Site-to-site IPsec VPNs connect separate networks to each other through the public Internet. For example, a branch office network can connect by site-to-site VPN to a headquarters network. Each site on the network is equipped with a VPN gateway, such as a router, firewall, VPN concentrator, or security appliance.
Setting up an IPsec VPN connection from a remote network to Horizon Cloud Service is the most common scenario, because of the relative simplicity and short amount of time necessary to establish the IPsec VPN tunnel. When using IPsec VPN, maximum bandwidth is approximately 1 Gbps because of the limitation of the Edge Gateway.
The site-to-site IPsec VPN tunnel includes logical and encrypted point-to-point connections between Horizon Cloud Service instances and your organization’s site. These connections provide secure access to your organization’s data center services, such as business applications, Active Directory, DNS, and DHCP servers. They also provide secure access for protocol traffic originating from your organization’s networks.
When setting up an IPsec VPN connection from a remote network to Horizon Cloud Service, keep the following in mind:
|Latency spikes||The IPsec VPN tunnel is built through the public Internet and is subject to congestion or other network-related problems common on public Internet connections that can increase latency. Latency spikes caused by the public Internet are beyond the control of both your enterprise and VMware.|
|Setup||When setting up IPsec VPNs, it is recommended that the VPNs be managed using router hardware for performance reasons. Setting up VPNs using a Windows server is not recommended. Multiple VPN connections are supported, although they must not have the same source and destination lists because the Edge Gateway cannot determine which IPsec tunnel to route traffic to.|
|Redundancy||Incorporating two IPsec VPNs for redundancy is an option, but bonding the VPNs is not supported. The first VPN is set as active, and the secondary VPN is deactivated. Horizon Cloud Service does not provide automated failover for VPNs. If a failure occurs, the VPN must be manually failed over.|
|Horizon Cloud setup web form||During the VPN setup, you provide information in the Horizon Cloud setup web form, including your router vendor, router model, and endpoint IP address. VMware provides the endpoint IP address of your Horizon Cloud Service tenant, which is used in establishing the IPsec VPN tunnel. This IP address is provided during the deployment of the Horizon Cloud Service.|
|Subnets||You must provide which subnets are allowed across the VPN connection, commonly referred to as the Protected Networks list or source and destination lists. The list defines the internal networks that can traverse the VPN to access your virtual desktops and RDSH-hosted applications from within your network, along with what the virtual desktops and RDSH-hosted applications are able to access across the VPN for different services within your network.|
|Network routing||For VPN-based connections to Horizon Cloud Service, static routing is configured during the VPN peering process. If other networking routing requirements arise, open a VMware support ticket to have the networks added.|