Use PowerCLI to set your SDDC Route Based VPN

-
Gilles Chekroun
Lead VMware Cloud on AWS Specialist
---
To Create a Site-to-Site VPN, there are basically 2 methods:
- a route based VPN
- a policy based VPN
This article will describe the route based VPN between VMware Cloud on AWS as local site and AWS Transit Gateway as remote site.
Following up on my previous article on building SDDC Firewall rules using PowerCLI, William and I did more work to build new functions related to VMware Cloud on AWS Route based VPN.
We examined the 5 API calls needed to build a route based VPN tunnel here. This was using Python code.

PowerCLI functions

Using Power Shell and PowerCLI is more simple.
We built 3 functions:

    - Create Route Based VPN
    - Get Route Based VPN info
    - Delete Route Based VPN

Create Route Base VPN

Step 1 - Get the NSX-T and VMC PowerShell modules. Download and import VMware.VMC.NSXT and VMware.VMC.
    Import-Module ./VMware.VMC.NSXT.psd1
    Import-Module ./VMware.VMC.psd1     
Step 2 - Get the Refresh-Token, Org name and SDDC name and assign them to variables
    $RefreshToken   = "62c26d4a-xxxx-xxxx-xxxx-913873b1dfe0"
    $OrgName        = "VMC-SET-EMEA"
    $SDDCName       = "GC-API-SDDC" 
Step 3 - Connect to your VMC environment
    Connect-Vmc -RefreshToken $RefreshToken
Step 4 - Get the NSX-T Proxy URL for all API calls
    Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName
Step 5 - Get the VPN Public IP of your SDDC
    Get-NSXTOverviewInfo
On the GUI, the VPN Public IP is displayed here
The PowerCLI output parameter is called vpn_internet_ips check this blog post for more details.
Refer to VMware documentation about Route based VPN here.
Step 6 - Prepare and plan the Tunnels IP addresses, BGP AS Numbers, encryption methods, DH Group and password as follow:
    -PublicIP This is the VPN Public IP retrieved above
    -RemotePublicIP This is the remote site Public IP
    -BGPLocalIP This is the BGP Local IP in the 169.254.x.x range
    -BGPRemoteIP This is the BGP Remote IP in the 169.254.x.x range
    -BGPLocalASN This is the VMC BGP AS Number
    -RemoteBGPASN This is the remote BGP AS Number
    -BGPNeighborID This is the BGP Neighbor ID (arbitrary)
    -TunnelEncryption Tunnel encryption method
    -TunnelDigestEncryption Tunnel Encryption Digest
    -IKEEncryption Key Exchange encryption method
    -IKEDigestEncryption Key Exchange Digest
    -DHGroup Diffie Hellman Group
    -IKEVersion IKE Version
    -PresharedPassword Tunnel password

Step 7 - Choose a Name for your VPN tunnel and run the function:
New-NSXTRouteBasedVPN -Name VPN-T1 `
    -PublicIP 52.57.x.x `
    -RemotePublicIP 18.19.x.x `
    -BGPLocalIP 169.254.62.2 `
    -BGPRemoteIP 169.254.62.1 `
    -BGPlocalASN 65056 `
    -RemoteBGPASN 64512 `
    -BGPNeighborID 65 `
    -TunnelEncryption AES_256 `
    -TunnelDigestEncryption SHA2_256 `
    -IKEEncryption AES_256 `
    -IKEDigestEncryption SHA2_256 `
    -DHGroup GROUP14 `
    -IKEVersion IKE_V1 `
    -PresharedPassword xxxxx
    Successfully created Route Based VPN 

Get route based VPN info

The following function gets the Route based VPNs info and displays the following:
Get-NSXTRouteBasedVPN
Name              : VPN-T1
ID                : VPN-T1
Path              : /infra/tier-0s/vmc/locale-services/default/l3vpns/VPN-T1
RoutingConfigPath : /infra/tier-0s/vmc/locale-services/default/bgp/neighbors/65
The function can also be used with a tunnel name like:
Get-NSXTRouteBasedVPN -Name "VPN-T1"

Delete Route Based VPN

The delete function must apply to a tunnel name like:
Remove-NSXTRouteBasedVPN -Name "VPN-T1"
    Successfully removed NSX-T IPSEC Tunnel: VPN-T1
    Successfully removed NSX-T BGP Neighbor 
Download the "Create_RB_VPN.ps1" file here

Thanks.

Comments

Post a Comment

Populars

Egress VPC and AWS Transit Gateway (Part1)

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Usually my blog posts are customer driven and recently I have been working on a design that would include an Egress VPC and AWS Transit Gateway. This customer is going to use both VMware Managed Transit Gateway and also AWS Transit Gateway. I will split this post in 3 parts: The Egress VPC - this article Adding a VMC SDDC to the Egress VPC here Adding VMware Managed Transit Gateway here Why do we need an Egress VPC? Numerous posts on AWS site  will describe how to build an Egress VPC and the subtleties of the various route tables of the TGW and the Egress VPC itself. The main goal is to have ONE Internet gateway only  that will allow workloads to go out to internet on the Egress VPC. One of the most important point is redundancy and multi-availability zones. Applications usually reside in private subnets, while NAT Gateways reside in a public subnet. NAT Gateways To focus the Internet access to a single point, we can cre
Read more

Build a VMware Cloud on AWS Content Library using AWS S3

-
Image
Gilles Chekroun Lead NSX Systems Engineer - VMware Europe --- What is a Content Library? DISCLAIMER: External content libraries are not supported by VMware GSS ! vSphere Content Library is a repository where you can store VM templates, vApp templates and other kind of files like ISO.  Administrators can use the templates to deploy VMs and vApps. Each item library can contain multiple files. The basis is  .ovf   together with the description files like .mf and .vmdk If you have .ova files, you can simply un-compress them using the linux command:  tar -xvf SomeFile.ova There are two kind of Libraries: Local and Subscribed. Local Library Local Library stores items in a single vCenter. VM and vApp templates are stored as OVF file format. Subscribed Library You can create a Subscribed Library in the same vCenter and to ensure the content is up-to-date, the library can automatically sync with the source on a regular basis. You can also use the option to download co
Read more

AWS Transitive routing with Transit Gateways in the same region

-
Image
Gilles Chekroun Lead VMware Cloud on AWS Specialist --- At the AWS Re:invent 2019 conference, the long waited TGW peering functionality was announced and available in a few AWS regions. This is an INTER-REGION peering only meaning that the Transit Gateways need to be in different regions. Hoping that AWS will soon release an INTRA-REGION capability I discussed with a few AWS Solutions Architects in Las Vegas, among them Tom Adamski , about using a VPC as a bridge between two TGWs in the same region. Tom assured me that it is possible opening for the first time the transitive routing capability in AWS networking. Well . . . I needed to test that and see by myself. Test bed For a simple test, I will use 2 TGWs in the same regions with 2 VPCs attached each and another VPC as "bridge" connected to both TGWs. Yes you can connect a VPC up to 5 TGWs . The whole idea is to use this "bridging VPC" and point the default route of the TGWs to it. To do that I c
Read more