Tech Support: Scaling in a Snowstorm

How to get started and maintain a powerful ZTNA architecture

Q: What happens if a lot of my employees suddenly need to work from home? How can I scale up my VPN connections safely and quickly? 

OpenVPN’s Tech Support blog takes common questions our users bring up and walks us through the best possible solution. If you need further technical support, don’t hesitate to contact us. 

It’s an average day at the office. Employees stroll in after their commute, log in to their workstations, and begin their projects. You’ve set them up with a VPN connection to your AWS virtual private cloud where your web team can work on the site on Lightsail. They’re also working on a new static website for a marketing project using Amazon S3. For access, their traffic passes through the VPN gateway on the network router and hits a DNS round robin, which connects it to one of the two OpenVPN Access Servers in the VPC. With this VPN server cluster setup, the two servers, sharing one hostname, keep your connections up and running should one server go down.

One of your team members doesn’t work in the same city. This web dev works remotely. They connect to the same cluster of VPNs through client devices on their laptop and phone. It all works great.

The next morning, you wake up to the snowstorm you heard mentioned in the forecast last night. Like many in the US are experiencing right now, it’s surprisingly more than you expected. The roads are buried under at least a foot of fresh snow. You check your phone and notice emails and texts from the office staff. They won’t be making it in today because of the weather.

This is where your network scales to meet the level of snow outside.

OpenVPN Access Server with AWS Autoscaling

With the snowstorm, the team connects from home, and the number of VPN connections needed increases. Rather than on-site employees using a single connection from headquarters, they’re using one or more connections from remote locations. With the increase in VPN connections, you also scale up your VPN servers, adding more nodes to the cluster.

Autoscaling is a way to scale up or down your network resources based on needs at any given time. Cloud computing gives you the ability to automatically scale your server setup.

Previously, using OpenVPN Access Server, you had to purchase another fixed license for each new node, activating at least ten new connections. But you recently switched over to our new licensing model and purchased a subscription. Once you activated that key on your two nodes, they shared the VPN connections. After adding the two new nodes, you activate those with the same subscription, sharing all connections across the four servers. But you need just a couple more connections. All it takes is updating that in our billing portal.

Using OpenVPN Access Server with a subscription supports the automated nature of autoscaling. For the snowstorm, you increase your subscription to cover the added VPN connections. Then, once the roads are clear and the team returns to the office, you drop it back down, and shut down the extra nodes in your AWS VPC.

Autoscaling for Increased VPN Clients

From our snowstorm example, you can see in the first diagram the site-to-site VPN network setup with the enterprise network connected to the AWS network using a cluster setup. In addition, a remote worker connects using clients on their laptop and mobile device.

An unforeseen event happens, and all staff must work from home. Perhaps this is very short term, such as during a winter storm, or it could be a long-term situation like we’ve seen with a global pandemic.

When you compare the diagrams, you can see that the employees that once connected from the enterprise network shared a single VPN connection for traffic destined to AWS subnets. The VPN gateway client required only one VPN connection. Then, a remote worker used two more connections from their home network.

When the entire staff switched to remote work, the number of VPN connections ramped up. If we extend this simplified use case out to a larger business, those VPN connections could jump up in the hundreds for a sudden switch to a fully remote business.

Thankfully, with autoscaling and OpenVPN subscriptions, the ops team can depend on automated support to match the resources to the need.

The chart above provides a visual of the ups and downs a business might experience with VPN usage and the impact on bandwidth. With autoscaling, your resources can reflect the variable needs. To do this, you create virtual machines based on a template. When utilization reaches a certain level, a new machine is added automatically to a pool of servers that handle incoming requests.

Previously, with fixed licenses, this required purchasing a new license key anytime you added another Access Server. These licenses were locked to the hardware, so when you no longer needed that server, you couldn’t reuse the license at a later date without contacting our support team for a manual reissue. And you had to purchase fixed licenses a year at a time.

With subscriptions, one purchased subscription is all you need for all of your servers. Unlike our previous, fixed license model, our subscriptions are suited for cloud installations:

  1. They aren’t tied to hardware.
  2. They’re simple to activate on any instance.
  3. Should you spin up or down instances, you use the same subscription.
  4. All you need to do is purchase the total number of VPN connections needed.

When you need to increase or decrease purchased connections, you simply do so directly in our billing portal. The change propagates to your servers, so you don’t need to do any configuration on your servers or from the Admin Web UI.

For autoscaling, that means you use that same subscription for all servers. Should you reach the limit, you purchase additional connections, but it doesn’t require adding a new license key to any servers. You take care of it from right within the billing portal. Subscriptions are optimally suited for a use case such as AWS Autoscaling, and will improve your experience greatly when you have to adapt to external situations.

We provide two free connections so you can start testing this out for your network today. The following links may be helpful: