IBM Cloud Docs
Using Transit Gateway to interconnect VCF as a Service with IBM Cloud services


Use IBM Cloud® Transit Gateway to securely interconnect IBM Cloud for VMware Cloud Foundation as a Service multitenant and single-tenant virtual data centers (VDCs) with your IBM Cloud Classic and Virtual Private Cloud (VPC) IaaS infrastructures, and with your on-premises locations by using Direct Link connections. Use the VDC Interconnectivity tab in the VMware Solutions console to connect to Transit Gateway.

Transit Gateway uses Generic Routing Encapsulation (GRE) tunnels to connect your single-tenant and multitenant virtual data centers (VDCs) to a Transit Gateway resource in the same region as your VMware Cloud Foundation (VCF) as a Service Cloud Director site. Use the VMware Solutions console to add a connection group to your VDC. A connection group contains six unbound GRE tunnels to establish redundant connectivity to each zone. After you create the connection group, add each GRE tunnel to the Transit Gateway to attach the connection group. You can connect the tunnels to Transit Gateway by using either the IBM Cloud Shell or the Transit Gateway console.

You must individually attach all six unbound GRE tunnels to the Transit Gateway to attach the VDC connection group to Transit Gateway. Together, the six tunnels provide the redundant connectivity to each zone.

The Transit Gateway resource does not need to be in the same IBM Cloud account as the VDC. The Transit Gateway resource is included in your IBM Cloud account, not your VMware account.

Before you begin

Network edge version requirement

Your VDC must include a network edge version 2.0 or higher to use Transit Gateway. All VDCs created after 12 January 2024 include a network edge version 2.0 or higher. If your network edge version is not compatible, a notification displays in the VDC Interconnectivity tab in the VMware Solutions console.

If your VDC does not include a compatible version, create a new VDC that includes the network edge. For more information, see Ordering virtual data center instances.

Transit Gateway requirement

Before you can add a connection group to your VDC, you must create a Transit Gateway. For more information, see the Transit Gateway console and Getting started with IBM Cloud Transit Gateway.

You must create the Transit Gateway in the same region as the Cloud Director site where the VDC is deployed.

Procedure to connect VCF as a Service

  1. Add a connection group to your VDC.

    1. In the VMware Solutions console, click Resources > VCF as a Service from the left navigation pane.

    2. In the VMware Cloud Foundation as a Service table, click the Virtual data center tab, then click an instance name.

    3. Click the Interconnectivity tab to open the Transit Gateway connections page.

    4. Click Add connection group +.

    5. In the Add connection group panel, enter the Transit Gateway ID that you want to connect to. You can locate the Transit Gateway ID on the Transit Gateway details page on the Transit Gateway console.

    6. Click Add.

      The connection group with six pending GRE tunnels is added to your VDC and automation runs to generate the connection values. Next, you must individually connect the six unbound GRE tunnels to complete the connection.

      The Generating connection values status displays while automation generates the connection values. Refresh the VDC page to confirm that the values are generated before you complete the next step to create the Transit Gateway connection.

  2. Connect the connection group unbound GRE tunnels to Transit Gateway.

    Use either the CLI or the Transit Gateway console to connect the tunnels to Transit Gateway. It is recommended to use IBM Cloud Shell to create the connection to Transit Gateway.

    • Complete the following steps if you use Cloud Shell to connect the tunnels to Transit Gateway.

      1. Click the overflow menu on the row of the connection group and click Generate CLI commands. A single command for all six GRE tunnels is generated.

      2. From the Generate CLI commands panel, click the Copy to clipboard icon to copy the single CLI command to connect all six GRE tunnels.

      3. In the IBM Cloud console, click the IBM Cloud Shell icon to open the Cloud Shell interface.

      4. Paste the CLI command in Cloud Shell and run the command to connect all six tunnels to Transit Gateway.

    To run the CLI command locally, use the Transit Gateway CLI, which is implemented as an IBM Cloud CLI plug-in. For more information, see Creating an unbound Generic Routing Encapsulation tunnel connection and Transit Gateway CLI change log.

    • Complete the following steps if you use the Transit Gateway console to connect the tunnels to Transit Gateway.

      1. From the Transit Gateway connections page, expand the Transit Gateway ID. The six pending GRE tunnels display.

      2. Expand an unbound GRE tunnel. The tunnel parameters display. Use the Copy to clipboard icon to copy the parameters as you complete the next steps to create the tunnel connection.

      3. Click Add connection to Transit Gateway to open the Transit Gateway console.

      4. In the Transit Gateway console, complete the procedure to create the unbound GRE tunnel connection. Specify the following parameters.

        • Select Unbound GRE Tunnel for the network connection type.
        • Select Classic Infrastructure for the base network type.
        • Select Request connection to a network in another account for the connection reach.
        • Enter the GRE Tunnel connection values that you can copy and paste from the VMware Solutions console.

        The Transit Gateway documentation states that the Remote BGP ASN field is optional. However, you must provide the Remote BGP ASN value that is specified in the GRE tunnel connection values available to copy on the Interconnectivity tab for the VDC.

      5. Repeat the steps to create the unbound GRE tunnel for each unbound GRE tunnel associated with the Transit Gateway ID.

    When all unbound GRE tunnels display the Attached status, the connection group is attached to Transit Gateway.

  3. Complete the following procedures to configure the VDC network edge.

    1. Configure a fully routed network environment in your VDC. For more information, see Manage Route Advertisement in the VMware Cloud Director Tenant Portal.
    2. If you have existing SNAT rules, edit the priority and configuration of those rules, and add No Source NAT (NOSNAT) rules to use Transit Gateway. For more information, see Add an SNAT or a DNAT Rule.
    3. Update your firewall rules to allow for the new outbound network traffic and for the new remote network inbound traffic. For more information, see Configure Firewall Rules on a Provider Gateway in the VMware Cloud Director Tenant Portal.
  4. From Transit Gateway, create the route and Border Gateway Protocol report. For more information, see Generating a route report.
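
One way to confirm the end state of step 2, that all six unbound GRE tunnels show the Attached status, use the Classic base network type, and carry a Remote BGP ASN, is to check a JSON listing of the gateway's connections. This is an added example, not IBM's code; the JSON field names, the sample data, and the rule of at least two attached tunnels per zone are assumptions.

```python
import json
import sys

EXPECTED_TUNNELS = 6  # from the page: a connection group contains six unbound GRE tunnels

# Constructed sample data. Field names are assumed to follow the Transit Gateway
# connection object (network_type, base_network_type, status, zone, remote_bgp_asn).
SAMPLE = json.dumps([
    {"name": f"vdc-gre-{i}", "network_type": "unbound_gre_tunnel",
     "base_network_type": "classic", "status": "attached",
     "zone": {"name": f"us-south-{(i % 3) + 1}"}, "remote_bgp_asn": 64512}
    for i in range(6)
])


def check_connection_group(connections_json, expected=EXPECTED_TUNNELS):
    """Return a list of findings; an empty list means the group is fully attached."""
    tunnels = [c for c in json.loads(connections_json)
               if c.get("network_type") == "unbound_gre_tunnel"]
    findings = []
    if len(tunnels) != expected:
        findings.append(f"expected {expected} unbound GRE tunnels, found {len(tunnels)}")
    for t in tunnels:
        name = t.get("name", "<unnamed>")
        if t.get("status") != "attached":
            findings.append(f"{name}: status is {t.get('status')!r}, not 'attached'")
        if not t.get("remote_bgp_asn"):
            findings.append(f"{name}: Remote BGP ASN is not set")
        if t.get("base_network_type") != "classic":
            findings.append(f"{name}: base network type is not classic")
    # Assumption: redundant connectivity means at least two attached tunnels per zone.
    per_zone = {}
    for t in tunnels:
        if t.get("status") == "attached":
            zone = (t.get("zone") or {}).get("name", "<no zone>")
            per_zone[zone] = per_zone.get(zone, 0) + 1
    for zone, count in sorted(per_zone.items()):
        if count < 2:
            findings.append(f"zone {zone}: only {count} attached tunnel")
    return findings


if __name__ == "__main__":
    # Pipe the gateway's connection list as JSON on stdin; with no piped input the sample is used.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    problems = check_connection_group(data)
    print("\n".join(problems) if problems else "connection group fully attached")
    sys.exit(1 if problems else 0)
```

A nonzero exit code makes the check usable as a gate before you move on to the network edge configuration in step 3.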