Pureport supports the following routing methods for establishing a VPN tunnel to an existing office or data center location:
- Dynamic Routing (Route-based VPN with BGP)
Allows you to dynamically add new clouds and sites to an existing Pureport Network without requiring changes to the VPN configuration each time. You only need to change the security policy on the on-premises gateway to allow inbound traffic (if desired) from the newly connected cloud or site.
- Static Routing (Policy-based VPN or Route-based VPN with static routing)
Requires you to manually change the Pureport VPN configuration and the on-premises VPN gateway configuration any time you wish to connect a new site or cloud to an existing Pureport Network. Be aware that any change to the Pureport VPN configuration may trigger a re-deployment of the VPN gateways inside your Pureport Network to commit the new configuration, potentially resulting in a brief interruption of network traffic.
Pureport recommends using route-based VPN with dynamic routing (BGP) in situations in which the Network may experience frequent topology changes, in order to keep manual updates to your VPN configurations to a minimum. Refer to the Pureport Knowledge Base for sample route-based BGP configurations for the most common routing and firewall platforms.
Dynamic Routing using BGP
You should use a route-based VPN with dynamic routing via the BGP routing protocol if the on-premises VPN gateway supports it. This allows you to add IP subnets to and remove them from your Network without having to reconfigure or rebuild a VPN tunnel. You only need to change the security policy to allow the new traffic. Dynamic routing allows automatic, full-mesh configuration between all connections you add to your Pureport Network.
Pureport supports Policy-based and Route-based methods of static routing over a VPN tunnel. You should use one of these static methods only if your on-premises gateway does not support BGP with IPsec, or if there is some other obstacle (such as routing topology, networking/security policy, etc.) that precludes using BGP over a VPN tunnel.
For Policy-based VPN routing, each pair of customer-side IP ranges (the on-premises side of the tunnel) and Pureport-side ranges (attached to clouds or other VPN tunnels) must be specified individually and is used as a traffic selector for the VPN tunnel.
For example, if subnets A and B are on-premises, and subnets C and D at other points in your Pureport Network, you would need four traffic selectors:
- A to C
- A to D
- B to C
- B to D
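As an added example (not Pureport's code or configuration), the following Python enumerates the traffic selectors a policy-based tunnel needs for two subnet lists, rejects overlapping ranges that would make a selector ambiguous, and shows how many new selectors one additional Pureport-side subnet forces you to configure. All subnet values are constructed for illustration.

```python
"""Policy-based VPN traffic selectors: every on-premises subnet must be paired
with every Pureport-side subnet. Added example with constructed subnets; this is
not Pureport's code or a real gateway configuration."""
from ipaddress import ip_network
from itertools import product


def traffic_selectors(local, remote):
    """Return the (local, remote) CIDR pairs a policy-based tunnel must carry.

    Raises ValueError if a local range overlaps a remote range, because such a
    selector cannot unambiguously decide which traffic belongs in the tunnel.
    """
    local_nets = [ip_network(s) for s in local]
    remote_nets = [ip_network(s) for s in remote]
    for l, r in product(local_nets, remote_nets):
        if l.overlaps(r):
            raise ValueError(f"{l} overlaps {r}: selector would be ambiguous")
    return [(str(l), str(r)) for l, r in product(local_nets, remote_nets)]


def selectors_added_by_new_remote(local, remote, new_remote):
    """Selectors that connecting one new cloud or site adds to the tunnel.

    With policy-based routing this is always len(local) extra pairs, each of
    which must be configured on both the Pureport side and the on-premises
    gateway; with BGP the same change needs only a security-policy update.
    """
    before = set(traffic_selectors(local, remote))
    after = traffic_selectors(local, remote + [new_remote])
    return [s for s in after if s not in before]


# Constructed sample: A and B on-premises; C and D elsewhere in the Pureport Network.
ON_PREM = ["10.1.0.0/24", "10.2.0.0/24"]              # A, B
PUREPORT_SIDE = ["172.16.0.0/16", "192.168.50.0/24"]  # C, D

if __name__ == "__main__":
    for l, r in traffic_selectors(ON_PREM, PUREPORT_SIDE):
        print(f"{l} -> {r}")
    added = selectors_added_by_new_remote(ON_PREM, PUREPORT_SIDE, "10.100.0.0/16")
    print(f"adding one Pureport-side subnet requires {len(added)} new selectors")
```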
Route-Based VPN (static)
Route-based VPN with static routing allows you to specify subnets on each side of the VPN tunnel. You must add routes manually to both sides when you create the tunnel. This is cleaner and simpler than a policy-based VPN, but new locations are not added automatically to the routing tables on the on-premises gateway, and new IP subnets added on-premises are not automatically propagated to the rest of your Pureport Network.