The Connected Amazon VPC contains your SDDC and all its networks. Information about this VPC, including the active ENI, VPC subnet, and VPC ID, is available on the Connected VPC page.

VMware Cloud on AWS uses AWS account linking and AWS CloudFormation to obtain the permissions it needs to access your AWS account. When the accounts are linked, VMware Cloud on AWS runs a CloudFormation template that creates IAM roles in your account and grants several VMware-owned AWS accounts permission to assume those roles. The role names are listed on the SDDC's Connected VPC page. Details about those roles and the permissions they carry are published in AWS Roles and Permissions in the VMware Cloud on AWS Operations Guide.

Assuming these roles grants VMware Cloud on AWS the rights to create, delete, and assign ENIs and to modify route tables in your VPC. The roles also permit enumeration of the subnets and VPCs in the account so that VMware Cloud on AWS can map the available resources and present them during SDDC creation. These capabilities are needed at the start of the SDDC creation workflow, whenever an SDDC is upgraded, and at other times during the life of the SDDC when VPCs and their subnets must be verified or route tables and ENIs must be examined and modified. If a member of your organization damages the connected VPC configuration, for example by deleting or modifying these IAM roles or by editing the main route table, SDDC operations can be affected in several ways, including:
  • VMware Cloud on AWS will be unable to add, replace, or remove hosts in the SDDC management cluster.
  • VMware Cloud on AWS will be unable to update the main route table when routes change or the active NSX Edge changes hosts during an upgrade. This can break connectivity between the SDDC and native AWS services. See Routing Between Your SDDC and the Connected VPC for details.
  • The affected organization will no longer be able to deploy SDDCs linked to that account.
Note: Re-running the VMware Cloud on AWS CloudFormation template does not affect existing SDDCs, which continue to use the IAM roles shown on their Connected Amazon VPC page. If an existing SDDC is exhibiting any of these symptoms, contact VMware Support.
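The two things an organization member can break, the main route table and the IAM roles, are also the two things you can check from outside the SDDC with the values shown on the Connected Amazon VPC page (VPC ID, Active Network Interface, IAM Role Names). The following script is an added example and is not part of the VMware Cloud on AWS documentation or product. It works offline on constructed JSON shaped like the output of `aws ec2 describe-route-tables` and `aws iam get-role`; every VPC ID, ENI ID, route table ID, CIDR, role name and AWS account number in it is a placeholder, and the set of accounts that should be allowed to assume the roles is an assumption you must replace with what your own CloudFormation stack granted.

```python
"""Offline drift check for a Connected Amazon VPC.

Added example, not code from the VMware Cloud on AWS documentation. The JSON
below is constructed to mimic the shape of two AWS CLI responses:
  aws ec2 describe-route-tables --filters Name=vpc-id,Values=<VPC ID>
  aws iam get-role --role-name <IAM role name from the Connected VPC page>
Every ID, CIDR, role name and account number here is a placeholder.
"""
import json

# Values copied from the Connected Amazon VPC page (placeholders).
VPC_ID = "vpc-0123456789abcdef0"
ACTIVE_ENI = "eni-0aaaaaaaaaaaaaaa1"
EXPECTED_ROLES = ["example-vmc-role-A", "example-vmc-role-B", "example-vmc-role-C"]
# AWS account(s) the CloudFormation stack allowed to assume the roles (assumed placeholder).
TRUSTED_ACCOUNTS = {"111111111111"}

ROUTE_TABLES_JSON = """{"RouteTables": [
  {"RouteTableId": "rtb-0123456789abcdef1", "VpcId": "vpc-0123456789abcdef0",
   "Associations": [{"Main": true, "RouteTableId": "rtb-0123456789abcdef1"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "10.2.0.0/16", "NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaa1", "State": "active"},
     {"DestinationCidrBlock": "192.168.1.0/24", "NetworkInterfaceId": "eni-0bbbbbbbbbbbbbbb2", "State": "active"},
     {"DestinationCidrBlock": "172.16.0.0/12", "NetworkInterfaceId": "eni-0ccccccccccccccc3", "State": "blackhole"}]},
  {"RouteTableId": "rtb-0123456789abcdef2", "VpcId": "vpc-0123456789abcdef0",
   "Associations": [{"Main": false, "SubnetId": "subnet-0123456789abcdef0"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}]}"""

# {role name: parsed get-role output, or None when the CLI reported NoSuchEntity}
GET_ROLE_OUTPUTS = {
    "example-vmc-role-A": {"Role": {"RoleName": "example-vmc-role-A", "AssumeRolePolicyDocument": {
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}}},
    "example-vmc-role-B": {"Role": {"RoleName": "example-vmc-role-B", "AssumeRolePolicyDocument": {
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "arn:aws:iam::222222222222:root"]}}]}}},
    "example-vmc-role-C": None,
}


def main_route_table(describe_output, vpc_id):
    """Return the VPC's main route table (the one VMware Cloud on AWS updates), or None."""
    for rt in describe_output["RouteTables"]:
        if rt["VpcId"] == vpc_id and any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    return None


def audit_routes(route_table, active_eni):
    """Classify routes: via the active ENI, via some other ENI, or blackholed."""
    findings = {"via_active_eni": [], "via_other_eni": [], "blackhole": []}
    for route in route_table["Routes"]:
        dest = (route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
                or route.get("DestinationPrefixListId"))
        if route.get("State") == "blackhole":
            findings["blackhole"].append(dest)  # target no longer exists
            continue
        eni = route.get("NetworkInterfaceId")
        if eni == active_eni:
            findings["via_active_eni"].append(dest)
        elif eni is not None:
            findings["via_other_eni"].append((dest, eni))  # points at an ENI that is not the active one
    return findings


def _principal_accounts(statement):
    """Account IDs named in a statement's Principal.AWS (string or list of ARNs)."""
    principals = statement.get("Principal", {}).get("AWS", [])
    if isinstance(principals, str):
        principals = [principals]
    # arn:aws:iam::<account>:root -> colon-separated field 4 is the account id
    return [p.split(":")[4] for p in principals if p.startswith("arn:")]


def audit_roles(expected_roles, get_role_outputs, trusted_accounts):
    """Report roles that are missing and trust-policy principals outside the trusted set."""
    report = {"missing": [], "untrusted_principals": {}}
    for name in expected_roles:
        out = get_role_outputs.get(name)
        if out is None:
            report["missing"].append(name)
            continue
        statements = out["Role"]["AssumeRolePolicyDocument"]["Statement"]
        if isinstance(statements, dict):
            statements = [statements]
        untrusted = sorted({acct for s in statements if s.get("Effect") == "Allow"
                            for acct in _principal_accounts(s) if acct not in trusted_accounts})
        if untrusted:
            report["untrusted_principals"][name] = untrusted
    return report


def run_audit():
    """Combine both checks into one report for the values at the top of the file."""
    rt = main_route_table(json.loads(ROUTE_TABLES_JSON), VPC_ID)
    return {"main_route_table": rt["RouteTableId"] if rt else None,
            "routes": audit_routes(rt, ACTIVE_ENI) if rt else None,
            "roles": audit_roles(EXPECTED_ROLES, GET_ROLE_OUTPUTS, TRUSTED_ACCOUNTS)}


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

Read the report as follows: a route via an ENI other than the Active Network Interface, or a blackhole route, is the route-table symptom described above (the SDDC could not update the main route table when the active NSX Edge moved); a missing role, or a trust policy naming an account you did not expect, is the IAM symptom. Per the Note, fixing these is a support case for an existing SDDC, not a re-run of the template.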

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page. See SDDC Network Administration with NSX Manager.
    You can also use the VMware Cloud Console Networking & Security tab for this workflow.
  4. Click Connected VPC to open the Connected Amazon VPC page.
    This page includes the following information:
    AWS Account ID
    The AWS account ID you specified when you created your SDDC.
    VPC ID
    The AWS ID of this VPC.
    VPC Subnet
    The AWS ID of the VPC subnet you specified when you created your SDDC.
    Active Network Interface
    The identifier of the ENI that VMware Cloud on AWS currently uses in this VPC.
    IAM Role Names
    The names of the AWS Identity and Access Management (IAM) roles that the CloudFormation template created in your AWS account for this SDDC. See AWS Roles and Permissions in the VMware Cloud on AWS Operations Guide.
    Cloud Formation Stack Names
    The name of the AWS CloudFormation stack used to create your SDDC.
    Service Access
    A list of AWS services enabled in this VPC.