This post lists some of the available options for connecting VMware Cloud on Amazon Web Services (AWS) with native AWS services for hybrid cloud deployments.
The most common way of consuming AWS services with VMware Cloud on AWS is to use the built in Elastic Network Interface (ENI) functionality. Each VMware Cloud Software Defined Data Center (SDDC) can be connected to another AWS Virtual Private Cloud (VPC) during the deployment phase. A VPC is Amazon’s logical separation of virtual networks. At scale, you may choose to have many VPCs and many accounts for different applications and environments. Multiple VPCs can be connected together using an AWS Transit Gateway (TGW). A further option we will look at is VPC Endpoints, enabling you to privately connect to supported AWS services and endpoints.
1. Connected VPC
The AWS bare metal hosts deployed for VMware Cloud on AWS use a redundant 25 Gbps physical interface or Elastic Network Adaptor (ENA). The physical interface uses a trunk port to carry multiple VLANs for services like management, vMotion, NSX, and connectivity to the AWS backbone network.
The cross-linked VPC architecture is provided by a series of ENIs. Each host in the vSphere cluster uses the network adaptor outlined above to provide an individual cross-VPC ENI per physical host; supporting high-bandwidth, low latency connectivity to native AWS services.
VMware Cloud on AWS uses the AWS VPC as an underlay for NSX-T. The NSX Edge (Tier 0) router is a virtual router acting as the uplink to the connected VPC. The active ENI in use is the physical ESXi host where the virtual router is running. The connected VPC is owned and managed by the customer, any native services deployed are billed separately by AWS. When deploying the SDDC the connected account and VPC is required along with a private subnet in each applicable Availability Zone (AZ). A static route is created for the defined subnets adding the connected VPC router as the next hop.
Traffic that traverses the ENI is not chargeable, however cross-AZ charges do need to be taken into consideration if a Stretched Cluster is in use. During provisioning of the SDDC, and connection of the customer managed AWS account, a CloudFormation template is deployed creating the necessary AWS Identity Access Management (IAM) roles and ENI configuration.
Post-SDDC deployment you can view the connected account, VPC, ENI, and subnet details in the Connected VPC menu under the Networking & Security tab of the SDDC, from the VMware Cloud Services Portal.
Access to and from native AWS services can be controlled, and needs to be opened, using the NSX firewalls (gateway and distributed) and AWS Security Groups. To see an example configuration see the Connecting VMware Cloud on AWS to Amazon EC2 post, or the Access an EC2 Instance section of the VMware Cloud on AWS Docs page.
2. VPC Endpoints
VPC Endpoints allow private connectivity between your VPC and supported AWS services or custom applications. Network traffic traversing a VPC endpoint does not leave the AWS backbone network, and therefore does not require Internet Gateway, Direct Connect, or VPN.
The Access an S3 Bucket Using an S3 Endpoint section of the VMware Cloud on AWS Docs page details the process for configuring a Gateway VPC Endpoint to access AWS Simple Storage Services (S3) from VMware Cloud on AWS, without having to go out to the Internet. Furthermore, you can use Interface VPC Endpoints to connect to supported AWS services in another VPC, or VPC Endpoint Services (AWS PrivateLink) to connect to custom applications in another VPC. Here are some examples:
The general process for creating an endpoint is the same across these VPC Endpoint types. In the example below we are connecting to a VPC Endpoint Service for Splunk, fronted by a Network Load Balancer (NLB) in another VPC. The administrator of the VPC Endpoint Service needs to grant IAM service consumer permissions and accept the incoming connection, as detailed in the AWS documentation here.
In the AWS console I log into the connected account and select the VPC service. I select Endpoints and Create Endpoint. To create a Gateway VPC Endpoint, e.g. for S3, or an Interface VPC Endpoint, e.g. for DynamoDB or other services, I would select the appropriate service from the AWS services service category. In this instance I use Find service by name and enter the endpoint private service name. Either way, the key point is that I select the connected VPC from the VPC drop-down, and the subnets that match up with those used for the ENI when deploying the VMware Cloud on AWS SDDC.
By using the cross-VPC linked subnets the Virtual Machines in the SDDC will utilise the static route across the ENI outlined in the Connected VPC section above. AWS Security Groups can be used to limit this to certain source IP addresses from within the SDDC or the wider VPC if required. In this instance we are able to successfully test the connection over port 443 following the creation of the VPC Endpoint.
3. Additional VPC Connectivity
Traditionally VPC Peering has been used to provide one to one private network connectivity between VPCs, including VPCs in different accounts. VPC Peering cannot be configured in the SDDC as we do not have access to the underlying AWS account. VPN connections between additional VPCs and the SDDC router (Tier 0) can be configured from the VMware Cloud Services Portal, enabling VMware Cloud on AWS connectivity with other VPC environments. As the number of VPCs and accounts begins to scale the VPN approach becomes harder to manage.
This predicament is resolved with a relatively new addition to AWS; the Transit Gateway (TGW). The native AWS TGW is available now and acts as a transit network hub allowing you to connect multiple VPCs and on-premise networks (using Direct Connect or VPN attachments). A Managed Transit Gateway is being developed by VMware to assist with multi-SDDC and multi-VPC connectivity. You can review how the native AWS Transit Gateway fits into the VMware Cloud on AWS architecture on the VMware Network Virtualization blog: VMware Cloud on AWS with Transit Gateway Demo:
Image VMware Cloud on AWS with Transit Gateway Demo. Further Resources:
- VMware Cloud on AWS Docs – Access AWS Services
- Data Center Modernization with VMware Cloud on AWS – VMware Cloud and AWS Native Service Integration page 59
- Connectivity Options for VMware Cloud on AWS Software Defined Data Centers
- VMware Cloud on AWS: NSX Networking and Security eBook