The private virtual interface allows vMotion, ESXi management, management appliance, and workload traffic to flow over the Direct Connect connection between your on-premises environment and your SDDC.

Create one virtual interface for each Direct Connect link you want to make to your SDDC. For example, if you want to create two Direct Connect links for redundancy, create two virtual interfaces.

Each private virtual interface allows you to expose up to 16 logical segments to your on-premises infrastructure.

Prerequisites

Procedure

  1. Log in to the AWS Console and follow the steps for creating a hosted private virtual interface under Create a Hosted Virtual Interface.
    • For the Interface Owner field, use the account shown in the AWS Account ID field of the Direct Connect page of the Networking & Security tab.
    • Select Auto-generate peer IPs and Auto-generate BGP key.
    When the interface has been created, the AWS console reports that it is ready for acceptance.
  2. In the VMC Console, select Networking & Security > Direct Connect and accept the virtual interface by clicking ATTACH.
    Before it has been accepted, a new VIF is visible in all SDDCs in your organization. After you accept the VIF, it is no longer visible in any other SDDC.
    It can take up to 10 minutes for the BGP session to become active. When the connection is ready, the State shows as Attached and the BGP Status as Up in the VMC Console.
  3. Configure DX failover behavior.
    In the default configuration, traffic for any route advertised over BGP by both DX and a route-based VPN uses the VPN. To have a route advertised by both DX and VPN use DX by default and fail over to the VPN when DX is unavailable, select Networking & Security > Direct Connect and set the Use VPN as backup to Direct Connect switch to Enabled.
    Note: DX failover requires a route-based VPN.
    The system requires a minute or so to update your routing preference. When the operation completes, routes advertised by both DX and VPN default to the DX connection, using the VPN only when DX is unavailable.

Results

Only a subset of the management network routes is advertised over BGP.
  • Subnet 1 includes routes used by ESXi host vmks and router interfaces.
  • Subnet 2 includes routes used for Multi-AZ support and AWS integration.
  • Subnet 3 includes management VMs.
The actual CIDR blocks advertised depend on your management subnet CIDR block. The following table provides the CIDR blocks for these routes given the default management network CIDR of 10.2.0.0 in sizes /16, /20, and /23.
Table 1. Advertised Routes for 10.2.0.0 Default MGW CIDR

  MGW CIDR        Subnet 1        Subnet 2         Subnet 3
  10.2.0.0/23     10.2.0.0/24     10.2.1.0/26      10.2.1.128/25
  10.2.0.0/20     10.2.0.0/21     10.2.8.0/23      10.2.12.0/22
  10.2.0.0/16     10.2.0.0/17     10.2.128.0/19    10.2.192.0/18
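As an added worked example (not from the VMware documentation), the following Python derives the three advertised management routes from an MGW CIDR using the carve-out visible in Table 1 (Subnet 1 is the first half, Subnet 2 the first eighth of the second half, Subnet 3 the last quarter), and then checks a constructed list of prefixes learned over the DX BGP session against them. It assumes that layout also holds for a non-default base address; the function names and the sample prefixes are constructed for the example.

```python
import ipaddress

# Added example (not part of the VMware documentation): derive the three
# management routes from the MGW CIDR as laid out in Table 1, then check
# a set of prefixes learned over the DX BGP session against them.

SUPPORTED_PREFIXES = (16, 20, 23)   # the MGW CIDR sizes covered by Table 1


def advertised_management_routes(mgw_cidr):
    """Return [Subnet 1, Subnet 2, Subnet 3] for the given management CIDR.

    Layout read off Table 1 (assumed to hold for non-default base addresses):
      Subnet 1: first half of the block          (prefix + 1, offset 0)
      Subnet 2: first eighth of the second half  (prefix + 3, offset 1/2)
      Subnet 3: last quarter of the block        (prefix + 2, offset 3/4)
    """
    net = ipaddress.ip_network(mgw_cidr, strict=True)
    if net.prefixlen not in SUPPORTED_PREFIXES:
        raise ValueError(f"unsupported management CIDR size /{net.prefixlen}")
    base = int(net.network_address)
    quarter = net.num_addresses // 4
    return [
        ipaddress.ip_network((base, net.prefixlen + 1)),
        ipaddress.ip_network((base + 2 * quarter, net.prefixlen + 3)),
        ipaddress.ip_network((base + 3 * quarter, net.prefixlen + 2)),
    ]


def unexpected_management_prefixes(mgw_cidr, learned_prefixes):
    """Return learned prefixes that fall inside the MGW CIDR but are not one of
    the three routes the SDDC is expected to advertise.

    Workload segments live outside the management CIDR and are left alone;
    only management-range prefixes that differ from the expected set are
    reported (for example the whole MGW CIDR, or a more specific route).
    """
    mgw = ipaddress.ip_network(mgw_cidr, strict=True)
    expected = set(advertised_management_routes(mgw_cidr))
    flagged = []
    for prefix in learned_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.overlaps(mgw) and net not in expected:
            flagged.append(str(net))
    return sorted(flagged)


# Constructed sample of prefixes as an on-prem router might list them after
# the BGP session comes up: the three expected management routes, one
# workload segment, and an unexpected aggregate for the whole MGW CIDR.
SAMPLE_LEARNED = [
    "10.2.0.0/24",
    "10.2.1.0/26",
    "10.2.1.128/25",
    "192.168.10.0/24",
    "10.2.0.0/23",
]

if __name__ == "__main__":
    # Reproduces Table 1 for the default base address, then runs the check.
    for size in SUPPORTED_PREFIXES:
        routes = advertised_management_routes(f"10.2.0.0/{size}")
        print(f"10.2.0.0/{size}:", ", ".join(str(r) for r in routes))
    print("unexpected:", unexpected_management_prefixes("10.2.0.0/23", SAMPLE_LEARNED))
```

Running the script with the default 10.2.0.0 base reproduces the three rows of Table 1; passing your own management CIDR gives the routes to expect on the on-premises router once the BGP Status shows Up, and the check function highlights anything in the management range that should not be there.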

What to do next

Ensure the vMotion interfaces are configured to use Direct Connect. See Configure vMotion Interfaces for Use with Direct Connect.