An Edge with only private MPLS links can reach the Orchestrator and Gateways located in the public cloud by using the SD-WAN Service Reachable option.

In a site with no direct public internet access, the SD-WAN Service Reachable option allows the private WAN to be used for private site-to-site VCMP tunnels and as a path to communicate with an internet hosted VMware service.

For hybrid environments that have MPLS-only links or require failover to MPLS links, you can enable the SD-WAN Service Reachable option.
Caution: Be careful when you turn on SD-WAN Service Reachable. Enabling it tells the Edge that it can reach both the Orchestrator and the Gateways over that link. If you enable it on a private WAN link that does not actually provide that reachability, two problems can occur:
  1. If the Edge is a Hub, and Spoke Edges use that Hub Edge as their internet breakout, their tunnels to the Gateway may not come up, because the Hub Edge may forward those flows back out the private link.
  2. An Edge with this incorrect setting may appear offline in the Orchestrator, because it may try to reach the Orchestrator over the private link.

MPLS-only Sites

VMware supports private WAN deployments with a hosted VMware service for customers with hybrid environments who deploy in sites with only a private WAN link.

In a site with no public overlays, the private WAN can be used as the primary means of communication with the VMware service, including the following:

  • Enabled SD-WAN service reachability through private link
  • Enabled NTP override using private NTP servers

The following image shows a Regional Hub with an Internet connection and an SD-WAN Edge with only an MPLS connection.

The traffic from the SD-WAN Edge with MPLS-only links is routed to the Orchestrator and Gateway through a Regional Hub, which is able to break out to the public cloud. The SD-WAN Service Reachable option allows the Edge to remain online and manageable from the Orchestrator, and allows public internet connectivity through the Gateway, irrespective of whether or not the Edge has a public link.

Dynamic Failover via MPLS

If all the public Internet links fail, you can fail over critical Internet traffic to a private WAN link. The following image illustrates resiliency of the SD-WAN Orchestrator connection and of a Non SD-WAN Destination (Zscaler).

  • Orchestrator Resiliency – The Edge reaches the Orchestrator over the Internet. If the Internet link fails, the Edge reaches the Orchestrator through MPLS. The Orchestrator connection is established using the Orchestrator IP address, which is advertised over MPLS; the connectivity leverages the public Internet link in the Regional Hub.
  • Zscaler Resiliency – Zscaler connectivity is established over the Internet. If the public link fails, Zscaler is reached through MPLS.

Configure SD-WAN Service Reachable

  1. In the SD-WAN Service of the Enterprise portal, click Configure > Edges. The Edges page displays the existing Edges.
  2. Click the link to an Edge or click the View link in the Device column of the Edge. The configuration options for the selected Edge are displayed in the Device tab.
  3. In the Connectivity category, expand Interfaces.
  4. The different types of Interfaces available for the selected Edge are displayed. Click the link to an Interface connected to the MPLS link.
  5. In the Interface window, select the Override check box and from the WAN Link drop-down menu, select User Defined and click Save.
    Note: The SD-WAN Service Reachable option is available only for a User Defined WAN link.
  6. In the WAN Link Configuration section, click the Interface activated with User Defined WAN link. The User Defined WAN Link window appears.
  7. In the User Defined WAN Link window, select the SD-WAN Service Reachable check box to deploy sites which only have a private WAN link and/or activate the capability to failover critical Internet traffic to a private WAN link.

    When you select the SD-WAN Service Reachable check box, a list of public IP addresses of the SD-WAN Gateways and SD-WAN Orchestrator is displayed. These addresses may need to be advertised across the private network if a default route has not already been advertised across that private network from the firewall.

    When you select the SD-WAN Service Reachable Backup check box, the Private SD-WAN reachable link is used as the backup link for Internet and as an active link for Enterprise destinations, if Public WAN overlays are present. When this option is deactivated, the Private link is used as an active link.

  8. Configure other options as required, and then click Update Link to save the settings.
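Before enabling the option in step 7, it is worth confirming that the private WAN actually carries a route to every Orchestrator and Gateway address in the displayed list (the reachability the Caution above warns about). The following added example, not part of the VMware documentation, is a pre-check script that compares a constructed list of service IPs against constructed prefixes advertised over the MPLS link; all addresses and prefixes are hypothetical documentation ranges.

```python
import ipaddress

# Constructed sample: prefixes advertised into the private WAN at this site
# (hypothetical values, not from any real deployment).
MPLS_ADVERTISED_PREFIXES = [
    "10.0.0.0/8",        # enterprise private address space
    "203.0.113.0/24",    # Gateway range advertised by the Regional Hub
    "198.51.100.7/32",   # host route for the Orchestrator
]

# Constructed sample of the public IPs the Orchestrator UI lists when
# SD-WAN Service Reachable is selected (hypothetical values).
SERVICE_IPS = {
    "orchestrator": ["198.51.100.7"],
    "gateway-1": ["203.0.113.10"],
    "gateway-2": ["192.0.2.44"],
}


def longest_match(ip, prefixes):
    """Return the most specific advertised prefix covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def check_service_reachable(service_ips, prefixes):
    """Classify each service IP as covered by a specific route, covered only by
    a default route, or not advertised at all. Returns (has_default, report)."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    has_default = any(n.prefixlen == 0 for n in nets)
    report = {}
    for name, ips in service_ips.items():
        for ip in ips:
            match = longest_match(ip, prefixes)
            if match is None:
                report[ip] = (name, "missing")        # must be advertised first
            elif match.prefixlen == 0:
                report[ip] = (name, "default-only")   # covered by 0.0.0.0/0
            else:
                report[ip] = (name, str(match))
    return has_default, report


def safe_to_enable(service_ips, prefixes):
    """True only when every listed service IP has some route over the private link."""
    _, report = check_service_reachable(service_ips, prefixes)
    return all(status != "missing" for _, status in report.values())
```

Run the check once with the prefixes your MPLS provider or firewall actually advertises; any address reported as "missing" is one that step 7 says may need to be advertised before the option is turned on.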

For more information on other options in the WAN Overlay window, see Configure Edge WAN Overlay Settings with New Orchestrator UI.