Site-to-site VPN
This guide explains what site-to-site VPN is, how it works, and how to configure it for your environment. Use it to understand the connection types, network requirements, and limitations before implementation.
What is site-to-site VPN?
Site-to-site VPN creates a secure connection between multiple LAN networks across different locations. It uses Cloud VPN to establish this connection.
Access site-to-site VPN
Prerequisites
Site-to-site VPN is a restricted feature. It requires a Single Tenant or Exclusive instance. The platform supports one Cloud VPN configuration per instance. Contact your Customer Success Manager to discuss setup, availability, and purchase options before implementation.
Note
When VPN is enabled, Bloomreach Support agents can't directly access your application. Support teams work from screenshots you provide and guide you through troubleshooting steps. If issues persist, screen-sharing sessions can be arranged. Scheduling depends on support team availability.
How site-to-site VPN works
Cloud VPN connects your LAN networks to the Virtual Private Cloud (VPC) network through the following process:
- Your network traffic enters the VPN tunnel through your VPN gateway.
- The gateway encrypts all data packets using the Internet Protocol Security (IPsec) protocol.
- Encrypted packets travel securely over the internet to the Cloud VPN gateway.
- The Cloud VPN gateway decrypts the packets within the secure VPC network.
- The same process applies in reverse. Data traveling from the platform to your network is encrypted at the Cloud VPN gateway and decrypted at your VPN gateway.

Caption: Site-to-site VPN tunnel connecting Site A and Site B through the internet via a VPN Site-to-Site Form.
Site-to-site VPN benefits
Site-to-site VPN offers stronger security than remote access VPN solutions:
- Access protection: Prevents unauthorized access to single-tenant instances by securing application logins.
- Simplified management: Eliminates the need for VPN client software on individual devices.
- Scalability: Scales as your network grows without requiring additional client endpoint configuration.
- Performance: Delivers lower network latency than remote access VPN configurations.
- Data security: Protects sensitive data during imports, exports, and API communications.
Site-to-site VPN use cases
Site-to-site VPN supports two primary connection types between the platform and your internal network:
- Data source integration: Import and export data from your internal network through a secured VPN tunnel. This connects the platform to your on-premise data warehouse.
- Internal API communication: Call API endpoints on your internal network directly from Campaigns and Scenarios.
Network configuration
The platform uses Cloud VPN, which is IPsec compatible and available in two configurations:
- Classic VPN: Standard IPsec VPN connectivity.
- HA VPN: High-availability configuration with 99.99% service availability. See the Cloud VPN SLA for details.
Multi-gateway support
Cloud VPN supports multiple gateway connections. This lets you connect several client-side networks at the same time — for example, your office network, data warehouse network, and ESB network.
Monitoring
The platform can monitor VPN tunnel uptime using ICMP probes. These probes check network availability regularly. To use this feature, provide a server that responds to ping requests. Monitoring probe requests originate from internal IP addresses.
Webhook support
When VPN is configured, scenarios can send requests to both external API endpoints and internal endpoints. Learn more about webhook integrations.
Webhook requirements
- Use HTTPS endpoints only.
- Use SSL certificates issued by a publicly trusted certificate authority.
- Ensure your domain name resolves from a public DNS. Alternatively, provide a static domain-to-IP mapping during VPN setup.
Webhook limitations
The following webhook configurations aren't supported:
- IPv4 and IPv6 endpoints without domain names — for example, https://34.76.115.106/api.php.
- Unencrypted HTTP endpoints — for example, http://my.example.com/api.php.
- SSL certificates signed by custom certificate authorities.
Data imports and exports
Imports and exports can use the VPN intranet connection. Availability depends on the import or export type and version.
Limitations
Tracking and data API limitations
Platform APIs — including the Tracking API, Customers API, and Catalogs API — remain available on the public internet domain.
The following API configurations are not supported:
- IP allow lists for the private Customers API.
- VPN intranet with exclusive access to the private Customers API.
Network limitations
Cloud VPN with multiple gateways requires non-overlapping IP ranges across client networks.
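The following added example (not part of this guide or the platform's tooling) is a pre-flight check for two of the constraints above: it flags webhook URLs that would be rejected under "Webhook limitations" (bare IPv4/IPv6 hosts, plain HTTP) and detects overlapping client IP ranges, which multi-gateway Cloud VPN does not allow. The network names and CIDRs are constructed sample values; the publicly trusted CA requirement and public DNS resolution are not checked here because they cannot be verified offline.

```python
import ipaddress
from urllib.parse import urlparse


def webhook_problems(url: str) -> list[str]:
    """Return the documented reasons a webhook URL would be rejected (empty list = acceptable)."""
    parsed = urlparse(url)
    problems = []
    if parsed.scheme != "https":
        problems.append("scheme must be https (unencrypted HTTP endpoints are not supported)")
    host = parsed.hostname  # urlparse strips the port and the brackets around an IPv6 literal
    if not host:
        problems.append("URL has no host")
    else:
        try:
            ipaddress.ip_address(host)
            problems.append("host must be a domain name, not an IPv4/IPv6 literal")
        except ValueError:
            pass  # a domain name: it must resolve from public DNS or be in the static mapping
    return problems


def overlapping_ranges(networks: dict[str, str]) -> list[tuple[str, str]]:
    """Return pairs of client network names whose IP ranges overlap (must be empty for multi-gateway VPN)."""
    parsed = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in networks.items()}
    names = list(parsed)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                clashes.append((a, b))
    return clashes


# Constructed sample inputs for demonstration; not values from the guide.
SAMPLE_WEBHOOKS = [
    "https://34.76.115.106/api.php",   # IPv4 literal: rejected
    "http://my.example.com/api.php",   # plain HTTP: rejected
    "https://[2001:db8::1]/api.php",   # IPv6 literal: rejected
    "https://my.example.com/api.php",  # acceptable
]
SAMPLE_NETWORKS = {"office": "10.10.0.0/16", "warehouse": "10.20.0.0/16", "esb": "10.10.5.0/24"}

if __name__ == "__main__":
    for url in SAMPLE_WEBHOOKS:
        print(url, "->", webhook_problems(url) or "ok")
    print("overlapping client ranges:", overlapping_ranges(SAMPLE_NETWORKS))
```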
