
VMware Transit Connect & AWS Transit Gateway

VMware Managed Transit Gateway (VTGW) with a native AWS Transit Gateway (TGW)



VMware Cloud on AWS uses NSX-T to create and manage SDDC networks

The VMware Cloud on AWS Networking and Security guide explains how to use the VMC Console Networking & Security tab to manage your SDDC networks. NSX Manager supports a superset of the features found on that tab. The NSX Manager in your VMware Cloud on AWS SDDC is accessible at a public IP address reachable by any browser that can connect to the Internet; you can also reach it from your internal network over a VPN or AWS Direct Connect, which keeps management traffic off the public Internet.

User interface layout and navigation in the NSX Manager web UI are similar to those of the VMC Console Networking & Security tab, and you can use either tool to complete most of the procedures in this document. The Networking & Security tab combines NSX networking features such as VPN, NAT, and DHCP with NSX-T security features such as firewalls. When a procedure requires NSX Manager, the prerequisites for that procedure say so.



SDDC Network Topology


When you create an SDDC, it includes a Management Network. Single-host trial SDDCs also include a small Compute Network. You specify the Management Network CIDR block when you create the SDDC; it cannot be changed after the SDDC has been created, so choose a range that does not overlap any network you will later connect to it (the connected VPC, on-premises networks, or VPCs attached to a peered TGW).


Appliance Subnet

This subnet is used by the vCenter Server, NSX-T, and HCX appliances in the SDDC. When you add appliance-based services such as SRM to the SDDC, they also connect to this subnet.


Infrastructure Subnet

This subnet is used by the ESXi hosts in the SDDC.


The Compute Network contains an arbitrary number of logical segments for your workload VMs (at most 2200 logical segments per SDDC connected to the Default CGW).



High bandwidth and speed connectivity for VMware Cloud on AWS


Maximum number of AWS TGWs associated in the same region (intra-region) - 3

Maximum number of AWS TGWs associated in different regions (inter-region) - 3


It’s not uncommon for our customers to have a footprint of native AWS services in a region that use AWS TGW connectivity in addition to a VMware Cloud on AWS SDDC footprint. Before the intra-region peering feature, customers had to use either IPsec VPNs or a Transit VPC architecture to provide the connectivity they required. Both work, but each adds protocol and management overhead and introduces potential bandwidth bottlenecks. With the intra-region peering option, topologies can move from the one depicted in Figure 1 to the one illustrated in Figure 2.


Transit VPC Architecture for Intra-Region Connectivity


Intra-Region VTGW to TGW Peering

Eliminating the extra connectivity points simplifies the design: fewer hops, fewer route tables to manage, and fewer attachments.

Now that we’ve established the primary use case, we can focus on a specific topology and review the configuration steps. The topology in Figure 3 will be built throughout the remainder of this article.
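Two constraints above are worth checking before you click through the console: the management CIDR cannot be changed once the SDDC exists, and a VTGW-to-TGW peering only removes hops and route tables if the prefixes on both sides do not overlap and can be summarized. The following Python is an added example written for this page; it is not VMware's or AWS's code. It models the SDDC side and the native-TGW side of the Figure 2 topology, rejects overlaps, aggregates each side, checks the intra-region association limit quoted above, and emits the static routes the native TGW needs as AWS CLI commands. The allowed management prefix lengths (/16, /20, /23) are taken from VMware's SDDC sizing guidance and are treated as an assumption here; the resource IDs and all CIDRs are constructed placeholders.

```python
"""Plan an intra-region VTGW <-> native TGW peering.

Added example, not VMware's or AWS's code. It checks a prefix plan for
overlaps, aggregates it, and emits the two route lists the design needs:
  * prefixes to enter on the VTGW side (what lives behind the native TGW)
  * static routes for the native TGW route table (what lives behind the VTGW)
The management CIDR sizes (/16, /20, /23) follow VMware's SDDC guidance and
are an assumption; the IDs used below are made-up placeholders.
"""
import ipaddress
from itertools import combinations

ALLOWED_MGMT_PREFIXES = (16, 20, 23)   # assumption: VMC on AWS sizing guidance
MAX_PEERED_TGWS_PER_REGION = 3         # limit quoted on this page (intra-region)


def net(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR and reject host bits (10.0.0.1/24 is a typo worth catching)."""
    return ipaddress.IPv4Network(cidr, strict=True)


def validate_mgmt_cidr(cidr: str) -> ipaddress.IPv4Network:
    """The management CIDR is immutable after SDDC creation, so fail early."""
    n = net(cidr)
    if not n.is_private:
        raise ValueError(f"{cidr}: management CIDR must be RFC 1918 space")
    if n.prefixlen not in ALLOWED_MGMT_PREFIXES:
        raise ValueError(f"{cidr}: prefix must be one of {ALLOWED_MGMT_PREFIXES}")
    return n


def find_overlaps(cidrs):
    """Return every overlapping pair; overlaps make the peered routes ambiguous."""
    nets = [net(c) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def aggregate(cidrs):
    """Collapse adjacent or contained prefixes so the route tables stay small."""
    return [str(n) for n in ipaddress.collapse_addresses(net(c) for c in cidrs)]


def plan_peering(sddc_mgmt, sddc_segments, tgw_vpcs, onprem, existing_peerings=0):
    """Validate the plan and return the route list each side must carry."""
    validate_mgmt_cidr(sddc_mgmt)
    if existing_peerings + 1 > MAX_PEERED_TGWS_PER_REGION:
        raise ValueError("intra-region TGW association limit reached")
    sddc_side = [sddc_mgmt, *sddc_segments]   # advertised toward the native TGW
    tgw_side = [*tgw_vpcs, *onprem]           # entered on the VTGW side
    overlaps = find_overlaps(sddc_side + tgw_side)
    if overlaps:
        raise ValueError(f"overlapping prefixes: {overlaps}")
    return {
        "vtgw_routes": aggregate(tgw_side),   # prefixes behind the native TGW
        "tgw_routes": aggregate(sddc_side),   # static routes on the native TGW
    }


def tgw_route_commands(tgw_routes, route_table_id, peering_attachment_id):
    """AWS CLI for the native-TGW side; the IDs are placeholders you substitute."""
    cmds = ["aws ec2 accept-transit-gateway-peering-attachment "
            f"--transit-gateway-attachment-id {peering_attachment_id}"]
    for dst in tgw_routes:
        cmds.append(
            "aws ec2 create-transit-gateway-route "
            f"--destination-cidr-block {dst} "
            f"--transit-gateway-route-table-id {route_table_id} "
            f"--transit-gateway-attachment-id {peering_attachment_id}")
    return cmds


if __name__ == "__main__":
    # Constructed sample plan: one SDDC with two compute segments peered to a
    # native TGW that fronts two VPCs and an on-premises range.
    plan = plan_peering(
        sddc_mgmt="10.2.0.0/20",
        sddc_segments=["192.168.10.0/24", "192.168.11.0/24"],
        tgw_vpcs=["10.10.0.0/16", "10.11.0.0/16"],
        onprem=["172.16.0.0/12"],
    )
    print("enter on the VTGW side:", plan["vtgw_routes"])
    for cmd in tgw_route_commands(plan["tgw_routes"],
                                  "tgw-rtb-0123456789abcdef0",
                                  "tgw-attach-0123456789abcdef0"):
        print(cmd)
```

Peering attachments on a native TGW do not propagate routes, so the static entries generated here are the only routes the TGW will have toward the SDDC. Keep them to exactly the prefixes you intend to expose: a broad summary on the TGW side is also a broad reachability footprint into the SDDC. The prefixes in `vtgw_routes` are the ones you enter for the external TGW in the SDDC Group configuration.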