To begin using VMware Cloud on AWS to run workloads in your SDDC, you'll need to set up a secure network connection between your on-premises data center and the SDDC. This network can include a dedicated connection over AWS Direct Connect, an IPsec VPN, or both.
To learn more about the options for setting up that connection, use the Networking and Security Dashboard. If you just want to quickly set up a route-based VPN connecting your on-premises data center to your SDDC over the Internet, follow these steps.
Procedure
- Create a route-based VPN in the SDDC.
A route-based VPN creates an IPsec tunnel interface and routes traffic through it as dictated by the SDDC routing table. A route-based VPN provides resilient, secure access to multiple subnets. When you use a route-based VPN, new routes are added automatically when new networks are created. See Create a Route-Based VPN in the VMware Cloud on AWS Networking and Security guide.
- Configure an on-premises IPsec VPN.
You can use NSX or any other device that can terminate an IPsec VPN.
Important:
The SDDC end of an IPsec VPN supports only time-based rekeying. Your on-premises device must disable lifebytes rekeying (rekeying triggered by the amount of data sent through the tunnel); otherwise the two ends disagree on when to renegotiate and the tunnel drops.
Do not configure the on-premises side of the VPN to have an idle timeout (for example, the NSX Session idle timeout setting). An on-premises idle timeout tears down the tunnel whenever traffic pauses, so the VPN disconnects periodically and must be re-established.
- If your on-premises VPN gateway is behind a firewall, you must configure that firewall to forward IPsec protocol traffic:
- Open UDP port 500 to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic, which carries the IKE key exchange, to be forwarded through the firewall.
- Allow IP protocol 50 so that IPsec Encapsulating Security Payload (ESP) traffic is forwarded through the firewall. ESP is an IP protocol, not a TCP or UDP port.
- Allow IP protocol 51 so that Authentication Header (AH) traffic is forwarded through the firewall. AH is likewise an IP protocol, not a port.
- Download the SDDC IPsec VPN configuration file.
See the IPsec VPN Settings Reference in the VMware Cloud on AWS Networking and Security guide for more about what's in this file and how to use it to help you configure your on-premises VPN endpoint.
- (Optional) Create a network segment.
A Single Host Starter SDDC is created with a single routed network segment named sddc-cgw-network-1. Multi-host SDDCs are created without a default network segment, so you must create at least one for your workload VMs. See Create a Network Segment in the VMware Cloud on AWS Networking and Security guide.
- Create some basic firewall rules on the management gateway.
By default, the management gateway blocks traffic to all destinations from all sources. Add Management Gateway firewall rules to allow only the traffic you need. See Add or Modify Management Gateway Firewall Rules in the VMware Cloud on AWS Networking and Security guide.
- Configure management network private DNS.
Specify the addresses of your private DNS servers so that the management gateway, ESXi hosts, and management VMs resolve fully qualified domain names (FQDNs) to IP addresses on the management network. To use features such as migration with vMotion, cold migration, or Hybrid Linked Mode, switch the vCenter Server FQDN resolution to a private IP address that is reachable over the VPN. See Set vCenter Server FQDN Resolution Address in the VMware Cloud on AWS Networking and Security guide.
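The on-premises IPsec and firewall steps above impose a small set of hard constraints: time-based rekeying only, no idle timeout, and forwarding of UDP 500, IP protocol 50 and IP protocol 51 through any firewall in front of the VPN gateway. The following Python pre-flight check encodes those constraints so they can be verified before the tunnel is brought up. It is an added example, not part of this guide or of VMware's tooling; the settings dictionary keys, the firewall rule format and the sample data are constructed for illustration and must be mapped onto your own device's configuration export. It assumes the firewall evaluates forward rules first-match with an implicit default deny.

```python
"""Pre-flight checks for the on-premises end of a route-based IPsec VPN to an SDDC.

Added example, not VMware's code. The settings keys, the rule format and the
sample data below are constructed for illustration.
"""
from typing import Dict, List, Optional

# Values fixed by the procedure above.
ISAKMP_UDP_PORT = 500   # IKE / ISAKMP key exchange, UDP
ESP_PROTOCOL = 50       # Encapsulating Security Payload, an IP protocol
AH_PROTOCOL = 51        # Authentication Header, an IP protocol
UDP_PROTOCOL = 17

# Protocol names a firewall export might use, normalised to IP protocol numbers.
_PROTO_NUMBERS = {"udp": UDP_PROTOCOL, "tcp": 6, "esp": ESP_PROTOCOL, "ah": AH_PROTOCOL}

# (label, IP protocol number, UDP destination port or None for portless protocols)
REQUIRED_FLOWS = [
    ("ISAKMP (UDP 500)", UDP_PROTOCOL, ISAKMP_UDP_PORT),
    ("ESP (IP protocol 50)", ESP_PROTOCOL, None),
    ("AH (IP protocol 51)", AH_PROTOCOL, None),
]


def _proto_number(proto: str) -> Optional[int]:
    """Accept 'esp', 'ah', 'udp', 'tcp' or a numeric protocol string."""
    p = proto.strip().lower()
    if p in _PROTO_NUMBERS:
        return _PROTO_NUMBERS[p]
    return int(p) if p.isdigit() else None


def _first_match(rules: List[Dict], proto_num: int, port: Optional[int]) -> str:
    """Return the action of the first rule matching the flow (first-match semantics).

    Hypothetical rule format: {"action": "allow"|"deny", "protocol": "udp"|"esp"|"ah"|<number>|"any",
    "dst_port": <int, optional>}. No matching rule means the implicit default deny applies.
    """
    for rule in rules:
        proto = str(rule.get("protocol", "any")).lower()
        if proto != "any" and _proto_number(proto) != proto_num:
            continue
        rule_port = rule.get("dst_port")
        # A port-specific rule cannot match a portless protocol (ESP, AH) and
        # only matches UDP 500 if the port agrees; a rule without dst_port matches all.
        if rule_port is not None and (port is None or int(rule_port) != port):
            continue
        return str(rule.get("action", "deny")).lower()
    return "deny"


def missing_firewall_forwarding(rules: List[Dict]) -> List[str]:
    """List the required IPsec flows the firewall would not forward."""
    return [label for label, proto, port in REQUIRED_FLOWS
            if _first_match(rules, proto, port) != "allow"]


def vpn_settings_problems(settings: Dict) -> List[str]:
    """Check on-premises IPsec settings against the SDDC's constraints.

    Hypothetical keys: rekey_seconds, rekey_lifebytes, idle_timeout_seconds.
    """
    problems = []
    # The SDDC end rekeys on time only; any byte-count (lifebytes) trigger must be off.
    if settings.get("rekey_lifebytes", 0):
        problems.append("lifebytes rekeying is enabled; the SDDC supports only time-based rekeying")
    if not settings.get("rekey_seconds"):
        problems.append("no time-based rekey lifetime is configured")
    # Any on-premises idle timeout periodically tears the tunnel down.
    if settings.get("idle_timeout_seconds", 0):
        problems.append("an idle timeout is set; remove it to avoid periodic disconnects")
    return problems


def preflight(settings: Dict, rules: List[Dict]) -> List[str]:
    """Combine both checks into a single list of findings (empty means ready)."""
    findings = vpn_settings_problems(settings)
    findings += ["firewall does not forward " + flow for flow in missing_firewall_forwarding(rules)]
    return findings


# Constructed sample: a typical first attempt with common mistakes.
SAMPLE_SETTINGS = {"rekey_seconds": 28800, "rekey_lifebytes": 4608000, "idle_timeout_seconds": 300}
SAMPLE_RULES = [
    {"action": "allow", "protocol": "udp", "dst_port": 500},
    {"action": "allow", "protocol": "esp"},
    # AH forgotten, so the implicit default deny applies to protocol 51.
]

if __name__ == "__main__":
    for finding in preflight(SAMPLE_SETTINGS, SAMPLE_RULES):
        print("FAIL:", finding)
```

Run against the constructed sample, the check reports the enabled lifebytes rekeying, the idle timeout, and the missing AH forwarding; a deny rule placed ahead of the allow rules is also caught because matching stops at the first rule that applies.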