PingOne Advanced Services

VPN network

VPNs are typically used in advanced network situations where you need to connect to an on-premise infrastructure, and a large amount of bandwidth is not required. Although you can make the same type of connection with a Direct Connect (DC) network, which offers more bandwidth, the cost of the connection is separate from PingOne Advanced Services.

You can also set up as many VPN connections as you need. Border Gateway Protocol (BGP) and static routing are both supported. If BGP is used, we’ll ask that you share your routes. PingOne Advanced Services is designed in the hub-and-spoke model, which does not allow routes to propagate to the VPCs behind the Transit Gateway.

This option is best if you:

  • Need to connect to an on-premise infrastructure.

  • Do not need a large amount of bandwidth.

  • Do not want to cover the cost of having this connection.

This network model uses the AWS VPN service, which is a route-based solution. For details regarding this connection:

  • Learn more about Appliances in Customer Gateway Configuration Formats.

  • Learn more about VPN settings in Tunnel options for your Site-to-Site VPN connection in the AWS Site-to-Site VPN User Guide.

  • A Site-to-Site VPN connection consists of two tunnels, each terminating in a different availability zone, to provide increased availability to your VPC. If there’s a device failure within AWS, your VPN connection automatically fails over to the second tunnel so that your access isn’t interrupted. From time to time, AWS also performs routine maintenance on your VPN connection, which might briefly disable one of the two tunnels; this is why it’s important to configure both tunnels. Learn more about tunnel resiliency in Site-to-Site VPN tunnel endpoint replacements.

If a gateway device terminating the VPN tunnels uses policy-based routing:

  • Each VPN connection consists of two separate tunnels.

  • Each tunnel contains an IKE security association and a BGP peering connection.

  • You are limited to one unique security association (SA) pair per tunnel (one inbound and one outbound).

This limitation requires that the IP space of each PingOne Advanced Services region does not overlap with any other address space and can be summarized into a single supernet, so that a single SA pair per region is enough for the VPN.
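The non-overlap and single-supernet requirement above is easy to get wrong when a region is assigned several VPC CIDRs. The following script is an added example, not part of the PingOne documentation or the AWS VPN service: it takes a constructed, assumed set of per-region CIDRs and on-premises ranges, computes the smallest single supernet that each region summarizes into (the prefix a policy-based device would need to use for its one SA pair), reports how many addresses outside the region's real CIDRs that supernet would drag into the encryption domain, and flags any overlap between regions or with the on-premises side. The region names and address ranges are placeholders chosen for the example.

```python
import ipaddress

# Constructed sample data (assumed for this example, not taken from the page):
# each PingOne Advanced Services region owns a few VPC CIDRs, and the
# customer's on-premises side uses its own ranges.
REGION_CIDRS = {
    "region-a": ["10.20.0.0/16", "10.21.0.0/16"],
    "region-b": ["10.40.0.0/16", "10.41.0.0/16"],
}
ON_PREM_CIDRS = ["192.168.0.0/16", "172.16.0.0/12"]


def summarize(cidrs):
    """Return the smallest single prefix that contains every CIDR in `cidrs`.

    strict=True makes ip_network reject prefixes with host bits set
    (e.g. 10.20.1.0/16), which is a common typo in hand-written CIDR lists.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    if not nets:
        raise ValueError("no CIDRs given")
    if len({n.version for n in nets}) != 1:
        raise ValueError("all CIDRs must be the same IP version")
    supernet = nets[0]
    # Widen the prefix one bit at a time until every network fits inside it.
    # The loop stops at /0 at the latest, which contains everything.
    while not all(n.subnet_of(supernet) for n in nets):
        supernet = supernet.supernet()
    return supernet


def slack_addresses(cidrs):
    """Addresses inside the summarizing supernet that belong to none of `cidrs`.

    A large number here means the single SA would cover a lot of space the
    region does not actually use, which is what makes a later overlap likely.
    """
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=True) for c in cidrs))
    covered = sum(n.num_addresses for n in nets)
    return summarize(cidrs).num_addresses - covered


def check_regions(region_cidrs, on_prem_cidrs):
    """Summarize each region and list every overlap the single-SA model forbids.

    Returns (supernets, conflicts): a dict of region -> supernet and a list of
    human-readable conflict descriptions (empty when the layout is valid).
    """
    supernets = {name: summarize(cidrs) for name, cidrs in region_cidrs.items()}
    on_prem = [ipaddress.ip_network(c, strict=True) for c in on_prem_cidrs]
    conflicts = []
    names = list(supernets)
    for i, a in enumerate(names):
        # Region supernets must not overlap one another ...
        for b in names[i + 1:]:
            if supernets[a].overlaps(supernets[b]):
                conflicts.append(f"{a} ({supernets[a]}) overlaps {b} ({supernets[b]})")
        # ... nor anything advertised from the on-premises side.
        for p in on_prem:
            if supernets[a].version == p.version and supernets[a].overlaps(p):
                conflicts.append(f"{a} ({supernets[a]}) overlaps on-premises {p}")
    return supernets, conflicts


if __name__ == "__main__":
    supernets, conflicts = check_regions(REGION_CIDRS, ON_PREM_CIDRS)
    for name, net in supernets.items():
        print(f"{name}: supernet {net}, "
              f"{slack_addresses(REGION_CIDRS[name])} unused addresses inside it")
    for c in conflicts:
        print("CONFLICT:", c)
    if not conflicts:
        print("layout satisfies the one-SA-pair-per-region requirement")
```

With the sample data each region collapses cleanly into a /15 with no wasted space. Substituting a sparse assignment such as 10.20.0.0/16 and 10.30.0.0/16 for one region makes `summarize` return 10.16.0.0/12 and `slack_addresses` report over 900,000 addresses that the single SA would cover but the region does not use; that is the situation where renumbering is worth raising before the VPN is built rather than after.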

Learn more about VPN networks in Your customer gateway device in the AWS Site-to-Site VPN User Guide.

VPN network diagram
Diagram of a VPN network.

Learn more about items you might need to consider regarding setup in Setup considerations.