Architecture pattern for using IPsec over Direct Link with a vCenter Server with NSX instance
On VMware Cloud Foundation for Classic - Automated instance in IBM Cloud® classic infrastructure, your workloads are deployed and run on VMware NSX™ overlay networks. As part of the deployment, the automation deploys an example NSX topology. You can use the provisioned examples as your base or build your own topologies on the overlay. These overlay networks are not automatically advertised to the IBM Cloud classic infrastructure network.
This architecture pattern presents private connectivity for VMware Cloud Foundation for Classic - Automated that uses IBM Cloud Direct Link and tunneling. The solution applies to an NSX-based VCF for Classic - Automated instance that is provisioned in IBM Cloud classic infrastructure. Optionally, you can use a Gateway Appliance or a vCenter Server gateway cluster with Juniper® vSRX or another device as part of the solution.
The tunnel is established between the NSX T0 and a customer router that is routable through Direct Link. If a vSRX or other third-party device is used in a gateway cluster, you can terminate the tunnel on those devices instead. In that case, NSX T0 advertises its routes to the vSRX (or other third-party device) through BGP or static routes.
Deploying IPsec over Direct Link with vCenter Server and NSX
The following diagram presents an overview for an architecture pattern for deploying IPsec over Direct Link with vCenter Server and NSX.
This architecture pattern deployment is summarized as follows:
- VCF for Classic - Automated instance is deployed in IBM Cloud classic infrastructure. Two IBM Cloud private VLANs and one IBM Cloud public VLAN (optional) are deployed. Each of these hosts multiple subnets. You can see the details on the IBM Cloud for VMware Solutions portal.
- NSX T0 is deployed with two interfaces: private and public (optional). If you opt for a public interface, it is attached to your public VLAN and has direct internet access. The T0's private interface is attached to the private VLAN and uses an IBM Cloud portable private IP address.
- If a vCenter Server gateway cluster with vSRX (or other third-party device) or an IBM Cloud Gateway Appliance is deployed in your classic infrastructure, you must configure the private primary VLAN of your VCF for Classic - Automated instance so that it is routed through the vSRX or Gateway Appliance. Also, establish routing between your NSX T0 and the vSRX, for example with BGP.
- Create a Direct Link at your IBM Cloud data center or zone location and attach your classic network as a connection. With the local routing option, all your classic networks in the region are advertised; with the Global option, all your classic networks are advertised.
- Configure a policy-based or route-based IPsec connection between your customer router and the private IP address (IBM Cloud private portable) of the vSRX or Gateway Appliance. Ensure that your T0, vSRX, or Gateway Appliance has a route to this tunnel endpoint. Large MTUs are supported on the IBM Cloud private network and Direct Link.
- Exchange routes between your overlay and the on-premises customer router through the tunnel, by using BGP or static routes.
- You can attach any other required connections to the Direct Link, for example, VPCs. Your VPC IP address allocation must not overlap with the attached classic network or with the NSX overlay networks.
Direct Link does not provide direct connectivity between the VPC and classic infrastructure. However, depending on your routing setup, it is possible to hairpin traffic on the customer router. Alternatively, use Transit Gateway for this use case.
Considerations
When you design or deploy this architecture pattern, consider the following points:
- Route-based IPsec VPN is recommended for dynamic routing.
- IPsec tunnels can also be terminated on Tier-1 gateways. In this case, only policy-based VPNs are supported. Also, ensure that the VPN endpoint is known and routed in the IBM Cloud classic network (for example, use a /32 from the private portable subnet for the T1 VPN endpoint).