Lobster Cloud supports site-to-site VPN as the standard connection type for secure communication between your on-premise network and your Lobster Cloud environment; apart from the exception noted below, no other AWS connection type is offered. This page covers the available VPN options, use cases, technical requirements, and important limitations.
What is included
Item | Details |
|---|---|
Included VPN connections | 2× site-to-site VPN connections per customer environment |
Maximum VPN connections | 5 per customer environment (VPC) |
Additional VPN connections | Available at extra cost. Please contact your Lobster Sales representative. |
Supported connection types
Lobster exclusively offers the following AWS connection services for cloud hosting:
Connection type | Status |
|---|---|
Site-to-Site VPN (IPsec/IKE) | Supported |
VPC Peering (between two AWS accounts) | Available in exceptional cases. Must be initiated by the customer. |
Transit Gateway | Not supported |
AWS PrivateLink | Not supported |
AWS Direct Connect | Not supported |
Client VPN | Not supported |
Important
All other AWS network connection services not listed above are not part of the Lobster Cloud offering and are not supported.
When you need a VPN
A VPN connection is required when your Lobster Cloud system needs to communicate with resources inside your private on-premise network. Typical use cases include:
Scenario | Description |
|---|---|
Local database integration | Connecting to a database located within your internal network (for example, SQL Server, Oracle, or MySQL). |
SAP connectivity | Integrating with SAP systems running in your on-premise environment. |
SMB/NFS file share access | Accessing shared folders on your local network. Your on-premise firewall must permit TCP port 445 (SMB) from the Lobster Cloud range through the tunnel; NFS typically uses port 2049 (TCP/UDP). |
ERP system integration | Connecting to ERP or other enterprise systems that are not publicly accessible. |
When you do not need a VPN
A VPN connection is not required for the following scenarios:
Scenario | Description |
|---|---|
Accessing the Lobster Data Platform | The platform is publicly accessible via HTTPS. No VPN is needed to log in and work with your system. |
External partner integrations | Connecting with external partners via AS2, HTTPS, SFTP, or other standard protocols does not require a VPN. |
Cloud-to-cloud integrations | Connecting to other cloud-based services or APIs that are accessible via the internet. |
Technical requirements
To establish a Site-to-Site VPN connection, your on-premise network must meet the following requirements:
Requirement | Details |
|---|---|
Firewall compatibility | Your firewall must support IPsec/IKE protocols. |
Static public IP | Your firewall must have a static public IP address. Dynamic IP addresses are not supported. |
Network range | Your internal network range must not overlap with the network range selected for your Lobster Cloud environment during the Pre-Call. |
Customer-side configuration | Lobster is only responsible for the VPN configuration on the AWS side. You are responsible for the configuration on your on-premise firewall. |
Network range planning
The VPN connection routes traffic between your on-premise network and your Lobster Cloud VPC. The network ranges on both sides must not overlap. During the Pre-Call, you select one of three private network ranges for your Lobster Cloud environment:
Option | Network range |
|---|---|
Option 1 | 10.248.249.0/24 |
Option 2 | 172.16.249.0/24 |
Option 3 | 192.168.249.0/24 |
The network range cannot be changed after provisioning. If you already use one of these ranges in your on-premise network, select one of the other options to avoid conflicts. Lobster will discuss the optimal choice with you during the Pre-Call to avoid the need for NAT routing.
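The overlap check described above, as an added Python example (not a Lobster tool): it tests every on-premise range against the three options and picks the first option that collides with nothing, falling back to "no option" when NAT on the customer firewall would be unavoidable. The sample on-premise ranges in the `__main__` block are constructed for illustration.

```python
import ipaddress

# The three Lobster Cloud VPC ranges offered during the Pre-Call (table above).
LOBSTER_RANGE_OPTIONS = {
    "Option 1": ipaddress.ip_network("10.248.249.0/24"),
    "Option 2": ipaddress.ip_network("172.16.249.0/24"),
    "Option 3": ipaddress.ip_network("192.168.249.0/24"),
}


def overlapping_options(onprem_cidrs):
    """For each option, list the on-premise CIDRs that collide with it.

    Pass every range that exists on-premise today *and* any range planned for
    later (branch offices, DR sites, other VPN peers): the VPC range cannot be
    changed after provisioning, so a future collision forces NAT on your side.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in onprem_cidrs]
    return {
        name: [str(n) for n in nets if n.overlaps(vpc)]
        for name, vpc in LOBSTER_RANGE_OPTIONS.items()
    }


def choose_lobster_range(onprem_cidrs):
    """Return (option name, network) for the first option that overlaps nothing.

    Returns (None, None) when all three options collide; in that case NAT has
    to be implemented on the on-premise firewall, since the AWS side cannot NAT.
    """
    for name, collisions in overlapping_options(onprem_cidrs).items():
        if not collisions:
            return name, LOBSTER_RANGE_OPTIONS[name]
    return None, None


if __name__ == "__main__":
    # Constructed sample: a site that uses the whole 10/8 and a 192.168/16 internally.
    site = ["10.0.0.0/8", "192.168.0.0/16"]
    for option, collisions in overlapping_options(site).items():
        status = "free" if not collisions else "collides with " + ", ".join(collisions)
        print(f"{option}: {status}")
    print("choose:", choose_lobster_range(site))
```

Note that a large internal aggregate such as 10.0.0.0/8 rules out Option 1 even if the specific /24 is unused on-premise, because the route for the aggregate would also match the Lobster range.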
NAT routing
Important
NAT routing is not available on the Lobster Cloud side. If NAT routing is required for your setup, this must be implemented on your on-premise firewall. Lobster works with you during the Pre-Call to find a suitable network range that avoids the need for NAT routing wherever possible.
Latency
Latency is an important factor when deciding between cloud hosting with VPN and an on-premise deployment. The following values provide guidance for typical scenarios:
Connection type | Typical latency | Best for |
|---|---|---|
VPN Site-to-Site | 20 to 50 ms | Standard business integrations, batch processing, EDI |
VPN setup process
Step | Description |
|---|---|
1 | Lobster provides you with a VPN Connection Sheet containing all required configuration details for your on-premise firewall. |
2 | Lobster configures the VPN on the Lobster side (Virtual Private Gateway, Customer Gateway, VPN tunnel). |
3 | You configure the VPN on your on-premise firewall using the details from the VPN Connection Sheet. |
4 | Both sides verify connectivity. The tunnel is IPsec-encrypted: traffic between your network and the Lobster Cloud VPC crosses the public internet only inside the encrypted tunnel, so it is never exposed in clear text. |
Info
The VPN can be set up separately after your system has been installed. It does not need to be configured at the same time as the initial provisioning.
Responsibilities
Area | Lobster | Customer |
|---|---|---|
VPN configuration (Lobster side) | Full responsibility | No action required |
VPN configuration (customer side) | Not managed by Lobster | Full responsibility |
Firewall configuration | AWS Security Groups only | Your on-premise firewall |
Troubleshooting | AWS-side diagnostics | Customer-side diagnostics |
Important
You have a duty to cooperate in setting up the VPN. Timely communication and accurate configuration on your side help keep the setup process efficient and within reasonable cost limits.
VPN configuration details
During the VPN setup, the following information is exchanged between Lobster and the customer.
Important notes
AWS Site-to-Site VPN negotiates only one unique security association (SA) pair per tunnel (one inbound and one outbound) in Phase 2. A policy-based firewall that creates a separate SA for every local/remote subnet pair will therefore fail with more than one subnet; use a route-based configuration or a single summarized traffic selector.
NAT routing is not possible on the AWS side.
With several on-premise subnets, you must either combine them into summarized CIDR blocks, set up NAT routing on the customer side, or build separate VPN connections.
The pre-shared key is exchanged out of band, separately from the Connection Sheet and over a different channel (e.g. read out during a Teams meeting).
AWS reference: https://docs.aws.amazon.com/vpn/latest/s2svpn/CGRequirements.html
Contact and device information
Field | Lobster Data GmbH | Customer |
|---|---|---|
Device type | Lobster Site-to-Site VPN | |
Device public IP | | |
Local network range | | |
Routing option
Routing type | Details |
|---|---|
Static | The customer's local network range(s) to be routed through the tunnel |
Dynamic (BGP) | The customer's Autonomous System Number (ASN) |
AWS VPN tunnel parameters
Parameters | Phase 1 – IKE | Phase 2 – IPsec |
|---|---|---|
IKE version | 2 | – |
Default mode | Main (an IKEv1 setting; has no meaning with IKEv2) | – |
Authentication method | Pre-shared key (PSK) | – |
Encryption algorithm | AES256 | AES256 |
Integrity algorithm | SHA2-256 | SHA2-256 |
Diffie-Hellman group | Group 14 (2048-bit MODP) | Group 14 (Perfect Forward Secrecy) |
Lifetime | 28800 s (8 h) | 3600 s (1 h) |
Default startup action | Add | – |
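A mismatch between these parameters and the proposal configured on the customer firewall is the usual reason a tunnel never comes up, or comes up weaker than intended. The following added Python example (not part of the Connection Sheet or of any Lobster tool) parses customer-side proposals written in strongSwan notation such as `aes256-sha256-modp2048` (the notation and the token tables are an assumption covering the common algorithms, not a complete list) and reports where they deviate from the table above.

```python
# Expected values per phase, taken from the AWS VPN tunnel parameters table.
EXPECTED = {
    "phase1": {"ike_version": 2, "enc": "aes256", "integ": "sha256", "dh": 14, "lifetime": 28800},
    "phase2": {"enc": "aes256", "integ": "sha256", "dh": 14, "lifetime": 3600},
}

# strongSwan proposal tokens (assumed subset). DH group numbers are the IANA transform IDs.
ENCRYPTION = {"3des", "aes128", "aes192", "aes256"}
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH_GROUPS = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
             "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21}
# Legacy algorithms that should not appear on a new tunnel even if the peer would accept them.
DEPRECATED = {"3des", "md5", "sha1", "modp1024", "modp1536"}


def parse_proposal(proposal):
    """Split 'aes256-sha256-modp2048' into encryption, integrity and DH group."""
    parsed = {"enc": None, "integ": None, "dh": None}
    for token in proposal.lower().split("-"):
        if token in ENCRYPTION:
            parsed["enc"] = token
        elif token in INTEGRITY:
            parsed["integ"] = token
        elif token in DH_GROUPS:
            parsed["dh"] = DH_GROUPS[token]
        else:
            raise ValueError(f"unknown proposal token: {token}")
    return parsed


def check_phase(phase, proposal, lifetime, ike_version=2):
    """Compare one phase of a customer-side configuration with the expected AWS values.

    Returns {"errors": [...], "warnings": [...]}. Errors break or weaken the
    negotiation (wrong IKE version, algorithm, or missing/wrong DH/PFS group).
    Warnings still connect but deserve a look: IKEv2 does not negotiate
    lifetimes, so a delta only means rekeys happen at the shorter interval,
    and legacy algorithms are flagged even where they happen to match.
    """
    want = EXPECTED[phase]
    got = parse_proposal(proposal)
    errors, warnings = [], []
    if phase == "phase1" and ike_version != want["ike_version"]:
        errors.append(f"IKE version {ike_version} != {want['ike_version']}")
    for key in ("enc", "integ", "dh"):
        if got[key] != want[key]:
            errors.append(f"{phase} {key}: {got[key]} != {want[key]}")
    if lifetime != want["lifetime"]:
        warnings.append(f"{phase} lifetime {lifetime}s != {want['lifetime']}s")
    for token in sorted(DEPRECATED.intersection(proposal.lower().split("-"))):
        warnings.append(f"{phase} uses legacy algorithm {token}")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: a Phase 1 left at an old firewall default.
    print(check_phase("phase1", "aes128-sha1-modp1024", 86400, ike_version=1))
    # Phase 2 without a DH group means no PFS, which the AWS side expects.
    print(check_phase("phase2", "aes256-sha256", 3600))
```

A Phase 2 proposal with no DH group is reported as an error rather than a warning: on this setup the AWS side expects PFS with group 14, and silently accepting a non-PFS child SA would mean that a compromised PSK exposes recorded traffic.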
VPN availability
Each AWS Site-to-Site VPN connection provides two tunnels that terminate on redundant AWS-side endpoints in separate Availability Zones. Provided both tunnels are configured on your firewall, traffic is routed through the second tunnel automatically if one tunnel or Availability Zone becomes unavailable, and no changes are required on your side in this scenario.
Default tunnel configuration
By default, Lobster configures one tunnel per VPN connection. This covers the majority of use cases and keeps the required configuration on your firewall straightforward. If your firewall supports dual-tunnel operation and you wish to enable the second tunnel for additional resilience, please raise this with the Lobster team during the VPN setup process.
Important
If both tunnels are configured on your on-premise firewall, both must be active. A VPN connection with only one configured tunnel provides no tunnel-level redundancy.
Routing and failover behavior
The failover behavior between tunnels depends on the routing type configured for your VPN connection.
With dynamic routing (BGP), failover is fully automatic. BGP continuously exchanges routing information between your firewall and the AWS-side gateway. If a tunnel becomes unavailable, BGP detects this automatically and reroutes traffic through the remaining tunnel without manual intervention.
With static routing, the AWS side will route traffic to the available tunnel automatically. However, your on-premise firewall must be configured to actively monitor both tunnels and switch to the available tunnel in the event of a failure. The exact configuration depends on your firewall and vendor. We recommend verifying this capability with your firewall vendor or administrator.
Included VPN connections
Your Lobster Cloud environment includes two VPN connections, which are available independently of each other. In the default setup, each connection is used for a separate network segment or site. If you require connection-level redundancy—meaning two separate VPN connections, each terminating on a dedicated on-premise firewall—both included connections would be used for this purpose. This requires two separate on-premise firewall devices, each with a static public IP address.
Regional scope
The VPN connection is scoped to the AWS region in which your Lobster Cloud environment is hosted. Redundancy applies within that region across multiple Availability Zones. In the event of a complete regional AWS outage, the Virtual Private Gateway is region-bound and does not automatically follow a workload to a different region. Recovery in such a scenario requires a coordinated process including VPN reconfiguration.
For standard operations and Availability Zone-level failures, your VPN connectivity is maintained automatically.
Routing limits
Both static and dynamic routing (BGP) are subject to a maximum of 100 routes per VPN connection when using a Virtual Private Gateway. For static routing, no more than 100 static routes can be configured. For BGP, the BGP session resets if more than 100 routes are advertised from your customer gateway device. If your on-premise network contains a large number of subnets, we recommend consolidating them using route summarization to stay within this limit.
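The following added Python example (not a Lobster tool) works through both limits that constrain a multi-subnet on-premise network: the 100-route limit above and the single-SA-pair note in the VPN configuration details. It summarizes a prefix list, counts the Phase 2 SA pairs a policy-based firewall would try to create, computes the single supernet such a firewall would need as its one local traffic selector, and checks that this selector does not swallow the Lobster VPC range. The 120 branch subnets in the `__main__` block are constructed for illustration.

```python
import ipaddress

MAX_ROUTES_PER_VPN = 100     # static routes / BGP-advertised prefixes per VGW VPN connection
MAX_SA_PAIRS_PER_TUNNEL = 1  # AWS negotiates a single Phase 2 SA pair per tunnel


def summarize(cidrs):
    """Collapse a list of prefixes into the minimal set of non-overlapping supernets.

    Only adjacent, aligned blocks merge, so this never widens what is routed.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def smallest_supernet(cidrs):
    """Single prefix covering every input prefix.

    This is what a policy-based firewall needs as its one local traffic
    selector to stay within the single-SA-pair limit. Unlike summarize(), it
    can pull in address space you never intended to route.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    net = nets[0]
    while not all(net.supernet_of(n) for n in nets):
        net = net.supernet()
    return str(net)


def plan_routes(onprem_cidrs, lobster_cidr):
    """Check an on-premise prefix list against the route limit and the SA-pair limit."""
    lobster = ipaddress.ip_network(lobster_cidr)
    routes = summarize(onprem_cidrs)
    # One remote prefix (the Lobster VPC) times N local prefixes = N policy-based SA pairs.
    sa_pairs = len(routes)
    selector = ipaddress.ip_network(smallest_supernet(onprem_cidrs))
    return {
        "raw_prefixes": len(onprem_cidrs),
        "routes": routes,
        "within_route_limit": len(routes) <= MAX_ROUTES_PER_VPN,
        "policy_based_sa_pairs": sa_pairs,
        "needs_single_selector": sa_pairs > MAX_SA_PAIRS_PER_TUNNEL,
        "single_selector": str(selector),
        # A selector that contains the Lobster VPC range would black-hole tunnel traffic.
        "selector_overlaps_lobster": selector.overlaps(lobster),
    }


if __name__ == "__main__":
    # Constructed sample: 120 branch /24s that would exceed the 100-route limit unsummarized.
    branches = [f"10.10.{i}.0/24" for i in range(120)]
    for key, value in plan_routes(branches, "10.248.249.0/24").items():
        print(f"{key}: {value}")
```

Two things to read off the result: summarization alone brings 120 prefixes down to four routes, which satisfies the route limit but still means four SA pairs for a policy-based device, and widening to one selector is only safe when `selector_overlaps_lobster` is false; if it is true, the remaining options are NAT on the customer side or separate VPN connections, as stated in the notes above.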