VPN Setup
Learn the cooperative process for setting up VPN connectivity with Titan Cloud.
For the most secure and reliable ATG connectivity, we strongly recommend using a business-to-business VPN tunnel, managed by the client.
As the client has ownership of all network security and routing for their VPN, connectivity setup in Titan Cloud requires coordination between the client's IT department and our Operations team.
Note: Please direct customers requiring assistance with VPN-related issues to email ITNetworkOps@titancloud.com.
Networking diagram depicting the requested VPN solution, if required by the client's IT department: Diagram PDF
Steps for Setting up VPN
Step 1: Client Completes Worksheet
Titan provides the client with a copy of this VPN worksheet.
Tip: If a client has questions or concerns with the worksheet, Titan Cloud should set up an introduction call with their IT department.
The client must complete all yellow-highlighted fields in the worksheet (C12, C13, B/C15) before returning it to Titan.
These fields are described below.
Cell | Field | Explanation |
---|---|---|
C12 | Tunnel endpoint IP address | This is the client's Peer IP. The client can provide 1 or 2 Peer IPs; 2 Peer IPs are used for redundancy on the client's side. For every 1 Peer IP the client provides, Titan will provide 2 Peer IPs for redundancy on the AWS side. A fully redundant VPN setup will consist of 4 tunnels. The client is only required to implement 1 tunnel if they are unable to implement redundancy or uninterested in it. AWS treats all tunnels as Active-Active. If the customer's network cannot properly route traffic based on all active tunnels, the customer should only implement 1 active tunnel. |
C13 | Remote Accessible Networks | This is the network(s) the ATGs reside in. |
B/C15 | Routing | The option to choose here is controlled entirely by the customer's network setup; however, Routed IPSec or BGP is preferred over Policy based if available. IPSec or BGP will typically allow for redundant tunnels. Policy based typically will not allow for redundancy. If BGP, the client must provide the ASN. |
C17 | BGP ASN | This field is required if “Dynamic (BGP, Routed IPSEC)” is selected in cell B/C15. |

The IPSec Parameters section, cells BC22-35, has default values populated based on our preferred configuration. The client must read these carefully and either accept the defaults or use the drop-down menus in the cells to choose from our supported parameters.
Step 2: Provision Resources
Once the worksheet is returned to Titan Cloud, we will provision the VPN resources in AWS.
Additionally, the application will have the appropriate VPN options added for the customer.
Step 3: Titan Cloud Completes Worksheet
Once the VPN resources are provisioned, Titan Cloud will complete the remaining items on the worksheet and return it to the client.
Step 4: Standup and Testing
At this point, the client can stand up the VPN at any time.
We can schedule a call for this, or the customer can communicate via email. Additionally, testing the VPN requires at least one IP and Port for an ATG.
Tip: Many VPNs are set up via email; however, larger clients can involve multiple stakeholders and red tape, so one or more setup calls may be required. Even if these are at odd hours, we can accommodate as needed.
Port Access
In order to access the ATG over the VPN, we need to ensure the following default ports**** are open to Titan. We ask that all of these ports are allowed on all ATGs, to prevent issues with incorrectly identified ATGs.
The ATG is usually configured with one of these ports for Serial Console access:
- 10001 - Required for all Veeder Root ATGs and most ATGs running in a Veeder Root emulation mode.
- 8001 - Required for all Franklin Fuel ATGs
- 22 - Required for Veeder Root TLS-450 Plus
The ATG is usually configured for either port 80 or 443 for API and Web Connect, depending on the age of the device and the firmware version:
- 443 - Required for Franklin Fuel TS550 and EVOs, Veeder Root TLS-450
- 80 - Required for Franklin Fuel TS550 and EVOs, Veeder Root TLS-450
**** It is possible that the customer has changed the default ports on the ATGs. If this is the case, the customer will need to provide access to the configured ports instead.
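A client IT team can pre-check the worksheet values and derive the port allow-list for the ATG networks before returning the worksheet. The script below is an added example, not Titan Cloud tooling; the function names, the "dynamic"/"policy" routing labels, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Default ATG ports from the Port Access section of this page.
DEFAULT_ATG_PORTS = (22, 80, 443, 8001, 10001)

def check_worksheet(peer_ips, remote_networks, routing, bgp_asn=None):
    """Pre-check the client cells; returns (errors, warnings, tunnel_count).

    routing: "dynamic" or "policy" (hypothetical labels for the B/C15 choice).
    """
    errors, warnings = [], []
    if len(peer_ips) not in (1, 2):  # C12: the client provides 1 or 2 Peer IPs
        errors.append("C12: provide 1 or 2 peer IPs")
    for ip in peer_ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"C12: invalid peer IP {ip!r}")
    if not remote_networks:  # C13: the network(s) the ATGs reside in
        errors.append("C13: at least one ATG network is required")
    for net in remote_networks:
        try:
            ipaddress.ip_network(net)  # strict parsing rejects set host bits
        except ValueError:
            errors.append(f"C13: invalid network {net!r}")
    if routing == "dynamic":  # C17: ASN required when dynamic routing is chosen
        if bgp_asn is None or not 1 <= bgp_asn <= 4294967295:
            errors.append("C17: BGP ASN required for dynamic routing")
    elif routing == "policy":
        if len(peer_ips) > 1:
            warnings.append("B/C15: policy based typically will not allow redundancy")
    else:
        errors.append(f"B/C15: unknown routing option {routing!r}")
    # Titan provides 2 AWS-side Peer IPs for every client Peer IP.
    return errors, warnings, 2 * len(peer_ips)

def allow_list(remote_networks, ports=DEFAULT_ATG_PORTS):
    """(ATG network, port) pairs to permit across the tunnel, nothing broader."""
    return [(str(ipaddress.ip_network(n)), p) for n in remote_networks for p in ports]

if __name__ == "__main__":
    # Constructed sample values (documentation and private address ranges).
    errs, warns, tunnels = check_worksheet(
        ["203.0.113.10", "203.0.113.11"], ["10.20.30.0/24"], "dynamic", bgp_asn=65010)
    print(errs, warns, tunnels)
    for net, port in allow_list(["10.20.30.0/24"]):
        print(f"permit {net} port {port}")
```

If the default ports have been changed on the ATGs, pass the configured ports as the `ports` argument instead.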