Configure a L2VPN & Extend Network in VMware cloud on AWS

During the meeting with customers, I am asked lots of questions around L2 extension capabilities on VMware cloud on AWS, such as retaining same IP address as production and live migration without business disruption. To address these challenges, VMware offers a very powerful tool – HCX to make both L2 extension and migrations of workloads. It is also provided free of charge when purchasing VMware Cloud on AWS. However, L2 extension with HCX requires Distributed vSwitches and those in turn are only available with the top-level vSphere Enterprise Plus license. Many customers only have the Standard vSphere license and therefore HCX can’t be used for L2 extension. To address licensing concern or just for L2 extension, NSX Autonomous Edge would be the a perfect choice.

So, VMware Cloud on AWS provides two options for extending an on-prem network to the SDDC-HCX Network Extension (NE) and L2VPN (Autonomous edge or if you have NSX-T edge already in your environment it can be leveraged for L2VPN as well). While both solutions provide the same functionality, they are different in several aspects. Following are the quick comparison (based on SDDC M16 released and HCX4.2)

Supported Functionalities

NSX Autonomous Edge

HCX

Resiliency

Active/Standby

vSphere based HA

vSwitch Type

VSS, DVS

VDS

Network Type

VLAN

VXLAN, VLAN

No of Extended Networks

14

200

Mgmt. Interface

GUI

GUI

VPN Tunnel termination endpoints

Tier-0 Router on SDDC

HCX L2C – HCX L2C 

Others

Needs NSX-T license to download

Mobility Optimized Networking capability

On this post, I am writing step by step guide to extend the vlan 100 from On-Prem to Vmware Cloud on AWS SDDC (as per diagram below). The L2VPN is based on a L2VPN client and a L2VPN server. The L2VPN Server will be configured on VMConAWS (on NSX Edge T0 Router) while NSX Autonomous Edge will be configured as L2VPN Client on-prem. To simplify the configuration steps, I have divided it into 3 phases. Phase 1- L2VPN server configuration and segment creation on VMware Cloud on AWS SDDC, Phase 2-deployment of Autonomous Edge on-prem  and Phase3-configuration of Autonomous Edge and establish L2VPN session.

Diagram

Description automatically generated

Prerequisite

UDP 500/4500, ESP & AH (IP Protocol 50/51) must have allowed from the On-premises L2VPN client to the VMC SDDC L2VPN Server

SDDC and Autonomous Edge environment

SDDC version: 1.16

NSX-Edge: 3.1.1.0.0.17483065

Phase 1: Configure L2VPN Server and create segment in VMware Cloud on AWS SDDC end

Step 1:  Log in to your VMC Console, go to Networking & Security tab–> Network–>VPN–>Layer2 and click “ADD VPN TUNNEL”.

Graphical user interface, application

Description automatically generated

Step 2: Configure VPN Server

Select Public IP from the local IP Address drop-down(if you have DX connection you have to chose Local IP) and input the public IP of L2VPN’s remote end.  On-Prem site, my Autonomous Edge will be behind a NATed device so remote private IP is required. And, click ‘SAVE’ 

Graphical user interface, website

Description automatically generated

Step 3: To Configure Extended Network Segment, Click on ‘ADD SEGMENT’. In my case I am configuring; Segment Name: VLAN 100-l2vpn and VPN Tunnel ID: 100 (the tunnel ID needs to match the on-prem tunnel ID)

Graphical user interface, text, application

Description automatically generated

Step 4: ‘DOWNLOAD CONFIG’, it’s peer codes in text file, we need this information later to configure L2VPN peers in Autonomous Edge

Graphical user interface, text, application, email

Description automatically generated

Note: Downloaded Config file will be something like this we need to copy and paste highlighted area while we create session on  Autonomous Edge.

Text

Description automatically generated

Phase 2: Deploy NSX-T Autonomous Edge (L2VPN Client)

Note: Autonomous Edge will be deployed with  4 interfaces. To visualize connection of autonomous edge via those interfaces I have drawn the diagram below. Since we need port-groups to connect on those interfaces, and if you don’t have Port-groups on your on-prem VC yet pls create them  (I have created following 4 port-groups)

  1. PG-MGMT (Autonomous Edge mgmt. access)
  2. PG-External (For external connectivity, this interface will be used to establish l2vpn peer)
  3. PG-L2VPN-Trunk01 (trunk Port group- Promiscuous mode: Accepted and Forged transmits: Accept)
  4. PG-HA (If you want to deploy active/standby autonomous edge)

Diagram

Description automatically generated

Download Autonomous Edge:

On VMware Cloud on AWS console, navigate Networking & Security ->VPN -> Layer 2 and click on ‘REMOTE AUTONOMOUS EDGE DOWNLOAD’ and it will land you on download page

Graphical user interface, text, application, Teams

Description automatically generated

Step 5: Access your On-Prem VC, right click on cluster and click on ‘Deploy OVF Template’. It will open Deploy OVF Template wizard and select NSX-EDGE ova file and click on ‘NEXT’

Graphical user interface, website

Description automatically generated

Step 6: Supply Virtual Machine’s inventory name, select location and click on ‘NEXT’

Graphical user interface, text

Description automatically generated

Step 7: Select Compute resource and click on ‘NEXT’

Graphical user interface, application

Description automatically generated

Step 8: Choose the size of the Autonomous Edge and click ‘NEXT’

Graphical user interface

Description automatically generated

Step 9: Select storage and click on ‘NEXT’

Graphical user interface, website

Description automatically generated

Step 10: Please refer the table below and select the Network then click on ‘NEXT’

Edge VM vNIC

OVF Template

Edge GUI

Purpose

Network Adapter1

Network 0

Management(eth0)

Management

Network Adapter2

Network 1

eth1

Uplink/External

Network Adapter3

Network 2

eth2

Trunk

Network Adapter4

Network 3

eth3

HA

Graphical user interface

Description automatically generated

Step 11: This step little bit confusing as it needs lots of information. I have taken screenshots of important portion only; rest can be left default. Supply all the require passwords in password section and don’t forget to check Autonomous Edge.

Graphical user interface, text, website

Description automatically generated

In Network Properties section; supply hostname, ip (subnet, GW) information

Graphical user interface

Description automatically generated

In DNS and NTP Section, input DNS and NTP

Graphical user interface, application

Description automatically generated

External Port configuration section is very important, supply the VLAN Id, Interface, NATTED internal ip address, subnetmask (example: 0,eth1,xx.xx.xx.xx,24) and Gateway. As we are not using any internal port and not configuring HA this time so these sections will be blank. Now leave the remaining part default and click on ‘NEXT’

Graphical user interface

Description automatically generated

Step 12: Have a final review and click on ‘FINISH’

Graphical user interface, application

Description automatically generated

Phase 3: Configure NSX-T Autonomous Edge (L2VPN Client)

Power on Autonomous Edge VM, it takes sometime for OS/Daemons initialization . Once it done you should able to access web console via mgmt ip address (https://xx.xx.xx.xx). Navigate ‘PORT’ and you should notice external port configuration (this information we had supplied during the OVA deployment)

Graphical user interface

Description automatically generated with low confidence

Step 13 : Now select ‘L2VPN’ and click on ‘ADD SESSION’ and Provide Session Name (ex: L2VPN_Client ), ENABLE Admin status, Local IP (this will be eth1 ip, Internal NATTED IP in my case), Remote ip (It will be global ip on VMware Cloud on AWS end), copy and paste Peer code (this is what we downloaded  on Step 4) and ‘SAVE’ it

Graphical user interface, text, application, chat or text message

Description automatically generated

Step 14: Now, verify that L2VPN session, it should be UP

Graphical user interface

Description automatically generated

Step 15: Go to PORT->ADD PORT and Provide the details of the VLAN you want to extend (In my case: Port name-VLAN100-L2ext, VLAN-100 and Interface-2) and ‘SAVE’ it.

Graphical user interface, application, website

Description automatically generated

Step 16: Go to L2VPN->ATTACH PORT, for the session select ‘L2VPN_Client’, Port (the one we just created to extend) ‘VLAN100_L2ext vlan100’ and tunnel id ‘100’ (to make easier I selected same as vlan id 100, tunnel id should be matched on both sites) and hit on ‘SAVE’ button

Graphical user interface

Description automatically generated

Step 17: Verify that VPN tunnel/session has been up on both sites. On Autonomous Edge, navigate ‘L2VPN’ and verify Session has been up. And on VMC console, navigate ‘VPN’ and go to ‘Layer 2’ and make sure that Session status is ‘SUCCESS’

Graphical user interface

Description automatically generated

Graphical user interface, text, application, email

Description automatically generated

Loading