NSX-T provides all the networking capabilities required by workloads running in the SDDC. These capabilities allow you to:
- Deploy networks (L2, L3, and isolated) and define subnets and gateways for the workloads that will reside there.
- Extend your on-premises L2 domains to the SDDC with L2VPNs, enabling workload migration without IP address changes.
- Connect to on-premises networks, VPCs, or other SDDCs with route-based IPsec VPNs, which use BGP to learn new routes as networks become available.
- Connect to on-premises networks, VPCs, or other SDDCs with policy-based IPsec VPNs.
- Create isolated networks, which have no uplinks and provide access only to the VMs connected to them.
- Use AWS Direct Connect (DX) to carry traffic between on-premises and SDDC networks over high bandwidth, low latency connectivity. You can optionally use a route-based VPN as backup for DX traffic.
ROUTE-BASED VPN:
A route-based VPN creates an IPsec tunnel interface and routes traffic through it as dictated by the SDDC routing table. A route-based VPN provides resilient, secure access to multiple subnets. When you use a route-based VPN, new routes are added automatically when new networks are created.
Route-based VPNs in your VMware Cloud on AWS SDDC use IPsec to secure traffic and the Border Gateway Protocol (BGP) to discover and propagate routes as networks are added and removed.
IMPORTANT: Customers must be educated on the difference between a route-based and a policy-based VPN and on the benefits of each, since a route-based setup is only an option when the on-premises router supports BGP.
If your SDDC includes both a policy-based VPN and a route-based VPN, connectivity over the policy-based VPN will fail if the route-based VPN advertises the default route (0.0.0.0/0) to the SDDC.
POLICY-BASED VPN:
A policy-based VPN creates an IPsec tunnel and a policy that specifies how traffic uses it. When you use a policy-based VPN, you must update the routing tables on both ends of the network when new routes are added.
Policy-based VPNs in your VMware Cloud on AWS SDDC use IPsec to secure traffic. To create a policy-based VPN, you configure the local (SDDC) endpoint, then configure a matching remote (on-premises) endpoint. A policy-based VPN can be an appropriate choice when you have only a few networks on either end of the VPN, or if your on-premises network hardware does not support BGP (which is required for route-based VPNs).
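The following is an added model (not VMware's code or the NSX-T API) of the two VPN types described above: a route-based tunnel whose reachable prefixes arrive in BGP updates, a policy-based tunnel whose (local, remote) subnet pairs must be maintained by hand, and a check for the default-route combination the note above warns about. All names, subnets and tunnel labels are constructed for illustration.

```python
import ipaddress

class RouteBasedVpn:
    """IPsec tunnel interface; remote prefixes are learned from the peer over BGP."""
    def __init__(self, name):
        self.name = name
        self.learned = []                      # prefixes received in BGP UPDATEs

    def bgp_update(self, *prefixes):
        """A BGP UPDATE from the peer: new prefixes become routes automatically."""
        self.learned.extend(ipaddress.ip_network(p) for p in prefixes)

class PolicyBasedVpn:
    """IPsec tunnel plus a static policy of (local, remote) subnet pairs."""
    def __init__(self, name):
        self.name = name
        self.policy = []

    def add_policy(self, local, remote):
        """Both ends must be updated by hand whenever a subnet is added."""
        self.policy.append((ipaddress.ip_network(local), ipaddress.ip_network(remote)))

    def covers(self, src, dst):
        """True only if some policy pair matches this source/destination."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any(src in loc and dst in rem for loc, rem in self.policy)

def route_lookup(dst, route_vpns):
    """Longest-prefix match over everything the route-based tunnels have learned;
    returns the tunnel name or None when no route exists."""
    dst = ipaddress.ip_address(dst)
    best = None
    for vpn in route_vpns:
        for prefix in vpn.learned:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, vpn.name)
    return best[1] if best else None

def default_route_conflicts(route_vpns, policy_vpns):
    """Flag route-based peers advertising 0.0.0.0/0 while a policy-based VPN
    is also configured (the combination that breaks the policy-based VPN)."""
    default = ipaddress.ip_network("0.0.0.0/0")
    return [vpn.name for vpn in route_vpns if default in vpn.learned and policy_vpns]

if __name__ == "__main__":
    rb = RouteBasedVpn("to-onprem-dc1")          # constructed example tunnel
    rb.bgp_update("10.1.0.0/16", "10.2.0.0/16")  # on-prem adds 10.2/16: no SDDC change
    pb = PolicyBasedVpn("to-partner-vpc")
    pb.add_policy("192.168.10.0/24", "172.16.5.0/24")
    print(route_lookup("10.2.0.5", [rb]), pb.covers("192.168.10.7", "172.16.6.9"))
    rb.bgp_update("0.0.0.0/0")
    print(default_route_conflicts([rb], [pb]))
```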