In recent months, customers operating on AWS have approached Converge for help with the performance of their VPN connections to AWS. A customer's VPN would perform as expected for months after a migration, sometimes even years, and then suddenly experience days of sluggish performance, frustrating users and operations teams.
The likely culprit is constant change in internet routing by service providers, which can redirect traffic over longer or slower paths. To proactively address these unknowns in internet routing, Converge includes the AWS Accelerated Site-to-Site VPN option as a best practice during the mobilize phase for our AWS MAP clients. This design significantly improves the performance and stability of clients' Site-to-Site VPN connections.
Paloma Natural Gas worked with Converge Technology Solutions to migrate its IT infrastructure from a colocation facility to AWS. Paul Ward, the Converge AWS Consulting Architect, added AWS Accelerated VPN to the architecture design after the client started to experience VPN performance issues. As performance demands on the VPN increased, the impact on users became noticeable. Validated performance testing demonstrated that file sharing (CIFS) performance improved by 300 percent after implementing Accelerated VPN.
“If you depend on the public internet to reach your cloud infrastructure, it is usually not possible to control exactly how your traffic gets there. Due to my company’s geographic locations and the routing of our traffic, there was an aspect of our connectivity that was noticeably impacted. In steps AWS Global Accelerator. This integration resolved our connectivity issues and vastly improved the cloud experience and reliability for our users.”
Mike Tisdale, Vice President IT, Paloma Natural Gas, LLC
What is Accelerated VPN?
AWS Accelerated VPN leverages AWS Global Accelerator to enhance the routing of traffic from an on-premises network to AWS, making use of the closest AWS edge location to the customer gateway. This service utilizes the AWS global network, known for its low-latency and congestion-free pathways, to ensure that your data reaches its AWS endpoint via the most efficient route possible.
Benefits of Accelerated VPN
- Optimized Performance: By routing traffic through AWS’s optimized network paths, Accelerated VPN minimizes latency and maximizes speed, which is crucial for applications requiring real-time data access and processing.
- Increased Reliability: Traffic is less susceptible to common internet disruptions, such as network congestion and variable latency, which can affect the performance of cloud-based applications. This reliability is vital for businesses where uptime and stable connectivity are critical.
- Simplified Management: AWS handles the creation and management of two accelerators (one for each VPN tunnel) when you set up an Accelerated VPN connection. This managed service aspect means less overhead for your IT teams, as there is no need to monitor or tweak these accelerators manually.
Considerations and Limitations
- Selective Application: Acceleration is only available for Site-to-Site VPN connections that are attached to a transit gateway. It is not supported if you’re using virtual private gateways or AWS Direct Connect public virtual interfaces.
- Setup Requirements: When setting up, acceleration must be enabled at the creation of a new Site-to-Site VPN attachment on a transit gateway. It’s not possible to toggle acceleration on or off for an existing connection, which means planning ahead is crucial.
- Compatibility: There are specific compatibility considerations, such as the requirement for NAT-traversal and restrictions with certificate-based authentication. If your setup uses certificate-based authentication, ensure that your customer gateway supports IKE fragmentation to avoid issues with packet fragmentation in Global Accelerator.
The figure below shows the recommended deployment model provided by AWS.
Best Practice Summary
If you’re experiencing slow VPN performance, consider reaching out to Converge, an AWS Well-Architected Partner, for support, or check whether Accelerated VPN is enabled. To activate Accelerated VPN, set up a new Site-to-Site VPN with acceleration enabled during the initial setup; AWS allows you to reuse the existing customer gateway. It’s crucial to configure the gateway device to use this new VPN connection and carefully transition away from the old one to prevent any service interruptions.
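The check and the cut-over described above, as an added example that is not part of the original post or of any AWS tooling: it audits connections in the shape returned by boto3's `describe_vpn_connections()` (the sample response and its resource IDs are constructed placeholders) and builds `create_vpn_connection()` parameters for the ones that must be replaced, since acceleration cannot be toggled on an existing connection.

```python
# Constructed sample shaped like ec2.describe_vpn_connections() output; IDs are
# placeholders. One accelerated TGW attachment, one non-accelerated TGW
# attachment, one attached to a virtual private gateway (not eligible).
SAMPLE_RESPONSE = {
    "VpnConnections": [
        {"VpnConnectionId": "vpn-0aaa", "CustomerGatewayId": "cgw-0111",
         "TransitGatewayId": "tgw-0abc", "Options": {"EnableAcceleration": True}},
        {"VpnConnectionId": "vpn-0bbb", "CustomerGatewayId": "cgw-0111",
         "TransitGatewayId": "tgw-0abc", "Options": {"EnableAcceleration": False}},
        {"VpnConnectionId": "vpn-0ccc", "CustomerGatewayId": "cgw-0222",
         "VpnGatewayId": "vgw-0def", "Options": {"EnableAcceleration": False}},
    ]
}


def audit_vpn_connections(response):
    """Map each VpnConnectionId to "accelerated", "replace" (on a transit
    gateway but not accelerated; a new connection is needed) or
    "not-eligible" (attached to a virtual private gateway)."""
    result = {}
    for conn in response.get("VpnConnections", []):
        if conn.get("Options", {}).get("EnableAcceleration"):
            status = "accelerated"
        elif conn.get("TransitGatewayId"):
            status = "replace"
        else:
            status = "not-eligible"
        result[conn["VpnConnectionId"]] = status
    return result


def accelerated_vpn_params(customer_gateway_id, transit_gateway_id):
    """Keyword arguments for ec2.create_vpn_connection(): acceleration is
    fixed at creation, so EnableAcceleration is set here, and the existing
    customer gateway is reused."""
    return {
        "Type": "ipsec.1",
        "CustomerGatewayId": customer_gateway_id,
        "TransitGatewayId": transit_gateway_id,
        "Options": {"EnableAcceleration": True},
    }


def replacement_plan(response):
    """For every connection flagged "replace", build create_vpn_connection()
    parameters that reuse its customer gateway and transit gateway. The old
    connection is left in place until the gateway device has been moved."""
    by_id = {c["VpnConnectionId"]: c for c in response.get("VpnConnections", [])}
    return {vpn_id: accelerated_vpn_params(by_id[vpn_id]["CustomerGatewayId"],
                                           by_id[vpn_id]["TransitGatewayId"])
            for vpn_id, status in audit_vpn_connections(response).items()
            if status == "replace"}
```

Against a live account, feed `boto3.client("ec2").describe_vpn_connections()` to `audit_vpn_connections` and pass each plan entry to `create_vpn_connection(**params)` only after the cut-over window has been agreed.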