Connection types
STACKIT VPN provides secure tunnels to connect your on-premise network to your cloud resources. To ensure your network traffic flows efficiently, it’s important to understand the different connection types available. STACKIT supports policy-based VPNs and two types of route-based VPNs.
The following sections describe the key differences, benefits, and use cases for each method.
Policy-based VPN
A policy-based VPN identifies traffic for encryption by matching source and destination IP address ranges. These ranges are the traffic selectors of an IPsec policy, and each local/remote pair of ranges is negotiated as its own security association (SA). When a packet matches the source and destination criteria of a policy, the VPN gateway encrypts it and sends it through the corresponding SA; traffic that matches no policy is not tunnelled at all.
- Routing: Traffic is routed based on a match with the defined policy rather than a routing table.
- Complexity: Configuration can become difficult if you need to connect many subnets, as each pair of subnets requires a unique policy.
- Use case: Use this type only when the remote gateway is a legacy device that does not support virtual tunnel interfaces (VTI).
Route-based VPN with static routes
A route-based VPN creates a virtual tunnel interface (VTI) that behaves like a physical network interface. Traffic is directed into the tunnel by the standard routing table of the system, not by an address-pair policy: whatever the routing table sends to the VTI is encrypted. In this configuration, you define the routes manually.
- Routing: You manually enter the IP ranges for the remote network into the STACKIT Portal or via the STACKIT CLI.
- Flexibility: It’s more flexible than policy-based VPNs because you can change routing rules without renegotiating the VPN tunnel.
- Use case: This is suitable for stable environments with simple network topologies where the remote network ranges do not change frequently.
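To make the difference between the two selection mechanisms concrete, here is an added example (written for this page, not STACKIT code) that models policy-based traffic selectors next to route-based longest-prefix matching and counts what it costs to add one more remote subnet under each model. All prefixes, addresses and interface names (`vti1`, `vti2`) are invented.

```python
"""Policy-based vs. route-based selection of traffic for an IPsec tunnel.

Added example, not STACKIT code. Models how each connection type decides that a
packet belongs in the tunnel, and what adding a remote subnet costs. All
prefixes, addresses and interface names below are invented.
"""
from ipaddress import ip_address, ip_network
from itertools import product

# A route-based tunnel negotiates one SA whose traffic selectors cover everything;
# the routing table, not the selector, decides what enters the VTI.
ROUTE_BASED_SELECTOR = (ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"))


def build_policies(local_subnets, remote_subnets):
    """Policy-based: every (local, remote) pair is its own traffic selector and
    therefore its own child SA. Returns the ordered list of selector pairs."""
    return [(ip_network(loc), ip_network(rem))
            for loc, rem in product(local_subnets, remote_subnets)]


def policy_select(policies, src, dst):
    """Return the index of the SA whose selector pair matches (src, dst), or None.
    A packet that matches no policy is not encrypted or tunnelled."""
    s, d = ip_address(src), ip_address(dst)
    for i, (local_ts, remote_ts) in enumerate(policies):
        if s in local_ts and d in remote_ts:
            return i
    return None


def route_select(routes, dst):
    """Route-based: ordinary longest-prefix match. `routes` maps prefix -> interface.
    Returns the interface the packet is sent to, or None if nothing matches."""
    d = ip_address(dst)
    best = None
    for prefix, iface in routes.items():
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def route_based_tunnel(routes, src, dst):
    """Full route-based path: pick the VTI by route, then confirm the single
    catch-all SA matches (it always does, index 0)."""
    iface = route_select(routes, dst)
    if iface is None:
        return None
    assert policy_select([ROUTE_BASED_SELECTOR], src, dst) == 0
    return iface


def compare_new_subnet(local_subnets, remote_subnets, new_remote):
    """Cost of adding one remote subnet: new SAs under policy-based,
    a single route entry (no renegotiation) under route-based."""
    before = build_policies(local_subnets, remote_subnets)
    after = build_policies(local_subnets, remote_subnets + [new_remote])
    return {
        "policy_sas_added": len(after) - len(before),  # one per local subnet
        "route_sas_added": 0,                          # catch-all SA is untouched
        "routes_added": 1,
    }
```

Note how `policy_select` returns `None` for a source that is outside every local selector: on a real policy-based gateway that packet silently leaves unencrypted or is dropped, which is the usual cause of "works for subnet A but not subnet B" tickets. With the route-based model the same packet simply follows the routing table.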
Route-based VPN with BGP
This connection type also uses a VTI but automates the routing process using the Border Gateway Protocol (BGP). STACKIT VPN and your on-premise gateway exchange routing information dynamically over the tunnel.
- Routing: BGP keeps the routing tables on both ends of the tunnel in sync. If a new subnet is added to your on-premise network and your gateway advertises it into the BGP session, it is automatically known to your STACKIT infrastructure; prefixes that your gateway does not advertise remain unreachable.
- High availability: When a peer stops sending keepalives and its hold timer expires, BGP withdraws all routes learned from that peer, so traffic follows the remaining route through the second tunnel, provided you have configured one.
- Use case: We recommend this type for complex or enterprise-grade environments where network requirements change often or where high availability is critical.
Comparison / summary
The following table summarizes the primary differences between the supported VPN types:
| Feature | Policy-based | Route-based (Static) | Route-based (BGP) |
|---|---|---|---|
| Routing method | Policy matching (SA) | Manual routing table entries | Dynamic exchange via BGP |
| Interface type | No virtual interface | Virtual tunnel interface (VTI) | Virtual tunnel interface (VTI) |
| Scalability | Low (manual policy for each subnet) | Medium (manual route management) | High (automated route updates) |
| Redundancy | Difficult to automate | Manual failover | Automatic failover |
| Configuration | Static | Semi-dynamic | Fully dynamic |
Architectural considerations for high availability
Regardless of the routing type you choose, STACKIT VPN Service deploys two internal gateway instances in an active-active configuration.
- Redundancy: Always configure both tunnel1 and tunnel2 on your remote peer. With only one tunnel configured, the loss of that gateway instance takes the whole connection down.
- Asymmetric routing: Ensure your remote firewall or router can handle asymmetric traffic, because a reply may arrive through a different tunnel than the request left on. A stateful firewall that binds connection state to the ingress interface will drop such replies as unsolicited; either relax that check for the two tunnel interfaces or place both in the same security zone.
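The two failure modes above (a dead BGP peer on one tunnel, and a reply returning through the other tunnel into a strict stateful firewall) are easy to reason about with a small model. The following is an added example written for this page, not STACKIT code: peer names, prefixes, interface names and the hold time are invented, and the tie-break in `lookup` is a stand-in for real BGP best-path selection.

```python
"""Two-tunnel high availability: BGP hold-timer failover and asymmetric return traffic.

Added example, not STACKIT code. Models a routing table fed by one BGP session
per tunnel and a stateful firewall in front of the on-premise gateway.
Peer names, prefixes, interface names and the hold time are invented.
"""
from ipaddress import ip_address, ip_network


class BgpRib:
    """Routes learned per BGP peer. A peer whose hold timer has expired is treated
    as down and every route learned from it is withdrawn from the lookup."""

    def __init__(self, hold_time=90):
        self.hold_time = hold_time
        self.peers = {}  # name -> {"iface": str, "last_keepalive": int, "routes": set}

    def add_peer(self, name, iface, prefixes, now):
        self.peers[name] = {
            "iface": iface,
            "last_keepalive": now,
            "routes": {ip_network(p) for p in prefixes},
        }

    def keepalive(self, name, now):
        self.peers[name]["last_keepalive"] = now

    def lookup(self, dst, now):
        """Longest-prefix match over live peers only. On an equal-length tie the
        peer added first wins (stand-in for real BGP best-path selection)."""
        d = ip_address(dst)
        best = None
        for peer in self.peers.values():
            if now - peer["last_keepalive"] > self.hold_time:
                continue  # hold timer expired: session down, routes withdrawn
            for net in peer["routes"]:
                if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, peer["iface"])
        return best[1] if best else None


def simulate_failover():
    """Both tunnels advertise the same cloud prefix. tunnel1 carries traffic until
    its keepalives stop; once its hold timer expires, traffic moves to tunnel2."""
    rib = BgpRib(hold_time=90)
    rib.add_peer("stackit-gw-1", "vti1", ["10.100.0.0/16"], now=0)
    rib.add_peer("stackit-gw-2", "vti2", ["10.100.0.0/16"], now=0)
    before = rib.lookup("10.100.3.4", now=60)   # both alive, tunnel1 preferred
    rib.keepalive("stackit-gw-2", now=120)      # only tunnel2 keeps talking
    after = rib.lookup("10.100.3.4", now=120)   # 120 - 0 > 90: tunnel1 withdrawn
    return before, after


class StatefulFirewall:
    """Connection tracking on the on-premise side. With bind_to_interface=True a
    reply must arrive on the interface the request left on; with False only the
    address pair has to match tracked state."""

    def __init__(self, bind_to_interface):
        self.bind_to_interface = bind_to_interface
        self.flows = set()

    def _key(self, src, dst, iface):
        return (src, dst, iface if self.bind_to_interface else None)

    def outbound(self, src, dst, iface):
        self.flows.add(self._key(src, dst, iface))

    def inbound_reply(self, src, dst, iface):
        """A reply has swapped addresses; accept it only if it matches tracked state."""
        return self._key(dst, src, iface) in self.flows


def simulate_asymmetric_return(bind_to_interface):
    """Request leaves through tunnel1, the reply comes back through tunnel2.
    Returns True if the firewall accepts the reply."""
    fw = StatefulFirewall(bind_to_interface)
    fw.outbound("192.168.10.5", "10.100.3.4", "vti1")
    return fw.inbound_reply("10.100.3.4", "192.168.10.5", "vti2")
```

`simulate_failover()` shows why both tunnels must carry a BGP session: with a single peer there is nothing left in the table after the hold timer expires. `simulate_asymmetric_return(True)` reproduces the drop described under "Asymmetric routing"; the same exchange with interface binding off is accepted.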