The Connected Amazon VPC contains your SDDC and all its networks. Information about this VPC, including the active ENI, VPC subnet, and VPC ID, is available on the Connected VPC page.
VMware Cloud on AWS uses AWS account linking and AWS CloudFormation to obtain the permissions it needs to access your AWS account. When the accounts are linked, VMware Cloud on AWS runs a CloudFormation template that creates IAM roles and grants permission for several VMware accounts to assume those roles. The role names are listed on the SDDC's Connected VPC page. Details about those roles and permissions are published in AWS Roles and Permissions in the VMware Cloud on AWS Operations Guide.
Assuming these roles grants VMware Cloud on AWS the rights to create, delete, and assign ENIs and to modify route tables in your VPC. The roles also permit enumeration of the subnets and VPCs in the account so that VMware Cloud on AWS can map the available resources and present them during SDDC creation. These capabilities are needed at the beginning of the SDDC creation workflow, whenever an SDDC is upgraded, and at other times during the life of the SDDC when VPCs and their subnets must be verified or route tables and ENIs must be examined and modified. If an organization member breaks the Connected VPC integration, for example by deleting or modifying these IAM roles or by modifying the main route table, SDDC operations can be affected in several ways, including:
- VMware Cloud on AWS will be unable to add, replace, or remove hosts in the SDDC management cluster.
- VMware Cloud on AWS will be unable to update the main route table when routes change or the active NSX Edge changes hosts during an upgrade. This can break connectivity between the SDDC and native AWS services. See Routing Between Your SDDC and the Connected VPC for details.
- The affected organization will no longer be able to deploy SDDCs linked to that account.
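Because the roles and the main route table are modified legitimately only by VMware Cloud on AWS sessions that have assumed those roles, changes made by anyone else are worth alerting on. The following script is an added example, not VMware's or AWS's code: it scans CloudTrail records for IAM role changes and route-table changes that touch the Connected VPC integration, and ignores route-table changes made through the watched roles themselves. The role names, the route table ID, and the sample CloudTrail records are constructed placeholders; substitute the role names and route table ID shown on your SDDC's Connected VPC page.

```python
"""Flag CloudTrail events that could break the Connected VPC integration.

Added example (not VMware's code). Role names, route table ID and the sample
records are constructed placeholders.
"""
import json

# Assumed: role names copied from the SDDC's Connected VPC page (placeholders).
WATCHED_ROLES = {"vmware-sddc-role-example-1", "vmware-sddc-role-example-2"}
# Assumed: the Connected VPC's main route table ID (placeholder).
MAIN_ROUTE_TABLE = "rtb-0123456789abcdef0"

# CloudTrail event names that change a role's existence, policies or trust.
ROLE_EVENTS = {"DeleteRole", "DeleteRolePolicy", "DetachRolePolicy",
               "AttachRolePolicy", "PutRolePolicy", "UpdateAssumeRolePolicy"}
# CloudTrail event names that change route tables or their associations.
ROUTE_EVENTS = {"CreateRoute", "ReplaceRoute", "DeleteRoute",
                "ReplaceRouteTableAssociation", "DisassociateRouteTable",
                "DeleteRouteTable"}


def issuing_role(event):
    """Role name behind an assumed-role session, or None for other identities."""
    identity = event.get("userIdentity") or {}
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("userName") if identity.get("type") == "AssumedRole" else None


def classify(event):
    """Return a finding string for a risky event, or None if it is benign."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    if name in ROLE_EVENTS and params.get("roleName") in WATCHED_ROLES:
        return f"{actor} ran {name} on Connected VPC role {params['roleName']}"
    if name in ROUTE_EVENTS and params.get("routeTableId") == MAIN_ROUTE_TABLE:
        # Route changes made through the VMware roles are expected; flag the rest.
        if issuing_role(event) in WATCHED_ROLES:
            return None
        return f"{actor} ran {name} on main route table {MAIN_ROUTE_TABLE}"
    return None


def scan(records):
    """Return the findings for a list of CloudTrail records."""
    return [f for f in (classify(e) for e in records) if f]


# Constructed sample records in CloudTrail's record shape (placeholders).
SAMPLE_RECORDS = [
    {"eventName": "DeleteRole", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleName": "vmware-sddc-role-example-1"}},
    {"eventName": "ReplaceRoute", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"routeTableId": MAIN_ROUTE_TABLE,
                           "destinationCidrBlock": "10.2.0.0/16"}},
    {"eventName": "ReplaceRoute", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/"
                             "vmware-sddc-role-example-1/vmc-session",
                      "sessionContext": {"sessionIssuer": {
                          "type": "Role",
                          "userName": "vmware-sddc-role-example-1"}}},
     "requestParameters": {"routeTableId": MAIN_ROUTE_TABLE,
                           "destinationCidrBlock": "10.2.0.0/16"}},
    {"eventName": "ReplaceRoute", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"routeTableId": "rtb-0fedcba9876543210",
                           "destinationCidrBlock": "10.3.0.0/16"}},
    {"eventName": "DescribeSubnets", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {}},
]

if __name__ == "__main__":
    # With real data: json.load(open("cloudtrail.json"))["Records"]
    for finding in scan(SAMPLE_RECORDS):
        print(json.dumps({"finding": finding}))
```

Only the first two sample records produce findings: the DeleteRole by an IAM user and the ReplaceRoute on the main route table by an IAM user. The ReplaceRoute performed through an assumed VMware role is treated as expected VMware Cloud on AWS activity, and changes to other route tables are out of scope for this check.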
Note: Re-running the VMware Cloud on AWS CloudFormation template does not affect existing SDDCs, which continue to use the IAM roles shown on their Connected Amazon VPC page. If an existing SDDC is exhibiting any of these symptoms, contact VMware Support.