VMware Live Cyber Recovery supports three types of VPN on VMware Cloud on AWS, which you can configure on the SDDC using the VMware Cloud console.
- Route-based
- Policy-based
- Layer 2 VPN
Route-based VPN
A route-based VPN creates an IPsec tunnel interface and routes traffic through it as dictated by the SDDC routing table. VMware Cloud on AWS uses the same public IP for all VPN connections. You can create only one VPN connection (Route-based, Policy-based, or L2VPN) to a given remote public IP address.
Route-based VPNs in your SDDC use IPsec to secure traffic, and use the Border Gateway Protocol (BGP) to discover and propagate routes as you create new networks.
For more information, see Create a Route-Based VPN.
Policy-based VPN
A policy-based VPN creates an IPsec tunnel and a policy that specifies how traffic uses it. When you use a policy-based VPN, you must update the routing tables on both ends of the network when new routes are added. In the following graphic, number 1 shows the VTI interfaces used with route-based VPN, which enable the VPN tunnels to be treated as if they were routed interfaces.
For more information, see Create a Policy-Based VPN.
Layer 2 VPN
A Layer 2 Virtual Private Network (L2VPN) extends an on-premises network to multiple VLAN-based networks, which can be extended with different tunnel IDs on the same L2VPN tunnel. This extended network is a single subnet with a single broadcast domain, so you can migrate VMs to and from your Recovery SDDC without having to change their IP addresses.
The Layer 2 network is ideal in a real DR event, but can make recovery plan testing more complicated, due to IP address and NetBIOS name conflicts with the original VM still running on the same network segment.
In the image below, number 1 shows the IPsec VPN policy applied to the edge internet uplink. Number 2 shows networks from either the VPC cross link or Direct Connect that neither pass through the internet uplink nor affect the policy.
For more information, see Configure a Layer 2 VPN and Extended Network Segment.