Design and Feature Requirement for a User-VPN Solution

If you are building a new or re-architecting a User-VPN (aka SSL VPN or Client to Site VPN) based solution, then you should consider at least following design ingredients in your solution

  • Built on OpenVPN® and is compatible with all OpenVPN® client software
  • Provide certificate based SSL VPN user authentication
  • LDAP/AD Integration
  • Support multi factor authentication (MFA) methods such as Google, DUO, Okta, SAML and LDAP
  • You should also be able to combine various authentication and authorization components to add extra level of security for the interaction. For instance the solution first authenticate from a corporate LDAP entity and then consult with DUO for MFA
  • Authenticate a VPN user directly from the VPN client to any IDP via SAML protocol. The SAML protocol and a client with SAML support must be the key requirement
  • Supports external PKI for OpenVPN Certificates
  • The solution must provide a Profile Based Access Control so that beyond the authentication and autharization that was discussed above, one should also control the access right at the IP Address, CIDR or Subnet level (aka Profile Based Network Segmentation)

The Aviatrix solution has all the above mentioned design ingredients. On top of that it has features such as Geo-Location based connectivity to the closest VPN GW (or Concentrator) with support for both TCP and UDP based load-balancing

Look at this Clara customer case-study (Clara is part of SoFI now) for reference

Direct Connect Gateway

Direct Connect Gateway is getting popularity. With large networks and deployment across regions, it is evident that customers are picking Direct Connect Gateway to provide high-availability across regions. One should remember that even with the Direct Connect GW in picture, data path still goes through the physical connection. It means that for regions that are far apart, one might notice some latency/delays.

Managing and automating Direct Connect (DX) Gateway could be challenging. Aviatrix is the platform that can orchestrate a DX Gateway that is serving as a bridge between two Transit Gateways across regions provided there is no VGW in the datapath and the DX Gateway is attached to the TGWs via the default security domain (Security Domain is Aviatrix construct to provide network segmentation between VPCs/vNETs)

Aviatrix will orchestrating the Multi-Region architecture with DX Gateway and will handle all the route propagation. In addition, it will deliver the following additional capabilities to the network:

  • Full HA Capabilities with no single point of failure in the network with High Performance Encryption between Regions @ 5Gbps
    • IPSec VPN could also be used as a Backup to the DX Gateway
  • Centralized Firewall Management
  • Multi-Cloud Connectivity