Configuring ACLs and security groups for use with VPN

Access control lists (ACLs) and security groups can be configured on the VPN gateway's subnet where the VPN gateway is deployed, and other VPC subnets that communicate over the VPN tunnel.

The following diagram illustrates packet flow through VPC network ACLs.

Encapsulated, bidirectional traffic flows from the peer gateway (1) to the VPC resources that are a part of the encrypted domain. Unencapsulated packets then leave the VPN subnet and enter the VSI subnet (2). They travel back to the VPN subnet (3), where they then return to the peer gateway (4).

If you configure ACLs or security groups on the VPN gateway's subnet, make sure that the following rules are in place to allow management traffic and VPN tunnel traffic. For more information, see Setting up network ACLs and About security groups.

Inbound and outbound rules on VPN gateway's subnet
Inbound/Outbound Rules	Protocol	Source IP	Source Port	Destination IP	Destination Port
Inbound	All	Peer gateway public IP^[1]	N/A	VPN gateway's subnet	N/A
Outbound	All	VPN gateway's subnet	N/A	Peer gateway public IP^[2]	N/A
Inbound	All	On-premises, private CIDR	N/A	VPC CIDR	N/A
Outbound	All	VPC CIDR	N/A	On-premises, private CIDR	N/A
Inbound	All	VPC CIDR	N/A	On-premises, private CIDR	N/A
Outbound	All	On-premises, private CIDR	N/A	VPC CIDR	N/A
Inbound (optional)	ICMP	Any	N/A	Any	N/A

If you use ACLs or security groups on the VPC subnets that communicate over the VPN tunnel, make sure that ACL or security group rules are in place to allow traffic between virtual server instances in your VPC and the other network.

Inbound and outbound rules on VPC subnets
Inbound/Outbound Rules	Protocol	Source IP	Source Port	Destination IP	Destination Port
Inbound	All	On-premises, private CIDR	N/A	VPC CIDR	N/A
Outbound	All	VPC CIDR	N/A	On-premises, private CIDR	N/A

Rules for VPN traffic using NACLs

Two kinds of NACL exist; the first is attached to a subnet that you choose to create the VPN gateway, the second is attached to a subnet that you choose to create the virtual server instance.

NACL attached to the subnet that you chose to create the VPN gateway

The following rules apply to NACLs attached to subnets that you choose to create the VPN gateway.

Rules scenario 1

Rules1: Allow IPsec protocol packet between IBM gateway and your on-premises gateway
Inbound/Outbound Rules	Protocol	Source IP	Destination
Inbound	ALL	Your on-premises gateway public IP	Subnet CIDR that you choose to create the VPN gateway.
Outbound	ALL	Subnet CIDR that you choose to create the VPN gateway	Your on-premises gateway public IP.

Rules scenario 2

Rules2: Allow traffic between your on-premises private and VPC subnet in which you chose to create the virtual server instance
Inbound/Outbound Rules	Protocol	Source IP	Destination
Inbound	ALL	Your on-premises subnets	Subnet CIDR that you choose to create the VPC virtual server instance.
Outbound	ALL	Subnet CIDR in which you choose to create the VPC virtual server instance	Your on-premises subnets.

Rules scenario 3

Allow ICMP to the VPN gateway for troubleshooting. (Optional)

NACL attached to create the virtual server instance

Same as table 4.

Set the source IP to the peer gateway public IP address. This setting allows traffic from the VPC and the on-premises subnets. ↩︎
Set the source IP to the peer gateway public IP address. This setting allows traffic from the VPC and the on-premises subnets. ↩︎