You can create an L2VPN service and session using only the API.

Note: L2VPN is not supported in the NSX-T Data Center limited export release.


  • Familiarize yourself with L2VPN. See L2VPN.
  • Verify that a tier-0 logical router is configured with uplink profiles. See the NSX-T Data Center Installation Guide.
  • Verify that a logical switch is configured. See Create a Logical Switch.
  • Verify that an unmanaged NSX Edge is available in NSX Data Center for vSphere.
  • Verify that IPSec VPN is configured. See Configuring IPSec VPN.


  1. Configure an L2VPN service.
    Use the POST /api/v1/vpn/l2vpn/services call.
    POST /api/v1/vpn/l2vpn/services
    {
     "logical_router_id": "b6fe5455-619b-4030-b5f8-8575749f4404",
     "logical_tap_ip_pool" : [ "" ],
     "enable_full_mesh" : true
    }
  2. Configure an L2VPN session.
    Use the POST /api/v1/vpn/l2vpn/sessions call.
    POST /api/v1/vpn/l2vpn/sessions
    {
     "l2vpn_service_id" : "421de3a2-c6ec-4c42-a891-5bde3b5feb68",
     "transport_tunnels" : [
         {
          "target_id" : "801e5140-6da8-4e78-ab44-f966de75f311"
         }
     ]
    }
  3. Configure a logical port with attachment.
    Use the POST /api/v1/logical-ports call.
    POST /api/v1/logical-ports/
    {
     "resource_type": "LogicalPort",
     "display_name": "Extend logicalSwitch, port for service",
     "logical_switch_id": "f52abcee-27a7-426c-a128-037db2283582",
     "admin_state" : "UP",
     "attachment": {
        "context" : {
           "resource_type" : "L2VpnAttachmentContext",
           "tunnel_id" : 10
        }
     }
    }
  4. Download the L2VPN peer code configuration.
    GET /api/v1/vpn/l2vpn/sessions/<L2VPN-session-ID>/peer-codes
  5. Log in to the CLI of the on-premises NSX Data Center for vSphere unmanaged NSX Edge.
  6. Paste the L2VPN peer code configuration.
  7. (Optional) Monitor the L2VPN session.
    • L2VPN session summary: GET /api/v1/vpn/l2vpn/sessions/summary
    • L2VPN session statistics: GET /api/v1/vpn/l2vpn/sessions/<L2VPN-session-ID>/statistics
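
Steps 1 through 4 chained in a script, as an added example that is not part of the original documentation: each ID is validated as a UUID before it is placed in a request body or URL path, so a malformed value never reaches NSX Manager. The `send` transport, the `fake_send` stand-in and the assumption that each create call returns the new object's `"id"` are hypothetical; `tap_ip_pool` is passed through unchanged because the page leaves its value blank.

```python
import uuid

def _uuid(value, field):
    """Return value as a canonical UUID string, or raise before it reaches a URL or body."""
    try:
        return str(uuid.UUID(str(value)))
    except ValueError:
        raise ValueError(f"{field} is not a UUID: {value!r}") from None

def create_l2vpn(send, router_id, tunnel_target_id, switch_id, tunnel_id, tap_ip_pool):
    """Run steps 1-4. send(method, path, body) -> dict is a caller-supplied transport."""
    if isinstance(tunnel_id, bool) or not isinstance(tunnel_id, int) or tunnel_id < 1:
        raise ValueError(f"tunnel_id must be a positive integer: {tunnel_id!r}")
    # Step 1: L2VPN service on the tier-0 logical router.
    service = send("POST", "/api/v1/vpn/l2vpn/services", {
        "logical_router_id": _uuid(router_id, "logical_router_id"),
        "logical_tap_ip_pool": list(tap_ip_pool),
        "enable_full_mesh": True,
    })
    # Step 2: session bound to the service just created (assumes the response has "id").
    session = send("POST", "/api/v1/vpn/l2vpn/sessions", {
        "l2vpn_service_id": _uuid(service["id"], "service id"),
        "transport_tunnels": [{"target_id": _uuid(tunnel_target_id, "target_id")}],
    })
    session_id = _uuid(session["id"], "session id")
    # Step 3: logical port with the L2VPN attachment context (fields as shown on the page).
    send("POST", "/api/v1/logical-ports", {
        "resource_type": "LogicalPort",
        "logical_switch_id": _uuid(switch_id, "logical_switch_id"),
        "admin_state": "UP",
        "attachment": {"context": {"resource_type": "L2VpnAttachmentContext",
                                   "tunnel_id": tunnel_id}},
    })
    # Step 4: peer code for the unmanaged edge; the validated ID is the only path variable.
    return send("GET", f"/api/v1/vpn/l2vpn/sessions/{session_id}/peer-codes", None)

def fake_send(log):
    """Constructed stand-in for NSX Manager: records calls, returns made-up IDs."""
    ids = {"/api/v1/vpn/l2vpn/services": "11111111-1111-4111-8111-111111111111",
           "/api/v1/vpn/l2vpn/sessions": "22222222-2222-4222-8222-222222222222"}
    def send(method, path, body):
        log.append((method, path, body))
        return {"id": ids.get(path, "33333333-3333-4333-8333-333333333333")}
    return send
```

In real use, `send` would wrap an authenticated HTTPS client for NSX Manager with certificate verification left enabled.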