You can deploy an EC2 instance in your connected Amazon VPC and configure security policies and firewall rules to allow a connection between that instance and a VM in your SDDC.

When you deploy an instance, it uses the default security group unless you have specified a custom security group. The default security group is associated with the SDDC ENI, so inbound rules in this group control traffic flows to the SDDC and outbound rules control traffic flows to the instance. For other security groups associated with the instance, inbound rules control traffic flows from the SDDC to the instance, and outbound rules control traffic flows from the instance to the SDDC.

Prerequisites

To complete this task, you need the following information:

  • The CIDR block for the logical network or networks that the VMs in your SDDC are using. You can find this in the Logical Networks section of the Networking tab in the VMC Console.
    (Figure: the Logical Networks section of the Networking tab, showing the logical networks and their CIDR blocks.)

  • The Amazon VPC and subnet that you connected to your SDDC during SDDC deployment. You can find this in the Connected Amazon VPC section of the Networking tab in the VMC Console.
    (Figure: the Connected Amazon VPC section of the Networking tab, showing the connected AWS VPC and subnet.)

Procedure

  1. Deploy the EC2 instance in your AWS account.

    Keep in mind the following when creating the EC2 instance:

    • The EC2 instance must be in the VPC that you selected during deployment of your SDDC, or a connection can't be established over a private IP address.

    • The EC2 instance can be deployed in any subnet within the VPC, but you might incur cross-AZ traffic charges if it is a different AZ than the one you selected during SDDC deployment.

    • If possible, select a security group for your EC2 instance that already has an inbound traffic rule configured as described in Step 2.

    • The VPC subnet(s) used for the SDDC, as well as any VPC subnets on which AWS services or instances communicate with the SDDC, must all be associated with the VPC's main route table.

  2. Add inbound rules to the default security group. Select the EC2 instance that you deployed in Step 1 and configure its default security group to allow inbound traffic from the logical network or IP address associated with the VM in your SDDC.

    Do not modify any outbound rules in this group.

    1. In the instance description, click the instance's security group and click the Inbound tab.
    2. Click Edit.
    3. Click Add Rule.
    4. In the Type dropdown menu, select the type of traffic that you want to allow.
    5. In the Source text box, select Custom and enter the CIDR block for instances that communicate with VMs in your SDDC.

      If it's easier to identify the instances by a security group than by a CIDR block, you can specify the security group as the Source.

    6. (Optional) Add rules as needed for additional CIDR blocks or traffic types that you want to connect to VMs in your SDDC.
    7. Click Save.
  3. (Optional) If you need to enable traffic from the instance that you deployed in Step 1 to access a VM in your SDDC, configure a custom security group for the instance that allows traffic to and from the logical network associated with the VM in your SDDC, then follow sub-steps 2 through 7 of Step 2 to add inbound rules that identify the instances by CIDR block or security group.
  4. Configure a compute gateway firewall rule to allow inbound traffic from the connected Amazon VPC.
    1. Select Networking & Security > Edge Firewall > Compute Gateway.
    2. Click Add New Rule.
    3. Give the new rule a Name.
    4. For the Source, enter the CIDR block for instances that communicate with VMs in your SDDC.
    5. For the Destination, select Connected VPC Prefixes.
    6. Specify the protocols you want to allow and set the Action to Allow.
    7. For Applied to, select VPC Interface.
    8. Publish the rule.
  5. Configure a compute gateway firewall rule to allow outbound traffic to the connected Amazon VPC.
    1. Select Networking & Security > Edge Firewall > Compute Gateway.
    2. Click Add New Rule.
    3. Give the new rule a Name.
    4. For the Source, enter Connected VPC Prefixes.
    5. For the Destination, enter the CIDR block for instances that communicate with VMs in your SDDC.
    6. Specify the protocols you want to allow and set the Action to Allow.
    7. For Applied to, select VPC Interface.
    8. Publish the rule.
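Steps 2 and 3 above are done in the console, and the usual mistake is a security group that admits the SDDC logical network as intended but also carries an older "all traffic from anywhere" rule, so the CIDR scoping never actually takes effect. The following added example (not part of this documentation page and not VMware or AWS code) audits a security group offline: it takes an entry shaped like the output of `aws ec2 describe-security-groups` (the field names are the real API's; the group IDs, CIDRs and ports are constructed for this example), reports which inbound rules admit a given source CIDR or source security group on a protocol and port, flags open-world rules, and confirms that the outbound rules are still AWS's default, as Step 2 requires.

```python
import ipaddress

# Constructed sample shaped like one entry of `aws ec2 describe-security-groups`
# output. Field names are AWS's; group IDs, CIDRs and ports are made up.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        # Step 2: admit the SDDC logical network (constructed CIDR) on SSH
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "192.168.1.0/24"}], "UserIdGroupPairs": []},
        # Step 2 alternative: identify peers by security group instead of CIDR
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
        # A leftover "all traffic from anywhere" rule that an audit should flag
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
    # AWS's default egress rule, left untouched as the procedure instructs
    "IpPermissionsEgress": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}

OPEN_WORLD = {"0.0.0.0/0", "::/0"}


def _rule_cidrs(perm):
    """All source CIDRs on a permission entry (IPv4 and IPv6 lists)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _protocol_port_match(perm, protocol, port):
    """True if a permission entry covers the given protocol and port."""
    if perm["IpProtocol"] == "-1":          # "-1" means all protocols and ports
        return True
    if perm["IpProtocol"] != protocol:
        return False
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    return lo == -1 or lo <= port <= hi     # -1 means all ports for this protocol


def _cidr_covered(src_cidr, rule_cidr):
    """True if every address in src_cidr lies inside rule_cidr."""
    src = ipaddress.ip_network(src_cidr, strict=False)    # a bare host becomes /32
    rule = ipaddress.ip_network(rule_cidr, strict=False)
    return src.version == rule.version and src.subnet_of(rule)


def matching_inbound_rules(group, protocol, port, src_cidr=None, src_sg=None):
    """Indices of inbound rules admitting traffic from the given source
    (a CIDR block or a security group ID) on protocol/port."""
    hits = []
    for idx, perm in enumerate(group["IpPermissions"]):
        if not _protocol_port_match(perm, protocol, port):
            continue
        by_cidr = src_cidr is not None and any(
            _cidr_covered(src_cidr, c) for c in _rule_cidrs(perm))
        by_group = src_sg is not None and any(
            p["GroupId"] == src_sg for p in perm.get("UserIdGroupPairs", []))
        if by_cidr or by_group:
            hits.append(idx)
    return hits


def open_world_inbound_rules(group):
    """Indices of inbound rules whose source is the entire IPv4 or IPv6 internet."""
    return [idx for idx, perm in enumerate(group["IpPermissions"])
            if any(c in OPEN_WORLD for c in _rule_cidrs(perm))]


def without_open_world_inbound(group):
    """Copy of the group with open-world inbound rules removed, i.e. the state in
    which the CIDR-scoped rules from Step 2 are the only way in."""
    drop = set(open_world_inbound_rules(group))
    return {**group, "IpPermissions": [
        p for i, p in enumerate(group["IpPermissions"]) if i not in drop]}


def egress_is_default(group):
    """True if the outbound rules are exactly AWS's default allow-all rule."""
    egress = group.get("IpPermissionsEgress", [])
    return (len(egress) == 1 and egress[0]["IpProtocol"] == "-1"
            and _rule_cidrs(egress[0]) == ["0.0.0.0/0"])


if __name__ == "__main__":
    sddc_net = "192.168.1.0/24"   # constructed SDDC logical network CIDR
    print("SSH from SDDC network admitted by rules:",
          matching_inbound_rules(SAMPLE_GROUP, "tcp", 22, src_cidr=sddc_net))
    print("Open-world inbound rules:", open_world_inbound_rules(SAMPLE_GROUP))
    print("Outbound rules untouched:", egress_is_default(SAMPLE_GROUP))
```

Run against a real group by feeding the `SecurityGroups[0]` object from the describe call into the same functions. A non-empty result from `open_world_inbound_rules` means the source restriction configured in Step 2 is not what is actually enforced; a `False` from `egress_is_default` means someone has changed the outbound rules the procedure says to leave alone.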