AWS services such as S3, ELB, and RDS have IP addresses that NSX-managed VMs running in overlay mode cannot reach directly. To overcome this limitation, NSX Cloud provides Distributed Services Routing (DSR).

About this task

DSR is a feature that allows services in the overlay network to have direct access to underlay services in AWS. It also allows underlay services to access VMs via the overlay network.

Procedure

  1. To enable only outbound access from your VM, do the following:
    1. Add the nsx:directroute.[n] tag to the VM, with the CIDR of the service you want to reach as the value.
  2. To enable both outbound and inbound access from and to your VM, do the following:
    1. Add the nsx:directroute.[n] tag to the VM, with the CIDR of the service you want to reach as the value.
    2. Add the nsx:directinbound tag to the VM with the value true (case-sensitive).

    You can list several outbound service prefixes (CIDRs) by adding one nsx:directroute.[n] tag per prefix, numbered nsx:directroute.0, nsx:directroute.1, and so on. The VM drops traffic from underlay IP addresses that are not covered by a tag value.

    When you enable inbound access by attaching the nsx:directinbound tag, every prefix listed in the nsx:directroute.[n] tags can send traffic to the VM; you cannot restrict inbound access to a subset of them. Note in particular that combining nsx:directinbound with the vpc-cidr-block value (see Table 2) exposes the VM to inbound underlay traffic from the whole VPC, so list only the prefixes the VM actually needs.

DSR example

For example, to give a VM in the us-west-2 region access to S3, add the following tags. The prefixes shown are illustrative: AWS publishes the current S3 prefixes for each region in https://ip-ranges.amazonaws.com/ip-ranges.json, and they change over time, so check the current list before tagging.

Table 1. Tags for S3 access from us-west-2

Key                  Value
nsx:directroute.0    54.231.160.0/19
nsx:directroute.1    52.218.128.0/17
nsx:directroute.2    52.92.32.0/22

Table 2. AWS Tags for DSR

What you need to do: Allow outbound traffic from the VM
  Tag key:    nsx:directroute.[n]
  Tag value:  one of the following:
                - an IPv4 CIDR, e.g. 10.10.10.0/24
                - the string "vpc-cidr-block", which is mapped to the CIDR of the VPC this VM belongs to
  Behind the scenes: Within about a minute, the VM is added to the AWS security group vm-outbound-bypass-sg, which permits the appropriate outbound traffic.

What you need to do: Allow inbound and outbound traffic to and from the VM
  Tag keys:   1. nsx:directroute.[n]
              2. nsx:directinbound
  Tag values: 1. one of the values for outbound traffic
              2. true (case-sensitive)
  Behind the scenes: Within about a minute, the VM is added to the AWS security group vm-inbound-bypass-sg.
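The following script is an added example of applying the procedure above with the AWS CLI; it is not part of the NSX Cloud documentation or VMware's tooling. It validates each prefix (an IPv4 CIDR or the literal vpc-cidr-block), numbers the nsx:directroute.[n] tags, optionally adds nsx:directinbound=true, and then polls the instance until the bypass security group named in Table 2 appears. The function names, the INSTANCE_ID variable, and the use of curl/jq to pull S3 prefixes from ip-ranges.json are assumptions of this example; the tag keys, values and security group names come from the page.

```shell
#!/bin/sh
# Added example, not VMware's code. Assumes the AWS CLI is configured for the
# account and region of the NSX Cloud-managed VPC and that $INSTANCE_ID names
# an NSX-managed EC2 instance (both assumptions of this example).
set -eu

# Return 0 if $1 is a valid DSR tag value: an IPv4 CIDR or the literal string
# "vpc-cidr-block". Anything else is rejected so that a typo cannot silently
# leave the VM without the intended bypass route.
is_dsr_value() {
  v=$1
  [ "$v" = "vpc-cidr-block" ] && return 0
  echo "$v" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
  ip=${v%/*}
  # Each octet must be 0-255 (the regex only checks the digit count).
  ( IFS=.; set -- $ip; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done ) || return 1
  return 0
}

# Print the AWS CLI --tags arguments for the given prefixes, numbering them
# nsx:directroute.0, nsx:directroute.1, ... in order. Prints nothing and
# returns 1 if any value is invalid.
dsr_tags() {
  n=0
  out=""
  for v in "$@"; do
    is_dsr_value "$v" || { echo "invalid DSR prefix: $v" >&2; return 1; }
    out="$out Key=nsx:directroute.$n,Value=$v"
    n=$((n + 1))
  done
  echo "${out# }"
}

# Tag the instance for DSR. With inbound=true, also add nsx:directinbound=true
# (case-sensitive), which opens the VM to inbound traffic from every prefix
# listed in the directroute tags, so pass only the prefixes the VM needs.
tag_instance_for_dsr() {
  instance=$1; inbound=$2; shift 2
  tags=$(dsr_tags "$@") || return 1
  if [ "$inbound" = "true" ]; then
    tags="$tags Key=nsx:directinbound,Value=true"
  fi
  # $tags is deliberately unquoted: each Key=..,Value=.. must be its own argument.
  aws ec2 create-tags --resources "$instance" --tags $tags
}

# Poll the instance's security groups until the NSX Cloud bypass group appears
# (the page says this takes about a minute). $2 is vm-outbound-bypass-sg or
# vm-inbound-bypass-sg; $3 is the number of 10-second attempts (default 12).
wait_for_bypass_sg() {
  instance=$1; sg=$2; tries=${3:-12}
  while [ "$tries" -gt 0 ]; do
    if aws ec2 describe-instances --instance-ids "$instance" \
         --query 'Reservations[].Instances[].SecurityGroups[].GroupName' \
         --output text | tr '\t' '\n' | grep -qx "$sg"; then
      return 0
    fi
    tries=$((tries - 1)); sleep 10
  done
  echo "$sg not attached to $instance after polling" >&2
  return 1
}

# Current prefixes for an AWS service in a region, from AWS's published list
# (e.g. s3_prefixes us-west-2). Needs curl and jq; network access required.
s3_prefixes() {
  curl -s https://ip-ranges.amazonaws.com/ip-ranges.json |
    jq -r --arg r "$1" '.prefixes[] | select(.service == "S3" and .region == $r) | .ip_prefix'
}

# Usage: only runs when INSTANCE_ID is set, so the functions above can be
# sourced and checked without AWS access. Prefixes are those from Table 1.
if [ -n "${INSTANCE_ID:-}" ]; then
  tag_instance_for_dsr "$INSTANCE_ID" false 54.231.160.0/19 52.218.128.0/17 52.92.32.0/22
  wait_for_bypass_sg "$INSTANCE_ID" vm-outbound-bypass-sg
fi
```

To also allow inbound traffic, call tag_instance_for_dsr with true as the second argument and wait for vm-inbound-bypass-sg instead; the validation step matters because a malformed value is simply not a prefix NSX Cloud can route, and the VM would keep dropping traffic to that service.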