I'm working on a multi-tenant SaaS app that integrates with customer on-prem systems over the Minimal Lower Layer Protocol (MLLP) on TCP/IP. As the name suggests, MLLP does not support any encryption, so typically security is implemented by configuring a VPN between the hosts.
The SaaS App runs on an EC2 instance and provisions a new listening port for each new tenant. The connection is bidirectional, so the SaaS App listens/receives messages from the customer on-prem system, as well as sends messages to the customer on-prem API endpoint.
```
                                                             +-----------------+
                   VPN-1   /---------------------\           | SaaS App Server |
                           |                     |           |                 |
[Customer1 on-prem API]====|======[] <-> []======|===========|:3001            |
                           |                     |           |                 |
                           \---------------------/           |                 |
                                                             |                 |
                   VPN-2   /---------------------\           |                 |
                           |                     |           |                 |
[Customer2 on-prem API]====|======[] <-> []======|===========|:3002            |
                           |                     |           |                 |
                           \---------------------/           |                 |
                                                             |                 |
                   VPN-N   /---------------------\           |                 |
                           |                     |           |                 |
[CustomerN on-prem API]====|======[] <-> []======|===========|:N               |
                           |                     |           |                 |
                           \---------------------/           |                 |
                                                             +-----------------+
```
Is it possible to configure multiple VPNs to a single host or service, so that customers have secure, isolated connections and I can run a single App Server / service?
All of the examples I have found for multiple VPNs (e.g. Site-to-Site VPN single and multiple connection examples) are for the classic use case of pooling VPNs within the same organization (i.e. New York office, LA office, etc.).
I am open to using anything in the AWS toolkit (VPCs, Nat Gateways, Network Load Balancers, etc) and can configure services dynamically as I provision new customers.
If the answer is "No, it's more trouble than it's worth, you are better off just running one EC2 per customer", that would be good to know too.