What is a hybrid VPN?
Hybrid IPsec and MPLS VPN defined
A hybrid VPN combines Multiprotocol Label Switching (MPLS)- and Internet Protocol Security (IPsec)-based VPNs. Typically, you’d use an IPsec VPN at certain sites and MPLS VPNs at others, but it’s also possible to use both at the same site, with the IPsec VPN as a backup to your MPLS VPN.
IPsec VPNs are CPE-based, meaning some piece of equipment on the customer premises—typically a router or multipurpose security appliance—is used to encrypt data and form the VPN tunnel. MPLS VPNs, on the other hand, are provided by a carrier, using equipment in the carrier’s network.
To connect the two, you need a gateway that terminates the IPsec tunnel on one side and maps it to the MPLS VPN on the other while maintaining the security that VPNs are intended to provide.
When to use IPsec and hybrid VPNs
Organizations use hybrid VPNs because they have sites where MPLS just doesn’t make sense for them. MPLS has a number of advantages over public Internet connections, but it is more expensive. Using MPLS at some sites, such as small branch or home offices with limited bandwidth requirements, may not make financial sense.
The key to making a hybrid VPN setup manageable is to use a hub-and-spoke configuration in which the remote sites connect only to one central site. If your remote branches need to connect directly with one another, you’re likely better off with MPLS; with a hybrid VPN, managing all the required IPsec tunnels would soon get unwieldy. MPLS has that mesh networking capability built in.
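As an added illustration (not code from the original article), here is a small Python model of the hybrid design described above: the gateway at the central site is the only place IPsec traffic is mapped into the MPLS VPN, and remote IPsec sites build a tunnel only to that hub. The site names, the `Site`/`Tunnel` types and the hop labels are constructed for the example. It generates the IPsec tunnel set for a hub-and-spoke versus a full-mesh design, so the difference in tunnel count is visible, and traces the hops a flow takes between any two sites.

```python
"""Model of a hybrid (IPsec + MPLS) VPN topology.

Added example, not part of the original article. The site list, the
Site/Tunnel structures and the hop labels are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Site:
    name: str
    transport: str        # "mpls" (carrier VPN) or "ipsec" (CPE tunnel over the Internet)
    is_hub: bool = False  # the central site whose gateway joins the two VPN types


@dataclass(frozen=True)
class Tunnel:
    a: str
    b: str


# Constructed sample: HQ and a data centre on MPLS, small sites on IPsec.
SITES = [
    Site("hq", "mpls", is_hub=True),
    Site("dc-east", "mpls"),
    Site("store-01", "ipsec"),
    Site("store-02", "ipsec"),
    Site("store-03", "ipsec"),
    Site("home-office", "ipsec"),
]


def ipsec_tunnels(sites, topology="hub-and-spoke"):
    """Return the set of IPsec tunnels the design requires.

    hub-and-spoke: each IPsec spoke builds exactly one tunnel, to the hub.
    full-mesh:     every pair of IPsec-capable endpoints (spokes plus hub)
                   builds a tunnel, which grows as n(n-1)/2.
    """
    hubs = [s for s in sites if s.is_hub]
    if len(hubs) != 1:
        raise ValueError("exactly one hub site is required")
    hub = hubs[0]
    spokes = [s for s in sites if s.transport == "ipsec" and not s.is_hub]
    if topology == "hub-and-spoke":
        return {Tunnel(s.name, hub.name) for s in spokes}
    if topology == "full-mesh":
        ends = spokes + [hub]
        return {Tunnel(x.name, y.name) for x, y in combinations(ends, 2)}
    raise ValueError(f"unknown topology {topology!r}")


def path(sites, tunnels, src, dst):
    """Return the hops a flow takes from src to dst, or None if unreachable.

    MPLS sites reach each other directly over the carrier VPN. An IPsec site
    can only use a tunnel it actually has, and only the hub's gateway maps
    IPsec traffic into the MPLS VPN.
    """
    by_name = {s.name: s for s in sites}
    a, b = by_name[src], by_name[dst]
    hub = next(s for s in sites if s.is_hub)

    def linked(x, y):
        return Tunnel(x, y) in tunnels or Tunnel(y, x) in tunnels

    if a.transport == "mpls" and b.transport == "mpls":
        return [src, "mpls-vpn", dst]
    if a.transport == "ipsec" and b.transport == "ipsec":
        if linked(src, dst):                      # direct tunnel (mesh)
            return [src, "ipsec", dst]
        if linked(src, hub.name) and linked(hub.name, dst):
            return [src, "ipsec", hub.name, "ipsec", dst]   # via hub
        return None
    # Mixed case: the IPsec end must reach the hub, whose gateway hands the
    # traffic into the MPLS VPN (unless the hub itself is the other end).
    ipsec_end, mpls_end = (src, dst) if a.transport == "ipsec" else (dst, src)
    if not linked(ipsec_end, hub.name):
        return None
    hops = [ipsec_end, "ipsec", hub.name]
    if mpls_end != hub.name:
        hops += ["mpls-vpn", mpls_end]
    return hops if src == ipsec_end else hops[::-1]


if __name__ == "__main__":
    for topo in ("hub-and-spoke", "full-mesh"):
        print(f"{topo}: {len(ipsec_tunnels(SITES, topo))} IPsec tunnels")
    hs = ipsec_tunnels(SITES)
    print(" -> ".join(path(SITES, hs, "store-01", "dc-east")))
    print(" -> ".join(path(SITES, hs, "store-01", "store-02")))
```

With the six constructed sites, hub-and-spoke needs four tunnels while a full mesh of the same IPsec endpoints needs ten; the spoke-to-spoke trace shows why a design where branches talk directly to each other is better served by MPLS.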
There are some instances in which a public Internet connection is “good enough,” but security is still a concern. An IPsec VPN could provide the security you need at relatively low cost.
There are many times when the hub-and-spoke design works well—for example, a fast food restaurant or retail store chain that may need only occasional connectivity to headquarters. IPsec is also suitable for individual mobile users, who can install a software client to enable an IPsec VPN that securely connects them to the corporate network.