There are two different methods for creating a site-to-site VPN:
- a route-based VPN
- a policy-based VPN
This article will describe the route-based VPN between VMware Cloud on AWS as the local site and AWS Transit Gateway as the remote site.
Following up on my previous article on building SDDC firewall rules using PowerCLI, William and I did more work to build new functions related to VMware Cloud on AWS route-based VPN.
We examined the 5 API calls needed to build a route-based VPN tunnel here, using Python code.
PowerCLI functions
Using PowerShell and PowerCLI is simpler.
We built three functions:
- Create route-based VPN
- Get route-based VPN info
- Delete route-based VPN
Create Route-Based VPN
Step 1 – Get the NSX-T and VMC PowerShell modules. Download and import VMware.VMC.NSXT and VMware.VMC.
Import-Module ./VMware.VMC.NSXT.psd1
Import-Module ./VMware.VMC.psd1
Step 2 – Get the refresh token, Org name and SDDC name and assign them to variables. The refresh token is a VMware Cloud Services API credential: treat it like a password, and keep it out of scripts you commit to source control.
$RefreshToken = "62c26d4a-xxxx-xxxx-xxxx-913873b1dfe0"
$OrgName = "VMC-SET-EMEA"
$SDDCName = "GC-API-SDDC"
Step 3 – Connect to your VMC environment.
Connect-Vmc -RefreshToken $RefreshToken
Step 4 – Get the NSX-T Proxy URL for all API calls.
Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName
Step 5 – Get the VPN Public IP of your SDDC.
Get-NSXTOverviewInfo
On the GUI, the VPN Public IP is displayed here.
The PowerCLI output property is called 'vpn_internet_ips'; check this blog post for more details.
Step 6 – Prepare and plan the tunnel IP addresses, BGP AS numbers, encryption methods, DH group and pre-shared key as follows:
- PublicIP: the VPN Public IP retrieved above
- RemotePublicIP: the remote site Public IP
- BGPLocalIP: the BGP local IP, in the 169.254.x.x link-local range
- BGPRemoteIP: the BGP remote IP, in the 169.254.x.x link-local range
- BGPLocalASN: the VMC BGP AS number
- RemoteBGPASN: the remote BGP AS number
- BGPNeighborID: the BGP neighbor ID (arbitrary)
- TunnelEncryption: tunnel (IPsec) encryption algorithm
- TunnelDigestEncryption: tunnel (IPsec) integrity digest
- IKEEncryption: key exchange (IKE) encryption algorithm
- IKEDigestEncryption: key exchange (IKE) digest
- DHGroup: Diffie-Hellman group
- IKEVersion: IKE version
- PresharedPassword: the tunnel pre-shared key, which must match on both ends
Step 7 – Choose a name for your VPN tunnel and run the function. The values below match the remote side in this setup; the IKE version, encryption, digest and DH group must be identical on the AWS end or the tunnel will not negotiate. NSX-T also accepts IKE_V2 for the IKE profile, so use that where the remote side supports it.
New-NSXTRouteBasedVPN -Name VPN-T1 `
-PublicIP 52.57.x.x `
-RemotePublicIP 18.19.x.x `
-BGPLocalIP 169.254.62.2 `
-BGPRemoteIP 169.254.62.1 `
-BGPLocalASN 65056 `
-RemoteBGPASN 64512 `
-BGPNeighborID 65 `
-TunnelEncryption AES_256 `
-TunnelDigestEncryption SHA2_256 `
-IKEEncryption AES_256 `
-IKEDigestEncryption SHA2_256 `
-DHGroup GROUP14 `
-IKEVersion IKE_V1 `
-PresharedPassword xxxxx
Successfully created Route-Based VPN.
Get Route-Based VPN info
The following function gets the route-based VPN info and displays the following:
Get-NSXTRouteBasedVPN
Name : VPN-T1
ID : VPN-T1
Path : /infra/tier-0s/vmc/locale-services/default/l3vpns/VPN-T1
RoutingConfigPath : /infra/tier-0s/vmc/locale-services/default/bgp/neighbors/65
The function can also be used with a tunnel name to return a single VPN.
Delete Route-Based VPN
Remove-NSXTRouteBasedVPN -Name "VPN-T1"
Successfully removed NSX-T IPSEC Tunnel: VPN-T1
Successfully removed NSX-T BGP Neighbor
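As an added example (not code from the original post or from the VMware.VMC.NSXT module), the following script ties the create, get and delete functions above into one runbook. It keeps the page's cipher choices but defaults to IKE_V2, on the assumption that New-NSXTRouteBasedVPN passes the value through to the NSX-T IKE profile (pass -IKEVersion IKE_V1 if the remote end needs it); it reads the refresh token from an environment variable named VMC_REFRESH_TOKEN, a name chosen here; it assumes Get-NSXTOverviewInfo exposes the VPN endpoint as vpn_internet_ips, as stated above; and it generates a pre-shared key when none is passed. The link-local and pre-shared-key checks encode the AWS site-to-site VPN constraints and are added here, not taken from the post.

```powershell
<#
  Added example, not code from the original post or from the VMware.VMC.NSXT module.
  Wires the functions above into one script: connect, sanity-check the plan,
  create the tunnel, read it back, and optionally remove it.
  Assumptions (chosen here, not stated on the page):
    - the refresh token is supplied in $env:VMC_REFRESH_TOKEN
    - Get-NSXTOverviewInfo exposes the SDDC VPN endpoint as 'vpn_internet_ips'
    - New-NSXTRouteBasedVPN passes -IKEVersion through to NSX-T, which accepts IKE_V2
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $OrgName,
    [Parameter(Mandatory)] [string] $SDDCName,
    [Parameter(Mandatory)] [string] $Name,             # tunnel name, e.g. VPN-T1
    [Parameter(Mandatory)] [string] $RemotePublicIP,   # Transit Gateway VPN outside address
    [string] $BGPLocalIP    = '169.254.62.2',
    [string] $BGPRemoteIP   = '169.254.62.1',
    [int]    $BGPLocalASN   = 65056,
    [int]    $RemoteBGPASN  = 64512,
    [int]    $BGPNeighborID = 65,
    [ValidateSet('IKE_V1', 'IKE_V2')] [string] $IKEVersion = 'IKE_V2',
    [string] $PresharedPassword,                       # generated below when empty
    [switch] $Cleanup                                  # remove the tunnel instead of creating it
)
$ErrorActionPreference = 'Stop'
Import-Module ./VMware.VMC.psd1
Import-Module ./VMware.VMC.NSXT.psd1

# The refresh token is an API credential: read it from the environment, never hard-code it.
$RefreshToken = $env:VMC_REFRESH_TOKEN
if (-not $RefreshToken) { throw 'Set VMC_REFRESH_TOKEN to a VMware Cloud Services API token first.' }

Connect-Vmc -RefreshToken $RefreshToken | Out-Null
Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName | Out-Null

if ($Cleanup) {
    Remove-NSXTRouteBasedVPN -Name $Name   # drops the IPsec tunnel and its BGP neighbor
    return
}

# Tunnel inside addresses must be link-local (169.254.0.0/16); AWS additionally reserves
# 169.254.0.0/30 .. 169.254.5.0/30 and 169.254.169.252/30, which a tunnel cannot use.
function Test-TunnelInsideIP {
    param([string] $IP)
    $b = [System.Net.IPAddress]::Parse($IP).GetAddressBytes()
    if ($b[0] -ne 169 -or $b[1] -ne 254) { return $false }
    $reservedLow  = ($b[2] -le 5 -and $b[3] -le 3)
    $reservedMeta = ($b[2] -eq 169 -and $b[3] -ge 252)
    return -not ($reservedLow -or $reservedMeta)
}
foreach ($ip in @($BGPLocalIP, $BGPRemoteIP)) {
    if (-not (Test-TunnelInsideIP $ip)) { throw "$ip is not a usable tunnel inside address" }
}
if ($BGPLocalIP -eq $BGPRemoteIP) { throw 'BGPLocalIP and BGPRemoteIP must differ' }

# Pre-shared key: 30 random bytes as hex behind a letter, which satisfies the AWS VPN
# constraints (8-64 characters, alphanumeric, '.' and '_' only, must not start with 0).
if (-not $PresharedPassword) {
    $bytes = [byte[]]::new(30)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $PresharedPassword = 'k' + (-join ($bytes | ForEach-Object { $_.ToString('x2') }))
}

# Local endpoint: first VPN public IP of the SDDC (property name as given in the post).
$overview = Get-NSXTOverviewInfo
$PublicIP = @($overview.vpn_internet_ips)[0]
if (-not $PublicIP) { throw 'Get-NSXTOverviewInfo returned no vpn_internet_ips' }

New-NSXTRouteBasedVPN -Name $Name `
    -PublicIP $PublicIP -RemotePublicIP $RemotePublicIP `
    -BGPLocalIP $BGPLocalIP -BGPRemoteIP $BGPRemoteIP `
    -BGPLocalASN $BGPLocalASN -RemoteBGPASN $RemoteBGPASN -BGPNeighborID $BGPNeighborID `
    -TunnelEncryption AES_256 -TunnelDigestEncryption SHA2_256 `
    -IKEEncryption AES_256 -IKEDigestEncryption SHA2_256 -DHGroup GROUP14 `
    -IKEVersion $IKEVersion -PresharedPassword $PresharedPassword

# Read the tunnel back rather than trusting the success message.
$vpn = Get-NSXTRouteBasedVPN | Where-Object { $_.Name -eq $Name }
if (-not $vpn) { throw "Tunnel $Name not found after creation" }
[pscustomobject]@{
    Name              = $vpn.Name
    Path              = $vpn.Path
    RoutingConfigPath = $vpn.RoutingConfigPath
    PresharedPassword = $PresharedPassword   # enter the same key on the Transit Gateway side
}
```

Save it as, say, New-TGWTunnel.ps1 and run it from the directory holding the two module manifests, with the placeholders replaced: `.\New-TGWTunnel.ps1 -OrgName VMC-SET-EMEA -SDDCName GC-API-SDDC -Name VPN-T1 -RemotePublicIP 18.19.x.x`; the same call with `-Cleanup` tears the tunnel down again. The generated key is returned once so it can be entered on the AWS side and then stored in a secrets manager rather than in the script.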
Download the “Create_RB_VPN.ps1” file here.
Thanks.
Tags: APIs, PowerCLI, PowerShell, Route Based VPN, SDDC, VMware Cloud on AWS