Use PowerCLI to set your SDDC Route Based VPN

There are two different methods for creating a site-to-site VPN. In this blog post, we take you through the route-based VPN, between VMware Cloud on AWS as the local site and AWS Transit Gateway as the remote site.

There are two different methods for creating a site-to-site VPN:

  • a route-based VPN
  • a policy-based VPN

This article will describe the route-based VPN between VMware Cloud on AWS as the local site and AWS Transit Gateway as the remote site.

Following up on my previous article on building SDDC Firewall rules using PowerCLI, William and I did more work to build new functions related to VMware Cloud on AWS route-based VPN.

VPN diagram

We examined the 5 API calls needed to build a route-based VPN tunnel here, using Python code.

PowerCLI functions

Using PowerShell and PowerCLI is simpler.

We built 3 functions:

  • Create route-based VPN
  • Get route-based VPN info
  • Delete route-based VPN

Create Route-Based VPN

Step 1 – Get the NSX-T and VMC PowerShell modules. Download and import VMware.VMC.NSXT and VMware.VMC.

Import-Module ./VMware.VMC.NSXT.psd1
Import-Module ./VMware.VMC.psd1

Step 2 – Get the Refresh-Token, Org name and SDDC name and assign them to variables.

$RefreshToken = "62c26d4a-xxxx-xxxx-xxxx-913873b1dfe0"
$OrgName = "VMC-SET-EMEA"
$SDDCName = "GC-API-SDDC"

Step 3 – Connect to your VMC environment.

Connect-Vmc -RefreshToken $RefreshToken

Step 4 – Get the NSX-T Proxy URL for all API calls.

Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName

Step 5 – Get the VPN Public IP of your SDDC.

Get-NSXTOverviewInfo

On the GUI, the VPN Public IP is displayed here.

SDDC image

The PowerCLI output parameter is called 'vpn_internet_ips'; check this blog post for more details.

Step 6 – Prepare and plan the tunnel IP addresses, BGP AS numbers, encryption methods, DH group and password as follows:

- PublicIP: the VPN Public IP retrieved above
- RemotePublicIP: the remote site Public IP
- BGPLocalIP: the BGP local IP in the 169.254.x.x range
- BGPRemoteIP: the BGP remote IP in the 169.254.x.x range
- BGPLocalASN: the VMC BGP AS number
- RemoteBGPASN: the remote BGP AS number
- BGPNeighborID: the BGP neighbor ID (arbitrary)
- TunnelEncryption: tunnel encryption method
- TunnelDigestEncryption: tunnel encryption digest
- IKEEncryption: key exchange encryption method
- IKEDigestEncryption: key exchange digest
- DHGroup: Diffie-Hellman group
- IKEVersion: IKE version
- PresharedPassword: tunnel password

SDDC image

Step 7 – Choose a name for your VPN tunnel and run the function:

New-NSXTRouteBasedVPN -Name VPN-T1 `
-PublicIP 52.57.x.x `
-RemotePublicIP 18.19.x.x `
-BGPLocalIP 169.254.62.2 `
-BGPRemoteIP 169.254.62.1 `
-BGPLocalASN 65056 `
-RemoteBGPASN 64512 `
-BGPNeighborID 65 `
-TunnelEncryption AES_256 `
-TunnelDigestEncryption SHA2_256 `
-IKEEncryption AES_256 `
-IKEDigestEncryption SHA2_256 `
-DHGroup GROUP14 `
-IKEVersion IKE_V1 `
-PresharedPassword xxxxx

Successfully created Route-Based VPN.

VPN info example
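As an added example (not code from this post or from the VMware.VMC.NSXT module), the following validates the Step 6 plan before the Step 7 call is made: both BGP peering addresses must be 169.254.x.x hosts in the same /30, the two ASNs must differ, and the pre-shared key is prompted for at run time rather than stored in the script. It assumes the module is imported and Connect-NSXTProxy has already run; the 16-bit private ASN range check (64512-65534) is an assumption based on the values the post uses.

```powershell
# Added example, not code from the post or the VMware.VMC.NSXT module.
# Assumes that module is imported and Connect-NSXTProxy has already run.
function Test-RouteBasedVpnPlan {
    param([Parameter(Mandatory)][hashtable]$Plan)
    $problems = @()
    # Both BGP peering addresses must be link-local (169.254.x.x) and on one /30
    $octets = @{}
    foreach ($key in 'BGPLocalIP', 'BGPRemoteIP') {
        if ($Plan[$key] -match '^169\.254\.(\d{1,3})\.(\d{1,3})$') {
            $octets[$key] = @([int]$Matches[1], [int]$Matches[2])
        } else {
            $problems += "$key '$($Plan[$key])' is not a 169.254.x.x address"
        }
    }
    if ($octets.Count -eq 2) {
        $l = $octets.BGPLocalIP; $r = $octets.BGPRemoteIP
        if ($l[0] -ne $r[0] -or ($l[1] -shr 2) -ne ($r[1] -shr 2) -or $l[1] -eq $r[1]) {
            $problems += 'BGPLocalIP and BGPRemoteIP must be two distinct hosts in the same /30'
        }
    }

    # Assumption: 16-bit private ASNs as in the post (64512-65534); eBGP peers must differ
    foreach ($key in 'BGPLocalASN', 'RemoteBGPASN') {
        if ([int]$Plan[$key] -lt 64512 -or [int]$Plan[$key] -gt 65534) {
            $problems += "$key $($Plan[$key]) is outside the private range 64512-65534"
        }
    }
    if ($Plan.BGPLocalASN -eq $Plan.RemoteBGPASN) { $problems += 'Local and remote ASN must differ' }

    # Refuse a short or placeholder pre-shared key
    if ($Plan.PresharedPassword.Length -lt 20 -or $Plan.PresharedPassword -match '^x+$') {
        $problems += 'PresharedPassword must be at least 20 characters and not a placeholder'
    }
    return $problems
}

# Step 7 values (public IPs are the post's placeholders); the PSK is prompted, never stored
$plan = @{
    Name = 'VPN-T1'; PublicIP = '52.57.x.x'; RemotePublicIP = '18.19.x.x'
    BGPLocalIP = '169.254.62.2'; BGPRemoteIP = '169.254.62.1'
    BGPLocalASN = 65056; RemoteBGPASN = 64512; BGPNeighborID = 65
    TunnelEncryption = 'AES_256'; TunnelDigestEncryption = 'SHA2_256'
    IKEEncryption = 'AES_256'; IKEDigestEncryption = 'SHA2_256'
    DHGroup = 'GROUP14'; IKEVersion = 'IKE_V1'
    PresharedPassword = [System.Net.NetworkCredential]::new('', (Read-Host 'Pre-shared key' -AsSecureString)).Password
}
$problems = Test-RouteBasedVpnPlan -Plan $plan
if ($problems) { $problems | Write-Warning; throw 'VPN plan rejected, nothing created' }
New-NSXTRouteBasedVPN @plan   # splatting passes each key as the matching parameter
```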

Get Route-Based VPN info

The following function retrieves the route-based VPN info and displays it:

Get-NSXTRouteBasedVPN
Name : VPN-T1
ID : VPN-T1
Path : /infra/tier-0s/vmc/locale-services/default/l3vpns/VPN-T1
RoutingConfigPath : /infra/tier-0s/vmc/locale-services/default/bgp/neighbors/65

The function can also be used with a tunnel name like:

VPN config image

Delete Route-Based VPN

Remove-NSXTRouteBasedVPN -Name "VPN-T1"
Successfully removed NSX-T IPSEC Tunnel: VPN-T1
Successfully removed NSX-T BGP Neighbor

VPN config image

Download the “Create_RB_VPN.ps1” file here.

Thanks.


About the Authors

Gilles Chekroun

Senior NSX Specialist SE at VMware

Gilles Chekroun is Lead VMware Cloud on AWS Solutions Architect in the European team. He joined VMware in 2015 after spending 20 years at Cisco in the Data Centre Network and Virtualisation team. He has a strong background in Networking and Storage. Gilles started in the VMware NSX European team and quickly moved to Software Defined Data Centre in the cloud with VMware Cloud on AWS technologies. He works closely with VMware customers and partners in designing, building and implementing their move to the hybrid cloud model, helping them in their digital transformation. Gilles is VCP6-NV certified and also an AWS Solution Architect.
