What is a Virtual Private Network (VPN)?
L2/L3 VPN
A Virtual Private Network (VPN), as the name suggests, extends a private network across a public network while keeping the traffic private and secure. It does this by creating a tunnel, in effect a private line, from a local network to an external network (and vice versa) for the secure transmission of data. Data is encrypted before it leaves the device, and the sender's or recipient's IP (Internet Protocol) address is masked because the traffic is sent through the server of a VPN service provider. The VPN service provider assigns the sender/recipient a temporary IP address that cannot be traced back to them.
The tunnel is a virtual connection established between two endpoints using a tunneling protocol. Tunneling protocols enable the secure transmission of every type of data between two points on a network or from one network to another. Two of the most widely used tunneling protocols are:
- Internet Protocol Security (IPsec), which authenticates senders, checks the integrity of the data being transmitted and encrypts it; users need to install software on their machines in order to establish a connection.
- Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS), both of which enable secure communication across public networks directly from a web browser.
The VPN service provider's server decrypts the data and sends it on to its destination.
With a Layer 2 VPN (L2 VPN), you can extend Layer 2 networks (VLANs or VXLANs) across multiple sites so that they share the same broadcast domain. Data is forwarded in one of the Layer 2 frame formats (Media Access Control (MAC) or Logical Link Control (LLC), for example) across a service provider's Layer 3 network running over the public internet infrastructure, and is converted back to Layer 2 format at the receiving end. VMs on the Layer 2 network can communicate with each other seamlessly over an L2 VPN even if they are located in different data centers. The extended network is a single subnet with a single broadcast domain, so VMs remain on the same subnet when they are moved between network sites, and their IP addresses stay the same.
An L2 VPN might be used for connections in the following scenarios:
- between an NSX-T Data Center L2 VPN server and an L2 VPN client hosted on an NSX Edge managed in an NSX Data Center for vSphere; a managed L2 VPN client is limited to supporting VXLANs
- between an NSX-T Data Center L2 VPN server and an L2 VPN client hosted on a standalone or unmanaged NSX Edge; an unmanaged L2 VPN client supports VLANs
- between an NSX-T Data Center L2 VPN server and an NSX-T Data Center L2 VPN client; in this scenario, you can extend the L2 network between two software-defined data centers (SDDCs) deployed in the cloud, such as VMware Cloud on Amazon
Layer 3 VPN (L3 VPN) services are used to provide secure Layer 3 connectivity into the data center network from remote locations.
As shown in the illustration above, the L3 VPN service lets remote clients use SSL tunnels to connect securely to private networks behind an NSX Edge gateway acting as the L3 VPN server in the data center. This service is usually referred to as SSL VPN-Plus. (A gateway is a device that enables data to be transmitted from one network to another. Unlike switches and routers, gateways can use more than one protocol at the same time and can operate at all seven layers of the OSI model.)
Alternatively, the NSX Edge can be deployed with standard IPsec protocol settings to interoperate with all major physical VPN vendors' equipment and establish site-to-site secure L3 connections. It is possible to connect multiple remote IP subnets (broadcast domains) to the internal network behind the NSX Edge. Connectivity in this case is routed, since the remote and local subnets belong to different address spaces (broadcast domains).
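Because routed site-to-site connectivity depends on the local and remote subnets being distinct address spaces, a useful pre-deployment check is to validate the address plan before configuring the tunnel. The following is an added example, not NSX or VMware code; the site names and prefixes are constructed sample values, and the edge is assumed to use policy-based IPsec with one local/remote prefix pair per traffic selector.

```python
"""Address-plan check for a routed site-to-site IPsec setup.

Added example, not NSX code. Before bringing up a policy-based IPsec
tunnel between an edge gateway and remote sites, verify that every
remote subnet lives in a different address space than the local ones
(routed connectivity requires disjoint prefixes) and derive the
local/remote selector pairs the tunnel policy has to protect.
Site names and prefixes used by callers are constructed sample values.
"""
from ipaddress import ip_network
from itertools import product


def check_address_plan(local_subnets, remote_sites):
    """Return a list of overlap problems (an empty list means the plan is valid).

    local_subnets: iterable of CIDR strings behind the local edge.
    remote_sites:  dict mapping site name -> list of CIDR strings at that site.
    Remote prefixes are checked against the local prefixes and against the
    prefixes of every other remote site, since the edge routes between all of them.
    """
    problems = []
    seen = [("local", ip_network(s)) for s in local_subnets]
    for site, subnets in remote_sites.items():
        for s in subnets:
            net = ip_network(s)
            for owner, other in seen:
                if net.overlaps(other):
                    problems.append(f"{site} {net} overlaps {owner} {other}")
            seen.append((site, net))
    return problems


def traffic_selectors(local_subnets, remote_subnets):
    """Local/remote prefix pairs a policy-based tunnel must protect, sorted."""
    pairs = product(map(ip_network, local_subnets), map(ip_network, remote_subnets))
    return sorted((str(local), str(remote)) for local, remote in pairs)


if __name__ == "__main__":
    # Constructed sample plan: one local data-center prefix, two branch sites.
    local = ["10.10.0.0/16"]
    sites = {"branch-a": ["192.168.1.0/24"], "branch-b": ["10.10.5.0/24"]}
    for problem in check_address_plan(local, sites):
        print("PLAN ERROR:", problem)
    for pair in traffic_selectors(local, sites["branch-a"]):
        print("selector:", pair)
```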