During migrations from on-premises to the cloud, to keep network connectivity between already migrated and not yet migrated virtual machines as if they were in the same network segment, stretch the on-premises networks to the cloud site. A Layer 2 VPN (L2 VPN) stretches the L2 networks across the sites.

VMware Cloud Director Availability L2 Stretch

By using NSX and its L2 VPN service technology, VMware Cloud Director Availability stretches on-premises L2 networks across the cloud site.

Cloud Site
To establish the server L2 VPN session, VMware Cloud Director Availability 4.2 uses VMware NSX. In addition to NSX, VMware Cloud Director Availability 4.2.1 and later also support VMware NSX® Data Center for vSphere® for stretching the L2 network.
On-Premises Site
To establish the client L2 VPN session, in a site that is not managed by NSX, download and deploy a standalone VMware® NSX Edge™ appliance, called NSX Autonomous Edge.

To provide self-service for the tenants, VMware Cloud Director Availability manages the entire L2 VPN configuration of the necessary NSX network infrastructure, both in the cloud site and in the on-premises sites. As an alternative to using VMware Cloud Director Availability for the L2 stretch, the service provider can perform the entire L2 VPN configuration and management solely in NSX, at the cost of added complexity.

L2 Stretch Use Case

While migrating workloads consisting of several virtual machines, some of the virtual machines can get migrated to the cloud site while the remaining virtual machines of the workload still run on-premises. By stretching the network across the two data centers, the communication between the migrated and the remaining virtual machines continues as if they operate in the same network segment. The virtual machines remain on the same subnet during the migration between the sites, because the stretched network represents a single subnet with a single broadcast domain. When using NSX Autonomous Edge for the L2 stretch, the on-premises virtual machines can only run on VLAN-based networks of distributed switches, that is, on distributed port groups.

For the cloud providers, the L2 VPN allows on-boarding tenants without modifying the existing IP addresses used by their workloads and applications. Since the IP addresses of the virtual machines do not change upon migration, migrations of the tenants' workloads between different network sites are seamless.

In addition to supporting data center migration, on-premises networks stretched with an L2 VPN are useful for disaster recovery plans and for dynamically engaging off-premises compute resources to meet increased demand.

Internet Protocol Security (IPSec) Tunnel

When using NSX for an L2 stretch, a route-based IPSec tunnel between the server L2 VPN and the client L2 VPN secures the network traffic that flows between the two networks over a public network, through IPSec gateways called endpoints.
  • For information about IPSec VPN when using NSX, see Understanding IPSec VPN in the VMware NSX documentation.
  • For information about IPSec VPN when using NSX Data Center for vSphere, see IPSec VPN Overview in the VMware NSX Data Center for vSphere documentation.

L2 VPN Tunnel

The L2 VPN tunnel carries only workload traffic and supports network address translation (NAT) through IPSec L2 VPN.

  • For information about L2 VPN when using NSX, see Understanding Layer 2 VPN in the VMware NSX documentation.
  • For information about L2 VPN when using NSX Data Center for vSphere, see L2 VPN Overview in the VMware NSX Data Center for vSphere documentation.

Multiple client L2 VPN sessions cannot pair to a single server L2 VPN session. An NSX Autonomous Edge can stretch networks from a single vSphere Distributed Switch (VDS) only, that is, the VDS of the trunk network. To stretch networks from more than one VDS, deploy multiple NSX Autonomous Edge instances.

On-premises, a single NSX Autonomous Edge instance supports a single client L2 VPN session, which can stretch multiple virtual machine networks. To establish additional client L2 VPN sessions, deploy additional NSX Autonomous Edge instances.

For the maximum number of L2 stretched networks per cloud site, see VMware Cloud Director Availability Configuration Limits.

Note: The L2 VPN tunnel cannot be established until both the server L2 VPN and the client L2 VPN are configured and a stretched network is created by selecting a client network for each server network. For the order of the procedure steps, see On-premises stretching layer 2 networks to the Cloud Director site.
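As an added example, not code from VMware Cloud Director Availability or NSX, the following Python pre-flight check encodes the pairing rules stated above and in the note: one client L2 VPN session per server session, one client session and one VDS per NSX Autonomous Edge, distributed port groups only on-premises, and a client network selected for every server network. All Edge, VDS, session and port group names are constructed, and the data model is hypothetical.

```python
from collections import namedtuple
from dataclasses import dataclass

@dataclass
class AutonomousEdge:
    """One on-premises NSX Autonomous Edge (model constructed for this example)."""
    name: str
    trunk_vds: str   # the single VDS (that of the trunk network) whose port groups this Edge can stretch
    networks: dict   # client network name -> VDS it lives on, or None if not a distributed port group

# One stretched network: a server (cloud) network paired with an on-premises client network
Pairing = namedtuple("Pairing", "server_session server_network edge client_network")

def validate_plan(server_sessions, edges, pairings):
    """Return rule violations for a planned L2 stretch; an empty list means the tunnel can come up.
    server_sessions maps a server L2 VPN session name to the list of its server networks."""
    errors, by_name = [], {e.name: e for e in edges}
    session_edges, edge_sessions = {}, {}
    for p in pairings:
        session_edges.setdefault(p.server_session, set()).add(p.edge)
        edge_sessions.setdefault(p.edge, set()).add(p.server_session)
        edge = by_name[p.edge]
        vds = edge.networks.get(p.client_network)
        if vds is None:   # an Autonomous Edge stretches only VLAN-based distributed port groups
            errors.append(f"{p.client_network}: not a distributed port group")
        elif vds != edge.trunk_vds:   # one Edge serves a single VDS, the one of its trunk network
            errors.append(f"{p.client_network}: on {vds}, not on trunk VDS {edge.trunk_vds} of {edge.name}")
    for session, used in session_edges.items():   # one client session per server session
        if len(used) > 1:
            errors.append(f"{session}: paired to several client sessions {sorted(used)}")
    for edge, used in edge_sessions.items():   # one client session per Autonomous Edge instance
        if len(used) > 1:
            errors.append(f"{edge}: a single Edge supports one client session, got {sorted(used)}")
    paired = {(p.server_session, p.server_network) for p in pairings}
    for session, nets in server_sessions.items():   # every server network needs a client network
        errors += [f"{session}/{n}: no client network selected" for n in nets if (session, n) not in paired]
    return errors

# Constructed sample: two Edges on-premises, two server L2 VPN sessions in the cloud site
EDGES = [AutonomousEdge("edge-a", "vds-prod", {"pg-web-vlan10": "vds-prod", "pg-db-vlan20": "vds-prod"}),
         AutonomousEdge("edge-b", "vds-dmz", {"pg-lb-vlan30": "vds-dmz", "pg-mgmt-vlan5": "vds-mgmt",
                                              "pg-legacy": None})]
SERVER_SESSIONS = {"cloud-session-1": ["web-net", "db-net"], "cloud-session-2": ["lb-net"]}
GOOD_PLAN = [Pairing("cloud-session-1", "web-net", "edge-a", "pg-web-vlan10"),
             Pairing("cloud-session-1", "db-net", "edge-a", "pg-db-vlan20"),
             Pairing("cloud-session-2", "lb-net", "edge-b", "pg-lb-vlan30")]
BAD_PLAN = [Pairing("cloud-session-1", "web-net", "edge-a", "pg-web-vlan10"),
            Pairing("cloud-session-1", "db-net", "edge-b", "pg-legacy")]  # second Edge, no DVPG, lb-net unpaired
```

Running `validate_plan(SERVER_SESSIONS, EDGES, GOOD_PLAN)` returns no violations, while `BAD_PLAN` reports the non-distributed port group, the second client session on one server session, and the server network that still has no client network.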