This short post will provide some information around leveraging VPN and Direct Connect together with VMware Cloud on AWS.
You might want to read the VMware Cloud on AWS Direct Connect Deep Dive post first if you haven’t already.
Ever since I joined the VMware Cloud on AWS team about 18 months ago, I have been impressed by our product team’s ability to build features based on customer demand (some of the other product teams I have seen in my career have had the tendency to build stuff customers were not necessarily asking for).
Not only that, but we also publish our roadmap publicly.
Here is an example – a few weeks ago, I had one of my customers (an enterprise architect working for a public sector organization in the North West of England) asked me the following question:
Can I use a VPN and a Direct Connect together from the same site to VMware Cloud on AWS and use VPN as a back-up?
Yes, but until our new 1.7 release (came out on 13th May 2019), it wasn’t possible the way you wanted it to be.
If you use a VPN and a Direct Connect from the same site to your VMware Cloud on AWS, what you would ideally want is traffic to go over the Direct Connect primarily and traffic to fail-over to the VPN as a back-up.
Until today, there were some restrictions in the way the service was designed whereby the VPN would take precedence over the Direct Connect, traffic would flow over the VPN and only fail back to the Direct Connect if the VPN were to fail.
With the new VMC release 1.7, it works the way you would expect things to be:
You still need to enable the option in the VMware Cloud on AWS Networking and Security tab, in the Direct Connect section. Note that ESXi and vMotion traffic will always go over Direct Connect regardless or not you toggle this option. This option only applies to ‘data’ traffic.
It takes about a minute to enable:
Then you are good to go!
Enabling this makes Direct Connect the Active circuit and VPN the standby one.
While many customers will get two Direct Connect circuits to provide resiliency (bypassing the need for a back-up VPN), this customer (and I’m sure many more) can’t really afford to have two so having the VPN as a back-up is a good alternative.
Thanks for reading.