Set up VPN in the Native Cloud Enforced Mode

You can create a VPN tunnel between the PCG and a remote endpoint by following this workflow. These instructions are specific to workload VMs manged in the Native Cloud Enforced Mode.

You can use CSM APIs to configure VPN in NSX if both the endpoints are in the public cloud and managed by PCGs. See Automate VPN for Public Cloud Endpoints using APIs.

Prerequisites

In AWS: Verify that you have deployed a VPC in the Native Cloud Enforced Mode. This must be a Transit or Self-managed VPC. VPN is not supported for Compute VPCs in AWS.
In Microsoft Azure: Verify that you have deployed a VNet in the Native Cloud Enforced Mode. You can use both Transit and Compute VNets.
Verify that the remote endpoint is peered with the PCG and has route-based IPSec VPN and BGP capabilities.

Procedure

In your public cloud, find the NSX-assigned local endpoint for the PCG and assign a public IP address to if necessary:
1. Go to your PCG instance in the public cloud and navigate to Tags.
2. Note the IP address in the value field of the tag nsx.local_endpoint_ip.
3. (Optional) If your VPN tunnel requires a public IP, for example, if you want to set up a VPN to another public cloud or to the on-prem NSX deployment:
  1. Navigate to the uplink interface of the PCG instance.
  2. Attach a public IP address to the nsx.local_endpoint_ip IP address that you noted in step 1.b.
4. (Optional) If you have an HA pair of PCG instances, repeat steps 1.a and 1.b and attach a public IP address if necessary, as described in step 1.c.

In NSX Manager, enable IPSec VPN for the PCG that appears as a tier-0 gateway named like cloud-t0-vpc/vnet-<vpc/vnet-id> and create route-base IPSec sessions between this tier-0 gateway's endpoint and the remote IP address of the desired VPN peer. See Add an NSX IPSec VPN Service for other details.

Navigate to Networking > VPN > VPN Services > Add Service > IPSec. Provide the following details:

Option	Description
Name	Enter a descriptive name for the VPN service, for example `<VPC-ID>-AWS_VPN` or `<VNet-ID>-AZURE_VPN`.
Tier0/Tier1 Gateway	Select the tier-0 gateway for the PCG in your public cloud.

Navigate to Networking > VPN > Local Endpoints > Add Local Endpoint. Provide the following information and see Add Local Endpoints for other details:

Note: If you have an HA pair of PCG instances, create a local endpoint for each instance using the corresponding local endpoint IP address attached to it in the public cloud.

Option	Description
Name	Enter a descriptive name for the local endpoint, for example `<VPC-ID>-PCG-preferred-LE` or `<VNET-ID>-PCG-preferred-LE`
VPN Service	Select the VPN service for the PCG's tier-0 gateway that you created in step 2.a.
IP Address	Enter the value of the PCG's local endpoint IP address that you noted in step 1.b.

Navigate to Networking > VPN > IPSec Sessions > Add IPSec Session > Route Based. Provide the following information and see Add a Route-Based IPSec Session for other details:

Note: If you are creating a VPN tunnel between PCGs deployed in a VPC and PCGs deployed in a VNet, you must create a tunnel for each PCG's local endpoint in the VPC and the remote IP address of the PCG in the VNet, and conversely from the PCGs in the VNet to the remote IP address of PCGs in the VPC. You must create a separate tunnel for the active and standby PCGs. This results in a full mesh of IPSec Sessions between the two public clouds.

Option	Description
Name	Enter a descriptive name for the IPsec session, for example, `<VPC--ID>-PCG1-to-remote_edge`
VPN Service	Select the VPN service you created in step 2.a.
Local Endpoint	Select the local endpoint you created in step 2.b.
Remote IP	Enter the public IP address of the remote peer with which you are creating the VPN tunnel. Note: Remote IP can be a private IP address if you are able to reach the private IP address, for example, using DirectConnect or ExpressRoute.
Tunnel Interface	Enter the tunnel interface in a CIDR format. The same subnet must be used for the remote peer to establish the IPSec session.

Expand BGP and set up BGP neighbors on the IPSec VPN tunnel interface that you established in step 2. See Configure BGP for more details.

Navigate to Networking > Tier-0 Gateways.
Select the auto-created tier-0 gateway for which you created the IPSec session and click Edit.

Click the number or icon next to BGP Neighbors under the BGP section and provide the following details:

Option	Description
IP Address	Use the IP address of the remote VTI configured on the tunnel interface in the IPSec session for the VPN peer.
Remote AS Number	This number must match the AS number of the remote peer.

Advertise the prefixes you want to use for the VPN using the Redistribution Profile. Do the following:

Important: This step is only for NSX 3.0.0. Skip it if you are using NSX 3.0.1.
1. Expand Routing and add a static route for the CIDR of the VPC/VNet onboarded with the Native Cloud Enforced Mode to point to the uplink IP address of the tier-0 gateway, that is, PCG.
  See Configure a Static Route for instructions. If you have a PCG pair for HA, set up next hops to each PCG's uplink IP address.
2. In the expanded Routing category, add a prefix list for the VPC/VNet CIDR onboarded in the Native Cloud Enforced Mode and add it as an Out Filter in BGP neighbor configuration.
  See Create an IP Prefix List for instructions.
3. Expand Route Re-Distribution and set up a route redistribution profile, enabling static route and select the route filter you created for VPC/VNet CIDRs in the previous substep.
In your public cloud, do the following:
1. Go to the routing table of the subnet where you have your workload VMs.
  
  Note: Do not use the routing table of the PCG's uplink or management subnets.
2. Add the tag nsx.managed = true to the routing table.

Results

Verify that routes are created in the managed routing table for all IP prefixes advertised by the remote endpoint with next hop set to the PCG's uplink IP address.