The Connected Amazon VPC contains your SDDC and all its networks. Information about this VPC, including the active ENI, VPC subnet, and VPC ID, is available on the Networking & Security tab.

About the Connected VPC

VMware Cloud on AWS uses AWS account linking and AWS CloudFormation to obtain the permissions it needs to access a customer AWS account. When the accounts are linked, VMware Cloud on AWS runs a CloudFormation template that creates IAM roles and grants permissions for several VMware accounts to assume those roles. The role names are listed on the SDDC's Connected Amazon VPC page. Details about those roles and permissions are published in AWS Roles and Permissions in the VMware Cloud on AWS Operations Guide.

Assuming these roles grants VMware Cloud on AWS the rights to create, delete, and assign ENIs and to modify route tables in the customer's VPC. The roles also permit enumeration of the subnets and VPCs in the account so that VMware Cloud on AWS can map the available resources and present them during SDDC creation. These capabilities are needed at the beginning of the SDDC creation workflow, whenever an SDDC is upgraded, and at other times during the life of the SDDC when VPCs and their subnets must be verified or route tables and ENIs must be examined and modified. If an organization member damages the connected VPC configuration, for example by deleting or modifying the IAM roles or by modifying the default route table, SDDC operations can be affected in several ways, including:
  • VMware Cloud on AWS will be unable to add, replace, or remove hosts in the SDDC management cluster.
  • VMware Cloud on AWS will be unable to update the main route table when routes change or the active NSX-T Edge changes hosts during an upgrade. This can break connectivity between the SDDC and native AWS services. See Routing Between Your SDDC and the Connected VPC for details.
  • The affected organization will no longer be able to deploy SDDCs linked to that account.
Note: Re-running the VMware Cloud on AWS CloudFormation template does not affect existing SDDCs, which continue to use the IAM roles shown on their Connected Amazon VPC page. If an existing SDDC is exhibiting any of the symptoms listed here, contact VMware Support.
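The two failure modes listed above (IAM roles deleted or altered so the VMware accounts can no longer assume them, and the main route table edited so its routes no longer point at the active ENI) can be checked from the customer side. The script below is an added example, not VMware code and not the CloudFormation template the page describes. The role names, account ids, ENI id and route table contents are placeholders and constructed sample data; the real values come from the SDDC's Connected Amazon VPC page and from "AWS Roles and Permissions" in the Operations Guide. The boto3 calls used in run_live() (iam.get_role, ec2.describe_route_tables with the vpc-id and association.main filters) are the public AWS SDK API; the interpretation that main-route-table entries for SDDC networks should target the active ENI is an assumption drawn from the text above.

```python
"""Drift check for a VMware Cloud on AWS Connected VPC (added example, not VMware code).

Inputs are values shown on the SDDC's Connected Amazon VPC page (IAM role names,
active ENI, VPC id). The check functions are pure and run offline on the constructed
sample below; run_live() feeds them real boto3 output and needs AWS credentials.
"""
import json

# Placeholders: copy the real values from the Connected Amazon VPC page; the VMware
# account ids that may assume the roles are listed in "AWS Roles and Permissions".
EXPECTED_ROLES = ["PLACEHOLDER-VMC-ROLE-A", "PLACEHOLDER-VMC-ROLE-B"]
ACTIVE_ENI = "eni-PLACEHOLDER1"
TRUSTED_ACCOUNTS = ["111111111111", "222222222222"]


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def trusts_any(policy, account_ids):
    """True if the trust policy still lets one of account_ids call sts:AssumeRole."""
    for st in _as_list(policy.get("Statement")):
        actions = set(_as_list(st.get("Action")))
        if st.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*"}:
            continue
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if any(p == a or p.startswith(f"arn:aws:iam::{a}:") for p in aws for a in account_ids):
            return True
    return False


def check_roles(expected, found, trusted):
    """Compare the roles named on the Connected VPC page with IAM's current state.
    `found` maps role name -> dict returned by iam.get_role(); a name absent from it
    means the role no longer exists. Returns findings; an empty list means no drift."""
    findings = []
    for name in expected:
        role = found.get(name)
        if role is None:
            findings.append(f"role {name}: missing (deleted or renamed)")
            continue
        policy = role["Role"].get("AssumeRolePolicyDocument", {})
        policy = json.loads(policy) if isinstance(policy, str) else policy
        if not trusts_any(policy, trusted):
            findings.append(f"role {name}: trust policy no longer names the VMware accounts")
    return findings


def check_main_route_table(route_table, active_eni):
    """Flag routes in the VPC's main route table that no longer use the active ENI.
    `route_table` is one entry of ec2.describe_route_tables()['RouteTables']; a route to
    another ENI or in 'blackhole' state means the table was edited or left stale."""
    findings = []
    for route in route_table.get("Routes", []):
        dest, eni = route.get("DestinationCidrBlock", "?"), route.get("NetworkInterfaceId")
        if route.get("State") == "blackhole":
            findings.append(f"route {dest}: blackhole, target {eni or route.get('GatewayId')} is gone")
        elif eni and eni != active_eni:
            findings.append(f"route {dest}: targets {eni}, expected active ENI {active_eni}")
    return findings


# Constructed sample: role B is absent (simulates a deleted role); the route table has
# one healthy ENI route, one route to a stale ENI and one blackhole route.
SAMPLE_ROLES = {"PLACEHOLDER-VMC-ROLE-A": {"Role": {
    "RoleName": "PLACEHOLDER-VMC-ROLE-A",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]}}]}}}}
SAMPLE_ROUTE_TABLE = {"RouteTableId": "rtb-PLACEHOLDER", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "192.168.1.0/24", "NetworkInterfaceId": "eni-PLACEHOLDER1", "State": "active"},
    {"DestinationCidrBlock": "192.168.2.0/24", "NetworkInterfaceId": "eni-PLACEHOLDER0", "State": "active"},
    {"DestinationCidrBlock": "192.168.3.0/24", "NetworkInterfaceId": "eni-PLACEHOLDER9", "State": "blackhole"}]}


def run_sample():
    """Both checks on the constructed data; returns three findings."""
    return (check_roles(EXPECTED_ROLES, SAMPLE_ROLES, TRUSTED_ACCOUNTS)
            + check_main_route_table(SAMPLE_ROUTE_TABLE, ACTIVE_ENI))


def run_live(vpc_id):
    """Same checks against the real account (boto3 imported here to keep the sample offline)."""
    import boto3
    iam, ec2 = boto3.client("iam"), boto3.client("ec2")
    found = {}
    for name in EXPECTED_ROLES:
        try:
            found[name] = iam.get_role(RoleName=name)
        except iam.exceptions.NoSuchEntityException:
            pass  # stays absent from `found`; check_roles reports it as missing
    tables = ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]},
                                                {"Name": "association.main", "Values": ["true"]}])["RouteTables"]
    route_findings = check_main_route_table(tables[0], ACTIVE_ENI) if tables else ["main route table not found"]
    return check_roles(EXPECTED_ROLES, found, TRUSTED_ACCOUNTS) + route_findings
```

Calling run_sample() returns one finding per simulated problem (the missing role, the stale-ENI route and the blackhole route); run_live(vpc_id) performs the same comparison against the account. The checks are deliberately read-only, so they can be scheduled from a low-privilege audit principal; any finding is a cue to contact VMware Support as the note above advises, not to repair the roles or routes by hand.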

View Connected VPC Information

Click Connected VPC in the System category on the Networking & Security tab to open the Connected Amazon VPC page, which provides the following information:
AWS Account ID
    The AWS account ID you specified when you created your SDDC.
VPC ID
    The AWS ID of this VPC.
VPC Subnet
    The AWS ID of the VPC subnet you specified when you created your SDDC.
Active Network Interface
    The identifier of the ENI that VMware Cloud on AWS (VMC) currently uses in this VPC.
IAM Role Names
    The AWS Identity and Access Management role names defined in this VPC. See AWS Roles and Permissions in the VMware Cloud on AWS Operations Guide.
CloudFormation Stack Names
    The name of the AWS CloudFormation stack used to create your SDDC.
Service Access
    A list of AWS services enabled in this VPC.