Set up an IPSec VPN session between the PCG and your service appliance.

Prerequisites

  • One or an HA pair of PCGs must be deployed in a Transit VPC/VNet.
  • The service appliance must be set up in your public cloud, preferably in the Transit VPC/VNet.

Procedure

  1. Navigate to Networking > VPN.
  2. Add a VPN service of type IPSec and note the following configuration options specific to NSX Cloud. See Add an NSX IPSec VPN Service for other details.

     Option           Description
     Name             The name of this VPN service is used to set up the local endpoint and the IPSec VPN sessions. Make a note of it.
     Service Type     Confirm that this value is set to IPSec.
     Tier-0 Gateway   Select the tier-0 gateway auto-created for your Transit VPC/VNet. Its name contains your VPC/VNet ID, for example, cloud-t0-vpc-6bcd2c13.
  3. Add a Local Endpoint for your PCG. The IP address of the local endpoint is the value of the tag nsx:local_endpoint_ip for the PCG deployed in your Transit VPC/VNet. Log in to your Transit VPC/VNet for this value. Note the following configurations specific to NSX Cloud and see Add Local Endpoints for other details.

     Option        Description
     Name          The local endpoint name is used to set up the IPSec VPN sessions. Make a note of it.
     VPN Service   Select the VPN Service you added in step 2.
     IP Address    Find this value by logging in to the AWS console or the Microsoft Azure portal. It is the value of the tag nsx:local_endpoint_ip applied to the uplink interface of the PCG.
  4. Create a Route-Based IPSec session between the PCG and the service appliance in your public cloud (preferably hosted in the Transit VPC/VNet).

     Option             Description
     Type               Confirm that this value is set to Route Based.
     VPN Service        Select the VPN Service you added in step 2.
     Local Endpoint     Select the local endpoint you created in step 3.
     Remote IP          Enter the private IP address of the service appliance.
                        Note: If your service appliance is accessible only through a public IP address, assign a public IP address to the local endpoint IP (also known as the secondary IP) on the PCG's uplink interface.
     Tunnel Interface   This subnet must match the subnet the service appliance uses for the VPN tunnel. Either enter the subnet value you already set up in the service appliance for the VPN tunnel, or note the value you enter here and make sure the same subnet is used when setting up the VPN tunnel in the service appliance.
                        Note: You configure BGP on this tunnel interface. See Configure BGP and Route Redistribution.
     Remote ID          Enter the private IP address of your service appliance in the public cloud.
     IKE Profile        The IPSec VPN session must be associated with an IKE profile. If you created a profile, select it from the drop-down menu. You can also use the default profile.
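The same three objects (VPN service, local endpoint, route-based session) can be created through the NSX Policy API instead of the UI. The following is an added example, not code from the NSX documentation or the NSX product: it builds the request bodies for steps 2 to 4 and checks the one thing the UI cannot check for you, that the tunnel interface address you give the PCG and the tunnel address configured on the service appliance fall in the same subnet. All identifiers, IP addresses, the locale-service id, the default IKE profile path, and the resource_type/field names are assumptions based on the NSX-T Policy API as documented for recent releases; verify them against the API guide for your NSX version before sending anything.

```python
"""Build and sanity-check NSX Policy API bodies for a PCG <-> service-appliance
route-based IPSec VPN session (added example; verify field names against your
NSX version's API guide)."""
import ipaddress
import json
import urllib.request
from typing import Dict, List, Tuple

# --- constructed sample values: every identifier below is a placeholder -----
TIER0_ID = "cloud-t0-vpc-6bcd2c13"        # auto-created tier-0 for the Transit VPC
LOCALE_SERVICE_ID = "default"             # assumption: locale-service id of that tier-0
VPN_SERVICE_NAME = "pcg-appliance-ipsec"  # step 2: VPN service name
LOCAL_ENDPOINT_NAME = "pcg-local-endpoint"  # step 3: local endpoint name
SESSION_NAME = "pcg-to-appliance"         # step 4: session name
LOCAL_ENDPOINT_IP = "10.10.0.10"          # value of tag nsx:local_endpoint_ip (placeholder)
APPLIANCE_PRIVATE_IP = "10.10.1.20"       # Remote IP and Remote ID of the appliance
PCG_TUNNEL_IP = "169.254.100.1"           # tunnel interface address on the PCG side
APPLIANCE_TUNNEL_IP = "169.254.100.2"     # tunnel address configured on the appliance
TUNNEL_PREFIX_LEN = 30
# assumption: path of the built-in IKE profile ("default profile" in the UI)
IKE_PROFILE_PATH = "/infra/ipsec-vpn-ike-profiles/nsx-default-l3vpn-ike-profile"

SERVICE_PATH = (f"/infra/tier-0s/{TIER0_ID}/locale-services/{LOCALE_SERVICE_ID}"
                f"/ipsec-vpn-services/{VPN_SERVICE_NAME}")


def check_tunnel_subnet(local_ip: str, remote_ip: str, prefix_len: int) -> bool:
    """Both tunnel addresses must be distinct usable hosts of one subnet."""
    local = ipaddress.ip_interface(f"{local_ip}/{prefix_len}")
    remote = ipaddress.ip_interface(f"{remote_ip}/{prefix_len}")
    if local.network != remote.network:
        raise ValueError(f"tunnel subnets differ: {local.network} vs {remote.network}")
    if local.ip == remote.ip:
        raise ValueError("PCG and appliance tunnel addresses must differ")
    hosts = set(local.network.hosts())
    if local.ip not in hosts or remote.ip not in hosts:
        raise ValueError("tunnel address is the network or broadcast address")
    return True


def build_vpn_service() -> Dict:
    """Step 2: IPSec VPN service bound to the auto-created tier-0."""
    return {"resource_type": "IPSecVpnService",
            "display_name": VPN_SERVICE_NAME, "enabled": True}


def build_local_endpoint() -> Dict:
    """Step 3: local endpoint whose address is the nsx:local_endpoint_ip tag value."""
    return {"resource_type": "IPSecVpnLocalEndpoint",
            "display_name": LOCAL_ENDPOINT_NAME,
            "local_address": LOCAL_ENDPOINT_IP,
            "local_id": LOCAL_ENDPOINT_IP}


def build_session() -> Dict:
    """Step 4: route-based session; validates the tunnel subnet first."""
    check_tunnel_subnet(PCG_TUNNEL_IP, APPLIANCE_TUNNEL_IP, TUNNEL_PREFIX_LEN)
    return {"resource_type": "RouteBasedIPSecVpnSession",
            "display_name": SESSION_NAME, "enabled": True,
            "local_endpoint_path": f"{SERVICE_PATH}/local-endpoints/{LOCAL_ENDPOINT_NAME}",
            "peer_address": APPLIANCE_PRIVATE_IP,   # Remote IP
            "peer_id": APPLIANCE_PRIVATE_IP,        # Remote ID
            "ike_profile_path": IKE_PROFILE_PATH,
            "authentication_mode": "PSK",
            "psk": "<REPLACE-WITH-PRESHARED-KEY>",  # placeholder; not covered by this page
            "tunnel_interfaces": [{
                "resource_type": "IPSecVpnTunnelInterface",
                "id": "tunnel-0",
                "ip_subnets": [{"ip_addresses": [PCG_TUNNEL_IP],
                                "prefix_length": TUNNEL_PREFIX_LEN}]}]}


def build_all() -> List[Tuple[str, Dict]]:
    """(policy path, body) pairs in the order they must be created."""
    return [(SERVICE_PATH, build_vpn_service()),
            (f"{SERVICE_PATH}/local-endpoints/{LOCAL_ENDPOINT_NAME}", build_local_endpoint()),
            (f"{SERVICE_PATH}/sessions/{SESSION_NAME}", build_session())]


def send(manager_url: str, auth_header: str, path: str, body: Dict) -> int:
    """PATCH one object to /policy/api/v1; not called here so the example runs offline."""
    req = urllib.request.Request(f"{manager_url}/policy/api/v1{path}",
                                 data=json.dumps(body).encode(), method="PATCH",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": auth_header})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    for path, body in build_all():
        print(path)
        print(json.dumps(body, indent=2))
```

Run it as-is to print the three bodies and their policy paths; to apply them, call `send()` with your manager URL and credentials for each pair in the order `build_all()` returns, since the local endpoint must exist before the session that references it. If you change `APPLIANCE_TUNNEL_IP` to an address outside the PCG's tunnel subnet, `build_session()` raises before anything is sent, which is the mismatch the Tunnel Interface note in step 4 warns about.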

What to do next

Configure BGP and Route Redistribution