VMware Cloud on AWS enables customers to have a hybrid cloud platform by running their VMware workloads in the cloud while having seamless connectivity to on-premises and AWS native services. In this session, we do a technical deep dive on SDDC networking and NSX-T's recent announcement on full routing over AWS Direct Connect to enable optimized migrations and cloud extension use cases. We also demonstrate a live vMotion for on-premises workload to VMware SDDC cluster on AWS with minimum to no network distribution over AWS Direct Connect.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Connectivity Options for VMware
Cloud on AWS Software Defined
Data Centers (SDDC)
Haider Witwit
Sr. Solutions Architect
AWS/WWPS
N E T 3 2 1
Humair Ahmed
Sr. Technical Product Manager
VMware/NSBU

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Quick recap of VMware Cloud on AWS
NSX Networking and Security
Connectivity to native AWS Services
Hybrid Connectivity Architectures
Demo

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VMware Cloud on AWS – service overview
AWS Global Infrastructure
VMware Cloud on AWS
Powered by VMware
Cloud Foundation
AWS Global Infrastructure
Customer
Data Center
vSphere vSAN NSX
Operational
Management
Native
AWS
Services
vRealize Suite, ISV ecosystem
vCentervCenter
• VMware Software Defined
Datacenter on dedicated Amazon
EC2 bare metal instances
• Powered by VMware Cloud
Foundation
• Global AWS footprint, reach,
availability
• Full operational consistency with
on-premises vSphere deployments
• Direct access to native AWS
services
Service Highlights
AWS CLI

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Account Structure
VMware Cloud
SDDC account
Is owned, operated, and paid
Private to VMware Cloud
SDDC. Full access to the
A new AWS account to run
Is owned, operated, and
for all

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VMware Software Defined Datacenter (SDDC)
ENI
Subnet2
10.2.2.0/24
Customer VPC AWS Region
Subnet1
10.2.1.0/24
VPC Network 10.2.0.0/16 VPC Network 10.1.0.0/16
Mgmt. Network (Overlay)
192.168.1.0/24
192.168.2.0/24
Compute Network (Overlay)
Router
MGW
IGW
Amazon EC2
Bare Metal
ESXi
vCenter
VGW
VMware VPC
CGW
Customer Managed VMware Managed

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Single AZ SDDC
Customer Managed
Customer VPC
*Logical networks
10.101.1.0/24
10.101.2.0/24
VMware VPC
Host-1
Host-2
Host-3
Availability Zone Availability Zone
CGW
VPC Network 10.100.0.0/16
MGW
VMware Managed
AWS Region

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi-AZ Stretched SDDC
Customer Managed
VMware VPC
Host-1
Host-2
Host-3
Host-4
Host-5
Host-6
Availability Zone Availability Zone
MGW CGW
XMGW CGW
VMware Managed
AWS Region
Availability ZoneAvailability Zone
Customer VPC

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VMware Cloud on AWS - NSX-T SDDC
Similarities to NSX-V SDDC
• Still same MGW and CGW model
• All logical networks automatically connect to CGW
Key Differences to NSX-V SDDC
• MGW and CGW are logical constructs inside edge appliance
• Tier 0 and Tier1 Routers:
* MGW = T1, CGW = T1
* MGW and CGW connected via T0
• DPDK based edge
• Non-NSX Management appliances are on Overlay Segment
VPC Network 10.1.0.0/16
Appliance Mgmt. Network
(Overlay)
192.168.1.0/24
192.168.2.0/24
Compute Network (Overlay)
Router Logical
Switch
MGW
Amazon EC2
Bare Metal
ESXi
vCenter
VMware Managed
IGW
Edge Appliance
CGW

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
GUI layout for NSX-T networking and security
Supported Add-ons:
1. Distributed Firewall
(DFW)
2. Service Insertion
(Futures)
3. Load Balancer (Futures)
Paid Add-Ons
- DFW is free trial initially
- Services will be Enabled via
Paid Add-On in Future

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New features with NSX-T - Security
CGW
Compute Networks (Overlay)
Micro-segmentation with DFW
• Granular stateful firewall at VM level
• Micro-segmentation within the same L2 network or across different
networks
• Can have create multi-tenant environments (no overlapping IPs)
• Can easily isolate networks (Prod, Test, Dev)
• Can easily create DMZ environments
192.168.2.0/24
192.168.1.0/24
 Customers can now migrate workloads to the cloud and get the
same level of security that they have on-prem.

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New features with NSX-T - Security
Grouping Objects
• Create groups based on different matching criteria.
192.168.1.0/24
IP Address
VM Instance
VM Name
Security Tag
Web1 Web2
Drop

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New features with NSX-T - Networking/Connectivity
vCenter
On-Premises
CGW
Compute Networks (Overlay)
Mgmt. Network (Overlay)
Router
MGW
192.168.1.0/24192.168.1.0/2410.3.10.0/24
172.16.10.0/24
Compute Networks
vCenter
Mgmt. Network
VMware Cloud on AWS
SDDC 10.2.0.0/23
VTI 1
172.0.0.2
VTI 1
172.0.0.1
VTI 2
172.1.1.1
VTI 2
172.1.1.2
Route-based IPSec VPN
Entire VPC CIDR advertised
Mgmt Appliance Network
NSX Network Segments
• Single VPN tunnel design
Private and
Public address

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New features with NSX-T - Networking/Connectivity
VGW
DX Location
AWS Direct
Connect
(DX)
Private
VIF
All traffic supported over AWS Direct Connect (DX) Private
VIF
Entire VPC CIDR advertised
Mgmt Appliance Network
NSX Network Segments
vCenter
CGW
Compute Networks (Overlay)
Mgmt. Network (Overlay)
MGW
192.168.1.0/24192.168.1.0/2410.3.10.0/24
VMware Cloud on AWS
SDDC 10.2.0.0/23
On-Premises
172.16.10.0/24
Compute Networks
vCenter
Mgmt. Network Router

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Extending Networks to On-Premises via L2VPN
Compute Networks (Overlay)
MGW
- Gateway is always on-premises for extended networks
Edge Appliance
On-Premises
10.3.20.0/24
Compute Networks
vCenter
Mgmt. Network
CGW
AWS Direct Connect
(DX)
VLAN or NSX VXLAN
Backed Networks
GW: 10.3.20.254
L2VPN
OVA
Tunnel ID = 50
Tunnel ID = 50
WEB
10.3.20.0/24
GW: 10.3.20.254
VMware Cloud on AWS
Router

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New features with NSX-T - Networking/Connectivity
vCenter
CGW
Compute Networks (Overlay)
Mgmt. Network (Overlay)
Router
MGW
192.168.1.0/24192.168.1.0/2410.3.10.0/24
SDDC 10.2.0.0/16
Connectivity from Compute to Management network
Local routing between Compute and vCenter Management networks
VMware Cloud on AWS

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New features with NSX-T - Networking/Connectivity
Router
192.168.1.0/24192.168.1.0/24
10.3.10.0/24
SDDC 10.2.0.0/16
vCenter Management Network access from connected VPC
ENI
Subnet2 Subnet1
VPC 10.1.0.0/16
Customer connected VPC
Management Workloads
Compute Networks (Overlay)
Mgmt. Network (Overlay)
VMware Cloud on AWS
CGW
MGW

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New features with NSX-T - Operations
10.3.20.0/24
10.3.10.0/24
Port Mirroring and IPFIX
VPC 10.1.0.0/16
Subnet2 Subnet1
Customer connected VPC VMware Cloud on AWS
Compute Networks (Overlay)
ENI
Router
MGW

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New features with NSX-T
Other new features:
• Network Segment
Creation from Console
• Multiple DNS Zones
• Role Based Access
Control (RBAC)
• NSX-T APIs
- Public and Private
Endpoints

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security considerations for connectivity between
workloads, connected VPC, and on-prem
CGW FW Rules
InternetDirect
Connect
Customer
Native
AWS VPC
VPN
LS
LS
MGW
CGW
LS
Management
vCenter
Monitoring
App
LS
Workloads
Router
Default Route to T0
MGW FW Rules
Allow

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Internet access and security
Internet LS
LS
MGW
CGW
LS
Management
LS
Workloads
DNAT
EdgeFW
Routing
SNAT
EdgeFW

Routing Web
- All VMs already have SNAT and
Internet access by default
- Can also configure DNAT for incoming
traffic
Use natted private IPs when configuring Edge and DFW rules
vCenter
Router

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Services access models
Private
VPC Gateway Endpoints
VPC Interface Endpoints (PrivateLink powered)
Service endpoints within a customer managed VPC
Public
Direct access to public endpoints

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Services access models
Private
VPC Gateway Endpoints
VPC Interface Endpoints (PrivateLink powered)
Service endpoints within a customer managed VPC
Public
Direct access to public endpoints

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Services access models
Private
VPC Gateway Endpoints
VPC Interface Endpoints (PrivateLink powered)
Service endpoints within a customer managed VPC
Public
Direct access to public endpoints

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Gateway Endpoint - Amazon S3
Amazon S3
S3
endpoint
192.168.1.0/24
192.168.2.0/24
Router
ESXi
VMware Managed
IGW
Customer Managed
ENI
Subnet2
10.2.2.0/24
Customer VPC
Subnet1
10.2.1.0/24
VPC Network 10.2.0.0/16
VMware VPC
VPC Network 10.1.0.0/16
Manag. Network (Overlay)
Compute Network (Overlay)
MGW
Amazon EC2
Bare Metal
vCenter
CGW

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Gateway Endpoints
VPC Interface Endpoints (PrivateLink powered)
Service endpoints within a customer managed VPC
AWS Services access models
Public
Direct access to public endpoints
Private

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What services can be accessed using PrivateLink?
• AWS Services:
• Amazon CloudWatch Logs
• AWS CodeBuild
• Amazon EC2 API
• Elastic Load Balancing API
• AWS Key Management Service
• Amazon Kinesis Data Streams
• AWS Service Catalog
• Amazon SNS
• AWS Systems Manager
• And more…
• Endpoint services hosted by other AWS accounts
• Supported AWS Marketplace partner services

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS PrivateLink overview
ENI
Customer VPCService VPC
Interface
endpoint
Service Provider
NLB
Consumer
CGW
192.168.1.0/24
192.168.2.0/24
Compute Network (Overlay)
AWS Region
Router
VMware VPC
ssm.us-east-1.amazonaws.com
Route 53
Resolver
10.1.0.11
10.1.1.11
VPC Network 10.1.0.0/16
AWS
Systems
Manager
VPC .2 resolver
DNS
forwarder
Consumer

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Gateway Endpoints
VPC Interface Endpoints
Service endpoints within a customer managed VPC
Private
AWS Services access models
Public
Direct access to public endpoints

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Services within a customer managed VPC
Customer Managed
RDS
CGW
192.168.1.0/24
192.168.2.0/24
Compute Network (Overlay)
Router
VMware Managed
ENIfile share
EFS

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Customer Managed
ENI
Connected VPC
WorkSpaces
Workspaces VPC
AWS Managed
eth1
eth0
user
PCoIP
(SSL)
Internet
Data
AWS Direct Connect (DX)
On-Premises
CGW
192.168.1.0/24
192.168.2.0/24
Compute Network
(Overlay)
Router
VMware VPC
VMware Managed
AWS Services within a customer managed VPC

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Application protection using Amazon ALB
Customer Managed
CGW
192.168.1.0/24
192.168.2.0/24
Compute Network (Overlay)
Router
VMware Managed
ENI
WAF
Visitor
Shield
ALBIGW
IP Target Group
• 192.168.1.10
• 192.168.1.11

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ENI
ENIVPC1
Shared
Services
VPC2
DXGW
VGW
VGW
VGW
AWS Region
AWS DX Router
Design Architectures
CGW
192.168.1.0/24
Router
MGW
vCenter
SDDC1
Management Network
Compute Networks
VGW
172.16.0.0/24
vCenter
Management NetworkCompute Networks
On-Premises
AWS Direct Connect (DX)
Customer Router
CGW
192.168.2.0/24
Router
MGW
vCenter
SDDC2
Management Network
Compute Networks
VGW
Requirements
1. Connect SDDC1 to
On-Premises
2. Connect SDDC1 to
the Shared
Services VPC
3. Provide similar
connectivity for
SDDC2
4. Connect SDDC1
with SDDC2
5. Connect all VPCs
to On-Premises
6. Connection
resiliency – no SPF.
Peering
Peering

38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ENI
ENIVPC1
VPC2
VGW
VGW
VGW
AWS DX Router
Design Architectures - Resiliency
CGW
192.168.1.0/24
Router
MGW
vCenter
Management Network
Compute Networks
VGW
172.16.0.0/24
vCenter
Management NetworkCompute Networks
On-Premises
Customer Router
CGW
192.168.2.0/24
Router
MGW
vCenter
Management Network
Compute Networks
VGW
Requirements
6. Connection
resiliency – no SPF.
AWS Direct Connect (DX)
SDDC1
SDDC2
DXGW
AWS Region
Shared
Services
Peering
Peering

39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VGW
Design Architectures - Resiliency
CGW
192.168.2.0/24
Router
MGW
vCenter
Management Network
Compute Networks
Pub. IP1
Pub. IP2
VGW
CGW
192.168.1.0/24
Router
MGW
vCenter
Management Network
Compute Networks
Requirements
6. Connection
resiliency – no SPF.
SDDC2
SDDC1
Shared
Services

40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ENI
ENI
VGW
VGW
VGW
AWS DX Router
Design Architectures - Resiliency
CGW
192.168.1.0/24
Router
MGW
vCenter
Management Network
Compute Networks
VGW
172.16.0.0/24
vCenter
Management NetworkCompute Networks
On-Premises
Customer Router
CGW
192.168.2.0/24
Router
MGW
vCenter
Management Network
Compute Networks
VGW
Requirements
6. Connection
resiliency – no SPF. VPC1
VPC2
AWS Direct Connect (DX)
SDDC1
SDDC2
DXGW
AWS Region
Shared
Services
Peering
Peering

41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS DX Router
Design Architectures - Encryption
172.16.0.0/24
vCenter
Management NetworkCompute Networks
On-Premises
Customer Router
CGW
192.168.2.0/24
Router
MGW
vCenter
Management Network
Compute Networks
VGW
CGW
192.168.1.0/24
Router
MGW
vCenter
Management Network
Compute Networks
VGW
DX Private VIF
Requirements
6. Connection
resiliency – no SPF.
7. Encrypt
connectivity to On-
Premises
Private IP of
NSX edge
AWS Direct Connect (DX)
SDDC1
SDDC2AWS Region

42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS DX Router
Design Architectures - Encryption
172.16.0.0/24
vCenter
Management NetworkCompute Networks
On-Premises
Customer Router
CGW
192.168.2.0/24
Router
MGW
vCenter
Management Network
Compute Networks
CGW
192.168.1.0/24
Router
MGW
vCenter
Management Network
Compute Networks
VPC1
VPC2
VGW
VGW
VGW
ENI
ENI
Requirements
6. Connection
resiliency – no SPF.
7. Encrypt
connectivity to On-
Premises
8. Scalability
DX Public VIF
Public IP of
NSX edge
AWS Direct Connect (DX)
SDDC1
SDDC2AWS Region
Shared
Services

43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Design Architectures
172.16.0.0/24
vCenter
Management NetworkCompute Networks
On-Premises
Customer Router
CGW
192.168.2.0/24
Router
MGW
vCenter
Management Network
Compute Networks
CGW
192.168.1.0/24
Router
MGW
vCenter
Management Network
Compute Networks
VPC1
VPC2
VGW
VGW
VGW
ENI
ENI
Requirements
6. Connection
resiliency – no SPF.
7. Encrypt
connectivity to On-
Premises
8. Scalability
Transit VPC
AWS Direct Connect (DX)
SDDC1
SDDC2AWS Region
Shared
Services

44. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ENI
ENI
VGW
Design Architectures
CGW
192.168.1.0/24
Router
MGW
vCenter
Management Network
Compute Networks
CGW
192.168.2.0/24
Router
MGW
vCenter
Management Network
Compute Networks
VPC1
VPC2
SDDC1
SDDC2AWS Region
Requirements
6. Connection
resiliency – no SPF.
7. Encrypt
connectivity to On-
Premises
8. Scalability (Bonus)
NLB Shared
Services
PL endpoint
PL endpoint
Peering
Peering

45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

46. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Related breakouts
Monday, Nov 26
CMP305-R – [REPEAT] VMware Cloud on AWS: Deep Dive
6:15 PM - 7:15 PM | Venetian, Level 3, Murano 3205
Monday, Nov 29
ENT215-R1 - [REPEAT1] Top Strategic Priorities You Can Tackle
with VMware Cloud on AWS
2:30 PM - 3:30 PM | Venetian, Level 3, San Polo 3405.
Monday, Nov 26
GPSTEC307 - Storage Deep Dive and Data Protection with
VMware Cloud on AWS
4:45 PM - 5:45 PM | MGM, Level 3, Premier Ballroom 319

47. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Humair Ahmed
Sr. Technical Product Manager
hahmed@vmware.com
Haider Witwit
Sr. Solutions Architect
Haiderw@amazon.com

48. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.