Workload VMs in an SDDC that uses a policy-based VPN for its on-premises connection are unable to reach an on-premises DNS server.

Problem

You connect your VMware Cloud on AWS SDDC to your on-premises SDDC over a policy-based VPN. You can ping IP addresses in the on-premises network from VMs in the SDDC network, but workload VMs cannot reach your on-premises DNS servers.

Cause

The problem occurs if the policy-based VPN connection to your on-premises SDDC has not been configured to allow DNS requests.

Solution

  1. If you can configure your on-premises connection over a route-based VPN or Direct Connect, you can skip the rest of these steps.
    If you must use a policy-based VPN as your on-premises connection, configure the SDDC side of the VPN tunnel to allow DNS requests over the VPN.
  2. Log in to the VMware Cloud Console at https://vmc.vmware.com.
  3. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  4. Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page.
    You can also use the VMware Cloud Console Networking & Security tab for this workflow. See SDDC Network Administration with NSX Manager.
    1. Select Networking > VPN > Policy Based.
    2. Click the vertical ellipsis icon for the VPN and select Edit VPN.
    3. Under the Local Networks drop-down, select cgw-dns-network.
    4. Click SAVE.
  5. Configure the on-premises side of the tunnel to connect to local_gateway_ip/32 in addition to the Local Gateway IP address. This allows DNS requests to be routed over the VPN.
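The following is an added example and not part of the VMware documentation: a small Python check that models the two policy-based VPN traffic selector lists (the SDDC's Local Networks and the on-premises peer's remote selectors) and reports which required prefixes, such as the DNS forwarder /32, neither side covers. All subnet values are constructed placeholders; the function and variable names are the example's own.

```python
import ipaddress

# Constructed placeholders (not values from the page): substitute your SDDC's
# workload segment and the local_gateway_ip/32 the on-premises side must reach.
SDDC_WORKLOAD_NET = "192.168.10.0/24"
SDDC_DNS_FORWARDER = "10.0.0.1/32"   # stands in for local_gateway_ip/32


def uncovered_prefixes(required, selectors):
    """Return the required prefixes that no traffic selector fully contains.

    A policy-based VPN only encrypts traffic matching its selectors, so a
    prefix missing from a selector list is silently dropped, not routed.
    """
    sels = [ipaddress.ip_network(s, strict=False) for s in selectors]
    missing = []
    for r in required:
        net = ipaddress.ip_network(r, strict=False)
        covered = any(s.version == net.version and net.subnet_of(s) for s in sels)
        if not covered:
            missing.append(str(net))
    return missing


def check_policy_vpn(sddc_local_networks, onprem_remote_selectors,
                     workload_net=SDDC_WORKLOAD_NET,
                     dns_forwarder=SDDC_DNS_FORWARDER):
    """Check both ends of the tunnel for the DNS gap described above.

    The SDDC side must list the DNS forwarder network (cgw-dns-network in
    NSX Manager) next to the workload segment, and the on-premises side must
    carry the matching /32 next to the workload subnet. Returns a list of
    human-readable findings; an empty list means both ends agree.
    """
    required = [workload_net, dns_forwarder]
    findings = []
    missing = uncovered_prefixes(required, sddc_local_networks)
    if missing:
        findings.append("SDDC Local Networks do not cover: " + ", ".join(missing))
    missing = uncovered_prefixes(required, onprem_remote_selectors)
    if missing:
        findings.append("On-premises remote selectors do not cover: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    # Typical symptom: ping works (workload subnet is selected) but DNS fails
    # because the forwarder /32 was never added on either end.
    for line in check_policy_vpn(["192.168.10.0/24"], ["192.168.10.0/24"]):
        print(line)
```

Run the check whenever the on-premises VPN device configuration is changed; a non-empty result reproduces the "ping works, DNS fails" symptom before any workload VM notices it.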