Networking Options for Dedicated Region Deployments

In Dedicated Regions, we deploy the Mission Control Agent and event broker services in a region controlled by Solace. If you require private Messaging Connectivity between the event broker services in your Dedicated Region and the virtual private cloud (VPC) where your client applications reside, we offer several networking options supported by your chosen cloud provider.

When deciding on the networking options for your Messaging Connectivity, consider the requirements of your entire estate, including:

  • whether you need bidirectional or unidirectional network connectivity

  • the number of event broker services you want, or may require in the future

  • bandwidth limitations

  • support for multiple regions

  • support for transitive routing

The tables later on this page show the networking options supported by each of the cloud providers available for Dedicated Regions, together with the benefits and limitations of each option and links to any related documentation. Each table covers one cloud provider.

You can see an overview of each networking option, including architectural diagrams, in Overview of Supported Networking Options for Dedicated Regions.

See Supported Networking Options for Dedicated Regions by Cloud Providers Supported by Solace for tables showing the Messaging Connectivity options supported by Solace for each cloud provider.

Overview of Supported Networking Options for Dedicated Regions

The sections below provide an overview and diagram of each of the networking options supported by Solace for Messaging Connectivity for Dedicated Regions.

Virtual Private Cloud (VPC) and Virtual Network (VNet) Peering

With virtual private cloud (VPC) or virtual network (VNet) peering, Solace connects your Dedicated Region with another Dedicated Region in the same cloud provider, or with your network. Multiple Dedicated Regions and networks can be connected together this way.

The diagram below provides examples of VPC/VNet peering between two Dedicated Regions and VPC/VNet peering between a Dedicated Region and a customer network.


VPC/VNet peering is available for every cloud provider Solace deploys Dedicated Regions to:

Benefits
  • VPC/VNet peering is the simplest network solution for Messaging Connectivity.

Security Considerations
  • Traffic can flow in both directions between the peered Dedicated Region and your network if your routing rules allow it. This can be useful if you want to enable certain features, like REST Delivery Points for your event broker services, which require both outbound and inbound connections.

Drawbacks
  • The CIDR ranges of your Dedicated Regions and networks must be unique. They cannot overlap or match.

  • Transitive peering is only available for Dedicated Regions deployed to Azure Kubernetes Service (AKS).

Managed Hub-and-Spoke Networking

With managed hub-and-spoke networking, Solace connects your Dedicated Region to your network transit hub, which in turn connects to other Dedicated Regions, or to your virtual private clouds and networks.

The diagram below provides an example of managed hub-and-spoke networking between a Dedicated Region and customer networks through a customer-owned hub.


The following managed hub-and-spoke networking options are supported by Solace:

Benefits
  • Connectivity between the networks hosting your event broker services is simplified. You only have to worry about a single connection for each datacenter.

Security Considerations
  • Traffic can flow in both directions between the peered Dedicated Region and your network if your routing rules allow it. This can be useful if you want to enable certain features, like REST Delivery Points for your event broker services, which require both outbound and inbound connections.

Drawbacks
  • Solace recommends using unique CIDR ranges for your Dedicated Region and your networks when using managed hub-and-spoke for Messaging Connectivity.
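The CIDR uniqueness rule above (required for VPC/VNet peering, recommended for managed hub-and-spoke) is easy to verify before a connection request is raised. The following Python script is an added example, not Solace tooling; the network names and address ranges are constructed for illustration.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed inventory: the Dedicated Region CIDRs plus every customer
# network that will be peered with them or attached to the same hub.
# These addresses are illustrative, not from any real deployment.
NETWORKS = {
    "dedicated-region-a": "10.40.0.0/16",
    "dedicated-region-b": "10.41.0.0/16",
    "customer-prod-vpc": "10.41.128.0/20",   # sits inside dedicated-region-b
    "customer-dev-vnet": "172.16.0.0/12",
    "customer-onprem": "10.40.0.0/16",       # identical to dedicated-region-a
}


def find_cidr_conflicts(networks):
    """Return (name_a, name_b, kind) for every pair of ranges that overlap.

    kind is "identical" for an exact match and "overlapping" when one range
    contains part of the other. Any pair returned here must be renumbered
    before peering, and should be renumbered before a hub attachment.
    """
    # strict=True rejects ranges with host bits set (e.g. 10.40.1.0/16).
    parsed = {name: ip_network(cidr, strict=True) for name, cidr in networks.items()}
    conflicts = []
    for (name_a, net_a), (name_b, net_b) in combinations(parsed.items(), 2):
        if net_a.overlaps(net_b):
            kind = "identical" if net_a == net_b else "overlapping"
            conflicts.append((name_a, name_b, kind))
    return conflicts


def peering_ready(networks):
    """True when every range in the inventory is unique and disjoint."""
    return not find_cidr_conflicts(networks)


if __name__ == "__main__":
    for a, b, kind in find_cidr_conflicts(NETWORKS):
        print(f"{kind}: {a} ({NETWORKS[a]}) and {b} ({NETWORKS[b]})")
    print("peering-ready:", peering_ready(NETWORKS))
```

Note that overlapping ranges are not a blocker for unidirectional endpoints (Private Link, Private Service Connect), so a failed check here only rules out the peering and hub-and-spoke options.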

Unidirectional Endpoints

With unidirectional endpoints, Solace connects the Dedicated Region to your network by exposing an event broker service endpoint in your network. Traffic flows through the private endpoint, to and from the event broker service.

The following diagram provides an example of unidirectional endpoints, with private endpoints connecting customer networks to the event broker service in your Dedicated Region.


The following unidirectional endpoints options are available for connecting your Dedicated Region to your networks:

Benefits
  • It doesn't matter if the CIDR range of your network and your Dedicated Region match, or overlap.

  • Network peering between the Dedicated Region and your network is not possible.

Drawbacks
  • Communication is unidirectional. This means that features like REST Delivery Points (RDPs) and Kafka Bridge won't work unless the destinations are accessible via the public internet.

  • Setup is done with event broker service creation instead of when the Dedicated Region is created, which complicates manual configuration.

  • Source IPs cannot be preserved, so broker ACLs can't filter on source and debugging client connections can be complicated.


Site-to-Site Virtual Private Network (VPN)

With site-to-site virtual private networking (VPN), Solace connects the Dedicated Region with another Dedicated Region, or with your network. Multiple Dedicated Regions and networks can be connected together this way.

Using site-to-site VPN for the Messaging Connectivity for your Dedicated Region is an additional add-on purchase. Contact Solace for information.

The diagram below provides examples of a site-to-site VPN between two Dedicated Regions deployed to different cloud providers, and a site-to-site VPN between a Dedicated Region and a customer network.


Site-to-site VPN is available for every cloud provider Solace deploys Dedicated Regions to:

Benefits
  • Site-to-site VPN is the only option if your VPC or network is partially or completely on-premises, or if you want to connect multiple Dedicated Regions in different cloud providers (multi-cloud).

Drawbacks
  • Site-to-site VPN is an add-on purchase, and is not included by default for Dedicated Region deployments.

Supported Networking Options for Dedicated Regions by Cloud Providers Supported by Solace

The tables below show the networking options supported by each of the cloud providers available for Dedicated Regions. They also provide information about the benefits and limitations of each option and links to any related documentation. Each table covers one cloud provider.

Supported Networking Options for Dedicated Regions in Azure Kubernetes Service (AKS)

You can configure the Messaging Connectivity for your Dedicated Region deployment in an AKS cluster with the following networking options:

Azure Kubernetes Service (AKS)

Each entry below lists the networking option, its description, its benefits and limitations, its bandwidth limits, whether it supports multiple regions and transitive routing, and further reading.

Azure VNET Peering

Description: Allows Messaging Connectivity between different VPCs. Messaging Connectivity can include:
  • Connections between a Dedicated Region and one, or many customer networks.

  • Connections between one or many Dedicated Regions.

Benefits:

  • Peering is the simplest solution in terms of infrastructure setup.

Limitations:

  • The CIDR ranges of your Dedicated Regions and networks must be unique. They cannot overlap or match.

  • Traffic can flow in both directions between the peered Dedicated Region and your network if your routing rules allow it.

Bandwidth Limits: None

Multi-Region: Yes

Transitive Routing: Yes

Further reading: Azure Virtual network peering documentation

Azure Virtual WAN

Description: Azure's version of managed hub-and-spoke network connectivity. The Dedicated Region attaches to your Azure Virtual WAN, which performs all routing, and can optionally include a firewall. Azure Virtual WAN can also perform other network activities, such as VPN, ExpressRoute/Direct Connect, etc.

Benefits:

  • Connectivity between the networks hosting your event broker services is simplified. You only have to worry about a single connection for each datacenter.

Limitations:

  • Solace recommends using unique CIDR ranges for your Dedicated Region and your networks when using managed hub-and-spoke for Messaging Connectivity.

  • Traffic can flow in both directions between the peered Dedicated Region and your network if your routing rules allow it.

Bandwidth Limits:

  • Up to 50 Gbps for VNET-to-VNET traffic

  • Up to 20 Gbps for VPN and virtual hub traffic

Multi-Region: Attachments must be in the same region. You can connect Azure Virtual WAN hubs together to connect regions.

Transitive Routing: Yes

Further reading: Azure Virtual WAN documentation

Azure Private Link

Description: Azure's version of unidirectional endpoints. Private Link uses a private endpoint to expose an endpoint of your event broker service directly to your network. Messaging traffic travels through the endpoint, over the Microsoft backbone network, and is not exposed to the public internet.

Benefits:

  • It doesn't matter if the CIDR range of your network and your Dedicated Region match, or overlap.

  • Network peering between the Dedicated Region and your network is not possible.

Limitations:

  • Communication is unidirectional. This means that features like REST Delivery Points (RDPs) and Kafka Bridge won't work unless the destinations are accessible via the public internet.

  • Setup is done with event broker service creation instead of when the Dedicated Region is created, which complicates manual configuration.

  • Source IPs cannot be preserved, so broker ACLs can't filter on source and debugging client connections can be complicated.

  • An AKS cluster only supports a single internal load balancer. The load balancer can only support eight Private Link services. This limits the cluster to eight event broker services with Private Link.

Bandwidth Limits: None

Multi-Region: Yes

Transitive Routing: Not applicable

Further reading: Azure Private Link documentation

Site-to-site VPN

Description: Solace uses a VPN to connect your Dedicated Region to one, or many of your networks. The networks can be on premises, in the cloud, or a combination. Alternatively, Solace uses a VPN to connect many of your Dedicated Regions together (multi-cloud).

Benefits:

  • This networking option is cloud-agnostic, and each provider offers a variation of it. Each provider's solution works with the others.

  • This is the only option supported by Solace when your network is partially, or completely on-premises.

Limitations:

  • The costs for this solution are covered by you, the customer. Contact Solace for information.

Bandwidth Limits: Depends on the selected solution:

  • Single Availability Zone: Minimum 650 Mbps per gateway

  • Multi-Availability Zone: Minimum 650 Mbps per gateway

Multi-Region: Yes

Transitive Routing: Contact Solace for information.

Supported Networking Options for Dedicated Regions in Amazon Elastic Kubernetes Service (EKS)

You can configure the Messaging Connectivity for your Dedicated Region deployment in an EKS cluster with the following networking options:

Amazon Elastic Kubernetes Service (EKS)

Each entry below lists the networking option, its description, its benefits and limitations, its bandwidth limits, whether it supports multiple regions and transitive routing, and further reading.

VPC Peering

Description: Allows Messaging Connectivity between different VPCs. Messaging Connectivity can include:
  • Connections between a Dedicated Region and one, or many customer networks.

  • Connections between one or many Dedicated Regions.

Benefits:

  • Peering is the simplest solution in terms of infrastructure setup.

Limitations:

  • The CIDR ranges of your Dedicated Regions and networks must be unique. They cannot overlap or match.

  • Traffic can flow in both directions between the peered Dedicated Region and your network if your routing rules allow it.

Bandwidth Limits: None

Multi-Region: Yes

Transitive Routing: Yes

Further reading: AWS VPC Peering documentation

AWS Transit Gateway

Description: Amazon's version of managed hub-and-spoke network connectivity. The Dedicated Region attaches to your AWS Transit Gateway, which performs all routing, and can optionally include a firewall. AWS Transit Gateway can also perform other network activities, such as VPN, ExpressRoute, Direct Connect, etc.

Benefits:

  • Connectivity between the networks hosting your event broker services is simplified. You only have to worry about a single connection for each datacenter.

Limitations:

  • Solace recommends using unique CIDR ranges for your Dedicated Region and your networks when using managed hub-and-spoke for Messaging Connectivity.

  • Traffic can flow in both directions between the peered Dedicated Region and your network if your routing rules allow it.

Bandwidth Limits: Up to 100 Gbps per Availability Zone per attachment.

Multi-Region: Attachments must be in the same region. You can connect AWS Transit Gateways together to connect regions.

Transitive Routing: Yes, but must be through the Transit Gateway

Further reading: AWS Transit Gateway documentation

Site-to-site VPN

Description: Solace uses a VPN to connect your Dedicated Region to one, or many of your networks. The networks can be on premises, in the cloud, or a combination. Alternatively, Solace uses a VPN to connect many of your Dedicated Regions together (multi-cloud).

Benefits:

  • This networking option is cloud-agnostic, and each provider offers a variation of it. Each provider's solution works with the others.

  • This is the only option supported by Solace when your network is partially, or completely on-premises.

Limitations:

  • The costs for this solution are covered by you, the customer. Contact Solace for information.

Bandwidth Limits: 1.25 Gbps per VPN tunnel (two tunnels are required per connection)

Multi-Region: Yes

Transitive Routing: Contact Solace for information.

Supported Networking Options for Dedicated Regions in Google Kubernetes Engine (GKE)

You can configure the Messaging Connectivity for your Dedicated Region deployment in a GKE cluster with the following networking options:

Google Kubernetes Engine (GKE)

Each entry below lists the networking option, its description, its benefits and limitations, its bandwidth limits, whether it supports multiple regions and transitive routing, and further reading.

VPC Peering

Description: Allows Messaging Connectivity between different VPCs. Messaging Connectivity can include:
  • Connections between a Dedicated Region and one, or many customer networks.

  • Connections between one or many Dedicated Regions.

Benefits:

  • Peering is the simplest solution in terms of infrastructure setup.

Limitations:

  • The CIDR ranges of your Dedicated Regions and networks must be unique. They cannot overlap or match.

  • Traffic can flow in both directions between the peered Dedicated Region and your network if your routing rules allow it.

Bandwidth Limits: None

Multi-Region: Yes

Transitive Routing: No

Further reading: GCP VPC Peering documentation

Private Service Connect

Description: Google's version of unidirectional endpoints. Private Service Connect uses a private endpoint to expose an endpoint of the event broker service directly to your network. Messaging traffic travels through the endpoint, over Google Cloud, and is not exposed to the public internet.

Benefits:

  • It doesn't matter if the CIDR range of your network and your Dedicated Region match, or overlap.

  • Network peering between the Dedicated Region and your network is not possible.

Limitations:

  • Communication is unidirectional. This means that features like REST Delivery Points (RDPs) and Kafka Bridge won't work unless the destinations are accessible via the public internet.

  • Setup is done with event broker service creation instead of when the Dedicated Region is created, which complicates manual configuration.

  • Source IPs cannot be preserved, so broker ACLs can't filter on source and debugging client connections can be complicated.

Bandwidth Limits: None

Multi-Region: Yes

Transitive Routing: Not applicable

Further reading: GCP Private Service Connect documentation

Site-to-site VPN

Description: Solace uses a VPN to connect your Dedicated Region to one, or many of your networks. The networks can be on premises, in the cloud, or a combination. Alternatively, Solace uses a VPN to connect many of your Dedicated Regions together (multi-cloud).

Benefits:

  • This networking option is cloud-agnostic, and each provider offers a variation of it. Each provider's solution works with the others.

  • This is the only option supported by Solace when your network is partially, or completely on-premises.

Limitations:

  • The costs for this solution are covered by you, the customer. Contact Solace for information.

Bandwidth Limits: 250,000 packets per second. Equivalent to approximately 1-3 Gbps, depending on packet size.

Multi-Region: Yes

Transitive Routing: Contact Solace for information.