VPN Gateway Topology
Understand Full-Tunnel and Split-Tunnel VPC host configurations and their network connectivity patterns.
Overview
VPN Gateway supports two primary network configurations that determine how VPC hosts connect to the internet and handle network traffic:
- Full-Tunnel: VPC hosts route ALL traffic through the VPN Gateway (no direct internet access)
- Split-Tunnel: VPC hosts have dual connectivity - direct internet access AND VPN Gateway access
Important: VPN clients always receive only the pushed routes configured by the administrator. The tunnel type refers to how VPC hosts are configured, not the client-side VPN configuration.
Full-Tunnel Configuration (VPC Host Perspective)
What is Full-Tunnel for VPC Hosts?
In a Full-Tunnel configuration, VPC hosts have no direct internet access. They carry only private addresses, and their default route points at the VPN Gateway, which forwards their traffic to the internet behind its own public address. The gateway is a router performing NAT for the hosts, not an application-layer proxy.
NAT Gateway Functionality
The VPN Gateway acts as a NAT Gateway for all VPC hosts in Full-Tunnel mode:
```
VPC Hosts (Private IPs only)

  Host 1        Host 2        Host 3
  10.0.1.10     10.0.1.11     10.0.1.12
      │             │             │
      └─────────────┼─────────────┘
                    ▼
        ┌──────────────────────┐
        │ VPN Gateway          │
        │ (NAT Function)       │
        │ Private: 10.0.1.1    │
        │ Public:  203.0.113.5 │
        └──────────────────────┘
                    │
                    ▼
        Internet sees all traffic
        coming from 203.0.113.5
```
NAT Translation Example:
- Host 10.0.1.10 makes an HTTP request to google.com
- VPN Gateway rewrites the source: 10.0.1.10:45678 → 203.0.113.5:12345
- The internet sees the request coming from 203.0.113.5:12345
- The response comes back to 203.0.113.5:12345
- VPN Gateway rewrites the destination back: 203.0.113.5:12345 → 10.0.1.10:45678

The gateway keeps this mapping as connection state for the lifetime of the flow. A packet arriving at 203.0.113.5 that matches no existing mapping is not forwarded to any VPC host, which is why Full-Tunnel hosts are unreachable from the internet even though they can reach it.
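The translation above, worked as a small stateful NAT model. This is an added example written for this page, not the VPN Gateway's own implementation. It uses the page's addresses (10.0.1.0/24 behind 203.0.113.5) and starts its translated-port counter at 12345 so that the first mapping matches the figure; the destination 198.51.100.80 and the unsolicited probe from 198.51.100.9 are constructed for the demo.

```python
"""Stateful source NAT (masquerade) as the VPN Gateway performs it for
Full-Tunnel VPC hosts. Added example for this page, not VPN Gateway code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPC_SUBNET = ip_network("10.0.1.0/24")     # VPC hosts (from the diagram)
GATEWAY_PUBLIC_IP = "203.0.113.5"          # VPN Gateway's public address
FIRST_NAT_PORT = 12345                     # assumption: chosen so the first mapping matches the figure


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Keeps one mapping per outbound 4-tuple, like a conntrack entry."""

    def __init__(self, public_ip=GATEWAY_PUBLIC_IP, first_port=FIRST_NAT_PORT):
        self.public_ip = public_ip
        self._next_port = first_port
        self._outbound = {}   # (host_ip, host_port, dst_ip, dst_port) -> nat_port
        self._inbound = {}    # (nat_port, dst_ip, dst_port) -> (host_ip, host_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving a VPC host to the gateway's
        public address, allocating a translated port the first time a flow is seen."""
        if ip_address(pkt.src_ip) not in VPC_SUBNET:
            raise ValueError(f"{pkt.src_ip} is not a VPC host; not translated")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self._outbound.get(key)
        if nat_port is None:
            nat_port = self._next_port
            self._next_port += 1
            self._outbound[key] = nat_port
            self._inbound[(nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, nat_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Rewrite the destination of a packet arriving on the public side back to
        the VPC host that opened the flow. Returns None when no mapping exists:
        an unsolicited packet to 203.0.113.5 is dropped, not forwarded into the VPC."""
        if pkt.dst_ip != self.public_ip:
            return None
        mapping = self._inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if mapping is None:
            return None
        host_ip, host_port = mapping
        return Packet(pkt.src_ip, pkt.src_port, host_ip, host_port)


def demo():
    """Replays the page's example: host 10.0.1.10 fetching a page, plus a second
    host reusing the same source port and an unsolicited inbound probe.
    Destination 198.51.100.80 and prober 198.51.100.9 are constructed addresses."""
    gw = NatGateway()
    request = gw.outbound(Packet("10.0.1.10", 45678, "198.51.100.80", 80))
    other = gw.outbound(Packet("10.0.1.11", 45678, "198.51.100.80", 80))
    reply = gw.inbound(Packet("198.51.100.80", 80, "203.0.113.5", request.src_port))
    probe = gw.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 22))
    return request, other, reply, probe


if __name__ == "__main__":
    for label, pkt in zip(("request", "other host", "reply", "probe"), demo()):
        print(f"{label:>10}: {pkt}")
```

The second host reuses source port 45678 and still gets its own translated port, so replies are demultiplexed by the gateway's port, not the host's; the probe to port 22 on the public address returns None because no host ever opened that flow.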
Network Architecture
```
VPC Network

  VPC Host 1              VPC Host 2              VPC Host 3
   Private Interface       Private Interface       Private Interface
   10.0.1.10               10.0.1.11               10.0.1.12
   Public Interface: none  Public Interface: none  Public Interface: none
        │                       │                       │
        └───────────────────────┼───────────────────────┘
                                ▼
                    ┌───────────────────────┐
                    │ VPN Gateway           │
                    │ (Default GW)          │
                    │ 10.0.1.1              │
                    └───────────────────────┘
                                │
                                ▼
                          ┌──────────┐
                          │ Internet │
                          └──────────┘
                                ▲
                                │
                       ┌─────────────────┐
                       │ VPN Clients     │
                       │ (Remote Users)  │
                       └─────────────────┘
```
VPC Host Configuration
```yaml
# VPC Host Network Configuration (Full-Tunnel)
# /etc/netplan/01-netcfg.yaml
network:
  version: 2
  ethernets:
    # Private interface only - no public interface
    eth0:
      addresses:
        - 10.0.1.10/24
      nameservers:
        addresses:
          - 10.0.1.1        # DNS through VPN Gateway
          - 8.8.8.8         # Backup DNS (still reached via the VPN Gateway, the only route out)
      # The default route is the only path off the host. Declare it once here;
      # the older gateway4 key is deprecated and would add a duplicate default route.
      routes:
        - to: 0.0.0.0/0
          via: 10.0.1.1     # All traffic via VPN Gateway
```
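A check that a host really is in Full-Tunnel mode: no non-RFC1918 address on any interface, and exactly one default route, via the VPN Gateway. This is an added example for this page, not part of the VPN Gateway product. It reads the JSON that `ip -j addr` and `ip -j route` print (run with `--live` to audit the current machine); the two samples embedded below are constructed, one matching the configuration above and one for a host that has drifted by acquiring a public interface and a second default route.

```python
"""Audit that a VPC host is actually in Full-Tunnel mode.
Added example for this page, not VPN Gateway code. Reads the JSON produced by
`ip -j addr` and `ip -j route` on the host; the samples below are constructed."""
import json
from ipaddress import ip_address, ip_network

# RFC 1918 ranges only: Python's is_private would also accept the 203.0.113.0/24
# documentation block used on this page, so it is not a usable "private" test here.
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))
VPN_GATEWAY = "10.0.1.1"


def is_rfc1918(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def audit_full_tunnel(addr_json: str, route_json: str, vpn_gw: str = VPN_GATEWAY):
    """Return a list of findings; an empty list means the host matches the
    Full-Tunnel configuration (private addresses only, one default route via vpn_gw)."""
    findings = []
    for link in json.loads(addr_json):
        if link["ifname"] == "lo":
            continue
        for info in link.get("addr_info", []):
            if info.get("family") == "inet" and not is_rfc1918(info["local"]):
                findings.append(f"{link['ifname']} carries non-RFC1918 address {info['local']}")
    defaults = [r for r in json.loads(route_json) if r.get("dst") == "default"]
    if not defaults:
        findings.append("no default route: host has no path to the internet at all")
    for route in defaults:
        if route.get("gateway") != vpn_gw:
            findings.append(f"default route via {route.get('gateway')} on {route.get('dev')} bypasses the VPN Gateway")
    if len(defaults) > 1:
        findings.append(f"{len(defaults)} default routes present, expected exactly one via {vpn_gw}")
    return findings


# Constructed samples in the shape of `ip -j addr` / `ip -j route` output.
FULL_TUNNEL_ADDR = json.dumps([
    {"ifname": "lo", "addr_info": [{"family": "inet", "local": "127.0.0.1", "prefixlen": 8}]},
    {"ifname": "eth0", "addr_info": [{"family": "inet", "local": "10.0.1.10", "prefixlen": 24}]},
])
FULL_TUNNEL_ROUTE = json.dumps([
    {"dst": "default", "gateway": "10.0.1.1", "dev": "eth0", "protocol": "static"},
    {"dst": "10.0.1.0/24", "dev": "eth0", "protocol": "kernel", "scope": "link", "prefsrc": "10.0.1.10"},
])
# The same host after someone attached a public interface and a second default route.
DRIFTED_ADDR = json.dumps([
    {"ifname": "lo", "addr_info": [{"family": "inet", "local": "127.0.0.1", "prefixlen": 8}]},
    {"ifname": "eth0", "addr_info": [{"family": "inet", "local": "10.0.1.10", "prefixlen": 24}]},
    {"ifname": "eth1", "addr_info": [{"family": "inet", "local": "203.0.113.10", "prefixlen": 24}]},
])
DRIFTED_ROUTE = json.dumps([
    {"dst": "default", "gateway": "203.0.113.1", "dev": "eth1", "protocol": "static", "metric": 100},
    {"dst": "default", "gateway": "10.0.1.1", "dev": "eth0", "protocol": "static", "metric": 200},
    {"dst": "10.0.1.0/24", "dev": "eth0", "protocol": "kernel", "scope": "link", "prefsrc": "10.0.1.10"},
    {"dst": "203.0.113.0/24", "dev": "eth1", "protocol": "kernel", "scope": "link", "prefsrc": "203.0.113.10"},
])

if __name__ == "__main__":
    import subprocess
    import sys
    if "--live" in sys.argv:   # audit this machine instead of the samples
        addr = subprocess.run(["ip", "-j", "addr"], capture_output=True, text=True, check=True).stdout
        route = subprocess.run(["ip", "-j", "route"], capture_output=True, text=True, check=True).stdout
    else:
        addr, route = DRIFTED_ADDR, DRIFTED_ROUTE
    for finding in audit_full_tunnel(addr, route) or ["OK: Full-Tunnel configuration intact"]:
        print(finding)
```

The drifted sample is the failure mode worth watching for: a lower-metric default route through a public interface silently turns a Full-Tunnel host into a Split-Tunnel one, and the VPN Gateway's logs and egress filters no longer see its traffic.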
Use Cases for Full-Tunnel
🔒 Maximum Security Environments
- Financial Services: Trading platforms requiring complete traffic oversight
- Healthcare: HIPAA-compliant applications with strict data controls
- Government: Classified systems with mandatory traffic inspection
- Corporate Compliance: Environments requiring complete audit trails
🏢 Private Application Hosting
- Internal APIs: Backend services not meant for public access
- Database Servers: Secure database access only through VPN
- Development Environments: Isolated development and testing
- Legacy Applications: Modernizing without exposing to internet
Advantages
- ✅ No Direct Exposure: hosts carry no public address, so nothing on them is reachable from the internet except replies the VPN Gateway forwards for flows the hosts opened
- ✅ Centralized Control: every packet leaving the VPC crosses one gateway where it can be filtered and logged
- ✅ Simplified Firewall: one egress point to police instead of a rule set per host
- ✅ Audit Compliance: complete flow logs are available at the gateway
- ✅ Data Loss Prevention: outbound connections can be restricted, but only if egress filtering is configured on the VPN Gateway; NAT on its own forwards every outbound connection
Disadvantages
- ❌ Single Point of Failure: if the VPN Gateway is down, VPC hosts lose all internet access (and remote users lose access to them)
- ❌ Performance Bottleneck: all traffic passes through a single gateway
- ❌ Higher Costs: requires a VPN Gateway sized for the whole VPC's egress
- ❌ Complex Updates: OS updates and patches only work while the VPN Gateway is up and permits egress to the package mirrors
Split-Tunnel Configuration (VPC Host Perspective)
What is Split-Tunnel for VPC Hosts?
In a Split-Tunnel configuration, VPC hosts have dual network interfaces: a public interface for direct internet access and a private interface for VPC-internal communication and VPN client access. Because the public interface is reachable from the internet directly, the host itself decides which services are public (bind address, host firewall); the VPN Gateway no longer sits in that path.
Network Architecture
```
VPC Network

  VPC Host 1              VPC Host 2              VPC Host 3
   Public Interface        Public Interface        Public Interface
   203.0.113.10            203.0.113.11            203.0.113.12
   Private Interface       Private Interface       Private Interface
   10.0.1.10               10.0.1.11               10.0.1.12
        │                       │                       │
        └───────────────────────┼───────────────────────┘
                                ▼
                    ┌───────────────────────┐
                    │ VPN Gateway           │
                    │ (Private Access)      │
                    │ 10.0.1.1              │
                    └───────────────────────┘
                                │
                                ▼
                       ┌─────────────────┐
                       │ VPN Clients     │
                       │ (Remote Users)  │
                       └─────────────────┘

  ┌──────────┐
  │ Internet │ ◄─── Direct Access from the Public Interfaces (203.0.113.x)
  └──────────┘
```
VPC Host Configuration
```yaml
# VPC Host Network Configuration (Split-Tunnel)
# /etc/netplan/01-netcfg.yaml
#
# Route selection is longest-prefix match: the /16 routes below win over the
# default route for VPC and VPN-client destinations regardless of metric.
# Metric only orders routes that have the same prefix. Keep a single default
# route (on eth0) so replies to public clients always leave via the public
# interface; the deprecated gateway4 key is not used.
network:
  version: 2
  ethernets:
    # Public interface for direct internet access
    eth0:
      addresses:
        - 203.0.113.10/24
      nameservers:
        addresses:
          - 8.8.8.8
          - 1.1.1.1
      routes:
        - to: 0.0.0.0/0           # Default route to the Internet Gateway
          via: 203.0.113.1
          metric: 100
    # Private interface for VPC and VPN access
    eth1:
      addresses:
        - 10.0.1.10/24
      nameservers:
        addresses:
          - 10.0.1.1              # VPN Gateway DNS
      routes:
        - to: 10.0.0.0/16         # VPC internal traffic
          via: 10.0.1.1
          metric: 50
        - to: 192.168.0.0/16      # VPN client networks (use the address pool your VPN Gateway assigns)
          via: 10.0.1.1
          metric: 50
```
Use Cases for Split-Tunnel
🌐 Hybrid Web Applications
Perfect for applications that need both public and private access:
```
Web Application Host

  Public Interface (203.0.113.10)    Private Interface (10.0.1.10)
    ├── Website (Port 80/443)          ├── Admin API (8081)
    ├── Public API (Port 8080)         ├── Database (5432)
    ├── CDN Integration                ├── Internal Services
    └── Payment Processing             └── VPN-only Access

  Internet Users ──────────┐        ┌────────── VPN Clients
                           ▼        ▼
                        [Load Balancer]
```
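Two checks for a Split-Tunnel host, written as an added example for this page (not VPN Gateway code). `egress` resolves which interface and next hop a destination uses with the routes from the netplan configuration above, applying longest-prefix match the way the kernel does (the metric values only order routes of the same prefix). `leaked_private_services` reads `ss -ltnH` output and reports the private-only services from the layout above (Admin API 8081, Database 5432) that are bound to an address the internet can reach through the public interface. The `ss` output is constructed and deliberately includes an Admin API listening on 0.0.0.0; the sshd and redis lines and the bindv6only assumption are mine as well.

```python
"""Split-Tunnel host checks: which interface a destination leaves through, and
which listeners the public side can reach. Added example for this page, not
VPN Gateway code; routes copied from the netplan config above, `ss` output constructed."""
from ipaddress import ip_address, ip_network

# (prefix, device, next hop or None when on-link, metric), from the Split-Tunnel config above
SPLIT_ROUTES = [
    ("0.0.0.0/0",      "eth0", "203.0.113.1", 100),  # default route to the Internet Gateway
    ("203.0.113.0/24", "eth0", None,          0),    # connected public subnet
    ("10.0.1.0/24",    "eth1", None,          0),    # connected private subnet
    ("10.0.0.0/16",    "eth1", "10.0.1.1",    50),   # VPC internal traffic via VPN Gateway
    ("192.168.0.0/16", "eth1", "10.0.1.1",    50),   # VPN client networks via VPN Gateway
]


def egress(dst: str, routes=SPLIT_ROUTES):
    """Longest-prefix match as the kernel does it; metric only breaks ties between
    routes of the same prefix length. Returns (device, next_hop)."""
    addr = ip_address(dst)
    best = None
    for prefix, dev, via, metric in routes:
        net = ip_network(prefix)
        if addr in net:
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, dev, via)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


PUBLIC_IP = "203.0.113.10"
PRIVATE_ONLY_PORTS = {8081, 5432}   # Admin API and Database from the hybrid layout above

# Constructed in the shape of `ss -ltnH` output. The Admin API on 0.0.0.0 is the
# mistake this check exists to catch; the sshd (22) and redis (6379) lines are assumptions.
SS_SAMPLE = """\
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8081 0.0.0.0:*
LISTEN 0 244 10.0.1.10:5432 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""


def listeners(ss_text: str):
    """Yield (local_address, port) for each LISTEN line."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local, port = fields[3].rsplit(":", 1)
        yield local, int(port)


def reachable_from_public(local: str, public_ip: str = PUBLIC_IP) -> bool:
    """True if a socket bound to `local` accepts connections arriving on the public
    interface. "[::]" counts because it also accepts IPv4-mapped connections unless
    net.ipv6.bindv6only=1 (assumed at its default of 0 here)."""
    return local in ("0.0.0.0", "*", "[::]") or local == public_ip


def public_listeners(ss_text: str = SS_SAMPLE, public_ip: str = PUBLIC_IP):
    """Every port an internet client could connect to on this host."""
    return sorted({port for local, port in listeners(ss_text) if reachable_from_public(local, public_ip)})


def leaked_private_services(ss_text: str = SS_SAMPLE, public_ip: str = PUBLIC_IP,
                            private_ports=PRIVATE_ONLY_PORTS):
    """Private-only services bound where the public side can reach them."""
    return [(port, local) for local, port in listeners(ss_text)
            if port in private_ports and reachable_from_public(local, public_ip)]


if __name__ == "__main__":
    for dst in ("10.0.5.7", "192.168.10.4", "198.51.100.80"):
        print(dst, "->", egress(dst))
    print("publicly reachable ports:", public_listeners())
    print("private services leaked to the public side:", leaked_private_services())
```

The database passes because it is bound to 10.0.1.10 only; the Admin API fails because a wildcard bind puts it on 203.0.113.10 as well, and no route or VPN setting prevents an internet client from connecting to it. Binding private services to the private address is the first line of defence; a host firewall that drops new connections to 8081 and 5432 on eth0 is the second.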
🏗️ Development and Staging Environments
- Public Staging: Accessible for client demos and testing
- Private Development: Secure access for developers via VPN
- CI/CD Integration: Build systems access via private interface
- Monitoring: External monitoring via public, internal via private
📊 SaaS Applications with Admin Access
- Customer Portal: Public web interface for end users
- Admin Dashboard: Private interface accessible only via VPN
- API Endpoints: Public API for integrations, private for admin
- Database Access: Secure database connections via private network
Advantages
- ✅ High Performance: public services reach the internet directly, without crossing the VPN Gateway
- ✅ Flexibility: mix of public and private services on the same host
- ✅ Cost Effective: the VPN Gateway only carries VPC-internal and VPN client traffic
- ✅ Scalability: public services can scale independently of gateway capacity
- ✅ Redundancy: a VPN Gateway outage does not cut the hosts off from the internet
Disadvantages
- ❌ Complex Configuration: dual interface management
- ❌ Security Considerations: each host is directly reachable from the internet, so host firewalling, bind addresses and patching of public-facing services become the host's responsibility
- ❌ Routing Complexity: application-specific routing rules, and a service bound to all addresses is exposed on both interfaces
- ❌ Monitoring Overhead: multiple interfaces to monitor
Comparison Table
Aspect | Full-Tunnel | Split-Tunnel
---|---|---
VPC Host Internet Access | Via VPN Gateway only | Direct via public interface
VPC Host Interfaces | Private only | Public + Private
Default Gateway | VPN Gateway (10.0.1.1) | Internet Gateway (public)
VPN Client Access | Via pushed routes | Via pushed routes (private subnet only)
Public Services | Not possible | Supported on public interface
Security Level | Higher: hosts have no public address; only the VPN Gateway is internet-facing | Moderate: each host is internet-facing on its public interface
Performance | Limited by VPN Gateway | High (direct internet)
Configuration Complexity | Simple | Complex (dual interface)
Use Case | Private/secure applications | Hybrid public/private applications
Recommendation: Choose Full-Tunnel when hosts must never be reachable from the internet and all egress has to pass one auditable point. Choose Split-Tunnel for hybrid applications that serve the public on one interface and keep administration on the private one, and then treat each host as internet-facing: host firewall on the public interface, private services bound to the private address, public services patched as you would any exposed server.