Use PowerCLI to set your SDDC Policy Based VPN

Gilles Chekroun
Lead VMware Cloud on AWS Specialist
In the previous post, we talked about using PowerCLI to set up a route-based VPN. This post will show how to set up a policy-based VPN.
For that I will use a new AWS VPC and a Customer Gateway with a Virtual Gateway in AWS natively.
This sets up 2 VPN tunnels with static routes, as opposed to the BGP-learned routes of the route-based VPN.

PowerCLI Functions

  • New-NSXTPolicyBasedVPN
  • Get-NSXTPolicyBasedVPN
  • Remove-NSXTPolicyBasedVPN

JSON and PSObjects

In this post I want to go a bit deeper into the relation between JSON and PowerShell objects. To set up the VPN tunnels we use API calls, and for that we need to pass a payload that carries our parameters: IP addresses, passwords, and the IKE and tunnel encryption / digest algorithms.

JavaScript Object Notation (JSON) is the usual format for API payloads, and the NSX-T Policy APIs are no exception. When we write a PowerCLI function we need to map the JSON notation to PowerShell.
For example, an object {...} in JSON is represented by a hashtable @{...} in PowerShell, the ":" becomes "=", and a JSON array [...] is represented by @(...).
Let's take a simple example. The PowerShell below . . .
    @{
        display_name = "name";
        enabled = "true";
        local_address = "public_ip";
        remote_private_address = "";
        remote_public_address = "";
    }
. . . is converted to JSON with the ConvertTo-Json cmdlet and gives the output:
  {
    "display_name": "name",
    "enabled": "true",
    "local_address": "public_ip",
    "remote_private_address": "",
    "remote_public_address": ""
  }
That's a simple mapping. Let's go a bit more in depth:
    tunnel_digest_algorithms = @("SHA2_256");
    tunnel_encryption_algorithms = @("AES_256");
    ike_digest_algorithms = @("SHA2_256");
    ike_encryption_algorithms = @("AES_256");
is converted to:
  "tunnel_digest_algorithms": [
    "SHA2_256"
  ],
  "tunnel_encryption_algorithms": [
    "AES_256"
  ],
  "ike_digest_algorithms": [
    "SHA2_256"
  ],
  "ike_encryption_algorithms": [
    "AES_256"
  ]
We are getting there. Now let's look at the subnets.
The following PowerShell notation . . .
    l3vpn_session = @{
        resource_type = "PolicyBasedL3VpnSession";
        rules = @(
            @{
                id = "policy-1";
                display_name = "policy-1";
                sequence_number = 0;
                sources = @(
                    @{ subnet = ""; },
                    @{ subnet = ""; }
                );
                destinations = @(
                    @{ subnet = ""; },
                    @{ subnet = ""; }
                );
            }
        );
    }
. . . is converted to JSON as:
  "l3vpn_session": {
    "resource_type": "PolicyBasedL3VpnSession",
    "rules": [
      {
        "id": "policy-1",
        "display_name": "policy-1",
        "sequence_number": 0,
        "sources": [
          { "subnet": "" },
          { "subnet": "" }
        ],
        "destinations": [
          { "subnet": "" },
          { "subnet": "" }
        ]
      }
    ]
  }
Note that ConvertTo-Json only serialises two levels deep by default; for a nested structure like this one, pass a larger -Depth value or the inner objects are flattened.
This now almost matches the payload of our API call.
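As an added example (not code from the original post or from the VMware.VMC.NSXT module), the following function assembles the policy-based VPN payload from parameters using the mappings above, serialises it with ConvertTo-Json, and checks that the nested subnet objects survived serialisation. The function name, its parameters and the sample addresses are assumptions of this example; only the JSON keys shown on this page are included (the keys for IKE version, DH group and pre-shared key are not shown on the page and are therefore left out).

```powershell
function New-PolicyVpnPayload {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$LocalIP,
        [Parameter(Mandatory)][string]$RemotePublicIP,
        [Parameter(Mandatory)][string]$RemotePrivateIP,
        [Parameter(Mandatory)][string[]]$SourceIPs,
        [Parameter(Mandatory)][string[]]$DestinationIPs,
        [int]$SequenceNumber = 0,
        [string]$TunnelEncryption = "AES_256", [string]$TunnelDigest = "SHA2_256",
        [string]$IKEEncryption = "AES_256",    [string]$IKEDigest = "SHA2_256"
    )
    # Each JSON {"subnet": ...} object is a @{} hashtable; the list of them is a @() array.
    $sources      = @($SourceIPs      | ForEach-Object { @{ subnet = $_ } })
    $destinations = @($DestinationIPs | ForEach-Object { @{ subnet = $_ } })
    $payload = @{
        display_name                 = $Name
        enabled                      = "true"
        local_address                = $LocalIP
        remote_private_address       = $RemotePrivateIP
        remote_public_address        = $RemotePublicIP
        tunnel_digest_algorithms     = @($TunnelDigest)
        tunnel_encryption_algorithms = @($TunnelEncryption)
        ike_digest_algorithms        = @($IKEDigest)
        ike_encryption_algorithms    = @($IKEEncryption)
        l3vpn_session = @{
            resource_type = "PolicyBasedL3VpnSession"
            rules = @(@{
                id              = "policy-1"
                display_name    = "policy-1"
                sequence_number = $SequenceNumber
                sources         = $sources
                destinations    = $destinations
            })
        }
    }
    # ConvertTo-Json defaults to -Depth 2; the rule and subnet objects sit deeper and would
    # be flattened to the string "System.Collections.Hashtable". -Depth 10 keeps them intact.
    $json = $payload | ConvertTo-Json -Depth 10
    # Sanity check before calling the API: every subnet must survive serialisation.
    foreach ($cidr in @($SourceIPs) + @($DestinationIPs)) {
        if ($json -notmatch ('"subnet":\s*"' + [regex]::Escape($cidr) + '"')) {
            throw "Payload lost subnet $cidr - check the ConvertTo-Json -Depth value"
        }
    }
    return $json
}
# Constructed sample values (RFC 5737 / link-local addresses), not from the original post
New-PolicyVpnPayload -Name "Policy1" -LocalIP "203.0.113.10" -RemotePublicIP "198.51.100.20" `
    -RemotePrivateIP "169.254.10.2" -SourceIPs @("10.1.0.0/16") -DestinationIPs @("172.16.0.0/24")
```

The returned string is what goes into the body of the API call; the subnet check throws before anything is sent if the depth was too small.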

Create Policy Based VPN

Step 1 - Get the NSX-T and VMC PowerShell modules. Download and import VMware.VMC.NSXT and VMware.VMC.
    Import-Module ./VMware.VMC.NSXT.psd1
    Import-Module ./VMware.VMC.psd1     
Step 2 - Get the Refresh-Token, Org name and SDDC name and assign them to variables
    $RefreshToken   = "62c26d4a-xxxx-xxxx-xxxx-913873b1dfe0"
    $OrgName        = "VMC-SET-EMEA"
    $SDDCName       = "GC-API-SDDC" 
Step 3 - Connect to your VMC environment
    Connect-Vmc -RefreshToken $RefreshToken
Step 4 - Get the NSX-T Proxy URL for all API calls
    Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName
Step 5 - Get the VPN Public IP of your SDDC
On the GUI, the VPN Public IP is displayed below:
Step 6 - Prepare and plan the tunnel IP addresses, encryption methods, DH group and password as follows:
    -PublicIP  This is the VPN Public IP retrieved above
    -RemotePublicIP  This is the remote site Public IP
    -RemotePrivateIP This is the tunnel private IP
    -TunnelEncryption  Tunnel encryption method
    -TunnelDigestEncryption  Tunnel Encryption Digest
    -IKEEncryption  Key Exchange encryption method
    -IKEDigestEncryption Key Exchange Digest
    -DHGroup  Diffie Hellman Group
    -IKEVersion  IKE Version
    -PresharedPassword  Tunnel password
Step 7 - Choose a name for the Tunnel and run the function
New-NSXTPolicyBasedVPN -Name Policy1 `
    -LocalIP 18.197.x.x `
    -RemotePublicIP 52.58.x.x `
    -RemotePrivateIP `
    -SequenceNumber 0 `
    -SourceIPs @("", "") `
    -DestinationIPs @("", "") `
    -TunnelEncryption AES_256 `
    -TunnelDigestEncryption SHA2_256 `
    -IKEEncryption AES_256 `
    -IKEDigestEncryption SHA2_256 `
    -DHGroup GROUP14 `
    -IKEVersion IKE_V1 `
    -PresharedPassword xxxx
Successfully created Policy Based VPN

Get Policy Based VPN info

The Get-NSXTPolicyBasedVPN function retrieves the policy-based VPN info and displays the following:

Delete Policy Based VPN

The delete function takes the name of the tunnel to remove, for example:
Remove-NSXTPolicyBasedVPN -Name "Policy1"
Successfully removed NSX-T VPN Tunnel: Policy1
