An SDDC deployment group uses VMware Transit Connect to provide high-bandwidth, low-latency connections between SDDCs in the group. An SDDC group can include VPCs you own. You can also add an AWS Direct Connect Gateway (DXGW) to provide connectivity between group members and your on-premises SDDCs.

An SDDC deployment group (SDDC Group) is a logical entity designed to simplify management of your organization's VMware Cloud on AWS resources at scale. Collecting SDDCs into an SDDC Group provides a number of benefits to an organization with multiple SDDCs whose workloads need a high-bandwidth, low-latency connection to each other. All network traffic between group members travels over a VMware Transit Connect network. Routing between compute networks of all SDDCs in a group is managed automatically by VMware Transit Connect as subnets are added and deleted. You control network traffic among group member workloads with compute gateway firewall rules.

Any organization member who has a VMC service role of Administrator or Administrator (Delete Restricted) can create or modify an SDDC Group.

Group Membership

SDDC groups are an organization-level object. An SDDC group cannot contain SDDCs from more than one organization. An SDDC must meet several criteria to be eligible for group membership:
  • It must be at SDDC version 1.11 or later.
  • Its management network CIDR block cannot overlap the management CIDR block of any other group member.
  • It cannot be a member of another SDDC Group.
While you can create a group with a single member, most practical applications of SDDC Groups require two or more members.
Note:

Hybrid Linked Mode over a VPN connection is incompatible with SDDC groups. If you add an SDDC that you've configured to use Hybrid Linked Mode over a VPN connection, the connection will fail and you won't be able to use Hybrid Linked Mode with that SDDC. Hybrid Linked Mode over a DX connection is unaffected when an SDDC is added to a group.

Internal Group Connectivity Using VMware Transit Connect

Peer connectivity among SDDC group members requires a VMware Managed Transit Gateway (VTGW). This is an AWS resource owned and managed by VMware. Adding the first member to an SDDC Group creates one of these resources and assigns it to the group. Creation and operation of a VTGW incurs additional charges on your VMware Cloud on AWS bill.

Figure 1. VMware Transit Connect Connects SDDCs in the Group With Each Other
Diagram of an SDDC group with two SDDCs connected through the vTGW

Members can be added to and removed from a group as needed. You cannot remove a group until all members have been removed. Removing the group also destroys the group's VMware Managed Transit Gateway.

Attaching a VPC to an SDDC Group

Attaching a VPC to an SDDC group simplifies network connections between SDDCs in the group and AWS services that run in that VPC. You use the VMC Console to make the VTGW (an AWS resource) available for sharing, then use the AWS console to accept the shared resource and associate it with the VPCs you'd like to attach to the SDDC Group.

Figure 2. Using VMware Transit Connect to Attach a VPC to an SDDC Group
Diagram of an SDDC group with two SDDCs and an AWS VPC, connected through the vTGW

External Group Connectivity Using AWS Direct Connect Gateway

To provide network connectivity between the group and external endpoints such as on-premises SDDCs, associate an AWS Direct Connect Gateway (DXGW) with the VMware Managed Transit Gateway created for the group. Unlike the Direct Connect (DX) configuration that you can use to connect your on-premises SDDC with a standalone VMware Cloud on AWS SDDC, the DXGW that you associate with the VTGW provides DX-level connectivity to all SDDC group members.

Figure 3. An AWS Direct Connect Gateway Connects the SDDC Group to On-Premises SDDCs
Diagram showing an AWS Direct Connect Gateway providing connections between an SDDC group and an on-premises SDDC.

Routing and Peering

SDDC group members advertise their local network segments, which are added to the route tables of the SDDC's Tier-0 router and the group's VTGW. To view or download a list of VMware Transit Connect routes learned and advertized by a member SDDC, open the SDDC's Networking & Security tab and click Transit Connect. See View Routes Learned and Advertised over VMware Transit Connect in the VMware Cloud on AWS Networking and Security guide.

To view the routes learned and advertised by all SDDCs in the group, click the Routing tab. You can use the drop-down control. Select External to view routes between members or Members to view routes between members and external endpoints like VPCs or Direct Connect Gateways. External routes carry traffic originating from an external endpoint like a VPC or DXGW to an SDDC group member. Members routes carry traffic originating in a member SDDC and include SDDC group members and external endpoints.

SDDCs in the group learn routes to the networks advertised by other SDDCs in the group and those advertised over the group's DXGW. They also learn the CIDRs for any VPCs attached to the group. Because AWS imposes a limit of 20 prefixes that can be advertised by a DXGW to an external endpoint like an on-premises SDDC, the CIDR block prefixes of all SDDC group members must fall within a range that can be summarized without exceeding limit.

VMware Transit Connect enforces several routing policies:
  • Traffic originating from member SDDCs can be routed to other member SDDCs as well as to VPCs and Direct Connect Gateways attached to the group.
  • Traffic originating from VPCs or Direct Connect Gateways attached to the group can be routed only to SDDCs in the group.
  • Traffic between VPCs or between a VPC and the Direct Connect Gateway is blocked.
Note:
When an SDDC becomes a member of an SDDC group, several aspects of existing SDDC networking change:
  • Routes advertised by a route-based VPN are preferred over routes advertised by VMware Transit Connect or a DXGW. However, all outbound traffic from hosts to destinations outside the SDDC network is routed to the VTGW or private VIF regardless of other routing configurations in the SDDC. This includes vMotion and vSphere replication traffic. You must ensure that inbound traffic to ESXi hosts is also routed over the DXGW interface so that the inbound and outbound traffic paths are symmetrical.
  • If the same route is advertised over the VTGW and DX, the VTGW path is preferred. This includes routes from a DXGW connected to the VTGW.
  • The maximum MTU for intranet traffic among group members is limited to 8500 bytes. An MTU of up to 8900 bytes can still be used for traffic internal to the SDDC, or over DX. See Create a Private Virtual Interface for SDDC Management and Compute Network Traffic in the VMware Cloud on AWS Networking and Security guide.