Deployment of an SDDC in VMC on AWS has dependencies on the VPC, AWS account, subnets, and Elastic IPs.

AWS VPC Configuration and Availability Requirements

The VPC, subnet, and AWS account you use must meet several requirements:

  • The subnet must be in an AWS Availability Zone (AZ) where VMware Cloud on AWS is available.

  • The subnet must exist in the connected AWS account. It cannot be one owned by and shared from another account.

  • The AWS account being linked must have sufficient capacity to create a minimum of 17 ENIs per SDDC in each region where an SDDC is deployed.

    Although you cannot provision more than 16 hosts in a vSphere Cluster, SDDC operations including planned maintenance and Elastic DRS can require temporarily adding as many as 16 more hosts. For this reason, it is recommended to use an AWS account that has sufficient capacity for 32 ENIs per SDDC.

  • It is recommended to dedicate a /16 CIDR block to each SDDC and not use that subnet for any other AWS services or EC2 instances.

  • Any VPC subnets on which AWS services or instances communicate with the SDDC must be associated with the main route table of the connected VPC.

  • If necessary, you can link multiple SDDCs to a VPC if the VPC subnet used for ENI connectivity has a large enough CIDR block to accommodate them. Because all SDDCs in a VPC use the same main route table, make sure that network segments in those SDDCs do not overlap with each other or the VPC's primary CIDR block. Workload VMs on routed SDDC networks can communicate with all subnets in the VPC's primary CIDR block but are unaware of other CIDR blocks that might exist in the VPC.
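The ownership, ENI capacity, and CIDR overlap requirements above can be checked before linking. The following Python sketch is an added example, not VMware or AWS code. The function name `preflight`, its parameters, and all account IDs, CIDRs, and SDDC names are assumptions made for illustration, and the ENI headroom figure is assumed to be supplied by the caller.

```python
"""Pre-flight check for linking SDDCs to one connected VPC (added example).
All account IDs, CIDRs and SDDC names below are constructed sample values."""
from ipaddress import ip_network
from itertools import combinations

MIN_ENIS_PER_SDDC = 17          # minimum stated in the requirements above
RECOMMENDED_ENIS_PER_SDDC = 32  # headroom for maintenance and Elastic DRS


def preflight(linked_account, subnet_owner, vpc_primary_cidr, sddc_segments, eni_headroom):
    """Return a list of findings; an empty list means every check passed.

    sddc_segments: {sddc_name: [segment CIDR, ...]} (hypothetical input shape)
    eni_headroom:  ENIs the linked account can still create in the region
    """
    findings = []
    # The subnet must exist in the connected account, not be shared into it.
    if subnet_owner != linked_account:
        findings.append("FAIL subnet is owned by another account (shared subnets are not allowed)")

    count = len(sddc_segments)
    if eni_headroom < MIN_ENIS_PER_SDDC * count:
        findings.append(f"FAIL ENI headroom {eni_headroom} < minimum {MIN_ENIS_PER_SDDC * count}")
    elif eni_headroom < RECOMMENDED_ENIS_PER_SDDC * count:
        findings.append(f"WARN ENI headroom {eni_headroom} < recommended {RECOMMENDED_ENIS_PER_SDDC * count}")

    vpc = ip_network(vpc_primary_cidr)
    nets = [(name, ip_network(c)) for name, cidrs in sddc_segments.items() for c in cidrs]
    # All SDDCs share the VPC's main route table, so no segment may overlap
    # the VPC primary CIDR ...
    for name, net in nets:
        if net.overlaps(vpc):
            findings.append(f"FAIL {name} {net} overlaps VPC primary CIDR {vpc}")
    # ... or any other segment routed through that table.
    for (n1, a), (n2, b) in combinations(nets, 2):
        if a.overlaps(b):
            findings.append(f"FAIL {n1} {a} overlaps {n2} {b}")
    return findings


if __name__ == "__main__":
    # Constructed sample: two SDDCs linked to one VPC.
    sample = {"sddc-a": ["10.10.0.0/24", "10.10.1.0/24"],
              "sddc-b": ["10.10.1.128/25", "172.31.4.0/24"]}
    for line in preflight("111111111111", "111111111111", "172.31.0.0/16", sample, 40):
        print(line)
```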

AWS Elastic IP Requirements

Every SDDC consumes at least 4 AWS Elastic IP (EIP) addresses that are not displayed on the VMC Console. These EIPs are required for core SDDC operations. Here's a summary of how these core EIPs are used in a new SDDC:

Table 1. Core EIP Usage




Provides VMware support with access to your SDDC.

Management Gateway (MGW) SNAT

Provides the SNAT address for traffic egressing the MGW to the Internet.

Compute Gateway (CGW) SNAT

Provides the default SNAT address for traffic egressing the CGW to the Internet.

vCenter Server Public IP

Provides the IP address used for vCenter Server when the vCenter FQDN is set to Public IP. This EIP is always consumed, even if the vCenter Server FQDN is configured to resolve to a Private IP.