You can deploy an EC2 instance in your connected Amazon VPC and configure AWS security policies and compute gateway firewall rules to allow it to connect with your workload VMs.
Although this topic focuses on enabling traffic between your SDDC workloads and an EC2 instance in the Connected VPC, the modifications detailed in Step 2 and Step 3 also enable traffic between the EC2 instance and the SDDC management network. Similar AWS Security Group modifications should enable SDDC connectivity to any native AWS service that is reachable at an IP address in the Connected VPC's primary CIDR.
The default AWS Security Group in the connected VPC controls traffic from EC2 instances in the VPC to VMs in the SDDC. This traffic must also pass through the Compute Gateway firewall (and the Distributed Firewall if you're using that). All of these controls must be configured to allow the intended traffic or the connection can't be established.
- To allow traffic to be initiated from the EC2 instance to a VM in the SDDC, create an inbound rule on the default Security Group.
- To allow traffic to be initiated from the VM to the EC2 instance, create an inbound rule on the Security Group applied to the EC2 instance.
Bear in mind that when you use the default AWS Security Group with the instance, its inbound rules are applied to traffic both when it transits the EC2 instance and when it transits the SDDC. To allow traffic initiated by either the VM in the SDDC or the EC2 instance to reach each other, the inbound rules must allow inbound traffic from both the EC2 instance and the VM.
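The rules above can be derived and checked mechanically. The following is an added example (not VMware or AWS code) that maps each Security Group to the source CIDRs its inbound rules must allow, reports which required sources an existing rule set does not cover, and renders the matching `aws ec2 authorize-security-group-ingress` calls; the segment CIDRs, VPC subnet and `sg-` ids are constructed placeholders, and the Compute Gateway firewall rule is still needed separately.

```python
import ipaddress

# Constructed sample values; the sg- ids are placeholders, not real identifiers.
SDDC_SEGMENT_CIDRS = ["192.168.10.0/24", "192.168.20.0/24"]  # NSX Manager > Segments
VPC_SUBNET_CIDR = "10.0.1.0/24"                               # NSX Manager > Connected VPC
DEFAULT_SG = "sg-PLACEHOLDER-default"
INSTANCE_SG = "sg-PLACEHOLDER-instance"


def required_ingress(instance_sg):
    """Map each Security Group to the source CIDRs its inbound rules must allow.

    EC2 -> VM traffic is checked by the default SG as it enters the SDDC, so
    the default SG needs an inbound rule whose source is the EC2 side (VPC subnet).
    VM -> EC2 traffic is checked by the SG attached to the instance, so that SG
    needs an inbound rule whose source is the SDDC segment CIDRs.
    If the instance uses the default SG, the same group sees both directions
    and must allow both sources.
    """
    rules = {DEFAULT_SG: {VPC_SUBNET_CIDR}}
    rules.setdefault(instance_sg, set()).update(SDDC_SEGMENT_CIDRS)
    return {sg: sorted(cidrs) for sg, cidrs in rules.items()}


def missing_ingress(existing, instance_sg):
    """Return the (sg, cidr) pairs not covered by existing inbound rules.

    `existing` maps sg id -> list of source CIDRs already allowed. A rule
    covers a required source if its CIDR is equal to or a supernet of it.
    """
    gaps = []
    for sg, needed in required_ingress(instance_sg).items():
        allowed = [ipaddress.ip_network(c) for c in existing.get(sg, [])]
        for cidr in needed:
            net = ipaddress.ip_network(cidr)
            if not any(net.subnet_of(a) for a in allowed):
                gaps.append((sg, cidr))
    return gaps


def aws_cli_commands(instance_sg, protocol="tcp", port=22):
    """Render one `aws ec2 authorize-security-group-ingress` call per required rule."""
    return [
        f"aws ec2 authorize-security-group-ingress --group-id {sg} "
        f"--protocol {protocol} --port {port} --cidr {cidr}"
        for sg, cidrs in required_ingress(instance_sg).items()
        for cidr in cidrs
    ]
```

Pass `DEFAULT_SG` as `instance_sg` to model an instance that uses the default Security Group, and a separate id otherwise.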
Prerequisites
- The CIDR blocks of the network segments the VMs in your SDDC are connected to. Open NSX Manager and click Segments to list all SDDC network segments.
- The connected Amazon VPC and subnet. Open NSX Manager and click Connected VPC to open the Connected Amazon VPC page, which provides this information under VPC ID and VPC Subnet.
- If you have enabled a Managed Prefix List for the Connected VPC, open the NSX Manager Connected VPC page and retrieve the prefix list name, ID, and route tables that include it. You will need this information to complete Step e. See Enable AWS Managed Prefix List Mode for the Connected Amazon VPC for more about Managed Prefix Lists and how to use them.