Your DX connection requires a private virtual interface to enable vMotion, ESXi Management, Management Appliance, and workload traffic to use it.
Create one virtual interface for each Direct Connect link you want to make to your SDDC. For example, if you want to create two Direct Connect links for redundancy, create two virtual interfaces. See VMware Configuration Maximums for limits on the number of segments supported by each private VIF.
When you connect a DX private virtual interface to an SDDC network, all outbound traffic from ESXi hosts to destinations outside the SDDC network is routed over that interface, regardless of other routing configurations in the SDDC. This includes vMotion and vSphere replication traffic. You must ensure that inbound traffic to ESXi hosts is also routed over the DX interface so that the inbound and outbound traffic paths are symmetrical.
Although routes learned from a route-based VPN are advertised to other route-based VPNs over BGP, an SDDC advertises only its own networks over DX, not any learned from VPNs. See AWS Direct Connect quotas in the AWS Direct Connect User Guide for detailed information about limits imposed by AWS on Direct Connect, including limits on routes advertised and learned over BGP.
- Log in to the AWS Console and complete the Creating a Hosted Private Virtual Interface procedure under Create a Hosted Virtual Interface.
If you are using a hosted VIF, work with your AWS partner to create the VIF in an AWS account you own, then skip to Step 2 of this procedure. If you are using a dedicated connection or hosted VIF, take these steps first.
When the interface has been created, the AWS console reports that it is ready for acceptance.
- For the Interface Owner field, use the account shown in the AWS Account ID field of the Direct Connect page of the Networking & Security tab.
- Select Auto-generate peer IPs and Auto-generate BGP key.
- (Optional) Enable Jumbo MTU.
The default MTU for all SDDC networks is 1500 bytes. To enable DX traffic to this private VIF to use a larger MTU, select Enable under Jumbo MTU (MTU size 9001). After the VIF has been created, you'll also need to open the Global Configuration page of the Networking & Security tab and set a higher MTU value under Intranet Uplink, as described in Specify the Direct Connect MTU.
- In the VMC Console, select and accept the virtual interface by clicking ATTACH.
Before it has been accepted, a new VIF is visible in all SDDCs in your organization. After you accept the VIF, it is no longer visible in any other SDDC.It can take up to 10 minutes for the BGP session to become active. When the connection is ready, the State shows as Attached and the BGP Status as Up.
- (Optional) Configure a route-based VPN as the backup to Direct Connect.
In the default configuration, traffic on any route advertised over BGP by both DX and a route-based VPN uses the VPN by default. To have a route advertised by both DX and VPN use DX by default and failover to the VPN when DX is unavailable, select Use VPN as backup to Direct Connect switch to Enabled.and set theNote: This configuration requires a route-based VPN. You cannot use a policy-based VPN as a backup to Direct Connect.The system requires a minute or so to update your routing preference. When the operation completes, routes advertised by both DX and VPN default to the DX connection, using the VPN only when DX is unavailable.
- Subnet 1 includes routes used by ESXi host vmks and router interfaces.
- Subnet 2 includes routes used for Multi-AZ support and AWS integration.
- Subnet 3 includes management VMs.
The actual CIDR blocks advertised depend on your management subnet CIDR block. The following table shows the CIDR blocks for these routes in an SDDC that uses the default management network CIDR of 10.2.0.0 in block sizes /16, /20, and /22.
|MGW CIDR||Subnet 1||Subnet 2||Subnet 3|
What to do next
Ensure the vMotion interfaces are configured to use Direct Connect. See Configure vMotion Interfaces for Use with Direct Connect.