The Cloud Virtual Private Network (VPN) enables a VPNC-compliant IPSec VPN connection that connects VMware and Non VMware SD-WAN Sites. It also indicates the health of the sites (up or down status) and delivers real-time status of the sites.

Cloud VPN supports the following traffic flows:

  • Branch to Non SD-WAN Destination via Gateway
  • Branch to SD-WAN Hub
  • Branch to Branch VPN
  • Branch to Non SD-WAN Destination via Edge

The following figure represents all three branches of the Cloud VPN. The numbers in the image represent each branch and correspond to the descriptions in the table that follows.

red-1 Non VMware SD-WAN Site
red-2 Branch to SD-WAN Hub
red-3 Branch to Branch VPN
red-4 Branch to Non VMware SD-WAN Site
red-5 Branch to Non VMware SD-WAN Site

Branch to Non SD-WAN Destination via Gateway

Branch to Non SD-WAN Destination via Gateway supports the following configurations:

  • Connect to Customer Data Center with Existing Firewall VPN Router
  • Iaas
  • Connect to CWS (Zscaler)

Connect to Customer Data Center with Existing Firewall VPN Router

A VPN connection between the VMware Gateway and the data center firewall (any VPN router) provides connectivity between branches (with SD-WAN Edges installed) and Non VMware SD-WAN Sites, resulting in ease of insertion, in other words, no customer Data Center installation is required.

The following figure shows a VPN configuration:

red-1 Primary tunnel
red-2 Redundant tunnel
red-3 Secondary VPN Gateway
VMware supports the following Non VMware SD-WAN Site configurations through SD-WAN Gateway:
  • Check Point
  • Cisco ASA
  • Cisco ISR
  • Generic IKEv2 Router (Route Based VPN)
  • Microsoft Azure Virtual Hub
  • Palo Alto
  • SonicWALL
  • Zscaler
  • Generic IKEv1 Router (Route Based VPN)
  • Generic Firewall (Policy Based VPN)
    Note: VMware supports both Generic Route-based and Policy-based Non VMware SD-WAN Site from Gateway.

For information on how to configure a Branch to Non VMware SD-WAN Site through SD-WAN Gateway see Configure a Non SD-WAN Destinations via Gateway.

Iaas

When configuring with Amazon Web Services (AWS), use the Generic Firewall (Policy Based VPN) option in the Non VMware SD-WAN Site dialog box.

Configuring with a third party can benefit you in the following ways:

  • Eliminates mesh
  • Cost
  • Performance

VMware Cloud VPN is simple to set up (global networks of SD-WAN Gateways eliminates mesh tunnel requirement to VPCs), has a centralized policy to control branch VPC access, assures performance, and secures connectivity as compared to traditional WAN to VPC.

For information about how to configure using Amazon Web Services (AWS), see the Configure Amazon Web Services section.

Connect to CWS (Zscaler)

Zscaler Web Security provides security, visibility, and control. Delivered in the cloud, Zscaler provides web security with features that include threat protection, real-time analytics, and forensics.

Configuring using Zscaler provides the following benefits:

  • Performance: Direct to Zscaler (Zscaler via Gateway)
  • Managing proxy is complex: Enables simple click policy aware Zscaler

Branch to SD-WAN Hub

The SD-WAN Hub is an Edge deployed in Data Centers for branches to access Data Center resources. You must set up your SD-WAN Hub in the SD-WAN Orchestrator. The SD-WAN Orchestrator notifies all the SD-WAN Edges about the Hubs, and the SD-WAN Edges build secure overlay multi-path tunnel to the Hubs.

The following figure shows how both Active-Standby and Active-Active are supported.

Branch to Branch VPN

Branch to Branch VPN supports configurations for establishing a VPN connection between branches for improved performance and scalability.

Branch to Branch VPN supports two configurations:

  • Cloud Gateways
  • SD-WAN Hubs for VPN

The following figure shows Branch to Branch traffic flows for both Cloud Gateway and a SD-WAN Hub.

You can also enable Dynamic Branch to Branch VPN for both Cloud Gateways and Hubs.

You can access the 1-click Cloud VPN feature in the SD-WAN Orchestrator from Configure > Profiles > Device Tab in the Cloud VPN area.

Note: For step-by-step instructions to configure Cloud VPN, see Configure Cloud VPN for Profiles.

Branch to Non SD-WAN Destination via Edge

Branch to Non SD-WAN Destination via Edge supports the following Route-based VPN configurations:

  • Generic IKEv2 Router (Route Based VPN)
  • Generic IKEv1 Router (Route Based VPN)
Note: VMware supports only Route-based Non VMware SD-WAN Site configurations through Edge.

For more information, see Configure a Non SD-WAN Destinations via Edge.