Connecting Anypoint VPC to Customer On-Premise

Written by:
Published on November 18, 2019

Connecting Anypoint VPC to Customer On-Premise

This is part three of the three blog series on Anypoint VPC. You can checkout other blogs about What is Anypoint VPC(Virtual Private Cloud)? and Sizing of Anypoint VPC.

All organizations have an on-premise network in some form or the other. These group of private networks/servers run a lot of internal and legacy applications. These on-premise servers can be a Data Center owned by the customer, a private server hosted by any cloud provider(AWS, GCP etc.) etc.

With modern technologies and products becoming more cloud centric. There are numerous instances where an organization would want to connect their on-premise applications to external cloud. This is a common issue that almost every organization faces. There are many reasons why one would want to connect to these on-premise servers like:

  • Integrating an on-premise service to a cloud service(Internal). e.g. connecting SAP Event Management to Salesforce cloud.
  • Exposing completely or part of an on-premise service to outside world due to business needs. e.g. an airline exposing their pricing API running on on-premise to cloud so that developer can build applications on top of it.
  • Integrating an on-premise service to a external cloud server(other vendors). e.g. when a new external cloud based product is procured by the organization which needs to get data from on-premise servers.

There are multiple ways of solving this problem.

The Generic Approach

A lot of organization have an API Gateway setup on their on-premise servers which is exposed to external world. This API Gateway serves as a single entry point for all the communication coming from external world to on-premise servers.

This API Gateway ensures security and directs requests using a reverse proxy. The biggest disadvantage with such a solution is that it needs to be done for every new application/instance. While this solution is very high on security, it is not very efficient and has its own latency due the request passing multiple security barriers and networks.

Not to forget numerous extra change requests one has to raise to make any change to these configurations.

What Changes with Anypoint VPC?

Anypoint VPC keeps all the mule applications in a single contained network. This opens up several options of connecting the networks(Anypoint VPC to On-prem) instead of connecting applications on one to one basis.

Network to network connectivity removes latency and is a smart way of exposing on-premise applications to cloud in a highly secure fashion.

Are there any types of such connections?

These connections can be either unidirectional or bidirectional. Decision and approval for the type of connection usually differs from organization to organization.

Unidirectional connections allow network traffic to flow only in one direction(either VPC to on-prem or otherwise). Bidirectional connections allow network traffic to flow in both directions.

Unidirectional connections should only be made when its definite that there is no instance for data to flow in the opposite direction. If there is any such requirement which needs data to flow in both directions, bidirectional connection should be used.

Different Types of Connections with Anypoint VPC

For any kind of connection of Anypoint VPC to customer Data Center(On-Premise), there should be a clear segregation of IPs used by in the Anypoint VPC to that used in customer DC. If there is an overlap of IPs, such connections cannot be created as in a network, every IP should be unique. This clearance should be taken at the time of VPC creation to allow for future connections of this nature.

1. IP Secure VPN Tunnel

IP Sec VPN tunnel is a one-to-one VPN tunnel between the VPC and on-premise network. This means that once established, all VPC applications would have access to on-premise servers. This is equivalent of all the applications(VPC apps and on-premise) running in the same network.

When to use it? An IP Sec VPN tunnel should be used when there are multiple integrations involving on-premise applications to be exposed/integrated to external world/Cloudhub.

Advantages: This kind of tunnel once established would not need any further configuration. Any new integration can be developed without bothering about the networks. Since it is a tunnel between VPC to on-premise network only, it is highly secure.

Disadvantages: Since it is a one-to-one connection, there needs to be a separate VPN tunnel for every VPC to every on-premise network(Data Center).

2. Transient VPC with Multiple IP Secure VPNs

In the case where multiple VPCs need to be connected to Multiple Data Centers, it is not ideal to have a lot of one-to-one connections.

Transient VPC acts as a central hub for all VPC to VPC or VPC to data center connections. This is achieved by having one to one connections to all other VPCs and Data centers which need to connect to each other.

Following diagram shows working of transient VPC:

When to use it? A transient VPC should be used when an organization has multiple VPCs and multiple data centers. e.g. some organizations end up creating a Anypoint VPC per region to ensure faster connectivity. In such cases a transient VPC would act as a single junction for all the network traffic instead of having millions of one-to-one connections.

Advantages: All networks are connected with minimum number of possible connections. Transient VPCs are easier to maintain as there is only one hub responsible for all communication.

Disadvantages: Since all the request go through a single hub, once this hub goes down, the entire system is affected as no communication can happen until it comes back up again.

3. Amazon Web Services VPC Peering(Only for AWS Customers)

For customers who have their corporate networks on AWS, CloudHub VPC can be connected directly to their corporate AWS VPCs using AWS VPC peering. This is currently possible as MuleSoft uses AWS for all its infrastructure needs.

When to use it? AWS VPC peering can be used when customer VPC(corporate network) is hosted on AWS. This can be used when high speed and low latency is needed between networks.

Advantages: Such connections are very fast and secure since everything is on AWS(from customer VPC to Anypoint VPC).

Disadvantages: Can only be used when the customer organization is using AWS VPC for the non-mule servers. Since MuleSoft used AWS for its infrastructure, similar functionality cannot be achieved with other cloud providers.

4. Direct Connect

Direct connect as it sounds is connecting Anypoint VPC(hosted in some AWS Data center) to customer organizations Data center using a physical fiber optic cable.

When to use it? Direct connect should only be used when there is a need to transfer huge data across networks and very high data transfer rate is expected.

Advantages: The fastest option available to link Anypoint VPC to customer Data center. Since all the data transfer happens over a dedicated physical cable, it is also very secure.

Disadvantages: Since it requires digging up the ground and laying cables, the cost to do something like this is sky-rocketing.

It should be duly noted that all the above methods are not provided by MuleSoft as a functionality i.e. MuleSoft will not help customers establish such connections end to end. MuleSoft will only help in opening the ports and firewall in VPC but rest of the work has to be done by customer on its own.


We hope you found this article insightful. Please drop us a comment and do share our article with fellow enthusiasts.

Also, If you are interested in learning more about an exciting new code quality and review tool that reduces your Mule project costs by 79%, follow the below link :

Quantifying benefits of IZ Analyzer for Mule Projects

One Reply to “Connecting Anypoint VPC to Customer On-Premise”

Leave a Reply

Your email address will not be published. Required fields are marked *

Other Blog Posts

Other Blog Posts

MuleSoft Runtime Code Scanning – Why Do You Need It?

One of the most frequently asked questions is if we have static code analysis and a well defined DevOps process, why would we need run time code analysis? In this article, let’s explore the differences between the two and why you might want to have runtime code analysis (and IZ Runtime Analyzer) even if you have …

Read more

Ensuring Software Quality in Healthcare: Leveraging IZ Analyzer for MuleSoft Code Scanning 🏥💻

Ensuring software quality in the healthcare industry is a top priority, with direct implications for patient safety, data security, and regulatory compliance. Healthcare software development requires adherence to specific rules and best practices to meet the unique challenges of the industry. In this blog post, we will explore essential software quality rules specific to healthcare …

Read more

Mule OWASAP API Security Top 10 – Broken Object Level Authorization

In Mule, Object-Level Authorization refers to the process of controlling access to specific objects or resources within an application based on the permissions of the authenticated user. It ensures that users can only perform operations on objects for which they have appropriate authorization. To demonstrate a broken Object-Level Authorization example in Mule, let’s consider a …

Read more

How KongZap Revolutionises Kong Gateway Deployment

In a rapidly evolving digital landscape, businesses face numerous challenges. Faster time to market is the only option business can choose. When it comes end to end Kong Gateway life cycle from deploying to managing Kong Gateway, every one of these challenges is applicable. However, KongZap, a groundbreaking solution is a game-changer by addressing some …

Read more