Use PowerCLI to set your SDDC Policy Based VPN

Gilles Chekroun
Lead VMware Cloud on AWS Specialist
---
In the previous post, we talked about using PowerCLI to setup a route-based VPN. This post will show how to setup a policy based VPN.
For that I will use a new AWS VPC and a Customer Gateway with a Virtual Gateway in AWS natively.
This sets up 2 VPN tunnels with static routes compared to the BGP routes with the route-based VPN.


PowerCLI Functions

  • New-NSXTPolicyBasedVPN
  • Get-NSXTPolicyBasedVPN
  • Remove-NSXTPolicyBasedVPN

JSON and PSObjects

In this post I want to go a bit deeper on the relation between JSON and the PowerShell Objects. To set the VPN Tunnels, we use API calls and with that we need to pass a payload that will carry our multiple parameters like IP addresses, passwords, IKE and Tunnel encryption digest / algorithms.

The Java Script Object Notation (JSON) is mostly used with APIs and our NSX-T Policy APIs are not any exception. When we write a PowerCLI function we need to map the JSON notation to PowerShell.
For example, [...] in JSON will be represented by @{...} in PowerShell. The ":" will be "=" and an array will be represented by @(...).
Let's take a simple example. The PowerShell below . . . 
@{
    display_name = "name";
    enabled = "true";
    local_address = "public_ip";
    remote_private_address = "169.254.60.5";
    remote_public_address = "52.58.160.117";
}
. . . is converted to JSON with the "ConverTo-Json" function and gives the output:
{
  "display_name": "name",
  "enabled": "true",
  "local_address": "public_ip",
  "remote_private_address": "169.254.60.5",
  "remote_public_address": "52.58.160.117"
}
That's a simple mapping. Let's go a bit more in depth:
@{
    tunnel_digest_algorithms = @("SHA2_256");
    tunnel_encryption_algorithms =@("AES_256");
    ike_digest_algorithms =@("SHA2_256");
    ike_encryption_algorithms = @("AES_256");
}
is converted to:
{
  "tunnel_digest_algorithms": [
    "SHA2_256"
  ],
  "tunnel_encryption_algorithms": [
    "AES_256"
  ],
  "ike_digest_algorithms": [
    "SHA2_256"
  ],
  "ike_encryption_algorithms": [
    "AES_256"
  ]
}
We are getting there. Let's check about the subnets.
The following PS notation . . .
@{
    l3vpn_session = @{
        resource_type = "PolicyBasedL3VpnSession";
        rules = @(
            @{
            id = "policy-1";
            display_name = "policy-1";
            sequence_number = 0;
            sources = @(
                @{ subnet = "1.1.1.1";},
                @{ subnet = "2.2.2.2";}
            )
            destinations = @(
                @{ subnet = "8.8.8.8";},
                @{ subnet = "9.9.9.9";}
            )
            }
        ) 
    }
}
. . . is converted to JSON as:
{
  "l3vpn_session": {
    "resource_type": "PolicyBasedL3VpnSession",
    "rules": [
      {
        "id": "policy-1",
        "display_name": "policy-1",
        "sequence_number": 0,
        "sources": [
          {
            "subnet": "1.1.1.1"
          },
          {
            "subnet": "2.2.2.2"
          }
        ],
        "destinations": [
          {
            "subnet": "8.8.8.8"
          },
          {
            "subnet": "9.9.9.9"
          }
        ]
      }
    ]
  }
}
This is now almost matching the payload of our API call.

Create Policy Base VPN

Step 1 - Get the NSX-T and VMC PowerShell modules. Download and import VMware.VMC.NSXT and VMware.VMC.
    Import-Module ./VMware.VMC.NSXT.psd1
    Import-Module ./VMware.VMC.psd1     
Step 2 - Get the Refresh-Token, Org name and SDDC name and assign them to variables
    $RefreshToken   = "62c26d4a-xxxx-xxxx-xxxx-913873b1dfe0"
    $OrgName        = "VMC-SET-EMEA"
    $SDDCName       = "GC-API-SDDC" 
Step 3 - Connect to your VMC environment
    Connect-Vmc -RefreshToken $RefreshToken
Step 4 - Get the NSX-T Proxy URL for all API calls
    Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName
Step 5 - Get the VPN Public IP of your SDDC
    Get-NSXTOverviewInfo
On the GUI, the VPN Public IP is displayed below:
Step 6 - Prepare and plan the Tunnels IP addresses, encryption methods, DH Group and password as follow:
    -PublicIP  This is the VPN Public IP retrieved above
    -RemotePublicIP  This is the remote site Public IP
    -RemotePrivateIP This is the tunnel private IP
    -TunnelEncryption  Tunnel encryption method
    -TunnelDigestEncryption  Tunnel Encryption Digest
    -IKEEncryption  Key Exchange encryption method
    -IKEDigestEncryption Key Exchange Digest
    -DHGroup  Diffie Hellman Group
    -IKEVersion  IKE Version
    -PresharedPassword  Tunnel password
Step 7 - Choose a name for the Tunnel and run the function
New-NSXTPolicyBasedVPN -Name Policy1 `
    -LocalIP 18.197.x.x `
    -RemotePublicIP 52.58.x.x `
    -RemotePrivateIP 169.254.90.1 `
    -SequenceNumber 0 `
    -SourceIPs @("192.168.5.0/24", "192.168.6.0/24") `
    -DestinationIPs @("172.204.10.0/24", "172.204.20.0/24") `
    -TunnelEncryption AES_256 `
    -TunnelDigestEncryption SHA2_256 `
    -IKEEncryption AES_256 `
    -IKEDigestEncryption SHA2_256 `
    -DHGroup GROUP14 `
    -IKEVersion IKE_V1 `
    -PresharedPassword xxxx `
    -Troubleshoot
Successfully created Policy Based VPN

Get Policy Based VPN info

The following function gets the Policy based VPNs info and displays the following:
Get-NSXTPolicyBasedVPN

Delete Policy Based VPN

The delete function must apply to a tunnel name like:
Remove-NSXTPolicyBasedVPN -Name "Policy1"
Successfully removed NSX-T VPN Tunnel: Policy1
Thanks.

Comments

Populars

AWS Transit Gateway and Multiple Accounts

Understanding VMware Cloud on AWS Account Structure and Data Charges

Deploy VMware Cloud on AWS Route Based VPN with API