You can configure AWS Direct Connect for private connections between VMware Cloud DR and your protected sites.

Prerequisites

Before configuring Direct Connect with VMware Cloud DR, do the following:
  • Select a /26 CIDR block within your company's private IP network scheme. This CIDR block must not overlap with other allocated CIDR blocks within your routed on-premises and cloud networking sites. The VMware Cloud DR internal networking uses 172.30.0.0/26, which cannot be used. The allocated CIDR block is part of VMware Cloud DR's Transit VPCs, which host the xENIs for the Orchestrator and cloud file system that are exported over Direct Connect.
  • After the VIF is attached, the original /26 CIDR block is split into two equal /27 CIDR blocks that are advertised by the interface. In some cases, you might need to make changes to your protected site's networking configuration to match the advertised prefixes.
  • Select an appropriate and valid autonomous system number (ASN). VMware Cloud DR uses ASN 64512, which cannot be used for your side of the Border Gateway Protocol (BGP) connection.
  • Obtain your VMware Cloud DR AWS shadow account ID. You can find this account ID by navigating to Settings > Direct Connect. Your network administrator needs this account ID to export your private VIFs to VMware Cloud DR.
  • Have your network administrator create a private VIF that uses the allocated CIDR block, VMware Cloud DR shadow account ID, and the allocated BGP ASN number.
  • Export your private VIFs to the VMware Cloud DR shadow account ID. Your network administrator performs this task from your AWS account.
Using a private VIF with a VMware Cloud DR protected site is restricted by the following caveats:
  • Only a single CIDR block is supported and is shared among all VIFs.
  • Do not use the 172.30.0.0/26 CIDR block because it overlaps with CIDR blocks 172.30.16.0/24 and 172.16.0.0/16, which are reserved for use by VMware Cloud DR.
  • Multiple protected sites are supported for use with private VIFs, if all protected sites share the same CIDR block and connect to the endpoint of their private VIF.
  • Post-deployment CIDR block changes are not supported.
  • You cannot convert a non-private VIF protected site to use a private VIF by yourself. If you are interested in converting a VMware Cloud DR protected site from using native internet or public VIF to private VIF, contact VMware support for assistance.
  • VMware Cloud DR cannot determine if a private VIF is being used for a specific protected site.
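
Because the transit VPC CIDR cannot be changed after it is set, it is worth checking the plan before entering it. The following is an added example, not VMware tooling: it checks a proposed /26 and customer ASN against the constraints listed above and returns the two /27 prefixes the VIF will advertise. The function name, the sample routed networks, and ASN 65010 are assumptions made for illustration.

```python
import ipaddress

# Values stated on this page.
INTERNAL = ipaddress.ip_network("172.30.0.0/26")        # VMware Cloud DR internal networking
RESERVED = [ipaddress.ip_network("172.30.16.0/24"),
            ipaddress.ip_network("172.16.0.0/16")]      # reserved by VMware Cloud DR
CLOUD_DR_ASN = 64512                                    # VMware Cloud DR side of the BGP session


def check_transit_plan(cidr, asn, site_networks):
    """Validate a proposed transit VPC CIDR and customer ASN (hypothetical helper).

    Returns (problems, advertised): a list of human-readable problems and the
    two /27 prefixes the VIF advertises once attached.
    """
    problems = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits, e.g. 10.1.1.5/26
    except ValueError as exc:
        return [f"invalid CIDR {cidr!r}: {exc}"], []
    if net.version != 4 or net.prefixlen != 26:
        return [f"{net} is not an IPv4 /26"], []

    if net.overlaps(INTERNAL):
        problems.append(f"{net} overlaps VMware Cloud DR internal range {INTERNAL}")
    for reserved in RESERVED:
        if net.overlaps(reserved):
            problems.append(f"{net} overlaps reserved range {reserved}")
    for site in site_networks:
        site_net = ipaddress.ip_network(site, strict=False)
        if net.overlaps(site_net):
            problems.append(f"{net} overlaps routed network {site_net}")

    # Basic range check only; whether the ASN suits your BGP design is a local decision.
    if not 0 < asn < 2**32:
        problems.append(f"ASN {asn} is outside the 32-bit ASN space")
    elif asn == CLOUD_DR_ASN:
        problems.append(f"ASN {asn} is used by VMware Cloud DR")

    advertised = [str(half) for half in net.subnets(prefixlen_diff=1)]
    return problems, advertised


if __name__ == "__main__":
    # Constructed sample inventory of routed on-premises and cloud networks.
    routed = ["10.0.0.0/16", "192.168.10.0/24"]
    for candidate, asn in [("10.50.0.0/26", 65010), ("172.30.0.0/26", 64512)]:
        issues, prefixes = check_transit_plan(candidate, asn, routed)
        print(candidate, "OK" if not issues else issues, prefixes)
```

Feed `site_networks` from your actual routing inventory, and compare the returned /27 prefixes with the prefix filters on the protected site's routers.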

Procedure

  1. Navigate to Settings > Direct Connect.
    The Direct Connect dialog box shows the VMware Cloud DR AWS shadow account ID. Your IT administrator needs this information to create and export private VIFs to VMware Cloud DR. You cannot configure Direct Connect if you have not exported private VIFs to VMware Cloud DR.
  2. In the Direct Connect dialog box, click the Set CIDR block button.
    Snapshot replication routes through a private IP network using IP addresses in the AWS transit VPC CIDR. Do not use the 172.30.0.0/26 CIDR block because it overlaps with CIDR blocks 172.30.16.0/24 and 172.16.0.0/16, which are reserved for use by VMware Cloud DR.
    Note: Once you set the CIDR, you cannot change it.
  3. In the Set transit VPC CIDR block dialog box, enter the CIDR block to use with Direct Connect. Select an IP address range that does not conflict with any on-premises network on the protected site that uses Direct Connect.
  4. Select the check box to confirm that once you set the transit VPC CIDR, it cannot be changed.
  5. Click OK.
  6. If the connection is successful, the Direct Connect dialog box shows all private VIFs exported to your account.
    For each VIF, the dialog box shows the interface name and ID, Direct Connect ID, state (available, unavailable, attaching, or attached), and BGP status (up, down, or unknown).
  7. To enable a VIF, select the small menu to the right of the VIF row and select Attach.
  8. In the Attach virtual interface confirmation dialog box, select the check box to confirm, and then click OK.

What to do next

After you have established a Direct Connect connection, you can select this connection type when you set up a protected site.
Note: After the VIF is attached, the original /26 CIDR block is split into two equal /27 CIDR blocks that are advertised by the interface. In some cases, you might need to make changes to your protected site's networking configuration to match the advertised prefixes.