Tips for setting up a VPN Tunnel to your Acquia Cloud servers

    See more
    • Updated

    Issue 

    I am having trouble setting up my VPN connection and the tunnels are failing to establish. 

    Resolution

    Tips to ensure your VPN tunnel is setup correctly:

    • Acquia's gateway is not the initiator of the connection: The VPN tunnel is established when traffic is generated from your side of the VPN connection. Acquia's gateway is not the initiator of the connection, your gateway must initiate the tunnels. 
    • Do not use any proxy or other intermediary IP or firewall to establish the tunnel. The Acquia tunnel endpoints allow traffic ONLY from the Customer Gateway IP. Acquia is unable to use another connection other than the CGW IP to set up the tunnel.
    • Use a network monitoring tool to generate keepalive pings. If the VPN tunnel experiences a period of idle time (~10 seconds, depending on the configuration), the tunnel may go down. To prevent this, We recommend using a network monitoring tool to generate keepalive pings. 
    • You will find two tunnels connected to Acquia: Each VPN connection consists of two separate tunnels, with each tunnel having its own public endpoint IP address. Acquia cannot remove either of these tunnels. One is intended to be used as a primary, and the other as a backup incase the primary becomes unavailable. This is expected behavior. 
    • Set a primary tunnel on your connection. Having two tunnels up at the same time can potentially cause asymmetric routing. If you are having VPN issues with both tunnels up, specify one tunnel as the primary by setting a preferred route.
    • What IP Range will I see?: Interesting traffic that originates from Acquia’s side of the tunnel will come from the IP range that matches your Acquia Shield VPC (for example, 172.16.32.0/20). When traffic is decrypted from one side of the tunnel, the source IP will be the private IP of the original sender.
    • Enable PFS. Ensure that Perfect Forward Secrecy (PFS) is enabled.
    • Recommended networking equipment list. See the list of networking equipment given to you previously. If you don’t have this list, reach out to your Account Manager. 

     

    Please review this image if you have any questions about the topology of a VPN tunnel to your Acquia Cloud servers. 

    AWS VPN Tunnel example diagram

    Are you connected to Acquia Cloud, but it doesn't appear to be working? See our troubleshooting guide here: My VPN Tunnel is connected to Acquia Cloud, but is not working

    Acquia Products

    Topics

    Related articles