Deploying a Software-Defined Data Center (SDDC) is the first step in making use of the VMware Cloud on AWS service. After you deploy the SDDC, you can view information about it and perform management tasks.

There are a number of factors to consider before deploying your SDDC.

Connected AWS account

When you deploy an SDDC on VMware Cloud on AWS, it is created within an AWS account and VPC dedicated to your organization and managed by VMware. You must also connect the SDDC to an AWS account belonging to you, referred to as the customer AWS account. This connection allows your SDDC to access AWS services belonging to your customer account.

If you are deploying a Single Host SDDC, you can delay linking your customer AWS account for up to two weeks. You cannot scale up a Single Host SDDC to a multiple host SDDC until you link an AWS account. If you are deploying a multiple host SDDC, you must link your customer AWS account when you deploy the SDDC.

AWS VPC Configuration and Availability Requirements

The VPC and subnet you use to connect the SDDC to your AWS account must meet several requirements:
  • It must be in an AWS Availability Zone (AZ) where VMC resources are available. Start by creating a subnet in every AZ in the AWS Region where the SDDC will be created. That way, you can identify all the AZs where an SDDC can be deployed and select the AZ that best meets your SDDC placement needs, whether you want to keep your VMC workloads close to or isolated from your existing AWS workloads running in a particular AZ. See Creating a Subnet in Your VPC in the AWS documentation for information about how to use the Amazon VPC console to create a subnet in your VPC.
  • The AWS account being linked must have sufficient capacity to create a minimum of 17 ENIs per SDDC in the region, although we recommend sufficient capacity for 32 ENIs per SDDC to support maximum scalability.
  • If necessary, you can link multiple SDDCs to a VPC as long as the VPC subnet used for ENI connectivity has big enough CIDR block to accommodate them. We recommend a /26 CIDR block (33 IP addresses) per SDDC. At a minim, you need a /27 CIDR block (17 IP addresses) . You can also allocate a separate VPC subnet for each SDDC connection. You must ensure in all cases that the CIDR blocks for the SDDC and the VPC do not overlap.
  • The subnet(s) used for the SDDC, as well as any subnets on which AWS services or instances communicate with the SDDC must all be associated with the VPC's main route table.
  • The IP address range of the subnet must be unique within your enterprise network infrastructure. It cannot overlap the IP address range of any of your on-premises networks.

Workload VMs in the SDDC can communicate over the ENI connection with all subnets in the primary CIDR block of the connected VPC. VMC is unaware of other CIDR blocks in the VPC.

Single Host SDDC starter configuration for VMware Cloud on AWS

You can jump start your VMware Cloud on AWS experience with a Single Host SDDC starter configuration. This is a time-limited offering designed for you to prove the value of VMware Cloud on AWS in your environment. The service life of a Single Host environment is limited to 30 days. At any point during the service life of a Single Host SDDC, you can scale it up to a production configuration with three or more hosts with no loss of data. If you don't scale up the Single Host SDDC before the end of the service life, the SDDC is deleted along with all the workloads and data it contains.

Stretched Clusters for VMware Cloud on AWS

You can create an SDDC with a cluster that spans two availability zones. A vSAN stretched cluster is used to create a single datastore for the cluster and replicate the data across both availability zones. If service in one availability zone is disrupted, workload VMs are brought up in the other availability zone.

The following restrictions apply to stretched clusters:

  • The linked VPC must have two subnets, one in each AZ in the cluster.
  • You can't convert a stretched cluster to a single availability zone cluster, or vice versa.
  • A given SDDC can contain either single availability zone clusters or stretched clusters, but not a mix of both.
  • Currently, a given SDDC can contain only one stretched cluster.
  • You need a minimum of six hosts (three in each AZ) to create a stretched cluster. Hosts must be added in pairs.

SDDC Networking

When you create an SDDC, it includes a Management Network and a Compute Network. The Management Network has two subnets:
Appliance Subnet
A subnet of the CIDR range you specified for the Management Subnet when you created the SDDC. This subnet is used by the vCenter, NSX, and HCX appliances in the SDDC. When you add appliance-based services such as SRM to the SDDC, they also connect to this subnet.
Infrastructure Subnet
A subnet of the CIDR range you specified for the Management Subnet when you created the SDDC. This subnet is used by the ESXi hosts in the SDDC.

The compute network can have up to 16 segments for your workload VMs. In a Single Host SDDC starter configuration, the compute network is created with one routed segment. In SDDC configurations that have more hosts, you'll have to create compute network segments to meet your needs.

A Tier 0 NSX Edge appliance sits between your on-premises networks and your SDDC networks, and routes traffic to either the management network or the compute network as appropriate.

Figure 1. SDDC Network Topology
Tier 0 Edge Appliance
All traffic between your on-premises networks and the SDDC passes through this appliance. Compute Gateway firewall rules, which control access to workload VMs, are applied on its uplink interfaces.
Management Gateway (MGW)
The MGW is an NSX Edge Security gateway that provides north-south network connectivity for the vCenter Server and other management appliances running in the SDDC. The Internet-facing IP address (Public IP #1) is automatically assigned from the pool of AWS public IP addresses when the SDDC is created. Pick an address range (CIDR block) for the management subnet that can support the number of ESXi hosts in your SDDC. If you don't specify a range when you create the SDDC, the system uses a default of
Compute Gateway (CGW)
The CGW provides north-south network connectivity for virtual machines running in the SDDC. In a single-node SDDC, VMware Cloud on AWS creates a default logical network segment (CIDR block to provide networking for these VMs. You can create additional logical networks on the Networking & Security tab.

Before you can connect your on-premises network to your SDDC so you can migrate and run workload VMs in VMware Cloud on AWS, you'll need to configure, VPNs, firewall rules, AWS Direct Connect (optional) and other networking components.