An SDDC deployment group uses VMware Transit Connect to provide high-bandwidth, low-latency connections between SDDCs in the group. An SDDC group can include VPCs you own. You can also add an AWS Direct Connect Gateway (DXGW) to provide connectivity between group members and your on-premises SDDCs.

An SDDC deployment group (SDDC Group) is a logical entity designed to simplify management of your organization's VMware Cloud on AWS resources at scale. Collecting SDDCs into an SDDC Group provides a number of benefits to an organization with multiple SDDCs whose workloads need a high-bandwidth, low-latency connection to each other. All network traffic between group members travels over a VMware Transit Connect network. Routing between compute networks of all SDDCs in a group is managed automatically by VMware Transit Connect as subnets are added and deleted. You control network traffic among group member workloads with compute gateway firewall rules. For a detailed discussion of VMware Transit Connect and SDDC Group architecture and planning see the VMware Tech Zone designlet VMware Transit Connect for VMware Cloud on AWS.

Any organization member who has a VMC service role of Administrator or Administrator (Delete Restricted) can create or modify an SDDC Group.

Group Membership

SDDC groups are an organization-level object. An SDDC group cannot contain SDDCs from more than one organization. An SDDC group can include members from up to three AWS regions. An administrator can also create connections among SDDC groups in the organization. These group interconnections can span up to three regions and include up to three groups.

An SDDC must meet several criteria to be eligible for group membership:
  • Its management network CIDR block cannot overlap the management CIDR block of any other group member.
  • It cannot be a member of another SDDC Group.
While you can create a group with a single member, most practical applications of SDDC Groups require two or more members.

Hybrid Linked Mode over a VPN connection is incompatible with SDDC groups. If you add an SDDC that you've configured to use Hybrid Linked Mode over a VPN connection, the connection will fail and you won't be able to use Hybrid Linked Mode with that SDDC. Hybrid Linked Mode over a DX connection is unaffected when an SDDC is added to a group.

Internal Group Connectivity Using VMware Transit Connect

Peer connectivity among SDDC group members requires a VMware Managed Transit Gateway (VTGW). This is an AWS resource owned and managed by VMware. Adding the first member to an SDDC Group creates one of these resources and assigns it to the group. Creation and operation of a VTGW incurs additional charges on your VMware Cloud on AWS bill. When a group has members in more than one region, a VTGW is created in each of those regions.

Figure 1. VMware Transit Connect Connects SDDCs in the Group With Each Other
Diagram of an SDDC group with two SDDCs connected through the VTGW.

Members can be added to and removed from a group as needed. You cannot remove a group until all members have been removed. Removing the group also destroys the group's VMware Managed Transit Gateway.

Attaching a VPC to an SDDC Group

Attaching a VPC to an SDDC group simplifies network connections between SDDCs in the group and AWS services that run in that VPC. You use the VMware Cloud Console to make the VTGW (an AWS resource) available for sharing, then use the AWS console to accept the shared resource and associate it with the VPCs you'd like to attach to the SDDC Group. VTGW connections to attached VPCs do not span regions in a multi-region group.

Figure 2. Using VMware Transit Connect to Attach a VPC to an SDDC Group
Diagram of an SDDC group with two SDDCs and an AWS VPC, connected through the vTGW

External Group Connectivity Using AWS Direct Connect Gateway

To provide network connectivity between the group and external endpoints such as on-premises SDDCs, associate an AWS Direct Connect Gateway (DXGW) with the VMware Managed Transit Gateway created for the group. Unlike the Direct Connect (DX) configuration that you can use to connect your on-premises SDDC with a standalone VMware Cloud on AWS SDDC, the DXGW that you associate with the VTGW provides DX-level connectivity to all SDDC group members.

Figure 3. An AWS Direct Connect Gateway Connects the SDDC Group to On-Premises SDDCs
Diagram showing an AWS Direct Connect Gateway providing connections between an SDDC group and an on-premises SDDC.

Group SDDCs from Multiple Regions

A multi-region SDDC group provides the same kinds of connectivity as a single-region SDDC group, including connections to VPCs and on-premises data centers. When a group has members in more than one region, group creation provisions a VTGW in each of those regions and connects it to the group members in that region. These VTGWs are peered with each other so that all group members share a single routed IP address space. VPC attachments are the exception: an attachment is valid only within the region of the VPC, and SDDC group members in other regions cannot reach that VPC over the VTGW.
Figure 4. Multi-Region SDDC Group
Diagram showing two SDDCs in different regions. Their VTGWs are connected to each other, and to a DX gateway connected to an on-premises data center.

Group-to-Group Connections

An organization that has SDDC groups spread across two or three AWS regions can improve administrative control over routing between workloads in those SDDC groups by peering the groups' VTGWs with each other. The Connectivity between SDDC Groups workflow automates peering of up to three VTGW instances. See Connect SDDC Groups in VMware Cloud on AWS.

Routing and Peering

SDDC group members advertise their local network segments, which are added to the route tables of the SDDC's Tier-0 router and the group's VTGW. To view or download a list of VMware Transit Connect routes learned and advertised by a member SDDC, open NSX Manager or the legacy Networking & Security tab and click Transit Connect. See View Routes Learned and Advertised over VMware Transit Connect. Peering between VTGW instances is supported within the same region or across different regions.

To view the routes learned and advertised by all SDDCs in the group, click the Routing tab and use the drop-down control to choose a view. Select Members to view routes for traffic originating in a member SDDC, or External to view routes for traffic originating at an external endpoint such as a VPC or Direct Connect Gateway. External routes carry traffic originating from an external endpoint like a VPC or DXGW to an SDDC group member. Members routes carry traffic originating in a member SDDC; their destinations include other SDDC group members as well as external endpoints.

SDDCs in the group learn routes to the networks advertised by other SDDCs in the group and those advertised over the group's DXGW. They also learn the CIDRs for any VPCs attached to the group. Because AWS imposes a limit of 20 prefixes that can be advertised by a DXGW to an external endpoint like an on-premises SDDC, the CIDR block prefixes of all SDDC group members must fall within a range that can be summarized without exceeding that limit.
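The two address-plan constraints above (non-overlapping management CIDRs from the membership criteria, and the 20-prefix DXGW limit) are easy to check before touching the console. The following is an added example, not VMware code: it takes a constructed plan of hypothetical SDDCs, reports overlapping management CIDRs, collapses the networks the group would advertise, and if they still exceed the limit, merges them into the smallest covering supernets. It assumes (an assumption, not stated by the page) that each member advertises its management CIDR plus its compute segments over the DXGW.

```python
"""Pre-flight address-plan check for a proposed SDDC group.

Added example, not VMware code. Checks the two constraints described above:
management CIDRs of members must not overlap, and everything the group
advertises through a DXGW must fit AWS's 20-prefix limit, summarising if needed.
"""
from ipaddress import ip_network, collapse_addresses
from itertools import combinations

# AWS limit on the prefixes a Direct Connect Gateway advertises to on-premises.
DXGW_PREFIX_LIMIT = 20

# Constructed sample plan; SDDC names, CIDRs and segments are hypothetical.
# Assumption: each member advertises its management CIDR and compute segments.
MEMBERS = {
    "sddc-west-a": {"management": "10.2.0.0/20",
                    "compute": ["192.168.10.0/24", "192.168.11.0/24"]},
    "sddc-west-b": {"management": "10.2.16.0/20",
                    "compute": ["192.168.12.0/24", "192.168.13.0/24"]},
    "sddc-east-a": {"management": "10.3.0.0/20",
                    "compute": ["192.168.20.0/23"]},
}


def overlapping_pairs(named_networks):
    """Return sorted name pairs whose networks overlap.

    `named_networks` maps a label to a CIDR string. A non-empty result for the
    members' management CIDRs means the group cannot be formed as planned.
    """
    nets = {name: ip_network(cidr) for name, cidr in named_networks.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def advertised_prefixes(members):
    """Prefixes the group would advertise over the DXGW, after collapsing
    exactly adjacent blocks (e.g. two /24s that form an aligned /23)."""
    nets = []
    for m in members.values():
        nets.append(ip_network(m["management"]))
        nets.extend(ip_network(c) for c in m["compute"])
    return sorted(collapse_addresses(nets))


def smallest_common_supernet(a, b):
    """Walk `a` up to the first supernet that also contains `b`."""
    s = a
    while not b.subnet_of(s):
        s = s.supernet()
    return s


def covering_prefixes(nets, limit=DXGW_PREFIX_LIMIT):
    """Reduce `nets` to at most `limit` prefixes.

    Repeatedly merges the pair with the smallest common supernet. The result
    covers every input but may also cover address space that is not in use;
    the on-premises side will route that space toward the DXGW, so review the
    output before configuring it on the association.
    """
    nets = sorted(collapse_addresses(nets))
    while len(nets) > limit:
        s, a, b = max(((smallest_common_supernet(a, b), a, b)
                       for a, b in combinations(nets, 2)),
                      key=lambda t: t[0].prefixlen)
        nets = sorted(collapse_addresses(
            [n for n in nets if n not in (a, b)] + [s]))
    return nets


def check_plan(members, limit=DXGW_PREFIX_LIMIT):
    """Summarise the plan: overlaps, raw prefix count and the prefixes to
    configure on the DXGW association."""
    overlaps = overlapping_pairs(
        {n: m["management"] for n, m in members.items()})
    advertised = advertised_prefixes(members)
    return {
        "management_overlaps": overlaps,
        "advertised_count": len(advertised),
        "dxgw_prefixes": covering_prefixes(advertised, limit),
        "fits_without_summarising": len(advertised) <= limit,
    }


if __name__ == "__main__":
    for key, value in check_plan(MEMBERS).items():
        print(f"{key}: {value}")
```

`overlapping_pairs` is deliberately generic so the same check can be run over compute segments or VPC CIDRs, not only management CIDRs. Summarisation is a trade-off: every supernet you configure on the DXGW association pulls the whole covered range toward the group from on-premises, so a plan whose members sit in one contiguous block (here 10.2.0.0/19 for the two western SDDCs) keeps the advertised set small without over-covering.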

VMware Transit Connect enforces several routing policies:
  • Traffic originating from member SDDCs can be routed to other member SDDCs as well as to VPCs and Direct Connect Gateways attached to the group in the same region as the originating SDDC.
  • Traffic originating from VPCs or Direct Connect Gateways attached to the group can be routed only to SDDCs in the group that are in the same region as the originating VPC or Direct Connect Gateway.
  • Traffic between VPCs or between a VPC and the Direct Connect Gateway is blocked.
When an SDDC becomes a member of an SDDC group, several aspects of existing SDDC networking change:
  • Routes advertised by a route-based VPN are preferred over routes advertised by VMware Transit Connect or a DXGW. However, all outbound traffic from ESXi hosts to destinations outside the SDDC network is routed to the VTGW or private VIF regardless of other routing configurations in the SDDC. This includes vMotion and vSphere Replication traffic. You must ensure that inbound traffic to ESXi hosts is also routed over the DXGW interface so that the inbound and outbound traffic paths are symmetrical.
  • If the same route is advertised over the VTGW and DX, the VTGW path is preferred. This includes routes from a DXGW connected to the VTGW.
  • The maximum MTU for intranet traffic among group members is limited to 8500 bytes. An MTU of up to 8900 bytes can still be used for traffic internal to the SDDC, or over DX. See Create a Private Virtual Interface for SDDC Management and Compute Network Traffic.
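The routing policies and route preferences in the two lists above are simple enough to encode, which makes it possible to enumerate the flows a planned topology will silently lose before anything is attached. The following is an added example, not VMware's implementation: `flow_permitted` applies the three Transit Connect routing policies, `blocked_flows` lists every ordered pair of endpoints in a constructed two-region plan that the VTGW will not forward, and `preferred_source` applies the stated preference for the same prefix (route-based VPN over Transit Connect, and Transit Connect, including a DXGW attached to the VTGW, over a Direct Connect private VIF). The endpoint names, regions and prefixes are hypothetical; the model does not cover longest-prefix matching or the ESXi host outbound path described above.

```python
"""Reachability and path-preference model for VMware Transit Connect.

Added example, not VMware's implementation: it encodes the routing policies
and route preferences listed above so a planned topology can be checked
before SDDCs, VPCs and DXGWs are attached.
"""
from dataclasses import dataclass
from itertools import permutations

# Route sources in order of preference for the same prefix, as described
# above: route-based VPN first, then Transit Connect (which includes a DXGW
# attached to the VTGW), then a Direct Connect private VIF.
ROUTE_PREFERENCE = ("vpn", "vtgw", "dx")


@dataclass(frozen=True)
class Endpoint:
    name: str
    kind: str    # "sddc", "vpc" or "dxgw"
    region: str


def flow_permitted(src: Endpoint, dst: Endpoint) -> bool:
    """Does Transit Connect forward traffic from src to dst?"""
    if src.kind == "sddc" and dst.kind == "sddc":
        return True                          # peered VTGWs span regions
    if src.kind == "sddc" or dst.kind == "sddc":
        return src.region == dst.region      # SDDC <-> VPC/DXGW: same region only
    return False                             # VPC <-> VPC and VPC <-> DXGW blocked


def blocked_flows(endpoints):
    """All ordered (src, dst) name pairs the VTGW will not forward."""
    return sorted((a.name, b.name) for a, b in permutations(endpoints, 2)
                  if not flow_permitted(a, b))


def preferred_source(prefix_sources):
    """Pick the winning source for each prefix learned from several places.

    `prefix_sources` maps a prefix to the set of sources it was learned from
    ("vpn", "vtgw" or "dx"). Returns a mapping prefix -> chosen source.
    """
    chosen = {}
    for prefix, sources in prefix_sources.items():
        for candidate in ROUTE_PREFERENCE:
            if candidate in sources:
                chosen[prefix] = candidate
                break
        else:
            raise ValueError(f"unknown route sources for {prefix}: {sources}")
    return chosen


# Constructed two-region plan; names and regions are hypothetical.
PLAN = [
    Endpoint("sddc-west", "sddc", "us-west-2"),
    Endpoint("sddc-east", "sddc", "us-east-1"),
    Endpoint("vpc-shared-services", "vpc", "us-west-2"),
    Endpoint("dxgw-onprem", "dxgw", "us-east-1"),
]

if __name__ == "__main__":
    for src, dst in blocked_flows(PLAN):
        print(f"blocked: {src} -> {dst}")
    print(preferred_source({"172.16.0.0/16": {"vtgw", "dx"},
                            "10.50.0.0/16": {"vpn", "vtgw"}}))
```

Running it on the constructed plan shows the consequence of the same-region rule in a two-region group: the eastern SDDC cannot reach the western shared-services VPC, and the western SDDC cannot reach on-premises through the eastern DXGW, even though the two SDDCs reach each other over the peered VTGWs. If both SDDCs need the VPC or the on-premises link, the VPC must be attached (or a DXGW associated) in each region.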