Use PowerCLI to set your SDDC Policy Based VPN

Gilles Chekroun
Lead VMware Cloud on AWS Specialist
In the previous post, we talked about using PowerCLI to set up a route-based VPN. This post shows how to set up a policy-based VPN.
For that I will use a new AWS VPC and a Customer Gateway with a Virtual Private Gateway on the AWS side, natively.
This sets up 2 VPN tunnels with static routes, compared to the BGP-learned routes of the route-based VPN.

PowerCLI Functions

  • New-NSXTPolicyBasedVPN
  • Get-NSXTPolicyBasedVPN
  • Remove-NSXTPolicyBasedVPN

JSON and PSObjects

In this post I want to go a bit deeper on the relation between JSON and PowerShell objects. To set up the VPN tunnels we use API calls, and with them we need to pass a payload that carries our many parameters: IP addresses, passwords, IKE and tunnel encryption digests / algorithms.

JavaScript Object Notation (JSON) is mostly used with APIs, and the NSX-T Policy APIs are no exception. When we write a PowerCLI function we need to map the JSON notation to PowerShell.
For example, an object {...} in JSON is represented by a hashtable @{...} in PowerShell, the ":" becomes "=", and an array [...] is represented by @(...).
Let's take a simple example. The PowerShell hashtable below . . .
    @{
        display_name = "name";
        enabled = "true";
        local_address = "public_ip";
        remote_private_address = "";
        remote_public_address = "";
    }
. . . is converted to JSON with the "ConvertTo-Json" cmdlet and gives the output:
  {
    "display_name": "name",
    "enabled": "true",
    "local_address": "public_ip",
    "remote_private_address": "",
    "remote_public_address": ""
  }
That's a simple mapping. Let's go a bit more in depth:
    tunnel_digest_algorithms = @("SHA2_256");
    tunnel_encryption_algorithms = @("AES_256");
    ike_digest_algorithms = @("SHA2_256");
    ike_encryption_algorithms = @("AES_256");
is converted to:
  "tunnel_digest_algorithms": [
    "SHA2_256"
  ],
  "tunnel_encryption_algorithms": [
    "AES_256"
  ],
  "ike_digest_algorithms": [
    "SHA2_256"
  ],
  "ike_encryption_algorithms": [
    "AES_256"
  ]
We are getting there. Let's look at the subnets.
The following PowerShell notation, where the rules array holds one hashtable and each subnet is its own small hashtable . . .
    l3vpn_session = @{
        resource_type = "PolicyBasedL3VpnSession";
        rules = @(
            @{
                id = "policy-1";
                display_name = "policy-1";
                sequence_number = 0;
                sources = @(
                    @{ subnet = "";},
                    @{ subnet = "";}
                );
                destinations = @(
                    @{ subnet = "";},
                    @{ subnet = "";}
                )
            }
        )
    }
. . . is converted to JSON as:
  "l3vpn_session": {
    "resource_type": "PolicyBasedL3VpnSession",
    "rules": [
      {
        "id": "policy-1",
        "display_name": "policy-1",
        "sequence_number": 0,
        "sources": [
          {
            "subnet": ""
          },
          {
            "subnet": ""
          }
        ],
        "destinations": [
          {
            "subnet": ""
          },
          {
            "subnet": ""
          }
        ]
      }
    ]
  }
This now almost matches the payload of our API call.
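As an added example (not code from the original post or from the VMware.VMC.NSXT module), the script below assembles the same payload from nested hashtables, serializes it with ConvertTo-Json, and round-trips it through ConvertFrom-Json to confirm the nested rule survived. The point it adds to the mapping above is the depth caveat: ConvertTo-Json stops at its -Depth setting (default 2) and replaces anything deeper with a string, which silently empties the rules of this payload. Every address, subnet and name is a constructed placeholder; the DH group, IKE version and preshared key fields are left out because the post does not show their JSON key names.

```powershell
# Added example; the parameter names mirror the post's function but the
# helper itself is hypothetical. All values below are constructed.
function New-PolicyVpnPayload {
    param(
        [string]   $Name,
        [string]   $LocalIP,
        [string]   $RemotePublicIP,
        [string]   $RemotePrivateIP,
        [string[]] $SourceIPs,
        [string[]] $DestinationIPs
    )

    # Each subnet becomes its own hashtable so the JSON reads
    # [ {"subnet": "..."}, {"subnet": "..."} ], as in the post.
    $sources      = @($SourceIPs      | ForEach-Object { @{ subnet = $_ } })
    $destinations = @($DestinationIPs | ForEach-Object { @{ subnet = $_ } })

    return @{
        display_name                 = $Name
        enabled                      = $true          # PowerShell bool -> JSON true
        local_address                = $LocalIP
        remote_private_address       = $RemotePrivateIP
        remote_public_address        = $RemotePublicIP
        tunnel_digest_algorithms     = @("SHA2_256")
        tunnel_encryption_algorithms = @("AES_256")
        ike_digest_algorithms        = @("SHA2_256")
        ike_encryption_algorithms    = @("AES_256")
        l3vpn_session = @{
            resource_type = "PolicyBasedL3VpnSession"
            rules = @(
                @{
                    id              = "policy-1"
                    display_name    = "policy-1"
                    sequence_number = 0
                    sources         = $sources
                    destinations    = $destinations
                }
            )
        }
    }
}

# Constructed sample input (RFC 5737 documentation addresses and private subnets).
$payload = New-PolicyVpnPayload -Name "Policy1" `
    -LocalIP "203.0.113.10" -RemotePublicIP "198.51.100.5" -RemotePrivateIP "192.0.2.10" `
    -SourceIPs @("10.10.0.0/24", "10.10.1.0/24") `
    -DestinationIPs @("172.16.0.0/24", "172.16.1.0/24")

# With the default -Depth of 2, the rule hashtable sits one level too deep
# (l3vpn_session -> rules -> rule) and is emitted as a string, not an object.
$shallowRule = ($payload | ConvertTo-Json | ConvertFrom-Json).l3vpn_session.rules[0]
if ($shallowRule -is [string]) {
    Write-Warning "default -Depth truncated the VPN rule to '$shallowRule'"
}

# Give an explicit depth that covers the deepest element (the subnet hashtables).
$json = $payload | ConvertTo-Json -Depth 10

# Round-trip check before the payload is handed to the NSX-T proxy.
$rule = ($json | ConvertFrom-Json).l3vpn_session.rules[0]
if ($rule.sources.Count -ne 2 -or $rule.destinations[1].subnet -ne "172.16.1.0/24") {
    throw "payload lost nested content after serialization"
}

$json
```

Run it as-is in any PowerShell session; no connection to VMC is needed. The warning branch fires on the shallow conversion and the final check passes on the deep one, which is the behaviour to keep in mind whenever a PowerCLI function builds a payload with arrays of objects.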

Create Policy Based VPN

Step 1 - Get the NSX-T and VMC PowerShell modules. Download and import VMware.VMC.NSXT and VMware.VMC.
    Import-Module ./VMware.VMC.NSXT.psd1
    Import-Module ./VMware.VMC.psd1     
Step 2 - Get the Refresh-Token, Org name and SDDC name and assign them to variables
    $RefreshToken   = "62c26d4a-xxxx-xxxx-xxxx-913873b1dfe0"
    $OrgName        = "VMC-SET-EMEA"
    $SDDCName       = "GC-API-SDDC" 
Step 3 - Connect to your VMC environment
    Connect-Vmc -RefreshToken $RefreshToken
Step 4 - Get the NSX-T Proxy URL for all API calls
    Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName
Step 5 - Get the VPN Public IP of your SDDC
On the GUI, the VPN Public IP is displayed below:
Step 6 - Prepare and plan the tunnel IP addresses, encryption methods, DH group and password as follows:
    -PublicIP  This is the VPN Public IP retrieved above
    -RemotePublicIP  This is the remote site Public IP
    -RemotePrivateIP This is the tunnel private IP
    -TunnelEncryption  Tunnel encryption method
    -TunnelDigestEncryption  Tunnel Encryption Digest
    -IKEEncryption  Key Exchange encryption method
    -IKEDigestEncryption Key Exchange Digest
    -DHGroup  Diffie Hellman Group
    -IKEVersion  IKE Version
    -PresharedPassword  Tunnel password
Step 7 - Choose a name for the Tunnel and run the function
New-NSXTPolicyBasedVPN -Name Policy1 `
    -LocalIP 18.197.x.x `
    -RemotePublicIP 52.58.x.x `
    -RemotePrivateIP `
    -SequenceNumber 0 `
    -SourceIPs @("", "") `
    -DestinationIPs @("", "") `
    -TunnelEncryption AES_256 `
    -TunnelDigestEncryption SHA2_256 `
    -IKEEncryption AES_256 `
    -IKEDigestEncryption SHA2_256 `
    -DHGroup GROUP14 `
    -IKEVersion IKE_V1 `
    -PresharedPassword xxxx
Successfully created Policy Based VPN

Get Policy Based VPN info

The following function gets the Policy based VPNs info and displays the following:

Delete Policy Based VPN

The delete function must apply to a tunnel name like:
Remove-NSXTPolicyBasedVPN -Name "Policy1"
Successfully removed NSX-T VPN Tunnel: Policy1


