You can create a VPN tunnel between the PCG and a remote endpoint by following this workflow. These instructions are specific to workload VMs managed in the Native Cloud Enforced Mode.
You can use CSM APIs to configure VPN in NSX if both the endpoints are in the public cloud and managed by PCGs. See Automate VPN for Public Cloud Endpoints using APIs.
Prerequisites
- In AWS: Verify that you have deployed a VPC in the Native Cloud Enforced Mode. This must be a Transit or Self-managed VPC. VPN is not supported for Compute VPCs in AWS.
- In Microsoft Azure: Verify that you have deployed a VNet in the Native Cloud Enforced Mode. You can use both Transit and Compute VNets.
- Verify that the remote endpoint is peered with the PCG and has route-based IPSec VPN and BGP capabilities.
Procedure
Results
Verify that routes are created in the managed routing table for all IP prefixes advertised by the remote endpoint with next hop set to the PCG's uplink IP address.
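The route check described in Results, as an added example that is not part of the NSX documentation: it compares the prefixes the remote endpoint advertised over BGP against a managed route table and reports prefixes with no route or with a next hop other than the PCG uplink. The route entries, the advertised prefixes and the uplink IP are constructed samples; the flattened `addressPrefix` / `nextHopType` / `nextHopIpAddress` field names and the `VirtualAppliance` next-hop type are assumed to follow the Azure route-table shape (for AWS, the target is the PCG's network interface rather than an IP, so the comparison would have to be adapted).

```python
"""Verify that every prefix advertised by the remote VPN endpoint has a route
in the managed route table whose next hop is the PCG uplink IP address."""
import ipaddress

# Constructed sample: prefixes learned from the remote endpoint over BGP.
ADVERTISED_PREFIXES = ["192.168.10.0/24", "192.168.20.0/24", "172.16.0.0/12"]

# Constructed sample of managed route-table entries (assumed Azure-style shape).
# The second entry deliberately points at the Internet instead of the PCG,
# and the 172.16.0.0/12 prefix has no entry at all.
ROUTE_TABLE = [
    {"addressPrefix": "192.168.10.0/24", "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": "10.1.0.4"},
    {"addressPrefix": "192.168.20.0/24", "nextHopType": "Internet",
     "nextHopIpAddress": None},
    {"addressPrefix": "10.1.0.0/16", "nextHopType": "VnetLocal",
     "nextHopIpAddress": None},
]

PCG_UPLINK_IP = "10.1.0.4"  # constructed; read the real value from the PCG


def check_vpn_routes(advertised, routes, pcg_uplink_ip,
                     appliance_type="VirtualAppliance"):
    """Return (missing, wrong_next_hop).

    missing        - advertised prefixes with no route at all
    wrong_next_hop - (prefix, nextHopType, nextHopIpAddress) for advertised
                     prefixes whose route does not go via the PCG uplink
    Prefixes are normalised with ipaddress so '10.0.0.1/16' and
    '10.0.0.0/16' compare equal.
    """
    uplink = ipaddress.ip_address(pcg_uplink_ip)
    by_prefix = {ipaddress.ip_network(r["addressPrefix"], strict=False): r
                 for r in routes}
    missing, wrong = [], []
    for prefix in advertised:
        net = ipaddress.ip_network(prefix, strict=False)
        route = by_prefix.get(net)
        if route is None:
            missing.append(str(net))
            continue
        hop_ip = route.get("nextHopIpAddress")
        via_pcg = (route.get("nextHopType") == appliance_type
                   and hop_ip is not None
                   and ipaddress.ip_address(hop_ip) == uplink)
        if not via_pcg:
            wrong.append((str(net), route.get("nextHopType"), hop_ip))
    return missing, wrong


if __name__ == "__main__":
    missing, wrong = check_vpn_routes(ADVERTISED_PREFIXES, ROUTE_TABLE, PCG_UPLINK_IP)
    print("missing routes:", missing)          # ['172.16.0.0/12']
    print("routes not via PCG uplink:", wrong)  # [('192.168.20.0/24', 'Internet', None)]
```

An empty result for both lists means every advertised prefix is routed through the PCG uplink; anything else indicates the BGP session or the managed route table needs attention.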