A colleague's customer recently had a requirement to host both DMZ and Production workloads in VMware Cloud on AWS while ensuring that traffic between them is segregated in transit. If the customer were to deploy the DMZ and Production networks attached to the default Compute Gateway (CGW) Tier-1, then traffic between those networks would be routed by that Tier-1 and thus violate the required segregation, as shown below:
You can also create the required network segments that need to be attached to the DMZ NAT'ed Tier-1 but this is not required to establish the VPN so I won't be covering that.
Provide a suitable name, link it to the recently created VPN Service, and enter the public IP address that was allocated by AWS:
We now need to allow the traffic in via the internet interface so the VPN can be established from outside the SDDC. Navigate to Security -> Gateway Firewall -> Compute Gateway and click Add Rule:
Once you click Save you should be able to ping the public IP address, provided you allowed ICMP. For this example, I just allowed all traffic:
Now we should be able to create a new VPN session via Networking -> VPN -> Tier-1 -> IPSec Sessions, and configure the matching session on the remote side to establish the IPsec tunnel:
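As an added example (not code from the original post), the Python below models the Compute Gateway firewall rule from the earlier step in the shape of an NSX Policy API Rule object: it builds a rule that admits only the known remote peer and only the IPsec services needed to bring the tunnel up, and it flags an internet-facing allow-all rule like the one used in this walkthrough. The field names, the `cgw-public` label, the service paths and both IP addresses are assumptions or constructed sample values, not taken from a real SDDC.

```python
"""Build and audit the CGW gateway-firewall rule that admits IPsec to a Tier-1 VPN."""
import ipaddress

# Constructed sample values (documentation ranges, not real endpoints).
LOCAL_PUBLIC_IP = "203.0.113.10"   # public IP AWS allocated to the NAT'ed Tier-1
REMOTE_PEER_IP = "198.51.100.25"   # remote IPsec endpoint

# Assumed NSX Policy paths: CGW internet-interface label and the three IPsec flows
# (IKE UDP/500, NAT-T UDP/4500, ESP IP protocol 50). Check your SDDC for the real ids.
INTERNET_SCOPE = "/infra/labels/cgw-public"
IPSEC_SERVICES = ["/infra/services/IKE", "/infra/services/IKE_NAT_T", "/infra/services/ESP"]

_INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _check_public_v4(ip: str) -> None:
    """Reject malformed, RFC 1918, loopback or multicast addresses before they reach a rule."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    if any(addr in net for net in _INTERNAL) or addr.is_loopback or addr.is_multicast:
        raise ValueError(f"{ip} is not a usable public address")


def ipsec_rule(local_ip: str, peer_ip: str, rule_id: str = "allow-ipsec-peer") -> dict:
    """Least-privilege rule: known peer -> VPN public IP, IPsec services only, internet interface."""
    _check_public_v4(local_ip)
    _check_public_v4(peer_ip)
    return {
        "id": rule_id,
        "display_name": rule_id,
        "source_groups": [f"{peer_ip}/32"],
        "destination_groups": [f"{local_ip}/32"],
        "services": IPSEC_SERVICES,
        "scope": [INTERNET_SCOPE],
        "action": "ALLOW",
    }


def is_overly_broad(rule: dict) -> bool:
    """True for an ALLOW rule on the internet interface that matches any source or any service."""
    if rule.get("action") != "ALLOW" or INTERNET_SCOPE not in rule.get("scope", []):
        return False
    return rule.get("source_groups", ["ANY"]) == ["ANY"] or rule.get("services", ["ANY"]) == ["ANY"]


def audit(rules: list) -> list:
    """Return the ids of internet-facing ALLOW rules that should be tightened."""
    return [r["id"] for r in rules if is_overly_broad(r)]


# Constructed representation of the "allow all traffic" rule used in the walkthrough.
ALLOW_ALL_RULE = {"id": "allow-all-internet", "source_groups": ["ANY"], "destination_groups": ["ANY"],
                  "services": ["ANY"], "scope": [INTERNET_SCOPE], "action": "ALLOW"}

if __name__ == "__main__":
    print(audit([ALLOW_ALL_RULE, ipsec_rule(LOCAL_PUBLIC_IP, REMOTE_PEER_IP)]))  # ['allow-all-internet']
```

Once the tunnel is up, the allow-all rule can be replaced by the generated one so the internet interface only accepts IKE, NAT-T and ESP from the configured peer.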