtual, private, and isolated network segment on AWS cloud to host your CloudHub workers.

CloudHub VPC is part of CloudHub managed services which allows us to deploy, run and manage our applications in a dedicated and secure environment. 

• VPC can be setup via MuleSoft Support or in a self-service manner within Anypoint Runtime Manager.  
• MuleSoft VPC is a customized/extended version of AWS VPC, they are not identical.
• VPC on its own is completely isolated and will most likely need connectivity to the outside world.

Why VPN?

A Virtual Private Network (VPN) is a network tunnel between Cloudhub VPC and the company’s corporate network.

• A VPC is a virtual software defined network in the cloud. To connect to your tenancy and access the data securely from your on-premise data centre, you need a VPN connection between your data centre and your CloudHub VPC.
• If you have secure data that you don’t want to transmit over the internet without encryption then you need an IPsec VPN.

What are the VPC Connectivity options?

The various VPC Connectivity methods are:

• Public Internet: Default connectivity to CloudHub VPC. Application and APIs are accessible using http://myapp.cloudhub.io
  
  
• IPsec tunnel with network-to-network configuration: Recommended and most used solution for VPC to on-premise (I,e customer corporate data centres ) connectivity.
  
  
• VPC Peering: Pair an Amazon VPC directly to a CloudHub VPC.
  
  
• CloudHub Direct Connect: If the customer network connectivity has Amazon VPC using Amazon Direct Connect, they can create a hosted virtual interface to their CloudHub VPC.

What is IPSec ?

Internet Protocol Security (IPSec) is a protocol suite for securing communications between two networks. Typically used to connect Cloudhub to customers on premise network.

• Connecting to your Anypoint VPC extends your corporate network and allows CloudHub workers to access resources behind your corporate firewall. An IPsecVPN tunnel allows you to access your resources over this secure tunnel using private IP’s

IPSec – VPN Connectivity

The diagram below shows the network setup to implement a VPN connection from your Data Centre to the Anypoint VPC in the CloudHub.

On the MuleSoft side, high availability is built into the Anypoint VPN as shown in the above diagram with Router 1 and Router 2 each with its own public facing IPs and with respective tunnel 1 and tunnel 2. If you also intends to build high availability into their VPN setup they would need to implement the VPN across at least two different customer gateways.

The VPN set up process changed in MULE 4.0 version over time with various updates rolled out on the Anypoint Platform. A self-service feature was released to enable the users to create the VPN configuration and eliminate the dependency on the MuleSoft support team, which used to be the case earlier.

Set-Up Process:

The general process is available in the documentation at Create an Anypoint VPN.

Configuration Settings – To Consider :

• Connecting to VPN devices

Even though the self-service feature is made available, it does not support all the types of VPN devices.

For example the image below shows the list of VPN device vendors. The VPN config details can be downloaded for these vendors. We need to go with ‘generic’ option in case the VPN device vendor is not listed.

Before configuring the VPN device on the customer side with the generic configuration details it is always better to take a confirmation from the MuleSoft support team and validate if the VPN device vendor and the version is supported by the platform. 

• VPC Firewall configuration:
  To connect the customer data centre to CloudHub, you need to add the IP or the CIDR range to the VPC firewall to allow access.

• Private or Internal DNS :
  Domain Name System (DNS) is a set of records like a phonebook for the internet. We access websites, web services and information through domain names like whishworks.com, google.com, etc. The process of DNS resolution involves converting a hostname (such as www.whishworks.com) into a computer-friendly IP address (such as 192.168.1.1). An IP address is given to each system or device on the Internet, and that address is necessary to find the appropriate Internet device - like a street address is used to find a particular home. When a user wants to load a webpage, a translation must occur between what a user types into their web browser (example.com) and the machine-friendly address necessary to locate the example.com webpage.
  

If you are trying to connect to internal systems using internal DNS names which are registered in your DNS server and not available publicly, the DNS server and the domain names have to be registered on the VPC as shown below.

Connectivity Test:

Once all the above taken care of, provide the reference to the networking team to generate some interesting traffic to test from their end. (How to Generate Interesting Traffic for Anypoint VPN)

• CloudHub to data centre

Use the nettools application to test the connectivity. (How To Use Network Tools Application)

• Customer datacentre to CloudHub

To test the connectivity from the customer data centre to CloudHub, spin up a sample API and deploy it on CloudHub ensuring it is in the same VPC. Trigger some requests from any machine or VM to check that the connectivity works as expected. You should be able to connect to the APIs using the internal worker DNS names of the API deployed in CloudHub. (CloudHub Internal DNS Records)

If you would like to find out more about connecting CloudHub with your data centre, we can help. Give us a call on +44 (0)203 475 7980 or email us at Salesforce@coforge.com

Other useful links:

How to apply pagination in Mule Scheduled Jobs

MuleSoft Managed Services

API Recipes with MuleSoft Anypoint Platform