
Configure an Extended Network and Layer 2 VPN

An extended network with L2 VPN is useful when we want to extend our on-prem network into a VMware Cloud on AWS environment. This configuration helps when we want to move our on-prem VMs to the cloud without losing their network settings, so that they keep the same IP addresses in the cloud. Apart from this, we may want to spin up new VMs and have them on the same network as our on-prem VMs. Stretching a network over L2 VPN requires a supported device on the on-prem side,

for example a standalone NSX Edge, an NSX Edge, or any supported gateway device for L2 stretch. In all of these configurations the VMC side acts as the server side of the L2 VPN and the on-prem device joins this server as a client.

For the purpose of demonstration in this blog I am using a full edge deployment.

Before I forget, let's have a look at the prerequisites:

  • The on-premises data center must be running vSphere 5.0 or later. vSphere 5.1 or later is recommended.

  • The source NSX Edge providing L2 VPN client services must be NSX 6.1.1 or later. NSX 6.4.0 is recommended.

  • You can stretch a VLAN or a VXLAN (this demo uses VXLAN).

  • An uplink IP address is required for the NSX Edge instance that serves as the L2 VPN client. This address must be the Compute Gateway public IP. Create a firewall rule to allow HTTPS traffic from this IP address to the cloud SDDC.

So let's start with the setup.

1) Configuration on the VMware Cloud on AWS side: two simple configurations are needed on the VMware Cloud on AWS side.

a) Create an extended network

To create an extended network, open the cloud vCenter, click Menu, and select the Global Inventory List option.

In the Global Inventory List, select the Logical Networks option and click ADD.

In the New Logical Network window, change the network from Routed Network to Extended Network, and fill in a network name and a Tunnel ID (you can put in any number between 0 and 4093; note this number down, because it will be used while configuring the on-prem side).

That's it! Part a of the cloud side is done; now let's move to part b.

b) In part b we will prepare the L2 VPN server in our SDDC. To do this, open the desired SDDC by logging in. Once you are in your SDDC:

- Click on network tab

- Scroll Down till Compute Gateway

- Expand L2 VPN.

- Click Add VPN

- In the Add VPN Section fill out the Details

VPN Name - Give a name of your choice

Status and Server IP will auto-populate (note down the Server IP to supply it during client creation)

Encryption - Currently only AES128 is supported; we can select either on or off for encryption

Username - Any username of your choice (keep a note for client side config)

Password - Any password of your choice (keep a note for client side config)

Click Save and the VMware Cloud on AWS part is done. Now comes the on-prem part.

2) Configuration on the on-prem side (we will stretch a logical network over L2 VPN):

In the following picture we are using the Test L2 logical switch for the on-prem VMs, and we would like to stretch it over L2 VPN.

2.a) Once done, we can start our task by creating a trunk port on the distributed switch (we can create this trunk port on a standard switch as well). This port will later be used while creating the trunk port on the NSX Edge.

Two things to remember while creating the trunk port: set the VLAN type to VLAN trunking and set forged transmits to Accept.

2.b) Let's do the NSX side configuration now.

Go to Networking and Security in the vSphere client, highlight NSX Edges, and double-click the Edge device (this Edge should either have a public IP as its uplink or have connectivity to the internet).

In the Edge, select Manage.

  • In the Manage > Settings tab for an NSX Edge, click Interfaces.

  • Select an interface and click the Edit icon.

  • In the Edit Edge Interface dialog box, type a name for the interface.

  • In Type, select Trunk.

  • Select the standard portgroup or distributed portgroup that we created as the trunk in step 2.a.

  • Click Change next to the Connected To field.

  • Depending on what you want to connect to the interface, click the Standard Portgroup or Distributed Portgroup tab.

  • Select the appropriate portgroup and click OK.

  • In Sub Interfaces, click the Add icon.

  • Click Enable Sub interface and type a name for the sub interface.

  • In Tunnel Id, type a number between 1 and 4094 (here enter the same tunnel ID that we entered while creating the extended network on the VMC side in part 1).

  • In Backing Type, we select Network because we will extend the VXLAN network.

  • Click Select and select the distributed portgroup or logical switch (the network we identified at the beginning of part 2).

  • To add subnets to the sub interface, click the Add icon in the Configure Subnets area.

  • In Add Subnets, click the Add icon to add an IP address. Type the IP address and click OK. (VMs connected to this network will use this IP as their gateway IP.)

  • Edit the default MTU value for the sub interface if required.

  • Select Enable Send Redirect to convey routing information to hosts.

  • Enable or Disable Reverse Path Filter.

Reverse Path Filter verifies the reachability of the source address in packets being forwarded. In enabled mode, the packet must be received on the interface that the router would use to forward the return packet. In loose mode, the source address must appear in the routing table.

Click OK.

Click OK to close the NSX Edge Interface window.

Now let's click Manage > VPN in the NSX Edge screen and select L2 VPN. After this, select Client as the L2 VPN Mode (the VMware Cloud on AWS side will act as the L2 VPN server) and click the Change button.

Now we are in the Client Details window. Let's fill out the details:

  • Server Address: Fill in the public IP address of the L2 VPN server, which we recorded in part 1.b.

  • Encryption Algorithm: It should be the same as what we supplied in part 1.b. (As of now only AES 128 bit is supported.)

  • Stretched Interface: Click Select Sub Interface and choose the interface that we created in the previous step.

We will leave the rest of the fields blank and come down to the User ID and password section, where we fill in the same user ID and password that we supplied at the VMware Cloud on AWS end and recorded in section 1.b.

  • Click OK.

  • Now we are back on the VPN screen.

  • Let's click the Start button on L2 VPN Service Status.

If everything is configured correctly, we should see the VPN tunnel as UP in the Tunnel Status section.
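When the tunnel does not come up, the usual cause is a value that differs between part 1 and part 2. The following pre-flight check is an added example, not part of the original walkthrough or of any VMware tooling: it compares the settings noted on both sides before the service is started. All dictionary keys and sample values are hypothetical names chosen for this example.

```python
import ipaddress

# Ranges exactly as the walkthrough states them for each side.
VMC_TUNNEL_IDS = range(0, 4094)   # "0 to 4093" on the extended network
EDGE_TUNNEL_IDS = range(1, 4095)  # "1 and 4094" on the Edge sub interface
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample values (hypothetical key names, documentation-range addresses).
SERVER = {"tunnel_id": 100, "encryption": "AES128", "username": "l2vpnuser", "server_ip": "203.0.113.10"}
CLIENT = {"tunnel_id": 100, "encryption": "AES128", "username": "l2vpnuser",
          "server_address": "203.0.113.10", "sub_interface_ip": "192.168.50.1/24"}
TRUNK = {"vlan_type": "VLAN trunking", "forged_transmits": "Accept"}


def preflight(server, client, trunk):
    """Return a list of problems found in the recorded L2 VPN settings."""
    problems = []
    tid_s, tid_c = server["tunnel_id"], client["tunnel_id"]
    if tid_s != tid_c:
        problems.append(f"tunnel ID mismatch: VMC {tid_s} vs Edge {tid_c}")
    if tid_s not in VMC_TUNNEL_IDS or tid_c not in EDGE_TUNNEL_IDS:
        problems.append("tunnel ID outside the range accepted on one side")
    if server["encryption"] != client["encryption"]:
        problems.append("encryption setting differs between server and client")
    elif server["encryption"] is None:  # None models the 'off' choice in part 1.b
        problems.append("encryption is off: stretched L2 frames are not encrypted")
    if server["username"] != client["username"]:
        problems.append("client user ID does not match the server-side username")
    try:
        addr = ipaddress.ip_address(client["server_address"])
    except ValueError:
        problems.append("server address is not a valid IP")
    else:
        if str(addr) != server["server_ip"]:
            problems.append("client points at a different server IP")
        if any(addr in net for net in RFC1918):
            problems.append("server address is RFC 1918 private, expected the public IP")
    if trunk["vlan_type"] != "VLAN trunking":
        problems.append("trunk port group VLAN type is not VLAN trunking")
    if trunk["forged_transmits"] != "Accept":
        problems.append("trunk port group forged transmits is not Accept")
    gw = ipaddress.ip_interface(client["sub_interface_ip"])
    if gw.ip in (gw.network.network_address, gw.network.broadcast_address):
        problems.append("sub interface IP is not a usable host address")
    return problems
```

An empty list means the recorded values agree; the password is deliberately left out of the script and still has to be compared by hand.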

Now let's test the connectivity. For this I have migrated a VM from my on-prem environment to VMware Cloud on AWS and am trying to ping its gateway.

So this was a long process of extending the L2 network from on-prem to the VMware Cloud on AWS environment. If you do not have NSX implemented, you can use a standalone Edge or any supported physical device.

For extending an on-prem network as an L2 extension, and also for bulk-migrating VMs from on-prem to VMware Cloud on AWS, VMware has already introduced a new add-on called HCX (Hybrid Cloud Extension), which is a very exciting tool to use for migrating workloads. The best part of this add-on is that it is free of cost with the VMware Cloud on AWS solution. We will talk about it in detail in my upcoming blogs.

