VMware Cloud on AWS uses NSX-T to create and manage internal SDDC networks and provide endpoints for VPN connections from your on-premises network infrastructure.
Connecting to your SDDC
- Layer 3 (L3) VPN
- A layer 3 VPN provides a management network that connects your on-premises data center to your SDDC. These IPsec VPNs can be either route-based or policy-based. You can create up to sixteen VPNs of each type, using any on-premises router that supports the settings listed in the IPsec VPN Settings Reference. An L3 VPN can connect your on-premises data center to the SDDC over the public Internet or over AWS Direct Connect.
- Layer 2 (L2) VPN
- A layer 2 VPN provides an extended, or stretched, network with a single IP address space that spans your on-premises data center and your SDDC and enables hot or cold migration of on-premises workloads to the SDDC. You can create only a single L2VPN tunnel in any SDDC. The on-premises end of the tunnel requires NSX. If you are not already using NSX in your on-premises data center, you can download a standalone NSX Edge appliance to provide the required functionality. An L2 VPN can connect your on-premises data center to the SDDC over the public Internet or over AWS Direct Connect.
- AWS Direct Connect (DX)
- AWS Direct Connect is a service provided by AWS that allows you to create a high-speed, low-latency connection between your on-premises data center and AWS services. When you configure AWS Direct Connect, VPNs can use it instead of routing traffic over the public Internet. Because Direct Connect implements Border Gateway Protocol (BGP) routing, use of an L3 VPN for the management network is optional when you configure Direct Connect. Note that Direct Connect is a private circuit, not an encrypted one: traffic over Direct Connect is not encrypted. If you want to encrypt that traffic, configure your L3 VPN to use Direct Connect so that the IPsec tunnel runs over the Direct Connect link.
- VMware HCX
- VMware HCX, a multi-cloud app mobility solution, is provided free to all SDDCs and facilitates migration of workload VMs to and from your on-premises data center to your SDDC. For more information about installing, configuring, and using HCX, see the Hybrid Migration with HCX Checklist.
SDDC Network Topology
- Appliance Subnet
- A subnet of the CIDR range you specified for the Management Subnet when you created the SDDC. This subnet is used by the vCenter, NSX, and HCX appliances in the SDDC. When you add appliance-based services such as SRM to the SDDC, they also connect to this subnet.
- Infrastructure Subnet
- A subnet of the CIDR range you specified for the Management Subnet when you created the SDDC. This subnet is used by the ESXi hosts in the SDDC.
The Compute Network includes an arbitrary number of logical segments for your workload VMs. In a Single Host SDDC starter configuration, we create a compute network with a single routed segment. In SDDC configurations that have more hosts, you'll have to create compute network segments to meet your needs. See Configuration Maximums for VMware Cloud on AWS for applicable limits.
The SDDC network is organized in two tiers:
- Tier 0 is served by an NSX Edge appliance.
- Tier 1 is served by two NSX Edge firewalls (the Management Gateway and the Compute Gateway).
- NSX Edge Appliance
- All traffic between your on-premises networks and your SDDC networks passes through this appliance. Compute Gateway firewall rules, which control access to workload VMs, are applied on its uplink interfaces.
- Management Gateway (MGW)
- The MGW is an NSX Edge firewall that provides north-south network connectivity for the vCenter Server and other management appliances running in the SDDC. The Internet-facing IP address of the MGW is automatically assigned from the pool of AWS public IP addresses when the SDDC is created. The management appliances themselves are addressed from the Management Subnet CIDR range you specify when you create the SDDC; see Deploy an SDDC from the VMC Console for more about specifying that range. If you don't specify a range when you create the SDDC, the system uses a default of 10.2.0.0/16.
- Compute Gateway (CGW)
- The CGW is an NSX Edge firewall that provides north-south network connectivity for virtual machines running in the SDDC. In a single-node SDDC, VMware Cloud on AWS creates a default logical network segment (CIDR block 192.168.1.0/24) to provide networking for these VMs. You can create additional logical networks on the Networking & Security tab.
Routing Between Your SDDC and the Connected VPC
All SDDC subnets and any VPC subnets on which AWS services or instances communicate with the SDDC must be associated with the main route table of the connected VPC. Use of a custom route table or replacement of the main route table is not supported.
When you create an SDDC, we connect the ENI of the VPC owned by the AWS account you specify to the NSX Edge Appliance in the SDDC. That VPC becomes the Connected VPC, and the connection supports network traffic between SDDC VMs and AWS instances and native services in the Connected VPC. The main route table of the connected VPC includes all the subnets in the VPC as well as all SDDC (NSX-T network segment) subnets. When you create or delete routed network segments on the workload network, the main route table is automatically updated. When the NSX Edge Appliance in your SDDC is moved to another host, either to recover from a failure or during SDDC maintenance, the main route table is updated to reflect the ENI used by the new NSX Edge host. If you have replaced the main route table or are using a custom route table, that update fails and network traffic can no longer be routed between SDDC networks and the Connected VPC.
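The two constraints above (every subnet stays on the main route table, and the main table carries a route for each SDDC segment via the NSX Edge ENI) are easy to drift from when a team adds custom route tables later. The following is an added example, not VMware or AWS code: a small audit over the data shape returned by `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` (or boto3 `ec2.describe_route_tables`). The route tables, ENI ID and SDDC segment list below are constructed sample data.

```python
"""Audit a Connected VPC's route tables for the two constraints in the text.

Added example, not VMware or AWS code. The input is the `RouteTables` list
returned by `describe-route-tables`; the sample below is constructed, and the
ENI ID eni-0edge stands in for the NSX Edge appliance's ENI.
"""
from ipaddress import ip_network

# Constructed sample: a main table carrying the SDDC segment routes via the
# NSX Edge ENI, plus a custom table that one subnet was wrongly moved to.
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-0main",
        "Associations": [
            {"Main": True, "RouteTableId": "rtb-0main"},
            {"Main": False, "SubnetId": "subnet-0a", "RouteTableId": "rtb-0main"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "192.168.1.0/24", "NetworkInterfaceId": "eni-0edge"},
            {"DestinationCidrBlock": "192.168.10.0/24", "NetworkInterfaceId": "eni-0edge"},
        ],
    },
    {
        "RouteTableId": "rtb-0custom",
        "Associations": [
            {"Main": False, "SubnetId": "subnet-0b", "RouteTableId": "rtb-0custom"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
        ],
    },
]

# Constructed: the routed network segments configured in the SDDC.
SDDC_SEGMENTS = ["192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24"]


def main_route_table(route_tables):
    """Return the VPC's main route table (the one with a Main=True association)."""
    for rt in route_tables:
        if any(a.get("Main") for a in rt["Associations"]):
            return rt
    raise ValueError("VPC has no main route table")


def subnets_off_main_table(route_tables):
    """Subnets explicitly associated with a table other than the main one.

    Such subnets never receive the SDDC segment routes that VMware Cloud on AWS
    maintains in the main table, so traffic to and from the SDDC breaks there.
    """
    main_id = main_route_table(route_tables)["RouteTableId"]
    return sorted(
        a["SubnetId"]
        for rt in route_tables
        for a in rt["Associations"]
        if "SubnetId" in a and rt["RouteTableId"] != main_id
    )


def segments_missing_eni_route(route_tables, segments):
    """SDDC segments for which the main table has no route pointing at an ENI.

    A missing entry usually means the automatic update described in the text
    failed (for example after the main table was replaced).
    """
    main = main_route_table(route_tables)
    covered = {
        ip_network(r["DestinationCidrBlock"])
        for r in main["Routes"]
        if "NetworkInterfaceId" in r
    }
    return sorted(s for s in segments if ip_network(s) not in covered)


if __name__ == "__main__":
    print("subnets off the main table:", subnets_off_main_table(SAMPLE_ROUTE_TABLES))
    print("SDDC segments without an ENI route:",
          segments_missing_eni_route(SAMPLE_ROUTE_TABLES, SDDC_SEGMENTS))
```

Run it against live output by replacing `SAMPLE_ROUTE_TABLES` with the `RouteTables` list from the CLI and `SDDC_SEGMENTS` with the segments shown under Networking & Security; any subnet reported by the first check, or any segment reported by the second, is a routing gap between the SDDC and the Connected VPC.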
For more information, see View Connected VPC Information.
Reserved Network Addresses
The entire address range 100.64.0.0/10 (reserved for carrier-grade NAT per RFC 6598) is reserved by VMware Cloud on AWS for internal use. You cannot access any remote (on-premises) networks in that address range from workloads in the SDDC, and you cannot use any addresses in that range within the SDDC.
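Because the reserved range, the Management Subnet CIDR and your own workload segments must all be disjoint, it pays to check a planned address layout before creating the SDDC or extending a network to it. The following is an added example, not VMware code: it flags any proposed on-premises or SDDC network that overlaps 100.64.0.0/10, overlaps the Management Subnet CIDR (the default 10.2.0.0/16 is assumed unless you pass your own), or overlaps another proposed network. The labels and CIDRs in the sample plan are constructed.

```python
"""Pre-flight check for SDDC address planning.

Added example, not VMware code. Flags proposed networks that overlap the
100.64.0.0/10 range reserved by VMware Cloud on AWS, the Management Subnet
CIDR, or each other. The sample plan below is constructed.
"""
from ipaddress import ip_network

# Reserved by VMware Cloud on AWS for internal use (the RFC 6598 CGNAT range).
VMC_RESERVED = ip_network("100.64.0.0/10")
# Management Subnet CIDR used when none is specified at SDDC creation.
DEFAULT_MGMT_CIDR = ip_network("10.2.0.0/16")


def plan_conflicts(proposed, mgmt_cidr=DEFAULT_MGMT_CIDR):
    """Return (label, reason) pairs for every proposed network that cannot be used.

    `proposed` maps a label (for example "onprem-db") to a CIDR string. Checks:
      1. overlap with 100.64.0.0/10 (unreachable on-premises, unusable in the SDDC),
      2. overlap with the Management Subnet CIDR,
      3. overlap between two proposed networks (ambiguous routing).
    """
    nets = {label: ip_network(cidr, strict=False) for label, cidr in proposed.items()}
    conflicts = []
    for label, net in nets.items():
        if net.overlaps(VMC_RESERVED):
            conflicts.append((label, f"overlaps reserved {VMC_RESERVED}"))
        if net.overlaps(mgmt_cidr):
            conflicts.append((label, f"overlaps management CIDR {mgmt_cidr}"))
    labels = sorted(nets)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if nets[a].overlaps(nets[b]):
                conflicts.append((a, f"overlaps {b} ({nets[b]})"))
    return conflicts


# Constructed sample plan mixing on-premises networks and SDDC segments.
SAMPLE_PLAN = {
    "onprem-users": "10.50.0.0/16",
    "onprem-cgnat-lab": "100.70.0.0/16",  # falls inside 100.64.0.0/10
    "sddc-web": "192.168.1.0/24",          # the default single-host segment
    "sddc-app": "10.2.10.0/24",            # falls inside the default management CIDR
    "sddc-db": "192.168.0.0/22",           # overlaps sddc-web
}

if __name__ == "__main__":
    for label, reason in plan_conflicts(SAMPLE_PLAN):
        print(f"{label}: {reason}")
```

Pass your actual Management Subnet CIDR as `mgmt_cidr` when you did not take the default; an empty result means the plan is free of the overlaps this page warns about.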
Multicast Support in SDDC Networks
In SDDC networks, layer 2 multicast traffic is treated as broadcast traffic on the network segment where the traffic originates. It is not routed beyond that segment. Layer 2 multicast traffic optimization features such as IGMP snooping are not supported. Layer 3 multicast (such as Protocol Independent Multicast) is not supported in VMware Cloud on AWS.