Attach an AWS Transit Gateway to an SDDC Group to enable SDDC Group members to facilitate network connections between SDDCs in the group and AWS services that run in any VPC in any region.

Attaching an AWS Transit Gateway (TGW) to an SDDC group is a multi-step process that requires you to use both the VMware Cloud Console and the AWS console. You use the VMware Cloud Console to request access to an existing TGW, then you use the AWS console to attach it to the SDDC Group's VTGW. Unlike a VTGW, which is an AWS resource managed by VMware, a TGW is a pure AWS resource that you can consume and manage on your own. See Getting started with transit gateways in the AWS documentation.

Procedure

  1. On the Inventory page of the VMware Cloud Console, click SDDC Groups, then click the Name of the group to which you want to attach the AWS TGW.
  2. On the External TGW tab for the group, click ADD TGW and provide the required parameter and value information.
    Parameter          Value
    AWS account ID     The AWS account that owns the TGW.
    TGW ID             The AWS ID of the TGW. You can use an existing TGW owned by the specified AWS account or create a new one in that account.
    TGW Location       The AWS region where the TGW resides.
    VMC on AWS Region  The AWS region where the SDDC group resides.
    Routes             AWS resource destination prefixes reachable via this peering connection.
    Click ADD to add the TGW as a peer to the group's VTGW. When the Status column changes to PENDING_ACCEPTANCE, proceed to Step 3.
  3. Log in to the AWS console with administrator credentials for the AWS Account ID you specified in Step 2.
    In the AWS console, navigate to Transit Gateway Attachments, select the attachment whose TGW ID matches the one you specified in Step 2, and click Accept Transit Gateway Attachment.
  4. In the VMware Cloud Console, return to the External TGW tab for the group and verify that the TGW State has changed to ASSOCIATED.
  5. (Optional) Associate an AWS route table with the attached TGW.
    Peering sessions for the new TGW require the TGW attachment to be associated with an AWS route table. In some environments, a route table won't be associated with the attachment by default, so you'll need to use the AWS console to associate a route table with the attachment. See "Add routes between the transit gateway and your VPCs" in Getting started with transit gateways.
  6. Create CGW firewall rules to enable workload traffic through the TGW.
  7. Configure additional source and destination routes in the SDDC or AWS routing tables.

    To create or modify routing from the group's VTGW to the external TGW, open the External TGW tab. Select the AWS Account ID that owns the TGW and expand the row. If any routes have already been specified, the Routes column shows the first route and the number of additional routes; click the pencil icon to open the Edit Routes page so you can edit this list. Otherwise, click ADD ROUTES in the Routes column to open the Edit Routes page. Add CIDR prefixes specifying routes to native AWS subnets via the external TGW. Each prefix defines a route from the group's VTGW to the external TGW listed in the TGW Peering Attachment ID column. Each prefix also appears as a Target on the group's Routing tab. You can specify up to 100 routes to each attached TGW.

    As an alternative to manually editing the routes, consider creating a managed prefix list and adding it to the main route table associated with the TGW. See Use a Shared Prefix List to Simplify Routing For External VPC and TGW Objects.
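    The acceptance in Step 3 and the route list in Step 7 are the two points in this procedure where a slip widens what the SDDC group can reach, so the following is an added Python example (not VMware's or AWS's own code) that scripts the checks an operator would otherwise do by eye in the consoles: it validates a route list against the 100-route limit and picks out exactly one pending peering attachment that belongs to the expected TGW and region. The TGW ID, region, attachment IDs and the describe-response sample are constructed placeholders, and the dictionary shape is assumed to match what the EC2 DescribeTransitGatewayPeeringAttachments API returns.

```python
import ipaddress
from typing import Iterable, List, Optional

# Limit stated in the procedure: at most 100 routes to each attached TGW.
MAX_ROUTES_PER_TGW = 100

# Constructed values for this example; replace with your own TGW ID and region.
TGW_ID = "tgw-0123456789abcdef0"
TGW_REGION = "us-west-2"

# Constructed sample shaped like EC2 DescribeTransitGatewayPeeringAttachments output
# (assumed shape: State plus an AccepterTgwInfo block with TransitGatewayId/Region).
SAMPLE_ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-0aaaaaaaaaaaaaaaa", "State": "pendingAcceptance",
     "AccepterTgwInfo": {"TransitGatewayId": TGW_ID, "Region": TGW_REGION}},
    {"TransitGatewayAttachmentId": "tgw-attach-0bbbbbbbbbbbbbbbb", "State": "pendingAcceptance",
     "AccepterTgwInfo": {"TransitGatewayId": "tgw-0fedcba9876543210", "Region": TGW_REGION}},
    {"TransitGatewayAttachmentId": "tgw-attach-0cccccccccccccccc", "State": "available",
     "AccepterTgwInfo": {"TransitGatewayId": TGW_ID, "Region": TGW_REGION}},
]


def validate_routes(prefixes: Iterable[str]) -> List[str]:
    """Check the CIDR list before entering it on the Edit Routes page: rejects
    malformed prefixes, host bits set (e.g. 10.1.2.3/24), duplicates, and more
    than 100 entries. Returns the normalised prefixes in the order given."""
    seen: List[ipaddress.IPv4Network] = []
    for raw in prefixes:
        net = ipaddress.ip_network(raw.strip(), strict=True)  # ValueError if malformed
        if net.version != 4:
            raise ValueError(f"{raw}: only IPv4 prefixes are routed to the TGW")
        if net in seen:
            raise ValueError(f"{raw}: duplicate route")
        seen.append(net)
    if len(seen) > MAX_ROUTES_PER_TGW:
        raise ValueError(f"{len(seen)} routes exceeds the {MAX_ROUTES_PER_TGW}-route limit")
    return [str(n) for n in seen]


def select_pending_attachment(attachments: List[dict], tgw_id: str, region: str) -> Optional[str]:
    """Step 3 done carefully: return the one attachment that is pendingAcceptance
    and whose accepter side is exactly our TGW in the expected region. Zero or
    several matches returns None so that nothing unexpected gets accepted."""
    matches = [
        a["TransitGatewayAttachmentId"] for a in attachments
        if a.get("State") == "pendingAcceptance"
        and a.get("AccepterTgwInfo", {}).get("TransitGatewayId") == tgw_id
        and a.get("AccepterTgwInfo", {}).get("Region") == region
    ]
    return matches[0] if len(matches) == 1 else None
```

    The attachment ID returned by select_pending_attachment is the one to pass to the AWS accept call (or to select in the console); a None result means stop and inspect the pending attachments rather than accept anything.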

What to do next

See Getting Started with VMware Transit Connect Intra-Region Peering for VMware Cloud on AWS for example topologies and workflow suggestions.