VPN Support for Heroku Private Spaces

Today we're excited to announce Site-to-Site Virtual Private Network (VPN) support for Heroku Private Spaces. Heroku customers can now establish secure, site-to-site IPsec connections between Private Spaces on Heroku and their offices, datacenters and deployments on non-AWS clouds.

VPN is a powerful, proven and widely-adopted technology for securely combining multiple networks (or adding individual hosts to a network) over encrypted links that span the public Internet. VPN is well-understood and in use by most enterprise IT departments, and is supported on all major cloud providers and by a range of hardware and software-based systems.

VPN support complements Private Space VPC Peering and makes it simpler to securely build and maintain apps with dependencies that span Heroku, AWS, on-prem, Google Cloud Platform and other clouds. VPN and VPC Peering are examples of new features that are making Heroku easier for sysadmins and network engineers to integrate into existing infrastructure. We’re calling it "Better Together": For enterprises with large investments in legacy systems, we know that moving everything to the cloud in one fell swoop is not an option, and we're committed to letting you move gradually by making it simple and easy to build secure and reliable systems that straddle Heroku and existing infrastructure.


Internal Routing

Internal Routing is a companion feature for building microservices-based architectures on Heroku that we’re launching in conjunction with VPN support. You can now run multiple apps in a Private Space, for example a web front-end and an API back-end, and only publish the web front-end to the Internet. The front-end app has secure and performant access to the internally-published API, without traffic flowing over the public internet. API requests still transit the full Heroku HTTP stack so you don’t lose any Heroku features such as logging, load balancing or autoscaling. Check out the companion blog post on Private Spaces Internal Routing for details.

Cabinet Secretariat: Internal Routing with Access Secured by VPN

Cabinet Secretariat is an agency of the Japanese government that's building apps on Heroku. By using Heroku, Cabinet Secretariat can continuously improve apps and launch new ones to meet expanding requirements without worrying about setting up or maintaining infrastructure. One of Cabinet Secretariat's new apps is going to handle sensitive data and it’s a requirement that it only be accessed in an intranet-like fashion by government workers from secured networks and endpoints over VPN, as an additional security precaution.

VPN combined with Internal Routing is what makes that work, because Heroku apps can now be published on an endpoint that's only accessible within the Private Space and from VPC-peered or VPN-connected networks. By combining Heroku's new VPN and Internal Routing features, Cabinet Secretariat is getting the best of both worlds: Intranet apps can be built and deployed quickly and updated frequently, and access is strictly limited because apps are only available to users that are on a private network connected to the Heroku Private Space via VPN.

Hybrid and Multi-Cloud Architectures

Configuring Private Space VPN is simple. To give you an idea of how the feature can be used to build Heroku apps that securely interact with services that are on-prem or in non-AWS clouds, we’ve built examples that show how to configure a Heroku-to-Google Cloud Platform VPN link. Check out the Dev Center guide for both manual setup instructions and an automated Terraform template.

Summary

Heroku Private Space VPN support is a powerful new tool for network engineers and admins to integrate Heroku apps with existing systems running on-prem and on non-AWS clouds. Combined with Heroku VPC Peering for AWS VPCs, it’s now possible to build secure hybrid cloud setups that span AWS, GCP, on-prem and Heroku. We can’t wait to see how Heroku customers use these new features to build and run great apps that interact with data sources and services that were not previously accessible securely from Heroku. For more information on Private Space VPN, see the Dev Center article, or contact Heroku.
