VPN Access Gateway Selection by Geolocation of User


If you have a global workforce that needs to access the cloud with the best user experience, building a cloud network with Geo VPN access capability is the right solution for you.

The geolocation VPN feature combines the Aviatrix scale out VPN solution with latency based routing to dynamically route VPN users to the nearest VPN access gateway based on the latency between the user and the gateways.

VPN Access Details

An example deployment in AWS is shown below. In this configuration, there are two VPN access gateways: one in us-west-2 and another in eu-central-1. Each VPN access gateway is fronted by a load balancer in AWS.


Let’s look at the difference between a standard VPN access service and VPN access service with the Geolocation feature enabled:

Standard VPN Service (without geolocation feature enabled)

Without the Geolocation feature enabled, when a user connects to the VPN service, they will connect to one of the two regions’ VPN gateway. Each gateway is independently administered, meaning users need a separate configuration profile for each region they will access.

In this configuration, an EU-based user would be given a configuration profile for the eu-central-1 load balancer. And, a US-based user will be provided with a us-west-2 configuration profile. If either user relocates or travels to the opposite region, they will need a separate configuration profile in that region and they will need to manually switch the active configuration profile.


Geolocation VPN Service

With the Geolocation feature enabled, when a user connects to the VPN service, they are directed to a Route 53 or Azure DNS entry that uses a latency-based routing policy to choose between the available regions.

In this configuration, both the EU-based user and the US-based user would be given the same configuration profile. This configuration profile will select the closest region automatically using a latency-based routing policy defined on the DNS record.


Configuration Workflow

  1. Create a VPN gateway in each region


    Enable ELB on each gateway that will be associated with the Geo VPN feature.


    You must create at least one gateway to enable Geo VPN. You can add more gateways to the pool at any time.

  2. Once you have at least one VPN gateway created with ELB enabled, you are ready to proceed to the enable Geo VPN feature. Click on OpenVPN in the navigation menu and select Advanced.

  3. Click on the Geo VPN tab.

  4. Select the Cloud Type and click on the Disabled status to Enable the Geo VPN feature.


  5. Populate the fields:

    Field Description
    Account Name Select the cloud account where the DNS domain is hosted.
    Domain Name

    The hosted domain name.


    This domain name must be hosted by AWS Route53 or Azure DNS in the selected account.

    VPN Service Name The hostname that users will connect to. A DNS record will be created for this name in the specified domain name.
    ELB DNS Name Select the first ELB name to attach to this Geo VPN name. You can add others after this feature is enabled.


  6. Click OK



    If enabling Geo VPN fails, make sure the Domain Name you enter is a registered name under AWS Route 53 in a public hosted zone. In addition, this Domain name must be hosted in the account that you have access privilege. If the domain name is hosted by another account, you will not be able to add DNS record.

  7. For each additional region, repeat these steps:

    1. Click + Add New
    2. Select the ELB DNS Name
    3. Click OK



Add encrypted peering to connect regions.

Add Users

Once you have Geo VPN enabled, you can add users. Follow these steps to add users:

  1. Click the OpenVPN navigation menu item

  2. Click VPN Users

  3. Click the + Add New button

  4. In the VPC ID / DNS Name drop down, select the Geo VPN VPN service name created in the previous steps

  5. Populate the User Name and optionally the User Email

  6. Click OK


OpenVPN is a registered trademark of OpenVPN Inc.