Add a GRE Tunnel Connection

Save PDF

Feedback

Last UpdatedApr 28, 2025
6 minute read

This topic describes how to add a GRE tunnel connection to your Imperva DDoS Protection for Networks configuration.

Note: This process is currently available for the GRE-Tunnel connection type only. Other connection types must be configured by the Imperva team.

For an overview of the DDoS Protection for Networks onboarding process, see Onboarding: DDoS Protection for Networks.

Overview

After you are onboarded to the DDoS Protection for Networks service, you may want to edit or add new connections. For example, if you change ISP or want to create new GRE tunnels.

To configure a new connection:

Add your ASN
Define connection settings
Configure routing options

Open the Connectivity Settings

Log into your my.imperva.com account.

On the top menu bar, click Network.
On the sidebar, click Network Protection > Connectivity Settings.

Add your ASN

Your autonomous system number is required for communication between the Imperva network and your origin network.

Note:

If your ASN is already registered in Imperva, you can skip this step and continue to Define origin connectivity.
If you are using a transit AS, make sure to add the ASN here.

A unique autonomous system number (ASN) is allocated to each autonomous system by the Internet Assigned Numbers Authority (IANA), for use in BGP routing.

We register the AS-SET object, which enables us to group AS numbers in a single object. It indicates to our upstream providers that we are now eligible to announce the ASNs that are listed within the AS-SET object.

When you start the onboarding process, your ASN is added to our AS-SET object, and our system registers your ASN on each registrar.

Leased IP ranges: If you are leasing an IP range from a 3rd party vendor such as an ISP, you will need to provide a letter of agreement (LOA) from the owner of the IP range. The range will be announced to Imperva using a private ASN, and Imperva will announce the route with its own ASN.

To add your ASN

Under ASNs, click Add, enter your ASN number, and save.

Note: It can take up to 48 hours for the ASN to be fully registered in our system.

In the ASN table, you can expand the ASN row and view the registries and their registration status. The following indicators reflect the registration status of the ASN in the specified registry:

Registered

Pending registration

Not registered

Example:

For status details, click the check box next to a registry row and click Check Status.

Define origin connectivity

Configure the tunnel connection between Imperva's network and your origin network. This connection is used for clean traffic and BGP announcements.

Prerequisite: Make sure that your network range has already been defined by the Imperva team and is listed on the Protection Settings page.

Guidelines:

For redundancy purposes, configure a minimum of two connections for each GRE tunnel (each tunnel public IP).
For each connection, select a different Imperva data center.

For example:

Connection 1, Data Center 1
Connection 2, Data Center 2

To learn more about Imperva's guidelines and recommendations to maximize service availability, performance, and functionality, see Recommended Topology: DDoS Protection for Networks.

Add a connection:

Under Origin Connectivity, click Add, and fill in the following fields:

Search:

Field	Description

Type	The connection type. Self-service onboarding is currently supported for the GRE-Tunnel type only.
Connection Name	It is recommended to give the connection a meaningful name to help you easily identify it. This can include the ISP or data center vendor, the connection type, and the location of the Imperva data center that you select for this connection. For example, Equinix-GRE-TOR.
Tunnel Public IP	Enter the public IP address of your network device (router/firewall).
Imperva Data Center	Select an Imperva data center to use for this connection. Set up a minimum of two connections between your origin data center and Imperva's global network to ensure resiliency and failover. For the first connection, select one of the following Imperva data centers, according to your origin data center's region: US: LAX, MIA, IAD EU: FRA, LON, AMS APAC: HKG, SIN, TKO For other connections, it is recommended to select the Imperva data center closest to your origin data center. Note: You can also select several data centers from the list above for your connections if they are the closest to your origin data center.
Imperva Data Center Endpoint	(View-only.) Each Imperva data center contains two tunnel endpoints (external routers) for optimal resilience and failover. In some cases, a second connection to a second router in the same Imperva PoP may be useful. It can be configured for your account by Imperva Support. For more details, see Recommended Topology: DDoS Protection for Networks. Endpoint 1 is used for your primary connection to the data center and Endpoint 2 is used for your secondary/backup connection.
Source Range	Select one of the private address ranges provided by Imperva to use for this GRE connection.
BGP Peer Monitoring	Enables Imperva to monitor the connection and report on the connection status. Connection status is displayed on the Network Settings page for each connection. In addition, notifications on connection up/down status are sent to your account notification list. For details, see Notifications. This option is enabled by default.
Performance Monitoring	Gain visibility into the performance of the connections between Imperva data centers and your origin network. For details, see Connectivity Monitoring.

Configure routing options

In this step, you set up the BGP peering sessions for routing traffic between Imperva and your origin.

Configure one policy for each connection you defined in the Origin Connectivity section.

Under Routing Options, click Add, and fill in the following fields:

Search:

Field	Description

Connection Name	Select one of the connections that you defined under Origin Connectivity.
ASN	Select the ASN associated with the connection you selected.
Hold Time	Specifies how long a router waits for incoming BGP messages before it assumes the neighbor is not available. Default: 30 seconds Permitted values: 0-300
Authentication Key	(Recommended) Select the authentication method to use for securing your BGP sessions with Imperva. If you define an authentication key here, it must also be configured on your edge router. None MD5 In the Key field, enter any string to use for authentication of this BGP peer connection. TCP-AO Provides enhanced security over MD5. To provide your keychain details, download the CSV template file, configure it as follows, and then upload it here. ID: The unique key identifier. Must be in the range of 0-63. Secret: The secret key password. Must be between 1 and 126 characters. StartTime: The exact time the key becomes activated. Must be unique, and in the following format: YYYY-MM-DD.HH:MM

Connections API

You can also retrieve connection details and configure settings using the API.

For instructions on using the Connection API, see DDoS Protection for Networks: Connections API Definition.

The definition file presents a full, formatted, and interactive version of the Connection API that you can use to learn about the APIs, or test them using your API ID and key.

Cloud Application and Network Security

Filters

Source Type

Application Security

Data Security

Network Security

Application Performance

Product Versions

Hypervisor Installation

Document Type

Access

Product Area