There are two different methods for creating a site-to-site VPN:
- a route-based VPN
- a policy-based VPN
This article describes the route-based VPN between VMware Cloud on AWS as the local site and AWS Transit Gateway as the remote site.
In an earlier post (linked here) we examined the five API calls needed to build a route-based VPN tunnel, using Python code.
Using PowerShell and PowerCLI is simpler.
We built three functions:
- Create route-based VPN
- Get route-based VPN info
- Delete route-based VPN
Create Route-Based VPN
Step 2 – Get the API refresh token, Org name and SDDC name and assign them to variables. The refresh token is a credential for your VMware Cloud organisation: keep it out of any script you commit or share, and revoke it from the Cloud Services console when it is no longer needed.
$RefreshToken = "62c26d4a-xxxx-xxxx-xxxx-913873b1dfe0"
$OrgName = "VMC-SET-EMEA"
$SDDCName = "GC-API-SDDC"
Step 3 – Connect to your VMC environment.
Connect-Vmc -RefreshToken $RefreshToken
Step 4 – Get the NSX-T Proxy URL for all API calls.
Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName
Step 5 – Get the VPN Public IP of your SDDC.
In the VMC console, the VPN Public IP is displayed on the VPN page.
With PowerCLI the value is returned in the 'vpn_internet_ips' property; check this blog post for more details.
Step 6 – Plan the tunnel IP addresses, BGP AS numbers, encryption algorithms, DH group and pre-shared key as follows:
- PublicIP: the VMC VPN Public IP retrieved above
- RemotePublicIP: the remote site (Transit Gateway) public IP
- BGPLocalIP: the BGP local (inside tunnel) IP in the 169.254.x.x range
- BGPRemoteIP: the BGP remote (inside tunnel) IP in the 169.254.x.x range
- BGPLocalASN: the VMC BGP AS number
- RemoteBGPASN: the remote BGP AS number
- BGPNeighborID: the ID of the BGP neighbor object NSX-T creates (an arbitrary unique value; it appears in the neighbor path shown below)
- TunnelEncryption: IPsec tunnel encryption algorithm
- TunnelDigestEncryption: IPsec tunnel integrity (digest) algorithm
- IKEEncryption: IKE (key exchange) encryption algorithm
- IKEDigestEncryption: IKE digest algorithm
- DHGroup: Diffie-Hellman group (GROUP14 is 2048-bit MODP; avoid the smaller groups)
- IKEVersion: IKE version; prefer IKE_V2 where the remote side supports it (AWS Site-to-Site VPN does)
- PresharedPassword: the IKE pre-shared key, which must match the one configured on the AWS side
Step 7 – Choose a name for your VPN tunnel and run the function:
New-NSXTRouteBasedVPN -Name VPN-T1 `
-PublicIP 52.57.x.x `
-RemotePublicIP 18.19.x.x `
-BGPLocalIP 169.254.62.2 `
-BGPRemoteIP 169.254.62.1 `
-BGPLocalASN 65056 `
-RemoteBGPASN 64512 `
-BGPNeighborID 65 `
-TunnelEncryption AES_256 `
-TunnelDigestEncryption SHA2_256 `
-IKEEncryption AES_256 `
-IKEDigestEncryption SHA2_256 `
-DHGroup GROUP14 `
-IKEVersion IKE_V1 `
-PresharedPassword "<pre-shared-key>"
Successfully created Route-Based VPN.
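Before submitting the tunnel it is worth checking the Step 6 values and sourcing the secrets properly, since a mismatched /30, a reused AWS-reserved link-local block or a weak pre-shared key only shows up later as a tunnel that never comes up. The following is an added example written for this article, not code from the original post or from the VMware.VMC.NSXT module. It assumes that module's functions (Connect-NSXTProxy, New-NSXTRouteBasedVPN) are loaded as in Steps 3 and 4, that the refresh token is supplied in an environment variable named VMC_REFRESH_TOKEN (a name chosen here), and that the generated pre-shared key will be entered on the AWS customer gateway as well.

```powershell
# Added example (not from the original post or the VMware.VMC.NSXT module):
# validate the Step 6 parameters, generate a proper pre-shared key and splat the
# result into New-NSXTRouteBasedVPN. Assumes the module functions are loaded.

function ConvertTo-IPv4UInt32 {
    # Dotted-quad string -> unsigned 32-bit integer (host order) for prefix math.
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function New-PreSharedKey {
    # 32 characters from a CSPRNG. The alphabet omits '0' so the key meets the AWS
    # customer-gateway PSK rules (alphanumeric, '.' and '_', 8-64 chars, must not
    # start with zero). Byte-to-char modulo over 61 symbols leaves negligible bias.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789'
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Test-RouteBasedVPNParams {
    # Returns a list of problems; an empty result means the set is safe to submit.
    param([Parameter(Mandatory)][hashtable]$P)
    $problems = @()

    # /30s inside 169.254.0.0/16 that AWS reserves for its own tunnel endpoints.
    $awsReserved = '169.254.0.0', '169.254.1.0', '169.254.2.0', '169.254.3.0',
                   '169.254.4.0', '169.254.5.0', '169.254.169.252' |
                   ForEach-Object { (ConvertTo-IPv4UInt32 $_) -shr 2 }

    $addr = @{}
    foreach ($k in 'BGPLocalIP', 'BGPRemoteIP') {
        if ($P[$k] -notmatch '^169\.254\.\d{1,3}\.\d{1,3}$') {
            $problems += "$k must be a link-local address in 169.254.0.0/16"
            continue
        }
        $addr[$k] = ConvertTo-IPv4UInt32 $P[$k]
        if (($addr[$k] -band 3) -notin 1, 2) {
            $problems += "$k is the network or broadcast address of its /30"
        }
        if (($addr[$k] -shr 2) -in $awsReserved) {
            $problems += "$k lies in a /30 reserved by AWS"
        }
    }
    if ($addr.Count -eq 2) {
        if (($addr.BGPLocalIP -shr 2) -ne ($addr.BGPRemoteIP -shr 2) -or
            $addr.BGPLocalIP -eq $addr.BGPRemoteIP) {
            $problems += 'BGPLocalIP and BGPRemoteIP must be the two usable hosts of one /30'
        }
    }

    # eBGP between the two sites needs distinct AS numbers.
    if ([int]$P.BGPLocalASN -eq [int]$P.RemoteBGPASN) {
        $problems += 'BGPLocalASN and RemoteBGPASN must differ'
    }

    # Crypto floor: IKEv2, DH group 14 or stronger, AES-256 (CBC or GCM), SHA-2.
    if ($P.IKEVersion -ne 'IKE_V2') { $problems += "IKEVersion is $($P.IKEVersion); use IKE_V2" }
    if ($P.DHGroup -in 'GROUP2', 'GROUP5') { $problems += "$($P.DHGroup) is a 1024/1536-bit group; use GROUP14 or stronger" }
    foreach ($k in 'TunnelEncryption', 'IKEEncryption') {
        if ($P[$k] -notmatch '^AES_(GCM_)?256$') { $problems += "$k should be AES_256 or AES_GCM_256" }
    }
    foreach ($k in 'TunnelDigestEncryption', 'IKEDigestEncryption') {
        if ($P[$k] -notmatch '^SHA2_(256|384|512)$') { $problems += "$k should be a SHA-2 digest" }
    }
    if ($P.PresharedPassword -notmatch '^[A-Za-z1-9][A-Za-z0-9._]{7,63}$') {
        $problems += 'PresharedPassword must be 8-64 alphanumeric/._ characters and not start with 0'
    }
    return $problems
}

# Credentials come from the environment, never from a hard-coded literal.
$RefreshToken = $env:VMC_REFRESH_TOKEN
if (-not $RefreshToken) { throw 'Set VMC_REFRESH_TOKEN in the environment before running this script' }
Connect-Vmc -RefreshToken $RefreshToken
Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName 'VMC-SET-EMEA' -SDDCName 'GC-API-SDDC'

$vpn = @{
    Name                   = 'VPN-T1'
    PublicIP               = '52.57.x.x'        # VMC VPN Public IP (vpn_internet_ips)
    RemotePublicIP         = '18.19.x.x'        # Transit Gateway tunnel outside address
    BGPLocalIP             = '169.254.62.2'
    BGPRemoteIP            = '169.254.62.1'
    BGPLocalASN            = 65056
    RemoteBGPASN           = 64512              # AWS Transit Gateway default ASN
    BGPNeighborID          = 65
    TunnelEncryption       = 'AES_256'
    TunnelDigestEncryption = 'SHA2_256'
    IKEEncryption          = 'AES_256'
    IKEDigestEncryption    = 'SHA2_256'
    DHGroup                = 'GROUP14'
    IKEVersion             = 'IKE_V2'           # IKE_V1 would be rejected by the check above
    PresharedPassword      = New-PreSharedKey   # record this; the AWS side needs the same key
}

$problems = Test-RouteBasedVPNParams $vpn
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; throw 'Refusing to create the tunnel' }
New-NSXTRouteBasedVPN @vpn
```

The checks mirror what the AWS side will enforce anyway (reserved inside-tunnel /30s, PSK format, distinct ASNs), so failing fast here saves a round of deleting and recreating the tunnel; the pre-shared key is generated rather than typed so the same weak value does not end up reused across tunnels.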
Get Route-Based VPN info
The Get function returns the route-based VPN information; for the tunnel created above it displays:
Name : VPN-T1
ID : VPN-T1
Path : /infra/tier-0s/vmc/locale-services/default/l3vpns/VPN-T1
RoutingConfigPath : /infra/tier-0s/vmc/locale-services/default/bgp/neighbors/65
The function can also be called with a specific tunnel name to return just that tunnel.
Delete Route-Based VPN
Remove-NSXTRouteBasedVPN -Name "VPN-T1"
Successfully removed NSX-T IPSEC Tunnel: VPN-T1
Successfully removed NSX-T BGP Neighbor
Download the “Create_RB_VPN.ps1” file here.