Connecting Through VPN

Last updated on Jun 03, 2024

Hevo provides you with the option of connecting through a Virtual Private Network (VPN), whether a physical device or virtual VPN, to your Source and or Destination database that is hosted on-premise, on a cloud other than AWS, or in a hybrid setup. This option is available only under a business plan.

As seen in the image below, to establish a connection through a VPN between the Hevo platform and your database, Hevo:

VPN Connection Architecture

  • Creates an intermediate VPC and a tunnel instance within it or uses an existing setup.

  • Creates a virtual router, such as an AWS Transit Gateway, that routes network traffic from Hevo’s VPC through a site-to-site VPN.

  • Communicates with your database through the established Internet Protocol Security (IPSec) tunnel.

The following image illustrates the steps for connecting your Source or Destination database through a VPN connection. The steps are also described in the sections below.

VPN Process Flow

Initiate VPN Connection Request

To set up an IPSec VPN, you must contact Hevo Support with the following details obtained from your VPN device:

  • Classless Inter-Domain Routing (CIDR) Range: The IP address range of your network in CIDR format. For example,

  • Platform: The type of environment or infrastructure where your database is stored and managed, whether in a non-AWS cloud provider or on-premise. Hevo requires this information to generate a configuration file specific to your platform.

  • VPN Device and Public IP: The type of your VPN device and its public IP address(es). For example, Google Cloud’s High Availability (HA) VPN and its public IP address(es).

  • Autonomous System Number (ASN): The unique identifier you assigned to your VPN device. The ASN, which is required for dynamic routing of traffic over the internet, should be any unused value within the range 64512 - 65534 or 4200000000 - 4294967294.

Based on these details, Hevo Support creates an AWS Customer Gateway (CGW) to represent your VPN device in Hevo’s AWS account logically. The AWS CGW contains information about your public IP and ASN. Once the gateway is created, you are provided with the following:

  • Public IP: The public IP address(es) of Hevo’s AWS Customer Gateway(s). You need to add this IP address to your VPN gateway interface to allow traffic from Hevo.

  • ASN: The unique identifier assigned to Hevo’s virtual router. You require this ASN if you want to configure dynamic routing. Refer to your VPN documentation for the steps to set it up.

    Note: AWS supports dynamic routing through the Border Gateway Protocol (BGP).

  • Classless Inter-Domain Routing (CIDR) Range: The IP address range of Hevo’s network in CIDR format. For example, You must add this IP address range to your security policies or firewall rules to allow traffic between your database and Hevo’s VPC. Refer to your VPN documentation for the steps to do this.

  • Pre-shared Key: The password shared between you and Hevo to authenticate the VPN gateways and establish a secure connection. The pre-shared key is included in the configuration file you receive from Hevo.

  • Configuration File(s): These are platform-specific files generated by Hevo to help you configure VPN tunnels in your VPN gateway interface(s). The configuration file contains information such as the Internet Key Exchange (IKE) version, the authentication method and the associated pre-shared key. Refer to the Example for a sample configuration file.

Configure your Virtual Private Network

Once you receive the platform-specific configuration file from Hevo, perform the following steps in your Virtual Private Network (VPN):

Note: You should refer to your VPN documentation for the detailed configuration steps.

  1. Log in to the management console of your VPN device.

  2. Create a peer VPN interface to facilitate secure communication between your database and the Hevo application.

  3. (Optional) If you want to use dynamic routing between your and Hevo’s gateways, configure the routing options, such as Border Gateway Protocol (BGP) sessions, for each interface. For this, you require Hevo’s ASN obtained in Step 1.

    Note: AWS supports BGP for dynamic routing, which allows your network to exchange routing information with AWS dynamically.

  4. Set up VPN tunnels for each VPN interface using the information, such as the Internet Key Exchange (IKE) version and the pre-shared key, from the corresponding configuration file.

  5. Add Hevo’s CIDR range to firewall rules or security policies to allow traffic between your database and Hevo’s VPC.

Once you perform the steps above, you can configure your database as a Source or Destination in Hevo.


The following is a VPN vendor-independent sample configuration file:

Your VPN Connection ID               : vpn-genericvpn
Your Virtual Private Gateway ID      :
Your Customer Gateway ID             : cgw-0011hevocgw

IPSec Tunnel #1
#1: Internet Key Exchange Configuration
  - IKE version                     : IKEv1 *
  - Authentication Method           : Pre-Shared Key
  - Pre-Shared Key                  : XyaV.tfhijsjdbkgjdfjkfkj *
  - Authentication Algorithm        : sha1
  - Encryption Algorithm            : aes-128-cbc
  - Lifetime                        : 28800 seconds
  - Phase 1 Negotiation Mode        : main
  - Diffie-Hellman                  : Group 2

#2: IPSec Configuration

Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
  - Protocol                        : esp
  - Authentication Algorithm        : hmac-sha1-96
  - Encryption Algorithm            : aes-128-cbc
  - Lifetime                        : 3600 seconds
  - Mode                            : tunnel
  - Perfect Forward Secrecy         : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
  - DPD Interval                    : 10
  - DPD Retries                     : 3
  - TCP MSS Adjustment              : 1379 bytes
  - Clear Don't Fragment Bit        : enabled
  - Fragmentation                   : Before encryption

#3: Tunnel Interface Configuration

Outside IP Addresses:
  - Customer Gateway                :
  - Virtual Private Gateway         : *

Inside IP Addresses
  - Customer Gateway                : *
  - Virtual Private Gateway         : *

Configure your tunnel to fragment at the optimal size:
  - Tunnel interface MTU            : 1436 bytes

#4: Border Gateway Protocol (BGP) Configuration:
  - Customer Gateway ASN            : 65000
  - Virtual Private Gateway ASN     : 65531 *
  - Neighbor IP Address             :
  - Neighbor Hold Time              : 30

Note: The parameters required for configuring your VPN device are marked with an asterisk, and the provided values are only for reference.

Revision History

Refer to the following table for the list of key updates made to this page:

Date Release Description of Change
May-20-2024 2.23.3 New document.

Tell us what went wrong