Configurations Page
The Configurations page lets you set up InterSystems Network Connect, a hub you can use to connect your corporate network and your InterSystems cloud service deployments. First you attach your deployments to the hub. Then you attach one or more VPN connections or Direct Connect connections, which go from your corporate gateway devices to the hub.
If you ever want to delete a Network Connect deployment, you must detach any InterSystems cloud service deployments, VPN connections, or Direct Connect connections before proceeding.
You cannot delete an InterSystems cloud service deployment that is attached to Network Connect. You must detach it before proceeding.
Manage Deployment Attachments
The Deployment Attachments section of the Configurations page displays a list of any InterSystems cloud service deployments currently attached to the hub.
To attach additional InterSystems cloud service deployments to the hub:
- On the Configurations page, in the Deployment Attachments section, click Attach Deployments.
- On the Available Deployment Attachments dialog, select the InterSystems cloud service deployments you want to attach to the hub, and then click Attach.
Note: The deployments must be in the same AWS region as Network Connect.
You cannot attach a deployment that has a private network address range that conflicts with that of a deployment already attached to Network Connect.
The deployment is added to the list of active deployment attachments with a status of COMPLETE. This may take a few minutes.
To detach a deployment from the hub, in the Actions column in the row for that deployment, click the Detach VPC icon.
You cannot detach an InterSystems cloud service deployment from the hub if it has any private firewall rules defined for the private network. You must delete the rules from the Health Connect Cloud or InterSystems IRIS Cloud Managed Service Firewall page first.
Manage VPN Connections
The VPN Connections section of the Configurations page displays a list of any VPN gateway devices currently attached to the hub. Each entry in the list includes information such as:
- Device Name
- Routing Type (static or dynamic)
- Device IP address
- Tunnel IP addresses
- Status information
To attach an additional VPN gateway device to the hub:
- On the Configurations page, in the VPN Connections section, click Create VPN.
- On the VPN Gateway Device dialog, choose the Routing Type of your VPN, either static or dynamic.
- In the Name field, type a name for this VPN gateway device.
- In the Gateway Device IP Address field, type the IP address of your VPN gateway device.
  This can be a public IP address or behind a NAT.
- For VPNs using dynamic routing, in the BGP ASN field, type a Border Gateway Protocol (BGP) Autonomous System Number (ASN).
  This ASN is used for routing purposes and must be unique in the network you are creating. See the on-screen hint for guidance on what range of ASNs to use.
- Click Create.
The VPN connection is added to the list of active deployment attachments. Creation of a connection can take a few minutes. When the connection is ready, the State field changes from CREATING to COMPLETE.
Next, you need to complete the setup process on the corporate network side by configuring your gateway device:
- In the VPN Connections section, in the Actions column for your VPN connection, click the Download Configuration for this Connection icon.
- In the Gateway Device dialog box:
  - Enter the Vendor, Platform, Software, and Ike Version of your device.
    The list of gateway devices is provided by AWS. If you do not see your exact device, choose the one most similar to your model.
  - Click Download to download configuration instructions specific to your device and the settings you provided.
- Follow the instructions in the document you just downloaded to configure the gateway device on the corporate network side.
- After you have configured your gateway device, go back to the Configurations page and confirm that the Tunnel 1 Status and Tunnel 2 Status of your VPN connection appear with check marks.
  This may take a few minutes. You may also have to click Refresh on the Configurations page to see the updated tunnel statuses.
To detach a VPN connection from the hub, in the Actions column in the row for that VPN connection, click the Delete VPN icon.
Manage Direct Connect Connections
Please contact InterSystems if you would like to set up a Direct Connect connection or remove an existing Direct Connect connection.
Once a Direct Connect connection has been set up, it will automatically appear in the Direct Connect Connections section of the Configurations page. The Connection Status column for your Direct Connect connection should show a green check mark.
A green check mark means that the physical connection is online, but it does not mean that traffic is flowing. If your connection is not yet configured or is misconfigured, you will still see the check mark.
Next, you need to complete the setup process on the corporate network side by configuring your gateway device:
- In the Direct Connect Connections section, in the Actions column for your connection, click the Download Configuration for this Connection icon.
- In the Gateway Device dialog box:
  - Enter the Vendor, Platform, and Software of your device.
    The list of gateway devices is provided by AWS. If you do not see your exact device, choose the one most similar to your model.
  - Click Download to download configuration instructions specific to your device and software version.
- Follow the instructions in the document you just downloaded to configure the gateway device on the corporate network side.
Route Table Configuration
After you attach a VPN, the deployment route tables need to be populated so that the attached InterSystems cloud service deployments can communicate with your corporate network over the VPN.
If your route tables get too large, Network Connect may use route summarization to bring the number of routes under the maximum number allowed. This aggregates routes by combining multiple CIDR blocks into larger CIDR blocks, thereby reducing the total number of routes.
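The following is an added example, not InterSystems code, showing what route summarization does to a route table and which address ranges a summarized table covers that the original routes did not. The function names, the sample prefixes, the IPv4-only input and the merge policy (combine the neighbouring pair that adds the fewest addresses) are assumptions; this page does not describe how Network Connect chooses which blocks to combine.

```python
import ipaddress

# Constructed sample: IPv4 prefixes a corporate gateway might advertise.
SAMPLE_ROUTES = ["10.20.0.0/24", "10.20.1.0/24", "10.20.4.0/24", "192.168.10.0/24"]

def common_supernet(a, b):
    """Smallest network that contains both a and b (same IP version)."""
    sup = a
    while not b.subnet_of(sup):
        sup = sup.supernet()
    return sup

def added_ranges(routes, originals):
    """Address space covered by routes but by none of the originals."""
    added = []
    for route in routes:
        remaining = [route]
        for orig in originals:
            kept = []
            for part in remaining:
                if orig.subnet_of(part):
                    kept.extend(part.address_exclude(orig))
                elif not part.subnet_of(orig):
                    kept.append(part)      # disjoint, keep unchanged
            remaining = kept
        added.extend(remaining)
    return sorted(ipaddress.collapse_addresses(added))

def summarize(cidrs, max_routes):
    """Return (routes, added) with len(routes) <= max_routes."""
    if max_routes < 1:
        raise ValueError("max_routes must be at least 1")
    # Lossless step: merge adjacent and contained blocks only.
    originals = sorted(ipaddress.collapse_addresses(map(ipaddress.ip_network, cidrs)))
    routes = list(originals)
    while len(routes) > max_routes:
        # Assumed policy (not from the page): merge the neighbouring pair
        # whose common supernet adds the fewest extra addresses.
        best = None
        for i in range(len(routes) - 1):
            sup = common_supernet(routes[i], routes[i + 1])
            cost = (sup.num_addresses - routes[i].num_addresses
                    - routes[i + 1].num_addresses)
            if best is None or cost < best[0]:
                best = (cost, i, sup)
        _, i, sup = best
        routes[i:i + 2] = [sup]
        routes = sorted(ipaddress.collapse_addresses(routes))
    return [str(r) for r in routes], [str(a) for a in added_ranges(routes, originals)]
```

With the sample input, a limit of 3 is met losslessly, while a limit of 2 produces `10.20.0.0/21` and with it three ranges that were never advertised. Comparing the added ranges against your address plan shows whether a summarized route would match networks you did not intend to expose to the hub.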
Static VPNs
In the case of static VPNs, a manual configuration step is required to populate the deployment route tables. Please contact InterSystems for assistance.
Dynamic VPNs
In the case of dynamic VPNs, routing information is automatically synchronized between your VPN and Network Connect when you attach your VPN gateway device to Network Connect. For this reason, you should make sure that your VPN gateway device advertises its routes over BGP before you attach it to Network Connect.
Route tables are then synchronized with an attached InterSystems cloud service deployment when you create a new private firewall rule in the deployment.
Communicate with an InterSystems Cloud Service Deployment Using Network Connect
Once you have attached an InterSystems cloud service deployment and attached a VPN connection or a Direct Connect connection to Network Connect, you can communicate with the InterSystems cloud service deployment over the connection by using the deployment’s Virtual IP address. This address can be found on the Overview page of the Health Connect Cloud or InterSystems IRIS Cloud Managed Service deployment. If the InterSystems cloud service deployment was configured with the High Availability option, this Virtual IP address will continue to work no matter which mirror member is the primary member.