Use PowerCLI to set your SDDC Route Based VPN

Gilles Chekroun
Lead VMware Cloud on AWS Specialist
To create a site-to-site VPN there are basically two methods:
- a route based VPN
- a policy based VPN
This article describes a route based VPN with VMware Cloud on AWS as the local site and an AWS Transit Gateway as the remote site.
Following up on my previous article on building SDDC Firewall rules using PowerCLI, William and I did more work to build new functions for the VMware Cloud on AWS route based VPN.
We examined the 5 API calls needed to build a route based VPN tunnel here, using Python code.
PowerCLI functions
Using PowerShell and PowerCLI is simpler.
We built 3 functions:

    - Create Route Based VPN
    - Get Route Based VPN info
    - Delete Route Based VPN

Create Route Based VPN
Step 1 - Get the NSX-T and VMC PowerShell modules. Download and import VMware.VMC.NSXT and VMware.VMC.
    Import-Module ./VMware.VMC.NSXT.psd1
    Import-Module ./VMware.VMC.psd1
Step 2 - Get the Refresh-Token, Org name and SDDC name and a…

Use PowerCLI to set your SDDC Firewall rules

Gilles Chekroun
Lead VMware Cloud on AWS Specialist
One thing I really like about VMware is the team spirit of that company. People are always there to help you, sharing their experiences and knowledge. We have our EPIC2 values and one guy in particular stands out for Passion and Community.
It's William Lam.
He is well known in our community for his "virtuallyGhetto" blog and the 1000+ posts he wrote on many subjects and technologies. Recently, I asked him which API I should use to retrieve the VMC SDDC public IP address and he replied with a blog post! Amazing.
William wrote many PowerShell modules and in particular the ones for NSX-T and VMC.
Download and import VMware.VMC.NSXT and VMware.VMC PowerShell modules. We will need them later.
This article will describe how to automate tasks after SDDC deployment, such as creating logical segments and setting up firewall rules on the MGW (the Management Gateway) and, most importantly, on the CGW (the Compute Gateway).

PowerShell Install o…

Deploy VMware Cloud on AWS Route Based VPN with API

Gilles Chekroun
Lead VMware Cloud on AWS Specialist
Following my articles on AWS Transit Gateway here and here, I found it quite complex to set up the VPN connection and the two tunnels from the TGW VPN attachment to the VMC route based VPN using the GUI.

AWS VPN Naming and VMC VPN relationship
When creating the AWS TGW VPN attachment, AWS offers the option to "download configuration file".
AWS - VMC relationship: Once this is clear, it's time to map these parameters to our API calls.
Five API calls
To properly set up a route based VPN to an AWS TGW we need 5 API calls:
- Get the NSX-T Proxy URL
- Get the SDDC Public IP
- Set Local AS Number
- Set BGP Neighbour ID
- Set VPN Tunnels
Before we can make any API calls into VMC we need a few parameters such as "Refresh-Token", "Org-ID" and "SDDC-ID". Refer to my earlier post here on how to get them.
Get NSX-T Proxy URL
This API call takes "Org-ID, SDDC-ID and Session-Token" and returns the NSX-T Proxy URL you need in t…
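The AWS-to-VMC parameter mapping described above, as an added example that is not code from the original article: a small Python script that parses the text AWS produces under "download configuration file" (laid out like AWS's generic, vendor-agnostic download as I recall it), renames each tunnel's values from the AWS vocabulary ("Customer Gateway" is our SDDC, "Virtual Private Gateway" is the TGW end) into the values the VMC side asks for (remote public IP, BGP local and remote IP, local and remote ASN, pre-shared key), and runs consistency checks before anything is pushed through the API. Every address, ASN and key in the sample is constructed; the field names on the VMC side are my own labels, not the console's or the API's.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the layout of the generic configuration file AWS offers
# for download on a VPN connection (from memory). All values here are made up.
SAMPLE_CONFIG = """\
IPSec Tunnel #1
  - Pre-Shared Key           : Tunnel1ExampleKeyNotReal
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 198.51.100.21
Inside IP Addresses
  - Customer Gateway         : 169.254.10.2/30
  - Virtual Private Gateway  : 169.254.10.1/30
  - Customer Gateway ASN     : 65000
  - Virtual Private Gateway ASN : 64512

IPSec Tunnel #2
  - Pre-Shared Key           : Tunnel2ExampleKeyNotReal
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 198.51.100.37
Inside IP Addresses
  - Customer Gateway         : 169.254.11.2/30
  - Virtual Private Gateway  : 169.254.11.1/30
  - Customer Gateway ASN     : 65000
  - Virtual Private Gateway ASN : 64512
"""


@dataclass
class VmcVpnTunnel:
    """One tunnel named from the VMC side: 'local' is the SDDC (AWS: Customer
    Gateway), 'remote' is the TGW end (AWS: Virtual Private Gateway)."""
    tunnel: int
    local_public_ip: str   # SDDC public IP        (AWS: Customer Gateway, outside)
    remote_public_ip: str  # TGW tunnel endpoint   (AWS: Virtual Private Gateway, outside)
    local_bgp_ip: str      # BGP local IP/prefix   (AWS: Customer Gateway, inside)
    remote_bgp_ip: str     # BGP neighbour IP      (AWS: Virtual Private Gateway, inside)
    local_asn: int         # "Set Local AS Number" (AWS: Customer Gateway ASN)
    remote_asn: int        # BGP neighbour ASN     (AWS: Virtual Private Gateway ASN)
    psk: str               # pre-shared key, one per tunnel


KEY_RE = re.compile(r"^\s*-\s*(.+?)\s*:\s*(\S+)")
FIELDS = {"local_public_ip", "remote_public_ip", "local_bgp_ip", "remote_bgp_ip",
          "local_asn", "remote_asn", "psk"}


def parse_aws_vpn_config(text: str) -> list[VmcVpnTunnel]:
    """Single pass over the file. 'Customer Gateway' appears under both the
    Outside and Inside headings, so the current heading picks the field."""
    tunnels, fields, side = [], None, None
    for line in text.splitlines():
        hdr = re.match(r"^IPSec Tunnel #(\d+)", line)
        if hdr:
            if fields:
                tunnels.append(_finish(fields))
            fields, side = {"tunnel": int(hdr.group(1))}, None
        elif fields is None:
            continue
        elif line.startswith("Outside IP Addresses"):
            side = "outside"
        elif line.startswith("Inside IP Addresses"):
            side = "inside"
        elif (kv := KEY_RE.match(line)):
            key, value = kv.groups()
            if key == "Pre-Shared Key":
                fields["psk"] = value
            elif key == "Customer Gateway ASN":
                fields["local_asn"] = int(value)
            elif key == "Virtual Private Gateway ASN":
                fields["remote_asn"] = int(value)
            elif key == "Customer Gateway" and side:
                fields["local_public_ip" if side == "outside" else "local_bgp_ip"] = value
            elif key == "Virtual Private Gateway" and side:
                fields["remote_public_ip" if side == "outside" else "remote_bgp_ip"] = value
    if fields:
        tunnels.append(_finish(fields))
    return tunnels


def _finish(fields: dict) -> VmcVpnTunnel:
    missing = FIELDS - fields.keys()   # refuse a half-parsed tunnel rather than guess
    if missing:
        raise ValueError(f"tunnel {fields['tunnel']}: missing {sorted(missing)}")
    return VmcVpnTunnel(**fields)


def check_tunnels(tunnels: list[VmcVpnTunnel]) -> list[str]:
    """Consistency checks to run before the API calls; returns the problems found."""
    problems = []
    if len(tunnels) != 2:
        problems.append(f"a TGW VPN attachment yields 2 tunnels, file has {len(tunnels)}")
    for name in ("local_public_ip", "local_asn", "remote_asn"):
        if len({getattr(t, name) for t in tunnels}) > 1:
            problems.append(f"{name} differs between tunnels")
    if len({t.psk for t in tunnels}) < len(tunnels):
        problems.append("pre-shared key reused across tunnels")
    for t in tunnels:
        if t.local_asn == t.remote_asn:
            problems.append(f"tunnel {t.tunnel}: local and remote ASN must differ (eBGP)")
        if not 8 <= len(t.psk) <= 64:   # AWS's documented PSK length bounds
            problems.append(f"tunnel {t.tunnel}: PSK length out of range")
        local, remote = ipaddress.ip_interface(t.local_bgp_ip), ipaddress.ip_interface(t.remote_bgp_ip)
        if not (local.network == remote.network and local.network.prefixlen == 30
                and local.ip in ipaddress.ip_network("169.254.0.0/16") and local.ip != remote.ip):
            problems.append(f"tunnel {t.tunnel}: inside addresses must be two hosts of one 169.254.x.x/30")
    return problems


if __name__ == "__main__":
    parsed = parse_aws_vpn_config(SAMPLE_CONFIG)
    for t in parsed:
        print(f"tunnel {t.tunnel}: peer {t.remote_public_ip}, BGP {t.local_bgp_ip} -> "
              f"{t.remote_bgp_ip} AS{t.remote_asn}, local AS{t.local_asn}")
    print(check_tunnels(parsed) or "config consistent")
```

The two tunnels share the SDDC public IP and both ASNs but must differ in peer address, inside /30 and pre-shared key; catching a copy-paste slip here is cheaper than debugging a BGP session that never comes up after the fifth API call.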

AWS Transit Gateway and Multiple Accounts

Gilles Chekroun
Lead VMware Cloud on AWS Specialist

Many customers are starting to use AWS Transit Gateway and want to be able to attach VPCs in multiple accounts.
Often AWS organisations are split by departments and have separate accounts.
This blog post will go through the detailed setup for the TGW and how to connect VPCs in separate accounts.
For a complete description of VMware Cloud on AWS and TGW, please refer to here.
AWS Resource Access Manager (RAM)
Log in to the main account where the TGW was created and create a resource share:
- Name your share and select the TGW
- Add the other account and create the share
- Verify the share creation
- Log in to the account we just added and look for an invitation
- Accept the invitation
For the purpose of the tests we can use an existing VPC or create a new one. I am using VPC4 with CIDR in the added account.
- Create a TGW attachment for this new VPC
- At this stage we will get a "pending acceptance" status. Go back to the main account and accept
- Check a…

AWS Transit Gateway and VMware Cloud on AWS

Gilles Chekroun
Lead VMware Cloud on AWS Specialist

With the release of AWS Transit Gateway, connecting VPCs to VMware Cloud on AWS became much easier.
This blog post will go through the detailed setup for the TGW and Firewall rules on VMC.
NSX-T SDDC and the Transit Gateway
Since November 2018, all new SDDCs deployed are NSX-T based.
I am assuming that the reader is familiar with that deployment and will have an SDDC ready.
The goal of the AWS Transit Gateway is to allow easy, scalable and performant connectivity between multiple VPCs.
Our lab setup will be something like the schema below.
Lab Setup
On the VMware Cloud on AWS side we have two logical segments ( and .2.0/24). On segment 1, a small Linux machine (.9) and an Ubuntu machine (.17). On segment 2 just a small Linux machine (.2) so we can do ping tests.
On the AWS side, I deployed two VPCs (VPC2 and VPC3) with CIDRs of and
In each one I have a small EC2 instance (.159 on VPC2 and .174 …