To begin using VMware Cloud on AWS to run workloads in your SDDC, you'll need to set up a network connecting your on-premises data center to the SDDC. This network can include a dedicated connection over AWS Direct Connect, an IPsec VPN, or both.

While routing IPsec VPN traffic over Direct Connect can provide better performance at lower costs, you can start by setting up an IPsec VPN that connects to your SDDC over the Internet, then reconfigure that VPN to use Direct Connect later.

When you open the Networking & Security tab of a new SDDC, you can run the Setup Networking and Security wizard to guide you through the steps needed to configure Direct Connect and a VPN, access the vCenter in your SDDC, and change the default DNS server if you want to.

If you just want to set up a route-based VPN connecting your on-premises data center to your SDDC over the Internet, you can follow these steps.

Prerequisites

You must have the NSX Admin service role to view and configure features on the Networking & Security tab. See Assign NSX Service Roles to Organization Members in the VMware Cloud on AWS Networking and Security guide.

Procedure

  1. Create a route based VPN in the SDDC.
    A route-based VPN creates an IPsec tunnel interface and routes traffic through it as dictated by the SDDC routing table. A route-based VPN provides resilient, secure access to multiple subnets. When you use a route-based VPN, new routes are added automatically when new networks are created. See Create a Route-Based VPN in the VMware Cloud on AWS Networking and Security guide.
  2. Configure an on-premises IPsec VPN.
    You can use NSX or any other device that can terminate an IPsec VPN.
    Important:

    The SDDC end of an IPsec VPN supports only time-based rekeying. Your on-premises device must disable lifebytes rekeying.

    Do not configure the on-premises side of the VPN to have an idle timeout (for example, the NSX Session idle timeout setting). On-premises idle timeouts can cause the VPN to become periodically disconnected.

    1. If your on-premises VPN gateway is behind a firewall, you must configure that firewall to forward IPsec protocol traffic:
      • Open UDP port 500 to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through the firewall.
      • Set IP protocol ID 50 to allow IPsec Encapsulating Security Protocol (ESP) traffic to be forwarded through the firewall.
      • Set IP protocol ID 51 to allow Authentication Header (AH) traffic to be forwarded through the firewall.
    2. Download the SDDC IPsec VPN configuration file.
      See the IPsec VPN Settings Reference in the VMware Cloud on AWS Networking and Security guide for more about what's in this file and how to use it to help you configure your on-premises VPN endpoint.
  3. (Optional) Create a network segment.
    A Single Host Starter SDDC is created with a single routed network segment named sddc-cgw-network-1. Multi-host SDDCs are created without a default network segment, so you must create at least one for your workload VMs. See Create a Network Segment in the VMware Cloud on AWS Networking and Security guide.
  4. Create some basic firewall rules on the management gateway.
    By default, the management gateway blocks traffic to all destinations from all sources. Add Management Gateway firewall rules to allow traffic as needed. See Add or Modify Management Gateway Firewall Rules in the VMware Cloud on AWS Networking and Security guide.
  5. Configure management network private DNS.
    Specify the addresses of your private DNS servers so that the management gateway, ESXi hosts, and management VMs resolve fully-qualified domain names (FQDNs) to IP addresses on the management network. To use features such as migration with vMotion, cold migration, or Hybrid Linked Mode, switch the vCenter Server resolution to a private IP address resolvable from the VPN. See Set HCX FQDN Resolution Address in the VMware Cloud on AWS Networking and Security guide.