
Effective 10 September 2024, API Documentation can be found on our Equinix Product Documentation site.
The content on this page will not be updated after 1 Oct 2024 and will be inaccessible after 31st Dec 2024.


Establish VPN Connectivity

A VPN configuration uses an IPSec tunnel and an associated BGP to allow a remote site to receive traffic originating from clouds connected to the data interfaces of your virtual device. You can enable VPN only for Equinix-Configured devices.

 

Refer to Network Edge VPN tunnels and sites for more information.

To create a VPN you must have:

  1) A provisioned virtual device with a registered license and access control lists (ACLs). Call Get Virtual Devices to check the status of your devices and find the virtualDeviceUuid.
  2) If you have a redundant device, you must also provide secondary VPN details.

If you have the above, then you can skip ahead to Step 3 and create a VPN. Otherwise, follow the steps.

Step 1: Authenticate

Submit your user credentials, Client ID, and Client Secret for OAuth2 authentication.

 

See Generating Client id and Client Secret under the Getting Access Token section for instructions to create a client ID and client secret. See Requesting Access and Refresh tokens for instructions to call the OAuth API to validate and authenticate your credentials.

 

If you are unaware of your user credentials, contact your local Equinix Service Desk.

Step 2: Create/Get Virtual Devices

a) To create a virtual device, please follow these steps.
b) To check the status of your virtual device, call Get Virtual Device {uuid} API or Get Virtual Devices API.

 

You may skip the above step if you have a provisioned device with a registered license.

Step 3: Create VPN

 POST /ne/v1/vpn
Method: POST
URL or End Point: /ne/v1/vpn
Headers: Authorization, Content-Type
Query Parameters: Not applicable
Body Parameters: siteName, virtualDeviceUuid, configName, peerIp, peerSharedKey, remoteAsn, remoteIpAddress, password, localAsn, tunnelIp, useNetworkServiceConnection, secondary {configName, peerIp, peerSharedKey, remoteAsn, remoteIpAddress, password, localAsn, tunnelIp}

To obtain an authorization token, refer to Requesting Access and Refresh tokens under the Getting Access Token section.

Sample curl request to create VPN configuration for a single device.

curl -X POST "https://api.equinix.com/ne/v1/vpn" \
  -H "Authorization: Bearer 4P8uH5ZWsgH4qlovBrFZG4Hzpp2V" \
  -H "Content-Type: application/json" \
  -d '{
  "siteName": "Chicago",
  "virtualDeviceUuid": "8c2845e5-be83-4561-ba2b-a53a7e4cf5ec",
  "configName": "Traffic from AWS cloud",
  "peerIp": "110.11.12.222",
  "peerSharedKey": "5bb2424e888bd",
  "remoteAsn": 65413,
  "remoteIpAddress": "100.210.1.31",
  "password": "pass123SROY",
  "localAsn": 65414,
  "tunnelIp": "192.168.7.2/30",
  "useNetworkServiceConnection": false
}'

Sample curl request to create VPN configuration for a redundant device.

curl -X POST "https://api.equinix.com/ne/v1/vpn" \
  -H "Authorization: Bearer 4P8uH5ZWsgH4qlovBrFZG4Hzpp2V" \
  -H "Content-Type: application/json" \
  -d '{
  "siteName": "Chicago",
  "virtualDeviceUuid": "8c2845e5-be83-4561-ba2b-a53a7e4cf5ec",
  "configName": "Traffic from AWS cloud",
  "peerIp": "110.11.12.222",
  "peerSharedKey": "5bb2424e888bd",
  "remoteAsn": 65413,
  "remoteIpAddress": "100.210.1.31",
  "password": "pass123SROY",
  "localAsn": 65414,
  "tunnelIp": "192.168.7.2/30",
  "useNetworkServiceConnection": false,
  "secondary": {
    "configName": "Traffic from AWS cloud-SROY",
    "peerIp": "110.11.12.222",
    "peerSharedKey": "5bb2424e888bd",
    "remoteAsn": 65413,
    "remoteIpAddress": "100.210.1.31",
    "password": "pass123SROY",
    "localAsn": 65414,
    "tunnelIp": "192.168.7.2/30"
  }
}'

Description of request body parameters:

| Body Parameter Name | Mandatory | Type | Example | Applicable Values | Description |
|---|---|---|---|---|---|
| siteName | Yes | string | Chicago | | Your remote siteName. This must be unique and between 2 and 10 alphanumeric characters long with no spaces. |
| virtualDeviceUuid | Yes | string | f79eead8-b837-41d3-9095-9b15c2c4996d | | Unique Id of the virtual device. This must be 36 characters long. |
| configName | Yes | string | Traffic from AWS cloud | | Description of the VPN. This must be between 3 and 50 characters. In case you have a redundant device, you must provide a secondary config name. |
| peerIp | Yes | string | 100.210.1.221 | | IP Address of the remote site to which you are connecting (this is on the customer side). You must provide a unique peer IP address for every VPN between a virtual device and the remote site. |
| peerSharedKey | Yes | string | 10013 | | Pre-shared key for VPN. |
| remoteAsn | Yes | string | 10023 | | Remote ASN (autonomous system number). Remote ASN and local ASN cannot be the same. You cannot use the following reserved ASN numbers: 0, 23456, 64496-64511, 65535, 65552-131071, 4294967295. |
| remoteIpAddress | Yes | string | 100.210.1.31 | | Remote IP address to establish BGP peering (this is on the customer side). |
| password | No | string | pass123SROY | | Password for BGP peering. This must not start with a number, must be between 4 and 25 characters long, and contain only alphanumeric characters. |
| localAsn | Yes | integer | 65414 | | Local ASN (autonomous system number) of Equinix site. Remote and local ASN cannot be the same. You cannot use the following reserved ASN numbers: 0, 23456, 64496-64511, 65535, 65552-131071, 4294967295. |
| tunnelIp | Yes | string | 192.168.7.2/30 | | Local tunnel IP in CIDR format. |
| useNetworkServiceConnection | Yes | boolean | false | | Whether this VPN should use the existing network service connection. You should set this value to True only if you have an existing network service connection on your device. |
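
A pre-flight check of the request body against the constraints in the table above, so that a malformed body is caught locally rather than by sending the pre-shared key and BGP password in a request that will be rejected. This is an added example, not Equinix code; the function name validate_vpn_body and its error strings are assumptions, and it covers the top-level fields only, not the secondary block.

```python
import ipaddress
import re

# Reserved ASNs from the parameter table (inclusive ranges).
RESERVED_ASNS = [(0, 0), (23456, 23456), (64496, 64511), (65535, 65535),
                 (65552, 131071), (4294967295, 4294967295)]
MANDATORY = ("siteName", "virtualDeviceUuid", "configName", "peerIp",
             "peerSharedKey", "remoteAsn", "remoteIpAddress", "localAsn",
             "tunnelIp", "useNetworkServiceConnection")


def validate_vpn_body(body):
    """Return a list of rule violations; an empty list means the body passes."""
    missing = [k for k in MANDATORY if k not in body]
    if missing:
        return ["missing mandatory field: " + k for k in missing]
    errors = []
    if not re.fullmatch(r"[A-Za-z0-9]{2,10}", body["siteName"]):
        errors.append("siteName: 2-10 alphanumeric characters, no spaces")
    if len(body["virtualDeviceUuid"]) != 36:
        errors.append("virtualDeviceUuid: must be 36 characters long")
    if not 3 <= len(body["configName"]) <= 50:
        errors.append("configName: must be 3-50 characters long")
    for field in ("peerIp", "remoteIpAddress"):
        try:
            ipaddress.ip_address(body[field])
        except ValueError:
            errors.append(field + ": not a valid IP address")
    try:
        # ip_interface accepts host bits set, as in 192.168.7.2/30.
        if "/" not in body["tunnelIp"]:
            raise ValueError("no prefix length")
        ipaddress.ip_interface(body["tunnelIp"])
    except ValueError:
        errors.append("tunnelIp: must be in CIDR format")
    pw = body.get("password")  # optional field
    if pw is not None and not re.fullmatch(r"[A-Za-z][A-Za-z0-9]{3,24}", pw):
        errors.append("password: 4-25 alphanumeric, must not start with a number")
    try:  # remoteAsn is documented as string, localAsn as integer: accept both
        asns = {f: int(body[f]) for f in ("remoteAsn", "localAsn")}
    except (TypeError, ValueError):
        return errors + ["remoteAsn/localAsn: must be numeric"]
    for field, asn in asns.items():
        if any(lo <= asn <= hi for lo, hi in RESERVED_ASNS):
            errors.append(field + ": reserved ASN")
    if asns["remoteAsn"] == asns["localAsn"]:
        errors.append("remoteAsn and localAsn cannot be the same")
    return errors
```

Calling validate_vpn_body with the single-device sample body from this page returns an empty list.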

Sample VPN configuration response for a single device.

{
"vpnUuid": "eb26b601-02cc-4473-b1ee-3e2d4d847315"
}

Sample VPN configuration response for a redundant device.

{
"secondaryVpnUuid": "991b775a-16ec-4f2e-b861-8ab93a39902a",
"vpnUuid": "eb26b601-02cc-4473-b1ee-3e2d4d847315"
}

Description of the response payload:

| Field | Type | Example Values | Description |
|---|---|---|---|
| vpnUuid | string | 991b775a-16ec-4f2e-b861-8ab93a39902a | Unique Id of the VPN on the primary device. |
| secondaryVpnUuid | string | eb26b601-02cc-4473-b1ee-3e2d4d847315 | Unique Id of the VPN on the secondary device. |

After you create a VPN configuration, you can check the status of your VPN by calling Get VPN.

| Possible VPN status | Description |
|---|---|
| PROVISIONING | VPN is provisioning. |
| PROVISIONED | VPN is provisioned. |
| FAILED | VPN provisioning failed. |
| DEPROVISIONING | VPN is de-provisioning. |
| DEPROVISIONED | VPN is de-provisioned. |

VPN tunnel status is either UP or DOWN.

 

If you get an “Access Denied” error, contact your local Equinix Service Desk.