Cloud Global

 View Only
Expand all | Collapse all

Steps to migrate an IaaS Classic IPsec VPN customer to VPN for VPC with minimal downtime

  • 1.  Steps to migrate an IaaS Classic IPsec VPN customer to VPN for VPC with minimal downtime

    Posted 2 days ago

    This blog captures the steps to migrate a customer from the classic IPsec VPN to VPN for VPC + TGW solution. To better understand the challenges customers face while choosing between the migration options available to them and motivations to move them to VPN for VPC, I recommend reading the full blog

    We announced the deprecation of IBM classic IPsec VPN offering back in November. The service is scheduled for End of Service in June, 2025 and the customers using this service have option to migrate to 

    1)    VPN for VPC or

    2)    Gateway Appliances

    When a customer reaches out with a migration request, here's the multi-phased approach to take to migrate them from IPsec VPN to VPN for VPC:

    Phase 1

    • Customer configures an appliance (say Juniper vSRX) to begin with.
    • After testing the appliance works fine, customer can proceed with deleting their IPsec instances

    At this stage, customer has migrated from IPsec VPN and has their services running without any downtime required for the migration from IPsec VPN to Gateway Appliance.

    Phase 2

    • Now, Customer reaches out to support for non VRF to VRF conversion and fixes the date/time for this exercise.
    • Support performs the conversion
    • Once conversion is done, customers will restart services while still leveraging appliance to connect the op-prem to IBM cloud.

    At the end of Phase 2, customer has their deployment still using Gateway appliance however now, they have their account migrated to VRF which enables them to start experimenting with VPN for VPC service.

    Phase 3

    • Customer configures the VPN for VPC + Transit Gateway based solution to connect on-prem to IBM cloud and tests the deployment.
    • When successful connection is established, customer can just route their traffic to VPN for VPC.
    • Delete the Gateway appliance.

          Refer the below high level reference architecture diagram for a VPN for VPC + Transit Gateway solution.

    VPN for VPC with Transit Gateway

    With this multi-phased approach leveraging an appliance during the migration, downtime is limited only to the period where customer's account will be converted from non VRF to VRF.

    #iaas #vpn #vpnforvpc #migration #ipse


    ------------------------------
    Mukesh Kumar
    Senior Product Manager
    IBM
    Bengaluru, Karnataka
    ------------------------------