You can deploy an EC2 instance in your connected Amazon VPC and configure AWS security policies and compute gateway firewall rules to allow a connection between VMs in your SDDC and that instance.

The default AWS Security Group in the connected VPC controls traffic from EC2 instances in the VPC to VMs in the SDDC. This traffic must also pass through the Compute Gateway firewall (and the Distributed Firewall if you're using that). All of these controls must allow the intended traffic for a connection to be established.

When you deploy an EC2 instance, the EC2 Launch Wizard associates it with a new Security Group unless you have specified another group. A new AWS Security Group allows all outbound traffic from the instance and no inbound traffic to it. To allow a connection between an EC2 instance and a VM in your SDDC, you typically need only create inbound rules.
  • To allow traffic to be initiated from the EC2 instance to a VM in the SDDC, create an inbound rule on the default Security Group.
  • To allow traffic to be initiated from the VM to the EC2 instance, create an inbound rule on the Security Group applied to the EC2 instance.

Bear in mind that when you use the default AWS Security Group with the instance, its inbound rules are applied to traffic both when it transits the EC2 instance and when it transits the SDDC. To allow traffic initiated by either the VM in the SDDC or the EC2 instance to reach the other, the inbound rules must allow inbound traffic from both the EC2 instance and the VM.

Prerequisites

To complete this task, you need the following information:

  • The CIDR blocks of the network segments the VMs in your SDDC are connected to. Click Segments on the Networking & Security tab to list all segments.
  • The connected Amazon VPC and subnet. Click Connected VPC in the System category on the Networking & Security tab to open the Connected Amazon VPC page, which provides this information under VPC ID and VPC Subnet.

Procedure

  1. Deploy the EC2 instance in your AWS account.
    Keep in mind the following when creating the EC2 instance:
    • The EC2 instance must be in the VPC that you selected during deployment of your SDDC, or a connection can't be established over a private IP address.
    • The EC2 instance can be deployed in any subnet within the VPC, but you might incur cross-AZ traffic charges if it is in a different AZ than the one you selected during SDDC deployment.
    • If possible, select a Security Group for your EC2 instance that already has an inbound traffic rule configured as described in Step 2.
    • The VPC subnet(s) used for the SDDC, as well as any VPC subnets on which AWS services or instances communicate with the SDDC, must all be associated with the VPC's main route table.
    • Workload VMs in the SDDC can communicate over the ENI connection with all subnets in the primary CIDR block of the connected VPC. VMC is unaware of other CIDR blocks in the VPC.
  2. Add inbound rules to the Security Group applied to the instance. Select the EC2 instance that you deployed in Step 1 and configure its Security Group to allow inbound traffic from the logical network or IP address associated with the VM in your SDDC.
    1. Select the instance that you deployed in Step 1.
    2. In the instance description, click the instance's Security Group and click the Inbound tab.
    3. Click Edit.
    4. Click Add Rule.
    5. In the Type dropdown menu, select the type of traffic that you want to allow.
    6. In the Source text box, select Custom and enter the IP addresses or CIDR block of VMs in the SDDC that need to communicate with the instance.
    7. (Optional) Add rules as needed for additional CIDR blocks or traffic types you want to connect to the instance from VMs in your SDDC.
    8. Click Save.
  3. (Optional) If you need to allow traffic initiated by the instance that you deployed in Step 1 to a VM in your SDDC, edit the default Security Group for the connected Amazon VPC to add inbound rules that identify the instances by CIDR block or Security Group.
    1. In the AWS console, select the default Security Group for the Connected Amazon VPC and click the Inbound tab.
    2. Click Edit.
    3. Click Add Rule.
    4. In the Type dropdown menu, select the type of traffic that you want to allow.
    5. In the Source text box, select Custom and enter the IP addresses or CIDR block of VMs in the SDDC that need to communicate with the instance.
      If all the VMs are associated with the same SDDC Inventory Group, you can specify that Group as the Source rather than using an IP address or CIDR block.
    6. (Optional) Add rules as needed for additional CIDR blocks or traffic types you want to connect to the instance from VMs in your SDDC.
    7. Click Save.
  4. Configure the necessary compute gateway firewall rules.
    See Add or Modify Compute Gateway Firewall Rules in VMware Cloud on AWS Networking and Security.
    • To allow inbound traffic from the instances in the connected Amazon VPC, create a rule where the Source is Connected VPC Prefixes and the Destination is an inventory group containing the VMs that require inbound access from the instance.
    • To allow outbound traffic to instances in the connected Amazon VPC, create a rule where the Source is an inventory group containing the VMs that require outbound access to the instance and the Destination is Connected VPC Prefixes.
    Note: In either case, you can limit traffic to or from a subset of EC2 instances by defining a workload inventory group in your SDDC that includes only the IP addresses or CIDR blocks for those instances.
  5. (Optional) Configure distributed firewall rules.
    If any of the VMs that communicate with the instance is protected by distributed firewall, you might need to adjust the rules for that firewall to allow the expected traffic. See Add or Modify Distributed Firewall Rules.
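The following added example is not part of the VMware documentation; it models the control points from Steps 2 through 4 (the instance's Security Group, the connected VPC's default Security Group, and the Compute Gateway firewall) as a pre-check that reports which layer blocks a given flow. All CIDRs, inventory group names and rules in it are constructed sample values.

```python
import ipaddress
from collections import namedtuple

CONNECTED_VPC_PREFIXES = "Connected VPC Prefixes"   # NSX system group named in Step 4
SgRule = namedtuple("SgRule", "proto port source_cidr")          # inbound AWS SG rule
CgwRule = namedtuple("CgwRule", "source dest proto port action")  # CGW rule, ordered

def _in_any(ip, cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)

def _sg_allows(rules, proto, port, src_ip):
    # Security Groups are stateful: only the initiating side needs an inbound rule,
    # and that rule must name the initiator as its source.
    return any((r.proto, r.port) == (proto, port) and _in_any(src_ip, [r.source_cidr])
               for r in rules)

def _group_has(name, ip, cfg):
    cidrs = [cfg["vpc_cidr"]] if name == CONNECTED_VPC_PREFIXES else cfg["groups"].get(name, [])
    return _in_any(ip, cidrs)

def _cgw_allows(proto, port, src_ip, dst_ip, cfg):
    for r in cfg["cgw_rules"]:           # first matching rule decides; no match means deny
        if ((r.proto, r.port) == (proto, port) and _group_has(r.source, src_ip, cfg)
                and _group_has(r.dest, dst_ip, cfg)):
            return r.action == "Allow"
    return False

def check_flow(src_ip, dst_ip, proto, port, cfg):
    """Return (allowed, blockers) for a connection initiated by src_ip toward dst_ip."""
    blockers = []
    if _in_any(src_ip, cfg["sddc_segments"]):        # VM initiates: Step 2 rule on instance SG
        if not _sg_allows(cfg["instance_sg"], proto, port, src_ip):
            blockers.append("instance Security Group inbound")
    elif not _sg_allows(cfg["default_sg"], proto, port, src_ip):  # instance initiates: Step 3
        blockers.append("default Security Group inbound")
    if not _cgw_allows(proto, port, src_ip, dst_ip, cfg):         # Step 4 applies either way
        blockers.append("Compute Gateway firewall")
    return not blockers, blockers

# Constructed sample: one SDDC segment, one instance subnet in the connected VPC.
SAMPLE = {
    "sddc_segments": ["192.168.10.0/24"], "vpc_cidr": "10.20.0.0/16",
    "groups": {"app-vms": ["192.168.10.0/24"]},
    "instance_sg": [SgRule("tcp", 443, "192.168.10.0/24")],
    # Default SG lists both the VM segment (Step 3) and the instance subnet, as advised above.
    "default_sg": [SgRule("tcp", 5432, "192.168.10.0/24"), SgRule("tcp", 5432, "10.20.1.0/24")],
    "cgw_rules": [CgwRule("app-vms", CONNECTED_VPC_PREFIXES, "tcp", 443, "Allow"),
                  CgwRule(CONNECTED_VPC_PREFIXES, "app-vms", "tcp", 5432, "Allow")],
}
```

Running check_flow against SAMPLE for a VM-initiated HTTPS connection and an instance-initiated PostgreSQL connection returns allowed; any other port names the Security Group and Compute Gateway layers that still need a rule.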