check-circle-line exclamation-circle-line close-line

Understanding Integrations with AWS Services

As the above diagram illustrates, the VMware stack not only sits next to the AWS services, but is tightly integrated with these services. This introduces a new way of thinking about how to design and leverage AWS services with your VMware SDDC. Some integrations our customers are using include:

  • VMware front-end and RDS backend
  • VMware back-end and EC2 front-end
  • AWS Application Load Balancer (ELBv2) with VMware front-end (pointing to private IPs)
  • Lambda, Simple Queueing Service (SQS), Simple Notification Service (SNS), S3, Route53, and Cognito
  • AWS Lex, and Alexa with the VMware Cloud APIs

These are only a few of the integrations we've seen. There are many different services that can be integrated into your environment. 

How is this possible?

In addition to sitting within the AWS Infrastructure, there is an Elastic Network Interface (ENI) connecting VMware Cloud on AWS and the customer's Virtual Private Cloud (VPC), providing a high-bandwidth, low latency connection between the VPC and the SDDC. This is where the traffic flows between the two technologies (VMware and AWS). There are no EGRESS charges across the ENI within the same Availability Zone and there are firewalls on both ends of this connection for security purposes.

How do I secure the traffic across the ENI?

Think of the connectivity between AWS and VMware like a road between each location, each side with a security gate.

From the VMware side (see image below), the ENI comes into the SDDC at the Compute Gateway (NSX Edge). This means, on this end of the technology we allow and disallow traffic from the ENI with NSX Firewall rules. By default, no ENI traffic can enter the SDDC. Think of this as a security gate blocking traffic to and from AWS Services on the ENI until the rules are modified.


On the AWS Services side (see image below), Security Groups are utilized. For those who are not familiar with Security Groups, they act as a virtual firewall for different services (VPC’s, Databases, EC2 Instances, etc). This should be configured to deny traffic to and from the VMware SDDC unless otherwise configured.


Now that the security-side of the interconnectivity between VMware Cloud on AWS and AWS services has been covered, let’s walk through what it looks like if we do it right now.



After logging into the VMware Cloud console, click on the ‘Network’ tab. Youu will see a diagram of the VMware Cloud on AWS networking. Scrolling down below the diagram, you can configure the firewall for the Compute Gateway, which is where all the customer workloads are found.

As you can see here, we can configure settings for the Management and Compute gateways. The majority of customer rules will be in the Compute Gateway.


When adding the inbound and outbound firewall rules for the ENI, instead of inputting a specific IP, range, or CIDR, click the drop-down option ‘All Connected Amazon VPC’. This allows the firewall to manage ENI traffic whereas the other options will configure the firewall for traffic going in and out of the Internet Gateway.


Add the destination IP range of my logical networks which are all 192.168.x.x so the destination address to cover all my networks would be The type of traffic can also be selected. In this case, all types of traffic passed over the ENI between the SDDC and AWS services so we will go ahead and select ‘All Traffic’.


From here, do the same thing for the outbound traffic to the AWS services. The only difference between these two rules are swapping the Source and Destination.


The rules now appear in the UI and can be verified that they both are set to ‘Allow’


Now that the SDDC side has been configured. the same rules need to do be configured in the AWS Security Groups.

AWS Security Groups

If you are not familiar with AWS, the Security Groups are found under VPC > Security.


Select your Security Group and head to the ‘Inbound Rules’. Here you will add rules not only for the AWS connectivity through the Internet Gateway, but for traffic coming from the SDDC as well.


Once all the ports needed are configured, you can save the rules.


Summary of the default outbound rules.