Connectivity required between On-Premises Datacenter, VMware Cloud on AWS SDDC, Internet, and Amazon VPC.

• VPNs used by the SDDC.
• Configuring the gateways and networks that will be used during SDDC deployment.
• Setting up firewall rules.
• Other aspects for managing and maintaining the VMware Cloud on AWS connectivity.

There are two type of networks in Cloud SDDC defined for control and security purpose.

These parts carry different components of a Cloud SDDC environment, as listed below. Management Gateway (MGW) provides connectivity to vCenter and NSX devices, whereas Compute gateway (CGW) provides connectivity to actual workload which is in form of Virtual Machines.

 Management Gateway (MGW) utilizes NSX Edge Security gateway to provide the connectivity to management Components, and Compute Gateway (CGW) utilizes NSX Edge and DLR to provide the connectivity to Compute Components.

Network Framework of VMware Cloud on AWS

While preparing for VMware Cloud on AWS, we need to understand the network framework of Vmware Cloud on AWS SDDC environment, and need to understand how it provides connectivity between your On-Premises datacenter, your VPC, and Internet. below are the components which must be communicate with each other in order to work provide functionality.

Management VPN

You need to create a management VPN and determine the range of IP address that will be used by this management components. This address range will be in form of CIDR block. Once Cloud SDDC is provisioned, you need build an IPSec VPN which will be between your on-premises datacenter and management components. This VPN travels over the internet or over AWS direct connect. Once connected, you can create firewall rules in the VMware Cloud on AWS console to control access to the vCenter Server for your on-premises datacenter.

Public Access to Management

The next connection is optional, it is only needed if you need your vCenter access over the internet. A public IP for your management components will automatically be provided during the provisioning process. However, all access to this IP is restricted. To provide internet connection, you need to create firewall rules in VMware Cloud on AWS console to allow the direct type of internet access.

Compute VPN

Second VPN you need to create is Compute VPN between Compute Components and On-Premises Datacenter. To do this, we will need to create several logical networks that will provide the IP address to the Virtual machines that you migrated or build in VMware Cloud on AWS. This VPN allow VMware Cloud on AWS workloads to communicate with On Premises workloads. Vmware Cloud on AWS allows customers to leverage IPSec Layer 3 VPNs as well as Layer 2 VPNs. It enables you to stretch on-premises data link layer (Layer 2) to the Cloud SDDC environment. L2VPN uses for live migration. It works over the internet or over the AWS direct connect. To secure the environment, we create firewall as needed.

Elastic Network Interface

Next connection is between Cloud SDDC Virtual machines (Compute Components) to Amazon VPC in form of Elastic Network Interface. It automatically created during SDDC provisioning process. Once you select AWS VPN associated through your Cloud SDDC, elastic interfaces will be created, which will allow traffic to flow between the Cloud SDDC Compute environment. To control the security, you create IAM policies on AWS site, and firewall rules on VMware Cloud on AWS.

Public Access to Compute

Finally, you want to get access to some of your Compute workloads of Cloud SDDC. You need internet access to access over public. You need to leverage AWS elastic IPs along with NAT and firewall rules to allow the public access to the workloads. This can be done from Networking interface of Vmware Cloud on AWS Console

Network Recommendations before you start Onboarding to VMC on AWS

There are certain discussion points which need to make while planning to deploy your Cloud SDDC, as listed below.

CIDR Block for Management

First information we required is CIDR Block for Management components. It provides IPs to the SDDC domain which are managed by VMware, like ESXi Host and vCenter Server. Maximum number of hosts in SDDC depends on the network mask.

• Recommend a /20 subnet
• Private IP address space, not a public IP
• Not publicly routable
• Does not overlap with AWS VPC Subnet
• Does not overlap with on-premises subnet

AWS VPC Subnet

Dedicated subnet in Amazon AWS VPC to connect VMware cloud on AWS. This information will again be used during deployment process and will be used unique elastic interfaces connectivity.

• Dedicates subnet
• Does not overlap with workload logical network
• Does not overlap with MGMT CIDR block
• Doesn’t overlap with AWS VPC Subnet
• Doesn’t overlap with MGMT CIDR block

Logical Networks

• Doesn’t overlap with AWS VPC Subnet
• Doesn’t overlap with MGMT CIDR block
• IPSec VPN can leverage any private IP space
• L2 VPN can stretch any on-premises IP network

Public IPs

• Determine workloads requiring internet access
• Configure NAT and firewall rules as needed

IPSec VPN Discussion (VPN-1)

• For Management Components

IPSec or L2 VPN Discussion (VPN-2)

• Handle network traffic for virtual machines

Check List from Network Point of View

Management Consideration

• Management Gateway Overview
• Review IPSec VPN Requirement
• Internet vs Amazon Direct Connect
• Management CIDR Block
• DNS
• MGW Firewall Settings

Compute Consideration

• Compute Gateway Overview
• IPSec vs Layer 2 VPN
• Internet vs Amazon Direct Connect
• AWS VPC Subnet
• Logical Networks for Workloads
• DNS
• Public IPs and NAT Settings for Workloads
• CGW Firewall Settings