A policy-based VPN creates an IPsec tunnel and a policy that specifies how traffic uses it. When you use a policy-based VPN, you must update the routing tables on both ends of the network when new routes are added.
This topic explains how to create a policy-based VPN that connects to the SDDC's default public or private IP. If your SDDC has additional Tier-1 gateways (see Add a Custom Tier-1 Gateway to a VMware Cloud on AWS SDDC), you can click OPEN NSX MANAGER and add VPN services that terminate on those gateways. See Adding VPN Services in the NSX Data Center Administration Guide.
In VMware Cloud on AWS, VPN services to a Tier-1 gateway do not support BGP.
Policy-based VPNs in your VMware Cloud on AWS SDDC use an IPsec protocol to secure traffic. To create a policy-based VPN, you configure the local (SDDC) endpoint, then configure a matching remote (on-premises) endpoint. Because each policy-based VPN must create a new IPsec security association for each network, an administrator must update routing information on premises and in the SDDC whenever a new policy-based VPN is created. A policy-based VPN can be an appropriate choice when you have only a few networks on either end of the VPN, or if your on-premises network hardware does not support BGP (which is required for route-based VPNs).
If your SDDC includes both a policy-based VPN and another connection such as a route-based VPN, DX, or VTGW, connectivity over the policy-based VPN will fail if any of those other connections advertises the default route (0.0.0.0/0) to the SDDC. If none of those other connections advertises the default route, all traffic matching the VPN's policy flows over the policy-based VPN even when the other connections provide a more specific route. In case of overlap, a route-based VPN route is preferred over a policy-based VPN policy match. Networks configured on a policy-based VPN cannot be used over any other connection. Traffic matching the VPN policy is always sent to the VPN while the VPN is enabled, regardless of the state of the IPsec tunnel itself: if the tunnel is down but the VPN admin state is enabled, that traffic is dropped rather than rerouted.
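The precedence rules above are easy to get wrong when planning a mixed DX/VTGW, route-based and policy-based setup. The following added example (not VMware's code; a constructed model with sample prefixes) encodes those rules as a pre-flight check and a forwarding-decision function so an administrator can test a planned configuration before creating the VPN:

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

# Hypothetical helper modelling the documented precedence rules; all prefixes
# used with it are constructed sample values, not real SDDC configuration.

@dataclass
class PolicyVpn:
    networks: list              # remote networks covered by the VPN policy
    admin_enabled: bool = True  # VPN admin state in the SDDC
    tunnel_up: bool = True      # actual IPsec tunnel state

@dataclass
class OtherConnections:
    route_based_vpn: list = field(default_factory=list)  # BGP-learned routes
    dx_or_vtgw: list = field(default_factory=list)       # DX / VTGW routes

def _advertises_default(routes):
    return any(ip_network(r).prefixlen == 0 for r in routes)

def preflight(vpn, other):
    """Return warnings for a planned policy-based VPN (empty list = clean)."""
    warnings = []
    if _advertises_default(other.route_based_vpn + other.dx_or_vtgw):
        warnings.append("another connection advertises 0.0.0.0/0: policy VPN will fail")
    for n in vpn.networks:
        for r in other.route_based_vpn:
            if ip_network(n).overlaps(ip_network(r)):
                warnings.append(f"{n} overlaps route-based VPN route {r}: route-based VPN wins")
    if vpn.admin_enabled and not vpn.tunnel_up:
        warnings.append("VPN enabled but tunnel down: matching traffic is dropped")
    return warnings

def forward(dst, vpn, other):
    """Decide how the SDDC forwards traffic to dst under the documented rules."""
    dst = ip_network(dst)
    if _advertises_default(other.route_based_vpn + other.dx_or_vtgw):
        return "fail"  # a default route elsewhere breaks the policy-based VPN
    matched = vpn.admin_enabled and any(dst.subnet_of(ip_network(n)) for n in vpn.networks)
    if not matched:
        return "other"  # no policy match: ordinary routing over other connections
    if any(dst.subnet_of(ip_network(r)) for r in other.route_based_vpn):
        return "route-based-vpn"  # overlap: route-based VPN route is preferred
    # DX/VTGW may hold a more specific route, but the policy match still wins
    return "policy-vpn" if vpn.tunnel_up else "dropped"
```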
Procedure
Results
- Click DOWNLOAD CONFIG to download a file that contains VPN configuration details. You can use these details to configure the on-premises end of this VPN.
- Click VIEW STATISTICS to view packet traffic statistics for this VPN. See View VPN Tunnel Status and Statistics.
What to do next
Create or update firewall rules as needed. To allow traffic through the policy-based VPN, specify Internet Interface in the Applied to field.