VMware Cloud (VMC) on AWS is a joint solution developed by VMware and AWS to facilitate hybrid cloud operations, either by extending customer data centres or by facilitating migration from on-prem to cloud. The solution consists of a single Software Defined Data Centre (SDDC), or a group of them, running on AWS bare metal EC2 instances inside a Virtual Private Cloud (VPC) owned and managed by VMware. This SDDC can extend the on-premises data centre as well as connect to another VPC owned and maintained by the customer. Hence the SDDC can integrate easily with the native AWS services deployed inside the customer VPC.
In this post, we will briefly touch on the SDDC in VMC on AWS. Next, we will dive into the details of how it can integrate with native AWS services, using the example of a web server hosted in the SDDC that uses an RDS database running in a customer VPC.
What is an SDDC in VMware Cloud on AWS?
As briefly touched on in the intro, VMware Cloud on AWS is a solution built jointly by VMware and AWS to allow customers to extend their data centres to support a hybrid cloud operating model, as well as to migrate their workloads into the AWS cloud. The solution consists of a Software Defined Data Centre that runs within a VPC owned and managed by VMware. The customer creating the SDDC has no control over the configuration of this VPC. It is then possible to connect this VPC to an on-premises customer data centre via a Virtual Private Network (VPN), AWS Direct Connect, or both, with the VPN acting as the backup. It can also connect to other VPCs owned and operated by the customer via an Elastic Network Interface (ENI), which offers a high-bandwidth, low-latency connection. If the SDDC VPC and the customer VPC are in the same AZ, there are no charges for traffic between the two VPCs. The traffic flowing via the ENI can be controlled by Compute Gateway (NSX Edge) firewall rules on the SDDC side and by security groups in the customer VPC.
It is quite likely that multiple SDDCs need to consume native AWS services. Inter-SDDC connectivity and VPC connectivity is provided by VMware Transit Connect, a VMware-managed transit gateway. Inter-SDDC connectivity is beyond the scope of this article.
Since VMC on AWS sits on the AWS global infrastructure, it integrates tightly with the native AWS services, as depicted in the diagram below:
In this article, we only consider connectivity via the ENI; connectivity through VMware Transit Connect is out of scope.
Many practical use cases require connectivity between a VMC SDDC and native AWS services. For the purpose of this article, we consider a web server hosted in the VMC SDDC that connects to an RDS database hosted in a customer VPC. To minimise cross-AZ traffic charges, it is recommended to have both the SDDC and the customer VPC within the same AWS AZ.
In the diagram above, the web server resides in the compute segment, which is a logically separated network within the SDDC, fronted by a Compute Gateway (CG) that is protected by its own firewall. The edge device is the entry point into the SDDC and is protected by a gateway firewall. The management gateway is the entry point to the SDDC management components such as vCenter, NSX and HCX. The details of these components are beyond the scope of this article and are not discussed here.
To allow communication between the SDDC and the connected VPC, we need to allow traffic through the ENI. The ENI terminates in the SDDC at the Compute Gateway (NSX Edge). Hence we need to configure NSX firewall rules to allow traffic from the ENI; by default no ENI traffic can enter the SDDC. On the AWS side, security groups control the flow of traffic to the AWS services.
Enabling Traffic from Connected VPC to SDDC
For the web server to be able to talk to the RDS instance, we need to make some changes to the gateway firewall rules. Moreover, the web server also needs a publicly routable IP address. This is done by requesting a public IP address, which VMC provisions from AWS, and configuring NAT for address translation.
For most purposes, it makes sense to group the VMs in the SDDC so that firewall rules can be applied to the group. For this post, however, we are using a single VM as the web server in the compute segment, so we do not need to create any groups.
Next, we need to create a rule in the gateway firewall to allow bidirectional traffic between the connected VPC and the web server. Since no traffic can enter the SDDC unless explicitly allowed, we also need to add a rule to make the web server publicly accessible. To achieve this, we add rules to the Compute Gateway under the Gateway Firewall settings. These options are available under the Networking and Security tab in the SDDC console.
[Table 1 (layout lost in extraction): each rule has an Enable/Disable Rule switch; the rules for the connected VPC reference the Connected VPC prefixes group.]
Table 1. Gateway firewall rules to allow connectivity between RDS in the customer VPC and the SDDC.
Once the above rules are published, they come into effect immediately.
The next step is to request a public IP address for the web server and enable NAT translation. The private IP address of the web server can be found in vCenter. The public IP can then be requested from the Networking and Security settings of the SDDC. Finally, under the same settings, there is an option to configure NAT. You will need to create a new NAT rule, and optionally enable logging for it. The NAT rule looks like this:
[Table 2 (layout lost in extraction): Public IP = <public IP from previous step>; Internal IP = <Internal IP of webserver>; Match = Internal Address.]
Table 2. Enabling NAT for the web server.
Enabling Traffic from Connected SDDC into RDS
This setup is also straightforward. All you need to do is update the security group for RDS to allow traffic from the SDDC. The settings should look like the tables below:
[Table 3 (layout lost in extraction): security group inbound rule with source <External IP of Webserver>.]
Table 3. Security group inbound rule.
[Table 4 (layout lost in extraction): security group outbound rule.]
Table 4. Security group outbound rule.
Test and Validation
It is simple to test the setup. Access the web server using its public IP address; if it can fetch data from the database, connectivity is established. If it does not work, there are a few things you can do to troubleshoot:
- Check the NAT mapping to make sure the private IP of the web server is mapped to the public IP.
- Check the network ACL on the connected VPC to ensure no rule is blocking the traffic.
- The network path followed is compute network segment >> Compute Gateway >> SDDC Edge >> connected VPC. If traceroute traffic is allowed on all the firewalls along this route, and the VPC network ACL does not block it, verify network connectivity using traceroute. In most cases it is one of the firewalls that is not configured to allow the traffic.
- Finally, if traceroute is not allowed, check the firewall rule logs at each of the hops listed above.
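As an added example (not from the original post), the following Python script audits the AWS-side controls described above offline: it evaluates the RDS security group the way AWS does (allow-only, any match admits the flow) and the connected VPC's network ACL the way AWS does (ordered, first match wins, default deny) for the web server's NAT public IP on the database port. The addresses, port and rule sets are constructed placeholders in the shape of `aws ec2 describe-security-groups` / `describe-network-acls` output, not values from the post.

```python
"""Offline audit of the AWS-side rules this post configures: the RDS security group
must admit the web server's NAT public IP on the database port and the connected VPC's
network ACL must not block it. Data is constructed in the shape of `describe-*` output."""
import ipaddress

WEB_SERVER_PUBLIC_IP = "203.0.113.10"  # placeholder for the NAT public IP (Table 2)
DB_PORT = 3306                         # placeholder RDS listener port
# Constructed IpPermissions: a tight /32 rule plus a world-open rule left from testing.
SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
# Constructed inbound NACL entries: Protocol "6" is TCP, "-1" is all traffic, and
# rule 32767 is the implicit catch-all deny that the console shows as "*".
NACL_INBOUND = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3306, "To": 3306}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]

def sg_matches(rules, src_ip, port, proto="tcp"):
    """Security groups are allow-only and stateful: return every CIDR admitting src_ip:port."""
    ip, hits = ipaddress.ip_address(src_ip), []
    for r in rules:
        if r["IpProtocol"] not in (proto, "-1"):
            continue
        if r["IpProtocol"] != "-1" and not r["FromPort"] <= port <= r["ToPort"]:
            continue
        hits += [x["CidrIp"] for x in r.get("IpRanges", [])
                 if ip in ipaddress.ip_network(x["CidrIp"])]
    return hits

def nacl_verdict(entries, src_ip, port, proto="6"):
    """Network ACLs are stateless and ordered: lowest matching RuleNumber wins, else deny."""
    ip = ipaddress.ip_address(src_ip)
    for e in sorted(entries, key=lambda x: x["RuleNumber"]):
        pr = e.get("PortRange")  # absent when Protocol is "-1"
        if e["Protocol"] not in (proto, "-1") or (pr and not pr["From"] <= port <= pr["To"]):
            continue
        if ip in ipaddress.ip_network(e["CidrBlock"]):
            return e["RuleAction"], e["RuleNumber"]
    return "deny", None

def audit(sg_rules, nacl_entries, src_ip, port):
    hits = sg_matches(sg_rules, src_ip, port)
    action, rule = nacl_verdict(nacl_entries, src_ip, port)
    return {"sg_allows": bool(hits), "nacl_action": action, "nacl_rule": rule,
            "sg_world_open": any(ipaddress.ip_network(c).prefixlen == 0 for c in hits)}
```

Because network ACLs are stateless, the return traffic on ephemeral ports needs a matching outbound entry as well; the same `nacl_verdict` call against the outbound entries covers that check.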
In this post we discussed how to integrate native AWS services with the SDDC. A web server running within the SDDC was enabled to connect to a database hosted within a subnet in a connected VPC outside the SDDC. It is worth noting that although native AWS services running in the connected VPC can be accessed by VMs running in the SDDC, this setup does not allow VMs on an extended L2 network to consume native AWS services via the method discussed in this post. That setup is beyond the scope of this article.
If you are considering adopting AWS or migration of existing data centres to VMC on AWS or already using it, please reach out to us to know more about how we can help.