Technical VMware Cloud on AWS

Use PowerCLI to set your SDDC Route Based VPN


There are two different methods for creating a site-to-site VPN:

  • a route-based VPN
  • a policy-based VPN

This article will describe the route-based VPN between VMware Cloud on AWS as the local site and AWS Transit Gateway as the remote site.

Following up on my previous article on building SDDC Firewall rules using PowerCLI, William and I did more work to build new functions related to VMware Cloud on AWS Route based VPN.

VPN diagram


In an earlier post we examined the five API calls needed to build a route-based VPN tunnel, using Python code.

PowerCLI functions

Using PowerShell and PowerCLI is simpler.

We built 3 functions:

  • Create route-based VPN
  • Get route-based VPN info
  • Delete route-based VPN

Create Route-Based VPN

Step 1 – Get the NSX-T and VMC PowerShell modules. Download and import VMware.VMC.NSXT and VMware.VMC.

Import-Module ./VMware.VMC.NSXT.psd1
Import-Module ./VMware.VMC.psd1

Step 2 – Get the Refresh-Token, Org name and SDDC name and assign them to variables.

$RefreshToken = "62c26d4a-xxxx-xxxx-xxxx-913873b1dfe0"
$OrgName = "VMC-SET-EMEA"
$SDDCName = "<your-SDDC-name>"   # placeholder; Connect-NSXTProxy in Step 4 needs it

Step 3 – Connect to your VMC environment.

Connect-Vmc -RefreshToken $RefreshToken

Step 4 – Get the NSX-T Proxy URL for all API calls.

Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName

Step 5 – Get the VPN Public IP of your SDDC.


On the GUI, the VPN Public IP is displayed here.

SDDC image


The PowerCLI output property is called ‘vpn_internet_ips’; check this blog post for more details.

Step 6 – Prepare and plan the tunnel IP addresses, BGP AS numbers, encryption methods, DH group and password as follows:

  • PublicIP: the VPN Public IP retrieved above
  • RemotePublicIP: the remote site Public IP
  • BGPLocalIP: the BGP local IP in the 169.254.x.x range
  • BGPRemoteIP: the BGP remote IP in the 169.254.x.x range
  • BGPLocalASN: the VMC BGP AS number
  • RemoteBGPASN: the remote BGP AS number
  • BGPNeighborID: the BGP neighbor ID (arbitrary)
  • TunnelEncryption: tunnel encryption method
  • TunnelDigestEncryption: tunnel encryption digest
  • IKEEncryption: key exchange encryption method
  • IKEDigestEncryption: key exchange digest
  • DHGroup: Diffie-Hellman group
  • IKEVersion: IKE version
  • PresharedPassword: tunnel password

SDDC image


Step 7 – Choose a name for your VPN tunnel and run the function:

# The 169.254.x.x values are placeholders: use the link-local pair planned in Step 6
New-NSXTRouteBasedVPN -Name VPN-T1 `
-PublicIP 52.57.x.x `
-RemotePublicIP 18.19.x.x `
-BGPLocalIP 169.254.x.x `
-BGPRemoteIP 169.254.x.x `
-BGPLocalASN 65056 `
-RemoteBGPASN 64512 `
-BGPNeighborID 65 `
-TunnelEncryption AES_256 `
-TunnelDigestEncryption SHA2_256 `
-IKEEncryption AES_256 `
-IKEDigestEncryption SHA2_256 `
-DHGroup GROUP14 `
-IKEVersion IKE_V1 `
-PresharedPassword xxxxx

Successfully created Route-Based VPN.
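Before running the function, it is worth checking the plan from Step 6 for the mistakes that produce a tunnel that never comes up or one built on weak settings. The following is an added example, not code from the original post or from the VMware.VMC.NSXT module; it assumes the parameter names shown in Step 7, PowerShell 7 for ConvertFrom-SecureString -AsPlainText, and the thresholds it checks are my own choices.

```powershell
# Added example (not from the original post or the VMware.VMC.NSXT module):
# pre-flight checks on the New-NSXTRouteBasedVPN parameters before calling it.
# Parameter names are the ones shown in Step 7; the thresholds below are my own.
function Test-RouteBasedVpnPlan {
    param([Parameter(Mandatory)][hashtable]$Plan)
    $findings = @()
    foreach ($k in 'BGPLocalIP', 'BGPRemoteIP') {
        $ip = $null
        if (-not [ipaddress]::TryParse([string]$Plan[$k], [ref]$ip) -or
            $ip.GetAddressBytes()[0] -ne 169 -or $ip.GetAddressBytes()[1] -ne 254) {
            $findings += "ERROR: $k must be a 169.254.x.x link-local address (got '$($Plan[$k])')"
        }
    }
    if ($Plan.BGPLocalIP -eq $Plan.BGPRemoteIP) { $findings += 'ERROR: BGPLocalIP and BGPRemoteIP must differ' }
    if ($Plan.BGPLocalASN -eq $Plan.RemoteBGPASN) { $findings += 'ERROR: local and remote ASN must differ for eBGP' }
    foreach ($k in 'BGPLocalASN', 'RemoteBGPASN') {
        if ($Plan[$k] -lt 64512 -or $Plan[$k] -gt 65534) { $findings += "WARN: $k $($Plan[$k]) is outside the 16-bit private range 64512-65534" }
    }
    # Crypto choices the post exposes as parameters; flag the weaker options.
    if ($Plan.IKEVersion -eq 'IKE_V1') { $findings += 'WARN: IKE_V1 selected; prefer IKE_V2 when the remote peer supports it' }
    if ($Plan.DHGroup -in 'GROUP2', 'GROUP5') { $findings += "WARN: $($Plan.DHGroup) is weak; use GROUP14 or higher" }
    foreach ($k in 'TunnelDigestEncryption', 'IKEDigestEncryption') {
        if ($Plan[$k] -eq 'SHA1') { $findings += "WARN: $k uses SHA1; prefer SHA2_256" }
    }
    if ($Plan.PresharedPassword.Length -lt 20) { $findings += 'WARN: pre-shared key is shorter than 20 characters' }
    return $findings
}

# Constructed plan mirroring Step 7; the x.x public IPs are the post's own placeholders.
$plan = @{
    Name = 'VPN-T1'; PublicIP = '52.57.x.x'; RemotePublicIP = '18.19.x.x'
    BGPLocalIP = '169.254.10.1'; BGPRemoteIP = '169.254.10.2'
    BGPLocalASN = 65056; RemoteBGPASN = 64512; BGPNeighborID = 65
    TunnelEncryption = 'AES_256'; TunnelDigestEncryption = 'SHA2_256'
    IKEEncryption = 'AES_256'; IKEDigestEncryption = 'SHA2_256'
    DHGroup = 'GROUP14'; IKEVersion = 'IKE_V1'
    # Prompt for the PSK instead of hard-coding it (ConvertFrom-SecureString -AsPlainText needs PowerShell 7+)
    PresharedPassword = (Read-Host -Prompt 'Pre-shared key' -AsSecureString | ConvertFrom-SecureString -AsPlainText)
}
$findings = Test-RouteBasedVpnPlan -Plan $plan
$findings | ForEach-Object { Write-Warning $_ }
if (-not ($findings | Where-Object { $_ -like 'ERROR:*' })) {
    New-NSXTRouteBasedVPN @plan   # splat the validated plan into the post's function
}
```

ERROR findings block the call; WARN findings are printed and the tunnel is still created, so the script behaves like Step 7 for a plan that passes every check.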

VPN info example

Get Route-Based VPN info

The Get function retrieves the route-based VPN info and displays the following:

Name : VPN-T1
Path : /infra/tier-0s/vmc/locale-services/default/l3vpns/VPN-T1
RoutingConfigPath : /infra/tier-0s/vmc/locale-services/default/bgp/neighbors/65

The function can also be called with a specific tunnel name, as shown here:

VPN config image


Delete Route-Based VPN

Remove-NSXTRouteBasedVPN -Name "VPN-T1"
Successfully removed NSX-T IPSEC Tunnel: VPN-T1
Successfully removed NSX-T BGP Neighbor

VPN config image

Download the “Create_RB_VPN.ps1” file here.



