Virtual private network (VPN)-as-a-service with load-balanced tunnel endpoints

The invention claimed is: 1. An apparatus operative within a virtual private network (VPN) cluster that comprises a set of machines, comprising: one or more hardware processors; computer memory holding computer program instructions executable by the one or more hardware processors and configured to: establish and maintain a partitioned namespace, each partition in the partitioned namespace having a set of sequence numbers uniquely associated with a given one of the set of machines in the VPN cluster to provide replay protection; receive a set of data flows over a single logical tunnel connected between an external computing entity and the apparatus, the set of data flows including at least one data flow having associated therewith a flow identifier hash value; upon being selected as a leader by a leader election routine executing across the set of machines, implement a load balancing routine with respect to a load presented by the set of data flows over the single logical tunnel, thereby load balancing the data flows over the single logical tunnel such that the load within the single logical tunnel is shared among the set of machines and the replay protection is maintained, the flow identifier hash value determining a particular one of the set of machines in the VPN cluster to receive and process the at least one data flow persistently; and associate a sequence number with a response generated by the particular machine, the sequence number being from the set of sequence numbers uniquely associated with the particular machine; wherein the apparatus is positioned to receive the set of data flows at a content delivery network (CDN) edge region located at an ingress point to the content delivery network, thereby acting as a VPN cluster concentrator with respect to the set of data flows, the apparatus providing at least one CDN-specific Transmission Control Protocol (TCP) optimization and at least one CDN-specific routing optimization together with further transport of the data flows to another CDN edge region across the content delivery network, wherein the at least one TCP optimization is one of: packet loss mitigation, and TCP buffer management. 2. The apparatus as described in claim 1 wherein the computer program instructions are further operative in response to receipt of a new data flow associated with the flow identifier hash value and the sequence number to direct the new data flow back to the particular machine. 3. The apparatus as described in claim 1 wherein the set of data flows in the single logical tunnel are each an Internet Protocol Security (IPsec) data flow. 4. The apparatus as described in claim 3 wherein the partitioned namespace is defined by a set of bits within an IPsec Security Parameter Index (SPI). 5. The apparatus as described in claim 4 wherein associating the sequence number ensures that IPsec replay protection is enabled on the response. 6. The apparatus as described in claim 1 wherein the flow identifier hash value is calculated by applying a given hash function to source and destination information defining the at least one data flow. 7. The apparatus as described in claim 6 wherein the flow identifier hash value is associated in an Encapsulating Security Payload (ESP) payload. 8. The apparatus as described in claim 1 wherein the external computing entity is a network appliance that establishes and manages the single logical tunnel. 9. The apparatus as described in claim 1 wherein the load balancing routine balances the set of data flows across the set of machines to enforce a given load balancing constraint. 10. The apparatus as described in claim 1 wherein the set of machines are physical machines or virtual machines.