You must create firewall rules for the Compute Gateway of each SDDC in the group. Without these rules, workloads running on group members cannot use VMware Transit Connect to communicate with each other.
Because all members of an SDDC Group are owned by the same VMware Cloud on AWS organization, network traffic among members of the group can be safely treated as East-West traffic, rather than North-South traffic that might have an external source or destination. But since an SDDC compute gateway's default firewall rules reject external traffic, you'll need to create firewall rules allowing that traffic through the compute gateway of each SDDC in the Group. (SDDC Groups do not currently need to route network traffic through members' management gateways.)
- Transit Connect Customer TGW Prefixes: routes learned from customer-owned AWS Transit Gateways.
- Transit Connect DGW Prefixes: routes learned from the group's Direct Connect Gateway.
- Transit Connect Native VPCs Prefixes: routes learned from the group's attached VPCs.
- Transit Connect other SDDCs Prefixes: routes learned from other SDDCs in the group.
For more information, see Add or Modify Compute Gateway Firewall Rules in the VMware Cloud on AWS Networking and Security documentation.
- On the Networking & Security tab, click Gateway Firewall.
- Define inventory groups as needed to provide sources and destinations for workload traffic.
The system-defined inventory groups are useful for creating high-level connectivity among group members and attached VPCs. If you need to create finer-grained firewall rules that apply to individual workload segments in member SDDCs, you'll need to create inventory groups that define those segments, as shown in the example below.
- On the Gateway Firewall card, click Compute Gateway, then click ADD RULE.
The system-defined inventory groups, along with any compute groups you defined, are available as choices in the Sources and Destinations drop-downs. To enable unrestricted group connectivity, you could add a rule like this one, which allows inbound traffic to this SDDC from other group members.

| Name | Sources | Destinations | Services | Applied To | Action |
|---|---|---|---|---|---|
| Inbound from other SDDCs | Transit Connect other SDDCs Prefixes | Any | Any | Direct Connect Interface | Allow |
Example: CGW Firewall Rules with User-Defined Inventory Groups to Allow Workload Traffic Between Group Members
- Create the Groups
On the Groups card, click COMPUTE GROUPS, then click ADD GROUP and create three groups. You can use any names you want for the groups. The ones we show here are just examples.
- A group named Local Workloads that includes segment prefixes for the SDDC's own workload segments.
- A group named Peer Workloads that includes segment prefixes for workload segments of other SDDCs in the group.
- A group named Peer SDDC vCenters that includes the private IP address of the vCenter in each SDDC in the group.
For each group, click Set Members to open the Select Members tool. In this tool, you can click ADD CRITERIA and enter the IP Addresses or MAC Addresses of group members. You can also click to import these values from a file.
- Create the Rules
As shown in Step 3, open the Gateway Firewall card, click Compute Gateway, then click ADD RULE to create new rules that use the inventory groups you created for their Sources and Destinations. You can use any names you want for the rules. The ones we show here are just examples.
| Name | Sources | Destinations | Services |
|---|---|---|---|
| Local workload to peer workload | Local Workloads | Peer Workloads | As needed for outbound traffic from local workloads to workloads in other group members |
| Peer workload to local workload | Peer Workloads | Local Workloads | As needed for inbound traffic to local workloads from workloads in other group members |
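To make the effect of these rules concrete, here is an added illustration (not VMware's code and not part of this documentation) that models compute gateway rule evaluation in Python: inventory groups are sets of IP prefixes, rules are evaluated first-match on the uplink they are applied to, and anything unmatched falls to the default reject. It covers both the coarse system-group rule from the first table and the two user-defined-group rules from the second. All group names other than "Transit Connect other SDDCs Prefixes", and every prefix, address and service value, are constructed for the example; the real system group is populated by Transit Connect, not typed in.

```python
"""Toy model of VMware Cloud on AWS compute gateway (CGW) firewall rule evaluation.

Inventory groups are sets of IP prefixes; rules are an ordered list evaluated
first-match; an unmatched packet hits the CGW default rule and is rejected.
Every prefix, address and rule value here is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory groups (name -> prefixes). The first entry stands in for
# the system-defined group that Transit Connect populates automatically; the
# other three mirror the user-defined groups from the example above.
GROUPS = {
    "Transit Connect other SDDCs Prefixes": ["10.20.0.0/16", "10.30.0.0/16"],
    "Local Workloads": ["10.10.1.0/24", "10.10.2.0/24"],
    "Peer Workloads": ["10.20.1.0/24", "10.30.1.0/24"],
    "Peer SDDC vCenters": ["10.20.0.2/32", "10.30.0.2/32"],
}


@dataclass
class Rule:
    name: str
    sources: str          # inventory group name, or "Any"
    destinations: str     # inventory group name, or "Any"
    services: frozenset   # e.g. {"tcp/443"}; an empty set means Any
    applied_to: str       # uplink the rule is applied to, or "All Uplinks"
    action: str           # "Allow" or "Reject"


@dataclass
class Packet:
    src: str
    dst: str
    service: str          # "tcp/443", "tcp/22", "icmp", ...
    interface: str        # uplink on which the CGW sees the packet


def in_group(ip: str, group: str) -> bool:
    """True if ip falls within any prefix of the named group ("Any" matches all)."""
    if group == "Any":
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(prefix) for prefix in GROUPS[group])


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only on the uplink it is applied to, for its services and groups."""
    if rule.applied_to not in ("All Uplinks", pkt.interface):
        return False
    if rule.services and pkt.service not in rule.services:
        return False
    return in_group(pkt.src, rule.sources) and in_group(pkt.dst, rule.destinations)


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; with no match the CGW default rule rejects."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "Reject"


ANY = frozenset()
TC_UPLINK = "Direct Connect Interface"  # Transit Connect traffic reaches the CGW here

# Coarse rule from the first table: allow anything from other SDDCs in the group.
UNRESTRICTED = [
    Rule("Inbound from other SDDCs", "Transit Connect other SDDCs Prefixes",
         "Any", ANY, TC_UPLINK, "Allow"),
]

# Finer-grained rules from the second table; "as needed" is narrowed to HTTPS here.
FINE_GRAINED = [
    Rule("Local workload to peer workload", "Local Workloads", "Peer Workloads",
         frozenset({"tcp/443"}), TC_UPLINK, "Allow"),
    Rule("Peer workload to local workload", "Peer Workloads", "Local Workloads",
         frozenset({"tcp/443"}), TC_UPLINK, "Allow"),
]


if __name__ == "__main__":
    peer_https = Packet("10.20.1.5", "10.10.1.9", "tcp/443", TC_UPLINK)
    peer_ssh = Packet("10.20.1.5", "10.10.1.9", "tcp/22", TC_UPLINK)
    vcenter = Packet("10.20.0.2", "10.10.1.9", "tcp/443", TC_UPLINK)
    for label, rules in (("no rules", []), ("unrestricted", UNRESTRICTED),
                         ("fine-grained", FINE_GRAINED)):
        print(label, evaluate(rules, peer_https), evaluate(rules, peer_ssh),
              evaluate(rules, vcenter))
```

Running it shows the three behaviours the text describes: with no rules every group member is rejected by the default rule; the single system-group rule admits all traffic from peer SDDCs, including the peer vCenter and SSH; the user-defined-group rules admit only workload-to-workload HTTPS, and the same packet arriving on a different uplink matches nothing because the rules are applied to the Direct Connect interface.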