By using the management interface of VMware Cloud Director Availability in the cloud site backed by NSX, organization administrators create the server side of the L2 VPN session, enabling the L2 stretch of one or more networks across the on-premises site.

First prepare VMware Cloud Director with an external network and an edge gateway, as described in the two steps in the prerequisites, and prepare the on-premises site as described in On-premises stretching layer 2 networks to the Cloud Director site. Then follow the procedure below to create the server L2 VPN session.

Prerequisites

  • Verify that in both the cloud site and in the on-premises site VMware Cloud Director Availability 4.2 or later is successfully deployed.
  • Verify that the on-premises site is prepared for an L2 VPN session with NSX Autonomous Edge. For information about the order of the steps of the procedure, see On-premises stretching layer 2 networks to the Cloud Director site.
  • Verify that NSX 3.1 or later is deployed in the cloud site to allow stretching of routed and isolated networks.
    Note:
  • Verify that VMware Cloud Director 10.1.0 or 10.2.1 is deployed to allow a single network stretch, or that VMware Cloud Director 10.2.2 or later is deployed to allow multiple network stretches. The L2 stretch by using NSX does not support VMware Cloud Director versions earlier than 10.2.
    Note: VMware Cloud Director 10.3.1 and later do not support isolated networks. To stretch isolated networks use VMware Cloud Director 10.3.0 or earlier.
  • Verify that the Organization Administrator user has rights to View L2 VPN and Configure L2 VPN. For information about the rights, see Users and sessions in the Security Guide.
  • Verify that VMware Cloud Director is prepared to use NSX network resources, after adding an external network backed by a tier-0 gateway, then adding an NSX edge gateway that allows establishing the server L2 VPN session while providing the organization VDC networks with connectivity to external networks:
    1. Verify that in VMware Cloud Director the NSX backed external network is added. For more information, see Add a Provider Gateway in Your VMware Cloud Director in the VMware Cloud Director documentation.
      Note: The VPN service is not supported in an active-active HA (high availability) mode of the tier-0 gateway. For more information, see Add a Tier-0 Gateway in the NSX documentation.
    2. Verify that in VMware Cloud Director the NSX edge gateway is added. For more information, see Add an Edge Gateway Backed by an NSX Provider Gateway in VMware Cloud Director in the VMware Cloud Director documentation.

Procedure

  1. Log in to the management interface of the Cloud Director Replication Management Appliance.
    1. In a Web browser, go to https://Appliance-IP-Address/ui/admin.
    2. Select Appliance login or SSO login and enter the root or the single sign-on user credentials.
    3. Click Login.
  2. In the left pane, under the Configuration section click L2 Stretch.
  3. Click L2 VPN Sessions.
  4. From the Gateway menu, select the edge gateway and click New.
    The NSX Gateway menu lists both NSX and NSX-V edge gateways that are registered and added in VMware Cloud Director. For information about using NSX-V for server L2 sessions, see Create a server L2 VPN session with NSX Data Center for vSphere in the Cloud Director site.
  5. In the New L2 VPN server session window, configure the server L2 VPN session and click Create.
    1. In the Name text box, enter a name for this server L2 VPN session.
    2. In the Local Address text box, enter an IP address residing in the IP pool of the edge gateway at the server side of the L2 VPN session.
      The local IP address is a static IP address within the allocated IP range of the NSX edge gateway hosting the server L2 VPN session.
    3. In the Remote Address text box, enter the on-premises IP address at the client side of the L2 VPN session.
      Usually the remote IP address is the static endpoint IP address of the NSX Autonomous Edge on-premises. For more information, see Configure the networks of the NSX Autonomous Edge on-premises.
      Note: Ensure that network communication between the local IP address in the cloud and the remote IP address on-premises is unobstructed.
    4. In the Pre-shared Key text box, enter the pre-shared key as provided by your network administrator.

      Enter only visible ASCII characters and spaces. Non-printable characters such as Null and BEL are not accepted. The pre-shared key must meet the following complexity requirements:

      • At least 8 characters
      • At least one uppercase letter
      • At least one lowercase letter
      • At least one digit
      • At least one special character
    5. In the Tunnel Interface text box, enter a private, non-routable subnet address in a CIDR notation.
    6. Under Server Network(s), to establish an L2 stretch, select the server-side networks to stretch.
      The number of server networks available for selection depends on the version of VMware Cloud Director. For information about the VMware Cloud Director versions, see the prerequisites above.
    Note: Deleting the server L2 VPN session takes several minutes. Do not attempt to recreate the server L2 VPN session immediately after deletion, because the attempt fails while the deletion is still in progress in the background.
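
The value checks from step 5 can be run as a pre-flight script before the form is submitted. The following is an added example, not VMware code: the function names, the sample addresses (documentation ranges), the sample key, and the reading of "special character" as ASCII punctuation are assumptions.

```python
import ipaddress
import string

def psk_problems(psk):
    """Return the pre-shared key rules from step 5.4 that `psk` breaks."""
    problems = []
    # Visible ASCII plus space is 0x20..0x7E; Null, BEL and the like fall outside.
    if any(not 0x20 <= ord(c) <= 0x7E for c in psk):
        problems.append("contains characters outside visible ASCII and space")
    if len(psk) < 8:
        problems.append("shorter than 8 characters")
    checks = [
        ("uppercase letter", string.ascii_uppercase),
        ("lowercase letter", string.ascii_lowercase),
        ("digit", string.digits),
        # Assumption: "special character" means ASCII punctuation.
        ("special character", string.punctuation),
    ]
    for label, alphabet in checks:
        if not any(c in alphabet for c in psk):
            problems.append("no " + label)
    return problems

def session_problems(local, remote, tunnel, psk, gateway_ranges):
    """Check one set of form values; gateway_ranges is [(first, last), ...]."""
    problems = psk_problems(psk)
    try:
        local_ip = ipaddress.ip_address(local)
        ipaddress.ip_address(remote)  # only checked for being a valid address
        in_range = any(
            ipaddress.ip_address(first) <= local_ip <= ipaddress.ip_address(last)
            for first, last in gateway_ranges
        )
    except (ValueError, TypeError) as exc:
        return problems + [f"bad endpoint address: {exc}"]
    if not in_range:
        problems.append("local address is outside the edge gateway allocation")
    try:
        if "/" not in tunnel:
            raise ValueError("missing /prefix")
        if not ipaddress.ip_interface(tunnel).network.is_private:
            problems.append("tunnel interface subnet is not private")
    except ValueError as exc:
        problems.append(f"tunnel interface is not valid CIDR: {exc}")
    return problems

# Constructed sample values; an empty list means every check passed.
SAMPLE = session_problems("203.0.113.10", "198.51.100.7", "192.168.200.1/30",
                          "Str3tch-L2 key", [("203.0.113.8", "203.0.113.15")])
```

The script validates the values only. It does not confirm that the cloud and on-premises endpoints can reach each other.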

Results

You created the server L2 VPN session in the cloud site.

What to do next

You can now create the client L2 VPN session that completes the L2 stretch. For more information, see On-premises stretching layer 2 networks to the Cloud Director site.