VMtalks México – Going deeper with VMware Cloud: network analysis, native AWS services and use cases
Laura Garro, Sr. Cloud Solutions Architect, 08-2020
Confidential ©2020 VMware, Inc.
Posted on 14-Aug-2021, 19 pages

TRANSCRIPT

Page 1: Title slide. VMtalks México – Going deeper with VMware Cloud: network analysis, native AWS services and use cases. Laura Garro, Sr. Cloud Solutions Architect, 08-2020.

Page 2: Agenda

• VMC on AWS Networking Overview

• Networking Options

• DEMO

• Internet Access to/from VMC

• Native AWS services connectivity

• DEMO

Page 3: VMware Cloud on AWS, powered by VMware Cloud Foundation

[Figure: the VMware SDDC (vSphere, vSAN, NSX, vCenter; VMware Cloud Foundation; VMware vRealize Suite) running on the AWS Global Infrastructure next to native AWS services (Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, AWS IAM, AWS IoT). Caption: "A complete solution in the cloud".]

• ESXi on Dedicated Hardware
• Support for VMs and Containers
• vSAN on Flash and EBS Storage
• Replication and DR Orchestration
• NSX Spanning on-premises and Cloud
• Advanced Networking & Security Services

Page 4: Networking Inside the SDDC – Powered by VMware NSX-T

§ Key features from on-premises brought to the cloud
§ Networking
§ Security
§ Scalable and easy to consume networking
§ Simplified Interface
§ API access available
§ Multiple connectivity options

Page 5: NSX-T Architecture view

[Figure: NSX-T architecture of the SDDC. Management Part: vCenter (VC), NSX manager, Controllers (3) and Edge appliances (2) running on the ESXi hosts. Compute Part: workload logical segments LS-1 and LS-2 (Overlay). A Tier-0 router in the Edge connects to two Tier-1 routers, the MGW and the CGW. The CGW serves Routed Network 1 (192.168.1.0/24) and Routed Network 2 (172.16.2.0/24) with their VMs, plus an L2 Extended Network stretched to the On-Prem default gateway. The Edge reaches the Internet, reaches on-prem over VPN and Direct Connect, and reaches the customer's AWS Native Services (Amazon EC2, Amazon S3, Amazon RDS, AWS IoT) from the VMware Cloud VPC over an ENI at 25 Gbps.]

Page 6: Networking Inside the SDDC – A Closer Look

Edge Router
• All connectivity to workloads flows through the Edge
• Configured for Active/Standby to provide High Availability (HA)

Management Gateway
• Management traffic for vCenter, NSX, ESXi hosts, etc.

Compute Gateway
• Workload traffic, including network to network

Programmatic route configuration
• No routing protocol overhead

Pervasive security
• Edge firewall
• Distributed firewall

[Figure: SDDC containing the Edge, MGW, CGW, NSX and vCenter.]

Page 7: VMware Cloud on AWS Networking Options – Data Center Interconnection

[Figure: on-premises data center linked to VMware Cloud on AWS either over Direct Connect or over the Public Internet, with three options shown. L3 VPN / BGP joins two distinct ranges, 172.16.10.0/24 and 172.16.20.0/24 (L3 VPN over the Internet; BGP over Direct Connect, L3 VPN optional). L2 VPN stretches 10.10.10.0/24 to both sides. HCX stretches 192.168.10.0/24 to both sides.]

L3 VPN / BGP
• Traditional IPSec VPN Tunnel over Internet or BGP over DX
• Compatible with any on-premises router.
• Interconnect two distinct network ranges.

NSX L2 VPN
• Stretch networks between private and public cloud.
• Requires installation of NSX Standalone Edge Client on-prem (does not require NSX licensing on-prem).
• Easy to configure.

HCX
• L2VPN (or L3VPN if no requirement to stretch network), combined with WAN Optimization engine and vSphere compatibility back to vSphere 5.0.
• Best option for bulk migration.
• Highly Secure (IPSec with AES 256 Suite-B encryption)

Page 8: Route and Policy Based VPN – Fastest way to get connected and start using VMC

[Figure: SDDC (Edge, MGW, CGW, vCenter, NSX) terminating two tunnel types: Route Based (with BGP) and Policy Based.]

• Supports any IPSec compliant endpoint
• Policy based VPN for simple connectivity requirements

Page 9: DEMO

Page 10: Outbound Internet Access – Via IPSec VPN

Page 11: Outbound Internet Access – With IPSec VPN, Internet breakout on-prem

The on-prem router/firewall will advertise 0.0.0.0/0 to VMC over IPSec.

All traffic from VMC-VM in VMware Cloud on AWS would be sent (encrypted) over the IPSec VPN (which itself runs over the AWS IGW) and exit to the Internet from on-prem.

Traffic path highlighted by the blue line.

[Figure: VMware Cloud on AWS (vSphere-based SDDC with NSX: Compute, Storage, Network; CGW, MGW, Network A, VMC-VM) connected by IPSec VPN to the On-Premises Data Center (Compute, Storage, Network; Router, NAT, Internet FW, Network 172.16.10.0/24, Network 172.16.20.0/24), which in turn connects to the Public Internet. The on-prem router announces: "Hey VMC - my local networks are 172.16.10.0/24 and 172.16.20.0/24 and I'll also advertise 0.0.0.0/0 so that all Internet-bound traffic goes through the Internet FW."]

Additional notes:
• Traffic can go via standard Internet Proxy.
• Use the 'route-based' VPN instead of 'policy-based' VPN if possible.
• BGP Peering Session (if using route-based VPN).

Page 12: Outbound Internet Access – With IPSec VPN, Internet breakout on AWS

All traffic from VMC-VM in VMware Cloud on AWS would go through the CGW directly to the AWS Internet gateway and on to the Internet.

Traffic path highlighted by the blue line.

[Figure: same topology as page 11 (VMware Cloud on AWS: vSphere-based SDDC with NSX, CGW, MGW, Network A, VMC-VM; IPSec VPN; On-Premises Data Center: Router, NAT, Internet FW, Network 172.16.10.0/24, Network 172.16.20.0/24; Public Internet on both sides). This time the on-prem router announces only: "Hey VMC - my local networks are 172.16.10.0/24 and 172.16.20.0/24", with no default route, so VMC-VM exits to the Public Internet via the AWS side.]

Additional notes:
• Use the 'route-based' VPN instead of 'policy-based' VPN if possible.
• BGP Peering Session (if using route-based VPN).
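The difference between the two outbound scenarios comes down to one BGP prefix: whether the on-prem router advertises 0.0.0.0/0 over the route-based VPN. The following Python is an added example, not VMware code and not taken from the slides; it models the CGW route table as a longest-prefix-match lookup with a numeric preference as tie-breaker, and assumes (as the slides describe, though they do not state the mechanism) that a default route learned from the on-prem BGP peer is preferred over the SDDC's own default via the AWS Internet Gateway. The route labels, preference values, the 192.168.1.0/24 "Network A" segment and the 203.0.113.10 public destination are constructed. The `learned_default_peers` check is the defender's view of the same fact: if a peer injects a default route, every Internet-bound flow from the SDDC leaves through it.

```python
"""Simplified model of CGW egress route selection for the two outbound
scenarios (Internet breakout on-prem vs. on AWS). Added example, not
VMware code. Assumption (not stated on the slides): selection is
longest-prefix match, ties broken by a numeric preference (lower wins),
and a default route learned from the on-prem BGP peer over the
route-based VPN is preferred over the SDDC's own default via the AWS
Internet Gateway, which is the effect the slides describe."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str      # constructed labels: "IGW", "VPN:on-prem", "local:Network A"
    preference: int    # tie-breaker for equal prefix length; lower wins
    source: str        # "connected", "static" or "bgp"


def sddc_routes(learned: Iterable[Route] = ()) -> List[Route]:
    """CGW route table: one SDDC segment (constructed 192.168.1.0/24, named
    'Network A' as on the slides), the SDDC default via IGW, plus whatever
    was learned over the VPN."""
    base = [
        Route(ip_network("192.168.1.0/24"), "local:Network A", 0, "connected"),
        Route(ip_network("0.0.0.0/0"), "IGW", 10, "static"),
    ]
    return base + list(learned)


def bgp_learned(prefixes: Iterable[str], peer: str = "VPN:on-prem") -> List[Route]:
    """Routes the on-prem router advertises over the route-based VPN."""
    return [Route(ip_network(p), peer, 5, "bgp") for p in prefixes]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal length the lower preference wins."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.preference))


def egress_path(routes: List[Route], dst: str) -> str:
    route = lookup(routes, dst)
    return route.next_hop if route else "unreachable"


def learned_default_peers(routes: List[Route]) -> List[str]:
    """Audit check: which BGP peers injected 0.0.0.0/0. A non-empty result
    means every Internet-bound flow leaves through that peer, so an
    unexpected entry here is worth an alert."""
    return sorted({r.next_hop for r in routes
                   if r.source == "bgp" and r.prefix.prefixlen == 0})


# What the on-prem router advertises in each scenario (prefixes from the slides).
ADVERTISED_BREAKOUT_ONPREM = ["172.16.10.0/24", "172.16.20.0/24", "0.0.0.0/0"]
ADVERTISED_BREAKOUT_AWS = ["172.16.10.0/24", "172.16.20.0/24"]

# Constructed destinations: an on-prem host, a local SDDC VM, and a public
# address taken from the RFC 5737 documentation range.
DESTINATIONS = ("172.16.10.5", "192.168.1.20", "203.0.113.10")


def scenario(advertised: Iterable[str]) -> Dict[str, str]:
    """Egress next hop for each destination under a given advertisement set."""
    routes = sddc_routes(bgp_learned(advertised))
    return {dst: egress_path(routes, dst) for dst in DESTINATIONS}


if __name__ == "__main__":
    for name, adv in (("breakout on-prem", ADVERTISED_BREAKOUT_ONPREM),
                      ("breakout on AWS", ADVERTISED_BREAKOUT_AWS)):
        table = sddc_routes(bgp_learned(adv))
        print(name, scenario(adv), "default from:", learned_default_peers(table))
```

Running it shows the public destination leaving via `VPN:on-prem` only when 0.0.0.0/0 is in the advertised set, and via `IGW` otherwise; traffic to the on-prem ranges and to the local segment is unaffected in both cases. The same lookup applies to the policy-based VPN slide only loosely, since there the interesting traffic is selected by policy rather than by a learned route.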

Page 13: Inbound Internet Access – VMware Cloud on AWS

Page 14: Inbound Internet Access – Via on-prem Internet FW

If the customer uses their own Public IPs and advertises them to the Internet on-prem, inbound traffic from an Internet user goes through the on-prem Internet FW, where the destination IP is NATed to the private IP of VMC-VM and forwarded across DX/VPN to VMC-VM.

[Figure: VMware Cloud on AWS (vSphere-based SDDC with NSX: Compute, Storage, Network; CGW, MGW, Network A, VMC-VM) connected to the On-Premises Data Center (Compute, Storage, Network; Router, NAT, Internet FW, Network 172.16.10.0/24, Network 172.16.20.0/24) over AWS Direct Connect and IPSec VPN. A User on the Public Internet reaches the Public IP at the on-prem Internet FW, which translates it to the Private IP of VMC-VM.]

Page 15: Inbound Internet Access – Via AWS Internet GW

If the customer requests Public IPs via the VMC console, they can NAT them to VMs in VMware Cloud on AWS.

Inbound traffic from an Internet user will go through the AWS IGW and the VMC CGW.

[Figure: same topology as page 14 (VMware Cloud on AWS: vSphere-based SDDC with NSX, CGW, MGW, Network A, VMC-VM; AWS Direct Connect and IPSec VPN to the On-Premises Data Center with Router, NAT, Internet FW, Network 172.16.10.0/24, Network 172.16.20.0/24). Here the User on the Public Internet reaches the Public IP on the AWS side, which the CGW translates to the Private IP of VMC-VM.]

Page 16: VPC = Virtual Private Cloud

• Your virtual data center on AWS
• Block of IPs that define your network (typically RFC 1918)
• Can span multiple AZs

[Figure: a Default VPC with VPC CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B.]

Page 17: Native AWS Integration – Elastic Network Interfaces

[Figure: VMware Cloud on AWS SDDC (vCenter, NSX, MGW, CGW, VMs on EC2 i3 Metal hosts in a VPC Subnet) connected through ENIs to Native AWS Services: EC2, S3 via a VPC Endpoint, and Dynamo.]

• Deploy Hybrid Applications across your VMware SDDC and native AWS services
• Sub-Millisecond latency via AWS Elastic Network Interfaces (ENI) and VPC Endpoints
• No Cost ingress/egress data transfers within AZ
• Modernise applications by integrating VMware with breadth of AWS services

Page 18: DEMO

Page 19: Thank You