Problem Statement

Enterprises need to extend secure connectivity from their Aviatrix multi-cloud architectures to the IBM cloud.

Solution

Aviatrix transit and spoke gateways deployed in any cloud can establish secure IPsec VPN connections directly to VPN Gateways deployed in the IBM Cloud.

Architecture diagram

Workflow

IBM Cloud Side

1. Navigate to the VPN Gateway creation page

   
   
   
   
   
   

   1. Under Network → VPNs, select Create

      

       

   
   
   




2. Create a Site-to-site VPN Gateway:

   
   
   
   
   
   

   1. Select Site-to-site gateway

   
   
   

   2. Enter the VPN gateway name and Resource group

   
   
   

   3. Select the Region

   
   
   

   4. Select the Virtual private cloud and the Subnet for the VPN gateway

   
   
   

   5. Select Route-based for Mode

   
   
   

   6. Create the first of two VPN connections for VPC (there will be one to each of the Aviatrix HA gateways)

   
   
   

   7. Enter the VPN connection name, the Peer gateway address of the Aviatrix primary gateway, and a Preshared key of your choosing

   
   
   

   8. Leave the other parameters as default

   
   
   

   9. Select Create VPN gateway.

      

      

      

       

   
   
   




3. Create the second VPN connection for VPC by selecting the VPN gateway you just created

   

    





4. Under VPN connections select Create

   

    





5. Create the second VPN connection

   
   
   
   
   
   

   1. Enter the VPN connection name, the Peer gateway address of the Aviatrix HA gateway, and the same Preshared key as the primary gateway

   
   
   

   2. Leave the other parameters as default

   
   
   

   3. Select Create VPN gateway.

      

       

   
   
   




6. Note the Public IP addresses of the VPN gateway

   

    

Aviatrix side

1. Create the Site2Cloud connection from the Aviatrix Transit Gateway to the IBM VPN Gateway

   
   
   
   
   
   

   1. Under Multi-Cloud Transit → Setup → Attach scroll to the External Connection section

   
   
   

   2. Select External Device, Static Remote Route-Based, and the VPC Name

   
   
   

   3. Enter the Connection Name and the Remote Subnets

   
   
   

   4. Select the Primary Aviatrix Gateway and the IKEv2 check box

   
   
   

   5. In the Remote Gateway IP box, enter the two Public IP addresses from the IBM Cloud VPN Gateway, separated by a comma

   
   
   

   6. Enter the same Pre-shared Key used for the IBM Cloud VPN connection for VPC

      

       

   
   
   




2. Navigate to SITE2CLOUD, select the newly created connection, and select EDIT.

   

    





3. Scroll down to Local Subnet and add any other VPC or Vnet subnets that need to be advertised to the IBM Cloud. Select Change Local Subnet.

   

    

Validation

1. Navigate to SITE2CLOUD and verify that the Status is Up. Select the newly created connection, and select EDIT.

   

    





2. Verify both tunnels show Up.

   

    





3. On CoPilot, navigate to Cloud Routes → Site 2 Cloud and verify S2C Status, Tunnel Status are all Up/Green

   

    





4. On IBM Cloud, navigate to the VPN gateway details, and under VPN connections, verify the Status is Active for both connections.