An essential advantage of leveraging AWS bare metal to run our VMware software is that it effectively colocates a VMware hypervisor right next to the AWS native services.
We therefore wanted to make sure VMware Cloud on AWS would be directly plugged into the AWS networks.
Aarthi Raju and Haider Witwit from the AWS Partner Team published a great article detailing the connectivity options between VMware Cloud on AWS and native AWS services (see link) – the section below uses some of that content, with some updated screenshots and images.
During the onboarding process, customers have the ability to choose a VPC and the subnets they want to connect to their SDDC cluster.
Customers will also run an AWS CloudFormation template, which creates a cross-account role with a managed policy and grants it to VMware Cloud Management Services. This managed policy allows VMware to perform operations such as creating Elastic Network Interfaces (ENIs) and updating route tables.
Once the role has been created and assigned, VMware Cloud Management Services assumes a role in the customer account and creates ENIs in the subnet the customer chooses. These ENIs are directly attached to the ESXi hosts in the VMware SDDC account.
Of all the attached ENIs, only one of them is in use.
The active Compute Gateway lives on a single ESXi host, and that host determines which ENI is in the active state. This ENI provides the connectivity between the SDDC cluster and the customer VPC.
In the event of a host failure, VMware vMotions the Compute Gateway to a new host and the customer route table is updated to point to the new active ENI. Customers will be able to see these ENIs in their account with a description set to ‘VMware VMC Interface.’
VMware also makes it easy to update customer route tables based on the logical networks that are created. The default route table has updated routes to all customer logical networks, and this paves the way for services running in the VPC to communicate to the logical networks.
Here is a partial view of the route table of the VPC attached to VMware Cloud on AWS. The 192.168.1.0/24, 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24 network segments were created on VMware Cloud on AWS, and the VPC route table is immediately updated with these routes, each with the ENI attached to the CGW as its target.
From a routing perspective, everything is updated automatically, but customers still need the right security group and Network Access Control List (ACL) rules on the AWS side AND the right firewall rules on the CGW before traffic can flow between VMware Cloud on AWS and the customer VPC.
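The ENI and route-table behaviour described above (several ENIs tagged 'VMware VMC Interface', exactly one of them targeted by the routes to the SDDC logical networks) and the security group requirement just mentioned are both things a customer can verify from the AWS side. The script below is an added example, not code from the original post or from VMware: it audits dictionaries shaped like the output of `aws ec2 describe-network-interfaces`, `describe-route-tables` and `describe-security-groups`, reports which VMC ENI is currently active, which SDDC CIDRs are routed through it, and which of those CIDRs no security group ingress rule actually permits. The ENI, subnet, route table and security group identifiers and the 192.168.0.0/20 ingress rule are constructed sample data, not values from a real account; the 192.168.x.0/24 segments are the ones shown in the text.

```python
"""Audit the AWS side of a VMware Cloud on AWS connected VPC.

Added example (not from the original post). Input dictionaries follow the
shape of the corresponding `aws ec2 describe-*` responses; the sample data
at the bottom is constructed for illustration.
"""
import ipaddress

# Description VMware Cloud Management Services sets on the ENIs it creates
VMC_ENI_DESCRIPTION = "VMware VMC Interface"


def vmc_enis(describe_enis):
    """Return {eni_id: availability_zone} for every ENI VMware created."""
    return {
        eni["NetworkInterfaceId"]: eni["AvailabilityZone"]
        for eni in describe_enis["NetworkInterfaces"]
        if eni.get("Description") == VMC_ENI_DESCRIPTION
    }


def routes_via_vmc(describe_route_tables, vmc_eni_ids):
    """Yield (cidr, eni_id) for every active route whose target is a VMC ENI."""
    for table in describe_route_tables["RouteTables"]:
        for route in table["Routes"]:
            eni = route.get("NetworkInterfaceId")
            if eni in vmc_eni_ids and route.get("DestinationCidrBlock") \
                    and route.get("State") == "active":
                yield route["DestinationCidrBlock"], eni


def active_vmc_eni(describe_route_tables, vmc_eni_ids):
    """Return the single VMC ENI the route table points at.

    Only one ENI is active at a time; more than one target means a failover
    left a stale route behind, none means the SDDC routes are missing.
    """
    targets = {eni for _, eni in routes_via_vmc(describe_route_tables, vmc_eni_ids)}
    if len(targets) != 1:
        raise ValueError(f"expected exactly one active VMC ENI, found {sorted(targets)}")
    return targets.pop()


def sddc_cidrs(describe_route_tables, active_eni):
    """SDDC logical-network CIDRs routed through the active ENI, in address order."""
    cidrs = {cidr for cidr, _ in routes_via_vmc(describe_route_tables, {active_eni})}
    return sorted(cidrs, key=ipaddress.ip_network)


def uncovered_by_ingress(cidrs, describe_security_groups):
    """Return the SDDC CIDRs that no security-group ingress IpRange allows."""
    allowed = [
        ipaddress.ip_network(rng["CidrIp"])
        for group in describe_security_groups["SecurityGroups"]
        for perm in group["IpPermissions"]
        for rng in perm.get("IpRanges", [])
    ]
    return [c for c in cidrs
            if not any(ipaddress.ip_network(c).subnet_of(a) for a in allowed)]


def audit(describe_enis, describe_route_tables, describe_security_groups):
    """Combine the checks into one report dictionary."""
    vmc = vmc_enis(describe_enis)
    active = active_vmc_eni(describe_route_tables, vmc)
    cidrs = sddc_cidrs(describe_route_tables, active)
    return {
        "vmc_enis": sorted(vmc),
        "active_eni": active,
        "active_eni_az": vmc[active],  # compare with the SDDC's AZ to avoid cross-AZ charges
        "sddc_cidrs": cidrs,
        "uncovered_cidrs": uncovered_by_ingress(cidrs, describe_security_groups),
    }


# ---- constructed sample data (identifiers are placeholders) ----------------
SAMPLE_ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0aaa", "Description": VMC_ENI_DESCRIPTION,
     "SubnetId": "subnet-0123", "AvailabilityZone": "us-east-1a"},
    {"NetworkInterfaceId": "eni-0bbb", "Description": VMC_ENI_DESCRIPTION,
     "SubnetId": "subnet-0123", "AvailabilityZone": "us-east-1a"},
    {"NetworkInterfaceId": "eni-0ccc", "Description": VMC_ENI_DESCRIPTION,
     "SubnetId": "subnet-0123", "AvailabilityZone": "us-east-1a"},
    {"NetworkInterfaceId": "eni-0ddd", "Description": "Primary network interface",
     "SubnetId": "subnet-0123", "AvailabilityZone": "us-east-1a"},
]}
SAMPLE_ROUTE_TABLES = {"RouteTables": [{"RouteTableId": "rtb-0123", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "192.168.1.0/24", "NetworkInterfaceId": "eni-0bbb", "State": "active"},
    {"DestinationCidrBlock": "192.168.10.0/24", "NetworkInterfaceId": "eni-0bbb", "State": "active"},
    {"DestinationCidrBlock": "192.168.20.0/24", "NetworkInterfaceId": "eni-0bbb", "State": "active"},
    {"DestinationCidrBlock": "192.168.30.0/24", "NetworkInterfaceId": "eni-0bbb", "State": "active"},
]}]}
# One ingress rule covering 192.168.0.0-192.168.15.255 only: two SDDC segments are left out
SAMPLE_SECURITY_GROUPS = {"SecurityGroups": [{"GroupId": "sg-0123", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "192.168.0.0/20"}]},
]}]}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_ENIS, SAMPLE_ROUTE_TABLES, SAMPLE_SECURITY_GROUPS).items():
        print(f"{key}: {value}")
```

With the sample data the report names eni-0bbb as the active interface and lists 192.168.20.0/24 and 192.168.30.0/24 as routed but not permitted by any ingress rule, which is exactly the "routing is fine but traffic still does not flow" situation the paragraph above warns about. Running it against a real account only requires feeding it the JSON from the three `describe-*` calls; NACLs and the CGW firewall rules are a separate check the script does not cover.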
Customers can view details about the connected account from their VMware Cloud on AWS console. Connectivity between the SDDC and VPC will not incur any data egress costs if the ENI created for this service and SDDC are in the same Availability Zones (AZs). If they are in different AZs, you will incur standard data transfer charges.