Before you undertake any network design, you must always consider the business requirements and use cases. Your chosen network design will be largely influenced by the chosen use cases.
You must ask yourself:
- Do I need to stretch networks? Do I need to maintain the same IP address?
- Do I need a Direct Connect?
- Where are applications accessed from?
- What is the North-South security policy?
- Do I need a centralized security policy? Do I need to inspect all traffic coming to/from the Internet from a single point?
- How will I operate it and which tools should I use?
Below is a summary of best practices for the networking concepts of VMware Cloud on AWS:
- Identify which use case is relevant for you and leverage the appropriate network tools.
- Leverage a simple IPsec VPN if you don’t need to stretch networks.
- If you need to stretch a network, ask yourself whether it’s for temporary purposes (migration) or for a permanent scenario. Remember that the default gateway stays on-premises while a network is stretched between on-premises and the Cloud.
- Prefer Route-Based VPN to Policy-Based VPN.
- Set up multiple route-based VPNs for resilience.
- Leverage the Distributed Firewall to create a DMZ within your VMware Cloud on AWS infrastructure.
- Build a Zero-Trust Security Policy (deny all by default and only allow the traffic flows that are required).
- Use a Direct Connect if possible.
- Use multiple Direct Connect links for resilience.
- Prefer a Private VIF over a Public VIF.
- Leverage HCX to swiftly migrate DCs with minimal effort.
- Leverage the connection between the VMware Cloud on AWS SDDC and native AWS services via the ENI, as it provides a free-of-charge, low-latency and high-throughput link. This is typically used to store VM backups in S3 buckets.
- Take egress data costs into consideration in your cloud budget.
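As an added example (not code from the original page or from VMware), the following Python model illustrates the DMZ and Zero-Trust items above: a first-match rule evaluator in the style of a distributed firewall, plus a linter that checks whether a rule set actually denies by default. The group names, address ranges and rule names are invented for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed, simplified model of a distributed-firewall rule set. Rules are
# evaluated top to bottom and the first match wins. Group names and address
# ranges are invented for this example, not taken from any real SDDC.
GROUPS = {"dmz-web": ["10.10.1.0/24"], "app-tier": ["10.10.2.0/24"],
          "db-tier": ["10.10.3.0/24"], "any": ["0.0.0.0/0"]}

@dataclass
class Rule:
    name: str
    src: str                                  # source group name
    dst: str                                  # destination group name
    ports: set = field(default_factory=set)   # empty set means any port
    action: str = "ALLOW"                     # ALLOW or DROP

def in_group(ip, group):
    return any(ip_address(ip) in ip_network(cidr) for cidr in GROUPS[group])

def evaluate(rules, src_ip, dst_ip, port):
    """Return (action, rule name) of the first matching rule; no match is an implicit DROP."""
    for r in rules:
        if in_group(src_ip, r.src) and in_group(dst_ip, r.dst) and (not r.ports or port in r.ports):
            return r.action, r.name
    return "DROP", "<implicit-deny>"

def lint_zero_trust(rules):
    """Flag deviations from deny-by-default: broad allows and a missing final deny."""
    findings = []
    for r in rules:
        if r.action == "ALLOW" and r.src == "any" and r.dst == "any":
            findings.append(f"{r.name}: allows any->any")
        elif r.action == "ALLOW" and not r.ports:
            findings.append(f"{r.name}: allows every port, restrict to required services")
    last = rules[-1] if rules else None
    if not (last and last.src == "any" and last.dst == "any" and last.action == "DROP"):
        findings.append("rule set does not end with an explicit any->any DROP")
    return findings

# Constructed zero-trust policy: Internet -> DMZ web on 443 only, web -> app on
# 8443, app -> DB on 5432, everything else explicitly dropped.
ZERO_TRUST_RULES = [
    Rule("inet-to-web", "any", "dmz-web", {443}),
    Rule("web-to-app", "dmz-web", "app-tier", {8443}),
    Rule("app-to-db", "app-tier", "db-tier", {5432}),
    Rule("default-deny", "any", "any", action="DROP"),
]
# The same tiers written allow-first, for contrast; the linter reports both problems.
PERMISSIVE_RULES = [Rule("web-db-block", "dmz-web", "db-tier", action="DROP"), Rule("allow-all", "any", "any")]
```

Running `evaluate(PERMISSIVE_RULES, "203.0.113.5", "10.10.3.10", 5432)` shows why the allow-first layout fails: the Internet reaches the database tier directly because only one specific path was blocked.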