Follow these instructions to deploy PCG in your AWS VPC.

The VPC in which you deploy a PCG can act as a Transit VPC to which other VPCs can connect (known as Compute VPCs). This VPC can also manage VMs and act as a self-managed VPC.

Follow these instructions to deploy a PCG. If you want to link to an existing Transit VPC, see Link to a Transit VPC or VNet.

If you are using AWS Transit Gateway, see Using PCG with AWS Transit Gateway.

Prerequisites

  • Ensure the VPC is connected with your on-prem NSX-T Data Center.
  • Verify that your AWS account is already added into CSM.
  • Verify that the VPC on which you are deploying PCG has the required subnets appropriately adjusted for High Availability: uplink, downlink, and management.

  • Verify that the configuration for your VPC's network ACL includes an ALLOW inbound rule.
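The following pre-flight check is an added example, not VMware's code or part of this guide: it evaluates JSON in the shape returned by `aws ec2 describe-subnets` and `aws ec2 describe-network-acls` to confirm the two prerequisites above, namely that uplink, downlink, and management subnets exist in at least two Availability Zones for HA, and that the VPC's network ACL actually admits inbound traffic from the on-prem range before any deny rule (AWS evaluates NACL entries by ascending rule number, first match wins). The sample data, the convention that each PCG subnet carries a Name tag giving its role, and the on-prem CIDR are all assumptions.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-subnets` output; the
# assumption here is that each PCG subnet carries a Name tag giving its role.
SUBNETS = [
    {"SubnetId": "subnet-0a1", "AvailabilityZone": "us-west-1a", "Tags": [{"Key": "Name", "Value": "uplink"}]},
    {"SubnetId": "subnet-0a2", "AvailabilityZone": "us-west-1a", "Tags": [{"Key": "Name", "Value": "downlink"}]},
    {"SubnetId": "subnet-0a3", "AvailabilityZone": "us-west-1a", "Tags": [{"Key": "Name", "Value": "management"}]},
    {"SubnetId": "subnet-0b1", "AvailabilityZone": "us-west-1b", "Tags": [{"Key": "Name", "Value": "uplink"}]},
    {"SubnetId": "subnet-0b2", "AvailabilityZone": "us-west-1b", "Tags": [{"Key": "Name", "Value": "downlink"}]},
    {"SubnetId": "subnet-0b3", "AvailabilityZone": "us-west-1b", "Tags": [{"Key": "Name", "Value": "management"}]},
    {"SubnetId": "subnet-0c1", "AvailabilityZone": "us-west-1c", "Tags": [{"Key": "Name", "Value": "uplink"}]},
]

# Constructed sample in the shape of one `aws ec2 describe-network-acls` entry.
# Rule 100 admits the (assumed) on-prem range reached over the VGW; 32767 is AWS's implicit deny.
NACL = {"Entries": [
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "10.0.0.0/8"},
    {"RuleNumber": 200, "Egress": False, "Protocol": "6", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
]}

REQUIRED_ROLES = frozenset({"uplink", "downlink", "management"})


def ha_ready_zones(subnets, roles=REQUIRED_ROLES):
    """Return the Availability Zones that hold all three PCG subnets.
    An HA Active/Standby pair needs at least two such zones."""
    roles_by_az = {}
    for s in subnets:
        name = next((t["Value"] for t in s.get("Tags", []) if t["Key"] == "Name"), "")
        roles_by_az.setdefault(s["AvailabilityZone"], set()).add(name)
    return sorted(az for az, names in roles_by_az.items() if roles <= names)


def inbound_verdict(acl, src_ip, port, protocol="6"):
    """Evaluate inbound NACL entries as AWS does: ascending RuleNumber,
    first matching rule wins, and no match at all means deny."""
    src = ipaddress.ip_address(src_ip)
    inbound = sorted((e for e in acl["Entries"] if not e["Egress"]), key=lambda e: e["RuleNumber"])
    for e in inbound:
        if e["Protocol"] not in ("-1", protocol):
            continue
        # IPv6 entries carry Ipv6CidrBlock; a v4 address never matches a v6 network.
        if src not in ipaddress.ip_network(e.get("CidrBlock") or e.get("Ipv6CidrBlock")):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        return e["RuleAction"]
    return "deny"
```

Run `ha_ready_zones(SUBNETS)` against your real describe-subnets output and `inbound_verdict(NACL, <on-prem address>, <port>)` against the ACL associated with the management subnet; fewer than two zones, or a "deny" verdict, means the prerequisite is not met.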

Procedure

  1. Log in to CSM using an account with the Enterprise Administrator role.
  2. Click Clouds > AWS > <AWS_account_name> and go to the VPCs tab.
  3. In the VPCs tab, select an AWS region name, for example, us-west. The AWS region must be the same where you created the compute VPC.
  4. Select a VPC configured for NSX Cloud.
  5. Click Deploy Gateways.
  6. Complete the general gateway details:
    PEM File
      Select one of your PEM files from the drop-down menu. This file must be in the same region where NSX Cloud was deployed and where you created your compute VPC.

      This uniquely identifies your AWS account.

    Manage with NSX Tools
      Leave in the default disabled state to onboard workload VMs in the Native Cloud Enforced Mode. If you want to install NSX Tools on your workload VMs to use the NSX Enforced Mode, enable this option.

    Quarantine Policy on the Associated VPC
      You can only change the Quarantine Policy setting if you choose to manage workload VMs using NSX Tools (NSX Enforced Mode). Quarantine Policy is always enabled in the Native Cloud Enforced Mode.

      Leave this in the default disabled mode when you first deploy PCG. You can change this value after onboarding VMs. See Manage Quarantine Policy in the NSX-T Data Center Administration Guide for details.

    Gateway Connectivity Mode
      The PCG can be accessed from CSM using a public IP address or a private IP address, depending on the connectivity mode between your public cloud and your on-premises NSX-T Data Center installation. If you select Auto Detect, the system attempts to connect with CSM over VGW first and, if that fails, over IGW. If the system cannot connect with CSM, the deployment fails.

      See Impact of on-prem and public cloud connectivity mode on PCG's discovery of CSM for details.

    Instance Type
      Select one of the sizes from the drop-down menu based on your requirements. There are four Instance Type sizes available:
      • Small
      • Medium
      • Large
      • Extra Large
      See NSX Public Cloud Gateway: Architecture and Modes of Deployment for more information on PCG instance types.
      Note: You can enable Firewall features like Application ID, IDPS, and URL Enforcement only on Large and Extra Large PCG deployments. However, in NSX-T Data Center 3.2, Firewall features are available in Tech Preview mode. Use these features only for experimental purposes; VMware does not officially provide support for them.

    Proxy Server
      Select a proxy server to use for internet-bound traffic from this PCG. The proxy servers are configured in CSM. You can select the same proxy server as CSM if one is configured, select a different proxy server from CSM, or select No Proxy Server.

      See (Optional) Configure Proxy Servers for details on how to configure proxy servers in CSM.

    Override AMI ID
      Use this advanced feature to provide a different AMI ID for the PCG from the one that is available in your AWS account.
  7. Click Next.
  8. Complete the Subnet details.
    Enable HA for Public Cloud Gateway
      The recommended setting is Enable, which sets up a High Availability Active/Standby pair to avoid unscheduled downtime.

    Primary gateway settings
      Select an Availability Zone, such as us-west-1a, from the drop-down menu as the primary gateway for HA.

      Assign the uplink, downlink, and management subnets from the drop-down menu.

    Secondary gateway settings
      Select another Availability Zone, such as us-west-1b, from the drop-down menu as the secondary gateway for HA.

      The secondary gateway is used when the primary gateway fails.

      Assign the uplink, downlink, and management subnets from the drop-down menu.

    Public IP on Mgmt NIC
      Select Allocate New IP address to provide a public IP address to the management NIC. You can manually provide the public IP address if you want to reuse a free public IP address.

    Public IP on Uplink NIC
      Select Allocate New IP address to provide a public IP address to the uplink NIC. You can manually provide the public IP address if you want to reuse a free public IP address.

    Click Deploy.
  9. Monitor the status of the primary (and secondary, if you selected it) PCG deployment. This process can take 10-12 minutes.
  10. Click Finish when PCG is successfully deployed.

What to do next

Follow instructions at "Using NSX Cloud" in the NSX-T Data Center Administration Guide.