An SDDC deployment group uses VMware Transit Connect to provide high-bandwidth, low-latency connections between SDDCs in the group and to other VPCs in the same region. You can also add a Direct Connect Gateway (DXGW) to provide centralized connectivity to your on-premises SDDCs.
An SDDC deployment group (SDDC Group) is a logical entity designed to simplify management of your organization's VMware Cloud on AWS resources at scale. Collecting SDDCs into an SDDC Group provides a number of benefits to an organization with multiple SDDCs whose workloads need a high-bandwidth, low-latency connection to each other. All network traffic between group members travels over a VMware Transit Connect network. Routing between compute networks of all SDDCs in a group is managed automatically by VMware Transit Connect as subnets are added and deleted. You control network traffic among group member workloads with compute gateway firewall rules.
Any organization member who has a VMC service role of Administrator or Administrator (Delete Restricted) can create or modify an SDDC Group.
- It must be in the same AWS region as other group members.
- Its management network CIDR block cannot overlap the management CIDR block of any other group member.
- It cannot be a member of another SDDC Group.
- It must be at SDDC version 1.11 or later.
Hybrid Linked Mode over a VPN connection is incompatible with SDDC groups. If you add an SDDC that you've configured to use Hybrid Linked Mode over a VPN connection, the connection will fail and you won't be able to use Hybrid Linked Mode with that SDDC. Hybrid Linked Mode over a DX connection is unaffected when an SDDC is added to a group.
Internal Group Connectivity Using VMware Transit Connect
Peer connectivity among SDDC group members requires a VMware Managed Transit Gateway (VTGW). This is an AWS resource owned and managed by VMware. Adding the first member to an SDDC Group creates one of these resources and assigns it to the group. Creation and operation of a VTGW incurs additional charges on your VMware Cloud on AWS bill.
Members can be added to and removed from a group as needed. You cannot remove a group until all members have been removed. Removing the group also destroys the group's VMware Managed Transit Gateway.
Attaching a VPC to an SDDC Group
Attaching a VPC to an SDDC group simplifies network connections between SDDCs in the group and AWS services that run in that VPC. You use the VMC Console to make the VTGW (an AWS resource) available for sharing, then use the AWS console to accept the shared resource and associate it with the VPCs you'd like to attach to the SDDC Group.
External Group Connectivity Using AWS Direct Connect Gateway
To provide network connectivity between the group and external endpoints such as on-premises SDDCs, associate an AWS Direct Connect Gateway with the VMware Managed Transit Gateway created for the group. Unlike the Direct Connect (DX) configuration that you can use to connect your on-premises SDDC with a standalone VMware Cloud on AWS SDDC, the Direct Connect gateway that you associate with the VTGW provides DX-level connectivity to all SDDC group members.
Routing and Peering
Compute networks in all group members use the VMware Transit Connect route table. Learned routes from this table are added to the route table of the SDDC's Tier-0 router. To view or download a list of VMware Transit Connect routes learned and advertized by a member SDDC, open the SDDC's Networking & Security tab and click Transit Connect. See View Routes Learned and Advertised over VMware Transit Connect in the VMware Cloud on AWS Networking and Security guide.
To view the routes learned and advertised by all SDDCs in the group, click the Routing tab. You can use the drop-down control. Select External to view routes between members or Members to view routes between members and external endpoints like VPCs or Direct Connect Gateways
SDDCs in the group learn routes to the networks advertised by other SDDCs and VPCs in the group, and those advertised over the group's Direct Connect Gateway. Because AWS imposes a limit of 20 prefixes that can be advertised by a Direct Connect Gateway to an external endpoint like an on-premises SDDC, the CIDR block prefixes of all SDDC group members must fall within a range that can be summarized in a way that won't exceed that limit.
- Traffic originating from SDDCs can be routed to other SDDCs as well as to VPCs and Direct Connect Gateways attached to the group.
- Traffic originating from VPCs or Direct Connect Gateways attached to the group can be routed only to SDDCs in the group.
- Traffic between VPCs or between a VPC and the Direct Connect Gateway is blocked.
- Routes advertised by a route-based VPN are preferred over routes advertised by VMware Transit Connect or a Direct Connect Gateway.
- Use of a route-based VPN as a backup to Direct Connect is unsupported when your SDDC Group includes a Direct Connect Gateway. To disable this configuration in your SDDC, select Use VPN as backup to Direct Connect switch to Disabled. and set the
- The jumbo MTU size is decreased to 8500 bytes. See Create a Private Virtual Interface for SDDC Management and Compute Network Traffic in the VMware Cloud on AWS Networking and Security guide for information about how to update this value for your SDDC.