The private network within the IBM Cloud is always assigned an address from a 10.X subnet. As a result, accessing the IBM Cloud network from addresses outside the 10.X range may prove to be a challenge since the network will drop packets from an unrecognized address. For example, if you created an IPsec VPN from your on-prem environment that is assigned a 192.X address, you will not be able to reach vCenter or any other VLAN-backed 10.X address resident on the IBM Cloud private network. The same is true for VXLAN-backed virtual machines assigned addresses outside of the IBM Cloud address space. This is why we must use NAT.