To begin using VMware Cloud on Public Cloud to run workloads in your SDDC, you'll need to set up a network connecting your on-premises data center to the SDDC.

To set up a route-based VPN connecting your on-premises data center to your SDDC over the Internet, follow these steps.
Note:

If you use the native VPN services of the hyperscale cloud provider, see the hyperscale cloud provider documentation for more information on creating VPNs and configuring a VPN connection between your SDDC and on-premises data center.

Prerequisites

Procedure

  1. Create a route-based VPN in the SDDC.
    A route-based VPN creates an IPsec tunnel interface and routes traffic through it as dictated by the SDDC routing table. A route-based VPN provides resilient, secure access to multiple subnets. When you use a route-based VPN, new routes are added automatically when new networks are created. See Create a Route-Based VPN in the VMware Cloud on Public Cloud Networking and Security guide.
  2. Configure an on-premises IPsec VPN.
    You can use NSX or any other device that can terminate an IPsec VPN.
    Important:

    The SDDC end of an IPsec VPN supports only time-based rekeying. Disable lifebytes (data-volume based) rekeying on your on-premises device so that it rekeys on a time schedule only.

    Do not configure the on-premises side of the VPN to have an idle timeout (for example, the NSX Session idle timeout setting). On-premises idle timeouts can cause the VPN to become periodically disconnected.

    1. If your on-premises VPN gateway is behind a firewall, you must configure that firewall to forward IPsec traffic to the gateway:
      • Allow UDP port 500 so that Internet Security Association and Key Management Protocol (ISAKMP, the IKE control channel) traffic is forwarded through the firewall.
      • Allow IP protocol 50 so that IPsec Encapsulating Security Payload (ESP) traffic is forwarded through the firewall.
      • Allow IP protocol 51 so that Authentication Header (AH) traffic is forwarded through the firewall.
    2. Download the SDDC IPsec VPN configuration file.
      See IPsec VPN Settings Reference in the VMware Cloud on Public Cloud Networking and Security guide for more about what's in this file and how to use it to help you configure your on-premises VPN endpoint.
  3. (Optional) Create a network segment.
    A Single Host Starter SDDC is created with a single routed network segment named sddc-cgw-network-1. Multi-host SDDCs are created without a default network segment, so you must create at least one for your workload VMs. See Create a Network Segment in the VMware Cloud on Public Cloud Networking and Security guide.
  4. Create some basic firewall rules on the management gateway.
    By default, the management gateway blocks traffic to all destinations from all sources. Add Management Gateway firewall rules to allow traffic as needed. See Add or Modify Management Gateway Firewall Rules in the VMware Cloud on Public Cloud Networking and Security guide.
  5. Configure management network private DNS.
    Specify the addresses of your private DNS servers so that the management gateway, ESXi hosts, and management VMs resolve fully-qualified domain names (FQDNs) to IP addresses on the management network. To use features such as migration with vMotion or cold migration, switch vCenter Server FQDN resolution to its private IP address, which is reachable from your on-premises network over the VPN.
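The two constraints in the Important note of step 2 (time-based rekeying only, no idle timeout on the on-premises side) are easy to get wrong on the on-premises device, so the following added example lints an on-premises strongSwan ipsec.conf before it is deployed. This is illustration code added here, not part of the VMware documentation and not VMware or strongSwan code. It assumes the on-premises endpoint is strongSwan using the classic ipsec.conf syntax; the setting names it checks (lifebytes, lifepackets, inactivity, ikelifetime, lifetime) are strongSwan's, and the two sample configurations, including their 203.0.113.x and 198.51.100.x addresses, are constructed for the example.

```python
"""Lint an on-premises strongSwan ipsec.conf against the SDDC IPsec VPN constraints:
time-based rekeying only (no byte/packet-based rekeying) and no idle timeout.

Added example; assumes strongSwan's classic ipsec.conf syntax. The sample
configurations below are constructed for illustration.
"""
import re

# strongSwan settings that rekey by traffic volume instead of time.
VOLUME_REKEY_KEYS = ("lifebytes", "lifepackets")
# strongSwan's per-CHILD_SA idle timeout: closes the SA after no traffic for N seconds.
IDLE_TIMEOUT_KEY = "inactivity"
# Time-based IKE and CHILD_SA lifetimes that should be set explicitly.
TIME_REKEY_KEYS = ("ikelifetime", "lifetime")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section (including %default)."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if line.startswith("config ") or line.startswith("ca "):
            current = None  # not a conn section; ignore its settings
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip().lower()] = value.strip()
    return conns


def is_zero_size(value):
    """True if a size value such as '0' or '0MB' disables volume-based rekeying."""
    return re.fullmatch(r"0+\s*[kmg]?b?", value.strip().lower()) is not None


def lint_conn(name, settings):
    """Return findings for one connection; an empty list means it conforms."""
    findings = []
    for key in VOLUME_REKEY_KEYS:
        if key in settings and not is_zero_size(settings[key]):
            findings.append(
                f"{name}: {key}={settings[key]} enables volume-based rekeying; "
                "the SDDC end supports only time-based rekeying")
    if IDLE_TIMEOUT_KEY in settings:
        findings.append(
            f"{name}: {IDLE_TIMEOUT_KEY}={settings[IDLE_TIMEOUT_KEY]} sets an idle "
            "timeout; the tunnel will be torn down periodically when idle")
    for key in TIME_REKEY_KEYS:
        if key not in settings:
            findings.append(f"{name}: {key} is not set; set an explicit time-based lifetime")
    return findings


def lint_ipsec_conf(text):
    """Lint every non-default conn, applying settings inherited from 'conn %default'."""
    conns = parse_ipsec_conf(text)
    defaults = conns.pop("%default", {})
    findings = []
    for name, settings in conns.items():
        findings.extend(lint_conn(name, {**defaults, **settings}))
    return findings


# Constructed sample: violates both constraints from the Important note.
SAMPLE_BEFORE = """\
config setup

conn %default
    keyexchange=ikev2
    type=tunnel

conn sddc-vpn
    left=203.0.113.10
    right=198.51.100.20
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    ikelifetime=8h
    lifetime=1h
    lifebytes=1000000000   # volume-based rekeying: unsupported by the SDDC end
    inactivity=300         # idle timeout: drops the tunnel when traffic pauses
    auto=start
"""

# Constructed sample: the corrected stanza (time-based lifetimes only, no idle timeout).
SAMPLE_AFTER = """\
conn %default
    keyexchange=ikev2
    type=tunnel

conn sddc-vpn
    left=203.0.113.10
    right=198.51.100.20
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    ikelifetime=8h
    lifetime=1h
    lifebytes=0            # explicitly disabled
    auto=start
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"== {label} ==")
        for finding in lint_ipsec_conf(sample) or ["OK: conforms to the SDDC constraints"]:
            print(" ", finding)
```

Run the script against your own ipsec.conf by passing its text to lint_ipsec_conf; a clean run prints OK for each connection. The linter only inspects the VPN stanza, not the firewall in front of the gateway; if that gateway also sits behind NAT, IKE and ESP are carried in UDP port 4500 (NAT traversal), which is not in the firewall list in step 2, so check your device's NAT traversal settings separately.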