You can use VMware Transit Connect to attach an AWS VPC to an SDDC Group. This simplifies network connections between SDDCs in the group and the AWS services that run in that VPC.
Attaching a VPC to the SDDC group is a multi-step process that requires you to use both the VMC Console and the AWS console. You use the VMC Console to make the VTGW (an AWS resource managed by VMware) available for sharing. You then use the AWS console to accept the shared resource and associate it with the VPCs you'd like to attach to the SDDC Group.
Procedure
- On the Inventory page of the VMC Console, click SDDC Groups, then click the Name of the group to which you want to attach the VPC.
- On the External VPC tab for the group, click ADD ACCOUNT and specify the AWS account that owns the VPC you want to attach to the group.
This enables AWS resource sharing in that account for the VTGW.
- In the AWS console, open the Resource Access Manager to accept the shared VTGW resource.
The resource Name has the form VMC-Group-UUID and a Status of Pending. Click the resource name to open the resource Summary card, then click Accept resource share and confirm acceptance.
- In the VMC Console, return to the VPC Connectivity tab for the group and wait for the Status of the resource share you accepted in Step 3 to change from ASSOCIATING to ASSOCIATED.
VPC resource association can take up to ten minutes. Once the VPC association is complete, you can attach the VTGW.
- Return to the AWS console Resource Access Manager to find the resource ID of the shared VTGW resource.
It will be listed under Shared with me: Shared resources with a Resource ID of the form TGW-UUID and a Resource type of ec2:TransitGateway.
- Create the Transit Gateway attachment.
  - Select the Transit Gateway ID identified in Step 5, specify an Attachment type of VPC, and select the VPC ID you would like to connect to the SDDC group.
  - Select a Subnet ID in each Availability Zone (AZ) that requires connectivity to the group.
  You can select only one subnet per AZ, but SDDC group members can communicate with all VPC subnets in that AZ.
  - If the VPC is an FSx VPC as described in Configure Amazon FSx for NetApp ONTAP as External Storage, you must also select DNS support.
  - Click Create Transit Gateway Attachment to create the attachment.
- In the VMC Console, return to the External VPC tab for the group and ACCEPT the shared VPC attachment.
When the VPC status changes to PENDING_ACCEPTANCE, click ACCEPT to accept it. The status changes to AVAILABLE after the acceptance process completes. Acceptance can take up to ten minutes.
- Configure additional source routes to the VPC.
In the AWS console, identify the route tables associated with any subnets in the VPC that are connected to the shared VTGW and that need to communicate with the SDDC Group. On the Routes tab of the route table, click Edit Routes and add each CIDR in the SDDC group as a destination, with the target set to the VTGW ID you identified in Step 5. The list of CIDRs for the SDDC group can be found in the VMC Console for the SDDC group on the Routing tab, by selecting External in the Route Table drop-down.
- (Optional) Configure additional destination routes to the VPC.
When you create an SDDC group, the system creates routes for the VPC's primary CIDR and any secondary CIDRs. If you need to have destinations beyond the VPC routed through it (something you might need for a Security VPC or Transit VPC), click ADD ROUTES on the VPC row to open the Edit Routes page, where you can define CIDR blocks to route to the attached VPC. See Manage Routing to an External VPC.
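The AWS-side steps above (Steps 3, 6 and 8) are described for the AWS console. The script below is an added example, not VMware's or AWS's own code: a dry-run planner that enforces the constraints stated in the procedure (one subnet per AZ, DNS support for an FSx VPC, one route per SDDC CIDR in every affected route table) and prints the equivalent AWS CLI commands instead of running them, so you can review the plan before applying it. The VTGW ID, VPC ID, resource-share invitation ARN, subnet and route-table IDs and SDDC CIDRs are constructed placeholders; take the real values from the Resource Access Manager page and from the SDDC group's Routing tab (External route table).

```shell
#!/bin/sh
# Added example (not from the VMware documentation or product). Prints AWS CLI
# commands for the AWS-side steps of attaching a VPC to an SDDC Group; nothing
# is executed. All identifiers below are constructed placeholders.
VTGW_ID="tgw-0123456789abcdef0"        # placeholder: Resource ID under "Shared with me"
VPC_ID="vpc-0123456789abcdef0"         # placeholder: VPC to attach to the SDDC group
SHARE_ARN="arn:aws:ram:us-west-2:111122223333:resource-share-invitation/PLACEHOLDER"
SDDC_CIDRS="10.2.0.0/16 10.3.0.0/16"   # placeholder: CIDRs from Routing tab > External

# Step 3 equivalent: accept the VTGW resource share offered by VMware.
accept_share_command() {
  echo "aws ram accept-resource-share-invitation --resource-share-invitation-arn $SHARE_ARN"
}

# Validate the subnet selection for Step 6: exactly one subnet per AZ.
# Arguments are "subnet-id=az" pairs. Prints the subnet IDs on success and
# returns 1 if the same AZ appears twice.
plan_subnets() {
  seen=""
  out=""
  for pair in "$@"; do
    subnet="${pair%%=*}"
    az="${pair#*=}"
    case " $seen " in
      *" $az "*) echo "error: more than one subnet selected in $az" >&2; return 1 ;;
    esac
    seen="$seen $az"
    out="$out $subnet"
  done
  echo "${out# }"
}

# Step 6 equivalent: build the create-attachment command. Pass "fsx" as the
# first argument for an FSx VPC, which adds DnsSupport=enable as the procedure
# requires; otherwise the AWS default for the option is left in place.
attachment_command() {
  mode="$1"
  shift
  subnets=$(plan_subnets "$@") || return 1
  opts=""
  [ "$mode" = "fsx" ] && opts="--options DnsSupport=enable"
  echo "aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id $VTGW_ID --vpc-id $VPC_ID --subnet-ids $subnets${opts:+ $opts}"
}

# Step 8 equivalent: one create-route per (route table, SDDC CIDR), targeting
# the VTGW. Arguments are the route-table IDs of the attached subnets.
route_commands() {
  for rtb in "$@"; do
    for cidr in $SDDC_CIDRS; do
      echo "aws ec2 create-route --route-table-id $rtb --destination-cidr-block $cidr --transit-gateway-id $VTGW_ID"
    done
  done
}

# Example run with constructed IDs; prints the plan for review.
accept_share_command
attachment_command fsx subnet-0aaa=us-west-2a subnet-0bbb=us-west-2b
route_commands rtb-0aaa rtb-0bbb
```

Pipe the output into `sh` only after checking that every route table of a subnet that must reach the SDDC group is listed; a subnet whose route table lacks the VTGW routes will not reach the group even though the attachment exists.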
What to do next
- In the AWS console, create network ACLs to manage traffic between the VPCs you've added to the group and other group members. If you want to access an AWS service running in the VPC, you might need to modify the AWS security policy for the service. See Access an S3 Bucket Using an S3 Endpoint for an example of AWS security policy configuration for the S3 service.