[ATP/FLEX] How to Set up VPN area and VPN topology on Nebula site-to-site VPN

Zyxel_James

First of all, you need to have a Nebula Professional Pack to implement this feature. Nebula VPN Orchestrator provides software-defined design to build scalable VPN topology within an organization. We can create multiple VPN areas within an organization and each area has its own sites and VPN topology. The users need Nebula Pro Pack to implement this feature.

There are two topologies we can use: Fully-Meshed and Hub-and-Spoke. Fully Meshed: Each site has a site-to-site VPN tunnel to each site in a VPN area, sites are able to directly communicate with the other sites. Hub-and-spoke: Every spoke sites have a site-to-site VPN tunnel to the hub site. Traffic between spoke sites must go through the hub site. If the hub site fails, the VPN area fails, you may assign more than one site as a hub site to avoid this happens.

VPN topology Configure Steps

Go to Organization-wide manage > VPN orchestrator > Smart VPN, once the Nebula site-to-site VPN is enabled, the site will appear on the menu in the VPN area "Default". The default VPN topology of the Default Area is site-to-site which means the VPN connections are fully-meshed.

Select Hub-and-Spoke as the VPN topology, and select at least one site as the Hub site. Tick the site (North) and click the Hub button, and Save.

And you will see the site (North) becomes the Hub site.

VPN Area Configure Steps

Go to Organization-wide manage > VPN orchestrator > Smart VPN, click + Create VPN area, and input a VPN area name VPNarea2.

Go to Configure > Firewall > Site-to-Site VPN, and select VPNarea2 as VPN area.

As I select VPNarea2 as the area for North and South. We can see the Default VPN area is only left west and east. North and South are changed to VPNarea2

By default, every VPN area cannot communicate with other VPN areas. To communicate between areas. To achieve Area Communication, please enable Area Communication for the gateway. In site-to-site topology, we have to assign an Area Leader which will be the hub of communication with other VPN areas. In Hub-and-spoke topology, the hub site will be Area Leader automatically if any site in the area enables Area Communication.