Site-to-site VPN securely connects your local-area network (LAN) to Bloomreach Engagement through an encrypted Cloud VPN tunnel. This feature protects your instance access and adds a security layer for data imports and API communications.

Prerequisites

Site-to-site VPN requires a Single Tenant or Exclusive instance.

What is site-to-site VPN?

Site-to-site VPN creates a secure connection between multiple LAN networks across different locations using Google Cloud's managed VPN service. The VPN tunnel encrypts data traveling between your network and Bloomreach Engagement's Google Cloud Platform (GCP) Virtual Private Cloud (VPC) network through an IPsec VPN connection.

Internet Protocol Security (IPsec) encrypts all IP traffic before packets are transferred from source to destination. It authenticates both endpoints before communication begins, protecting data as it travels over the internet.

Site-to-site VPN benefits

Site-to-site VPN provides enhanced security compared to remote access VPN solutions:

  • Access protection: Prevents unauthorized access to single-tenant Bloomreach Engagement instances by securing application logins.
  • Simplified management: Eliminates the need for VPN client software on individual devices.
  • Scalability: Scales as your network grows without configuring additional client endpoints.
  • Performance: Delivers lower network latency compared to remote access VPN configurations.
  • Data security: Protects sensitive data during imports, exports, and API communications.

How site-to-site VPN works

Cloud VPN connects your LAN networks to Bloomreach Engagement's GCP VPC network through the following process:

  1. Your network traffic enters the VPN tunnel through your VPN gateway.
  2. The gateway encrypts all data packets using IPsec protocol.
  3. Encrypted packets travel securely over the internet to Bloomreach Engagement's VPN gateway.
  4. Bloomreach Engagement's gateway decrypts the packets within the secure VPC environment.
  5. Traffic flows bidirectionally, with the same encryption and decryption process protecting data in both directions.

[Figure: Site-to-site VPN architecture showing the encrypted tunnel between the client LAN and the Bloomreach Engagement VPC]

Site-to-site VPN use cases

Site-to-site VPN enables two primary connection types between Bloomreach Engagement and your internal network:

  • Data source integration: Import and export data from sources on your internal network through a secured VPN tunnel, connecting Bloomreach Engagement to your on-premise data warehouse.
  • Internal API communication: Call API endpoints on your internal network from Bloomreach Engagement campaigns and scenarios.

VPN integration capabilities

Webhooks

Scenarios can send requests to both external API endpoints and internal endpoints when VPN is configured. Learn more about webhooks.

Requirements for internal API endpoint webhooks:

  • Static IPs must be enabled.
  • The endpoint must use HTTPS (HTTP endpoints are unsupported).
  • The SSL certificate must be issued by a publicly trusted certificate authority.
  • The domain name must resolve either from public DNS or from the static domain-IP mapping provided during VPN setup.
  • Your internal firewall can be configured to allow requests from the Static IP addresses.

Webhook limitations:

  • IPv4 and IPv6 endpoints without domain names (for example, https://34.76.115.106/api.php) are unsupported.
  • Unencrypted HTTP endpoints (for example, http://my.example.com/api.php) are unsupported.
  • SSL certificates signed by custom certificate authorities are unsupported.
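The requirement and limitation lists above can be turned into a pre-flight check that runs before an endpoint is registered in a scenario. The following is an added example written for this page, not Bloomreach Engagement's own code: it rejects non-HTTPS URLs and bare IPv4/IPv6 literals, and accepts a domain name only if it is in the static domain-IP mapping or resolves through DNS. The mapping, host names and addresses are constructed; the `resolver` argument is injectable so the check can be run offline. The publicly-trusted-CA requirement is not checked here, since that is enforced by the default trust store when the TLS connection is made.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample of the static domain-to-IP mapping supplied at VPN setup
# (hypothetical names and addresses, not values from the page).
STATIC_DNS_MAP = {
    "erp.internal.example.com": "10.20.30.40",
}


def check_webhook_url(url, static_map=None, resolver=socket.gethostbyname):
    """Return (ok, reason) for a candidate internal webhook endpoint.

    Rules applied, as stated on the page: HTTPS only; the host must be a
    domain name rather than an IPv4/IPv6 literal; the name must resolve via
    the static mapping or public DNS. `resolver` is injectable so the check
    can run without network access.
    """
    if static_map is None:
        static_map = STATIC_DNS_MAP
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "unencrypted or non-HTTPS scheme is unsupported"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    # urlsplit strips the brackets from an IPv6 literal, so a plain
    # ip_address() parse catches both IPv4 and IPv6 endpoints.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, so it is a domain name
    else:
        return False, "IP-literal endpoints are unsupported; use a domain name"
    if host in static_map:
        return True, "resolves via static mapping to %s" % static_map[host]
    try:
        addr = resolver(host)
    except OSError:
        return False, "domain resolves via neither static mapping nor public DNS"
    return True, "resolves via public DNS to %s" % addr


if __name__ == "__main__":
    for candidate in (
        "https://erp.internal.example.com/api.php",
        "https://34.76.115.106/api.php",
        "http://my.example.com/api.php",
    ):
        print(candidate, check_webhook_url(candidate))
```

Run the check against every endpoint you intend to call from a scenario; a `False` result corresponds to one of the unsupported configurations listed above and will fail at runtime regardless of how the firewall is configured.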

Data imports

Import type   VPN support               Static IP support   Intranet access
SFTP          Yes (public domain only)  No                  No
PostgreSQL    Yes                       Yes                 Yes
MySQL         Yes                       Yes                 Yes
MS SQL        Yes                       No                  No

Import capabilities:

  • SFTP imports: Connect to SFTP servers on public domains. Intranet SFTP servers can't be reached because SFTP imports lack Static IP support.
  • PostgreSQL and MySQL imports: Use Static IPs to connect to intranet database servers.
  • MS SQL imports: The connection is secured through the VPN tunnel, but intranet MS SQL servers can't be reached because MS SQL imports lack Static IP support.

Network configuration

VPN technology:

Bloomreach Engagement uses Google Cloud VPN (IPsec compatible), available in two configurations:

  • Classic VPN: Standard IPsec VPN connectivity.
  • HA VPN: High-availability configuration with 99.99% service availability.

Multi-gateway support:

Google Cloud VPN supports multiple gateway connections, allowing you to connect multiple client-side networks simultaneously (office network, data warehouse network, ESB network).

Ingress configuration:

When Intranet VPN login is enabled, Bloomreach Engagement uses a dedicated internal load balancer. You must provide a custom certificate and internal domain name for this configuration.

Egress configuration:

All outbound requests from Bloomreach Engagement (imports, exports, webhooks, monitoring pings) originate from a proxy with Static IP addresses. Configure allow rules on your firewalls for these addresses.

Monitoring:

Bloomreach Engagement can monitor VPN tunnel uptime using ICMP probes. These probes regularly check network availability if you provide a server that responds to ping requests. Monitoring probe requests originate from internal IP addresses.

Access site-to-site VPN

Site-to-site VPN is available for Single Tenant and Exclusive instances. Bloomreach supports one Cloud VPN configuration per Bloomreach Engagement instance.

Support access limitation

When VPN is enabled, Bloomreach support agents can't directly access your application. Support teams will work from screenshots you provide and guide you through troubleshooting steps. If issues persist, screen-sharing sessions can be arranged, though scheduling depends on support team capacity.

Limitations

Tracking and data API limitations

Bloomreach Engagement APIs (public tracking API, private Customers API, and private Catalogs API) remain available on the public internet domain.

Unsupported API configurations:

  • IP allow lists for private Customers API.
  • VPN intranet with exclusive access to private Customers API.

Network limitations

Unsupported configurations: Cloud VPN with multiple gateways can't be configured when IP ranges on client networks overlap with each other.
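Because multi-gateway Cloud VPN (described under Multi-gateway support) is rejected when client-side ranges overlap, it is worth checking the planned ranges before requesting the configuration. The following is an added example, not Bloomreach's or Google's code: it takes a hypothetical list of client networks per gateway and reports every pair of ranges on different gateways that overlap. The gateway names and CIDR ranges are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample: one entry per client-side VPN gateway, each with the
# CIDR ranges that gateway announces. The "esb" range deliberately overlaps
# the data-warehouse range to show the failure case.
CLIENT_NETWORKS = {
    "office": ["10.10.0.0/16"],
    "data-warehouse": ["10.20.0.0/16", "192.168.50.0/24"],
    "esb": ["10.20.128.0/17"],
}


def find_overlaps(networks):
    """Return a list of (gateway_a, range_a, gateway_b, range_b) tuples for
    every pair of ranges on *different* gateways that overlap.

    An empty list means the set of gateways is acceptable under the
    overlapping-range restriction. ip_network(strict=True) also rejects a
    CIDR with host bits set, which would be a typo worth catching early.
    """
    parsed = [
        (gateway, ipaddress.ip_network(cidr, strict=True))
        for gateway, cidrs in networks.items()
        for cidr in cidrs
    ]
    overlaps = []
    for (gw_a, net_a), (gw_b, net_b) in combinations(parsed, 2):
        if gw_a != gw_b and net_a.overlaps(net_b):
            overlaps.append((gw_a, str(net_a), gw_b, str(net_b)))
    return overlaps


if __name__ == "__main__":
    for gw_a, net_a, gw_b, net_b in find_overlaps(CLIENT_NETWORKS):
        print(f"overlap: {gw_a} {net_a} <-> {gw_b} {net_b}")
```

If the check reports an overlap, re-address one of the networks or merge the two sites behind a single gateway before the VPN is set up; the restriction applies only across gateways, so ranges announced by the same gateway are not compared.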