IBM Cloud Docs
IBM Cloud VPN overview

IBM Cloud VPN overview

IBM Cloud® Virtual Private Network (VPN) for VPC service offers two types of VPNs:

  • Site-to-site gateways - This VPN type connects your on-premises network to the IBM Cloud VPC network.
  • Client-to-site servers - This VPN type allows clients on the internet to connect to VPN servers, while still maintaining secure connectivity.

IBM Cloud VPN Gateway for VPC provides a simple yet powerful solution for highly scalable and robust site-to-site VPN gateways. With this service, you can create site-to-site VPN tunnels for secure, encrypted connectivity. Also, you connect from on-premises sites to IBM Cloud through a VPN gateway on an IBM Cloud VPC, and a peer gateway on-premises. For more information, see About site-to-site VPN gateways.

IBM Cloud Client VPN for VPC provides an open source compatible client-to-site VPN solution that allows users to connect to IBM Cloud resources through secure, encrypted connections. Whether you want to connect to access or manage your workloads that are running in VPC Virtual Servers or VMware® workloads, you can use the OpenVPN-based client-to-site VPN solution for remote access. For more information, see About client-to-site VPN servers.

Considerations with VMware Cloud Foundation solution in VPC

When you use the VMware virtual machines (VMs) on the VPC subnet architecture, your VMs are attached to VPC subnets and the routing behaves in the same way as with VPC Virtual Servers. The VPC subnets are provisioned from the zone prefix, and the routing works between the VPC without any required changes. You can use both IBM Cloud VPN Gateway for VPC and IBM Cloud Client VPN for VPC with this solution as described in the documentation previously listed.

VPNaaS with VMware on VPC
VPNaaS with VMware on VPC

When you use NSX™ on your VMware solution on VPC, the VMs are attached on the NSX overlay segments. They use an IP address range or prefix, which is reachable through VPC route that points to NSX Tier-0 private uplink VIP as described in the VMware NSX logical routing on VPC topic. You can use both IBM Cloud VPN Gateway for VPC and IBM Cloud Client VPN for VPC with this solution as described in the documentation previously listed.

VPNaaS with VMware on VPC with NSX
VPNaaS with VMware on VPC with NSX

When you use IBM Cloud Client VPN for VPC, you must add VPN routes that are advertised to the VPN clients for the NSX overlay destinations. Set the VPC routes to the same destination and pointing to the NSX Tier-0 Private Uplink VIP. In NSX Tier-0, ensure that you have a static route for the prefix route of your VPN Client IPv4 address pool, which points to the default gateway of the uplink subnet.

With IBM Cloud VPN Gateway for VPC, it is recommended to use route-based tunnels, as described in the VPN Gateway for VPC features topic. Ensure that you define static routes at the on-premises VPN gateway toward NSX overlay prefixes. Set the VPC routes to the same destination and pointing to the NSX Tier-0 Private Uplink VIP. For on-premises destinations, VPC routes must point to the VPN Tunnel. In NSX Tier-0, ensure that your private routes are pointing to the default gateway of the uplink subnet.