VPN Integration Overview¶
Liferay DXP Cloud provides a VPN client-to-site connection that has port forwarding and redundant tunnels support. This feature is commonly used to connect a subscriber’s production environment on DXP Cloud to their internal network. For security and reliability, these VPN connections are segregated for each environment (production, staging, or development).
Subscribers can use redundant VPN tunnels by mapping their connections between their DXP Cloud services to their corresponding VPN server’s IP addresses. The redundancy is placed in different availability zones to provide resiliency. The client-to-site approach covers connecting to a service running on the company network. This model is recommended for the containerized architecture and Kubernetes network layer provided.
Once a VPN connection is configured, you can view log messages from the VPN server from your environment’s Logs page by selecting VPN Logs from the dropdown list.
See the VPN server limitations section for more information.
The client to site VPN feature supports the following protocols:
Subscribers can choose one of the protocols (IPSec or OpenVPN) to perform the connection from DXP Cloud console settings page for the desired environment. Any number of forwarding ports can be configured for the connection in the console UI.
IKEv2 protocol with an IPsec server, you can either use
TLS authentication protocols. See Basic Setup for an IPsec Server_ for more information.
See Connecting a VPN Server to DXP Cloud for more information.
Connecting DXP Cloud to an IPSec VPN Server¶
In this use case, assume there is a DXP Portal instance running inside DXP Cloud and needs to access an HTTP service running inside an internal network.
Note the following:
The Hello World service on
192.168.100.30:8080running inside the customer’s internal network is accessible from the DXP Portal service via the server address
The client-to-server connection is made through the customer’s VPN server running on
The port forwarding rule exposes the local port 33000 which maps to the application running on
After the connection and port forwarding rule are configured, requests to the Hello World service can be made from any DXP Cloud service.
curl vpn:33000 <body><h1>Hello world!</h1></body></html>
DXP Cloud IP Ranges for Private Cluster¶
Liferay DXP Cloud offers optional Private Clusters which isolate each subscriber’s services into their own dedicated cluster. Each cluster is configured with a dedicated gateway for all outbound Internet traffic from the subscriber’s cluster and is assigned a static external IP.