You can use VMware Transit Connect to attach an AWS VPC to an SDDC Group. This simplifies network connections between SDDCs in the group and the AWS services that run in that VPC.

Although VMware Transit Connect handles all compute and management network traffic among SDDC group members, it does not automatically configure AWS route tables to send traffic originating from an external VPC or other AWS object to the SDDC group's VTGW. Network topologies that require this sort of connectivity include creation of a "security VPC" through which all traffic between the SDDC group and the Internet is routed for inspection, and any similar requirement to enable communication between AWS objects and SDDC Group members. This sort of network topology requires you to define the destination routes for traffic from the SDDC group's VTGW to the VPC, as we show in Step 8.

Attaching a VPC to the SDDC group is a multi-step process that requires you to use both the VMware Cloud Console and the AWS console. You use the VMware Cloud Console to make the VTGW (an AWS resource managed by VMware) available for sharing. You then use the AWS console to accept the shared resource and associate it with the VPCs you'd like to attach to the SDDC Group.

Procedure

  1. On the Inventory page of the VMware Cloud Console, click SDDC Groups, then click the Name of the group to which you want to attach the VPC.
  2. On the External VPC tab for the group, click ADD ACCOUNT and specify the AWS account that owns the VPC you want to attach to the group.
    This enables AWS resource sharing in that account for the VTGW.
  3. In the AWS console, open Resource Access Manager > Shared with me to accept the shared VTGW resource.
    The resource Name has the form VMC-Group-UUID and a Status of Pending. Click the resource name to open the resource Summary card, then click Accept resource share and confirm acceptance.
  4. In the VMware Cloud Console, return to the VPC Connectivity tab for the group and wait for the Status of the resource share you accepted in Step 3 to change from ASSOCIATING to ASSOCIATED.
    VPC resource association can take up to ten minutes. Once the VPC association is complete, you can attach the VTGW.
  5. Return to the AWS console Resource Access Manager to find the resource ID of the shared VTGW resource.
    It will be listed under Shared with me: Shared resources with a Resource ID of the form TGW-UUID and a Resource type of ec2:TransitGateway.
  6. Create the Transit Gateway attachment.
    1. Select the Transit Gateway ID identified in Step 5 and specify an Attachment type of VPC, and select the VPC ID you would like to connect to the SDDC group.
    2. Select a Subnet ID in each Availability Zone (AZ) that requires connectivity to the group.
      You can select only one subnet per AZ, but SDDC group members can communicate with all VPC subnets in that AZ.
    3. If the VPC is an FSx VPC as described in Configure Amazon FSx for NetApp ONTAP as External Storage, you must also select DNS support.
    4. Click Create Transit Gateway Attachment to create the attachment.
  7. In the VMware Cloud Console, return to the External VPC tab for the group and ACCEPT the shared VPC attachment.

    When the VPC status changes to PENDING_ACCEPTANCE, click ACCEPT to accept it. The status changes to AVAILABLE after the acceptance process completes. Acceptance can take up to ten minutes.

  8. Configure additional routes to the VPC.

    In the AWS console, identify the route tables associated with any subnets in the VPC that are connected to the shared VTGW and need to communicate with the SDDC Group. On the Routes tab of each route table, click Edit Routes and add each CIDR in the SDDC group as a destination with the target set to the VTGW ID you identified in Step 5. The list of CIDRs for the SDDC group can be found in the VMC Console for the SDDC group on the Routing tab, by selecting External in the Route Table drop-down.

    As an alternative to manually editing the routes, consider creating a managed prefix list and adding it to the main route table associated with the VPC. See Use a Shared Prefix List to Simplify Routing For External VPC and TGW Objects.

  9. (Optional) Configure additional destination routes to the VPC.
    When you create an SDDC group, the system creates routes for the VPC's primary CIDR and any secondary CIDRs. If you need to have destinations beyond the VPC routed through it (something you might need for a Security VPC or Transit VPC), you can define additional CIDR blocks to route to the attached VPC.

    To create or modify routing from the group's VTGW to the external VPC, open the External VPC tab, select the AWS Account ID that owns the VPC, and expand the row. If no routes have been specified, click ADD ROUTES in the Routes column to open the Edit Routes page and add one or more routes that use this VPC as a Target. Otherwise the Routes column shows the first route and the number of additional routes. Click the pencil icon to open the Edit Routes page so you can edit this list. Each prefix defines a route from the group's VTGW to the VPC listed in the VPC ID column. Each prefix also appears as a Target on the group's Routing tab. You can specify up to 100 routes to each attached VPC.
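
A pre-check for the route edits in Step 8, added here as an example and not part of the original VMware documentation: it compares one VPC route table, in the shape returned by `aws ec2 describe-route-tables`, with the SDDC group's CIDRs and sorts them into routes already present, routes to add, and routes that need review before anything is changed. The function names are hypothetical, and all IDs and CIDRs are constructed placeholders.

```python
import ipaddress

# Constructed sample in the shape of one "RouteTables" entry from
# `aws ec2 describe-route-tables`. All IDs and CIDRs are placeholders.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-EXAMPLE",
    "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
        {"DestinationCidrBlock": "10.2.0.0/16", "TransitGatewayId": "tgw-EXAMPLE", "State": "active"},
        {"DestinationCidrBlock": "10.3.0.0/16", "VpcPeeringConnectionId": "pcx-EXAMPLE", "State": "active"},
    ],
}
# Constructed stand-in for the CIDR list shown on the group's Routing tab.
SDDC_GROUP_CIDRS = ["10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16", "172.31.8.0/24"]


def plan_vtgw_routes(route_table, sddc_cidrs, vtgw_id):
    """Classify each SDDC group CIDR against one VPC route table."""
    existing = {ipaddress.ip_network(r["DestinationCidrBlock"]): r
                for r in route_table["Routes"] if "DestinationCidrBlock" in r}
    local = [net for net, r in existing.items() if r.get("GatewayId") == "local"]
    plan = {"present": [], "add": [], "conflict": [], "overlaps_local": []}
    for cidr in sddc_cidrs:
        net = ipaddress.ip_network(cidr)
        route = existing.get(net)
        if any(net.overlaps(vpc_net) for vpc_net in local):
            # The VPC's own local route covers this range: an address
            # overlap to resolve, not a route to add.
            plan["overlaps_local"].append(cidr)
        elif route is None:
            plan["add"].append(cidr)
        elif route.get("TransitGatewayId") == vtgw_id and route.get("State") == "active":
            plan["present"].append(cidr)
        else:
            # Same destination already points at another target or is blackholed.
            plan["conflict"].append(cidr)
    return plan


def as_cli(route_table_id, plan, vtgw_id):
    """Render the 'add' entries as AWS CLI commands for review (nothing is executed)."""
    return [f"aws ec2 create-route --route-table-id {route_table_id} "
            f"--destination-cidr-block {cidr} --transit-gateway-id {vtgw_id}"
            for cidr in plan["add"]]
```

Entries under `conflict` and `overlaps_local` are left out of the generated commands on purpose, since replacing an existing route or working around an address overlap is a change to review by hand.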

What to do next

  • In the AWS console, create network ACLs to manage traffic between the VPCs you've added to the group and other group members. If you want to access an AWS service running in the VPC, you might need to modify the AWS security policy for the service. See Access an S3 Bucket Using an S3 Endpoint for an example of AWS security policy configuration for the S3 service.