The Cloud Virtual Private Network (VPN) enables a VPNC-compliant IPSec VPN connection between VMware and Non VMware SD-WAN Sites. It also reports the health of each site (up or down status) in real time.
Cloud VPN supports the following traffic flows:
- Branch to Non SD-WAN Destination via Gateway
- Branch to SD-WAN Hub
- Branch to Branch VPN
- Branch to Non SD-WAN Destination via Edge
The following figure represents all three branches of the Cloud VPN. The numbers in the image represent each branch and correspond to the descriptions in the table that follows.
[Figure: Cloud VPN traffic flows. Legend: Non VMware SD-WAN Site; Branch to SD-WAN Hub; Branch to Branch VPN; Branch to Non VMware SD-WAN Site]
Branch to Non SD-WAN Destination via Gateway
Branch to Non SD-WAN Destination via Gateway supports the following configurations:
- Connect to Customer Data Center with Existing Firewall VPN Router
- IaaS
- Connect to CWS (Zscaler)
Connect to Customer Data Center with Existing Firewall VPN Router
A VPN connection between the VMware Gateway and the data center firewall (any VPN router) provides connectivity between branches (with SD-WAN Edges installed) and Non VMware SD-WAN Sites. This makes insertion easy: no installation in the customer Data Center is required.
The following figure shows a VPN configuration:
[Figure: VPN configuration. Legend: Primary tunnel; Redundant tunnel; Secondary VPN Gateway]
The following Non VMware SD-WAN Site types are supported via Gateway:
- Check Point
- Cisco ASA
- Cisco ISR
- Generic IKEv2 Router (Route Based VPN)
- Microsoft Azure Virtual Hub
- Palo Alto
- SonicWALL
- Zscaler
- Generic IKEv1 Router (Route Based VPN)
- Generic Firewall (Policy Based VPN)
Note: VMware supports both Generic Route-based and Policy-based Non VMware SD-WAN Sites from the Gateway.
For information on how to configure a Branch to Non VMware SD-WAN Site through the SD-WAN Gateway, see Configure a Non SD-WAN Destinations via Gateway.
IaaS
When configuring with Amazon Web Services (AWS), use the Generic Firewall (Policy Based VPN) option in the Non VMware SD-WAN Site dialog box.
Configuring with a third party can benefit you in the following ways:
- Eliminates mesh
- Cost
- Performance
Compared to a traditional WAN-to-VPC design, VMware Cloud VPN is simple to set up (the global network of SD-WAN Gateways eliminates the need for mesh tunnels to VPCs), provides a centralized policy to control branch-to-VPC access, assures performance, and secures connectivity.
For information about how to configure using Amazon Web Services (AWS), see the Configure Amazon Web Services section.
Connect to CWS (Zscaler)
Zscaler Web Security provides security, visibility, and control. Delivered in the cloud, Zscaler provides web security with features that include threat protection, real-time analytics, and forensics.
Configuring using Zscaler provides the following benefits:
- Performance: traffic goes direct to Zscaler (Zscaler via Gateway)
- Simplified management: instead of complex proxy management, a simple one-click, policy-aware Zscaler configuration
Branch to SD-WAN Hub
The SD-WAN Hub is an Edge deployed in a Data Center so that branches can access Data Center resources. You must set up your SD-WAN Hub in the SD-WAN Orchestrator. The SD-WAN Orchestrator notifies all the SD-WAN Edges about the Hubs, and the SD-WAN Edges build secure overlay multi-path tunnels to the Hubs.
The following figure shows how both Active-Standby and Active-Active are supported.
Branch to Branch VPN
Branch to Branch VPN supports configurations for establishing a VPN connection between branches for improved performance and scalability.
Branch to Branch VPN supports two configurations:
- Cloud Gateways
- SD-WAN Hubs for VPN
The following figure shows Branch to Branch traffic flows for both a Cloud Gateway and an SD-WAN Hub.
You can also enable Dynamic Branch to Branch VPN for both Cloud Gateways and Hubs.
You can access the 1-click Cloud VPN feature in the SD-WAN Orchestrator from Configure > Profiles > Device Tab in the Cloud VPN area.
Branch to Non SD-WAN Destination via Edge
Branch to Non SD-WAN Destination via Edge supports the following Route-based VPN configurations:
- Generic IKEv2 Router (Route Based VPN)
- Generic IKEv1 Router (Route Based VPN)
For more information, see Configure a Non SD-WAN Destinations via Edge.