Use PowerCLI to set your SDDC Route Based VPN
Gilles Chekroun
Lead VMware Cloud on AWS Specialist
---
To create a site-to-site VPN there are basically two methods:
- a route based VPN
- a policy based VPN
This article describes a route based VPN between VMware Cloud on AWS as the local site and an AWS Transit Gateway as the remote site.
Following up on my previous article on building SDDC firewall rules using PowerCLI, William and I did more work to build new functions for the VMware Cloud on AWS route based VPN.
We examined the 5 API calls needed to build a route based VPN tunnel here, using Python code.
PowerCLI functions
Using PowerShell and PowerCLI is simpler. We built 3 functions:
- Create Route Based VPN
- Get Route Based VPN info
- Delete Route Based VPN
Create Route Based VPN
Step 1 - Get the NSX-T and VMC PowerShell modules. Download and import VMware.VMC.NSXT and VMware.VMC:
Import-Module ./VMware.VMC.NSXT.psd1
Import-Module ./VMware.VMC.psd1
Step 2 - Get the Refresh-Token, Org name and SDDC name and assign them to variables. The refresh token is a long-lived credential for your VMware Cloud organization: keep it out of scripts you share or commit, and revoke it from the Cloud Services console when it is no longer needed.
$RefreshToken = "62c26d4a-xxxx-xxxx-xxxx-913873b1dfe0"
$OrgName = "VMC-SET-EMEA"
$SDDCName = "GC-API-SDDC"
Step 3 - Connect to your VMC environment:
Connect-Vmc -RefreshToken $RefreshToken
Step 4 - Get the NSX-T Proxy URL used for all subsequent API calls:
Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName
Step 5 - Get the VPN Public IP of your SDDC:
Get-NSXTOverviewInfo
On the GUI, the VPN Public IP is displayed here. The PowerCLI output parameter is called vpn_internet_ips; check this blog post for more details.
Refer to VMware documentation about Route based VPN here.
Step 6 - Prepare and plan the tunnel IP addresses, BGP AS numbers, encryption methods, DH group and pre-shared key as follows:
-PublicIP This is the SDDC VPN Public IP retrieved in Step 5
-RemotePublicIP This is the remote site (Transit Gateway) Public IP
-BGPLocalIP This is the BGP Local IP, in the 169.254.x.x link-local range
-BGPRemoteIP This is the BGP Remote IP, in the 169.254.x.x link-local range
-BGPLocalASN This is the VMC BGP AS Number
-RemoteBGPASN This is the remote BGP AS Number
-BGPNeighborID This is the BGP Neighbor ID (arbitrary; it becomes the last element of the neighbor path)
-TunnelEncryption Tunnel (IPsec) encryption method
-TunnelDigestEncryption Tunnel (IPsec) digest
-IKEEncryption Key exchange (IKE) encryption method
-IKEDigestEncryption Key exchange (IKE) digest
-DHGroup Diffie-Hellman group
-IKEVersion IKE version; the example below uses IKE_V1, but prefer IKEv2 wherever the remote gateway supports it
-PresharedPassword Tunnel pre-shared key; it is a secret shared with the remote site, so generate a long random value and do not leave it in scripts or shell history
Step 7 - Choose a Name for your VPN tunnel and run the function:
New-NSXTRouteBasedVPN -Name VPN-T1 `
-PublicIP 52.57.x.x `
-RemotePublicIP 18.19.x.x `
-BGPLocalIP 169.254.62.2 `
-BGPRemoteIP 169.254.62.1 `
-BGPLocalASN 65056 `
-RemoteBGPASN 64512 `
-BGPNeighborID 65 `
-TunnelEncryption AES_256 `
-TunnelDigestEncryption SHA2_256 `
-IKEEncryption AES_256 `
-IKEDigestEncryption SHA2_256 `
-DHGroup GROUP14 `
-IKEVersion IKE_V1 `
-PresharedPassword xxxxx
Successfully created Route Based VPN
Get Route Based VPN info
The following function gets the route based VPNs info and displays the following:
Get-NSXTRouteBasedVPN
Name : VPN-T1
ID : VPN-T1
Path : /infra/tier-0s/vmc/locale-services/default/l3vpns/VPN-T1
RoutingConfigPath : /infra/tier-0s/vmc/locale-services/default/bgp/neighbors/65
The function can also be used with a tunnel name like:
Get-NSXTRouteBasedVPN -Name "VPN-T1"
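The Step 1 to Step 7 procedure, collected into one PowerShell script as an added example (this is not code from the original post or from William's VMware.VMC / VMware.VMC.NSXT modules). It keeps the refresh token and pre-shared key out of the script by reading them from environment variables, checks the tunnel plan before anything is sent to NSX-T, and then confirms the result with Get-NSXTRouteBasedVPN the way the section above shows. The helper functions Test-LinkLocalIP and Test-VpnPlan, the environment variable names VMC_REFRESH_TOKEN and VMC_VPN_PSK, the 20-character minimum for the pre-shared key, and reading the public IP as a vpn_internet_ips property on the Get-NSXTOverviewInfo result are assumptions of this example; the cmdlets and parameter names are the ones shown on this page.

```powershell
# Added example: the Step 1-7 procedure as one script, with secrets kept out of
# the file and the tunnel plan validated before New-NSXTRouteBasedVPN is called.
# Assumed (not from the post): the env var names, the helper functions, and the
# vpn_internet_ips property on the Get-NSXTOverviewInfo result.
param(
    [Parameter(Mandatory)] [string] $OrgName,
    [Parameter(Mandatory)] [string] $SDDCName,
    [Parameter(Mandatory)] [string] $Name,            # tunnel name, e.g. VPN-T1
    [Parameter(Mandatory)] [string] $RemotePublicIP,  # Transit Gateway outside IP
    [string] $PublicIP,                               # SDDC VPN public IP; looked up if omitted
    [string] $BGPLocalIP    = '169.254.62.2',
    [string] $BGPRemoteIP   = '169.254.62.1',
    [int64]  $BGPLocalASN   = 65056,
    [int64]  $RemoteBGPASN  = 64512,
    [int]    $BGPNeighborID = 65,
    [ValidateSet('IKE_V1', 'IKE_V2')] [string] $IKEVersion = 'IKE_V2'
)

# Secrets come from the environment (or your vault of choice), never from the script file.
$RefreshToken = $env:VMC_REFRESH_TOKEN
$PresharedKey = $env:VMC_VPN_PSK
if (-not $RefreshToken) { throw 'Set VMC_REFRESH_TOKEN to your VMware Cloud API refresh token.' }
if (-not $PresharedKey -or $PresharedKey.Length -lt 20) { throw 'Set VMC_VPN_PSK to a pre-shared key of at least 20 characters.' }

function Test-LinkLocalIP {
    # The BGP tunnel addresses must sit in 169.254.0.0/16, as the post requires.
    param([string] $IP)
    $addr = $null
    if (-not [ipaddress]::TryParse($IP, [ref] $addr)) { return $false }
    $b = $addr.GetAddressBytes()
    return ($b.Length -eq 4 -and $b[0] -eq 169 -and $b[1] -eq 254)
}

function Test-VpnPlan {
    # Returns the list of problems found; an empty list means the plan can be submitted.
    param([hashtable] $P)
    $problems = @()
    foreach ($k in 'BGPLocalIP', 'BGPRemoteIP') {
        if (-not (Test-LinkLocalIP $P[$k])) { $problems += "$k '$($P[$k])' is not in 169.254.0.0/16" }
    }
    if ($P.BGPLocalIP -eq $P.BGPRemoteIP) { $problems += 'BGPLocalIP and BGPRemoteIP must differ' }
    foreach ($k in 'BGPLocalASN', 'RemoteBGPASN') {
        if ($P[$k] -lt 1 -or $P[$k] -gt 4294967294) { $problems += "$k $($P[$k]) is outside 1-4294967294" }
    }
    if ($P.BGPLocalASN -eq $P.RemoteBGPASN) { $problems += 'local and remote ASN are equal; the eBGP session to the Transit Gateway needs different ASNs' }
    foreach ($k in 'PublicIP', 'RemotePublicIP') {
        $tmp = $null
        if (-not [ipaddress]::TryParse([string] $P[$k], [ref] $tmp)) { $problems += "$k '$($P[$k])' is not an IP address" }
    }
    if ($P.IKEVersion -eq 'IKE_V1') { Write-Warning 'IKE_V1 requested; use IKE_V2 if the remote gateway supports it.' }
    return $problems
}

# Steps 1-4: modules, VMC session, NSX-T proxy.
Import-Module ./VMware.VMC.NSXT.psd1
Import-Module ./VMware.VMC.psd1
Connect-Vmc -RefreshToken $RefreshToken | Out-Null
Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName | Out-Null

# Step 5: the SDDC VPN public IP. The property name is assumed from the post's
# vpn_internet_ips; pass -PublicIP explicitly if your module version differs.
if (-not $PublicIP) {
    $PublicIP = @((Get-NSXTOverviewInfo).vpn_internet_ips)[0]
}

# Step 6: the plan as a hashtable, so it can be checked first and then splatted.
$plan = @{
    Name = $Name; PublicIP = $PublicIP; RemotePublicIP = $RemotePublicIP
    BGPLocalIP = $BGPLocalIP; BGPRemoteIP = $BGPRemoteIP
    BGPLocalASN = $BGPLocalASN; RemoteBGPASN = $RemoteBGPASN; BGPNeighborID = $BGPNeighborID
    TunnelEncryption = 'AES_256'; TunnelDigestEncryption = 'SHA2_256'
    IKEEncryption = 'AES_256'; IKEDigestEncryption = 'SHA2_256'
    DHGroup = 'GROUP14'; IKEVersion = $IKEVersion
    PresharedPassword = $PresharedKey
}
$problems = @(Test-VpnPlan $plan)
if ($problems.Count -gt 0) { throw ("Refusing to create tunnel:`n  " + ($problems -join "`n  ")) }

# Step 7: create, then confirm the object Get-NSXTRouteBasedVPN returns (Name, ID, Path, RoutingConfigPath).
New-NSXTRouteBasedVPN @plan
$vpn = Get-NSXTRouteBasedVPN -Name $Name
if (-not $vpn -or $vpn.Name -ne $Name) { throw "Tunnel '$Name' was not found after creation" }
"Created $($vpn.Name) at $($vpn.Path) (BGP neighbor: $($vpn.RoutingConfigPath))"
```

Run it as `.\Create-RouteBasedVPN.ps1 -OrgName VMC-SET-EMEA -SDDCName GC-API-SDDC -Name VPN-T1 -RemotePublicIP 18.19.x.x` after exporting the two environment variables; the validation step refuses, for example, a BGP address outside 169.254.0.0/16 or a plan whose two ASNs match, before any API call is made.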
Delete Route Based VPN
The delete function must be given a tunnel name, like:
Remove-NSXTRouteBasedVPN -Name "VPN-T1"
Successfully removed NSX-T IPSEC Tunnel: VPN-T1
Successfully removed NSX-T BGP Neighbor
Thanks.
Very Good Gilles!
- Rasik