You can use CSM APIs to automate VPN setup between VPCs or VNets.

You cannot use CSM APIs to set up VPN using on-prem endpoints.

Prerequisites:
  • Both endpoints for the VPN tunnel must be in the public cloud with PCGs deployed in them and in a running or up state.

The CSM APIs configure the entities listed below. Deleting the session through the same APIs unconfigures the VPN setup again.

For NSX-T Data Center entities that support tags, the API does not create a duplicate when a matching entity already exists: it reuses the existing entity and adds a tag carrying the new VPN session ID, for example CsmVpnSessionId:<csm-vpn-session-id-new>.

  • For each source and destination endpoint:

    • IPSec VPN service is configured, named cloud-vpn-service-<vpc/vnet-id>.

    • BGP routing is configured, named cloud-routing-config-<vpc/vnet-id>. If BGP was not already enabled, the API enables it and assigns a 4-byte AS number in asdot notation, in the format 55555.<1-64999>.

  • For each PCG in source and destination endpoints:

    • BGP route re-distribution is enabled for tier-0 static routes and tier-1 connected segments.

    • A public IP is assigned to the PCG's uplink interface and associated with the VPN secondary private IP on that uplink interface.

    • IPSec VPN local endpoint is created, named cloud-vpn-local-endpoint-<gateway-id>-<preferred/non-preferred>.

  • For each PCG combination between source and destination endpoints:

    • A route-based IPSec VPN session is created, named <csm-vpn-session-id>-<Preferred/non-preferred>To<Preferred/non-preferred>-<hash-from-source-and-destination-PCG-ids>.

    • A BGP neighbor is added on the tier-0 gateway for each IPSec VPN session that is configured.

Configuring/Updating VPN Sessions

  1. To configure a new VPN session, do the following:
    1. GET /api/v1/csm/vpn/endpoints to list the endpoints available for a VPN session, and take the source and destination endpoint IDs from the response.
    2. POST /api/v1/csm/vpn/sessions with the source and destination endpoints in the request body.
      
      Example Request:
      POST https://<nsx-csm>/api/v1/csm/vpn/sessions
      {
        "display_name": "aws azure session 01",
        "source_endpoint": {
          "id": "vpc-12345678",
          "display_name": "vpc test",
          "endpoint_type": "AWS"
        },
        "destination_endpoint": {
          "id": "d02af61a-e212-486e-b6c8-10462ccfbad6",
          "display_name": "vnet-01",
          "endpoint_type": "AZURE"
        }
      }
  2. To update the display name of an existing VPN session, send the session object with the new display_name (the example below repeats the source and destination endpoints unchanged):
    PUT /api/v1/csm/vpn/sessions/<session-id>
    
    Example Request:
    PUT https://<nsx-csm>/api/v1/csm/vpn/sessions/9174ffd1-41b1-42d6-a28d-05c61a0698e2
    {
      "display_name": "New VPN session",
      "source_endpoint": {
        "id": "vpc-12345678",
        "display_name": "vpc test",
        "endpoint_type": "AWS"
      },
      "destination_endpoint": {
        "id": "d02af61a-e212-486e-b6c8-10462ccfbad6",
        "display_name": "vnet-01",
        "endpoint_type": "AZURE"
      }
    }

Getting the status of existing VPN sessions

  • To get status of all sessions:
    GET /api/v1/csm/vpn/sessions/status
  • To get the status of a specific session by providing the session-id:
    GET /api/v1/csm/vpn/sessions/<session-id>/status

Deleting Sessions

Delete sessions by providing session-id:
DELETE /api/v1/csm/vpn/sessions/<session-id>

Troubleshooting

If the creation of entities fails:
  • Get the status for the specific session-id:
    GET /api/v1/csm/vpn/sessions/<session-id>/status
  • The response shows which entity failed to be created. Fix the underlying cause of that failure first.
  • Recreate the remaining entities for the same session id using the API call:
    POST /api/v1/csm/vpn/sessions/<session-id>?action=recreate

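The whole workflow described above (list endpoints, create a session, poll its status, recreate the remaining entities after a failure, delete the session), as an added Python example. This is not code from this page or from VMware's CSM; it assumes HTTP basic authentication against the CSM appliance, a "results" list in the GET /endpoints response carrying the same id/display_name/endpoint_type fields the POST body uses, and a "status" field of SUCCESS or FAILED in the status response. None of those field names are confirmed by the page. The in-memory FakeCsm is constructed for the offline demo and reuses the endpoint and session IDs from the examples above; asdot_to_asplain converts the AS number format the API assigns into the 32-bit form most cloud BGP consoles display.

```python
"""CSM VPN session workflow: endpoints -> session -> status -> recreate -> delete.
Added example, not VMware code. Field names "results", "status", "id" and
basic-auth are assumptions not confirmed by the documentation page."""
import base64
import json
import ssl
import urllib.request

SESSION_ID = "9174ffd1-41b1-42d6-a28d-05c61a0698e2"  # session id from the page example


class CsmVpnClient:
    def __init__(self, host, user, password, transport=None, cafile=None):
        self.base = f"https://{host}/api/v1/csm/vpn"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
        # Verify the appliance certificate (pin its issuing CA via cafile) rather
        # than disabling verification to cope with a self-signed CSM cert.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.transport = transport or self._http  # injectable so tests run offline

    def _http(self, method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as r:
            raw = r.read()
            return r.status, (json.loads(raw) if raw else {})

    def _call(self, method, path, body=None):
        status, payload = self.transport(method, self.base + path, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {payload}")
        return payload

    def endpoints(self):                       # GET  /api/v1/csm/vpn/endpoints
        return self._call("GET", "/endpoints").get("results", [])

    def create_session(self, name, src, dst):  # POST /api/v1/csm/vpn/sessions
        return self._call("POST", "/sessions", {"display_name": name,
                          "source_endpoint": src, "destination_endpoint": dst})

    def session_status(self, sid):             # GET  /api/v1/csm/vpn/sessions/<id>/status
        return self._call("GET", f"/sessions/{sid}/status")

    def recreate(self, sid):                   # POST /api/v1/csm/vpn/sessions/<id>?action=recreate
        return self._call("POST", f"/sessions/{sid}?action=recreate")

    def delete_session(self, sid):             # DELETE /api/v1/csm/vpn/sessions/<id>
        return self._call("DELETE", f"/sessions/{sid}")


def provision(client, name, src_type, dst_type, max_recreates=1):
    """Create a session between the first endpoint of each cloud type and drive it
    to SUCCESS, re-running entity creation with ?action=recreate on failure."""
    by_type = {}
    for ep in client.endpoints():
        by_type.setdefault(ep["endpoint_type"], ep)
    if src_type not in by_type or dst_type not in by_type:
        raise LookupError("endpoint not listed: both VPC/VNet need a running PCG")
    sid = client.create_session(name, by_type[src_type], by_type[dst_type])["id"]
    for attempt in range(max_recreates + 1):
        st = client.session_status(sid)
        if st.get("status") == "SUCCESS":
            return sid, st
        if attempt < max_recreates:  # operator fixes the cause, then recreate the rest
            client.recreate(sid)
    raise RuntimeError(f"session {sid} still failing: {st}")


def asdot_to_asplain(asn):
    """'55555.7' (asdot, the form CSM assigns) -> 32-bit asplain value (RFC 5396)."""
    high, low = (int(p) for p in asn.split("."))
    return high * 65536 + low


class FakeCsm:
    """Constructed stand-in for the appliance, not real CSM behaviour: the first
    status poll reports a failed entity, the poll after recreate reports success."""
    def __init__(self):
        self.calls, self.polls = [], 0

    def __call__(self, method, url, body):
        path = url.split("/api/v1/csm/vpn", 1)[1]
        self.calls.append((method, path))
        if (method, path) == ("GET", "/endpoints"):
            return 200, {"results": [
                {"id": "vpc-12345678", "display_name": "vpc test", "endpoint_type": "AWS"},
                {"id": "d02af61a-e212-486e-b6c8-10462ccfbad6", "display_name": "vnet-01",
                 "endpoint_type": "AZURE"}]}
        if (method, path) == ("POST", "/sessions"):
            return 201, dict(body, id=SESSION_ID)
        if path == f"/sessions/{SESSION_ID}/status":
            self.polls += 1
            return 200, ({"status": "FAILED", "failed_entity": "bgp-neighbor"}
                         if self.polls == 1 else {"status": "SUCCESS"})
        if path in (f"/sessions/{SESSION_ID}?action=recreate", f"/sessions/{SESSION_ID}"):
            return 200, {}
        return 404, {"error": f"no route for {method} {path}"}


if __name__ == "__main__":
    fake = FakeCsm()
    client = CsmVpnClient("nsx-csm.example", "admin", "secret", transport=fake)
    sid, st = provision(client, "aws azure session 01", "AWS", "AZURE")
    client.delete_session(sid)
    print(sid, st, [f"{m} {p}" for m, p in fake.calls])
```

Against a real appliance, drop transport= and pass cafile= with the CA that issued the CSM certificate. The session is deleted only on the success path so that a session that keeps failing stays available for inspection with GET /api/v1/csm/vpn/sessions/<session-id>/status.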
See the latest version of the NSX-T Data Center REST API Guide at https://code.vmware.com/ for API details.