IBM Cloud Docs
VPNs for VPC overview

IBM Cloud has two VPN services. VPN for VPC offers site-to-site gateways, which connect your on-premises network to the IBM Cloud VPC network. Client VPN for VPC offers client-to-site servers, which allow clients on the internet to connect to VPN servers, while still maintaining secure connectivity.

Site-to-site gateways

IBM Cloud VPN for VPC provides a simple yet powerful solution for highly scalable and robust site-to-site VPN gateways. With this service, you can create site-to-site VPN tunnels for secure, encrypted connectivity. Connect from on-premises sites to IBM Cloud through a VPN gateway on an IBM Cloud VPC and a peer gateway on premises.

This service provides a mixture of industry-standard security and encryption options as well as support for Pre-Shared Key (PSK) authentication. With this service, you can quickly add and remove VPN connections with the option to use pre-defined configurations. For more information, see About site-to-site VPN gateways.

Site-to-site VPN in IBM Cloud provides you with the following options to connect your on-premises network to the IBM Cloud VPC network:

Policy-based VPN

This VPN mode uses defined security policies to determine which traffic is encrypted and sent through the VPN tunnel. Administrators can specify the source, destination, and services for which the traffic is tunneled, enabling fine-grained control over what is transmitted.

Route-based VPN

This VPN mode relies on routing tables to direct traffic through the VPN tunnel. In a route-based configuration, traffic is sent through the tunnel based on available routes, rather than specific policies. This approach is beneficial for larger, complex networks where dynamic routing is required, allowing for better scalability and adapting to changes in network topology.

Route-based VPN further supports the following connection types:

Static route-based VPN connection

In the static route-based connection, the routes are manually specified and configured in the routing table. This option is best for stable environments with fixed network topologies.

Dynamic route-based VPN connection

In the dynamic route-based connection, the routes are automatically discovered and route information is exchanged between networks with protocols such as BGP. This option simplifies management and adapts to network changes, which makes it ideal for large or evolving environments.
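To make the difference between the two modes concrete, the following added model (not IBM code; all CIDRs, tunnel names, and policies are constructed for illustration) selects a tunnel the way each mode does: policy-based mode encrypts only flows that match a configured source/destination/service selector, while route-based mode picks the egress by longest-prefix match on the destination, which is what lets static or BGP-learned routes steer traffic.

```python
"""Model of policy-based vs route-based tunnel selection (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: str     # local CIDR selector
    dst: str     # remote CIDR selector
    proto: str   # "any" or a specific service such as "tcp"
    tunnel: str  # tunnel used when the selector matches


@dataclass(frozen=True)
class Route:
    prefix: str    # destination prefix in the routing table
    next_hop: str  # tunnel interface name, or "local" for untunneled traffic


def select_policy_based(policies, src_ip, dst_ip, proto="tcp"):
    """Policy-based VPN: first policy whose src/dst/service selector matches wins.
    Traffic that matches no policy is not sent through any tunnel (None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if (s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst)
                and p.proto in ("any", proto)):
            return p.tunnel
    return None


def select_route_based(routes, dst_ip):
    """Route-based VPN: longest-prefix match on the destination decides the egress.
    A route whose next hop is a tunnel interface sends the packet over IPsec."""
    d = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if d in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best.next_hop if best else None


# Constructed sample configuration (hypothetical addresses and tunnel names).
POLICIES = [
    Policy("10.240.0.0/24", "192.168.10.0/24", "any", "tun-onprem"),
    Policy("10.240.0.0/24", "192.168.20.0/24", "tcp", "tun-onprem"),
]
ROUTES = [
    Route("0.0.0.0/0", "local"),              # default: stays off the VPN
    Route("192.168.0.0/16", "tun-onprem"),    # static route to the on-prem site
    Route("192.168.50.0/24", "tun-partner"),  # more specific route wins
]
```

Note that in the policy-based model a UDP flow to 192.168.20.0/24 is silently left untunneled because only TCP was selected, whereas the route-based model tunnels anything under 192.168.0.0/16 regardless of service; that is the trade-off between fine-grained control and scalability described above.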

The following features are included in a site-to-site VPN gateway:

  • Secure tunnels - Create a VPN in route-based or policy-based mode to set up IPsec site-to-site tunnels between your VPC and your on-premises private network, or another VPC.
  • High availability - Built on two VPN devices, which provides appliance-level redundancy.
  • Pre-defined and custom encryption proposals - Choose from multiple pre-defined proposals for a quick, secure VPN configuration with customizable Internet Key Exchange (IKE) Phase 1 and Phase 2 encryption settings.
  • Monitoring - View the monitoring dashboard to see the current status of all tunnels and connections. You can also suspend and restart your individual VPN connections at any time.

Client-to-site servers

IBM Cloud Client VPN for VPC provides an open-source-compatible client-to-site VPN solution that allows users to connect to IBM Cloud resources through secure, encrypted connections.

When your users are working remotely, traveling, or at a location without a site-to-site VPN connection, they can use an OpenVPN client to connect to VPN servers on your IBM Cloud VPC. For more information, see About client-to-site VPN servers.

The following features are included in client-to-site VPN:

  • Secure, encrypted connectivity - A secure, encrypted, TLS 1.2/1.3-based way for your employees (or individuals) to access IBM Cloud VPC remotely. With VPN servers set up for client connections and support for Transit Gateway, you can also privately interconnect with Classic IaaS and other VPCs on IBM Cloud.
  • High availability - Spans multiple availability zones for high throughput and resiliency.
  • Multi-factor authentication - Apply to your VPN server and client connections to provide an added layer of security to meet compliance and security requirements.
  • Operations and management - View the VPN server dashboard to monitor status and manage the lifecycle of VPN servers and their client connections. When a business scenario requires it, you can also delete clients that are connected to the servers.