Deploy VMware Cloud on AWS Route Based VPN with API

-
Gilles Chekroun
Lead VMware Cloud on AWS Specialist
---
Following my articles on AWS Transit Gateway here and here, I found it quite complex to setup the VPN connection and the 2 tunnels from TGW VPN attachment to VMC route based VPN using the GUI.

AWS VPN Naming and VMC VPN relationship

When creating the AWS TGW VPN attachment, AWS gives the possibility to "download configuration file"

AWS - VMC relationship:

Once this is clear, it's time to map these parameters to our API Calls.

Five API calls 

For properly setting a Route Based VPN to AWS TGW we need 5 API calls:
  • Get the NSX-T Proxy URL
  • Get the SDDC Public IP
  • Set Local AS Number
  • Set BGP Neighbour ID
  • Set VPN Tunnels
Before we can do any API calls into VMC we need a few parameter like "Refresh-Token", "Org-ID", "SDDC-ID". Refer to my earlier post here on how to get them.

Get NSX-T Proxy URL

This API call will get "Org-ID, SDDC-ID and Session-Token" and will return the NSX-T Proxy URL you need in the subsequent calls

def getNSXTproxy(org_id, sddc_id, sessiontoken):
    myHeader = {'csp-auth-token': sessiontoken}
    myURL = "{}/vmc/api/orgs/{}/sddcs/{}".format(strProdURL, org_id, sddc_id)
    response = requests.get(myURL, headers=myHeader)
    json_response = response.json()
    proxy_url = json_response['resource_config']['nsx_api_public_endpoint_url']
    overview_url = (proxy_url + "/cloud-service/api/v1/infra/sddc-user-config")
    return overview_url

Get SDDC Public IP

This API Call will retrieve the SDDC Public IP
def getSDDCpublicIP(proxy_url, sessiontoken):
    myHeader = {'csp-auth-token': sessiontoken}
    myURL = proxy_url
    response = requests.get(myURL, headers=myHeader)
    json_response = response.json()
    pub_IP = json_response['vpn_internet_ips'][0]
    return pub_IP

Set Local AS Number

The default Local ASN is 64512 - you can set ASN between 64512 and 65534
This API call will get "Org-ID, SDDC-ID, Session-Token and ASN Number" and will set it.
def set_bgp_asn(proxy_url, org_id, sddc_id, sessiontoken, vmc_asn):
    myHeader = {
        'csp-auth-token': sessiontoken,        'content-type': 'application/json'    }
    myURL = "{}/api/orgs/{}/sddcs/{}/sks-nsxt-manager/policy/api/v1/infra/tier-0s/
vmc/locale-services/default/bgp".format(proxy_url, org_id, sddc_id)
    payload = {
        "local_as_num": vmc_asn
        }
    response = requests.patch(myURL, json=payload, headers=myHeader)
    json_response = response.json()
    print(json_response)
    return

Set BGP Neighbour ID

This API call will set the proper BGP neighbour ID to use on the next call
def setBGPnb(proxy_url, org_id, sddc_id, sessiontoken,neighbor_id, remote_asn, remote_ip):
    myHeader = {'csp-auth-token': sessiontoken}
    myURL = "{}/api/orgs/{}/sddcs/{}/sks-nsxt-manager/policy/api/v1/infra/tier-0s/
vmc/locale-services/default/bgp/neighbors/{}".format(proxy_url, org_id, 
sddc_id, neighbor_id)
    strRequest = {
        "resource_type": "BgpNeighborConfig",
        "id": neighbor_id,
        "remote_as_num": remote_asn,
        "neighbor_address": remote_ip
    }
    response = requests.put(myURL, json=strRequest, headers=myHeader)
    json_response = response.json()
    if str(response.status_code) != "200":
        print(json_response)
    return

Set VPN Tunnels

This API call will create one VPN Tunnel using the parameters from the AWS side configuration file.
def setVPN(proxy_url, org_id, sddc_id, sessiontoken, name, public_ip, remote_ip, local_ip, 
passw, neighbor_id):
    myHeader = {'csp-auth-token': sessiontoken}
    myURL = "{}/api/orgs/{}/sddcs/{}/sks-nsxt-manager/policy/api/v1/infra/tier-0s/
vmc/locale-services/default/l3vpns/{}".format(proxy_url, org_id, sddc_id, name)
    strRequest = {
        "display_name": name,
        "enabled": "true",
        "local_address": public_ip,
        "remote_private_address": remote_ip,
        "remote_public_address": remote_ip,
        "passphrases": [passw],
        "tunnel_digest_algorithms": ["SHA2_256"],
        "ike_digest_algorithms": ["SHA2_256"],
        "ike_encryption_algorithms": ["AES_256"],
        "enable_perfect_forward_secrecy": "true",
        "dh_groups": ["GROUP14"],
        "ike_version": "IKE_V1",
        "l3vpn_session": {
            "resource_type": "RouteBasedL3VpnSession",
            "tunnel_subnets": [
                {
                    "ip_addresses": [
                        local_ip
                    ],
                    "prefix_length": 30
                }
            ],
            "default_rule_logging": "false",
            "force_whitelisting": "false",
            "routing_config_path": "/infra/tier-0s/vmc/locale-services/default/bgp/neighbors/{}"
.format(neighbor_id)
        },
        "tunnel_encryption_algorithms": ["AES_256"]
    }
    response = requests.put(myURL, json=strRequest, headers=myHeader)
    json_response = response.json()
    if str(response.status_code) != "200":
        print(json_response)
    return

Main procedure for setting up the VPN Tunnels


# --------------------------------------------
# ---------------- Main ----------------------
# --------------------------------------------
session_token = getAccessToken(Refresh_Token)
sddcID = getSDDC_ID(ORG_ID, session_token)
proxy = getNSXTproxy(ORG_ID, sddcID, session_token)
set_bgp_asn(proxy, ORG_ID, sddcID, session_token, VMC_ASN)
Public_IP = getSDDCpublicIP(proxy,session_token)
neighbor_1 = "IPSEC_T1"
neighbor_2 = "IPSEC_T2"
setBGPnb(proxy,ORG_ID, sddcID,session_token, neighbor_1, T1_BGP_remote_ASN, T1_BGP_remote_ip)
print("Tunnel 1 IPsec OK")
setVPN(proxy, ORG_ID, sddcID, session_token, "Tunnel-1", Public_IP, T1_remote_public_ip, T1_BGP_local_ip, T1_pass, neighbor_1)
print("Tunnel 1 route based VPN OK")
setBGPnb(proxy,ORG_ID, sddcID,session_token, neighbor_2, T2_BGP_remote_ASN, T2_BGP_remote_ip)
print("Tunnel 2 IPsec OK")
setVPN(proxy, ORG_ID, sddcID, session_token, "Tunnel-2", Public_IP, T2_remote_public_ip, T2_BGP_local_ip, T2_pass, neighbor_2)
print("Tunnel 2 route based VPN OK")

Results on the VMware Cloud on AWS SDDC GUI

Note:
The following networks are reserved for internal use. The network you specify for BGP Local IP/Prefix Length must not overlap any of them.
169.254.0.2/28
169.254.10.1/24
169.254.11.1/24
169.254.12.1/24
169.254.13.1/24

169.254.101.253/30

THANK YOU !!

Comments

  1. AnonymousMay 7, 2019 at 4:19 PM

    Interesting! I have never thought about using API. This would open a lot of cool things, I would definitely try and let you know. May I ask you a question, please? What's the name of the tool you are using for designing the illustration?

    ReplyDelete
    Replies
    1. Gilles ChekrounMay 7, 2019 at 6:10 PM

      PowerPoint!!

      Delete
    2. AnonymousNovember 17, 2020 at 4:16 PM

      Great stuff, Gilles!
      By any chance, do you have any blog post showing how to set up a policy-based VPN?

      Delete
    3. Gilles ChekrounNovember 17, 2020 at 5:56 PM

      I did the powerCLI module for it. Use the search in the blog. You will find it

      Delete

Post a Comment

Populars

Egress VPC and AWS Transit Gateway (Part1)

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Usually my blog posts are customer driven and recently I have been working on a design that would include an Egress VPC and AWS Transit Gateway. This customer is going to use both VMware Managed Transit Gateway and also AWS Transit Gateway. I will split this post in 3 parts: The Egress VPC - this article Adding a VMC SDDC to the Egress VPC here Adding VMware Managed Transit Gateway here Why do we need an Egress VPC? Numerous posts on AWS site  will describe how to build an Egress VPC and the subtleties of the various route tables of the TGW and the Egress VPC itself. The main goal is to have ONE Internet gateway only  that will allow workloads to go out to internet on the Egress VPC. One of the most important point is redundancy and multi-availability zones. Applications usually reside in private subnets, while NAT Gateways reside in a public subnet. NAT Gateways To focus the Internet access to a single point, we can cre
Read more

AWS Transitive routing with Transit Gateways in the same region

-
Image
Gilles Chekroun Lead VMware Cloud on AWS Specialist --- At the AWS Re:invent 2019 conference, the long waited TGW peering functionality was announced and available in a few AWS regions. This is an INTER-REGION peering only meaning that the Transit Gateways need to be in different regions. Hoping that AWS will soon release an INTRA-REGION capability I discussed with a few AWS Solutions Architects in Las Vegas, among them Tom Adamski , about using a VPC as a bridge between two TGWs in the same region. Tom assured me that it is possible opening for the first time the transitive routing capability in AWS networking. Well . . . I needed to test that and see by myself. Test bed For a simple test, I will use 2 TGWs in the same regions with 2 VPCs attached each and another VPC as "bridge" connected to both TGWs. Yes you can connect a VPC up to 5 TGWs . The whole idea is to use this "bridging VPC" and point the default route of the TGWs to it. To do that I c
Read more

Considerations on vTGW to TGW Peering Link

-
Image
   Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Recently I was talking with a Customer on designing their VMware Cloud on AWS environment and linking it to their existing AWS infrastructure. The idea was to have 2 SDDCs, Test and Prod, and link them with a VMware Managed TGW and peer it to their existing TGW. The customer requirements were: VMs in each SDDC should have internet access from the SDDC out VMs from Test should be able to talk to VMs in Prod VMs in any SDDC should be able to access their own vCenter but also the other one Some VMs any SDDC should have a Public IP and NAT rule to be accessible from outside VMware traffic should stay within VMware SDDCs Other traffic, like on-prem, should go via the Customer TGW Test Setup Step1 - Create SDDC Group Create an SDDC Group and attach the 2 SDDCs Prod and Test Make sure the proper FireWall rules are open in each SDDC Compute GW. Step 2 - Attach the Customer TGW In the SDDC Groups, under External TGW TAB, add t
Read more