What is STACKIT VPN?
STACKIT VPN is a managed VPN gateway service that establishes encrypted IPsec site-to-site tunnels between on-premise networks and the STACKIT Cloud. The service uses the standard IPsec protocol with IKEv2 and connects external networks to your cloud resources through a STACKIT Network Area (SNA). STACKIT VPN solves the problem of connecting local data centers and branch sites to a sovereign EU cloud securely and without dedicated hardware appliances.
The service consists of two components: the VPN gateway as the access point into the SNA, and the VPN connections, which are the actual encrypted tunnels. The gateway is built internally as an active-active architecture with two instances that provide parallel, resilient tunnels. A separate tunnel interface is created per availability zone, so the connection stays available even if one zone fails.
Core features
- IPsec tunnels with IKEv2: Encrypted, industry-standard site-to-site connections between on-premise and the STACKIT Cloud.
- Active-active high availability: The gateway internally consists of two instances that provide parallel tunnels; a separate tunnel interface is created per availability zone.
- Three routing modes: policy-based (with local and remote subnets), static route-based via a Virtual Tunnel Interface, and BGP route-based for dynamic routing.
- Bandwidth by plan: Select guaranteed bandwidth by plan or SKU, from 100 Mbit/s to 1,000 Mbit/s per the release notes. IKE rekey times are configurable.
Typical use cases
- Hybrid cloud connectivity: Connect an existing data center to the STACKIT Cloud over encrypted tunnels and run workloads across sites without routing traffic over the open internet.
- Multi-site connectivity: Use BGP route-based routing to connect several branch sites dynamically to the STACKIT Network Area and exchange routes automatically.
- Multi-cloud networking: Establish IPsec tunnels between STACKIT and other environments to connect distributed architectures in a sovereign, encrypted way.
Benefits
- Managed service without your own VPN hardware or manual appliance operation
- Resilient active-active architecture with one tunnel interface per availability zone
- EU-sovereign operation in the Schwarz Group cloud (region eu01)
Integration with innFactory
As an official STACKIT Partner, innFactory supports you with the adoption and operation of this service.
Frequently Asked Questions
What is STACKIT VPN?
STACKIT VPN is a managed IPsec gateway service that establishes encrypted site-to-site tunnels between on-premise networks and the STACKIT Cloud. The service uses IKEv2 and connects external sites to a STACKIT Network Area (SNA). An active-active architecture provides parallel, resilient tunnels.
When should I use STACKIT VPN?
Use STACKIT VPN when you need to connect data centers or branch sites securely to the STACKIT Cloud, for example for hybrid architectures, data migration, or accessing cloud workloads from your own network. For multiple sites or dynamic topologies, the service supports routing via BGP.
How much does STACKIT VPN cost?
Billing is plan- or SKU-based per VPN gateway and tiered by bandwidth. During the current beta phase the service is free of charge. The exact bandwidth and the number of included connections depend on the selected plan. For binding prices, refer to the official STACKIT pricing overview.
Which routing modes and limits does STACKIT VPN support?
The service supports three routing modes: policy-based (with local and remote subnets), static route-based via a Virtual Tunnel Interface (VTI), and BGP route-based for dynamic routing. IKE rekey times are configurable: Phase 1 between 900 and 28800 seconds, Phase 2 between 900 and 3600 seconds. Per the release notes, bandwidth ranges from 100 Mbit/s to 1,000 Mbit/s. STACKIT VPN requires an existing STACKIT Network Area.
