You can deploy an EC2 instance in your connected Amazon VPC and configure AWS security policies and compute gateway firewall rules to allow it to connect with your workload VMs.

Although this topic focusses on enabling traffic between your SDDC workloads and an EC2 instance in the Connected VPC, the modifications detailed in Step 2 and Step 3 also enable traffic between the EC2 instance and the SDDC management network. Similar AWS Security Group modifications should enable SDDC connectivity to any native AWS service that is reachable at an IP address in the Connected VPC's primary CIDR.

The default AWS Security Group in the connected VPC controls traffic from EC2 instances in the VPC to VMs in the SDDC. This traffic must also pass through the Compute Gateway firewall (and the Distributed Firewall if you're using that). All of these controls must be configured to allow the intended traffic or the connection can't be established.

When you deploy an EC2 instance, the EC2 Launch Wizard associates it with a new Security Group unless you have specified another group. A new AWS Security Group allows all outbound traffic from the instance and no inbound traffic to it. To allow a connection between an EC2 instance and a VM in your SDDC, you typically need only create inbound rules.
  • To allow traffic to be initiated from the EC2 instance to a VM in the SDDC, create an inbound rule on the default Security Group.
  • To allow traffic to be initiated from the VM to the EC2 instance, create an inbound rule on the Security Group applied to the EC2 instance.
VMware Knowledge Base article 76577 has additional information that applies to cases where the default AWS Security Group has a missing or altered allow-all rule for outbound traffic.

Bear in mind that when you use the default AWS Security Group with the instance, its inbound rules are applied to traffic both when it transits the EC2 instance and when it transits the SDDC. To allow traffic initiated by either the VM in the SDDC or the EC2 instance to reach the other, the inbound rules must allow traffic from both the EC2 instance and the VM.

Prerequisites

To complete this task, you'll need the following information:
  • The CIDR blocks of the network segments the VMs in your SDDC are connected to. Open NSX Manager and click Segments to list all SDDC network segments.
  • The connected Amazon VPC and subnet. Open NSX Manager and click Connected VPC to open the Connected Amazon VPC page, which provides this information under VPC ID and VPC Subnet.
  • If you have enabled a Managed Prefix List for the Connected VPC, open the NSX Manager Connected VPC page and retrieve the prefix list name, ID, and route tables that include it. You will need this information to complete Step e. See Enable AWS Managed Prefix List Mode for the Connected Amazon VPC for more about Managed Prefix Lists and how to use them.
This information is also available on the legacy VMware Cloud Console Networking & Security tab.

Procedure

  1. Deploy the EC2 instance in your AWS account.
    Keep in mind the following when creating the EC2 instance:
    • The EC2 instance must be in the VPC that you selected during deployment of your SDDC, or a connection can't be established over a private IP address.
    • The EC2 instance can be deployed in any subnet within the VPC, but you might incur cross-AZ traffic charges if it is in a different AZ from the one you selected during SDDC deployment.
    • If possible, select a Security Group for your EC2 instance that already has an inbound traffic rule configured as described in Step 2.
    • AWS services or instances that communicate with the SDDC must either be associated with the main route table or with a custom route table that has the Managed Prefix List for the Connected VPC added to it. See "Routing Between Your SDDC and the Connected VPC" in NSX Networking Concepts for information about how you can use an AWS Managed Prefix List to simplify maintenance of this route table when you create or delete routed network segments connected to the default CGW.
    • Workload VMs in the SDDC can communicate over the ENI connection with all subnets in the primary CIDR block of the connected VPC. VMC is unaware of other CIDR blocks in the VPC.
  2. Add inbound rules to the Security Group applied to the instance. Select the EC2 instance that you deployed in Step 1 and configure its Security Group to allow inbound traffic from the logical network or IP address associated with the VM in your SDDC.
    1. Select the instance that you deployed in Step 1.
    2. In the instance description, click the instance's Security Group and click the Inbound tab.
    3. Click Edit.
    4. Click Add Rule.
    5. In the Type dropdown menu, select the type of traffic that you want to allow.
    6. In the Source text box, select Custom and enter the IP addresses or CIDR block of VMs in the SDDC that need to communicate with the instance, or just specify the Managed Prefix List for the Connected VPC if you've created one.
    7. (Optional) Add rules as needed for additional CIDR blocks or traffic types that you want to connect to the instance from VMs in your SDDC.
    8. Click Save.
  3. (Optional) If you need to allow traffic initiated by the instance that you deployed in Step 1 to a VM in your SDDC, edit the default Security Group for the connected Amazon VPC to add inbound rules that identify the instances by CIDR block or Security Group.
    1. In the AWS console, select the default Security Group for the Connected Amazon VPC and click the Inbound tab.
    2. Click Edit.
    3. Click Add Rule.
    4. In the Type dropdown menu, select the type of traffic that you want to allow.
    5. In the Source text box, select Custom and enter the IP addresses or CIDR block of VMs in the SDDC that need to communicate with the instance.
      If all the VMs are associated with the same SDDC Inventory Group, you can specify that Group as the Source rather than using an IP address or CIDR block.
    6. (Optional) Add rules as needed for additional CIDR blocks or traffic types that you want to connect to the instance from VMs in your SDDC.
    7. Click Save.
  4. Configure the necessary compute gateway firewall rules.
    See Add or Modify Compute Gateway Firewall Rules in VMware Cloud on AWS Networking and Security.
    • To allow inbound traffic from the instances in the connected Amazon VPC, create a rule where the Source is Connected VPC Prefixes and the Destination is an inventory group containing the VMs that require inbound access from the instance.
    • To allow outbound traffic to instances in the connected Amazon VPC, create a rule where the Source is an inventory group containing the VMs that require outbound access to the instance and the Destination is Connected VPC Prefixes.
    Note: In either case, you can limit traffic to or from a subset of EC2 instances by defining a workload inventory group in your SDDC that includes only the IP addresses or CIDR blocks for those instances.
  5. (Optional) Configure distributed firewall rules.
    If any of the VMs that communicate with the instance is protected by the distributed firewall, you might need to adjust the rules for that firewall to allow the expected traffic. See Add or Modify Distributed Firewall Rules.
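The layered checks described at the top of this topic (the Security Group on the EC2 instance, the default Security Group of the Connected VPC, and the Compute Gateway firewall) and Steps 2 through 4 of the procedure, modelled as an added Python example that is not VMware's or AWS's code. The CIDRs, the instance address, the group names and the simplified rule semantics (stateful Security Groups with only inbound rules modelled, first-match CGW evaluation with an implicit drop) are constructed assumptions. `as_ip_permission()` only builds the request shape that boto3's `authorize_security_group_ingress` call takes; nothing here contacts AWS or NSX.

```python
"""
Added example, not VMware's or AWS's code: an offline model of the three
controls that a connection between an EC2 instance in the Connected VPC and
a workload VM in the SDDC has to pass. Topology, rules and the simplified
rule semantics are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed sample topology (assumption): one routed segment on the default
# CGW and the Connected VPC's primary CIDR, which is what the NSX system
# group "Connected VPC Prefixes" stands for here.
VPC_PRIMARY_CIDR = ip_network("10.20.0.0/16")
SDDC_SEGMENTS = [ip_network("192.168.10.0/24")]
CONNECTED_VPC_PREFIXES = [VPC_PRIMARY_CIDR]
EC2_INSTANCE = ip_address("10.20.1.15")
WORKLOAD_VM = ip_address("192.168.10.42")

@dataclass
class SgRule:
    """One inbound Security Group rule: protocol, port range, source CIDR."""
    proto: str          # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str         # CIDR, the "Source" value from Step 2 or Step 3

    def matches(self, src: IPv4Address, proto: str, port: int) -> bool:
        return (self.proto in (proto, "-1")
                and self.from_port <= port <= self.to_port
                and src in ip_network(self.source))

    def as_ip_permission(self) -> dict:
        """Request shape boto3's ec2.authorize_security_group_ingress() takes."""
        return {"IpProtocol": self.proto, "FromPort": self.from_port,
                "ToPort": self.to_port, "IpRanges": [{"CidrIp": self.source}]}

@dataclass
class SecurityGroup:
    """Stateful: only a connection's first packet is checked, and a new group
    allows all outbound traffic, so only inbound rules are modelled."""
    name: str
    inbound: List[SgRule] = field(default_factory=list)

    def allows_from(self, src: IPv4Address, proto: str, port: int) -> bool:
        return any(r.matches(src, proto, port) for r in self.inbound)

@dataclass
class CgwRule:
    """Compute Gateway rule; Source and Destination are CIDR lists standing in
    for an inventory group or the "Connected VPC Prefixes" group."""
    sources: List[IPv4Network]
    destinations: List[IPv4Network]
    proto: str                  # "tcp", "udp", or "any"
    port: Optional[int] = None  # None = any port
    action: str = "ALLOW"

    def matches(self, src, dst, proto, port) -> bool:
        return (any(src in n for n in self.sources)
                and any(dst in n for n in self.destinations)
                and self.proto in (proto, "any")
                and self.port in (port, None))

def cgw_decision(rules: List[CgwRule], src, dst, proto, port) -> str:
    """First match wins; anything no rule allows is dropped (assumption)."""
    for r in rules:
        if r.matches(src, dst, proto, port):
            return r.action
    return "DROP"

def blockers(initiator, responder, proto, port, instance_sg, default_sg, cgw_rules):
    """List the controls that stop a connection (empty list = allowed).
    VM-initiated traffic needs an inbound rule on the instance's group and an
    outbound CGW rule; EC2-initiated traffic needs an inbound rule on the
    default group and an inbound CGW rule. When the instance uses the default
    group, one rule list plays both roles and must admit both endpoints."""
    found = []
    if any(initiator in s for s in SDDC_SEGMENTS):     # VM -> EC2
        if not instance_sg.allows_from(initiator, proto, port):
            found.append(f"{instance_sg.name}: no inbound rule for {initiator}")
    elif not default_sg.allows_from(initiator, proto, port):  # EC2 -> VM
        found.append(f"{default_sg.name}: no inbound rule for {initiator}")
    if cgw_decision(cgw_rules, initiator, responder, proto, port) != "ALLOW":
        found.append(f"CGW: no ALLOW rule {initiator} -> {responder} {proto}/{port}")
    return found

def demo():
    """Steps 2-4 for SSH (tcp/22), checked in both directions before and after."""
    instance_sg, default_sg, cgw = SecurityGroup("sg-instance"), SecurityGroup("sg-default"), []
    def check():
        return {"vm_to_ec2": blockers(WORKLOAD_VM, EC2_INSTANCE, "tcp", 22, instance_sg, default_sg, cgw),
                "ec2_to_vm": blockers(EC2_INSTANCE, WORKLOAD_VM, "tcp", 22, instance_sg, default_sg, cgw)}
    before = check()
    instance_sg.inbound.append(SgRule("tcp", 22, 22, "192.168.10.0/24"))  # Step 2
    default_sg.inbound.append(SgRule("tcp", 22, 22, "10.20.1.15/32"))     # Step 3
    vm_group = [ip_network("192.168.10.42/32")]                           # inventory group
    cgw.append(CgwRule(vm_group, CONNECTED_VPC_PREFIXES, "tcp", 22))     # Step 4, outbound
    cgw.append(CgwRule(CONNECTED_VPC_PREFIXES, vm_group, "tcp", 22))     # Step 4, inbound
    return {"before": before, "after": check()}
```

`demo()` reports two blockers per direction before any rule exists and none afterwards; calling `blockers()` with the same `SecurityGroup` object passed as both `instance_sg` and `default_sg` reproduces the case where the instance uses the default group, in which the group needs inbound rules for both the VM's segment and the instance before traffic flows in both directions.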