Use PowerCLI to set your SDDC Policy Based VPN

-
Gilles Chekroun
Lead VMware Cloud on AWS Specialist
---
In the previous post, we talked about using PowerCLI to setup a route-based VPN. This post will show how to setup a policy based VPN.
For that I will use a new AWS VPC and a Customer Gateway with a Virtual Gateway in AWS natively.
This sets up 2 VPN tunnels with static routes compared to the BGP routes with the route-based VPN.

PowerCLI Functions

  • New-NSXTPolicyBasedVPN
  • Get-NSXTPolicyBasedVPN
  • Remove-NSXTPolicyBasedVPN

JSON and PSObjects

In this post I want to go a bit deeper on the relation between JSON and the PowerShell Objects. To set the VPN Tunnels, we use API calls and with that we need to pass a payload that will carry our multiple parameters like IP addresses, passwords, IKE and Tunnel encryption digest / algorithms.

 The Java Script Object Notation (JSON) is mostly used with APIs and our NSX-T Policy APIs are not any exception. When we write a PowerCLI function we need to map the JSON notation to PowerShell.
For example, [...] in JSON will be represented by @{...} in PowerShell. The ":" will be "=" and an array will be represented by @(...).
Let's take a simple example. The PowerShell below . . . 
@{
    display_name = "name";
    enabled = "true";
    local_address = "public_ip";
    remote_private_address = "169.254.60.5";
    remote_public_address = "52.58.160.117";
}
. . . is converted to JSON with the "ConverTo-Json" function and gives the output:
{
  "display_name": "name",
  "enabled": "true",
  "local_address": "public_ip",
  "remote_private_address": "169.254.60.5",
  "remote_public_address": "52.58.160.117"
}
That's a simple mapping. Let's go a bit more in depth:
@{
    tunnel_digest_algorithms = @("SHA2_256");
    tunnel_encryption_algorithms =@("AES_256");
    ike_digest_algorithms =@("SHA2_256");
    ike_encryption_algorithms = @("AES_256");
}
is converted to:
{
  "tunnel_digest_algorithms": [
    "SHA2_256"
  ],
  "tunnel_encryption_algorithms": [
    "AES_256"
  ],
  "ike_digest_algorithms": [
    "SHA2_256"
  ],
  "ike_encryption_algorithms": [
    "AES_256"
  ]
}
We are getting there. Let's check about the subnets.
The following PS notation . . .
@{
    l3vpn_session = @{
        resource_type = "PolicyBasedL3VpnSession";
        rules = @(
            @{
            id = "policy-1";
            display_name = "policy-1";
            sequence_number = 0;
            sources = @(
                @{ subnet = "1.1.1.1";},
                @{ subnet = "2.2.2.2";}
            )
            destinations = @(
                @{ subnet = "8.8.8.8";},
                @{ subnet = "9.9.9.9";}
            )
            }
        ) 
    }
}
. . . is converted to JSON as:
{
  "l3vpn_session": {
    "resource_type": "PolicyBasedL3VpnSession",
    "rules": [
      {
        "id": "policy-1",
        "display_name": "policy-1",
        "sequence_number": 0,
        "sources": [
          {
            "subnet": "1.1.1.1"
          },
          {
            "subnet": "2.2.2.2"
          }
        ],
        "destinations": [
          {
            "subnet": "8.8.8.8"
          },
          {
            "subnet": "9.9.9.9"
          }
        ]
      }
    ]
  }
}
This is now almost matching the payload of our API call.

Create Policy Base VPN

Step 1 - Get the NSX-T and VMC PowerShell modules. Download and import VMware.VMC.NSXT and VMware.VMC.
    Import-Module ./VMware.VMC.NSXT.psd1
    Import-Module ./VMware.VMC.psd1     
Step 2 - Get the Refresh-Token, Org name and SDDC name and assign them to variables
    $RefreshToken   = "62c26d4a-xxxx-xxxx-xxxx-913873b1dfe0"
    $OrgName        = "VMC-SET-EMEA"
    $SDDCName       = "GC-API-SDDC" 
Step 3 - Connect to your VMC environment
    Connect-Vmc -RefreshToken $RefreshToken
Step 4 - Get the NSX-T Proxy URL for all API calls
    Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName
Step 5 - Get the VPN Public IP of your SDDC
    Get-NSXTOverviewInfo
On the GUI, the VPN Public IP is displayed below:
Step 6 - Prepare and plan the Tunnels IP addresses, encryption methods, DH Group and password as follow:
    -PublicIP  This is the VPN Public IP retrieved above
    -RemotePublicIP  This is the remote site Public IP
    -RemotePrivateIP This is the tunnel private IP
    -TunnelEncryption  Tunnel encryption method
    -TunnelDigestEncryption  Tunnel Encryption Digest
    -IKEEncryption  Key Exchange encryption method
    -IKEDigestEncryption Key Exchange Digest
    -DHGroup  Diffie Hellman Group
    -IKEVersion  IKE Version
    -PresharedPassword  Tunnel password
Step 7 - Choose a name for the Tunnel and run the function
New-NSXTPolicyBasedVPN -Name Policy1 `
    -LocalIP 18.197.x.x `
    -RemotePublicIP 52.58.x.x `
    -RemotePrivateIP 169.254.90.1 `
    -SequenceNumber 0 `
    -SourceIPs @("192.168.5.0/24", "192.168.6.0/24") `
    -DestinationIPs @("172.204.10.0/24", "172.204.20.0/24") `
    -TunnelEncryption AES_256 `
    -TunnelDigestEncryption SHA2_256 `
    -IKEEncryption AES_256 `
    -IKEDigestEncryption SHA2_256 `
    -DHGroup GROUP14 `
    -IKEVersion IKE_V1 `
    -PresharedPassword xxxx `
    -Troubleshoot
Successfully created Policy Based VPN

Get Policy Based VPN info

The following function gets the Policy based VPNs info and displays the following:
Get-NSXTPolicyBasedVPN

Delete Policy Based VPN

The delete function must apply to a tunnel name like:
Remove-NSXTPolicyBasedVPN -Name "Policy1"
Successfully removed NSX-T VPN Tunnel: Policy1
Thanks.

Comments

Post a Comment

Populars

Egress VPC and AWS Transit Gateway (Part1)

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Usually my blog posts are customer driven and recently I have been working on a design that would include an Egress VPC and AWS Transit Gateway. This customer is going to use both VMware Managed Transit Gateway and also AWS Transit Gateway. I will split this post in 3 parts: The Egress VPC - this article Adding a VMC SDDC to the Egress VPC here Adding VMware Managed Transit Gateway here Why do we need an Egress VPC? Numerous posts on AWS site  will describe how to build an Egress VPC and the subtleties of the various route tables of the TGW and the Egress VPC itself. The main goal is to have ONE Internet gateway only  that will allow workloads to go out to internet on the Egress VPC. One of the most important point is redundancy and multi-availability zones. Applications usually reside in private subnets, while NAT Gateways reside in a public subnet. NAT Gateways To focus the Internet access to a single point, we can cre
Read more

AWS Transitive routing with Transit Gateways in the same region

-
Image
Gilles Chekroun Lead VMware Cloud on AWS Specialist --- At the AWS Re:invent 2019 conference, the long waited TGW peering functionality was announced and available in a few AWS regions. This is an INTER-REGION peering only meaning that the Transit Gateways need to be in different regions. Hoping that AWS will soon release an INTRA-REGION capability I discussed with a few AWS Solutions Architects in Las Vegas, among them Tom Adamski , about using a VPC as a bridge between two TGWs in the same region. Tom assured me that it is possible opening for the first time the transitive routing capability in AWS networking. Well . . . I needed to test that and see by myself. Test bed For a simple test, I will use 2 TGWs in the same regions with 2 VPCs attached each and another VPC as "bridge" connected to both TGWs. Yes you can connect a VPC up to 5 TGWs . The whole idea is to use this "bridging VPC" and point the default route of the TGWs to it. To do that I c
Read more

Considerations on vTGW to TGW Peering Link

-
Image
   Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Recently I was talking with a Customer on designing their VMware Cloud on AWS environment and linking it to their existing AWS infrastructure. The idea was to have 2 SDDCs, Test and Prod, and link them with a VMware Managed TGW and peer it to their existing TGW. The customer requirements were: VMs in each SDDC should have internet access from the SDDC out VMs from Test should be able to talk to VMs in Prod VMs in any SDDC should be able to access their own vCenter but also the other one Some VMs any SDDC should have a Public IP and NAT rule to be accessible from outside VMware traffic should stay within VMware SDDCs Other traffic, like on-prem, should go via the Customer TGW Test Setup Step1 - Create SDDC Group Create an SDDC Group and attach the 2 SDDCs Prod and Test Make sure the proper FireWall rules are open in each SDDC Compute GW. Step 2 - Attach the Customer TGW In the SDDC Groups, under External TGW TAB, add t
Read more