Encrypted VPN Connectivity from VMC on AWS SDDC to On-Premise DC


Dear Team, I have the following setup requirements between VMware on AWS SDDC and on-Premise DC.

  1. Need an encrypted VPN Solution between SDDC and On-Premise DC.
  2. Need an Encrypted VPN Solution between SideCar VPC and On-Premise DC.
  3. We have direct connect setup between DC and AWS.
  4. Protected firewall sitting behind the edge device in on-Premise DC , encrypted VPN setup on DX need two set of public. Firewall sitting behind edge devise VPN connectivity but that firewall could not configured with public ip. The last hop where the public ip could be configured is the edge devise on the customer site.

As per my understanding, I can use the public VIF on direct connect to setup the encrypted VPN connection between the client edge devise and AWS router. But the problem statement in this case is

  1. How to setup the encrypted VPN solution for both SDDC and sidecar VPC? Can we route the traffic from SDDC to VTGW to TGW(of the sidecar account) and then leverage public VIF to setup encrypted VPN from TGW to customer edge devise?
  2. Do we need the DX gateway to setup the encrypted VPN connectivity?
  3. Encrypted VPN on DX would need to set of public IPS. What if the customer firewall is not having the option to configure the public IP for encrypted VPN ?
  4. Can I use the DX setup in one OU to create the public VIF for another account in separate OU. This is required because I am looking to create the encrypted VPN connection from two OUs to the DC.

Please advise with your comments or if there is any reference architecture available with VMC/AWS.

Many Thanks Rio

1 Answer

I understand you could not have public ip address on the firewall where VPN will be terminated . You also have Direct Connect connection between on-premise (Edge device) to AWS. Also have Site to Site VPN connection from on-premise-DC to SSDC.

Answer to your below question:- you have public VIF connecting your on-premise DC and AWS, you can set up a VPN over Direct connect. Also, from your SSDC you will be able to access sideCar vpc.

SSDC ====VPN=====On-premDC ========VPN over Directconnect======SideCarVPC. To access SideCar VPC from SSDC. I assume route based VPN, between SSC and on-premDC. Incase, if its policy based VPN, Please include SideCar VPC as remote network in SSDC and in on-premise include SideCar VPC as local network. anyway VPN between on-prem dc to AWS is policy based based vpn. It will send the traffic over the tunnel with bgp routes. https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-aws-transit-gateway-vpn.html

How private IP VPN works

Private IP Site-to-Site VPN works over an AWS Direct Connect transit virtual interface (VIF). It uses an AWS Direct Connect gateway and a transit gateway to interconnect your on-premises networks with AWS VPCs. A private IP VPN connection has termination points at the transit gateway on the AWS side, and at your customer gateway device on the on-premises side. You can assign private IP addresses (RFC1918) to both the transit gateway and the customer gateway device ends of the IPsec tunnels.

You attach a private IP VPN connection to a transit gateway. You then route traffic between the VPN attachment and any VPCs (or other networks) that are also attached to the transit gateway. You do that by associating a route table with the VPN attachment. In the reverse direction, you can route traffic from your VPCs to the private IP VPN attachment by using route tables that are associated with the VPCs.

The route table that's associated with the VPN attachment can be the same or different from the one associated with the underlying AWS Direct Connect attachment. This gives you the ability to route both encrypted and unencrypted traffic simultaneously between your VPCs and your on-premises networks.


You will be able to create public VIF for different AWS account other than you have direct connect connection. When you create Public VIf, you need to select which account you want to create the VIF by selecting "virtual interface owner" same account or different account. https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-vif.html

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions