Architecture pattern for deploying Client VPN into VMware Cloud Foundation for VPC
This architecture pattern explains how to deploy Client VPN for VPC (Virtual Private Cloud) with a VMware Cloud Foundation for VPC deployment. Client VPN for VPC provides client-to-site connectivity, which allows remote devices to securely connect to the VPC network by using an OpenVPN software client. This solution is useful for VMware® administrators who want to connect to IBM Cloud from a remote location to manage a VMware Cloud Foundation for VPC instance.
An overview of this architecture pattern is shown in the following diagram.
Deploying Client VPN into VCF for VPC
The following diagram introduces the high-level steps to deploy Client VPN into VCF for VPC.
This architecture pattern deployment is summarized as follows:
- Review general planning considerations for VPN servers.
- Decide which VPN client authentication mode to use: certificate-based, user ID and passcode, or both.
- Create a Secrets Manager service instance and create and upload your TLS certificates.
- Create an IAM service-to-service authorization for your VPN server and IBM Cloud Secrets Manager.
- Design your Client IPv4 address pool and network access, general routing, and VPN server placement. Use the VCF for VPC and Tier 0 private uplink VPC subnet or management subnet, depending on your networking requirements.
- Provision a stand-alone VPN server in a subnet (or provision a VPN server in two subnets for better high availability). For more information, see Creating a VPN server.
- Create VPN routes on your VPN server and VPC routes on the VCF for VPC.
- Set up a client VPN environment and connect to the VPN server.
Tips for deploying Client VPN into VCF for VPC
- When you create VPN routes, you can use the translate option to translate the source IP to the VPN server's private IP address before the packet leaves the VPN server. This makes the VPN client IP address from the Client IPv4 address pool invisible to the destination devices and simplifies the VPC routing configuration, because no return route to the client pool is needed.
- Split tunnel is typically the mode to use if you need simultaneous access to the corporate network and VCF for VPC. In this mode, private traffic flows through the VPN interface into the VPN tunnel, and public traffic flows through the existing LAN interface. You control which destinations enter the tunnel with VPN routes.
- The VMware Cloud Foundation instance uses the IBM Cloud DNS Server default IP addresses 161.26.0.7 and 161.26.0.8. When you manage the VMware Cloud Foundation instance, you need to be able to reach these DNS servers and resolve the VMware Cloud Foundation entries, so ensure that your VPN routes cover this range.
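As an added example (not part of the IBM Cloud documentation), the following Python script checks a Client IPv4 address pool and VPN route design against the points above: the pool must not overlap any destination, routes use the translate action so the pool stays hidden, and a route must cover the DNS servers 161.26.0.7 and 161.26.0.8. The subnets in the sample are constructed values; the actual routes are still created in the console or with the ibmcloud CLI.

```python
import ipaddress
from typing import Iterable

# IBM Cloud DNS resolver addresses used by the VCF instance (from the text).
IBM_DNS_SERVERS = ("161.26.0.7", "161.26.0.8")


def covering_network(addrs: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every address (161.26.0.7/.8 -> 161.26.0.0/28)."""
    hosts = [ipaddress.ip_address(a) for a in addrs]
    net = ipaddress.ip_network(f"{hosts[0]}/32")
    while not all(h in net for h in hosts):
        net = net.supernet()
    return net


def plan_routes(client_pool: str, destinations: Iterable[str],
                dns_servers: Iterable[str] = IBM_DNS_SERVERS,
                action: str = "translate") -> list[dict]:
    """Return VPN route entries for the destinations plus the DNS range.

    Raises ValueError if the Client IPv4 address pool overlaps a destination,
    because clients could then never reach that network through the tunnel.
    """
    pool = ipaddress.ip_network(client_pool)
    nets = [ipaddress.ip_network(d) for d in destinations]
    nets.append(covering_network(dns_servers))
    clash = [str(n) for n in nets if n.overlaps(pool)]
    if clash:
        raise ValueError(f"client pool {pool} overlaps destination(s): {clash}")
    return [{"destination": str(n), "action": action} for n in nets]


def uncovered(routes: list[dict], targets: Iterable[str]) -> list[str]:
    """Targets (CIDR or single host) that no route destination contains."""
    nets = [ipaddress.ip_network(r["destination"]) for r in routes]
    return [t for t in targets
            if not any(ipaddress.ip_network(t).subnet_of(n) for n in nets)]


def split_tunnel_safe(routes: list[dict]) -> bool:
    """True if no route would pull all traffic (0.0.0.0/0) into the tunnel."""
    return all(ipaddress.ip_network(r["destination"]).prefixlen > 0 for r in routes)


if __name__ == "__main__":
    # Constructed sample: client pool, VCF management and Tier 0 uplink subnets, one NSX overlay network.
    routes = plan_routes("192.168.200.0/22",
                         ["10.10.0.0/24", "10.10.1.0/24", "172.16.10.0/24"])
    print(routes)
    print("DNS not covered:", uncovered(routes, IBM_DNS_SERVERS))
    print("split tunnel safe:", split_tunnel_safe(routes))
```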
Considerations
When you design or deploy this architecture pattern, consider the following information:
- Design your IP addressing and VPN routing patterns. Think about the networks to be routed to the VCF for VPC and what NSX overlay networks you need to access from the VPN.
- Review general planning considerations for VPN servers.
- Decide your VPN client authentication mode. You can use certificate-based, user ID and passcode, or both.
- It is recommended to create private certificates with these considerations in mind.