VMware Cloud on AWS GovCloud (US) services | 3 September 2024 Check for additions and updates to these release notes. |
SDDC Version 1.22 v8
This latest SDDC release includes important updates and stability fixes, improving overall product experience.
Single Host SDDC
The new Single Host SDDC offering provides a low-cost entry point for customers to jump-start their hybrid cloud experience and prove the value of VMware Cloud on AWS GovCloud. A Single Host SDDC lasts up to 60 days, but customers can scale up to a minimum of two hosts to retain workloads and data. The Single Host SDDC starter configuration is appropriate for test and development or proof of concept use cases. Ensure to not run production workloads on a single host SDDC.
You can scale up your Single Host SDDC to a two-host SDDC without any disruption. This process adds resiliency and full SLA support, allowing the SDDC to exist beyond 60 days.
vTPM Support
Windows 11 Desktop Operating System Support – vTPM
Microsoft introduced new minimum virtual hardware requirements with the Windows 11 operating system. Microsoft requires a Virtual Trusted Platform Module (vTPM) device to be present during Windows 11 virtual machine installation and upgrades. SDDCs created using version 1.20 and later automatically include provisioning of vSphere Native Key Provider in vCenter to support new vTPM devices. This feature was in Preview earlier.
Add a vTPM device to a virtual machine
VMware Cloud on AWS enables you to add a new Virtual Trusted Platform Module (vTPM) device to virtual machines running Windows Server 2008 and later, Windows desktop 7 and later, or Linux. SDDCs created using version 1.20 and later automatically include the provisioning of vSphere Native Key Provider in vCenter to support new vTPM devices.
VMware Cloud on AWS SDDCs are preinstalled with the VMware Native Key Provider to support new vTPM devices. When you add a vTPM device to a VM running on VMware Cloud on AWS GovCloud, virtual machine “home” files will be encrypted (memory, swap, NVRAM files).
vSphere Virtual Machine Encryption is a separate vSphere feature and is not supported on VMware Cloud on AWS GovCloud.
VMware Native Key Provider is not authorized for FedRAMP or DoD impact level (IL) authorizations.
I4i.metal instance type is now available for VMware Cloud on AWS GovCloud regions
I4i.metal instances are now available for existing SDDC(s) and existing cluster deployments on VMware Cloud on AWS. You must upgrade the SDDCs to the latest version of 1.18 to get i4i capabilities. New i4i clusters can be deployed on existing VMC on AWS SDDCs after the upgrade is completed successfully. These instances come with Intel Xeon Ice Lake processors @3.5GHz (Turbo), 128 vCPUs with hyper-threading enabled, 1024 GB memory & approximately 20.46 TiB usable storage capacity. I4i instances include default support for host-to-host encryption and data-at-rest encryption powered by vSAN. The I4i.metal instance type is currently available in 12 regions, with support for more regions coming soon. For more information, see FAQ, Blog, and i4i Host Types.
Introduction of NSX 4.0.0 & vSphere 8.0
The new release of VMware Cloud on AWS introduces NSX-T 4.0.0 & interoperability with the next major release of vSphere 8.0. These new major releases will provide many features for enhanced security and networking functionality in VMware Cloud on AWS.
vCenter Server in VMware Cloud privilege enhancements
The CloudAdminGroup, SSO group, and CloudAdmin user roles are updated on specific management objects. This role update enables the CloudAdmin user and any users in the CloudAdminGroup to grant other users or groups read-only access to VMware Cloud on AWS vCenter management objects such as the Management-ResourcePool, Management VMs folder, Discovered Virtual Machines folder, vmc-hostswitch, and vsanDatastore. For more details, see vSphere Permissions and Privileges.
Live Traffic Analysis
Live Traffic Analysis (LTA) is now enabled in VMware Cloud on AWS. LTA provides helpful insight into tracing live traffic and bi-directional packet tracing. Traffic analysis monitors live traffic at a source or between the source and destination, along with the packet capture. You can identify error flows between the source and the destination. Live Traffic Analysis is supported on segments inside a single SDDC.
VPN Enhancements
FIPS 140-2 Validated Cryptographic Modules Refresh:
NSX utilizes several FIPS 140-2 cryptographic modules to perform various networking functions in FIPS-compliant mode. FIPS-validated modules are eventually sunset when the module reaches its expiry date or NIST/CMVP chooses to no longer re-validate certain module(s). When FIPS 140-2 cryptographic modules are sunset, you must replace those modules as necessary to maintain the FIPS validation of their platforms.
The FIPS 140-2 cryptographic modules leveraged in release 1.18 (VMware's VPN Crypto Module version 1.0) have been sunset.
The current release introduces VMware's VPN Crypto Module version 2.0 to maintain FIPS 140-2 validation.
More information on Validation Status can be found here: Cryptographic Module Validation Program.
NAT Support for Policy-Based VPNs on Tier-1 Gateways:
VPNs terminated on Tier-1 gateways can now support NAT rules, which allows two remote sites that share the same CIDR to use the same VPN.
DHCP UI enhancement
The DHCP UI enhancement provides an intuitive workflow and seamless user experience for the Cloud Admin to configure DHCP. The DHCP statistics for Gateway DHCP and Segment DHCP are exposed to help monitor DHCP messages.
Filtering Default CGW prefixes
By suppressing more specific route prefixes and instead advertising only aggregated routes for the default CGW workload segments, you can significantly reduce the Transit Connect, Direct Connect, or Connected VPC route table size.
The new feature introduces the ability to filter out prefixes of segments connected to the default CGW. When the route filtering feature is enabled on Intranet (DX/TGW) or Services (Connected VPC) endpoints, prefixes behind the default CGW will not be advertised.
This feature is available for VMware Cloud on AWS GovCloud SDDCs version 1.20 and higher.
Shared Prefix Lists for SDDC Groups
This feature is useful in connecting Transit Connect to external VPC and AWS TGW scenarios. Before enabling this feature, you must manually configure return routes for SDDC prefixes on the external VPC and AWS TGW to route traffic to the SDDC group. This manual process can be cumbersome and error-prone over time as SDDC group memberships change and subnets are added or removed from SDDCs.
VMware HCX 4.7
VMware HCX 4.7 for VMware Cloud on AWS GovCloud is a minor release that provides new features, interoperability enhancements, and resolved issues. For more information, see HCX 4.7 Release Notes.
VMware Transit Connect
VMware Transit Connect with AWS Transit Gateway is now available in VMware Cloud on AWS GovCloud
VMware Transit Connect delivers VMware-managed, easy-to-use, scalable, and performant connectivity solutions between VMware Cloud on AWS SDDCs designated within an SDDC Group. It leverages the AWS Transit Gateway (TGW) to enable any-to-any high bandwidth, low latency connectivity between SDDC Group members. It also enables connectivity between an SDDC Group and multiple AWS native Virtual Private Clouds (VPCs) and multiple on-premises environments connected via an AWS Direct Connect Gateway. Users can provision Transit Connect to their SDDCs by organizing them into an SDDC Group in the VMware Cloud on AWS Organization console.
Available feature connectivity models:
Inter-Region Peering between SDDCs using Transit Connect
Intra-Region Peering between SDDCs using Transit Connect
SDDC Group connectivity to AWS Transit Gateway with Intra and Inter-Region support
Custom metering
Shared prefix list
For more information, see VMware Transit Connect - Simplifying network for VMC.
VMware HCX 4.6 is available for VMware Cloud on AWS GovCloud deployments
VMware HCX 4.6.0 for VMware Cloud on AWS GovCloud is a minor release that provides feature alignment, usability enhancements, improved platform security, resolved issues and complies with FedRAMP High baseline requirements. VMware HCX delivers secure and seamless application mobility and infrastructure hybridity both on-premises and in the cloud. HCX abstracts the distinct private or public vSphere resources and presents a Service Mesh as an end-to-end entity. HCX Interconnect can provide high-performance, secure, and optimized multi-site connectivity to achieve infrastructure hybridity and offer multiple options for bi-directional virtual machine mobility with technologies that facilitate the modernization of legacy data centers. See HCX 4.6 Release Notes for more details.
Note: HCX for VMware Cloud on AWS GovCloud does not support WAN Optimization and OS-Assisted Migration. For more information, see HCX for VMware Cloud on AWS GovCloud.
SDDC Version 1.18 v10
VMware Site Recovery Manager
With the new Cloud-to-Cloud disaster recovery on VMware Cloud on GovCloud, you can conduct cross-region DR operations leveraging the VMware Site Recovery Manager capabilities running on VMware Cloud on GovCloud East and West regions as a failover target or source site. Some of the key benefits of this cross-cloud DR functionality are:
Improved reliability: With Active-Active configuration between the source and target site, you get low overall RPO/RTO for protected workloads.
Reduced operational complexity: Unified cross-cloud DR operations under one umbrella eliminate DR risk and complexity.
Better resiliency: Cloud-to-Cloud DR minimizes the risk of potential infrastructure outages.
For more information, see VMware Site Recovery on VMware Cloud on AWS GovCloud(US).
VMware Cloud on AWS Multi CGW
This feature enables you to create additional CGWs (Compute Gateways or Tier-1 Gateways) and manage the lifecycle of those CGWs. You can create the CGWs as Routed, NAT'ed, or Isolated CGWs. This feature supports the addition of static routes, route aggregation, filtering, a local DHCP server or DNS forwarding, and Traceflow. This feature enables the following use cases:
Multi-tenancy within an SDDC
Overlapping IPv4 address space across CGWs
Gateway Firewall/ NAT scoped to individual CGWs
Support for static routes on user managed CGW
Access to the Connected VPC from user managed CGW
Deployment of Isolated test 'segments' for Disaster Recovery (DR) testing or 'sandbox' environments.
For more information, see VMware Cloud on AWS Advanced Networking and Routing Features.
Route Aggregation for advertisement over Direct Connect and Transit Connect
With this feature, you can now control which SDDC CIDRs are advertised externally over Direct Connect and Transit Connect. These can be set via NSX UI or NSX API. You can now:
Define desired SDDC CIDRs to advertise in a 'Prefix list'.
Associate the Prefix List with a supported 'Connectivity Endpoint' to advertise routes.
Supported 'Connectivity Endpoints' include:
Direct-Connect and Transit Connect
Connected VPC
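The prefix-list workflow above, together with the default CGW route filtering described under "Filtering Default CGW prefixes", worked through as an added example that is not VMware's or NSX's code and calls no NSX API: it aggregates constructed sample segment CIDRs into a prefix list, checks that list for address space no segment actually backs before it is associated with an endpoint, and shows the route count an endpoint carries with and without filtering. The CIDRs, endpoint dictionary and helper function names are assumptions made for illustration.

```python
"""Prefix-list aggregation check for an SDDC's default CGW segments.

Added example; this is not VMware or NSX code and calls no NSX API. It models
the workflow described above: the /24 workload segments behind the default CGW
are replaced by aggregated prefixes in a prefix list, the list is associated
with a connectivity endpoint, and route filtering suppresses the individual
segment prefixes. All CIDRs and endpoint names are constructed sample values.
"""
from ipaddress import collapse_addresses, ip_network

# Constructed sample: eight contiguous /24 workload segments on the default CGW.
DEFAULT_CGW_SEGMENTS = [f"10.10.{i}.0/24" for i in range(8)]

# Supported connectivity endpoints named in the release notes (assumed mapping).
ENDPOINTS = {"Intranet": "DX/TGW", "Services": "Connected VPC"}


def aggregate_prefixes(cidrs):
    """Smallest set of prefixes that covers exactly the given CIDRs.

    collapse_addresses merges adjacent or nested networks and never adds
    address space that was not in the input, so the result can go into a
    prefix list as-is.
    """
    return [str(n) for n in collapse_addresses(ip_network(c) for c in cidrs)]


def overreach(prefix_list, cidrs):
    """Address space a prefix list would advertise that no segment backs.

    A hand-typed aggregate such as 10.10.0.0/20 over eight /24s also claims
    10.10.8.0/21; peers would then route traffic for those addresses into the
    SDDC. This is what a reviewer should reject before associating the list.
    """
    intended = list(collapse_addresses(ip_network(c) for c in cidrs))
    extra = []
    for prefix in (ip_network(p) for p in prefix_list):
        leftover = [prefix]
        for net in intended:
            remaining = []
            for chunk in leftover:
                if chunk.subnet_of(net):
                    continue  # fully backed by a segment: nothing extra
                if net.subnet_of(chunk):
                    remaining.extend(chunk.address_exclude(net))  # carve it out
                else:
                    remaining.append(chunk)  # disjoint CIDRs: untouched
            leftover = remaining
        extra.extend(leftover)
    return [str(n) for n in collapse_addresses(extra)]


def advertised_routes(endpoint, prefix_list, segments, filter_default_cgw):
    """Prefixes the given endpoint would advertise.

    Without filtering, every segment prefix is advertised alongside the
    prefix-list entries. With filtering enabled, segment prefixes behind the
    default CGW are suppressed and only the prefix list is advertised.
    """
    if endpoint not in ENDPOINTS:
        raise ValueError(f"unsupported endpoint {endpoint!r}")
    routes = set(prefix_list)
    if not filter_default_cgw:
        routes.update(segments)
    return [str(n) for n in sorted(ip_network(r) for r in routes)]


def review_prefix_list(prefix_list, segments):
    """Accept the prefix list only if it covers every segment with no overreach."""
    covered = all(
        any(ip_network(s).subnet_of(ip_network(p)) for p in prefix_list)
        for s in segments
    )
    return covered and not overreach(prefix_list, segments)


if __name__ == "__main__":
    good = aggregate_prefixes(DEFAULT_CGW_SEGMENTS)
    bad = ["10.10.0.0/20"]  # constructed: an aggregate that is too wide
    print("aggregate:", good, "accepted:", review_prefix_list(good, DEFAULT_CGW_SEGMENTS))
    print("overreach of", bad, "->", overreach(bad, DEFAULT_CGW_SEGMENTS))
    for flt in (False, True):
        routes = advertised_routes("Intranet", good, DEFAULT_CGW_SEGMENTS, flt)
        print(f"Intranet ({ENDPOINTS['Intranet']}) filter={flt}: {len(routes)} routes")
```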
VMware Cloud on AWS support for AD/LDAP
This feature will provide the ability to use Active Directory or OpenLDAP as an external authentication method in VMware Cloud on AWS. You can use this integration for assigning NSX-T cloud-admin roles based on Active Directory or OpenLDAP group membership.
DNS FQDN zones for Management Network
This feature enables you to configure DNS FQDN Zones for Management Gateway traffic. Multi-tenant users get more flexibility to configure distinct FQDN zones on the MGW DNS forwarder.
Settings for public/private connectivity for the Open NSX Manager button
This feature adds further enhancements to the Standalone NSX Manager UI feature introduced in 1.16. The following capabilities are enabled as part of this feature:
Ability to configure whether the 'Open NSX Manager' button defaults to Public URL or Private URL access.
Ability to use API to retrieve and change this setting.
You can configure the access mode for NSX Manager UI access as public or private. The configured setting can be retrieved or changed using the UI or API.
3-Host scale-down
With this service update, you can scale down 3-host non-stretched single-AZ clusters to 2-host clusters. The scale-down process will remove any additional Elastic DRS configuration, and the cluster will revert to the Baseline Policy.
Elastic DRS Baseline Policy
This new policy replaces the Default Storage Scale-Out policy. This policy is always in effect and cannot be disabled. The baseline policy will scale out the cluster in the following scenarios:
Less than 20% free capacity on any vSAN cluster
Availability Zone Failure
To learn more about Elastic DRS and the policies available, visit the VMware Cloud on AWS Documentation.
VMware HCX 4.5.1 is available for VMware Cloud on AWS GovCloud deployments only
VMware HCX delivers secure and seamless application mobility and infrastructure hybridity both on-premises and in the cloud. HCX abstracts the distinct private or public vSphere resources and presents a Service Mesh as an end-to-end entity. HCX Interconnect can provide high-performance, secure, and optimized multi-site connectivity to achieve infrastructure hybridity and offer multiple options for bi-directional virtual machine mobility with technologies that facilitate the modernization of legacy data centers. See HCX 4.5.1 Release Notes for more details.
HCX for VMware Cloud on AWS GovCloud does not support WAN Optimization and OS-Assisted Migration. For more information, see HCX for VMware Cloud on AWS GovCloud.
What's New 25 August 2022
SDDC Version 1.16 v11
VMware HCX 4.3.9 for VMware Cloud on AWS GovCloud
VMware HCX delivers secure and seamless application mobility and infrastructure hybridity across both on-premises and in the cloud. HCX abstracts the distinct private or public vSphere resources and presents a Service Mesh as an end-to-end entity. HCX Interconnect can then provide high-performance, secure, and optimized multi-site connectivity to achieve infrastructure hybridity and present multiple options for bi-directional virtual machine mobility with technologies that facilitate the modernization of legacy data centers. For more information, see HCX 4.3.9 Release Notes.
SDDC Version 1.16v11
Elastic DRS Storage Scale-up threshold update
Due to enhancements in vSAN, the vSAN Slack Space requirement has been decreased from 30% to 20%. To accommodate this improvement, the Storage Scale-up threshold for all Elastic DRS policies has been increased to 80%. You can now consume up to 79% of vSAN capacity regardless of the Elastic DRS policy.
2-Host Stretched Clusters (1-1)
You can now deploy a 2-host stretched cluster. With a single host in each AZ and a managed witness in the third, the cluster can survive the loss of an entire AZ. This powerful capability enables business-critical applications within VMware Cloud without rearchitecting for AWS availability.
With one host per AZ, vSAN depends on Dual Site Mirroring for resiliency and therefore comes with a 99.9% availability guarantee. This can be increased to 99.99% at any time by scaling up to a 6-host cluster.
Elastic DRS storage-only scale-out is enabled by default. If a 2-host stretched cluster is scaled up to a 4-host cluster, the cluster cannot be scaled back down. For more information, see the 2-Host release and/or Stretched Cluster design considerations.
Stretched Cluster resiliency improvements
Elastic DRS has been improved to increase the resiliency of any Stretched Cluster. This enhancement is provided free of charge and works in conjunction with the existing Auto-Remediation capabilities found in Auto-Scaler. For more information, see Scaling Multiple Availability Zone Clusters.
The VMware Cloud service will automatically Scale-Out any Stretched Cluster on AZ failure. With this latest enhancement, the cluster will automatically Scale-In as soon as the failed AZ has been restored and the burst capacity is no longer needed.
If an instance fails on a Stretched Cluster and Auto-Remediation is unable to recover or replace the host, the service will add the instance to the other AZ until a new host can be recovered in the original AZ. This capability is added free of charge and will attempt to maintain the Compute resources in the event of a partial AZ failure by adding non-billable hosts to the surviving AZ until the cluster has returned to its original host count. This functionality is dependent on free capacity and therefore carries no guarantee.
Networking and Security - Operational Improvements
You can view network traffic stats per external interface to the SDDC. The Global Configuration tab provides visibility into bytes and packets received and transmitted per uplink. You can also control interface settings on the Global Configuration tab.
vSphere Distributed Switch (VDS)
The vSphere Distributed Switch (VDS) enables you to manage NSX network segments as vCenter DVPG objects. New deployments in 1.16 will use VDS. Existing deployments will be converted to VDS prior to the 1.18 upgrade. The vSphere Web Services API Opaque Network objects will be converted to NSX DistributedVirtualPortGroup (DVPG) objects. The corresponding API parameters and return values are changing; therefore, users need to update applications that use these API calls. vSphere Opaque Network objects will not be supported beyond 1.16. For more details, including the latest VMware and partner application versions that are compatible with VDS, see KB 82487.
Compute Policy Scale Increase
The limit for VM-VM anti-affinity compute policies has been increased to 1500 (total of all compute policies combined). The limit for all other compute policies remains at 100. Using the card view is recommended when working with a large number of policies in the UI. See the VMware Configuration Maximums page for limit details.
SDDC Version 1.14v7
Regional Expansion to AWS GovCloud US-East region
Since the launch of VMware Cloud on AWS GovCloud (US), the hybrid cloud service has been helping Federal, state and local government agencies in their digital transformation initiatives. VMware now announces the regional expansion of VMware Cloud on AWS GovCloud (US) service to the AWS GovCloud US-East region. This will bring the availability of the service to both AWS GovCloud regions – GovCloud (US-West) and GovCloud (US-East). This gives US public sector customers additional geographic choice and disaster recovery options for sensitive data and workloads while meeting US government security and compliance requirements.
Support for 2-host i3en.metal
Reduce your steady state and recovery infrastructure costs by using 2-host i3en.metal SDDCs.
2-Host Stretched Clusters (1-1)
You can now deploy a 2-host stretched cluster. With a single host in each AZ and a managed witness in the third, the cluster can survive the loss of an entire AZ. This powerful capability enables business-critical applications within VMware Cloud without rearchitecting for AWS Availability.
SDDC Version 1.14v6
Performance Optimizations for Erasure Coding for bursty writes
Version 1.14 improves the performance and CPU efficiency of RAID 5/6. This preserves the space efficiency of erasure coding while enhancing application performance and reducing CPU cost per I/O, particularly for bursty writes. Buffer tier performance is also improved.
Stretched Cluster/ Multi-AZ Improvements: vSAN DRS awareness
VMware Cloud on AWS version 1.14 introduces integration between data placement and DRS so that, after a failure condition has been recovered, DRS keeps the VM state at the same site until data is fully re-synchronized, which ensures that read operations do not traverse the Inter Site Link (ISL). Once the data is fully re-synchronized, DRS moves the VM state to the site required by its DRS rules. This improvement can dramatically reduce unnecessary read operations across the ISL and frees up ISL resources to complete any re-synchronizations after site recovery.
Automatic adjustment of vSAN policy for improved data availability
The automatic adjustment of vSAN policy for improved data availability feature automatically assigns the default policy for your VMs to ensure that your workloads are SLA compliant. You can deploy your cluster, and based on the number of hosts, a policy is automatically assigned. If a host-count threshold is crossed that requires a different policy, the policy is automatically changed so that your clusters remain SLA compliant. If you want to set the policies yourself, you can override this function.
The policy settings applied by automatic adjustment of vSAN policy for improved data availability are:
Standard Cluster:
<= 5 hosts: Failures to tolerate 1 - RAID-1
>= 6 hosts: Failures to tolerate 2 - RAID-6
Stretched Cluster:
Dual Site Mirroring, Failures to tolerate 1 - RAID-1
Note: This feature is enabled for SDDC versions 1.10 and higher.
SDDC Version 1.12v5
Network Performance
This release provides improvements to i3en.metal network performance for north-south communication (approximately twice the performance compared to i3.metal) to the SDDC, as well as east-west communication within the SDDC. You will see higher network throughput for workloads driving TCP traffic and for UDP traffic across i3en edge nodes.
Increased Scale Attributes for NSX Distributed Firewall (DFW)
VMware Cloud on AWS supports higher scale attributes for NSX Distributed Firewall (DFW) for SDDCs running version 1.12 and higher. VMware Cloud on AWS SDDC now supports up to 40,000 DFW rules across all sections. Also, the number of security groups supported is now increased to 12,000 and the number of VMs per security group in the SDDC is increased to 1,800. The complete list of configuration maximums for Networking and Security can be found here.
Firewall
Advanced search and filtering capability in the UI - Users can search firewall rules using a number of criteria including rule ID, rule name, Group membership, source/destination IP address, protocol, service, action and rule status.
Rule ID is now directly available in the UI.
Distributed Firewall
Time-based Scheduling of DFW Rules - Users can now schedule enforcement of specific rules for specific time intervals. This option can be accessed through the clock symbol in the UI.
Advanced search and filtering capability in the UI - Users can search firewall rules using a number of criteria including rule ID, rule name, Group membership, source/destination IP address, protocol, service, action and rule status.
Rule ID is now directly available in the UI.
VPN
MSS Clamping is now supported for Policy-based/Route-based VPN. This option allows the user to set the maximum segment size for IPsec traffic to avoid fragmentation. The VPN UI is streamlined to group together all required fields above the Advanced Parameters fold.
DHCP
Users can create custom DHCP profiles for DHCP Relay/Server. The DHCP server can be configured at Gateway (all segments) or Local (individual segment) level, as well as in Relay mode. Users can view DHCP Relay/Server configuration stats under the Tier-1 Gateways (CGW) tab in the UI.
Network Segments
Segment level metrics - Fine-grained network stats are available at the individual segment level. Counters for packets transmitted/received/dropped are available via the UI.
Segment Profiles - Users can view the segment profiles that apply to individual segments during segment creation. Users can set bindings for DHCP addresses.
Segments UI enhancement - Users can view all related Groups in which an individual segment is referenced.
SDDC Version 1.10v5
Flexible vCenter Permissions during upgrades
Flexible vCenter permissions model for role-based access. Existing SDDCs that do not currently support flexible vCenter permissions will now get the feature as part of the next upgrade. This capability enables cloud administrators to create custom roles and assign more granular permissions to users and groups. These permissions can be assigned to users and groups globally or for specific vCenter objects.
Networking
Enhancements to the DNS UI. Users can now enter the DNS server IP addresses in the DNS service section. Previously, users had to configure the server in the DNS zones section. Users can now add a description to the DNS service, add tags, and view stats in the DNS service section.
Resolved Issues:
This release resolves an issue with IP address range expansion that overloaded the server and, in turn, made the API and UI unreachable.
i3en.metal instance type is now available
i3en.metal instances are now available for new SDDC and cluster deployments on VMware Cloud on AWS. These instances come with Intel Xeon Cascade Lake processors @2.5GHz, 96 vCPUs with hyper-threading enabled, 768 GiB memory & 45.84 TiB (50TB) raw storage capacity, with an additional 6.55 TiB cache storage capacity. Additionally, i3en instances include in-transit hardware encryption of east-west traffic for improved security. I3en.metal hosts are FedRAMP High compliant and must be selected when deploying new SDDCs that require FedRAMP High compliance.