VMware Cloud on Public Cloud uses NSX to create and manage SDDC networks. NSX provides an agile software-defined infrastructure to build cloud-native application environments.

You can access the NSX Manager in your VMware Cloud on Public Cloud SDDC in several ways:
  • By using a public IP address reachable by any browser that can connect to the Internet. In this case the management gateway firewall rules are the only control between the Internet and NSX Manager, so restrict them to trusted sources.
  • By using a private IP address through a VPN or a dedicated high bandwidth, low latency connection.
  • By using a jump server located in the hyperscaler native cloud instance.
To find out which of these options apply to your VMware Cloud on Public Cloud SDDC, see the hyperscale cloud provider documentation.

SDDC Network Topology

When you create an SDDC, it includes a Management Network. Single-host trial SDDCs also include a small Compute Network. You specify the Management Network CIDR block when you create the SDDC. It cannot be changed after the SDDC has been created. The Management Network has two subnets:
Appliance Subnet
This subnet is used by the vCenter Server and NSX appliances in the SDDC. When you add appliance-based services such as SRM to the SDDC, they also connect to this subnet.
Infrastructure Subnet
This subnet is used by the ESXi hosts in the SDDC.

The Compute Network includes an arbitrary number of logical segments for your workload VMs, up to the limits published in VMware Configuration Maximums. Depending on your hyperscale cloud provider, the Single Host SDDC starter configuration might include a compute network with a single routed segment. In SDDC configurations that have more hosts, you must create compute network segments to meet your needs.

An SDDC network has two notional tiers:
  • Tier 0 handles north-south traffic (traffic leaving or entering the SDDC, or between the Management and Compute gateways). In the default configuration, each SDDC has a single Tier-0 router.
  • Tier 1 handles east-west traffic (traffic between routed network segments within the SDDC). In the default configuration, each SDDC has a single Tier-1 router. You can create and configure additional Tier-1 gateways if you need them. See Add a Tier-1 Gateway.
    Note:

    If the option to create and configure additional Tier-1 gateways is not active in your SDDC, and you want to activate it, contact your account team.

NSX Edge Appliance

The default NSX Edge Appliance is implemented as a pair of VMs that run in active/standby mode. This appliance provides the platform on which the default Tier 0 and Tier 1 routers run, along with IPsec VPN connections. All north-south traffic goes through the default Tier 0 router. To avoid sending east-west traffic through the appliance, a distributed component of each Tier 1 router runs on every ESXi host and handles routing for destinations within the SDDC.

Management Gateway (MGW)
The MGW is a Tier 1 router that handles routing and firewalling for vCenter Server and other management appliances running in the SDDC. Management gateway firewall rules run on the MGW and control access to management VMs. In a new SDDC, the Internet connection remains blocked until you create a Management Gateway Firewall rule allowing access from a trusted source. See Add or Modify Management Gateway Firewall Rules. Depending on your hyperscale cloud provider, you might have to follow additional steps to connect to your SDDC. For more information, see your hyperscale cloud provider documentation.
Compute Gateway (CGW)
The CGW is a Tier 1 router that handles network traffic for workload VMs connected to routed compute network segments. Compute gateway firewall rules, along with NAT rules, run on the Tier 0 router. In the default configuration, these rules block all traffic to and from compute network segments (see Configure Compute Gateway Networking and Security).
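Because the management gateway firewall is the only thing standing between a public NSX Manager or vCenter Server address and the Internet, it pays to lint proposed rules before applying them. The following is an added example, not VMware code and not the NSX API schema: it represents rules as plain dictionaries (a constructed, hypothetical format), treats a source of "ANY" as 0.0.0.0/0, and reports every ALLOW rule whose source is either unrestricted or outside an allow-list of trusted source networks. It also reports the case where no ALLOW rule exists at all, which is the default state described above. The rule set and the trusted source list are constructed sample data.

```python
"""Lint Management Gateway firewall rules for overly broad sources.

Added example; not VMware code. Rules are a constructed dict format, not
the NSX Policy API representation. A rule has: name, source ("ANY", a CIDR
string, or a list of CIDR strings), destination (a label such as "vCenter"),
services (list of labels) and action ("ALLOW" or "DROP").
"""
from ipaddress import ip_network

# Constructed sample data: 10.50.0.0/16 stands in for a corporate VPN range
# that is considered a trusted source for management access.
TRUSTED_SOURCES = ["10.50.0.0/16"]

SAMPLE_RULES = [
    {"name": "vCenter from VPN", "source": "10.50.0.0/16",
     "destination": "vCenter", "services": ["HTTPS"], "action": "ALLOW"},
    {"name": "vCenter open", "source": "ANY",
     "destination": "vCenter", "services": ["HTTPS"], "action": "ALLOW"},
    {"name": "ESXi SSH from office", "source": "203.0.113.0/24",
     "destination": "ESXi", "services": ["SSH"], "action": "ALLOW"},
    {"name": "default drop", "source": "ANY",
     "destination": "ANY", "services": ["ANY"], "action": "DROP"},
]


def _source_networks(source):
    """Normalise a rule source to a list of IPv4 networks ('ANY' -> 0.0.0.0/0)."""
    if source == "ANY":
        return [ip_network("0.0.0.0/0")]
    values = source if isinstance(source, list) else [source]
    return [ip_network(v) for v in values]


def audit_mgw_rules(rules, trusted_sources):
    """Return a list of (rule name, finding) tuples for ALLOW rules that
    expose management destinations to untrusted or unrestricted sources."""
    trusted = [ip_network(t) for t in trusted_sources]
    findings = []
    allow_seen = False
    for rule in rules:
        if rule["action"].upper() != "ALLOW":
            continue
        allow_seen = True
        for net in _source_networks(rule["source"]):
            if net.prefixlen == 0:
                findings.append((rule["name"],
                                 f"allows {rule['destination']} from any address"))
            elif not any(net.subnet_of(t) for t in trusted):
                findings.append((rule["name"],
                                 f"source {net} is outside the trusted source list"))
    if not allow_seen:
        # This is the state of a new SDDC: nothing reaches the management
        # appliances until at least one ALLOW rule exists.
        findings.append(("<none>",
                         "no ALLOW rule: management appliances remain unreachable"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_mgw_rules(SAMPLE_RULES, TRUSTED_SOURCES):
        print(f"{name}: {finding}")
```

Run against the sample rule set, the audit flags the "vCenter open" rule (source ANY) and the "ESXi SSH from office" rule (a source outside the trusted list), while the VPN rule passes. Compute Gateway rules could be linted the same way, but the threshold for what counts as "too broad" on workload segments depends on the workload, so the trusted list would differ.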

Reserved Network Addresses

Certain IPv4 address ranges are unavailable for use in SDDC compute networks. Several are used internally by SDDC network components. Most are reserved by convention on other networks as well. SDDC networks also observe the conventions for the special-use IPv4 address ranges enumerated in RFC 3330.
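The ranges the SDDC reserves internally are not listed on this page, but the RFC 3330 conventions and the fixed Management Network CIDR described above are enough to catch the common planning mistakes before a segment is created. The following is an added example, not VMware code: it checks a list of proposed compute segment CIDRs against a constructed subset of the RFC 3330 special-use ranges (private-use blocks are deliberately left out of that subset because they are what compute segments normally use), against the Management Network CIDR, and against each other. That compute segments must not overlap the management CIDR is an assumption made here, not a statement from the page. The management CIDR and the proposed segment list are constructed sample values.

```python
"""Check proposed SDDC compute segment CIDRs for reserved or overlapping space.

Added example; not VMware code. The SDDC's internally reserved ranges are
not published here, so only RFC 3330 special-use conventions, overlap with
the Management Network CIDR (assumed to be disallowed) and mutual overlap
between proposed segments are checked.
"""
from ipaddress import IPv4Network, ip_network

# Constructed subset of the RFC 3330 special-use table. Private-use blocks
# (10/8, 172.16/12, 192.168/16) are omitted on purpose: they are allowed.
RFC3330_UNUSABLE = {
    "0.0.0.0/8": '"this" network',
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
    "192.0.2.0/24": "TEST-NET",
    "192.88.99.0/24": "6to4 relay anycast",
    "198.18.0.0/15": "benchmark testing",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved for future use",
}

# Constructed sample input.
MANAGEMENT_CIDR = "10.2.0.0/16"
PROPOSED_SEGMENTS = [
    "192.168.10.0/24",    # fine
    "10.2.5.0/24",        # inside the management CIDR
    "224.1.1.0/24",       # multicast
    "169.254.10.0/24",    # link-local
    "192.168.10.128/25",  # overlaps the first segment
    "192.168.20.1/24",    # host bits set: not a valid network
]


def check_segments(mgmt_cidr, segment_cidrs):
    """Return a list of (cidr, problem) tuples; an empty list means all pass."""
    mgmt = ip_network(mgmt_cidr)
    problems = []
    accepted = []
    for raw in segment_cidrs:
        try:
            seg = ip_network(raw, strict=True)
        except ValueError as exc:
            problems.append((raw, f"not a valid network: {exc}"))
            continue
        if not isinstance(seg, IPv4Network):
            problems.append((raw, "only IPv4 segments are checked here"))
            continue
        for cidr, why in RFC3330_UNUSABLE.items():
            if seg.overlaps(ip_network(cidr)):
                problems.append((raw, f"overlaps RFC 3330 special-use range {cidr} ({why})"))
        # Assumption: routed compute segments must not overlap the management network.
        if seg.overlaps(mgmt):
            problems.append((raw, f"overlaps the Management Network CIDR {mgmt}"))
        for prev in accepted:
            if seg.overlaps(prev):
                problems.append((raw, f"overlaps another proposed segment {prev}"))
        accepted.append(seg)
    return problems


if __name__ == "__main__":
    for cidr, problem in check_segments(MANAGEMENT_CIDR, PROPOSED_SEGMENTS):
        print(f"{cidr}: {problem}")
```

Only the first sample segment passes; the others are reported for management overlap, multicast, link-local, overlap with an earlier segment, and host bits set, respectively. Because the page does not enumerate the SDDC's own internally reserved ranges, a segment that passes this check can still be rejected by the SDDC; the check removes the self-inflicted conflicts, not the platform's.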

Multicast Support in SDDC Networks

In SDDC networks, layer 2 multicast traffic is treated as broadcast traffic on the network segment where the traffic originates. It is not routed beyond that segment. Layer 2 multicast traffic optimization features such as IGMP snooping are not supported. Layer 3 multicast (such as Protocol Independent Multicast) is not supported in VMware Cloud on Public Cloud.

Connecting Your On-Premises SDDC to Your Cloud SDDC

To connect your on-premises data center to your VMware Cloud on Public Cloud SDDC, you can create a VPN that uses the public Internet, a VPN that uses a dedicated high bandwidth, low latency connection, or just a dedicated high bandwidth, low latency connection alone.

Layer 3 (L3) VPN
A layer 3 VPN provides a secure connection between your on-premises data center and your VMware Cloud on Public Cloud SDDC over the public Internet or a dedicated high bandwidth, low latency connection. These IPsec VPNs can be either route-based or policy-based. If you use an NSX VPN with an on-premises endpoint, you can use any device that supports the settings listed in the IPsec VPN Settings Reference. If you use the native VPN services of your hyperscale cloud provider, consult the hyperscale cloud provider documentation for more information.
Layer 2 (L2) VPN
A layer 2 VPN provides an extended, or stretched, network with a single IP address space that spans your on-premises data center and your SDDC and enables hot or cold migration of on-premises workloads to the SDDC. You can create only a single L2VPN tunnel in any SDDC. The on-premises end of the tunnel requires NSX. If you are not already using NSX in your on-premises data center, you can download a standalone NSX Edge appliance to provide the required functionality. An L2 VPN can connect your on-premises data center to the SDDC over the public Internet. If your SDDC does not have a public IP address, you can connect to it by using a private IP address through a VPN or a dedicated network connection.
Note:

If L2VPN is not activated in your SDDC, and you want to activate it, contact your account team.