5.2. VPN Connectivity

VPN Connectivity provides a connection to Arcstar Universal One Service (NTT Communications VPN service). Plan changes, routing settings and Ping are available on the Customer Portal at Data Centers where the service has been released.

5.2.1. Available Features

The following features are available for VPN Connectivity.

| Feature | Overview |
|---|---|
| VPN Gateway | A gateway feature (called “VPN Gateway” below) that connects Arcstar Universal One Service to vFirewall or Integrated Network Appliance. |
| VPN Routing Settings | A feature that sets up routing to enable communication between Arcstar Universal One Service and vFirewall or Integrated Network Appliance. |
| Ping | Ping function in VPN Gateway |

* Arcstar IP-VPN Service is available via Universal One by using “Arcstar Universal One Connectivity Service”.

5.2.2. VPN Gateway

The VPN Connectivity GW is a gateway that connects Arcstar Universal One Service to vFirewall or Integrated Network Appliance.
You can choose from the following connection plans to match your required transmission speed.

| Connection Plan | Overview |
|---|---|
| 100 Mbps Best Effort | Transmission speed: Provides maximum uplink speed of 100 Mbps and maximum downlink speed of 100 Mbps. |
| Guaranteed | Provides guaranteed transmission speed with the specified bandwidth (uplink/downlink) as the upper limit. You can specify any of the following bandwidths: 100 Mbps, 200 Mbps, 1 Gbps. |

Important

  • The Best Effort type is a best-effort service whose transmission speed changes according to your system environment and line congestion. The actual transmission speed varies according to the usage of other customers and infrastructure status. The service does not guarantee transmission speed.
  • The Guaranteed type does not provide transmission speed higher than the specified bandwidth.

Note

  • The VPN Gateway is constructed of redundant physical devices (equipment and lines).
  • It supports Internet protocol version IPv4.

5.2.3. VPN Routing Settings

You can set up routing for communication via VPN between Enterprise Cloud IP addresses and a Customer location, another Enterprise Cloud Data Center, or other application services.

Note

  • Routing can be set up for a maximum of 128 routes (other than the default routes). However, the maximum is 24 routes in Customer Portal available VPN Connectivity.

5.2.4. Enterprise Cloud and VPN Routing Design

When you order the service, you must specify the following VPN Connectivity settings.

| Item | Overview | Prefix Length of IP Address Blocks |
|---|---|---|
| Cloud-GW connection segment settings (*1) | Sets the Server Segments (called “Cloud-GW connection segments” below) used for connecting between the VPN Gateway and the Cloud gateway (called “Cloud-GW” below). | /27 |
| VPN Transit settings | Sets the Server Segments (called “VPN Transit” below) used for connecting between the VPN Gateway and vFirewall or Integrated Network Appliance. | /29 to /24 |
| Routing settings | Sets up routing to enable communication between Arcstar Universal One Service and vFirewall or Integrated Network Appliance. | /29 to /8 (*2) |

*1 Not necessary in Customer Portal available VPN Connectivity.
*2 For each route, any one prefix length in this range is specified.

Cloud-GW Connection Segment
  • Your VPN IP Address block (called “Cloud-GW connection segment IP address block” below) can be allocated to Cloud-GW connection segments.
  • NTT Communications selects and sets the IP addresses that are allocated to VPN Gateway and Cloud-GW from the Cloud-GW connection segment IP address block.
VPN Transit
  • Your VPN IP Address block (called “IP address block for VPN transit” below) will be allocated to VPN transit.
  • NTT Communications selects and sets the IP addresses that are allocated to VPN Gateway and vFirewall or Integrated Network Appliance from the VPN Transit IP address block.
Routing Settings
  • In order to communicate from your VPN to vFirewall or Integrated Network Appliance, routing is set with vFirewall or Integrated Network Appliance as the destination.
  • An IP address block that is not used in the Customer's VPN is allocated as the destination network address set in the routing settings.
  • The network used by Enterprise Cloud service cannot be specified as a default route on the VPN service (Arcstar Universal One) side.
  • The Customer can set routing settings in Customer Portal available VPN Connectivity. However, some IP addresses cannot be set due to the specifications of Enterprise Cloud and the VPN service (Arcstar Universal One). Check the IP addresses listed below.

| IP address | Routing Advertisement |
|---|---|
| Broadcast Address | not available |
| Multicast Address | not available |
| Unicast Address / Private Address / Reserved in each Enterprise Cloud Data Center | not available |
| Unicast Address / Private Address / Private address other than the above | available (Default) |
| Unicast Address / Global Address (*) / 1. An address the Customer acquired legally | available (by Order) |
| Unicast Address / Global Address (*) / 2. An address bought from an ISP | available (by Order) |
| Unicast Address / Global Address (*) / Global address other than the above (illegal address) | not available |
| Unicast Address / Unicast address other than the above (*) | not available |

* An IP address provided by Internet Connectivity of Enterprise Cloud cannot be set. Also, if the Customer uses Arcstar Universal One at the same time, a global IP address cannot be set. Refer to the Arcstar Universal One service description for details of IP address restrictions.

Important

  • You cannot change the IP addresses that are used for VPN transit and Cloud-GW connection segment after you have started using VPN Connectivity.

5.2.5. Important Points

  • The Guaranteed type only guarantees the bandwidth of communication that passes through the VPN Gateway. To guarantee the bandwidth of communication that passes through the vFirewall and vLoad Balancer, separate contracts are needed for a suitable number of firewall resources and load balancer resources.
  • NTT Communications may change VPN settings for maintenance and monitoring. You cannot change or delete the settings that are set by NTT Communications.
  • Communication interruptions might occur when VPN Connectivity settings are changed.
  • There are IP Address blocks which cannot be set or included in the IP address block for Cloud-GW connection segment, IP address block for VPN Transit, or routing IP address block for vFirewall. Be aware that the IP address bands that cannot be specified differ according to Data Center.
  • Also, if the IP Addresses in the IP Address bands are used for private network lines, communications between the Data Center that is in use and those IP addresses via vFirewall will not be possible.

Important

  • For details about Non-duplicable IP Address blocks, refer to separate volume “Functional Description (IP Address)”.
  • If you use the Internet Connectivity and VPN Connectivity in combination, direct back and forth communication between the Internet and VPN via vFirewall or Integrated Network Appliance will not be possible.
  • If you started using VPN Connectivity at Yokohama No.1 Data Center on or before November 15, 2013 and have not carried out lease construction for changing bandwidth, pay attention to the following points.
    • To make it Customer Portal available
      • Termination of the VPN Connectivity service and a new order are needed.
    • To change bandwidth
      • Lease construction is necessary for changing bandwidth. Please specify a construction date of at least 17 business days after the date you order it. Also, on the date of construction there might be multiple communication interruptions that last up to several tens of minutes each.
      • If you are connected to a VPN other than Arcstar Universal One Service when the above-mentioned lease construction takes place, you will need to transfer to Arcstar Universal One.
      • Prefix lengths /29 to /8 are available for IP address blocks.
  • If you started using VPN Connectivity at Yokohama No.1 Data Center after November 15, 2013, pay attention to the following points.
    • To make it Customer Portal available
      • Termination of the VPN Connectivity service and a new order are needed.
    • To change bandwidth by order form
      • Lease construction is not necessary. 17 business days are needed for the change.
  • The Cloud-GW connection segment setting is not necessary in Customer Portal available VPN Connectivity. Moreover, the 1 Gbps Guaranteed plan is not available.
  • IP address blocks listed below will be sent out to VPN service as route advertisement regardless of customer’s setting.
    • VPN transit
    • Cloud-GW connection segment
  • When adding Customer Portal supported VPN Connectivity, the IP address block assigned to VPN transit must be unused in the VPN network. It must not overlap or include the connected IP addresses of VPN sites (including Cloud-GW) or LAN addresses.
  • In the routing settings of Customer Portal supported VPN Connectivity, an order form is needed to set a global IP address for routing. Without the order form, the setting is not available from the Customer Portal. Please contact your NTT Communications affiliate.
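
The address rules in 5.2.3 to 5.2.5 can be checked before an order is placed. The following is an added example, not part of the NTT Communications documentation: `check_design` and its parameters are hypothetical names, any block outside RFC 1918 is treated as a global address, and the Data Center reserved list is a caller-supplied placeholder because the page defers it to “Functional Description (IP Address)”.

```python
from ipaddress import ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NON_UNICAST = ip_network("224.0.0.0/3")  # multicast plus the range holding broadcast
MAX_ROUTES = {"order_form": 128, "portal": 24}  # route limits stated in 5.2.3


def check_design(transit, routes, vpn_in_use, dc_reserved=(), channel="portal",
                 global_by_order=False):
    """Return a list of problems in a planned VPN Connectivity address design."""
    problems = []
    used = [ip_network(n) for n in vpn_in_use]
    reserved = [ip_network(n) for n in dc_reserved]

    t = ip_network(transit)  # raises ValueError if host bits are set
    if t.version != 4 or not 24 <= t.prefixlen <= 29:
        problems.append(f"transit {t}: prefix length must be /29 to /24")
    problems += [f"transit {t}: overlaps in-use VPN block {u}" for u in used if t.overlaps(u)]

    if len(routes) > MAX_ROUTES[channel]:
        problems.append(f"{len(routes)} routes exceeds the {channel} limit of {MAX_ROUTES[channel]}")

    for r in routes:
        n = ip_network(r)
        if n.version != 4 or not 8 <= n.prefixlen <= 29:
            problems.append(f"route {n}: prefix length must be /29 to /8")
        elif n.overlaps(NON_UNICAST):
            problems.append(f"route {n}: broadcast/multicast is not advertised")
        elif any(n.overlaps(x) for x in reserved):
            problems.append(f"route {n}: reserved in this Data Center")
        elif any(n.overlaps(u) for u in used):
            problems.append(f"route {n}: already used in the customer VPN")
        elif not any(n.subnet_of(p) for p in RFC1918) and not global_by_order:
            problems.append(f"route {n}: global address needs an order form")
    return problems


# Constructed sample plan (all addresses are illustrative, not from the page).
SAMPLE = dict(
    transit="192.168.250.0/28",
    routes=["10.20.0.0/16", "172.16.5.0/30", "224.1.0.0/16", "203.0.113.0/24", "10.1.2.0/24"],
    vpn_in_use=["10.1.0.0/16", "192.168.250.0/24"],
    dc_reserved=["10.20.0.0/16"],  # placeholder; real list is in "Functional Description (IP Address)"
)

if __name__ == "__main__":
    for p in check_design(**SAMPLE):
        print(p)
```

Because VPN transit and Cloud-GW connection segment addresses cannot be changed after service start and are advertised regardless of customer settings, the transit overlap check is the one worth running against a complete inventory of VPN site and LAN prefixes.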