This white paper is intended for VCPP Cloud Providers interested in offering remote access VPN solutions in their multi-tenant environments managed by VMware Cloud Director (VCD) or VMware Cloud Director service (CDS).
This document will guide you through the steps required to provide a remote access VPN to an organization VDC backed by NSX-T in Cloud Director by using third-party software.
VMware Cloud Director and Cloud Director service empower customers to deploy workloads in secured, isolated, and multi-tenant environments. While the deployment is an important aspect, customers also require access to their virtual machines for operations, maintenance, lifecycle, and troubleshooting.
The usage of a remote access VPN solution in a Cloud Director context has multiple benefits:
- Securely access virtual machines in an organization VDC from anywhere, without a jump box and without exposing the machines to the Internet.
- Limit the number of public IPs consumed in NAT'd environments.
- Limit the number of ports opened towards an organization VDC.
- Allow customers to keep using the VPN client software they are already familiar with (no change in tooling).
VMware NSX-T Data Center supports only site-to-site VPN; it does not offer a remote access (client-to-site) VPN. This limitation requires providers or tenants to select an alternative solution, open source or commercial, depending on the desired mix of features and support. It is worth noting that the steps to enable such a solution in Cloud Director are the same regardless of the VPN software chosen. Two examples are covered in this white paper: OpenVPN and WireGuard.
With the proposed implementation in this document, tenant admins can implement the VPN solution of their choice from the tenant portal, or cloud providers can provide this function as a managed service.