This article covers how an Edge using only an MPLS link(s) can reach the VMware SD-WAN Orchestrator and Gateways located in the public cloud.  The article outlines how to address this issue using the SD-WAN Service Reachable feature with one of two supported topologies: using an external router/firewall to breakout to the public internet; or using a Hub Edge that has a public internet link(s).

VMware SD-WAN by VeloCloud

VMware SD-WAN uses the feature - "SD-WAN Service Reachable" to reach the Orchestrator and Gateways using the Private MPLS links.  Because both the Orchestrator and Gateways are cloud-based, normally it is reached through a public WAN link.  However, for environments that only have MPLS links or require failover to MPLS links, users can still connect to the Orchestrator and Gateways by leveraging the SD-WAN Service Reachable feature.

With this feature enabled the user has available two possible topologies for reaching the Orchestrator and Gateways: 

1. Configure a breakout to the public internet using a 3rd party router/firewall from the MPLS link.
2. Use another Edge in the network that is configured as a Hub to break out to the public cloud.

In either topology, the branch site Edge forms an overlay tunnel to the Gateway using the private MPLS link, as long as there is an internet breakout available via either the router/firewall or Hub site respectively.

Requirements:

• On the User Defined WAN Overlay, the Link Type must be configured as Private Link.
• The feature SD-WAN Service Reachable must be enabled in the same User Defined WAN Overlay section.
• Underlay routing must be configured in such a way that the Edge can reach both the Orchestrator and Gateways via MPLS (these routes should be as specific as possible).  

Topologies

 

1. Reaching the SD-WAN Service using an External Router:
In this topology we leverage an external router or firewall that can reach the public network from the MPLS underlay.  We will “fall back” into a private-only mode when all public internet links are down.

This allows the Edge to remain online and manageable from the Orchestrator, as well as allowing public internet connectivity via the Gateway irrespective of whether or not there is public link connectivity.

2. Reaching the SD-WAN Service using another Edge configured as a Hub:
The issue with the first topology was that many customers do not have an external router or firewall to provide the internet breakout point for traffic destined for the VeloCloud Orchestrator or Gateway.

To address this limitation, VMware SD-WAN also includes the ability to route Orchestrator and Gateway traffic from the branch Edge with MPLS-only links through an Edge configured as a Hub which is able to break out to the public cloud.

This enhanced version of SD-WAN Service Reachable provides full protection for all traffic routed via the Gateway or a SaaS like Zscaler and uses only public WAN links to reach the Internet when available, and then seamlessly fails over to MPLS if all public Internet links are unavailable.

Warning: Care must be taken when enabling SD-WAN Reachable. This feature means the Edge is expecting to have reachability to both the Orchestrator and Gateways over that link. If it's enabled on a private WAN link where that is not case this can cause problems in two ways:
   1. If it's a Hub Edge, and Spoke Edges are using that Hub Edge as the internet breakout, their tunnels to the Gateway may not come up because the Hub Edge may forward those flows back out the private link.
   2. The Edge with this misconfiguration may appear offline in the Orchestrator if it tries to use that private link to contact the Orchestrator.

Note: The NAT address of this traffic will remain the same and customers will not notice any difference other than increased latency due to hairpinning through the Hub.

Configuration:

On the Configure > Edge > Device page, scroll down to Device Settings and Edit the Interface connected to the MPLS link.  Configure the WAN Overlay as 'User Defined Overlay' so that the SD-WAN Service Reachable feature is then available:



In the WAN Settings section, Edit the Private link and enable SD-WAN Service Reachable. 



You will then see a table of IPs labeled Public SD-WAN Addresses and this list is every destination IP for either the Orchestrator or the Gateways associated with this Edge.  This IP list must be advertised across your MPLS network but the Branch Edge (where the SD-WAN Service Reachable feature is enabled) is not required to learn this route via MPLS. So filter these routes learning on the Edge via the MPLS network as underlay routes.