SDDC Networking

VMware Cloud on AWS is based on NSX-T, VMware’s solution for software-defined networking for both on-premises datacenters and cloud. The layout under the Networking and Security tab has been designed to make it easy for users to navigate. The menu is provided to the left with the networking and security sections at the top. Users can easily jump to one of the respective sections: Overview, Network, Security, Inventory, Tools and System.


Network Segments

All networking and security configuration is done through the VMware Cloud on AWS console via the Networking and Security tab, including creating network segments. This provides ease of operations and management by having all networking and security access through the console.

Distributed Firewall

Using VMware Cloud on AWS with NSX-T, users can implement micro-segmentation with the Distributed Firewall. Granular security policies can be applied at the VM level, allowing for east-west segmentation within the same L2 network or across separate L3 networks.

Security Groups

Grouping objects can be leveraged within security policies. Security groups support the following grouping criteria/constructs:

  • IP Address
  • VM Instance
  • Matching criteria of VM Name
  • Matching criteria of Security Tag

Route Based IPSEC VPN with Redundancy

In addition to Policy Based IPSEC VPN, Route Based IPSEC VPN is also possible. Users can configure BGP to run over IPSEC so networks are automatically advertised and learned between the VMware Cloud on AWS SDDC and on-prem. This simplifies operations and also prevents manual errors in configuration updates every time a network change needs to be made. In addition, Route Based IPSEC VPN provides redundancy: multiple VPNs can be set up to on-premises datacenters, and BGP can be leveraged to configure active/passive paths.

Direct Connect Private VIF for all Traffic

Another feature of NSX-T SDDC is that all traffic is supported over Direct Connect Private VIF. This greatly simplifies connectivity and configuration, and VPNs are no longer required to carry certain traffic.

Connectivity from Compute Overlay to Management Infrastructure

With NSX-T SDDC, workloads on the compute overlay network can access management infrastructure behind the Management Gateway (MGW). The NSX-T architecture provides this inherently. Users can set up automation, monitoring, and other operational tools on compute network segments, which can now communicate easily with management infrastructure like vCenter and ESXi hosts.

vCenter Management Access from Connected Native AWS VPC

vCenter Management access is also possible from the Connected Native AWS VPC. In addition to learning the VMware Cloud on AWS network segments, the Connected Native AWS VPC is also notified of how to reach the vCenter Management network, which is also an overlay. This enables users to run automation, monitoring, or other applications/appliances in the Connected Native AWS VPC which can access the vCenter Management network.

DNS Zones

There can be multiple DNS zones, thus providing additional flexibility to users who want to use multiple DNS servers based on domain.

Port Mirroring

Port mirroring is supported: a user can deploy a port mirroring appliance like Wireshark on a compute network segment in the VMware Cloud on AWS SDDC and have traffic from other workloads mirrored to it.


IPFIX can also be leveraged for monitoring and traffic analysis. A monitoring tool such as Plixer Scrutinizer or another 3rd party tool for traffic analysis can be deployed on a compute network segment in the VMware Cloud on AWS SDDC and configured as a collector.

Detailed procedural information for networking configuration can be found in the Configure Compute Gateway and Workload Networking documentation.

For more information on NSX-T in VMware Cloud on AWS, see this article.

