IBM Cloud Docs
Architecture pattern for deploying Client VPN into VMware Cloud Foundation VPC

This architecture pattern explains how to deploy Client VPN for VPC (Virtual Private Cloud) with an IBM Cloud® for VMware Cloud Foundation deployment. Client VPN for VPC provides client-to-site connectivity, which allows remote devices to securely connect to the VPC network by using an OpenVPN software client. This solution is useful for VMware® administrators who want to connect to the IBM Cloud from a remote location to manage an IBM Cloud for VMware Cloud Foundation instance.

An overview of this architecture pattern is shown in the following diagram.

Figure 1. Using client VPN with an IBM Cloud for VMware Cloud Foundation deployment

Deploying Client VPN into VMware Cloud Foundation VPC

The following diagram introduces the high-level steps to deploy Client VPN into VMware Cloud Foundation VPC.

Figure 2. Deploying Client VPN into VMware Cloud Foundation VPC

This architecture pattern deployment is summarized as follows:

  1. Review general planning considerations for VPN servers.
  2. Decide which VPN client authentication mode to use: certificate-based, user ID and passcode, or both.
  3. Create a Secrets Manager service instance and create and upload your TLS certificates.
  4. Create an IAM service-to-service authorization for your VPN server and IBM Cloud Secrets Manager.
  5. Design your Client IPv4 address pool, network access, general routing, and VPN server placement. Use the VMware Cloud Foundation VPC and, depending on your networking requirements, either the Tier 0 private uplink VPC subnet or the management subnet.
  6. Provision a stand-alone VPN server in a subnet (or provision a VPN server in two subnets for better high availability). For more information, see Creating a VPN server.
  7. Create VPN routes on your VPN server and VPC routes on the VMware Cloud Foundation VPC.
  8. Set up a client VPN environment and connect to the VPN server.

Tips for deploying Client VPN into VMware Cloud Foundation VPC

  • When you create VPN routes, you can use the translate action to rewrite the client source IP address to the VPN server's private IP address before the packet leaves the VPN server. The VPN client address from the Client IPv4 address pool is then invisible to the destination devices, and because replies go back to the VPN server's own subnet address, the VPC does not need a return route to the client pool. This simplifies the VPC routing configuration.
  • Split tunnel is typically the mode to use when you need simultaneous access to your corporate network and the VMware Cloud Foundation VPC. Private traffic for the VPC flows through the VPN interface into the tunnel, and all other traffic, including public traffic, leaves through the existing LAN interface. Which destinations go through the tunnel is controlled by the VPN routes.
  • The VMware Cloud Foundation instance uses the IBM Cloud DNS server default IP addresses 161.26.0.7 and 161.26.0.8. When you manage the instance over the VPN, you must be able to reach these resolvers and resolve the VMware Cloud Foundation DNS entries, so ensure that your VPN routes cover this range.
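As a worked check for steps 5 and 7 of the procedure and the three tips above, the following Python example models a Client VPN route plan and flags the design errors those tips warn about (which destinations ride the tunnel under split tunnel, when a translate versus deliver route needs a VPC return route, and whether the IBM Cloud resolvers are covered). It is an added example, not IBM Cloud code, and it does not call the IBM Cloud API; the client pool, VPC, and NSX prefixes are constructed values, and routing 161.26.0.0/16 is one assumed way to cover the two resolvers.

```python
"""Design check for a Client VPN for VPC route plan.

Added example; not IBM Cloud code. It encodes the planning rules from the
deployment tips so a route plan can be checked before anything is provisioned:
  * split tunnel: only destinations matched by a VPN route leave through the
    tunnel, everything else stays on the local LAN interface;
  * a VPN route with action "translate" rewrites the client source address to
    the VPN server's private IP, so the VPC needs no return route to the client
    pool; a "deliver" route keeps the client address and does need one;
  * the VPN routes must cover the IBM Cloud DNS resolvers 161.26.0.7 and
    161.26.0.8 so VMware Cloud Foundation names resolve over the tunnel.
All CIDRs in the sample plans are constructed for this example.
"""
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

IBM_DNS = (IPv4Address("161.26.0.7"), IPv4Address("161.26.0.8"))
VALID_ACTIONS = {"translate", "deliver"}


@dataclass(frozen=True)
class VpnRoute:
    destination: IPv4Network
    action: str  # "translate" (SNAT to VPN server IP) or "deliver" (client IP kept)


@dataclass
class VpnPlan:
    client_pool: IPv4Network            # Client IPv4 address pool of the VPN server
    routes: list                        # VPN routes configured on the VPN server
    split_tunnel: bool = True
    # Prefixes on the VMware Cloud Foundation side (VPC subnets, NSX overlays)
    reachable_cidrs: list = field(default_factory=list)
    # VPC routing-table entries that point the client pool back at the VPN server
    vpc_return_routes: list = field(default_factory=list)


def path_for(plan: VpnPlan, dst) -> str:
    """Return 'vpn' if a client packet to dst goes through the tunnel, else 'lan'."""
    dst = ip_address(str(dst))
    if not plan.split_tunnel:
        return "vpn"                    # full tunnel: everything is sent to the VPN server
    return "vpn" if any(dst in r.destination for r in plan.routes) else "lan"


def validate(plan: VpnPlan) -> list:
    """Return a list of design problems; an empty list means the plan passes."""
    problems = []
    pool = plan.client_pool

    # The pool must not overlap anything the clients need to reach (deduplicated).
    for net in dict.fromkeys([r.destination for r in plan.routes] + plan.reachable_cidrs):
        if pool.overlaps(net):
            problems.append(f"client pool {pool} overlaps destination {net}")

    for r in plan.routes:
        if r.action not in VALID_ACTIONS:
            problems.append(f"route {r.destination}: unknown action {r.action!r}")
        # Only deliver keeps the client IP visible, so only deliver needs a VPC route back.
        elif r.action == "deliver" and not any(
            pool.subnet_of(ret) for ret in plan.vpc_return_routes
        ):
            problems.append(
                f"route {r.destination} delivers with client IP; VPC has no route "
                f"for {pool} back to the VPN server (or use action 'translate')"
            )

    # VCF entries are served by the IBM Cloud resolvers; they must ride the tunnel.
    for dns in IBM_DNS:
        if path_for(plan, dns) != "vpn":
            problems.append(f"DNS resolver {dns} is not covered by any VPN route")
    return problems


def sample_plans() -> dict:
    """Constructed plans: one that passes, its full-tunnel variant, and one with typical mistakes."""
    good = VpnPlan(
        client_pool=ip_network("192.168.8.0/22"),
        routes=[
            VpnRoute(ip_network("10.100.0.0/16"), "translate"),   # VCF VPC subnets (assumed)
            VpnRoute(ip_network("172.16.0.0/16"), "translate"),   # NSX overlay segments (assumed)
            VpnRoute(ip_network("161.26.0.0/16"), "translate"),   # IBM Cloud service range incl. DNS
        ],
        reachable_cidrs=[ip_network("10.100.0.0/16"), ip_network("172.16.0.0/16")],
    )
    bad = VpnPlan(
        client_pool=ip_network("10.100.4.0/22"),                   # collides with the VPC
        routes=[VpnRoute(ip_network("10.100.0.0/16"), "deliver")], # no return route, no DNS
        reachable_cidrs=[ip_network("10.100.0.0/16")],
    )
    return {"good": good, "full": replace(good, split_tunnel=False), "bad": bad}


if __name__ == "__main__":
    for name, plan in sample_plans().items():
        print(name, validate(plan) or "OK")
```

Run it as-is to see the passing plan and the four findings on the bad one; to check your own design, build a VpnPlan from the pool, VPN routes, and VPC routing-table entries you intend to create and call validate before provisioning the VPN server.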

Considerations

When you design or deploy this architecture pattern, consider the following information:

  • Design your IP addressing and VPN routing patterns. Think about the networks to be routed to the VMware Cloud Foundation VPC and what NSX overlay networks you need to access from the VPN.
  • Review general planning considerations for VPN servers.
  • Decide your VPN client authentication mode. You can use certificate-based, user ID and passcode, or both.
  • It is recommended that you create private certificates with these considerations in mind.