You can set up a VPN using PCGs, which appear as auto-created tier-0 gateways in the on-prem NSX-T Data Center deployment. These instructions are specific to workload VMs managed in the NSX Enforced Mode.
Prerequisites
- Verify that you have one or an HA pair of PCGs deployed in a VPC/VNet.
- Verify that the remote peer supports route-based VPN and BGP.
Procedure
1. In your public cloud, find the NSX-assigned local endpoint for the PCG and assign a public IP address to it if necessary:
   a. Go to your PCG instance in the public cloud and navigate to Tags.
   b. Note the IP address in the value field of the tag nsx.local_endpoint_ip.
   c. (Optional) If your VPN tunnel requires a public IP, for example, if you want to set up a VPN to another public cloud or to the on-prem NSX-T Data Center deployment:
      - Navigate to the uplink interface of the PCG instance.
      - Attach a public IP address to the nsx.local_endpoint_ip IP address that you noted in step b.
   d. (Optional) If you have an HA pair of PCG instances, repeat steps a and b for the second instance and attach a public IP address if necessary, as described in step c.
2. In NSX Manager, enable IPSec VPN for the PCG that appears as a tier-0 gateway named like cloud-t0-vpc/vnet-<vpc/vnet-id> and create route-based IPSec sessions between this tier-0 gateway's endpoint and the remote IP address of the desired VPN peer. See Add an IPSec VPN Service for other details.
   a. Go to Networking > VPN > VPN Services > Add Service > IPSec. Provide the following details:
      Name: Enter a descriptive name for the VPN service, for example <VPC-ID>-AWS_VPN or <VNet-ID>-AZURE_VPN.
      Tier0/Tier1 Gateway: Select the tier-0 gateway for the PCG in your public cloud.
   b. Go to Networking > VPN > Local Endpoints > Add Local Endpoint. Provide the following information and see Add Local Endpoints for other details:
      Note: If you have an HA pair of PCG instances, create a local endpoint for each instance using the corresponding local endpoint IP address attached to it in the public cloud.
      Name: Enter a descriptive name for the local endpoint, for example <VPC-ID>-PCG-preferred-LE or <VNET-ID>-PCG-preferred-LE.
      VPN Service: Select the VPN service for the PCG's tier-0 gateway that you created in step 2a.
      IP Address: Enter the value of the PCG's local endpoint IP address that you noted in step 1b.
   c. Go to Networking > VPN > IPSec Sessions > Add IPSec Session > Route Based. Provide the following information and see Add a Route-Based IPSec Session for other details:
      Note: If you are creating a VPN tunnel between PCGs deployed in a VPC and PCGs deployed in a VNet, you must create a tunnel from each PCG's local endpoint in the VPC to the remote IP address of each PCG in the VNet, and conversely from each PCG in the VNet to the remote IP address of each PCG in the VPC. You must create a separate tunnel for the active and standby PCGs. This results in a full mesh of IPSec sessions between the two public clouds.
      Name: Enter a descriptive name for the IPSec session, for example <VPC-ID>-PCG1-to-remote_edge.
      VPN Service: Select the VPN service you created in step 2a.
      Local Endpoint: Select the local endpoint you created in step 2b.
      Remote IP: Enter the public IP address of the remote peer with which you are creating the VPN tunnel. Note: The remote IP can be a private IP address if you can reach it, for example, using DirectConnect or ExpressRoute.
      Tunnel Interface: Enter the tunnel interface address in CIDR format. The remote peer must use the same subnet for its tunnel interface to establish the IPSec session.
3. Set up BGP neighbors on the IPSec VPN tunnel interface that you established in step 2. See Configure BGP for more details.
   a. Navigate to Networking > Tier-0 Gateways.
   b. Select the auto-created tier-0 gateway for which you created the IPSec session and click Edit.
   c. Click the number or icon next to BGP Neighbors under the BGP section and provide the following details:
      IP Address: Use the IP address of the remote VTI configured on the tunnel interface in the IPSec session for the VPN peer.
      Remote AS Number: This number must match the AS number of the remote peer.
4. Advertise the prefixes you want to use for the VPN using the Redistribution Profile. In NSX Enforced Mode, connect tier-1 enabled routes in the redistribution profile.
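The full mesh of route-based sessions described in step 2c, with the matching tunnel-interface subnets and the BGP neighbours of step 3c, laid out as an added Python example; it is not part of this documentation or of NSX-T itself. The JSON field names are assumptions modelled on the NSX-T Policy API, and the endpoint addresses, AS numbers and VTI pool are constructed sample values.

```python
import ipaddress
from itertools import product

# Constructed sample data: each PCG's nsx.local_endpoint_ip (step 1b), fronted by
# the public IP attached in step 1c, since these tunnels cross between clouds.
VPC_PCGS = {"vpc-1234-PCG1": "203.0.113.10", "vpc-1234-PCG2": "203.0.113.11"}
VNET_PCGS = {"vnet-abcd-PCG1": "198.51.100.20", "vnet-abcd-PCG2": "198.51.100.21"}
VPC_AS, VNET_AS = 65001, 65002                       # constructed AS numbers
VTI_POOL = ipaddress.ip_network("169.254.100.0/24")  # carved into /30 tunnel links

def pcg_side(local, local_ip, peer, peer_ip, local_vti, peer_vti, peer_as):
    """One PCG's view of a tunnel: the route-based session (step 2c) and the BGP
    neighbour aimed at the remote VTI (step 3c). Field names are assumptions."""
    return {
        "session": {
            "resource_type": "RouteBasedIPSecVpnSession",
            "display_name": f"{local}-to-{peer}",
            "local_endpoint": local,  # the real Policy API takes a path here
            "peer_address": peer_ip, "peer_id": peer_ip,
            "tunnel_interfaces": [{"ip_subnets": [
                {"ip_addresses": [str(local_vti)], "prefix_length": 30}]}],
        },
        "bgp_neighbor": {"neighbor_address": str(peer_vti), "remote_as_num": str(peer_as)},
    }

def build_mesh(vpc=VPC_PCGS, vnet=VNET_PCGS, pool=VTI_POOL):
    """Full mesh from the note in step 2c: every VPC PCG to every VNet PCG, plus the
    mirror image; each pair gets its own /30 so both tunnel ends share one subnet."""
    links = pool.subnets(new_prefix=30)
    mesh = {"vpc": [], "vnet": []}
    for (vname, vip), (nname, nip) in product(vpc.items(), vnet.items()):
        a, b = list(next(links).hosts())  # a /30 has exactly two usable hosts
        mesh["vpc"].append(pcg_side(vname, vip, nname, nip, a, b, VNET_AS))
        mesh["vnet"].append(pcg_side(nname, nip, vname, vip, b, a, VPC_AS))
    return mesh

def vti_of(side):
    return side["session"]["tunnel_interfaces"][0]["ip_subnets"][0]["ip_addresses"][0]

def tunnel_pairs_consistent(mesh):
    """True when each end's BGP neighbour is exactly the other end's VTI and both
    VTIs share one /30; otherwise BGP cannot peer even if IPSec comes up."""
    for mine, theirs in zip(mesh["vpc"], mesh["vnet"]):
        a, b = vti_of(mine), vti_of(theirs)
        if (mine["bgp_neighbor"]["neighbor_address"] != b
                or theirs["bgp_neighbor"]["neighbor_address"] != a):
            return False
        if ipaddress.ip_interface(a + "/30").network != ipaddress.ip_interface(b + "/30").network:
            return False
    return True
```

Two HA pairs yield four sessions per side, one per active/standby combination; run tunnel_pairs_consistent on the generated mesh before pushing anything to NSX Manager.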