Setting up VPN with AWS — 1/2

Florian Chazal
My Local Farmer Engineering
5 min read · May 4, 2021

Introduction to the Series

Welcome to our blog post series on Working From Home. Here we will discuss our journey of migrating our VPN infrastructure to the cloud. In this first blog post, we will talk about the situation that we found ourselves in at the start of the pandemic when we were instructed by governments to have our employees work from home.

In later posts, we will describe our previous on-premises infrastructure, and the process of enabling remote access to it via a scalable cloud solution.

Disclaimer
I Love My Local Farmer is a fictional company inspired by customer interactions with AWS Solutions Architects. Any stories told in this blog are not related to a specific customer. Similarities with any real companies, people, or situations are purely coincidental. Stories in this blog represent the views of the authors and are not endorsed by AWS.

The Challenges of Working From Home

March 2020 was a really challenging time for our company. The spread of COVID-19 throughout Europe triggered legislation that meant that all of our workforce had to transition to working from home in a very short time period.

This demanded a drastic change in the lifestyle of our employees, most of whom enjoyed the socialization that office work brought, and the facilities available in our offices. The sudden isolation that arrived with lockdown was certainly a great challenge to many.

That said, not all of the problems that working from home introduced were a matter of morale; there were also technical barriers to overcome. The most notable was that we were not yet prepared to let our entire workforce reach our internal network from remote computers.

Our On-Premises Infrastructure

Before we had migrated any of our stack to the Cloud, our infrastructure was entirely ‘on-premises’, consisting of data centres in Paris and Berlin, with VPN connections and leased lines connecting them to each other and to our various offices.

Our back office applications, such as Jira, were hosted in our Paris data centre and were only reachable from our internal network. Our largest office, Paris, connected to the Paris data centre over a dedicated leased line, whilst our smaller offices in Rome, Madrid and Berlin connected to it over VPN. The VPN connections from our data centres were robust enough to handle traffic from the smaller offices, but had little headroom for additional users. Because the Paris office was served by the leased line, we had never needed to size the VPN for simultaneous connections from all of our employees.

The Decision to Migrate

During the first few days of lockdown we tried to move all of our employees onto our existing VPN solution; we were already using it to connect our Rome, Madrid and Berlin employees to our data centres before the work-from-home order. To let employees switch from their office desktops to laptops, we had to provision every company laptop with the VPN client software and the client certificates needed to authenticate to the VPN.

With the majority of our laptops set up, we hit a major technological roadblock: our VPN lacked the capacity to handle the additional connections from our Paris employees, all of whom had previously relied on the leased line between the Paris office and the data centre.

Our VPN gateway, with its single VPN concentrator, could not scale past its hard limit of 50 concurrent IPsec clients. Getting new hardware would have taken weeks, if not months, because of the spike in demand for these components early in the pandemic. We took this challenge as an opportunity to complete a project that had been in the back of our minds for a while: move our back office to the cloud!

Our AWS Solution

Back in 2017, before we opened our Berlin data centre, we conducted a preliminary analysis of the offers from the main Cloud providers. The value propositions of the major providers turned out to be very similar.

They all boiled down to three major advantages: paying only for the resources you use, offloading heavy-lifting tasks onto managed cloud services, and leveraging the greater breadth and depth of services available in the cloud. That said, such a transition would have required us to adopt new ways of operating that we were not yet ready for. We would have had to move parts of our IT budget from a capital expenditure (CAPEX) to an operational expenditure (OPEX) model, put systems in place to ensure the security of customer data in the cloud, and train our IT employees in cloud technologies. To keep things simple, we decided it was best to replicate our Paris data centre as-is in a new ‘on-premises’ data centre in Berlin.

Fast forward to 2020: faced with the scaling issues of our existing infrastructure, we revisited our preliminary cloud analysis from 2017 and decided to implement a VPN solution on AWS. We required a scalable, affordable solution with low operational overhead that would be compatible with our existing VPN clients and easy to deploy.

After some research, we stumbled upon a blog post [1] claiming that ‘AWS Client VPN will scale to meet the capacity needs and ensure a consistent user experience, despite influxes in usage’. This seemed to be exactly what we needed to satisfy our business requirements. After reading some of AWS’s own official blogs [1,2,3,4] and watching the short presentation video on AWS Client VPN [5], we felt we had a good idea of how to replace our VPN concentrator with AWS Client VPN.

We set up an AWS Client VPN in a development environment and it worked as expected. Due to the increasing business pressures faced by our IT team, we decided to promote this solution to production to handle all of the VPN traffic to and from our data centres.

In the next blog post in this series, we will describe the details of how we put this solution in place in less than 2 days.
