During migrations from on-premises to the cloud, stretching the on-premises networks across the cloud site allows network connectivity between already migrated and not yet migrated virtual machines as if they were in the same network segment. Layer 2 VPN (L2 VPN) stretches the L2 networks across the sites.

VMware Cloud Director Availability L2 Stretch

By using NSX and its L2 VPN service technology, VMware Cloud Director Availability stretches on-premises L2 networks across the cloud site.

  • In the cloud, to establish the server L2 VPN session, VMware Cloud Director Availability uses VMware NSX-T™ Data Center.
  • On-premises, to establish the client L2 VPN session in a site not managed by NSX-T Data Center, download and deploy a standalone VMware® NSX Edge™ appliance, called NSX Autonomous Edge.

To provide self-service for the tenants, VMware Cloud Director Availability manages the entire L2 VPN configuration of the necessary NSX network infrastructure, both in the cloud site and in the on-premises sites. As an alternative to using VMware Cloud Director Availability for the L2 stretch, the service provider can perform the entire L2 VPN configuration and management solely in NSX, at the cost of added complexity.

L2 Stretch Use Case

While migrating workloads consisting of several virtual machines, some of the virtual machines can get migrated to the cloud site while the remaining virtual machines of the workload are still running on-premises. By stretching the network across the two data centers, the communication between the migrated and the remaining virtual machines continues as if they operate on the same network segment. The virtual machines remain on the same subnet during the migration between the sites, as the stretched network represents a single subnet with a single broadcast domain. When using NSX Autonomous Edge for the L2 stretch, the on-premises virtual machines can only run on VLAN-based networks of distributed switches, that is, distributed port groups.

For the cloud providers, the L2 VPN allows on-boarding tenants without modifying the existing IP addresses used by their workloads and applications. Since the IP addresses of the virtual machines do not change upon migration, migrations of the tenants' workloads between different network sites are seamless.

In addition to supporting data center migration, on-premises networks stretched with an L2 VPN are useful for disaster recovery plans and for dynamically engaging off-premises compute resources to meet increased demand.

Internet Protocol Security (IPSec) Tunnel

In an L2 stretch, a route-based IPSec tunnel between the server L2 VPN and the client L2 VPN secures the network traffic flowing between the two networks connected over a public network through IPSec gateways called endpoints. For more information, see Understanding IPSec VPN in the VMware NSX-T Data Center documentation.

L2 VPN Tunnel

The L2 VPN tunnel carries only workload traffic and supports network address translation (NAT) through IPSec L2 VPN. For more information, see Understanding Layer 2 VPN in the VMware NSX-T Data Center documentation.

Multiple client L2 VPN sessions cannot pair to a single server L2 VPN session. An NSX Autonomous Edge can stretch networks from a single vSphere Distributed Switch (VDS), that is, the VDS of the trunk network. To stretch networks from more than one VDS, deploy multiple NSX Autonomous Edge instances.

A single NSX Autonomous Edge instance can support a single client L2 VPN session, which can stretch multiple networks. For more information, see NSX-T Data Center Configuration Limits. To stretch additional client L2 VPN sessions, deploy additional NSX Autonomous Edge instances.

Note: The L2 VPN tunnel cannot be established until both the server L2 VPN and the client L2 VPN are configured and a stretched network is created by selecting a client network for each server network. For the order of the procedure steps, see Stretching Layer 2 Networks On-Premises.
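The sizing and pairing rules above (one VDS per NSX Autonomous Edge, one client L2 VPN session per Edge, one server session per client session, one client network per server network, VLAN-based port groups only) are easy to get wrong when planning a stretch. The following planner is an added example, not part of the VMware documentation or product; the port group, VDS and session names are constructed and hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class OnPremNetwork:
    name: str            # distributed port group name (constructed, hypothetical)
    vds: str             # vSphere Distributed Switch that owns the port group
    vlan_based: bool     # True only for a VLAN-based distributed port group
    server_network: str  # cloud-side (server) network this port group stretches to

@dataclass
class EdgePlan:
    vds: str              # the single VDS this Autonomous Edge trunks
    client_session: str   # the one client L2 VPN session this Edge supports
    server_session: str   # the dedicated server session it pairs with in the cloud
    pairs: list = field(default_factory=list)  # (client network, server network)

def plan_l2_stretch(networks):
    """Group port groups per VDS and return one EdgePlan per VDS; raise on a violation."""
    by_vds = defaultdict(list)
    seen_server = {}
    for net in networks:
        if not net.vlan_based:
            raise ValueError(f"{net.name}: only VLAN-based distributed port groups can be stretched")
        if net.server_network in seen_server:
            # A stretched network selects exactly one client network per server network.
            raise ValueError(f"{net.server_network}: already paired with {seen_server[net.server_network]}")
        seen_server[net.server_network] = net.name
        by_vds[net.vds].append(net)
    plans = []
    for idx, vds in enumerate(sorted(by_vds), start=1):
        # One Autonomous Edge per VDS, one client session per Edge, and a server
        # session that no other client session shares; the session carries all
        # networks of that VDS.
        plan = EdgePlan(vds, f"client-l2vpn-{idx}", f"server-l2vpn-{idx}")
        plan.pairs = [(n.name, n.server_network) for n in by_vds[vds]]
        plans.append(plan)
    return plans

def stretch_error(networks):
    """Return the constraint violation message, or None when the inventory is valid."""
    try:
        plan_l2_stretch(networks)
    except ValueError as exc:
        return str(exc)
    return None

# Constructed sample inventory: two VDSes, so two Autonomous Edge instances are needed.
SAMPLE = [
    OnPremNetwork("Web-VLAN10", "VDS-Prod", True, "cloud-web"),
    OnPremNetwork("App-VLAN20", "VDS-Prod", True, "cloud-app"),
    OnPremNetwork("Mgmt-VLAN30", "VDS-Mgmt", True, "cloud-mgmt"),
]
```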