We’re seeking guidance on selecting the most appropriate Virtual Appliance (VA) configuration for our environment. We’d like to gain a deeper understanding of the key factors influencing this decision.
To help us confidently advise our client, we’d appreciate insights on the following:
Decision-Making Criteria: What are the critical considerations when choosing between Standard and Network Tunnel VAs? Are there specific use cases that favor one configuration over the other?
Performance Implications: Are there any anticipated performance differences between Standard and Network Tunnel VA configurations?
Management Overhead: How does the ongoing management complexity differ between Standard and Network Tunnel VAs?
Additionally, if there are any best practices or general recommendations you can share regarding VA selection, we’d be grateful to learn from your experience.
Here are some key considerations when choosing between Standard and Network Tunnel Virtual Appliances (VAs) in SailPoint IdentityNow:
Decision-Making Criteria:
Standard VA: Use a Standard VA when you need to provision/aggregate from on-premises sources that can be directly accessed by the VA without requiring a VPN or network tunnel. Standard VAs are generally easier to set up and manage.
Network Tunnel VA: Choose a Network Tunnel VA when the sources reside in a restricted network or require VPN access. The Network Tunnel VA allows you to establish a secure tunnel between your network and the IdentityNow tenant. Use cases that require traversing firewalls or connecting to sources on an internal network often favor Network Tunnel VAs.
Performance Implications:
There are generally no significant performance differences between Standard and Network Tunnel VA configurations. The primary factor affecting performance is the sizing of the VA based on the number of sources and load.
However, if the network tunnel introduces substantial latency or bandwidth constraints, it could potentially impact the performance of provisioning and aggregation tasks. Ensure the network tunnel is properly configured and has sufficient bandwidth.
Management Overhead:
Standard VA: Managing a Standard VA is relatively straightforward. You need to ensure the VA has network connectivity to the sources and configure the necessary firewall rules. Updates and patches are automatically handled by SailPoint.
Network Tunnel VA: Managing a Network Tunnel VA involves additional steps. You need to set up and maintain the network tunnel configuration, which may require coordination with network and security teams. Ensure the tunnel is stable, secure, and properly maintained. Additionally, you may need to manage routing and firewall rules specific to the tunnel setup.
Best Practices and Recommendations:
Assess your network topology and source accessibility requirements to determine whether a Standard or Network Tunnel VA is more suitable.
If possible, use a Standard VA for simplicity and ease of management, unless your network architecture or security policies dictate the need for a Network Tunnel VA.
Properly size the VA based on the number of sources, concurrent aggregations, and expected load. Consult SailPoint documentation or engage with SailPoint support for sizing guidance.
Regularly monitor the health and performance of the VA, including CPU, memory, and network utilization. Scale the VA if necessary to ensure optimal performance.
Keep the VA up to date with the latest patches and updates provided by SailPoint.
Implement proper security measures, such as strong authentication and access controls, to protect the VA and the connected sources.
Establish a maintenance and support plan for the VA, including monitoring, troubleshooting, and incident response procedures.
Remember, the choice between Standard and Network Tunnel VAs depends on your specific network architecture, security requirements, and source accessibility needs. It’s recommended to consult with SailPoint support or professional services for tailored guidance based on your unique environment.
Decision-Making Criteria
When choosing between Standard and Network Tunnel VAs, consider the following critical factors:
Connectivity Requirements:
Standard VA: Connects directly to target systems through pre-configured firewall rules. Best suited for environments where secure and direct network access to target systems can be configured and maintained.
Network Tunnel VA: Establishes a secure tunnel between the IdentityNow cloud and the on-premises network. Ideal for environments where direct access through firewalls is restricted or where additional layers of security are required.
Security Considerations:
Standard VA: May require multiple firewall openings for each target system, increasing the surface area for potential vulnerabilities.
Network Tunnel VA: Provides enhanced security by reducing the number of firewall configurations needed and encapsulating communication through a single secure tunnel.
Use Cases:
Standard VA: Suitable for simpler network architectures with fewer firewalls or when connecting to external systems directly.
Network Tunnel VA: Preferable in highly regulated industries (e.g., finance, healthcare) where stringent compliance requirements necessitate secure and centralized tunneling.
Scalability:
Standard VA: May require additional configuration for each new target system.
Network Tunnel VA: Simplifies scalability by providing a single tunneling endpoint for multiple systems.
Performance Implications
Latency:
Standard VA: Direct access to target systems generally results in lower latency, as there is no intermediate tunneling mechanism.
Network Tunnel VA: May introduce slight latency due to encryption and tunneling overhead, but this is typically negligible if the network is optimized.
Throughput:
Standard VA: Offers high throughput since communication occurs without the additional encapsulation of a tunnel.
Network Tunnel VA: Throughput may be slightly reduced depending on the complexity of the network and the number of systems being accessed through the tunnel.
Resource Utilization:
Both configurations require proper resource allocation (CPU, memory, etc.) for the VA. Network Tunnel VAs might need additional resources for encryption and tunneling.
Management Overhead
Standard VA:
Pros:
Easier to configure in environments with minimal firewall restrictions.
Fewer moving parts compared to tunneling configurations.
Cons:
Requires individual firewall rules for each target system, increasing administrative overhead.
May complicate configurations in environments with dynamic network topologies.
Network Tunnel VA:
Pros:
Centralized configuration simplifies firewall management by reducing the number of openings needed.
Easier to manage in dynamic or complex network environments.
Cons:
Slightly higher initial setup complexity due to tunneling configuration.
Requires ongoing monitoring of the tunnel’s health and encryption settings.
Recommendations:
Standard VA:
Best for small to medium-sized environments with straightforward network access requirements.
Suitable when low latency and high throughput are critical, and firewall configurations are manageable.
Network Tunnel VA:
Ideal for large, complex environments with stringent security and compliance needs.
Recommended for use cases involving multiple target systems across diverse or restrictive networks.
By assessing your environment’s connectivity, security, scalability, and management needs, you can make an informed choice between Standard and Network Tunnel VAs in SailPoint IdentityNow.
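Both answers point out that a Standard VA needs connectivity and a firewall opening per source, while a Network Tunnel VA collapses that to a single tunnel endpoint. The script below is an added pre-flight check, not SailPoint code: it probes each inventoried source from the VA host and lists the per-source openings that still have to be requested, next to the single opening the tunnel model would need. The source inventory, VA address and tunnel endpoint are constructed placeholders.

```python
"""Standard VA pre-flight check (added example; hostnames are placeholders)."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    name: str
    host: str
    port: int


# Constructed sample inventory of on-premises sources a Standard VA would reach directly.
SOURCES = [
    Source("AD-Corp", "dc01.example.internal", 636),
    Source("HR-DB", "hrdb.example.internal", 1433),
    Source("SAP", "sap-app.example.internal", 3300),
]


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds from this host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_sources(sources, probe=tcp_probe):
    """Probe every source once; map source name -> reachable (bool)."""
    return {s.name: probe(s.host, s.port) for s in sources}


def firewall_requests(sources, results, va_ip):
    """Per-source openings a Standard VA still needs (one per unreachable source)."""
    return [f"allow {va_ip} -> {s.host}:{s.port} ({s.name})"
            for s in sources if not results[s.name]]


def tunnel_requests(va_ip, tunnel_endpoint):
    """For comparison: the Network Tunnel VA needs one outbound opening to the tunnel endpoint."""
    return [f"allow {va_ip} -> {tunnel_endpoint} (network tunnel)"]


if __name__ == "__main__":
    va_ip = "10.0.0.5"  # constructed VA address
    results = check_sources(SOURCES)
    for line in firewall_requests(SOURCES, results, va_ip):
        print("Standard VA still needs:", line)
    for line in tunnel_requests(va_ip, "TUNNEL_ENDPOINT_PLACEHOLDER"):
        print("Network Tunnel VA needs: ", line)
```

Run it on the VA host itself, since the firewall path that matters is VA-to-source; an unreachable source on the Standard VA side is a pending firewall change, not a VA fault.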