Follow this workflow to configure NSX-T networking and security in your SDDC.

Assign NSX Service Roles to Organization Members
Grant users in your organization an NSX service role to allow them to view or configure features on the Networking & Security tab.

Configure AWS Direct Connect Between Your SDDC and On-Premises Data Center
Use of AWS Direct Connect is optional. If traffic between your on-premises network and your SDDC workloads requires higher speeds and lower latency than you can achieve with a connection over the public Internet, configure VMware Cloud on AWS to use AWS Direct Connect.

Configure a VPN Connection Between Your SDDC and On-Premises Data Center
Configure a VPN to provide a secure connection to your SDDC over the public Internet or AWS Direct Connect. Route-based and policy-based IPsec VPNs are supported. Either type of VPN can connect to the SDDC over the Internet. A route-based VPN can also connect to the SDDC over AWS Direct Connect.

Configure Management Gateway Networking and Security
The management network and Management Gateway are largely preconfigured in your SDDC, but you'll still need to configure access to management network services like vCenter and HCX and create management gateway firewall rules to allow traffic between the management network and other networks, including your on-premises networks and other SDDC networks.

Configure Compute Gateway Networking and Security
Compute Gateway networking includes a compute network with one or more segments and the DNS, DHCP, and security (gateway firewall and distributed firewall) configurations that manage network traffic for workload VMs. It can also include a layer 2 VPN and extended network that provides a single broadcast domain spanning your on-premises network and your SDDC workload network.

Configure a Multi-Edge SDDC With Traffic Groups
In the default configuration, your SDDC network has a single edge (T0) router through which all North-South traffic flows. This edge supports the default traffic group, which is not configurable. If you need additional bandwidth for the subset of this traffic routed to SDDC group members, to a Direct Connect Gateway attached to an SDDC group, to an HCX Service Mesh, or to the connected VPC, you can reconfigure your SDDC to be Multi-Edge by creating traffic groups, each of which creates an additional T0 router.

Working With Inventory Groups
Use the VMware Cloud on AWS Networking & Security inventory to create groups of VMs and network services that you can use when you create firewall rules.

Managing Workload Connections
Workload VMs on routed segments or on HCX extended networks with MON enabled can connect to the Internet by default. NAT rules, Compute Gateway firewall rules, and distributed firewall rules, as well as default routes advertised by a VPN, DX, or SDDC Group connection, all give you fine-grained control over Internet access.