From Integration to Innovation: Dynamic VPNs for Real-Time Payments


By Victor Bona, Senior Software Engineer at Valari

Summary

The article explores the challenges and solutions involved in integrating financial institutions with service providers that require secure VPN connections. At Valari, we have developed a Dynamic VPN System to automate and manage these connections efficiently for our customers. By leveraging StrongSwan for VPN management, custom proxies for traffic routing, and AWS infrastructure, we ensure scalability and reliability. This system allows financial institutions to securely connect with service providers like STP, which require dedicated VPN connections for real-time bank transfers while maintaining high availability and compliance with security standards.

In this blog post, we’ll delve into the architecture of Valari’s Dynamic VPN System, the technical challenges we faced, and how we’ve ensured reliability and scalability in our solution.

Background

At Valari, we empower financial institutions to create engaging digital banking experiences for their customers. Our headless banking platform includes a customizable white-label web and mobile application, allowing clients to tailor services for individuals, sole proprietors, and businesses. A key feature of our platform is its composability, offering a comprehensive marketplace with pre-built integrations from top service providers. These providers specialize in areas such as bank transfers, identity and government verification, and card issuing.

Integrating with service providers varies; some offer simple APIs accessible via HTTPS for authentication, sending requests, and receiving inbound requests through a webhook endpoint. However, when handling financial transactions, providers often demand higher security and compliance standards. Most require private network connections via VPNs to ensure data confidentiality and meet strict security requirements. As a multi-tenant platform, Valari must dynamically manage these VPN connections. This presents an infrastructure challenge, as we must ensure reliability, efficiency, and personalization while keeping costs low and maintaining quality and sustainability.

To address this, we were tasked with developing a custom toolset that lets us launch a dynamic VPN connection for each Tenant (customer) to a service provider. Our infrastructure is built on top of StrongSwan for the VPN tunnels, a custom proxy tool that sits as middleware in the integration path, and custom infrastructure resources for IP pools and compute.

Goals

Our goal was to create a scalable and reliable system that:

  • Automates VPN Setup: Dynamically establishes VPN connections when needed.

  • Assigns Unique IPs: Provides each Tenant with a unique IP address for integration.

  • Partially creates and lends new infrastructure: Provides each Tenant with custom infrastructure to handle the connection.

  • Handles Diverse Configurations: Supports various VPN configurations required by different service providers.

  • Ensures Reliability: Maintains high availability and recovers gracefully from failures.

Use Cases

Our main market is Mexico, so we needed a user-friendly solution for clients to connect with a service provider directly linked to the Bank of Mexico. This connection allows real-time bank transfers through the SPEI payment rail. STP is a popular provider, but integrating with them requires each tenant to set up a private VPN connection, whitelist a single IP, and configure specific attributes. STP facilitates SPEI transfers between financial institutions, making secure and private connections essential due to the sensitive nature of financial data and transactions.

Valari provides a composable digital banking platform, which allows our customers (Tenants) to select the service providers they want to work with, and we manage the integration, infrastructure and operation of their digital service offering. To deliver this, we have created the first Integration Marketplace, so our goal was to allow every Tenant to select STP from this list and configure their own direct connection in 5 minutes by only setting up their credentials.

Requirements

Automates VPN Setup

We needed a solution that could dynamically establish VPN connections whenever required. Manual setup of VPNs is time-consuming and error-prone, especially when dealing with multiple service providers and users. By automating the VPN setup, we ensure that new connections are established swiftly and consistently, reducing the time to onboard new users and minimizing the risk of misconfiguration. This automation is crucial for maintaining agility in a competitive fintech market where rapid integration can be a significant advantage.

Assigns Unique IPs

Providing each tenant with a unique IP address for integration is essential for both security and compliance. Unique IPs enable precise access control and monitoring, allowing service providers to whitelist specific IPs and track activity on a per-tenant basis. This isolation prevents potential conflicts and ensures that the actions of one tenant do not impact others. Additionally, it simplifies troubleshooting by making it easier to identify and resolve issues specific to a tenant’s connection.

Partially Creates and Lends New Infrastructure

Our system must provision custom infrastructure for each tenant to handle their connection. This involves allocating compute resources, network interfaces, and other necessary components tailored to the tenant’s needs. By partially creating and lending this infrastructure, we optimize resource utilization—allocating resources when needed and reclaiming them when not. This approach offers scalability and cost-effectiveness, ensuring that we can support a growing number of tenants without unnecessary overhead.

Creating dedicated infrastructure per tenant also enhances security and performance. It allows us to apply tenant-specific configurations and policies, ensuring compliance with varying service provider requirements. Moreover, it isolates tenants from one another, preventing potential security breaches from propagating across the system.

Handles Diverse Configurations

Service providers often have unique VPN configuration requirements, including specific encryption protocols, authentication methods, and network settings. Supporting this diversity is vital for seamless integration. Our system must be flexible enough to accommodate these variations without requiring extensive manual reconfiguration for each new service provider.

By handling diverse configurations, we expand our ability to partner with a wide range of service providers, offering our users more options and capabilities. It also future-proofs our system against new or evolving standards in VPN technology, ensuring long-term compatibility and relevance.

Ensures Reliability

In the fintech industry, reliability is a must. Downtime or interruptions can lead to financial losses and damage to reputation. Our system must maintain high availability, automatically recovering from failures with minimal impact on users.

We achieve reliability through redundancy and intelligent failover mechanisms. By monitoring the health of VPN connections and compute instances, our system can proactively detect issues. In case of a failure, it can re-establish connections in different availability zones, ensuring continuous operation. Additionally, by queuing transactions during interruptions, we prevent data loss and ensure that operations resume smoothly once the connection is restored.

Ensuring reliability not only meets the expectations of our users but also complies with regulatory requirements for uptime and data integrity in financial services.

Architecture

To address the challenges of dynamically establishing secure VPN connections for each Tenant, we designed a robust architecture that leverages StrongSwan for VPN management, custom proxies for traffic routing, and AWS infrastructure for scalability and reliability.

StrongSwan VPN Connections

At the core of our VPN management is StrongSwan, an open-source IPSec-based VPN solution. For each Tenant that configures a service provider requiring a VPN (such as STP), we establish a new VPN connection by generating a custom StrongSwan configuration.

The process involves:

  1. Configuration Generation: Using templating tools like Nunjucks, we dynamically generate the StrongSwan configuration file tailored to the Tenant’s requirements and the service provider’s specifications.

  2. Configuration Deployment: The updated configuration file is securely deployed to the StrongSwan service running on an AWS EC2 instance.

  3. Service Restart: After deploying the new configuration, the StrongSwan service is restarted to apply the changes.

During the brief period while the service restarts, transactions targeting that service provider over the VPN are paused to prevent data loss or errors. This minimal downtime is acceptable because it ensures the correct configuration is applied and guarantees that no data is lost and customer trust is not harmed.

In case of any issues with StrongSwan, automated restoration processes kick in. Transactions are queued during downtimes, ensuring that no data is lost and operations resume smoothly once the service is back online.

Elastic IP Allocation and Proxy Setup

For each Tenant, we allocate a unique static IP from a designated IP pool within a private subnet. This IP serves as the identifiable endpoint for the Tenant’s VPN connection and is whitelisted by service providers like STP.

The steps involved are:

  1. Elastic IP Leasing: A new IP is “leased” and associated with the Tenant.

  2. Network Interface Attachment: The IP is attached to a network interface on the EC2 instance running the proxy.

  3. Proxy Deployment: A custom containerized proxy application is deployed, binding to the IP/Network Interface and handling traffic for the Tenant.

  4. Endpoint Configuration: The proxy exposes a listener on the leased IP under a path specific to the Tenant (e.g., /<tenantKey>), providing a unique address for the Tenant to share with the service provider.

DNS and Routing

We utilize a private DNS to create specific hostnames for each Tenant, accessible only within the private Tenant STP subnet. StrongSwan handles DNS resolution, ensuring that all requests from and to the service provider use the leased IP and the Tenant-specific domain to route traffic through the VPN connection.

This setup ensures that traffic is correctly directed and that the isolation between Tenants is maintained.

Scalability Considerations

Given the limitations on the number of network interfaces and IPs that can be attached to a single EC2 instance, we have designed the system to scale both horizontally and vertically.

Horizontal Scaling

When we reach the limit of network interfaces or IPs on an instance, we provision a new EC2 instance to handle additional VPN connections. For example, an m5.xlarge EC2 instance can handle up to 4 network interfaces, each supporting up to 15 IPs, allowing for 60 private VPN connections per instance.

Vertical Scaling

Alternatively, we can scale vertically by selecting instance types that support a higher number of network interfaces, increasing the capacity for VPN connections on a single instance. This flexibility ensures we can accommodate growth without significant architectural changes.

Reliability and Failover Mechanisms

Reliability is achieved through automated monitoring and recovery processes.

Automatic Restoration

In the event of issues with the StrongSwan service, automated restoration processes are initiated. During downtimes, transactions are queued, preventing data loss and ensuring that operations resume smoothly once the service is back online.

Lambda Functions for Failover

We use AWS Lambda functions to perform EC2 network interface reassignment in case of prolonged downtimes. These functions monitor the health of the VPN connections and can quickly reassign resources to healthy instances in different availability zones, minimizing downtime.

Retry Policies and Queueing

Our system implements robust retry policies. If a transaction fails due to a connectivity issue, it is retried according to predefined intervals. Transactions are kept in a queue during any service interruptions, ensuring consistency and reliability without overloading the system upon recovery.

End-to-End Workflow

  1. Tenant Requests Integration: A Tenant configures a service provider that requires a VPN connection, providing all required configuration parameters.

  2. Elastic IP Allocation: The system leases a unique static IP for the Tenant and attaches it to a network interface on an EC2 instance.

  3. Configuration Generation: Tenant-specific configurations for StrongSwan and the proxy are generated using templating tools.

  4. Deployment and Service Restart: Configurations are deployed, and the StrongSwan service is restarted to apply the new VPN connection.

  5. Proxy Setup: The custom proxy binds to the leased static IP and is configured to handle traffic for the Tenant, providing a unique endpoint.

  6. DNS Configuration: A private DNS entry is created for the Tenant, facilitating proper routing of traffic through the VPN.

  7. Operational Monitoring: The system continuously monitors the health of the VPN connections and associated infrastructure.

  8. Handling Downtimes: In case of any issues, transactions are queued, and automated recovery mechanisms initiate failover processes.

By following this workflow, we ensure that each Tenant has a dedicated and secure VPN connection, with minimal manual intervention and downtime.

Security Considerations

Security is paramount in our architecture.

  • Isolated Environment: Each Tenant operates within an isolated environment, preventing unauthorised access and ensuring data integrity.

  • Secure Access: Management access to EC2 instances is secured using SSH keys and restricted to specific IP addresses and security groups.

  • Encrypted Communication: All communications between the Tenant, Valari, and the service provider are encrypted using industry-standard protocols.

  • Compliance: The architecture complies with regulatory requirements, including data protection and financial services regulations.

Conclusion

The development of Valari’s Dynamic VPN System marks a significant leap forward in real-time payment capabilities for Financial Institutions that historically have been excluded from the system for lacking the infrastructure and team to deliver a fully digital experience to their customers.

By automating VPN setup, assigning unique IP addresses to each Tenant, and provisioning custom infrastructure, we’ve built a solution that is both scalable and reliable. Our architecture effectively addresses the complexities of integrating with service providers like STP, which demand dedicated VPN connections and stringent security measures.

Valari’s Dynamic VPN System empowers leading tech companies and financial institutions to launch digital solutions fast with confidence. It exemplifies our dedication to innovation, security, and excellence in service delivery. As we look to the future, we remain focused on refining this system, expanding its capabilities, and exploring new ways to support our users in an ever-evolving fintech landscape.
