You can use CSM APIs to automate VPN setup between VPCs or VNets.

You cannot use CSM APIs to set up VPN using on-prem endpoints.

Prerequisites:
  • Both endpoints for the VPN tunnel must be in the public cloud with PCGs deployed in them and in a running or up state.

The following entities are configured using CSM APIs. You can also use these APIs to unconfigure the VPN setup.

For NSX entities that support tags, the API reuses previously created entities by applying a tag to them with the new VPN session ID, for example, CsmVpnSessionId:<csm-vpn-session-id-new>.

  • For each source and destination endpoint:

    • IPSec VPN service is configured, named cloud-vpn-service-<vpc/vnet-id>.

    • BGP routing is configured, named cloud-routing-config-<vpc/vnet-id>. If BGP was not already enabled, the API enables it and assigns an AS number in the format: 55555.<1-64999>.

  • For each PCG in source and destination endpoints:

    • BGP route re-distribution is enabled for tier-0 static routes and tier-1 connected segments.

    • Public IP is assigned to PCG's uplink interface and associated to VPN-secondary private IP on PCG's uplink interface.

    • IPSec VPN local endpoint is created, named cloud-vpn-local-endpoint-<gateway-id>-<preferred/non-preferred>.

  • For each PCG combination between source and destination endpoints:

    • Route based IPSec VPN session is created, named <csm-vpn-session-id>-<Preferred/non-preferred>To<Preferred/non-preferred>-<hash-from-source-and-destination-PCG-ids>

    • BGP neighbor is added on tier-0 gateway for each IPSec VPN session configured.

Configuring/Updating VPN Sessions

  1. To configure a new VPN session, do the following: 
    1. GET /api/v1/csm/vpn/endpoints
    2. POST /api/v1/csm/vpn/session

Example Request:
POST https://<nsx-csm>/api/v1/csm/vpn/sessions
{
  "display_name": "aws azure session 01",
  "source_endpoint": {
    "id": "vpc-12345678",
    "display_name": "vpc test",
    "endpoint_type": "AWS"
  },
  "destination_endpoint": {
    "id": "d02af61a-e212-486e-b6c8-10462ccfbad6",
    "display_name": "vnet-01",
    "endpoint_type": "AZURE"
  }
}
  2. To update the display name of an existing VPN session: 
    PUT /api/v1/csm/vpn/sessions/<session-id>

Example Request:
PUT https://<nsx-csm>/api/v1/csm/vpn/sessions/9174ffd1-41b1-42d6-a28d-05c61a0698e2
{
  "display_name": "New VPN session",
  "source_endpoint": {
    "id": "vpc-12345678",
    "display_name": "vpc test",
    "endpoint_type": "AWS"
  },
  "destination_endpoint": {
    "id": "d02af61a-e212-486e-b6c8-10462ccfbad6",
    "display_name": "vnet-01",
    "endpoint_type": "AZURE"
  }
}

Getting the status of existing VPN sessions

  • To get status of all sessions: 
    GET /api/v1/csm/vpn/sessions/status
  • To get the status of a specific session by providing the session-id: 
    GET /api/v1/csm/vpn/sessions/<session-id>/status

Deleting Sessions

Delete sessions by providing session-id: 
DELETE /api/v1/csm/vpn/sessions/<session-id>

Troubleshooting

If the creation of entities fails:
  • Get the status for the specific session-id: 
    GET /api/v1/csm/vpn/sessions/<session-id>/status
  • You can see the point of failure in the response. Make the necessary changes to resolve the failure.
  • Recreate the remaining entities for the same session id using the API call: 
    POST /api/v1/csm/vpn/sessions/<session-id>?action=recreate

See the latest version of the NSX REST API Guide at https://code.vmware.com/ for API details.