Follow this workflow to configure NSX networking and security in your SDDC.

What to read next

SDDC Network Administration with NSX Manager
You can use either the NSX Web UI or the VMware Cloud Console Networking & Security tab to manage your SDDC networks.

Connecting Your On-Premises SDDC to Remote Networks
To connect your VMware Cloud on AWS SDDC to your on-premises data center or another remote network, you can create a VPN that uses the public Internet, a VPN that uses AWS Direct Connect, or use AWS Direct Connect alone.

Configure Management Gateway Networking and Security
The management network and Management Gateway are largely preconfigured in your SDDC, but you still need to configure access to management network services such as vCenter and HCX, and create management gateway firewall rules to allow traffic between the management network and other networks, including your on-premises networks and other SDDC networks.

Configure Compute Gateway Networking and Security
Compute Gateway networking includes a compute network with one or more segments and the DNS, DHCP, and security (gateway firewall and distributed firewall) configurations that manage network traffic for workload VMs. It can also include a layer 2 VPN and extended network that provides a single broadcast domain spanning your on-premises network and your SDDC workload network.

Creating and Managing SDDC Deployment Groups with VMware Transit Connect™
An SDDC deployment group uses VMware Transit Connect to provide high-bandwidth, low-latency connections between SDDCs in the group. An SDDC group can include VPCs you own. You can also add an AWS Direct Connect Gateway (DXGW) to provide connectivity between group members and your on-premises SDDCs.

Add a Custom Tier-1 Gateway to a VMware Cloud on AWS SDDC
Every new VMware Cloud on AWS SDDC includes a default Tier-1 gateway named the Compute Gateway (CGW). You can create and configure additional custom Tier-1 gateways if you need them. Each Tier-1 gateway sits between the SDDC Tier-0 gateway and an arbitrary number of compute network segments.

Enabling and Using IPv6 in SDDC Networks
Beginning with SDDC Version 1.22, you can enable dual-stack (IPv4 and IPv6) networking in a new SDDC.

Configure a Multi-Edge SDDC With Traffic Groups
In the default configuration, your SDDC network has a single edge (T0) router through which all North-South traffic flows. This edge supports the default traffic group, which is not configurable. If you need additional bandwidth for the subset of this traffic routed to SDDC group members, a Direct Connect Gateway attached to an SDDC group, a VMware HCX Service Mesh, or the Connected VPC, you can reconfigure your SDDC to be Multi-Edge by creating traffic groups, each of which creates an additional T0 router.

Enable AWS Managed Prefix List Mode for the Connected Amazon VPC
AWS Managed Prefix List Mode can simplify route table management in a Multi-Edge SDDC and enable support in any SDDC for custom route tables and route aggregation.

Aggregate and Filter Routes to Uplinks
Use route aggregation and egress filtering to control the set of routes advertised to SDDC network uplinks such as Direct Connect, VMware Transit Connect, and the Connected VPC. You need this when you have to reduce the number of entries in a VPC route table or limit the set of routes that are advertised to uplinks.

View Routes Learned and Advertised over VMware Transit Connect
In an SDDC that is a member of an SDDC Group, you can open the Transit Connect page to view routes learned and advertised by the VMware Transit Connect instance created for the group.

View Statistics and Manage Settings for Uplinks
The Global Configuration page includes controls that allow you to view traffic statistics and manage Maximum Transmission Unit (MTU) and Unicast Reverse Path Forwarding (URPF) settings for SDDC network uplinks.

Working With Inventory Groups
VMware Cloud on AWS network administrators can use NSX inventory objects to define collections of services, groups, context profiles, and virtual machines to use in firewall rules.

Managing Workload Connections
Workload VMs on routed segments or HCX extended networks with MON enabled can connect to the Internet by default. NAT rules, Compute Gateway firewall rules, and distributed firewall rules, as well as default routes advertised by a VPN, DX, or VTGW connection, all give you fine-grained control over Internet access.