For control and security purposes, the SDDC is split into management and compute components. The management components of the SDDC, such as vCenter, vSAN and NSX, are accessed over a Management Gateway (MGW). The MGW is powered by an NSX Edge security gateway that provides network connectivity for the vCenter Server and NSX Manager running in the SDDC.
The compute components (your workload VMs) connect over a Compute Gateway (CGW). The CGW is powered by a separate NSX Edge instance and a Distributed Logical Router (DLR) to enable ingress and egress of workload VM network traffic.
In this post, we will go through creating an IPsec management VPN that will allow us to securely access the management components.
- An on-premises router or firewall capable of terminating an IPsec VPN, such as a Cisco ISR, Cisco ASA, Check Point firewall, Juniper SRX, NSX Edge, or any other device capable of IPsec tunnelling.
- If your on-premises gateway is behind another firewall, allow IPsec VPN traffic to pass through that firewall to reach your device by doing the following:
- Open UDP port 500 to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through the firewall.
- Set IP protocol ID 50 to allow IPsec Encapsulating Security Protocol (ESP) traffic to be forwarded through the firewall.
- Set IP protocol ID 51 to allow Authentication Header (AH) traffic to be forwarded through the firewall.
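The three pass-through requirements above are easy to get subtly wrong on the upstream firewall (a rule on the wrong chain, the wrong destination, or AH/ESP written as a port instead of an IP protocol). The following added example, which is not part of the original post, audits an `iptables-save` dump for exactly those three flows toward the VPN gateway. It assumes the upstream firewall is Linux/iptables, that the relevant rules live in the `FORWARD` chain, and it uses a constructed sample dump and the documentation address `203.0.113.10` as the gateway.

```python
"""Audit an iptables-save dump for IPsec pass-through toward a VPN gateway.

Added example, not code from the original post. Assumes a Linux/iptables
firewall in front of the on-premises VPN gateway; the chain name, gateway
address and sample dump below are constructed for illustration.
"""
import re

# The three flows the post requires: (protocol, destination port or None).
# ESP and AH are IP protocols, not ports, so no --dport applies to them.
REQUIRED = {
    "ISAKMP": ("udp", "500"),
    "ESP": ("50", None),
    "AH": ("51", None),
}

# iptables accepts protocol names as well as numbers; normalise to numbers.
PROTO_ALIASES = {"esp": "50", "ah": "51", "udp": "udp"}

RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<args>.*)$")


def _parse_rule(line):
    """Return the options of one '-A CHAIN ...' line, or None for other lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = {"chain": m.group("chain")}
    tokens = m.group("args").split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-p", "--protocol"):
            raw = tokens[i + 1].lower()
            opts["proto"] = PROTO_ALIASES.get(raw, raw)
            i += 2
        elif tok in ("-d", "--dport", "-j"):
            key = {"-d": "dst", "--dport": "dport", "-j": "target"}[tok]
            opts[key] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts


def audit_passthrough(dump, gateway_ip, chain="FORWARD"):
    """Return {flow label: True/False} for each required flow toward gateway_ip.

    A rule counts only if it ACCEPTs in the given chain and is either not
    restricted by destination or restricted to the gateway address itself.
    """
    found = {label: False for label in REQUIRED}
    for line in dump.splitlines():
        rule = _parse_rule(line)
        if not rule or rule["chain"] != chain or rule.get("target") != "ACCEPT":
            continue
        dst = rule.get("dst", "").split("/")[0]  # strip a /32 style mask
        if dst not in ("", gateway_ip):
            continue
        for label, (proto, port) in REQUIRED.items():
            if rule.get("proto") == proto and (port is None or rule.get("dport") == port):
                found[label] = True
    return found


def missing_flows(dump, gateway_ip, chain="FORWARD"):
    """List the required flows that the dump does not allow toward gateway_ip."""
    return [label for label, ok in audit_passthrough(dump, gateway_ip, chain).items() if not ok]


# Constructed sample: ISAKMP and ESP are allowed, AH is present but DROPped.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 203.0.113.10/32 -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -d 203.0.113.10/32 -p esp -j ACCEPT
-A FORWARD -d 203.0.113.10/32 -p 51 -j DROP
COMMIT
"""

if __name__ == "__main__":
    print("missing:", missing_flows(SAMPLE_DUMP, "203.0.113.10"))  # → ['AH']
```

Run it against a real dump with `iptables-save | python3 audit.py`-style plumbing by swapping `SAMPLE_DUMP` for `sys.stdin.read()`. One caveat the post does not cover: if a NAT device sits between the gateway and the internet, IKE falls back to NAT traversal on UDP 4500, so that port has to be passed as well.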
Log in to your VMC Console and click VMware Cloud on AWS.
Select your SDDC.
Under Management Gateway, expand IPsec VPN and click ADD VPN.
Enter your details.
After you click Save, the VPN connects to the target. If successful, it shows a Connected status like the image below.
After a successful connection, the Network System Diagram shows the VPN connection with a green status while the tunnel is active.
One last thing to do is to run the Firewall Rule Accelerator, which creates the appropriate firewall policies in the management gateway. This enables communication over the IPsec VPN tunnel with key management infrastructure components such as vCenter Server and ESXi from your on-premises data center.
Firewall Rule Accelerator
I hope this post was helpful. Thank you for reading.
My name is Amine El Badaoui and I currently live in Aylesbury, a small town in the south east of England.
I have been working in the IT industry for a few years now and specialise in VMware virtualisation, data centre infrastructure and cloud technologies. Over the years I have obtained numerous industry certifications from Microsoft, NetApp and VMware. I currently work as a VMware Product Engineer @ https://www.rackspace.com/
This blog represents my random technical notes and thoughts. The thoughts expressed here do not reflect my current employer in any way.