My current project contains multiple heterogeneous TCP servers, but our IT guys have clearly declared that they will give me only one port, 443, which is fair enough.
Two options are on the table now. One is VPN. We can set up a VPN server inside our corporation and implement the access control. The other one is to implement some kind of software switch, which peeks at the recognizable features of any (S) packet and then routes the connection to the responsible service. Our IT guys are neutral to both approaches for now, before any evidence shows that one is superior to the other.
The pros of VPN are that it is a well-established technology and widely used in practice. In our scenario, it ensures that sensitive information is encrypted. The cons are the effort we will need to put into implementing access control policies and mechanisms. The number of services will possibly grow, and the service will go multi-tenant, so it will become more complex.
The pros of the software switch are that it is simple to implement because the features/protocols of the sub-services are well known to us. The cons are that I have not heard of such practices before (I might be ignorant here), and we are not so confident that exposing such an in-house solution to the Internet is a good idea.
If you were me, which approach would you prefer? Why? Details can be clarified if needed and allowed.
I really appreciate any comments and answers.
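As an added illustration of the "software switch" idea (my example, not code from the question): a port-443 demultiplexer that peeks at the first bytes of a connection, parses the TLS ClientHello for the SNI host name and picks a backend from a constructed routing table. Host names and backend addresses are assumptions; anything the parser does not recognize is rejected rather than guessed, which is the check such a switch needs before being exposed to the Internet.

```python
import struct

# Constructed routing table (assumption): SNI host name -> backend (host, port).
ROUTES = {
    "git.example.internal": ("10.0.0.11", 22),
    "api.example.internal": ("10.0.0.12", 8443),
}

def parse_sni(data: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None when the
    bytes are not a well-formed ClientHello carrying a server_name extension."""
    # Record header: content type 0x16 (handshake), version(2), length(2)
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4 or body[0] != 0x01:  # 1 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        return None
    pos = 2 + 32                                   # client_version + random
    try:
        sid_len = hello[pos]; pos += 1 + sid_len   # session id
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = hello[pos]; pos += 1 + cm_len     # compression methods
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        if end > len(hello):
            return None                            # extensions overrun the hello
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            ext = hello[pos:pos + ext_len]; pos += ext_len
            if ext_type == 0 and len(ext) >= 5 and ext[2] == 0:  # server_name, host_name
                name_len = struct.unpack("!H", ext[3:5])[0]
                if len(ext) >= 5 + name_len:
                    return ext[5:5 + name_len].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def choose_backend(first_bytes: bytes):
    """Backend for a new connection, or None: unrecognized input is closed, not guessed."""
    host = parse_sni(first_bytes)
    return ROUTES.get(host) if host is not None else None

def build_client_hello(host: str) -> bytes:
    """Minimal TLS 1.2 ClientHello with one SNI entry (constructed test input)."""
    name = host.encode("ascii")
    sni = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
    sni_ext = struct.pack("!HH", 0, len(sni) + 2) + struct.pack("!H", len(sni)) + sni
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"              # version, random, empty sid
             + struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"  # one suite, null compression
             + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

The switch only reads the unencrypted ClientHello, so it never needs the private keys of the backends; a non-TLS client (for example a raw SSH banner) gets no route.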