Looking at the Virtual Private Cloud (VPC) documentation in IBM Cloud, we see that VMware does not appear as a supported platform for establishing an IPsec tunnel (https://cloud.ibm.com/docs/vpc?topic=vpc-vpn-onprem-example). This doesn’t mean you cannot use a VMware NSX-V Edge to connect to the VPC VPN Gateway, extending your datacenter with IBM Cloud services and consuming them securely through the tunnel.
The final picture after the IPsec tunnel creation looks like this:
To establish the tunnel, follow these steps:
- In the ‘VPC/VPN Gateways’ menu, go to the ‘IKE Policies’ tab and create an IKE policy with these values:
- In the ‘VPC/VPN Gateways’ menu, go to the ‘IPsec Policies’ tab and create an IPsec policy with these values:
- Create a VPN gateway; the key parameters to set are:
- Create a route table in the IBM Cloud VPC:
- Once the route table is created, select it and create a route to the networks exposed in the VMware environment:
- On the VMware side, go to the ‘Networking & Security’ menu, then to ‘NSX-V Edge’, select the edge exposed to the Internet, go to the VPN tab and add an IPsec VPN site:
  - On the ‘Tunnel Configuration’ tab, fill in the same parameters we used for the IPsec and IKE policies in IBM Cloud:
  - On the ‘Advanced’ tab:
- On the SSL VPN-Plus tab, in the ‘Private Networks’ section, add the routes to the VPC. This enables users connected to the NSX-V Edge via the NSX-V VPN to reach IBM Cloud services via the IBM Cloud private endpoints.
- Create an SNAT rule to mask the traffic from the NSX-V VPN users so they can reach the IBM VPC VPN and service endpoint networks via the established IPsec tunnel.
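As an added example (not part of the original post), a small Python consistency check for the steps above: it normalises the vendor-specific spellings of the IKE/IPsec parameters so the NSX-V site can be compared with the VPC policies, and verifies that the VPC route, the SSL VPN-Plus private networks and the SNAT rule cover each other's networks. All addresses and parameter values are constructed sample data, since the post's own values were only shown in screenshots.

```python
"""Consistency check for an IBM Cloud VPC <-> NSX-V Edge IPsec setup.
Added example; all addresses and parameter values are constructed, not
the post's own (those were only visible in its screenshots)."""
import ipaddress

# The two consoles spell the same proposal differently; map both to one form.
_ALIASES = {
    "aes-256": "aes256", "sha-256": "sha256", "dh14": "14", "group_14": "14",
    "group14": "14", "ikev2": "2", "v2": "2",
}

def _norm(value):
    v = str(value).strip().lower()
    return _ALIASES.get(v, v)

def policy_mismatches(vpc_policy, nsx_site, fields):
    """Return [(field, vpc_value, nsx_value)] for each field that differs."""
    return [(f, vpc_policy[f], nsx_site[f])
            for f in fields if _norm(vpc_policy[f]) != _norm(nsx_site[f])]

def _uncovered(cidrs, targets):
    """Targets not contained in any of the given CIDRs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [t for t in targets
            if not any(ipaddress.ip_network(t).subnet_of(n) for n in nets)]

def routing_gaps(vpc_route_dests, nsx_local_subnets, sslvpn_private_nets,
                 vpc_cidrs, snat_sources, sslvpn_client_pool):
    """One check per route/SSL VPN-Plus/SNAT step; empty list means consistent."""
    problems = []
    # The VPC route table must send every NSX-V local subnet into the tunnel.
    for t in _uncovered(vpc_route_dests, nsx_local_subnets):
        problems.append(f"VPC route table lacks a route to {t}")
    # SSL VPN-Plus private networks must include the VPC CIDRs.
    for t in _uncovered(sslvpn_private_nets, vpc_cidrs):
        problems.append(f"SSL VPN-Plus private networks omit {t}")
    # The SNAT rule must match the SSL VPN-Plus client address pool.
    for t in _uncovered(snat_sources, [sslvpn_client_pool]):
        problems.append(f"SNAT rule does not cover client pool {t}")
    return problems

if __name__ == "__main__":
    vpc_ike = {"ike_version": 2, "encryption_algorithm": "aes256",
               "authentication_algorithm": "sha256", "dh_group": 14}
    nsx_ike = {"ike_version": "IKEv2", "encryption_algorithm": "AES-256",
               "authentication_algorithm": "SHA-256", "dh_group": "DH5"}
    print(policy_mismatches(vpc_ike, nsx_ike, list(vpc_ike)))
    print(routing_gaps(["192.168.10.0/24"], ["192.168.10.0/24", "192.168.20.0/24"],
                       ["10.240.0.0/16"], ["10.240.0.0/16"],
                       ["192.168.99.0/24"], "192.168.99.0/24"))
```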
Let’s check that this approach works!
I deployed a PostgreSQL instance exposed only on a private service endpoint (no internet connection):
I also deployed a Red Hat OpenShift Kubernetes Service (ROKS) instance exposed only on a private service endpoint (no internet connection):
If we are NOT connected to the VMware VPN, we can NOT reach the PostgreSQL service, as the screenshot below shows:
The same happens with Red Hat OpenShift Kubernetes Service:
If we are connected to the VMware VPN, we can reach the PostgreSQL service, as the screenshot below shows:
If we are connected to the VMware VPN, we can reach the ROKS instance, as the screenshot below shows:
Next Steps: Terminate the IPsec VPN tunnel on NSX-T instead of NSX-V
Hope this helps you guys!!!
***Written in collaboration with Sebastian Chaparro***