Site‑to‑site IPsec VPN for internal access
Perfecto supports a site‑to‑site IPsec VPN to securely connect your private network with the Perfecto cloud. This enables Perfecto devices to access internal or intranet test environments that are not exposed to the public internet.
With a site‑to‑site VPN, traffic between your network and the Perfecto cloud is encrypted and routed through a persistent network‑level tunnel, allowing internal test sites to be accessed as if they were part of the same private network.
Site‑to‑site IPsec VPN is an advanced connectivity option typically used in enterprise environments with strict network and security requirements. If a persistent VPN is not required, Perfecto Connect may be a suitable alternative.
When to use site‑to‑site IPsec VPN
A site‑to‑site IPsec VPN is typically used when:
- Test environments are not exposed to the internet
- Security policy does not allow temporary tunnels or local agents (see Perfecto Connect)
- A persistent, always‑on network connection is required between your network and the Perfecto cloud
Most customers with a Perfecto private cloud already have similar network connectivity in place for other tools. The Perfecto site‑to‑site VPN follows a similar model.
How site‑to‑site VPN works
A site‑to‑site IPsec VPN creates a secure, encrypted tunnel between your network and the Perfecto cloud. Once established, traffic between designated subnets flows through the VPN, allowing Perfecto devices to reach your internal test systems without exposing them publicly.
The following diagram shows a high‑level view of how a site‑to‑site IPsec VPN connects the customer network and the Perfecto Private Cloud.
To establish the tunnel, both Perfecto Support and customer IT, Network, and Security teams must exchange standard IPsec parameters so that the VPN configuration matches on each end. When configuration is complete, connectivity is validated to confirm encrypted traffic flow between the defined networks.
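A pre-flight comparison of the two parameter sheets can catch mismatches before the tunnel is brought up. The following is an added example, not Perfecto tooling: the field names, addresses, and algorithm values are constructed for illustration, and it assumes each side records its settings as a simple dictionary.

```python
import ipaddress

# Hypothetical field names for settings that must be identical on both gateways.
MUST_MATCH = ("ike_version", "ike_encryption", "ike_integrity", "dh_group",
              "esp_encryption", "esp_integrity", "pfs_group")

def nets(values):
    return {ipaddress.ip_network(v) for v in values}

def compare_sheets(a, b):
    """Return a list of mismatches between two IPsec parameter sheets."""
    problems = []
    for field in MUST_MATCH:
        if a.get(field) != b.get(field):
            problems.append(f"{field}: {a.get(field)!r} != {b.get(field)!r}")
    # Each side's configured peer must be the other side's public address.
    if a["peer_ip"] != b["public_ip"] or b["peer_ip"] != a["public_ip"]:
        problems.append("peer_ip and public_ip are not mirrored")
    # Tunnel subnets must mirror: one side's local set is the other's remote set.
    for x, y, label in ((a["local_subnets"], b["remote_subnets"], "a.local vs b.remote"),
                        (a["remote_subnets"], b["local_subnets"], "a.remote vs b.local")):
        diff = nets(x) ^ nets(y)
        if diff:
            problems.append(f"{label}: unmatched {sorted(str(n) for n in diff)}")
    # Overlapping address space behind the two gateways makes routing ambiguous.
    for x in nets(a["local_subnets"]):
        for y in nets(b["local_subnets"]):
            if x.overlaps(y):
                problems.append(f"overlap: {x} and {y}")
    return problems

# Constructed sample sheets (documentation address ranges, illustrative algorithms).
CRYPTO = dict(ike_version=2, ike_encryption="aes256", ike_integrity="sha256",
              dh_group=14, esp_encryption="aes256", esp_integrity="sha256", pfs_group=14)
CUSTOMER = dict(CRYPTO, public_ip="198.51.100.10", peer_ip="203.0.113.20",
                local_subnets=["10.20.0.0/24"], remote_subnets=["172.16.50.0/24"])
CLOUD_OK = dict(CRYPTO, public_ip="203.0.113.20", peer_ip="198.51.100.10",
                local_subnets=["172.16.50.0/24"], remote_subnets=["10.20.0.0/24"])
CLOUD_BAD = dict(CLOUD_OK, dh_group=19, remote_subnets=["10.20.0.0/16"])

if __name__ == "__main__":
    for issue in compare_sheets(CUSTOMER, CLOUD_BAD):
        print(issue)
```

An empty result means the two sheets agree on the listed fields; it does not replace the connectivity validation performed after the tunnel is established.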
Responsibilities and ownership
Perfecto:
- Provisions the VPN endpoint on the customer’s dedicated Perfecto private cloud
- Shares required VPN parameters (such as public IP address, supported cryptographic settings, and tunnel subnets)
- Validates VPN tunnel connectivity once the tunnel is established
Customer:
- Configures the IPsec VPN on their firewall or VPN gateway
- Owns routing, firewall rules, and security policies on their network
- Ensures internal environments are reachable through the VPN tunnel
- Notifies Perfecto Support in advance of any changes to VPN configuration, routing, or exposed subnets so the changes can be planned and applied on the Perfecto side
Validation and connectivity testing
Once both sides complete the configuration:
- The VPN tunnel status is verified
- Traffic flow between the agreed subnets is confirmed
- Access to internal test environments from Perfecto devices is validated
Performance and network considerations
When using a site‑to‑site VPN, keep the following in mind:
- The VPN affects how applications or websites running on a Perfecto device connect to internal environments (for example, initial page load times or backend requests).
- The VPN does not affect interactions with Perfecto devices themselves, including device control, UI interactions, or streaming.
- Network latency or bandwidth limitations on the VPN path may impact how quickly internal applications or URLs load on the device.
- Firewall inspection, packet shaping, or deep packet inspection on the customer network can introduce additional latency for traffic flowing between the device and internal environments.
Proper network planning is recommended to ensure an optimal testing experience.
Alternative: Perfecto Connect (client‑initiated tunnel)
When a site‑to‑site IPsec VPN cannot be provisioned in a timely manner, use Perfecto Connect as a temporary fallback for accessing internal environments.
Perfecto Connect creates an outbound tunnel initiated from a customer‑managed local machine. While it can be useful for short‑term or limited scenarios, it has several limitations compared to a site‑to‑site IPsec VPN:
- Higher latency than a site‑to‑site VPN, which can impact application load times
- Limited scalability because the tunnel is tied to a specific local machine
- Inherits the local machine’s network configuration, including proxy settings, VPNs, and security restrictions
- Subject to additional delays caused by local traffic inspection, endpoint security software, or organizational security policies
- Tunnel stability and availability depend on the machine and user running it, including local network conditions, system restarts, and user activity
Because of these limitations, use a site‑to‑site IPsec VPN to provide reliable, scalable, and long‑term access to internal test environments. Use Perfecto Connect only as a temporary fallback when a site‑to‑site VPN is not yet available or cannot be established.
For long‑term, scalable connectivity, use a site‑to‑site IPsec VPN instead of Perfecto Connect. To learn more, see Perfecto Connect.
Get started
To request a site‑to‑site IPsec VPN for your Perfecto private cloud, contact your Customer Success Manager or Perfecto Support to initiate the process and exchange required VPN parameters.