VMware Cloud on AWS uses VMware NSX-T™ Data Center to create and manage internal SDDC networks and provide endpoints for VPN connections from your on-premises network infrastructure.

SDDC Network Topology

When fully configured, an SDDC on VMware Cloud on AWS includes two internal networks: a management network for hosts and management appliances, and a compute network for workload VMs. An NSX-T Edge appliance provides connectivity between your on-premises networks and VMware Cloud on AWS SDDC networks. The NSX-T Edge appliance routes the traffic to either the management network or the compute network as appropriate. The SDDC has two NSX-T Edge appliances that are configured in active-standby mode for high availability.

The NSX-T Edge appliance includes a management gateway (MGW), a compute gateway (CGW), and a router. The NSX-T Edge appliance also provides access to services, such as a gateway firewall. There are two gateway firewalls, an MGW firewall and a CGW firewall, which provide north-south protection. For east-west protection, there is a distributed firewall across all hosts in the SDDC.

MGW

The MGW in the NSX-T Edge appliance downlinks to the management network and uplinks to the router in the NSX-T Edge appliance. This configuration provides north-south network connectivity for the vCenter Server and other management VMs running in the VMware Cloud on AWS SDDC.

During SDDC creation, the Internet-facing IP address (Public IP #1) is automatically assigned from the pool of AWS public IP addresses. When you create the SDDC on VMware Cloud on AWS, configure the management subnet with a range of IP addresses (CIDR block) that can support the number of ESXi hosts in the SDDC. If you do not configure a range during SDDC creation, the system uses a default of 10.2.0.0/16.

CGW

The CGW in the NSX-T Edge appliance downlinks to the compute network and uplinks to the router in the NSX-T Edge appliance. This configuration provides north-south network connectivity for workload virtual machines running in the SDDC on VMware Cloud on AWS.

In a single-node SDDC, VMware Cloud on AWS creates a default logical network segment (CIDR block 192.168.1.0/24) to provide networking for these VMs. You can use the VMC Console to create additional logical networks.

Router

The router in the NSX-T Edge appliance provides connectivity to the external environment, so all traffic between your on-premises networks and your SDDC on VMware Cloud on AWS passes through this router. The router also connects the MGW and the CGW, so all traffic between the workload VMs and the management components in the VMware Cloud on AWS SDDC also passes through this router. Only VMware cloud administrators can view and manage the router.

The MGW and CGW firewall rules are applied on the uplink interfaces of the router.

AWS Direct Connect

The AWS Direct Connect (DX) service provides a dedicated high-speed, low-latency connection between your on-premises data center and your AWS VPC. You can use DX alone or together with a VPN.

DX is used over a private virtual interface (VIF) to carry workload and management traffic, including VPN and vSphere vMotion traffic, between your on-premises data center and your connected VPC. Use DX over a public VIF to connect to AWS public endpoints, such as EC2 and S3.

You can use a DX connection over a private VIF for all traffic between your on-premises data center and your SDDC on VMware Cloud on AWS. The connection terminates in your connected Amazon VPC, provides a private IP address space, and uses BGP to advertise routes in your SDDC and learn routes in your on-premises data center.

A DX connection over a public VIF is typically used only for traffic between your on-premises data center and public AWS services, which you cannot access over a private VIF. The connection terminates at the AWS region level in the region occupied by your connected Amazon VPC and uses BGP to advertise AWS global routes.

Direct Connect is beneficial but not required for hybrid cloud functionality, and is therefore optional for this VMware Validated Design. Even if a Direct Connect is established, a VPN is still necessary to complete the traffic flow between the VMware Cloud on AWS SDDC and the on-premises SDDC infrastructure.
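As an added example that is not part of this design document, the following Python check tests an SDDC addressing plan against the two constraints stated above: the management CIDR must be large enough for the planned host count, and neither it nor the compute segments may overlap the on-premises prefixes exchanged over DX (BGP) or VPN. The management CIDR and compute segment are the defaults named in this design; the on-premises prefixes and the `addresses_per_host` parameter are constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed addressing plan for illustration. The management CIDR and the
# default compute segment are the values given in this design; the on-premises
# prefixes are made-up examples of routes that would be learned over DX or VPN.
MANAGEMENT_CIDR = "10.2.0.0/16"                      # default management CIDR
COMPUTE_SEGMENTS = ["192.168.1.0/24"]                # default compute segment
ONPREM_PREFIXES = ["10.2.5.0/24", "172.16.0.0/12"]   # constructed examples


def check_management_capacity(mgmt_cidr, host_count, addresses_per_host=1):
    """Return True if the management CIDR holds enough usable addresses.

    'addresses_per_host' is a hypothetical parameter: real per-host consumption
    (vmkernel interfaces plus management appliances) is larger and is given in
    VMware's sizing guidance; set it to the figure for your SDDC size.
    """
    net = ipaddress.ip_network(mgmt_cidr, strict=True)
    usable = net.num_addresses - 2  # exclude network and broadcast addresses
    return usable >= host_count * addresses_per_host


def find_overlaps(prefixes):
    """Return sorted pairs of CIDRs that overlap each other.

    Any overlap between the management CIDR, compute segments and on-premises
    prefixes breaks routing once routes are exchanged over DX (BGP) or VPN.
    """
    nets = {p: ipaddress.ip_network(p, strict=True) for p in prefixes}
    return sorted(
        (a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])
    )


def validate_plan(mgmt_cidr, compute_segments, onprem_prefixes, host_count):
    """Collect human-readable findings for an SDDC addressing plan."""
    findings = []
    if not check_management_capacity(mgmt_cidr, host_count):
        findings.append(f"management CIDR {mgmt_cidr} too small for {host_count} hosts")
    for a, b in find_overlaps([mgmt_cidr, *compute_segments, *onprem_prefixes]):
        findings.append(f"overlap: {a} and {b}")
    return findings


if __name__ == "__main__":
    # With the constructed plan, the on-premises 10.2.5.0/24 collides with the
    # default management CIDR and is reported as a finding.
    for finding in validate_plan(MANAGEMENT_CIDR, COMPUTE_SEGMENTS, ONPREM_PREFIXES, 16):
        print(finding)
```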