The VMX regularly registers the current public IP address it has in the VPN registry. So the public IP can change and it is not a big deal. When spokes connect they look up this IP address in the VPN registry.
Is there some kind of material that the VMX receives that allows it to do this? Meaning once the instance has registered and the token has expired, what allows the VMX to update it's IP. I think I was assuming that identity was established in the following way
- VMX -> identified by token.
- VMX registers -> identified by (ip, port)
But if the IP can change that must not be it? As part of the keep-alive/heartbeat messages, is some sort of short-lived token being maintained?
The authentication information to the cloud is stored on the instance after it authenticates to the cloud with the token for the first time. I'm not sure where, or in what format, as its impossible to log into being a managed instance.
For the case where the instance is lost (say the AZ is down), is it required to re-register with a token then? I'm assuming the VMX100 appliance doesn't allow for backing up Authentication material directly. Is there any known issue with using EC2 snapshots for this?
Speaking from an azure point of view, (I assume its similar with EC2) being a managed instance, they don't really allow for you to do a whole lot with the instance itself, which, is understandable, it'd be allowing a view into how they are running things, and amplify the potential for attacks. Same thing with the backups, I doubt they allow it because they wouldn't want the backup to be reverse engineered.
If the instance is deleted, then yes, the token would have to be re-entered because however they store the authentication to the cloud would be lost at that point.