This post demonstrates the connectivity between VMware Cloud (VMC) on AWS and native AWS services. In the example below we use Amazon Elastic Load Balancing (ELB) to provide highly available, scalable, and secure load balancing backed by virtual machines hosted in the VMware Cloud Software-Defined Data Centre (SDDC). A basic understanding of both platforms is assumed.
When integrating with Amazon ELB there are two options: the Application Load Balancer (ALB), which operates at the request layer (layer 7), or the Network Load Balancer (NLB), which operates at the connection layer (layer 4). The Amazon Classic Load Balancer is for Amazon EC2 instances only. For help choosing the correct type of load balancer, review Details for Elastic Load Balancing Products and Product Comparisons. Amazon load balancers and their targets can be monitored using Amazon CloudWatch.
- VMware Cloud on AWS links with your existing AWS account to provide access to native services. During provisioning a CloudFormation template grants AWS permissions using the Identity and Access Management (IAM) service. This allows your VMC account to create and manage Elastic Network Interfaces (ENIs) and to auto-populate Virtual Private Cloud (VPC) route tables.
- An Elastic Network Interface (ENI) dedicated to each physical host connects the VMware Cloud to the corresponding Availability Zone in the native AWS VPC. There is no charge for data crossing the 25 Gbps ENI between the VMC VPC and the native AWS VPC; however, it is worth remembering that data crossing Availability Zones is charged at $0.01 per GB (at the time of writing).
- The example architecture below shows a stretched cluster in VMware Cloud on AWS with web services running on virtual machines across multiple Availability Zones. The load balancer sits in the customer's native AWS VPC and connects to the web servers over the ENI connectivity. Amazon's DNS service, Route 53, routes users accessing a custom domain to the web service.
- Remember to consider the placement of your target servers when deploying the Amazon load balancer. For more information see VMware Cloud on AWS Deployment Planning; see also Elastic Load Balancing Pricing.
VMC Gateway Firewall
Before configuring the ELB we need to make sure it can reach the target servers. Log into the VMware Cloud on AWS Console, from the SDDCs tab locate the appropriate SDDC and click View Details. Select the Networking & Security tab and, under Security, click Gateway Firewall, then Compute Gateway.
In this example I have added a rule for inbound access to my web servers. The source is AWS Connected VPC Prefixes (this can be restricted to allow access only from the load balancer if required). The destination is a user-defined group containing the private IPv4 addresses of the web servers in VMC, and the allowed service is set to HTTP (TCP 80).
If you are using the Application Load Balancer then you also need to consider the security group attached to the ALB. If the default group is not used, or the security group attached to the Elastic Network Interfaces has been changed, you may need to make additional security group changes to allow traffic between the ALB and the ENIs. Review the Security Group Configuration section of Connecting VMware Cloud on AWS to EC2 Instances for more information. The Network Load Balancer does not use security groups. The gateway firewall rule outlined above is needed regardless of the load balancer type.
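The two rule shapes mentioned above, the broad one (source = the whole connected VPC) and the tightened one (source = only the load balancer's subnet), can be modelled and checked against sample flows before you commit them. The following is an added example, not VMware or AWS code; the connected VPC CIDR, the load balancer subnet and the web server addresses are constructed placeholders, and the evaluator is a simplified first-match model of an ordered gateway firewall.

```python
"""Model the VMC Compute Gateway rule from the walkthrough and check which
flows each variant admits. Added example; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple        # CIDR strings, e.g. the AWS Connected VPC prefixes
    destinations: tuple   # private IPv4 addresses of the web servers (the user-defined group)
    protocol: str
    port: int
    action: str = "allow"


# Constructed values: the connected native AWS VPC, the subnet the load
# balancer was deployed into, and the VMC compute segment hosting the web VMs.
CONNECTED_VPC_PREFIXES = ("10.0.0.0/16",)
LOAD_BALANCER_SUBNET = ("10.0.1.0/24",)
WEB_SERVERS = ("192.168.10.11", "192.168.10.12")

# Broad rule as described in the post: any address in the connected VPC may reach HTTP.
BROAD_RULE = Rule("web-http-from-vpc", CONNECTED_VPC_PREFIXES, WEB_SERVERS, "tcp", 80)
# Tightened variant: only the load balancer's subnet may reach HTTP.
TIGHT_RULE = Rule("web-http-from-lb", LOAD_BALANCER_SUBNET, WEB_SERVERS, "tcp", 80)


def rule_matches(rule, src_ip, dst_ip, protocol, port):
    """True when the 5-tuple-ish flow falls inside the rule's source, destination and service."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    in_src = any(src in ipaddress.ip_network(p) for p in rule.sources)
    in_dst = any(dst == ipaddress.ip_address(d) for d in rule.destinations)
    return in_src and in_dst and protocol == rule.protocol and port == rule.port


def evaluate(rules, src_ip, dst_ip, protocol, port, default="drop"):
    """First matching rule wins; anything unmatched falls to the default action."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, protocol, port):
            return rule.action, rule.name
    return default, None


if __name__ == "__main__":
    flows = [
        ("10.0.1.20", "192.168.10.11", "tcp", 80),   # load balancer node -> web server
        ("10.0.2.5", "192.168.10.11", "tcp", 80),    # unrelated EC2 instance -> web server
        ("10.0.1.20", "192.168.10.11", "tcp", 22),   # load balancer node -> SSH (not a listener)
    ]
    for flow in flows:
        print(flow, "broad:", evaluate([BROAD_RULE], *flow), "tight:", evaluate([TIGHT_RULE], *flow))
```

The broad rule admits any instance in the connected VPC; the tight rule admits only the load balancer's subnet, and neither admits anything other than TCP 80 to the web server group.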
Log into the VMware Cloud on AWS Console, from the SDDCs tab locate the appropriate SDDC and click View Details. Select the Networking & Security tab. Under System click Connected VPC. Make a note of the AWS Account ID and the VPC ID; you will need to deploy the load balancer into this account and VPC.
Log into the AWS Console and navigate to the EC2 service. Locate the Load Balancing header in the left-hand navigation pane and click Load Balancers. Click Create Load Balancer. Select the load balancer type and click Create.
Typically the Application Load Balancer is used for HTTP/HTTPS. In this example, since I want to deploy the load balancer to a single Availability Zone for testing, I am using a Network Load Balancer, which can also be given a dedicated Elastic IP (a persistent public IP).
Enter the load balancer configuration. I am configuring an internet-facing load balancer with listeners on port 80 for HTTP traffic. Scroll down and specify the VPC and Availability Zones to use. Ensure you use the VPC connected to your VMware on AWS VPC. In this example I have selected a subnet in the same Availability Zone as my VMware Cloud SDDC.
In the routing section configure the target group which will contain the servers behind the load balancer. The target type needs to be IP.
In this instance since I am creating a new target group I need to specify the IP addresses of the web servers which are VMs sitting in my VMC SDDC. The Network column needs to be set to Other private IP address.
Once the load balancer and target group are configured review the settings and deploy. You can review the basic configuration, listeners, and monitoring by selecting the newly deployed load balancer.
Click the Description tab to obtain the DNS name of the load balancer. You can add a CNAME to reference the load balancer using Amazon Route 53 or another DNS service.
Finally, navigate to Target Groups. Here you can view the health status of your registered targets, and configure health checks, monitoring, and tags.
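The console steps above (target group of type IP, targets registered as "Other private IP address", health checks) can be expressed through the ELBv2 API. The following is an added example, not code from the post or from AWS; it builds the target group and target registration parameters with validation and only touches the API inside main(). The VPC CIDR, web server addresses, VPC ID and subnet ID are constructed placeholders. In the ELBv2 API an IP target that lies outside the VPC's CIDR (the VMC compute segment reached over the ENI) is registered with AvailabilityZone set to "all", which is what the console's "Other private IP address" option corresponds to.

```python
"""Build and apply an ELBv2 target group whose targets are VMs in the VMC SDDC.
Added example; identifiers and addresses below are constructed placeholders."""
import ipaddress

# Constructed placeholders: replace with the values noted from Connected VPC.
VPC_ID = "vpc-PLACEHOLDER"
SUBNET_ID = "subnet-PLACEHOLDER"         # subnet in the same AZ as the SDDC
VPC_CIDR = "10.0.0.0/16"                 # the connected native AWS VPC
WEB_SERVERS = ["192.168.10.11", "192.168.10.12"]  # VMs on a VMC compute segment


def _ensure_private_ipv4(ip):
    """IP-type targets must be private IPv4 addresses; reject anything else early."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or not addr.is_private:
        raise ValueError(f"{ip} is not a private IPv4 address")
    return addr


def build_targets(target_ips, vpc_cidr, port):
    """Targets list for register_targets. Addresses outside the VPC CIDR
    (the VMC segment) need AvailabilityZone='all'; addresses inside do not."""
    vpc = ipaddress.ip_network(vpc_cidr)
    targets = []
    for ip in target_ips:
        addr = _ensure_private_ipv4(ip)
        target = {"Id": str(addr), "Port": port}
        if addr not in vpc:
            target["AvailabilityZone"] = "all"
        targets.append(target)
    return targets


def target_group_params(name, vpc_id, port, protocol="TCP", health_path=None):
    """create_target_group arguments for an IP-type group. With a health_path the
    check is HTTP against that path; otherwise it is a plain connection check."""
    params = {
        "Name": name,
        "Protocol": protocol,
        "Port": port,
        "VpcId": vpc_id,
        "TargetType": "ip",
        "HealthCheckProtocol": "HTTP" if health_path else protocol,
        "HealthyThresholdCount": 3,
        "UnhealthyThresholdCount": 3,
        "HealthCheckIntervalSeconds": 30,
    }
    if health_path:
        params["HealthCheckPath"] = health_path
    return params


def main():
    import boto3  # imported here so the builders above run without the SDK installed
    elbv2 = boto3.client("elbv2")
    tg = elbv2.create_target_group(**target_group_params("vmc-web", VPC_ID, 80, health_path="/"))
    tg_arn = tg["TargetGroups"][0]["TargetGroupArn"]
    elbv2.register_targets(TargetGroupArn=tg_arn, Targets=build_targets(WEB_SERVERS, VPC_CIDR, 80))
    lb = elbv2.create_load_balancer(Name="vmc-web-nlb", Type="network",
                                    Scheme="internet-facing", Subnets=[SUBNET_ID])
    lb_arn = lb["LoadBalancers"][0]["LoadBalancerArn"]
    elbv2.create_listener(LoadBalancerArn=lb_arn, Protocol="TCP", Port=80,
                          DefaultActions=[{"Type": "forward", "TargetGroupArn": tg_arn}])
    # The DNS name here is what you would point a Route 53 CNAME at.
    return lb["LoadBalancers"][0]["DNSName"]


if __name__ == "__main__":
    print(main())
```

Health state of the registered targets can then be read back with describe_target_health on the target group ARN, which is the API view of the Target Groups page described above.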