5 reasons VPNs suck in the cloud

VPNs-Suck-in-the-Cloud-LargeIf you’ve been around the block a few times, you’re probably wondering why the title of this post isn’t, 50 Reasons VPNs Suck in the Cloud.

VPNs have long been the bane of both administrators and users (and lets not forget, support). They’re clunky, complex, and costly, and the same is true when they’re deployed to secure cloud access.

Today, VPNs are increasingly used to connect to cloud computing resources. Either by routing traffic back through the corporate network or direct to the cloud provider, VPNs offer authentication and transport-layer encryption to keep the bad guys out and sensitive information secure. But at what cost?

Both VPN configurations (corporate and provider) are complex to set up, require client agents with loads of support, and can be expensive to maintain. Arguably, there’s room for – and exists – a better approach to securing access to cloud servers.

We’ll get to what that is in a coming post, but for now we thought we’d share a few reasons why VPNs suck in the cloud, in reverse order (for effect).

5 Reasons why VPNs suck in the cloud

#5: Cloud VPNs don’t scale

Is your cloud spread across multiple regions? Get ready to spin up multiple VPN servers (for HA) in each. The larger, more distributed your cloud is, the more backend infrastructure, complexity, and cost you’ll have just to support VPN.

#4: Local VPN clients never work

OS updates, routing and NAT complexities, and frequent VPN client updates make client-side VPN apps a real hassle. How many times have you been at a conference or in a hotel, and your VPN client can’t connect? Well, the same is true for your peers, and your support team feels the pain every time they pick up the phone.


#3: No audit records

When a user VPNs directly to the provider, you might be able to get some audit details showing when they connected, for how long, etc., but only when you retrieve this info manually from your VPN service. Alternatively, if you’re VPN’ing back through corporate, you won’t have an audit trail to see who’s accessed your cloud server, when, from where, and for how long. It’ll all just look like corporate network traffic. So, if ever there’s an incident, you’re likely left high and dry.

Screen Shot 2013-02-14 at 9.17.26 AM

#2: VPNs don’t work the way you do

You don’t have one device; you’ve got many. You work from home, you work on the road, you use your mobile, etc. Does your VPN? Is your VPN client supported on all your devices? Does it let you connect from your in-law’s machine when all hell breaks out during the holidays? Probably not.

#1: VPNs don’t do much

You spin up a VPN to secure your cloud resources, but the truth is VPNs are redundant and often over expose your cloud servers.

Anyone that authenticates via VPN has unfettered access to all of the services in your cloud. Hence, cloud VPNs overly expose your resources. Even with a VPN, you still need to manage your firewall policy, which can be used to more efficiently augment/replace VPN, since your protocols are encrypted anyway.

What’s worse, VPNs don’t really do much to secure your cloud infrastructure. They don’t manage or work in combination with your firewall policy, encrypt the data on your server, or audit for compliance – they’re merely a method of transport-layer protection to encrypt what’s typically an already encrypted tunnel (e.g., SSL, SSH, etc.). See our post: Why VPNs Clients are Dead in the Cloud. So with VPNs, you’re basically just protecting something that’s already secured.

So, if VPNs suck and just about everyone hates them, then why are they so popular? Well, VPNs are what most people know from traditional IT. Your probably, however, haven’t had experience with new, innovative technologies like Dome9. But that’s why you’re here, reading this post, and we invite you to try our service free, for 30 days.

In the words of the great Doctor, Dr. Seuss, “Try them! Try them! And you may. Try them and you may I say.”

Want to add your thoughts? Visit the comments section below, and stay tuned for more posts on this topic.
Related Stories

Leave a comment


This will only be used to quickly provide signup information and will not allow us to post to your account or appear on your timeline.