
Site-to-site VPNs

A site-to-site VPN lets two or more sites establish an encrypted IPsec tunnel across the public Internet. Here it means a tunnel between your VPC and another network, such as another VPC or an office network.

List site-to-site VPNs

curl -X GET \
   -H "MC-Api-Key: your_api_key" \
   "https://cloudmc_endpoint/api/v2/services/compute-on/test_area/sitetositevpns"

The above command returns a JSON structured like this:

{
  "data": [
    {
        "id": "d49b2922-0581-4587-94df-6fe719327d0f",
        "name": "stargate",
        "state": "Connected",
        "vpcId": "3fe7d82a-f4c4-4552-ac3b-787fdafed4e7",
        "gateway":"19.19.19.19",
        "cidrList":"10.12.0.2/22,10.0.0.0/24",
        "ipSecPsk": "WtOBS9GRux2XtJPtHY2TUvrv",
        "ikeEncryptionAlgorithm": "aes256",
        "ikeHashAlgorithm": "sha1",
        "ikeDhGroup":"modp1536",
        "ikeLifetime":86400,
        "espEncryptionAlgorithm":"aes256",
        "espHashAlgorithm":"sha1",
        "espPerfectForwardSecrecy":"modp1536",
        "espLifetime":3600,
        "dpd": false,
        "forceEncap": false
    }
  ],
  "metadata": {
    "recordCount": 1
  }
}

GET /services/:service_code/:environment_name/sitetositevpns

Retrieve a list of all site-to-site VPNs in an environment.

Attributes
id
UUID
The id of the site-to-site VPN.
name
string
The name of the site-to-site VPN.
state
string
The state of the site-to-site VPN: Connected, Pending, Disconnected or Error. If it is Disconnected, try the reset operation.
vpcId
UUID
The VPC for which the site-to-site VPN was created.
gateway
string
The public address of the remote VPN gateway you want to connect to. NOTE: a gateway that is already used by another site-to-site VPN in your environment cannot be reused.
cidrList
string
Comma-separated list of the remote networks, in CIDR notation.
ipSecPsk
string
The IPsec pre-shared key. It is returned in clear text by the list and retrieve calls, so any API key with read access to the environment can recover it: use a long random key and treat these responses as secrets.
ikeEncryptionAlgorithm
string
The phase-1 (IKE) encryption algorithm. Supported: AES128, AES192, AES256 and 3DES. 3DES is deprecated; prefer AES256.
ikeHashAlgorithm
string
The phase-1 (IKE) integrity hash. Supported: SHA1 and MD5. MD5 is deprecated; use SHA1.
ikeDhGroup
string
The Diffie-Hellman group used in phase-1 to derive a shared secret over the untrusted network. Supported: Group-5 (1536-bit, modp1536 as in the example) and Group-2 (1024-bit). 1024-bit groups are considered too weak today; use Group-5.
ikeLifetime
integer
The lifetime of the phase-1 (IKE) security association, in seconds.
espEncryptionAlgorithm
string
The phase-2 (ESP) encryption algorithm. Supported: AES128, AES192, AES256 and 3DES. 3DES is deprecated; prefer AES256.
espHashAlgorithm
string
The phase-2 (ESP) integrity hash. Supported: SHA1 and MD5. MD5 is deprecated; use SHA1.
espPerfectForwardSecrecy
string
The Diffie-Hellman group used for Perfect Forward Secrecy (PFS) in phase-2: a fresh DH exchange is run for each phase-2 security association, so compromise of the pre-shared key or of one session key does not expose the traffic of other sessions. Supported: Group-5 (1536-bit) and Group-2 (1024-bit).
espLifetime
integer
The lifetime of the phase-2 (ESP) security association, in seconds.
dpd
boolean
Dead Peer Detection: periodically checks that the IKE peer is still reachable, so a dead tunnel is noticed before the security association expires.
forceEncap
boolean
Force UDP encapsulation of ESP (NAT Traversal) even when no NAT is detected between the peers.
Query Parameters
vpc_id
UUID
Filter the list to the site-to-site VPNs of a single VPC.
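The list response above is what an operator actually reviews: which tunnels are down and which were created with the weakest options the API accepts. The following Python is an added example, not part of the CloudMC documentation or client. It triages the "data" array of a list response, flagging 3DES, MD5, anything other than the 1536-bit group, and short pre-shared keys, and separating out Disconnected tunnels for a reset. The first sample record is the documentation's own example; the second is constructed, and its "modp1024" value is an assumed spelling for Group-2, which the documentation only names as "Group-2 (1024-bit)".

```python
"""Triage a site-to-site VPN list response: flag weak IKE/ESP settings and
tunnels that need a reset. Added example, not part of the CloudMC
documentation; SAMPLE_VPNS[1] is constructed."""

STRONGEST_DH = "modp1536"   # Group-5; the only other documented option is 1024-bit Group-2
MIN_PSK_LEN = 20            # policy choice: shorter PSKs invite offline guessing

SAMPLE_VPNS = [
    {   # the record from the documentation's list example
        "id": "d49b2922-0581-4587-94df-6fe719327d0f",
        "name": "stargate",
        "state": "Connected",
        "vpcId": "3fe7d82a-f4c4-4552-ac3b-787fdafed4e7",
        "gateway": "19.19.19.19",
        "cidrList": "10.12.0.2/22,10.0.0.0/24",
        "ipSecPsk": "WtOBS9GRux2XtJPtHY2TUvrv",
        "ikeEncryptionAlgorithm": "aes256",
        "ikeHashAlgorithm": "sha1",
        "ikeDhGroup": "modp1536",
        "ikeLifetime": 86400,
        "espEncryptionAlgorithm": "aes256",
        "espHashAlgorithm": "sha1",
        "espPerfectForwardSecrecy": "modp1536",
        "espLifetime": 3600,
        "dpd": False,
        "forceEncap": False,
    },
    {   # constructed legacy tunnel using the weakest documented options;
        # "modp1024" is an assumed spelling for Group-2 (the docs only say "1024-bit")
        "id": "00000000-0000-4000-8000-000000000002",
        "name": "legacy-office",
        "state": "Disconnected",
        "vpcId": "3fe7d82a-f4c4-4552-ac3b-787fdafed4e7",
        "gateway": "198.51.100.7",
        "cidrList": "192.168.10.0/24",
        "ipSecPsk": "office123",
        "ikeEncryptionAlgorithm": "3des",
        "ikeHashAlgorithm": "md5",
        "ikeDhGroup": "modp1024",
        "ikeLifetime": 86400,
        "espEncryptionAlgorithm": "aes128",
        "espHashAlgorithm": "md5",
        "espPerfectForwardSecrecy": "modp1024",
        "espLifetime": 3600,
        "dpd": False,
        "forceEncap": False,
    },
]


def audit_vpn(vpn):
    """Return a list of findings for one record (empty means nothing flagged)."""
    findings = []
    for field in ("ikeEncryptionAlgorithm", "espEncryptionAlgorithm"):
        if vpn[field].lower() == "3des":
            findings.append(f"{field}=3des: 64-bit block cipher, deprecated; use aes256")
    for field in ("ikeHashAlgorithm", "espHashAlgorithm"):
        if vpn[field].lower() == "md5":
            findings.append(f"{field}=md5: deprecated hash; use sha1")
    for field in ("ikeDhGroup", "espPerfectForwardSecrecy"):
        if vpn[field].lower() != STRONGEST_DH:
            findings.append(f"{field}={vpn[field]}: 1024-bit DH is too small; use Group-5 (modp1536)")
    if len(vpn["ipSecPsk"]) < MIN_PSK_LEN:
        findings.append(f"ipSecPsk: only {len(vpn['ipSecPsk'])} characters; rotate to a long random key")
    return findings


def triage(vpns):
    """Split a list response's "data" array into tunnels to reset and
    tunnels whose settings should be tightened."""
    return {
        "reset": [v["id"] for v in vpns if v["state"] == "Disconnected"],
        "weak": {v["id"]: f for v in vpns if (f := audit_vpn(v))},
    }


if __name__ == "__main__":
    # With a live listing: triage(json.load(resp)["data"])
    for vpn_id, findings in triage(SAMPLE_VPNS)["weak"].items():
        print(vpn_id)
        for line in findings:
            print("  -", line)
```

Feed it the "data" array of the list call (optionally filtered with vpc_id) and act on the two buckets: reset the first, schedule an update for the second. Because the list response carries every tunnel's pre-shared key, keep the raw response out of logs and ticketing systems; the findings strings above deliberately do not include the key.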

Retrieve a site-to-site VPN

curl -X GET \
   -H "MC-Api-Key: your_api_key" \
   "https://cloudmc_endpoint/api/v2/services/compute-on/test_area/sitetositevpns/d49b2922-0581-4587-94df-6fe719327d0f"

The above command returns a JSON structured like this:

{
  "data": {
      "id": "d49b2922-0581-4587-94df-6fe719327d0f",
      "name": "stargate",
      "state": "Connected",
      "vpcId": "3fe7d82a-f4c4-4552-ac3b-787fdafed4e7",
      "gateway":"19.19.19.19",
      "cidrList":"10.12.0.2/22,10.0.0.0/24",
      "ipSecPsk": "WtOBS9GRux2XtJPtHY2TUvrv",
      "ikeEncryptionAlgorithm": "aes256",
      "ikeHashAlgorithm": "sha1",
      "ikeDhGroup":"modp1536",
      "ikeLifetime":86400,
      "espEncryptionAlgorithm":"aes256",
      "espHashAlgorithm":"sha1",
      "espPerfectForwardSecrecy":"modp1536",
      "espLifetime":3600,
      "dpd": false,
      "forceEncap": false
  }
}

GET /services/:service_code/:environment_name/sitetositevpns/:id

Retrieve information about a site-to-site VPN.

Attributes
id
UUID
The id of the site-to-site VPN.
name
string
The name of the site-to-site VPN.
state
string
The state of the site-to-site VPN: Connected, Pending, Disconnected or Error. If it is Disconnected, try the reset operation.
vpcId
UUID
The VPC for which the site-to-site VPN was created.
gateway
string
The public address of the remote VPN gateway you want to connect to. NOTE: a gateway that is already used by another site-to-site VPN in your environment cannot be reused.
cidrList
string
Comma-separated list of the remote networks, in CIDR notation.
ipSecPsk
string
The IPsec pre-shared key. It is returned in clear text by this call, so any API key with read access to the environment can recover it: treat the response as a secret.
ikeEncryptionAlgorithm
string
The phase-1 (IKE) encryption algorithm. Supported: AES128, AES192, AES256 and 3DES. 3DES is deprecated; prefer AES256.
ikeHashAlgorithm
string
The phase-1 (IKE) integrity hash. Supported: SHA1 and MD5. MD5 is deprecated; use SHA1.
ikeDhGroup
string
The Diffie-Hellman group used in phase-1 to derive a shared secret over the untrusted network. Supported: Group-5 (1536-bit, modp1536 as in the example) and Group-2 (1024-bit). 1024-bit groups are considered too weak today; use Group-5.
ikeLifetime
integer
The lifetime of the phase-1 (IKE) security association, in seconds.
espEncryptionAlgorithm
string
The phase-2 (ESP) encryption algorithm. Supported: AES128, AES192, AES256 and 3DES. 3DES is deprecated; prefer AES256.
espHashAlgorithm
string
The phase-2 (ESP) integrity hash. Supported: SHA1 and MD5. MD5 is deprecated; use SHA1.
espPerfectForwardSecrecy
string
The Diffie-Hellman group used for Perfect Forward Secrecy (PFS) in phase-2: a fresh DH exchange is run for each phase-2 security association, so compromise of the pre-shared key or of one session key does not expose the traffic of other sessions. Supported: Group-5 (1536-bit) and Group-2 (1024-bit).
espLifetime
integer
The lifetime of the phase-2 (ESP) security association, in seconds.
dpd
boolean
Dead Peer Detection: periodically checks that the IKE peer is still reachable, so a dead tunnel is noticed before the security association expires.
forceEncap
boolean
Force UDP encapsulation of ESP (NAT Traversal) even when no NAT is detected between the peers.

Create a site-to-site VPN

# Create a new site-to-site VPN. dpd and forceEncap may be omitted (they default to false);
# every other field of the body is required:
curl -X POST \
   -H "Content-Type: application/json" \
   -H "MC-Api-Key: your_api_key" \
   -d "request_body" \
   "https://cloudmc_endpoint/api/v2/services/compute-on/test_area/sitetositevpns"

Request body example:

{
    "name": "stargate",
    "vpcId": "3fe7d82a-f4c4-4552-ac3b-787fdafed4e7",
    "gateway": "19.19.19.19",
    "cidrList": "10.12.0.2/22,10.0.0.0/24",
    "ipSecPsk": "WtOBS9GRux2XtJPtHY2TUvrv",
    "ikeEncryptionAlgorithm": "aes256",
    "ikeHashAlgorithm": "sha1",
    "ikeDhGroup": "modp1536",
    "ikeLifetime": 86400,
    "espEncryptionAlgorithm": "aes256",
    "espHashAlgorithm": "sha1",
    "espPerfectForwardSecrecy": "modp1536",
    "espLifetime": 3600,
    "dpd": false,
    "forceEncap": false
}

POST /services/:service_code/:environment_name/sitetositevpns

Create a site-to-site VPN.

Required
name
string
The name of the site-to-site VPN. Must be unique in the environment.
vpcId
UUID
The VPC for which the site-to-site VPN is created.
gateway
string
The public address of the remote VPN gateway you want to connect to. NOTE: a gateway that is already used by another site-to-site VPN in your environment cannot be reused.
cidrList
string
Comma-separated list of the remote networks, in CIDR notation.
ipSecPsk
string
The IPsec pre-shared key. Generate it randomly and make it long: it is the only authentication secret of the tunnel, and it is returned in clear text by the list and retrieve calls.
ikeEncryptionAlgorithm
string
The phase-1 (IKE) encryption algorithm. Supported: AES128, AES192, AES256 and 3DES. 3DES is deprecated; prefer AES256.
ikeHashAlgorithm
string
The phase-1 (IKE) integrity hash. Supported: SHA1 and MD5. MD5 is deprecated; use SHA1.
ikeDhGroup
string
The Diffie-Hellman group used in phase-1 to derive a shared secret over the untrusted network. Supported: Group-5 (1536-bit, modp1536 as in the example) and Group-2 (1024-bit). 1024-bit groups are considered too weak today; use Group-5.
ikeLifetime
integer
The lifetime of the phase-1 (IKE) security association, in seconds.
espEncryptionAlgorithm
string
The phase-2 (ESP) encryption algorithm. Supported: AES128, AES192, AES256 and 3DES. 3DES is deprecated; prefer AES256.
espHashAlgorithm
string
The phase-2 (ESP) integrity hash. Supported: SHA1 and MD5. MD5 is deprecated; use SHA1.
espPerfectForwardSecrecy
string
The Diffie-Hellman group used for Perfect Forward Secrecy (PFS) in phase-2: a fresh DH exchange is run for each phase-2 security association, so compromise of the pre-shared key or of one session key does not expose the traffic of other sessions. Supported: Group-5 (1536-bit) and Group-2 (1024-bit).
espLifetime
integer
The lifetime of the phase-2 (ESP) security association, in seconds.
Optional
dpd
boolean
Dead Peer Detection: periodically checks that the IKE peer is still reachable, so a dead tunnel is noticed before the security association expires. Defaults to false.
forceEncap
boolean
Force UDP encapsulation of ESP (NAT Traversal) even when no NAT is detected between the peers. Defaults to false.
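The create call takes the whole IKE/ESP policy at once, so the safe choices are best made in code rather than copied from an example. The following Python is an added example, not part of the CloudMC documentation or client: it selects the strongest options the documentation lists, generates a random pre-shared key with the standard library, validates the CIDR list (clearing stray host bits, so "10.12.0.2/22" becomes "10.12.0.0/22"), applies the unique-gateway rule against an existing list response before the API has to reject the request, and posts the body. The check that the gateway is an IP literal is an assumption based on the documented example; the endpoint, key, service code and environment names are the documentation's placeholders.

```python
"""Build and send a create request for a site-to-site VPN.
Added example, not part of the CloudMC documentation: it picks the
strongest options the documentation lists, generates a random pre-shared
key, normalises the CIDR list and enforces the unique-gateway rule."""
import ipaddress
import json
import secrets
import urllib.request

# Strongest of the documented choices: AES-256, SHA-1 (the only alternative
# is MD5) and Group-5 / modp1536 (the only alternative is 1024-bit Group-2).
STRONG_SUITE = {
    "ikeEncryptionAlgorithm": "aes256",
    "ikeHashAlgorithm": "sha1",
    "ikeDhGroup": "modp1536",
    "ikeLifetime": 86400,
    "espEncryptionAlgorithm": "aes256",
    "espHashAlgorithm": "sha1",
    "espPerfectForwardSecrecy": "modp1536",
    "espLifetime": 3600,
}


def normalise_cidr_list(cidr_list):
    """Validate a comma-separated CIDR list and clear stray host bits
    ("10.12.0.2/22" becomes "10.12.0.0/22"). Raises ValueError on bad input."""
    entries = [c.strip() for c in cidr_list.split(",") if c.strip()]
    if not entries:
        raise ValueError("cidrList must contain at least one network")
    return ",".join(str(ipaddress.ip_network(c, strict=False)) for c in entries)


def gateway_in_use(existing_vpns, gateway):
    """The API refuses a gateway already used by another VPN in the environment;
    checking the list response first gives a clearer error than the API's."""
    return any(v.get("gateway") == gateway for v in existing_vpns)


def build_create_body(name, vpc_id, gateway, cidr_list, existing_vpns=(),
                      psk=None, dpd=True, force_encap=False):
    """Return the JSON body for POST .../sitetositevpns.
    dpd defaults to True here (the API default is false) so dead peers are noticed."""
    ipaddress.ip_address(gateway)   # assumption: the gateway is an IP literal, as in the docs' example
    if gateway_in_use(existing_vpns, gateway):
        raise ValueError(f"gateway {gateway} is already used by a site-to-site VPN")
    body = {
        "name": name,
        "vpcId": vpc_id,
        "gateway": gateway,
        "cidrList": normalise_cidr_list(cidr_list),
        # 32 random bytes, URL-safe base64: 43 characters, 256 bits of entropy
        "ipSecPsk": psk if psk is not None else secrets.token_urlsafe(32),
        "dpd": dpd,
        "forceEncap": force_encap,
    }
    body.update(STRONG_SUITE)
    return body


def create_vpn(endpoint, api_key, service_code, environment, body):
    """POST the body and return the parsed JSON response."""
    url = f"https://{endpoint}/api/v2/services/{service_code}/{environment}/sitetositevpns"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "MC-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_create_body("stargate", "3fe7d82a-f4c4-4552-ac3b-787fdafed4e7",
                             "19.19.19.19", "10.12.0.2/22,10.0.0.0/24")
    print(json.dumps(body, indent=2))   # contains the PSK: keep this output out of logs
    # create_vpn("cloudmc_endpoint", "your_api_key", "compute-on", "test_area", body)
```

Pass the "data" array of a prior list call as existing_vpns to get the gateway check. If the remote gateway restricts the characters allowed in a pre-shared key, replace token_urlsafe(32) with secrets.token_hex(32), which gives 64 hexadecimal characters with the same entropy; the key must then be entered on the remote side out of band, since the API will later hand it back in clear text to anyone who can read the environment.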

Update a site-to-site VPN

# Update a site-to-site VPN. All body fields are optional; the vpcId cannot be changed:
curl -X PUT \
   -H "Content-Type: application/json" \
   -H "MC-Api-Key: your_api_key" \
   -d "request_body" \
   "https://cloudmc_endpoint/api/v2/services/compute-on/test_area/sitetositevpns/d49b2922-0581-4587-94df-6fe719327d0f"

Request body example:

{
    "name": "stargate",
    "gateway": "19.19.19.19",
    "cidrList": "10.12.0.2/22,10.0.0.0/24",
    "ipSecPsk": "WtOBS9GRux2XtJPtHY2TUvrv",
    "ikeEncryptionAlgorithm": "aes256",
    "ikeHashAlgorithm": "sha1",
    "ikeDhGroup": "modp1536",
    "ikeLifetime": 86400,
    "espEncryptionAlgorithm": "aes256",
    "espHashAlgorithm": "sha1",
    "espPerfectForwardSecrecy": "modp1536",
    "espLifetime": 3600,
    "dpd": false,
    "forceEncap": false
}

PUT /services/:service_code/:environment_name/sitetositevpns/:id

Update a site-to-site VPN.

Optional
name
string
The name of the site-to-site VPN. Must be unique in the environment.
gateway
string
The public address of the remote VPN gateway you want to connect to. NOTE: a gateway that is already used by another site-to-site VPN in your environment cannot be reused.
cidrList
string
Comma-separated list of the remote networks, in CIDR notation.
ipSecPsk
string
The IPsec pre-shared key. Rotate it here if it has been exposed; remember that the list and retrieve calls return it in clear text.
ikeEncryptionAlgorithm
string
The phase-1 (IKE) encryption algorithm. Supported: AES128, AES192, AES256 and 3DES. 3DES is deprecated; prefer AES256.
ikeHashAlgorithm
string
The phase-1 (IKE) integrity hash. Supported: SHA1 and MD5. MD5 is deprecated; use SHA1.
ikeDhGroup
string
The Diffie-Hellman group used in phase-1 to derive a shared secret over the untrusted network. Supported: Group-5 (1536-bit, modp1536 as in the example) and Group-2 (1024-bit). 1024-bit groups are considered too weak today; use Group-5.
ikeLifetime
integer
The lifetime of the phase-1 (IKE) security association, in seconds.
espEncryptionAlgorithm
string
The phase-2 (ESP) encryption algorithm. Supported: AES128, AES192, AES256 and 3DES. 3DES is deprecated; prefer AES256.
espHashAlgorithm
string
The phase-2 (ESP) integrity hash. Supported: SHA1 and MD5. MD5 is deprecated; use SHA1.
espPerfectForwardSecrecy
string
The Diffie-Hellman group used for Perfect Forward Secrecy (PFS) in phase-2: a fresh DH exchange is run for each phase-2 security association, so compromise of the pre-shared key or of one session key does not expose the traffic of other sessions. Supported: Group-5 (1536-bit) and Group-2 (1024-bit).
espLifetime
integer
The lifetime of the phase-2 (ESP) security association, in seconds.
dpd
boolean
Dead Peer Detection: periodically checks that the IKE peer is still reachable, so a dead tunnel is noticed before the security association expires. Defaults to false.
forceEncap
boolean
Force UDP encapsulation of ESP (NAT Traversal) even when no NAT is detected between the peers. Defaults to false.

Delete a site-to-site VPN

curl -X DELETE \
   -H "MC-Api-Key: your_api_key" \
   "https://cloudmc_endpoint/api/v2/services/compute-on/test_area/sitetositevpns/d49b2922-0581-4587-94df-6fe719327d0f"

DELETE /services/:service_code/:environment_name/sitetositevpns/:id

Delete an existing site-to-site VPN.

Reset the connection of a site-to-site VPN

curl -X POST \
   -H "Content-Type: application/json" \
   -H "MC-Api-Key: your_api_key" \
   "https://cloudmc_endpoint/api/v2/services/compute-on/test_area/sitetositevpns/ca86b14f-20db-463d-b58a-9d3fa5959af2?operation=reset"

POST /services/:service_code/:environment_name/sitetositevpns/:id?operation=reset

Reset a site-to-site VPN, i.e. renegotiate the tunnel with the remote gateway. Use it when the state is Disconnected; the state passes through Pending before settling on Connected or Error.
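A reset is asynchronous: the call returns immediately and the tunnel's state is only visible through the retrieve call. The following Python is an added example, not part of the CloudMC documentation or client. It resets a tunnel only when it is Disconnected and then polls the retrieve endpoint until the state is Connected or Error, with a bounded wait; the polling interval and timeout are assumptions, as is the handling of an empty response body from the reset call, which the documentation does not describe. The state-fetching and reset calls are injected so the logic can be exercised offline.

```python
"""Reset a Disconnected site-to-site VPN and wait for it to settle.
Added example, not part of the CloudMC documentation: the API only
documents the reset call, so the polling policy here is an assumption."""
import json
import time
import urllib.request

SETTLED = ("Connected", "Error")   # terminal states; Pending/Disconnected mean "still trying"


def api_request(method, url, api_key, timeout=30):
    """Minimal CloudMC call: MC-Api-Key header, JSON body if there is one."""
    req = urllib.request.Request(
        url, method=method,
        headers={"MC-Api-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None   # assumption: reset may return an empty body


def reset_and_wait(vpn_id, *, get_state, reset, poll_interval=5, max_wait=120,
                   sleep=time.sleep):
    """Reset the tunnel only when it is Disconnected, then poll until it
    reaches Connected or Error. get_state(vpn_id) returns the state string,
    reset(vpn_id) issues the reset; both are injected so the logic can be
    tested without network access. Returns the last observed state, so a
    result of Pending or Disconnected means the wait timed out."""
    state = get_state(vpn_id)
    if state != "Disconnected":
        return state                      # nothing to do (or an Error to investigate)
    reset(vpn_id)
    waited = 0
    while waited < max_wait:
        state = get_state(vpn_id)
        if state in SETTLED:
            return state
        sleep(poll_interval)              # Disconnected right after the reset is normal
        waited += poll_interval
    return state


def bind_api(endpoint, api_key, service_code, environment):
    """Return (get_state, reset) callables bound to the real endpoints."""
    base = f"https://{endpoint}/api/v2/services/{service_code}/{environment}/sitetositevpns"

    def get_state(vpn_id):
        return api_request("GET", f"{base}/{vpn_id}", api_key)["data"]["state"]

    def reset(vpn_id):
        api_request("POST", f"{base}/{vpn_id}?operation=reset", api_key)

    return get_state, reset


if __name__ == "__main__":
    get_state, reset = bind_api("cloudmc_endpoint", "your_api_key", "compute-on", "test_area")
    print(reset_and_wait("ca86b14f-20db-463d-b58a-9d3fa5959af2",
                         get_state=get_state, reset=reset))
```

A tunnel that comes back as Error, or is still Pending or Disconnected when the wait expires, is not fixed by repeating the reset: compare the IKE and ESP parameters with the remote gateway's configuration and check that gateway's logs, since a phase-1 proposal mismatch or a wrong pre-shared key produces exactly this behaviour.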