VMware Cloud on AWS – Networking Reference Architecture – 1

VMware Cloud on AWS connectivity to on-premises site using AWS Direct Connect to a virtual private gateway and AWS Site-to-Site VPNs

[Diagram: Customer On-Premises (customer router, ESXi, CGW) connected to the AWS Cloud over AWS Direct Connect (Region A) and Internet-based AWS Site-to-Site VPNs. Region A: Customer VPC A1 (VGW), VMware Cloud on AWS Organization, VMware Cloud on AWS – SDDC A (Connected VPC A; Availability Zone 1 and 2; public and private subnets; NSX Edge, MGW, vCSA, NSX, HCX, SRM, ENI). Region B: VMware Cloud on AWS – SDDC B (Connected VPC B) and Customer VPC B1 (VGW). Direct Connect Gateway (DXGW). Labels: 1 Private VIF; 2 AWS Site-to-Site VPN (over Internet), backup path; 3 Public VIF; 4 AWS Site-to-Site VPN (over Public VIF); 5 Private VIF; 6 Gateway Association Not Supported on SDDC; 7 Gateway Associations (VGW); 8 AWS Site-to-Site VPN (over Internet), backup path.]

1. A private virtual interface (VIF) establishes connectivity to the VMware SDDC A in AWS Region A.

2. The AWS Site-to-Site VPN (over the Internet) provides backup connectivity to the private VIF, giving resilient connectivity to the VMware SDDC A.

3. A public VIF enables access to all AWS public services and endpoints using their public IP addresses.

4. The lack of a Direct Connect instance in Region B creates a design constraint, so a Site-to-Site VPN is established to the VMware SDDC B. This VPN leverages the public VIF from the Direct Connect instance in Region A. Site-to-Site VPNs over a public VIF can also be used to establish a more consistent network experience compared to Internet-based VPNs. Alternatively, redundant Site-to-Site VPNs (not shown) can be established for resiliency.

5. A private VIF to the AWS Direct Connect gateway (DXGW) enables the DXGW to establish on-premises communication to Amazon VPCs in different Regions by associating the DXGW with the virtual private gateways (VGW).

6. The private VIF to the DXGW cannot be used for gateway associations to a VMware SDDC; this feature is not supported on VMware Cloud on AWS (shown in the diagram as "Gateway Association Not Supported on SDDC").

7. Gateway associations can be established between the DXGW and the VGW to enable on-premises communication with Amazon VPCs in multiple Regions.

8. Site-to-Site VPNs are configured as a backup to the DXGW-VGW associations for more resilient connectivity to Amazon VPCs.

Reviewed for technical accuracy May 19, 2021 (8/30/2021)
AWS Reference Architecture
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
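The primary/backup behaviour behind callouts 1, 2, 4, 5 and 8 can be modelled as a route-selection problem: every destination prefix may be learned over a Direct Connect VIF and over a Site-to-Site VPN, and the gateway picks the most specific route, preferring Direct Connect when the prefix lengths tie. The Python below is an added illustration and not code from the AWS reference architecture. The prefixes, path names and the boolean health flag are constructed placeholders; the tie-break (Direct Connect before VPN for an equally specific prefix) follows the route-priority order AWS documents for a virtual private gateway. It also includes an audit that lists destinations reachable over a single path only, which is how the SDDC B design constraint in callout 4 shows up in a review.

```python
"""Path selection and backup-coverage audit for the page-1 design.

Added illustration, not code from the AWS reference architecture. The
prefixes, path names and the boolean health flag are constructed. The
tie-break (Direct Connect before VPN for an equally specific prefix) follows
the route-priority order AWS documents for a virtual private gateway.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Lower value wins when two healthy paths carry the same prefix length.
PATH_PREFERENCE = {"direct_connect": 0, "vpn": 1}


@dataclass
class Path:
    name: str
    kind: str            # "direct_connect" or "vpn"
    prefixes: List[str]  # prefixes learned over this path
    up: bool = True      # constructed health flag (BGP session / tunnel state)


def _covers(path: Path, destination: str) -> Optional[int]:
    """Longest prefix length on this path that contains destination, else None."""
    dst = ip_address(destination)
    lengths = [ip_network(p).prefixlen for p in path.prefixes if dst in ip_network(p)]
    return max(lengths) if lengths else None


def select_path(destination: str, paths: List[Path]) -> Optional[Path]:
    """Longest-prefix match across healthy paths; Direct Connect beats VPN on a tie."""
    best = None
    for p in paths:
        if not p.up:
            continue
        plen = _covers(p, destination)
        if plen is None:
            continue
        key = (plen, -PATH_PREFERENCE[p.kind])
        if best is None or key > best[0]:
            best = (key, p)
    return best[1] if best else None


def single_path_destinations(destinations: List[str], paths: List[Path]) -> List[str]:
    """Destinations that become unreachable if their only healthy path fails."""
    return [d for d in destinations
            if sum(1 for p in paths if p.up and _covers(p, d) is not None) < 2]


# Constructed topology mirroring callouts 1, 2, 4, 5 and 8 (placeholder prefixes):
# SDDC A compute 10.10.0.0/16, SDDC B compute 10.20.0.0/16,
# Customer VPC A1 10.100.0.0/16, Customer VPC B1 10.200.0.0/16.
PATHS = [
    Path("private-vif-sddc-a", "direct_connect", ["10.10.0.0/16"]),        # callout 1
    Path("vpn-sddc-a-internet", "vpn", ["10.10.0.0/16"]),                  # callout 2, backup
    Path("vpn-sddc-b-over-public-vif", "vpn", ["10.20.0.0/16"]),           # callout 4, no DX in Region B
    Path("dxgw-private-vif-vgw", "direct_connect",
         ["10.100.0.0/16", "10.200.0.0/16"]),                               # callouts 5 and 7
    Path("vpn-vpcs-internet", "vpn", ["10.100.0.0/16", "10.200.0.0/16"]),  # callout 8, backup
]


def failover_demo() -> Tuple[str, str]:
    """Selected path to an SDDC A host before and after the private VIF goes down."""
    paths = [Path(p.name, p.kind, list(p.prefixes), p.up) for p in PATHS]
    before = select_path("10.10.5.5", paths).name
    next(p for p in paths if p.name == "private-vif-sddc-a").up = False
    after = select_path("10.10.5.5", paths).name
    return before, after


if __name__ == "__main__":
    print("failover:", failover_demo())
    print("single-path destinations:",
          single_path_destinations(["10.10.5.5", "10.20.1.1", "10.100.1.1"], PATHS))
```

Running the module reports the failover from the private VIF to the Internet VPN for SDDC A, and lists the SDDC B host as the only destination with no second path, which is the gap that the redundant VPNs mentioned in callout 4 would close.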
VMware Cloud on AWS – Networking Reference Architecture – 2

VMware Cloud on AWS connectivity to on-premises site using dual AWS Direct Connect instances with Direct Connect Gateway and AWS Transit Gateway

[Diagram: Customer On-Premises (customer routers, ESXi) connected to AWS Direct Connect (Region A) and AWS Direct Connect (Region B). Direct Connect Gateway (DXGW) with gateway associations to TGW A (Region A) and TGW B (Region B). Region A: Customer VPC A1 (VPC attachment), VMware Cloud on AWS Organization, VMware Cloud on AWS – SDDC A (Connected VPC A; Availability Zone 1 and 2; public and private subnets; CGW, NSX Edge, MGW, vCSA, NSX, HCX, SRM, ENI). Region B: VMware Cloud on AWS – SDDC B (Connected VPC B) and Customer VPC B1. Labels: 1 Private VIF; 2 Transit VIF; 3 Gateway Association; 4 TGW A / TGW B; 5 VPC Attachment(s); 6 Peering Attachment; 7 VPN Attachment.]

1. The private VIF from the AWS Direct Connect instance in Region A establishes connectivity from the on-premises site to the SDDC in Region A. Similarly, the private VIF from the AWS Direct Connect instance in Region B establishes connectivity from the on-premises site to the SDDC in Region B.

2. Dual transit VIFs establish redundant, resilient connectivity from the on-premises site to the DXGW.

3. The DXGW is associated with an AWS Transit Gateway in both Regions to provide on-premises connectivity to Amazon VPCs.

4. The Transit Gateway is a Regional virtual router capable of transitive routing between networks connected to it using the following attachments:
   • VPC attachments
   • VPN attachments
   • DXGW attachments
   • Peering attachments (inter-Region)

5. Amazon VPC attachments enable VPCs to establish communication with other VPCs and networks connected to the Transit Gateway.

6. The Transit Gateway peering attachment enables cross-Region communication between networks connected to Transit Gateway A and Transit Gateway B.

7. The Transit Gateway VPN attachments extend communication between the VPCs and SDDCs in their respective AWS Regions, and also between the compute networks residing on SDDC A and SDDC B over the peering attachment. However, the VPN attachments do not support VMkernel traffic, including ESXi management, vMotion, vSphere Replication, and HCX Interconnects; the SDDCs use the Direct Connect private VIFs to connect to the on-premises site.
VMware Cloud on AWS – Networking Reference Architecture – 3

VMware Cloud on AWS connectivity to on-premises site using Direct Connect Gateway, AWS Transit Gateway, and VMware Transit Connect

[Diagram: Customer On-Premises (customer routers, ESXi) connected to AWS Direct Connect (Region A) and AWS Direct Connect (Region B). Direct Connect Gateway (DXGW) A and B, each with gateway associations to its Region's TGW (TGW A, TGW B) and VTGW (VTGW A, VTGW B). Region A: Customer VPC A1 (VPC attachment), VMware Cloud on AWS Organization, SDDC Group, VMware Cloud on AWS – SDDC A (Connected VPC A; Availability Zone 1 and 2; public and private subnets; CGW, NSX Edge, MGW, vCSA, NSX, HCX, SRM, ENI). Region B: VMware Cloud on AWS – SDDC B (Connected VPC B) and Customer VPC B1. Peering attachments between TGW A and TGW B and between VTGW A and VTGW B. Note in the diagram: "VPC to VPC traffic flow NOT ALLOWED via VTGW". Labels: 1 Transit VIF; 2 Gateway Association; 3 TGW A / TGW B; 4 VTGW A / VTGW B; 5 VPC Attachment(s); 6 VPC Attachment(s); 7 Peering Attachment; 8 Peering Attachment.]

1. Transit VIFs from two separate AWS Direct Connect connections in different Regions are used to establish resilient and fault-tolerant connectivity to AWS Regions A and B.

2. Each DXGW is associated with a Transit Gateway instance and the VMware Transit Connect (VTGW) to provide on-premises connectivity.

3. The Transit Gateway is a Regional virtual router capable of transitive routing between networks connected to it using the following attachments:
   • VPC attachments
   • VPN attachments
   • DXGW attachments
   • Peering attachments (inter-Region)

4. The SDDC group uses a VTGW to provide high-bandwidth, low-latency connectivity between:
   • SDDCs in an SDDC group
   • SDDCs and one or more VPCs
   • SDDCs and on-premises via DXGW
   • SDDCs in other Regions (inter-Region)

5. VPC attachments enable VPCs to establish communication with other VPCs and networks connected to the Transit Gateway.

6. Amazon VPCs use VPC attachments to connect to the VTGW to establish communication with networks connected to the VTGW. However, VPC to VPC communication using a VTGW is not allowed.

7. The Transit Gateway peering attachment enables cross-Region communication between networks connected to Transit Gateway A and Transit Gateway B.

8. The SDDC group enables cross-Region communication between compute and management networks on VTGW A and VTGW B using the VTGW peering attachment.
VMware Cloud on AWS – Networking Reference Architecture – 4

VMware Cloud on AWS connectivity using a Transit VPC to connect AWS Transit Gateway and VMware Transit Connect in the same Region

[Diagram: Customer On-Premises (customer routers, ESXi) connected to AWS Direct Connect (Region A) and AWS Direct Connect (Region B). Direct Connect Gateway (DXGW) A and B, each with gateway associations to its Region's TGW (TGW A, TGW B) and VTGW (VTGW A, VTGW B). Region A: Customer VPC A1 (VPC attachment), Transit VPC A with a VPC attachment to TGW A (5a) and a VPC attachment to VTGW A (5b), VMware Cloud on AWS Organization, SDDC Group, VMware Cloud on AWS – SDDC A (Connected VPC A; Availability Zone 1 and 2; public and private subnets; CGW, NSX Edge, MGW, vCSA, NSX, HCX, SRM, ENI). Region B: Transit VPC B, VMware Cloud on AWS – SDDC B (Connected VPC B) and Customer VPC B1. Peering attachments between TGW A and TGW B and between VTGW A and VTGW B. Labels: 1 Transit VIF; 2 Gateway Association; 3 TGW A / TGW B; 4 VTGW A / VTGW B; 5 Transit VPC; 5a VPC Attachment; 5b VPC Attachment.]

1. Transit VIFs from two separate AWS Direct Connect connections in different Regions are used to establish resilient and fault-tolerant connectivity to AWS Regions A and B.

2. Each DXGW is associated with an AWS Transit Gateway and the VMware Transit Connect (VTGW) to provide on-premises connectivity.

3. The AWS Transit Gateway is a Regional virtual router capable of transitive routing between networks connected to it using the following attachments:
   • VPC attachments
   • VPN attachments
   • DXGW attachments
   • Peering attachments (inter-Region)

4. The SDDC group uses a VTGW to provide high-bandwidth, low-latency connectivity between:
   • SDDCs in an SDDC group
   • SDDCs and one or more VPCs
   • SDDCs and on-premises via DXGW
   • SDDCs in other Regions (inter-Region)

5. Static routes in a Transit VPC are used to enable intra-Region transitive routing between VMware Transit Connect and AWS Transit Gateway in the same Region.
   5a. A VPC attachment connects the AWS Transit Gateway to the Transit VPC. Static routes to the SDDC are configured in the AWS Transit Gateway route tables on this VPC attachment.
   5b. Another VPC attachment connects the VMware Transit Connect to the Transit VPC. Static routes to the Customer VPCs are configured in the VMware Transit Connect route tables on this VPC attachment.
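Callout 5 on page 4 depends on two static routes pointing in opposite directions (5a on the Transit Gateway, 5b on the VMware Transit Connect), and page 3 (callout 6) adds the rule that VPC to VPC traffic must not pass through a VTGW. Both are easiest to check by walking packets through the route tables hop by hop. The Python below is an added illustration for those two passages and is not code from the AWS reference architecture: router names, prefixes and route-table entries are constructed to mirror Region A of the page-4 diagram (TGW A, Transit VPC A, VTGW A, Customer VPC A1, SDDC A), and real Transit Gateway and VTGW tables reference attachment ids rather than the readable names used here. It goes slightly beyond the page by also reporting black holes (a missing 5a/5b route) and forwarding loops, since those are what a misconfigured Transit VPC produces.

```python
"""Hop-by-hop route walk for the Transit VPC design (constructed model).

Added illustration; not code from the AWS reference architecture. Router
names, prefixes and route-table entries are constructed placeholders that
mirror Region A of the page-4 diagram and the page-3 rule that VPC-to-VPC
traffic must not use a VTGW.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Route table: prefix -> next-hop router name, or "local" for a directly
# attached network. Real TGW/VTGW tables carry attachment ids; names are
# used here for readability.
RouteTable = Dict[str, str]


def lookup(table: RouteTable, destination: str) -> Optional[str]:
    """Longest-prefix match; None when no route covers the destination."""
    dst = ip_address(destination)
    matches = [(ip_network(p).prefixlen, nh) for p, nh in table.items()
               if dst in ip_network(p)]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def trace(routers: Dict[str, RouteTable], start: str, destination: str,
          max_hops: int = 8) -> List[str]:
    """Walk the tables from `start` until a router owns the destination.
    Raises ValueError on a black hole (no route) or a forwarding loop."""
    path, cur = [start], start
    while True:
        nh = lookup(routers[cur], destination)
        if nh is None:
            raise ValueError(f"black hole at {cur} for {destination}; path {path}")
        if nh == "local":
            return path
        if nh in path or len(path) >= max_hops:
            raise ValueError(f"loop towards {nh}; path {path}")
        path.append(nh)
        cur = nh


def missing_transit_routes(routers: Dict[str, RouteTable], tgw: str, vtgw: str,
                           transit_vpc: str, sddc_prefixes: List[str],
                           vpc_prefixes: List[str]) -> List[Tuple[str, str]]:
    """Callouts 5a/5b: the TGW must point SDDC prefixes at the Transit VPC
    attachment and the VTGW must point customer VPC prefixes at it."""
    missing = [(tgw, p) for p in sddc_prefixes if routers[tgw].get(p) != transit_vpc]
    missing += [(vtgw, p) for p in vpc_prefixes if routers[vtgw].get(p) != transit_vpc]
    return missing


def vpc_pairs_crossing_vtgw(routers: Dict[str, RouteTable], vpcs: Dict[str, str],
                            vtgws: set) -> List[Tuple[str, str]]:
    """Page-3 rule: flag VPC-to-VPC flows whose path traverses a VTGW.
    `vpcs` maps a VPC router name to a representative host address in it."""
    bad = []
    for src in vpcs:
        for dst, host in vpcs.items():
            if src == dst:
                continue
            try:
                path = trace(routers, src, host)
            except ValueError:
                continue  # unreachable pairs are a different finding, not a VTGW violation
            if any(r in vtgws for r in path):
                bad.append((src, dst))
    return bad


# Constructed Region A topology (page 4). Prefixes are placeholders.
ROUTERS: Dict[str, RouteTable] = {
    "vpc-a1":        {"10.1.0.0/16": "local", "0.0.0.0/0": "tgw-a"},
    "sddc-a":        {"10.10.0.0/16": "local", "0.0.0.0/0": "vtgw-a"},
    # 5a: TGW A route table on the Transit VPC attachment
    "tgw-a":         {"10.1.0.0/16": "vpc-a1", "10.10.0.0/16": "transit-vpc-a"},
    # The Transit VPC's own subnet route table, pointing each side at its attachment
    "transit-vpc-a": {"10.250.0.0/24": "local", "10.10.0.0/16": "vtgw-a",
                      "10.1.0.0/16": "tgw-a"},
    # 5b: VTGW A route table on the Transit VPC attachment
    "vtgw-a":        {"10.10.0.0/16": "sddc-a", "10.1.0.0/16": "transit-vpc-a"},
}


def demo() -> Tuple[List[str], List[str]]:
    """Forward and return paths between Customer VPC A1 and SDDC A compute."""
    return (trace(ROUTERS, "vpc-a1", "10.10.3.3"),
            trace(ROUTERS, "sddc-a", "10.1.7.7"))


def demo_vpc_via_vtgw() -> List[Tuple[str, str]]:
    """Attach a second customer VPC to the VTGW (page 3, callout 6) and show
    that VPC A1 <-> VPC A2 would cross the VTGW, which the design forbids."""
    routers = {k: dict(v) for k, v in ROUTERS.items()}
    routers["vpc-a2"] = {"10.2.0.0/16": "local", "0.0.0.0/0": "vtgw-a"}
    routers["vtgw-a"]["10.2.0.0/16"] = "vpc-a2"
    routers["transit-vpc-a"]["10.2.0.0/16"] = "vtgw-a"
    routers["tgw-a"]["10.2.0.0/16"] = "transit-vpc-a"
    return vpc_pairs_crossing_vtgw(routers, {"vpc-a1": "10.1.7.7", "vpc-a2": "10.2.9.9"},
                                   {"vtgw-a"})


if __name__ == "__main__":
    print("paths:", demo())
    print("VPC pairs crossing a VTGW:", demo_vpc_via_vtgw())
```

Deleting the 5b route from `vtgw-a` makes the return trace from SDDC A raise a black-hole error at the VTGW, which is the symptom of a one-sided Transit VPC configuration; `missing_transit_routes` reports the same gap before any traffic is sent.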