VMware Cloud on AWS enables you to have a hybrid cloud platform by running your VMware workloads in the cloud while having seamless connectivity to your on-premises and AWS native services.

The integration that VMware and AWS have created allows these services to communicate, for free, across a private network address space. This covers services such as EC2 instances, which connect into subnets within a native AWS VPC, and platform services that can connect to a VPC Endpoint, such as S3 Storage.

In this post, I’ll explain the VMware Cloud on AWS SDDC basic networking and how it connects to your Amazon VPC.

When you deploy an SDDC on VMware Cloud on AWS, it is created within an AWS account and VPC dedicated to your organization and managed by VMware. You must also connect the SDDC to an AWS account belonging to you, referred to as the customer AWS account. This connection allows your VMC SDDC to access AWS services belonging to your AWS VPC account.


During the on-boarding process, you can choose the VPC and the subnets you want to connect to your SDDC cluster.

P.S.: The exclamation mark in the following diagram indicates that connectivity between the SDDC and the VPC will not incur any data egress costs if the ENI created for this service and the SDDC are in the same Availability Zone. If they are in different AZs, you will incur the standard data transfer charge.

Enter an IP address range for the management subnet as a CIDR block (or leave the text box blank to use the default, which is Using this information), VMware will create a new VPC within the VMware-owned AWS account for this SDDC. This VPC will be created using the SDDC management IP address range provided here and several subnets will be created within this VPC. We use the subnet for example to deploy our VMC SDDC.


After your SDDC is created, you can view the SDDC information from the VMC Console. A green line shows that this VMC SDDC has been successfully connected to your AWS VPC network.


Click Networking & Security > Segments to check the available workload network segments. Because we deployed a single-host SDDC, there is a default logical segment named “sddc-cgw-network-1”, as shown in the screen capture below. (If this default segment causes a conflict, delete it and create a new segment.)

You can view detailed information from the VMware Cloud on AWS console, i.e. the connected AWS Account ID, VPC ID, VPC Subnet and Active Network Interface, which helps you look up the related network mapping in the AWS VPC console.


Now log in to your AWS console and search for your connected VPC ID to get the “Route table” ID. Click on that ID to retrieve all the network routing information for this VPC.


Because we are deploying a single-host SDDC, the IP address range is reserved for the default compute gateway logical network of the SDDC.

By default, there are three subnets which are in “Active” status. The default route table has automatically updated routes to all your logical networks, and this paves the way for services running in the VPC to communicate with the logical networks.

VMware also makes it easy to update customer route tables based on the logical networks that are created. Let’s create one logical network segment in VMC to see if the route will be added automatically. Logical Networks provide network access to workload VMs. VMware Cloud on AWS supports two types of logical network segments, routed and extended. Routed networks are the default type. Routed networks have connectivity to other logical networks in the same SDDC and to external network services such as compute gateway firewall and NAT. Extended networks require layer 2 Virtual Private Network (L2VPN) which provides a secure communication tunnel between an on-premises network and one in your cloud SDDC.

We created one segment with as the gateway IP/length.


You can see that VMware automatically added one entry right away in the AWS VPC Route Tables. This AWS VPC can then route network traffic to your VMC SDDC via the “Active Network Interface” target (eni-xxxxxxxxxx).


In the VMC SDDC vCenter Server GUI, we can see that the connection goes through a 25GB high-speed, low-latency network interface.


Of all the attached ENIs, only one is in use. The NSX Edge router (also called the T0 router) lives on a single ESXi host, and this determines which ENI is in the active state. This ENI provides connectivity between the SDDC cluster and the customer VPC. In the event of a host failure, VMware vMotions the Compute Gateway to a new host and the customer route table is updated to point to the new active ENI. Customers can see these ENIs in their account with the description set to ‘VMware VMC Interface’.
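As an added example (not part of the original post), the following Python audit checks the behaviour described above: every SDDC route in the customer route table should target one active ENI whose description is ‘VMware VMC Interface’. The input is constructed sample data shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces`; all IDs, CIDRs and AZ names are made up.

```python
VMC_ENI_DESCRIPTION = "VMware VMC Interface"  # description quoted in the post

# Constructed sample data shaped like `aws ec2 describe-route-tables` and
# `aws ec2 describe-network-interfaces` output; every ID and CIDR is made up.
ROUTE_TABLES = {"RouteTables": [{"RouteTableId": "rtb-0example", "Routes": [
    {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "192.168.1.0/24", "NetworkInterfaceId": "eni-0aaa", "State": "active"},
    {"DestinationCidrBlock": "192.168.2.0/24", "NetworkInterfaceId": "eni-0aaa", "State": "active"},
    {"DestinationCidrBlock": "192.168.3.0/24", "NetworkInterfaceId": "eni-0bbb", "State": "blackhole"},
    {"DestinationCidrBlock": "10.9.0.0/16", "NetworkInterfaceId": "eni-0zzz", "State": "active"},
]}]}
ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0aaa", "Description": VMC_ENI_DESCRIPTION, "AvailabilityZone": "us-west-2a"},
    {"NetworkInterfaceId": "eni-0bbb", "Description": VMC_ENI_DESCRIPTION, "AvailabilityZone": "us-west-2a"},
    {"NetworkInterfaceId": "eni-0zzz", "Description": "appliance", "AvailabilityZone": "us-west-2b"},
]}

def audit_sddc_routes(route_tables, enis):
    """Map SDDC CIDRs to their target ENI and list routes that need review."""
    vmc = {e["NetworkInterfaceId"]: e for e in enis["NetworkInterfaces"]
           if e.get("Description") == VMC_ENI_DESCRIPTION}
    sddc_routes, findings = {}, []
    for table in route_tables["RouteTables"]:
        for route in table["Routes"]:
            eni = route.get("NetworkInterfaceId")
            if eni is None:
                continue  # local and gateway routes are out of scope
            cidr = route.get("DestinationCidrBlock")
            if eni not in vmc:
                findings.append(f"{cidr}: target {eni} is not a VMC interface (review)")
            elif route.get("State") != "active":
                findings.append(f"{cidr}: route via {eni} is {route.get('State')}")
            else:
                sddc_routes[cidr] = eni
    active = sorted(set(sddc_routes.values()))
    if len(active) > 1:  # the post states only one attached ENI is in use
        findings.append("SDDC routes are split across more than one ENI")
    azs = sorted({vmc[e]["AvailabilityZone"] for e in active})  # AZ drives transfer cost
    return {"routes": sddc_routes, "active_enis": active, "azs": azs, "findings": findings}

if __name__ == "__main__":
    print(audit_sddc_routes(ROUTE_TABLES, ENIS))
```

Comparing the returned `azs` value with the Availability Zone of the workloads that talk to the SDDC shows whether traffic stays in one AZ or crosses AZs and incurs the data transfer charge mentioned earlier.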


This concludes our explanation of how network connectivity works between the VMC SDDC and the customer’s AWS VPC. I hope this helps. See you in the next blog, thanks!


  • You may find detailed information regarding connectivity options for VMware Cloud on AWS here.