When aggregating hundreds or thousands of mobile IPsec (remote workers) & site-to-site (Data Center to Cloud, Cloud to Cloud) VPNs to AWS, there has often been a trade-off of performance, cost, and manageability. There doesn’t need to be one.
The Netgate® TNSR High-Performance Routing & VPN Appliance for Amazon AWS is a powerful solution that connects thousands of mobile users, branch sites, and data centers. Customers are choosing the TNSR High-Performance Routing & VPN Appliance to get high performance, low TCO, and simple management, avoiding any trade-offs.
TNSR leverages vector packet processing (VPP) and acceleration technologies for high-speed routing and VPN performance. For more information on VPP, see https://info.netgate.com/vpp.
AWS VPN tunnels are limited to 1.25 Gbps of throughput. There are other limits as well, such as the maximum number of customer gateways, the connection count, etc. Please see https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-limits.html. While customers may create multiple tunnels and leverage ECMP to overcome this limit, this can get complicated at scale and adds to the connection count. There is also no guarantee of equal distribution across tunnels, because the split depends on the 5-tuple hash of the customer's traffic flows. TNSR software performance scales with the underlying instance type and network, and Netgate has matched the tunnel termination count of each offering to the most suitable EC2 instances available. Right-sizing the CPU core count allows the software to achieve higher performance.
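To make the ECMP caveat above concrete, here is an added example (it is not Netgate's or AWS's code) that simulates how a 5-tuple hash assigns flows to parallel VPN tunnels. The hash function (SHA-256 over the tuple) and the traffic mix are assumptions chosen for illustration; real forwarders use their own hash, but the property shown is the same: each flow is pinned to one tunnel, so a handful of large flows can leave one tunnel far busier than the others even when the flow count per tunnel looks balanced.

```python
"""Added example: simulate ECMP 5-tuple hashing across N VPN tunnels.

Not Netgate or AWS code. The hash (SHA-256) and the sample traffic are
assumptions made for illustration only.
"""
import hashlib
from collections import Counter
from typing import NamedTuple


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    nbytes: int  # bytes carried by this flow (constructed sample data)


def tunnel_for(flow: Flow, n_tunnels: int) -> int:
    """Pick a tunnel by hashing the 5-tuple, as an ECMP forwarder does.

    SHA-256 is an assumption; real devices use a vendor-specific hash. The
    property that matters is identical: the same 5-tuple always lands on the
    same tunnel, and different flows are spread pseudo-randomly.
    """
    key = f"{flow.src_ip}|{flow.dst_ip}|{flow.proto}|{flow.src_port}|{flow.dst_port}"
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_tunnels


def distribute(flows, n_tunnels):
    """Return (flows_per_tunnel, bytes_per_tunnel), each keyed by tunnel index."""
    flow_count = Counter()
    byte_count = Counter()
    for f in flows:
        t = tunnel_for(f, n_tunnels)
        flow_count[t] += 1
        byte_count[t] += f.nbytes
    # Give every tunnel an entry, even one that received no flows at all.
    for t in range(n_tunnels):
        flow_count.setdefault(t, 0)
        byte_count.setdefault(t, 0)
    return dict(flow_count), dict(byte_count)


def imbalance(byte_count):
    """Busiest tunnel's load divided by the ideal even share; 1.0 is perfect."""
    total = sum(byte_count.values())
    ideal = total / len(byte_count)
    return max(byte_count.values()) / ideal


def sample_flows():
    """Constructed traffic mix: 200 small HTTPS flows plus three large
    replication/backup flows, roughly what a site-to-site link carries."""
    flows = []
    for i in range(200):
        flows.append(Flow(f"10.1.0.{i}", "10.100.0.10", 6, 40000 + i, 443, 50_000))
    flows.append(Flow("10.1.9.1", "10.100.0.20", 6, 51000, 5432, 20_000_000_000))
    flows.append(Flow("10.1.9.2", "10.100.0.21", 6, 51001, 873, 15_000_000_000))
    flows.append(Flow("10.1.9.3", "10.100.0.22", 17, 51002, 4500, 5_000_000_000))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    per_flow, per_byte = distribute(flows, 4)
    for t in range(4):
        print(f"tunnel {t}: {per_flow[t]:4d} flows, {per_byte[t] / 1e9:6.2f} GB")
    print(f"byte imbalance vs. even share: {imbalance(per_byte):.2f}x")
```

Run it and compare the flow counts with the byte totals: the 200 small flows spread fairly evenly, but the three large flows each sit on a single tunnel, so the busiest tunnel carries at least twice its fair share no matter how the hash falls. Adding more tunnels does not change that; only splitting the large flows or sizing the single tunnel for the peak does.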
Customers can use all standard BGP attributes to control traffic flows between their locations and the AWS edge. Customers may leverage route filtering, community strings, route maps, etc. The VPN connection may be IPsec or WireGuard®. Customers may also use OSPF between the branch and AWS TNSR Edge.
There are multiple ways to manage TNSR software, including Command Line Interface (CLI), RESTCONF API, and Graphical User Interface (GUI). TNSR software configuration through CLI and RESTCONF API enables the product to be managed by IT automation platforms like Ansible®, SaltStack®, Puppet®, or Chef™. TNSR software can export data to Prometheus, ERSPAN, and IPFIX, allowing customers to use their existing on-site & cloud-hosted monitoring solutions. Using the same configuration commands across platforms helps streamline operations. TNSR also supports SNMP.
Netgate has spent several decades curating, integrating, and improving open-source software. This ethos of efficiency and aggressive price performance is why pfSense software is the world’s most downloaded firewall. Netgate has replicated this model with the TNSR High-Performance Router & VPN Concentrator. When it comes to VPN performance and price, TNSR has the lowest TCO in the AWS Marketplace.
Netgate support engineers have garnered a global reputation for their technical abilities, customer focus, and willingness to go the extra mile.
https://www.netgate.com/support
There are two levels of Netgate support for instances on AWS.
Technical Support and software updates are included with all TNSR AWS software subscriptions.
The 25 and 50 VPN appliances include TAC Pro. If phone support or a faster response time is desired, Netgate offers an upgrade path to receive TAC Enterprise support for an additional $399/year.
The 100 and 250+ appliances include TAC Enterprise.
Base TNSR Router (Ideal for proof of concept testing and low usage VPN).
(t3.micro & t3.nano are intended for POC or test implementations, not production)
Production-ready TNSR instances support predefined numbers of tunnels. They run on larger EC2 instance types sized to fully support the expected data flow within the AWS infrastructure and across its boundary, so that your edge-to-cloud network designs can carry mobile IPsec (remote workers) & site-to-site (Data Center to Cloud, Cloud to Cloud) VPNs.
AWS infrastructure costs can quickly bloat as the need to connect more sites and/or remote workers drives increased VPN count. Below are some cost-saving tips to reduce the impact of scope creep.
Netgate’s sales team, sales@netgate.com, and our value-added solution providers, https://www.netgate.com/partner-locator, are eager to assist you with proof of value, network design, and deployment of the TNSR AWS solution.
This blog reviewed how TNSR VPN appliances in AWS can dramatically reduce costs for customers wishing to connect mobile users, branches, and data centers to AWS workloads while delivering unparalleled performance and feature sets. Netgate TNSR VPN Concentrator has the capability and scale to support multi-100 Gbps connectivity to your remote/branch offices, remote workforce, and multi-cloud. Each TNSR VPN appliance option includes support, popular management options, and ease of use. There is no need for compromise.
Yes, you can use VPNs on AWS. AWS offers both Site-to-Site VPN and Client VPN services, allowing secure connections between your on-premises network and AWS, or for individual users to connect to AWS resources.
Yes, Amazon allows and provides VPN services. AWS offers its own VPN solutions and also allows customers to use third-party VPN software on EC2 instances if they prefer.
AWS VPN is highly secure, using industry-standard encryption protocols. It supports IPsec for Site-to-Site VPN and OpenVPN for Client VPN, both providing strong encryption for data in transit.
AWS Client VPN is a managed client-based VPN service that enables secure access to AWS resources and on-premises networks. It allows remote users to connect to AWS or on-premises resources using an OpenVPN-based VPN client.
AWS Site-to-Site VPN Connection is a secure connection between your on-premises network and your Amazon VPC. It uses IPsec to create an encrypted tunnel between your network and AWS, allowing secure communication over the internet.
You can create a low-cost VPN using an EC2 instance. Launch an EC2 instance, install TNSR software, configure it, and use it as your VPN server. Be aware of ongoing EC2 and data transfer costs.
A Route Table in AWS is a set of rules that determine where network traffic is directed within a VPC. It contains a list of routes that specify the destination CIDR blocks and their targets (such as Internet Gateway, NAT Gateway, or VPC peering connection).
VPC peering is a networking connection between two VPCs that enables you to route traffic between them privately. It allows resources in different VPCs to communicate as if they were within the same network.
A Route Table determines how network traffic is directed within a VPC. It contains rules (routes) that specify where packets should be sent based on their destination IP address.
Amazon VPC (Virtual Private Cloud) is a service that lets you launch AWS resources in a logically isolated virtual network. It gives you complete control over your virtual networking environment, including IP address ranges, subnets, and route tables.
Amazon VPC Transit Gateway is a service that enables you to connect multiple VPCs and on-premises networks through a central hub. It simplifies network architecture and reduces operational complexity when connecting numerous VPCs and networks.
To configure a NAT Gateway in AWS, create it in a public subnet, allocate an Elastic IP address to it, and update your private subnet's route table to direct internet-bound traffic to the NAT Gateway. Ensure the NAT Gateway's security group allows necessary outbound traffic.
In Amazon VPC, you don't configure physical routers. Instead, you manage routing through Route Tables associated with subnets. Configure these tables to direct traffic between subnets, to internet gateways, or to other VPC connections as needed.
AWS doesn't provide traditional physical routers. Instead, it offers virtual routing functionality through services like Route Tables, Internet Gateways, and Transit Gateways within the VPC infrastructure.
Routing in AWS refers to the process of directing network traffic between different resources within AWS or to external networks. It's primarily managed through Route Tables in VPCs, which determine how packets are forwarded based on their destination.
You don't create a physical router in AWS. Instead, you manage routing through Route Tables. Create a custom Route Table in the VPC console, add necessary routes, and associate it with your subnets to control traffic flow.
AWS primarily uses static routing within VPCs, managed through Route Tables. For connecting VPCs or to on-premises networks, AWS supports BGP (Border Gateway Protocol) in services like Direct Connect and VPN connections.
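The route table answers above all come down to one rule: a VPC route table picks the most specific matching route for a packet's destination, and a packet with no matching route is dropped. The following added example (not AWS's code) models that lookup for a public subnet, a private subnet and an isolated subnet. The table entries and the target ids (`igw-PLACEHOLDER`, `nat-PLACEHOLDER`, and so on) are constructed placeholders, not real resources, and the model ignores AWS-specific details such as propagated routes and middlebox routing.

```python
"""Added example: longest-prefix-match lookup over simplified VPC route tables.

Not AWS code. Route entries and target ids are constructed placeholders.
"""
import ipaddress

# VPC CIDR 10.0.0.0/16. Every VPC route table carries a "local" route for the
# VPC CIDR; the other entries below are what an operator would add.
PUBLIC_SUBNET_TABLE = [
    ("10.0.0.0/16", "local"),                # traffic inside the VPC
    ("0.0.0.0/0", "igw-PLACEHOLDER"),        # default route via Internet Gateway
    ("192.168.0.0/16", "pcx-PLACEHOLDER"),   # peered VPC
    ("172.16.0.0/12", "vgw-PLACEHOLDER"),    # on-premises networks via VPN
    ("172.16.5.0/24", "tgw-PLACEHOLDER"),    # one site reached via Transit Gateway
]

PRIVATE_SUBNET_TABLE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-PLACEHOLDER"),        # outbound-only internet via NAT Gateway
    ("172.16.0.0/12", "vgw-PLACEHOLDER"),
]

ISOLATED_SUBNET_TABLE = [
    ("10.0.0.0/16", "local"),                # no default route at all
]


def lookup(route_table, dst):
    """Return the target for destination `dst`, or None when no route matches.

    The most specific (longest prefix) matching route wins, which is why the
    /24 Transit Gateway route beats the /12 VPN route for 172.16.5.x.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def explain(route_table, dst):
    """Human-readable description of where a packet to `dst` goes."""
    target = lookup(route_table, dst)
    return f"{dst} -> {target}" if target else f"{dst} -> no route (dropped)"


if __name__ == "__main__":
    for name, table in [("public", PUBLIC_SUBNET_TABLE),
                        ("private", PRIVATE_SUBNET_TABLE),
                        ("isolated", ISOLATED_SUBNET_TABLE)]:
        print(f"[{name} subnet]")
        for dst in ("10.0.3.4", "8.8.8.8", "192.168.1.1", "172.16.5.9", "172.16.9.9"):
            print("  " + explain(table, dst))
```

The isolated table is the security-relevant case: with no `0.0.0.0/0` entry, an instance in that subnet cannot reach the internet even if its security group would allow it, because routing is evaluated before any gateway is involved. The same lookup shows why a more specific route (the /24 here) silently overrides a broader one, which is worth checking whenever a VPN or Transit Gateway route is added to an existing table.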
A better router doesn't increase your internet speed beyond what your ISP provides. However, it can improve Wi-Fi coverage, reduce latency, and handle multiple devices more efficiently, potentially making your internet experience feel faster.
It's generally better to have a separate modem and router. This setup allows for more flexibility, easier upgrades, and often better performance than combo units. It also enables you to choose a high-quality router tailored to your specific needs.
A high-speed router can make a significant difference in local network performance and Wi-Fi coverage. It can handle multiple devices more efficiently, reduce latency, and provide faster Wi-Fi speeds, especially for local file transfers and streaming.