VMware Cloud on AWS Networking and Security
12 February 2019
VMware Cloud on AWS


VMware Cloud on AWS Networking and Security

VMware, Inc. 2

You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

[email protected]

Copyright © 2017–2019 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com


Contents

About VMware Cloud on AWS Networking and Security

1 Determining Whether Your SDDC Networking is Backed by NSX for vSphere or NSX-T

2 Features Supported with NSX for vSphere and NSX-T

3 About VMware Cloud on AWS Networking With NSX for vSphere
  Use the Configure MGW VPN Wizard to Configure a Management VPN and Gateway
  Configuring Compute Gateway Networking
  Using AWS Direct Connect with VMware Cloud on AWS

4 About VMware Cloud on AWS Networking with VMware NSX-T
  Configure NSX Roles
  Configuring VMware Cloud on AWS Networking Using NSX-T
  Configure Connectivity to the On-Premises Data Center
  Configure Management Gateway Networking
  Configure Compute Gateway and Workload Networking
  Configure Monitoring and Troubleshooting Features


About VMware Cloud on AWS Networking and Security

The VMware Cloud on AWS Networking and Security guide provides information about configuring networking and security for VMware Cloud on AWS.

This information guides you in how to configure networking for both NSX for vSphere and NSX-T based SDDCs.

Intended Audience

This information is intended for anyone who wants to use VMware Cloud on AWS to create an SDDC that has the basic features required to run workloads in the cloud and can serve as a starting point for your exploration of additional features and capabilities. The information is written for readers who have used vSphere in an on-premises environment and are familiar with virtualization concepts. In-depth knowledge of vSphere or Amazon Web Services is not required.


1 Determining Whether Your SDDC Networking is Backed by NSX for vSphere or NSX-T

Your VMware Cloud on AWS SDDC uses networking backed by either VMware NSX® for vSphere® or VMware NSX-T™. The networking configuration steps and capabilities differ between these two versions.

You can determine which type of networking your SDDC uses by logging in to the VMC Console and clicking the card for the SDDC.

If a Network tab is present, the SDDC uses NSX for vSphere.

If a Networking & Security tab is present, the SDDC uses NSX-T.


2 Features Supported with NSX for vSphere and NSX-T

SDDCs backed by NSX for vSphere and those backed by NSX-T support different sets of features.

Table 2-1. Features supported with NSX for vSphere and NSX-T

Feature or Solution                                                                  | NSX for vSphere                               | NSX-T
Policy-based IPsec VPN                                                               | Yes                                           | Yes
Route-based IPsec VPN                                                                | No                                            | Yes
Direct Connect for All Traffic                                                       | No (ESXi management and vMotion traffic only) | Yes
L2 VPN                                                                               | Yes                                           | Yes
Edge Firewall                                                                        | Yes                                           | Yes
Logical Networks, DHCP, DNS, NAT                                                     | Yes                                           | Yes
Distributed Firewall                                                                 | No                                            | Yes
IPFIX, Port Mirroring                                                                | No                                            | Yes
Management Appliance and ESXi access to and from the overlay network and AWS VPC     | No                                            | Yes
Multiple Clusters                                                                    | Yes                                           | Yes
Multiple Availability Zone Stretched Clusters                                        | Yes                                           | Yes
Bi-directional migration with vMotion                                                | Yes                                           | Yes
VMware Site Recovery                                                                 | Yes                                           | Yes
VMware Hybrid Cloud Extension                                                        | Yes                                           | Yes
Horizon                                                                              | Yes                                           | Yes
3rd Party Solutions - Storage Partners                                               | Yes                                           | No
2nd Party Solutions - vRA, vROps                                                     | Yes                                           | Yes


3 About VMware Cloud on AWS Networking With NSX for vSphere

Information in this section explains how to configure networking for an SDDC based on NSX for vSphere.

Your SDDC might be provisioned with networking features based on either NSX for vSphere or NSX-T. This section describes the configuration of SDDCs whose networking is backed by NSX for vSphere.

This chapter includes the following topics:
- Use the Configure MGW VPN Wizard to Configure a Management VPN and Gateway
- Configuring Compute Gateway Networking
- Using AWS Direct Connect with VMware Cloud on AWS

Use the Configure MGW VPN Wizard to Configure a Management VPN and Gateway

A new SDDC includes a logical network (the management network) and an NSX Edge gateway that controls access to the network. To provide secure communications between this network and your on-premises management network, use the Configure MGW VPN wizard to create virtual private networks (VPNs) in each location, and configure the management gateway to connect them.

The wizard guides you through the steps to create a VPN in the SDDC, configure the management gateway with firewall rules, and specify DNS server addresses for the management network. Your networking team can configure the on-premises end of the management VPN using information you download from the SDDC, then connect it to the SDDC through the management gateway and test network connectivity.

Note In addition to creating a management VPN, you can also create a compute VPN and an AWS Direct Connect connection between your on-premises data center and AWS services. For information about how to create these connections, see the Networking and Security Guide.

Set Management Gateway Firewall Rules

By default, the firewall for the management gateway is set to deny all inbound and outbound traffic. Add firewall rules to allow only the traffic you need.


If you have configured a management gateway VPN, you can use the Firewall Rules Accelerator to create the firewall rules necessary for communication over the VPN. See Use the Firewall Rules Accelerator to Set Up Firewall Rules.

Note In order to access vCenter Server in your SDDC, you must set a firewall rule to allow traffic to the vCenter Server.

When access to vCenter Server is blocked, the topology diagram on the Network tab shows a dotted line between the internet and the management gateway.

After you have added a firewall rule to allow access to vCenter Server, the diagram shows a solid line between the internet and the management gateway.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.


2 Click View Details on the SDDC card.

3 Click Network.

4 Under Management Gateway, click Firewall Rules.

5 Click Add Rule.

6 Enter the rule parameters.

Option       Description
Rule Name    Enter a descriptive name for the rule.
Action       The only action available for management gateway firewall rules is Allow.
Source       Enter or select one of the following options for the source:
             - An IP address, IP address range, or any to allow traffic from that address or address range
             - vCenter to allow traffic from your SDDC's vCenter Server.
             - ESXi Management Only to allow traffic from your SDDC's ESXi management.
Destination  Enter or select one of the following options for the destination:
             - An IP address, IP address range, or any to allow traffic to that address or address range
             - vCenter to allow traffic to your SDDC's vCenter Server.
             - ESXi Management Only to allow traffic to your SDDC's ESXi management.
Service      Select one of the following to apply the rule to:
             - Any (All Traffic)
             - ICMP (All ICMP)
             - HTTPS (TCP 443) - applies only to vCenter Server as a destination.
             - SSO (TCP 7444) - applies only to vCenter Server as a destination.
             - Provisioning (TCP 902) - applies only to ESXi Management Only as a destination.
             - Remote Console (TCP 903) - applies only to ESXi Management Only as a destination.
Ports        The port that the selected service uses for communication.

7 Use the up and down arrow icons to change the order of the firewall rules.

Firewall rules are applied in order from top to bottom.

An example firewall rule that allows all traffic to reach vCenter Server from a particular IP address has Source set to that address, Destination set to vCenter, and Service set to Any (All Traffic).

See Example Management Gateway Firewall Rules for more examples of firewall rules for specific use cases.


Example Management Gateway Firewall Rules

Some common firewall rule configurations include opening access to the vSphere Client from the internet, allowing access to vCenter Server through the management VPN tunnel, and allowing remote console access.

Commonly Used Firewall Rules

The following table shows the Service, Source, and Destination settings for commonly-used firewall rules.

Table 3-1. Commonly-Used Firewall Rules

Use Case | Service | Source | Destination
Provide access to vCenter Server from the internet. Use for general vSphere Client access as well as for monitoring vCenter Server. | HTTPS | public IP address | vCenter
Provide access to vCenter Server over VPN tunnel. Required for Management Gateway VPN, Hybrid Linked Mode, Content Library. | HTTPS | IP address or CIDR block from on-premises data center | vCenter
Provide access from cloud vCenter Server to on-premises services such as Active Directory, Platform Services Controller, and Content Library. | Any | vCenter | IP address or CIDR block from on-premises data center
Provisioning operations involving network file copy traffic, such as cold migration, cloning from on-premises VMs, snapshot migration, replication, and so on. | Provisioning | IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel | ESXi Management
VMRC remote console access. Required for vRealize Automation. | Remote Console | IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel | ESXi Management
vMotion traffic over VPN | Any | ESXi Management | IP address or CIDR block from on-premises data center
Ping traffic to vCenter Server for network troubleshooting. | ICMP (All ICMP) | IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel | vCenter
Ping traffic to ESXi management network for network troubleshooting. | ICMP (All ICMP) | IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel | ESXi Management

Set Management Gateway DNS

Set a DNS server to allow the management gateway, ESXi hosts, and management VMs to resolve fully-qualified domain names (FQDNs) to IP addresses on the management network.

Unless you intend to use only static routing, the management network requires a DNS service that can resolve IP addresses on both sides of the management gateway to VM FQDNs. You must specify the IP address of at least one DNS server when you configure the management gateway. If you specify an optional backup DNS server, be sure that both servers are configured identically.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Click View Details on the SDDC card.

3 Click Network.

4 (Optional) Modify default DNS settings for the management VPN.

The management VPN is created with two DNS servers configured to resolve names to addresses on the public Internet. You can change the DNS server addresses and the name resolution scope.

a Under Management Gateway, click DNS.

b Modify the DNS server addresses.

Click Edit and enter the IP addresses for DNS Server 1 and, optionally, DNS Server 2.

c Choose a scope for DNS name resolution.

By default, the gateway DNS is configured to resolve names to addresses on the public Internet (Public IP resolvable from Internet). To limit the scope to addresses on the management VPN, select Private IP resolvable from VPN and click Save. This configuration change applies to both DNS Server 1 and DNS Server 2.

IPsec VPN Settings Reference

The on-premises end of any IPsec VPN must be configured to reflect the settings you specified for the SDDC end of that VPN.


Information in the following tables summarizes the available SDDC IPsec VPN settings. Some of the settings can be configured. Some are static. Use this information to verify that your on-premises VPN solution can be configured to match the one in your SDDC. Choose an on-premises VPN solution that supports all the static settings and any of the configurable settings listed in these tables.

Phase 1 Internet Key Exchange (IKE) Settings

Table 3-2. Configurable IKE Phase 1 Settings

Attribute            | Allowed Values         | Recommended Value
Protocol             | IKEv1, IKEv2           | any
Encryption Algorithm | AES-256, AES-GCM, AES  | any
Hashing Algorithm    | SHA-1, SHA-256         | any
Diffie Hellman       | DH Groups 2, 5, 14-16  | DH Group 14

Table 3-3. Static IKE Phase 1 Settings

Attribute              | Value
ISAKMP mode            | Main mode (Disable aggressive mode)
ISAKMP/IKE SA lifetime | 28800 seconds
IPsec Mode             | Tunnel
IKE Authentication     | Pre-Shared Key

Phase 2 Settings

Table 3-4. Configurable IKE Phase 2 Settings

Attribute                     | Allowed Values         | Recommended Value
Encryption Algorithm          | AES-256, AES-GCM, AES  | any
Perfect forward secrecy (PFS) | Enabled, Disabled      | any
Diffie Hellman                | DH Groups 2, 5, 14-16  | DH Group 14

Table 3-5. Static IKE Phase 2 Settings

Attribute         | Value
Hashing Algorithm | SHA-1
Tunnel Mode       | Encapsulating Security Payload (ESP)
SA lifetime       | 3600 seconds (one hour)
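Before choosing or configuring an on-premises VPN device, it helps to check a candidate proposal against the fixed and configurable values in Tables 3-2 to 3-5 mechanically rather than by eye. The checker below is an added example, not VMware code or part of this guide: the SDDC-side constants are transcribed from the tables above, and the two on-premises proposals are constructed for illustration. It also flags two things the tables imply but a practitioner can easily miss: a Phase 2 proposal that offers only SHA-256 will never negotiate, because the SDDC side fixes that hash at SHA-1, and DH groups 2 and 5 are accepted but weaker than the recommended group 14.

```python
from __future__ import annotations

# SDDC-side constraints transcribed from Tables 3-2 through 3-5 above.
PHASE1_CONFIGURABLE = {
    "protocol": {"IKEv1", "IKEv2"},
    "encryption": {"AES", "AES-256", "AES-GCM"},
    "hash": {"SHA-1", "SHA-256"},
    "dh_group": {2, 5, 14, 15, 16},
}
PHASE1_STATIC = {
    "sa_lifetime": 28800,        # seconds
    "ipsec_mode": "tunnel",
    "authentication": "psk",
}
PHASE2_CONFIGURABLE = {
    "encryption": {"AES", "AES-256", "AES-GCM"},
    "pfs": {True, False},
}
PHASE2_STATIC = {
    "hash": "SHA-1",             # fixed on the SDDC side; SHA-256 here will not negotiate
    "protocol": "ESP",
    "sa_lifetime": 3600,         # seconds
}
DH_GROUPS = PHASE1_CONFIGURABLE["dh_group"]
RECOMMENDED_DH_GROUP = 14


def _check(phase: str, proposal: dict, configurable: dict, static: dict) -> list[str]:
    """Compare one phase of a proposal against the allowed and the fixed values."""
    findings = []
    for key, allowed in configurable.items():
        if proposal.get(key) not in allowed:
            findings.append(f"ERROR {phase} {key}={proposal.get(key)!r} not one of {sorted(allowed, key=str)}")
    for key, value in static.items():
        if proposal.get(key) != value:
            findings.append(f"ERROR {phase} {key}={proposal.get(key)!r}, SDDC side is fixed at {value!r}")
    return findings


def check_proposal(p1: dict, p2: dict) -> list[str]:
    """Return findings for an on-premises proposal (p1 = IKE Phase 1, p2 = Phase 2).

    ERROR findings mean the tunnel will not come up; WARN findings negotiate but use
    a value weaker than the recommended one. An empty list means the proposal matches.
    """
    findings = _check("phase1", p1, PHASE1_CONFIGURABLE, PHASE1_STATIC)
    # Main mode is mandatory for IKEv1; IKEv2 has no aggressive mode to disable.
    if p1.get("protocol") == "IKEv1" and p1.get("isakmp_mode") != "main":
        findings.append("ERROR phase1 IKEv1 must use main mode (aggressive mode is not supported)")
    findings += _check("phase2", p2, PHASE2_CONFIGURABLE, PHASE2_STATIC)
    # The Phase 2 DH group is only negotiated when PFS is enabled.
    if p2.get("pfs") and p2.get("dh_group") not in DH_GROUPS:
        findings.append(f"ERROR phase2 dh_group={p2.get('dh_group')!r} not one of {sorted(DH_GROUPS)}")
    for phase, prop in (("phase1", p1), ("phase2", p2)):
        if phase == "phase2" and not prop.get("pfs"):
            continue
        if prop.get("dh_group") in (2, 5):
            findings.append(f"WARN {phase} DH group {prop['dh_group']} is accepted but weaker "
                            f"than the recommended group {RECOMMENDED_DH_GROUP}")
    return findings


# Constructed on-premises proposals for illustration.
GOOD_P1 = {"protocol": "IKEv2", "encryption": "AES-256", "hash": "SHA-256", "dh_group": 14,
           "sa_lifetime": 28800, "ipsec_mode": "tunnel", "authentication": "psk"}
GOOD_P2 = {"encryption": "AES-256", "pfs": True, "dh_group": 14,
           "hash": "SHA-1", "protocol": "ESP", "sa_lifetime": 3600}
# A well-meant "hardened" proposal that will not come up: aggressive mode,
# DH group 5, and SHA-256 for Phase 2, which the SDDC side fixes at SHA-1.
BAD_P1 = {**GOOD_P1, "protocol": "IKEv1", "isakmp_mode": "aggressive", "dh_group": 5}
BAD_P2 = {**GOOD_P2, "hash": "SHA-256"}

if __name__ == "__main__":
    for label, p1, p2 in (("good", GOOD_P1, GOOD_P2), ("bad", BAD_P1, BAD_P2)):
        print(label, check_proposal(p1, p2) or "matches SDDC settings")
```

Run it as a script to see both proposals evaluated; once you have downloaded the Remote VPN Config File, fill the dictionaries from the values it lists and from your on-premises device's proposal before the tunnel is brought up.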


On-Premises IPsec VPN Configuration

From the Network tab of your SDDC, under Management Gateway, you can download a Remote VPN Config File that lists all settings of the SDDC side of the management VPN. Use the settings in that file to configure the on-premises side of the management VPN.

Note Do not configure the on-premises side of the VPN to have an idle timeout (for example, the NSX Session idle timeout setting). On-premises idle timeouts can cause the VPN to become periodically disconnected.

Mapping NSX Parameters to VMC Console VPN Parameters

The table below matches terms for VPN parameters used in NSX Edge configuration to the terms used in the VMC Console.

NSX Property Name       | VMC Console Property Name
Name                    | VPN Name
Peer ID                 | On-prem Gateway IP
Peer Endpoint           | On-prem Gateway IP
Peer Subnets            | On-prem Network
Local ID                | Uplink SNAT (not a user-entered value)
Local Endpoint          | Uplink IP (not a user-entered value)
Local Subnets           | Local Network
Encryption Algorithm    | Encryption
Perfect Forward Secrecy | Perfect Forward Secrecy
Authentication          | PSK (not a user-entered value)
Diffie Hellman Group    | Diffie Hellman
Pre-Shared Key          | Pre-Shared Key
Enabled                 | True (not a user-entered value)

Create a Management VPN in your SDDC

To create the management VPN, configure an IPsec VPN in the SDDC and another one in your on-premises data center. The management gateway connects these two VPNs and provides a common set of firewall rules and DNS services.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 On the Network tab of your SDDC, click ACTIONS > Configure Management Gateway.


3 Complete the Management Gateway VPN configuration.

Parameter                 | Description
VPN Name                  | Enter a name for the VPN.
Remote Gateway Public IP  | Enter the IP address of your on-premises gateway.
Remote Gateway Private IP | If your on-premises gateway is behind NAT, provide the private IP address of the gateway.
Remote Networks           | Enter the address of your on-premises management network.
Local Gateway IP          | Displays the public IP address of the management gateway. This is not an editable field.
Local Network             | Displays the CIDR block of the management subnet for the management gateway. This is not an editable field.
Encryption                | Select AES-256.
Perfect Forward Secrecy   | Select Enabled.
Diffie Hellman            | Select a Diffie Hellman group. Ensure that you use a group that your on-premises VPN gateway supports.
Pre-Shared Key            | Enter a pre-shared key. The key is a string with a maximum length of 128 characters that is used by the two ends of the VPN tunnel to authenticate with each other.

Click SAVE to save this configuration and create the VPN.

After the system creates the VPN in the SDDC, you can click ACTIONS to Edit or Disable the VPN. When the VPN has a status of Connected, you can click VPN Status Detail to view VPN tunnel status and statistics.

4 Download the SDDC management VPN configuration details.

Under Remote VPN Config File, click Download to download a configuration file that you can use when you configure the on-premises side of this VPN.

What to do next

Configure the on-premises side of the management VPN.

Use the Firewall Rules Accelerator to Set Up Firewall Rules

The Firewall Rules Accelerator helps create appropriate firewall policies in the management gateway. This enables communication over the IPsec VPN tunnel with key management infrastructure components such as vCenter Server and ESXi from your on-premises data center.

After you set up an IPsec VPN for the Management Gateway, you can use the Firewall Rules Accelerator to quickly set up the firewall rules. Setting these rules is a prerequisite for using Hybrid Linked Mode, performing workload migrations, and many other tasks.

Prerequisites

Configure a Management Gateway VPN. See Create a Management VPN in your SDDC.


Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Navigate to the Network tab of your SDDC.

3 Under Management Gateway, click IPsec VPNs.

4 Click Firewall Rule Accelerator.

The Firewall Rules Accelerator opens.

5 From the VPN (Remote Network) drop-down menu, select the remote (on-premises) network that you want to create firewall rules for.

The Firewall Rules Accelerator displays the rules that will be created.

6 Click Create Firewall Rules to create these rules.

After the firewall rules are created, they are shown in the Management Gateway Firewall Rules list. You can edit or delete any rules as needed.

If you change your remote VPN network, you can use the Firewall Rules Accelerator to create new firewall rules, but it does not update any already existing rules. You must delete or modify those rules manually.

Change the Management Gateway FQDN Resolution

You can change how the Management Gateway performs FQDN resolution: either to a private IP address resolvable from the VPN you set up, or to a public IP address resolvable from the Internet.

To use features such as migration with vMotion, cold migration, or Hybrid Linked Mode, switch the vCenter Server resolution to a private IP address resolvable from the VPN.

Prerequisites

Set up the VPN for the Management Gateway. See Create a Management VPN in your SDDC.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Navigate to the Network tab of your SDDC.

3 Under Management Gateway, click DNS and then Edit.

4 Select Private IP resolvable from VPN or Public IP resolvable from Internet and click Save.

Configuring Compute Gateway Networking

The compute gateway handles network traffic for your workload VMs.

You can configure firewall rules, inbound NAT, VPN connections, DNS, and public IP addresses for your compute gateway.


Create a Logical Network

Create logical networks to provide network access to workload VMs.

VMware Cloud on AWS supports two types of logical networks, routed and extended.

Routed networks are the default type. These networks use the SDDC compute gateway as the default gateway. Routed networks have connectivity to other logical networks in the same SDDC and to external network services such as the SDDC firewall and NAT. Extended networks require a layer 2 Virtual Private Network (L2VPN), which provides a secure communications tunnel between an on-premises network and one in your cloud SDDC.

Your SDDC starts with a single default logical network, sddc-cgw-network-1. You can use the HTML5 vSphere Client to create additional logical networks.

Procedure

1 Log in to the vSphere Client for your SDDC.

2 Select Menu > Global Inventory Lists.

3 Select Logical Networks.

4 Click Add.

5 In the Name text field, enter a name for the logical network.

6 Select whether to create a routed network or an extended network.

Option            Description
Routed Network    A routed network is used for communication over an IPsec VPN or the internet. Set the following options:
                  a In the CIDR Block text field, enter a CIDR block in xxx.xxx.xxx.0/YY format.
                    Prefix length should be between 22 and 30, because your logical network must have no more than 1000 ports.
                  b (Optional) Select Enabled to enable DHCP.
                    If you enable DHCP on a logical network and you have configured an on-premises DNS server, you must edit your compute gateway VPN to enable DNS queries to be correctly forwarded over the VPN. Select cgw-dns-network as one of the local networks for the VPN.
                  c If you enabled DHCP, enter the domain name to use with VMs attached to this logical network in the DNS Domain Name text box.
Extended Network  A VMware Cloud on AWS extended network uses a layer 2 Virtual Private Network (L2VPN) to extend an on-premises network to one in your cloud SDDC. This extended network is a single subnet with a single broadcast domain, so you can migrate VMs to and from your cloud SDDC without having to change their IP addresses. See "Configure an Extended Network and Layer 2 VPN" in VMware Cloud on AWS Networking and Security.

Important Workload logical networks must not overlap with the management network CIDR block.


7 Click OK.
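A CIDR block that looks plausible can still be rejected by the form, or, worse, accepted and then break routing. The following added example (not VMware code or part of this guide) validates a candidate routed logical network block offline before you type it in: it requires the xxx.xxx.xxx.0/YY form, a prefix length between /22 and /30, and no overlap with the management network from the Important note above. It also goes one step beyond the page by rejecting overlap with existing routed logical networks, since routed networks in the same SDDC route to each other. The management CIDR and the existing network are constructed placeholders; read the real values from the Network tab of your SDDC.

```python
import ipaddress

# Constructed placeholders: read the real values from the Network tab of your SDDC.
MANAGEMENT_CIDR = ipaddress.ip_network("10.2.0.0/16")
EXISTING_LOGICAL_NETWORKS = {
    "sddc-cgw-network-1": ipaddress.ip_network("192.168.1.0/24"),
}
MIN_PREFIX, MAX_PREFIX = 22, 30   # allowed prefix lengths from step 6a above


def validate_logical_network_cidr(cidr, management=MANAGEMENT_CIDR,
                                  existing=EXISTING_LOGICAL_NETWORKS):
    """Return a list of problems with a proposed routed logical network CIDR.

    An empty list means the block is safe to create. strict=True rejects a CIDR
    whose host bits are set (for example 192.168.3.1/24), which matches the
    xxx.xxx.xxx.0/YY form the UI expects.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid network address: {exc}"]
    if net.version != 4:
        return ["only IPv4 CIDR blocks are accepted here"]
    problems = []
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(f"prefix /{net.prefixlen} is outside the allowed /{MIN_PREFIX} to /{MAX_PREFIX} range")
    if net.overlaps(management):
        problems.append(f"overlaps management network {management}")
    # Routed networks are reachable from each other, so an overlapping block
    # would make routing ambiguous. The page itself states only the
    # management-network rule; this check is an addition.
    for name, other in existing.items():
        if net.overlaps(other):
            problems.append(f"overlaps logical network {name} ({other})")
    return problems


if __name__ == "__main__":
    for candidate in ("192.168.2.0/24", "10.2.10.0/24", "192.168.0.0/16", "192.168.3.1/24"):
        print(candidate, validate_logical_network_cidr(candidate) or "ok")
```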

What to do next

After you have created the logical network, you can attach VMs to it. See Attach a VM to or Detach a VM from a Logical Network.

Attach a VM to or Detach a VM from a Logical Network

You can connect a single VM or multiple VMs to a logical network, or disconnect them from it.

Procedure

1 Log in to the vSphere Client for your SDDC.

2 Select Menu > Global Inventory Lists.

3 Select Logical Networks.

4 In the vCenter Server drop down menu, select the vCenter Server that manages the logical networkyou want to use.

5 Select the check box next to the logical network name to select it.

6 Select whether to attach or detach VMs.

n Click Attach VM to attach VMs to the selected network.

n Click Detach VM to detach VMs from the selected network.

7 Select the virtual machine(s) you want to attach or detach, click >> to move them to the Selected Objects column, and click Next.

8 For each VM, select the virtual NIC you want to attach and click Next.

9 Click Finish.

Set Compute Gateway Firewall Rules

By default, the firewall for the compute gateway is set to deny all inbound and outbound traffic. Add additional firewall rules to allow traffic as needed.


Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Click View Details on the SDDC card.

3 Click Network.

4 Under Compute Gateway, click Firewall Rules.

5 Click Add Rule.

6 Enter the rule parameters.

Option Description

Rule Name Give the rule a descriptive name.

Action Select Allow or Deny.

Source       Select the source for the network traffic.
             - Enter an IP address, an IP address range, or Any if you want the rule to apply to all traffic.
             - Select All Internet and VPN if you want the rule to apply to all traffic from the internet and the compute gateway VPN but not to traffic from the connected Amazon VPC.
             - Select All Connected AWS VPC if you want the rule to apply to traffic from the connected Amazon VPC but not to traffic from the internet and the compute gateway VPN.
Destination  Select the destination for the network traffic.
             - Enter an IP address, an IP address range, or Any if you want the rule to apply to all traffic.
             - Select All Internet and VPN if you want the rule to apply to all traffic to the internet and the compute gateway VPN but not to traffic to the connected Amazon VPC.
             - Select All Connected AWS VPC if you want the rule to apply to traffic to the connected Amazon VPC but not to traffic to the internet and the compute gateway VPN.
Service      Select one of the following:
             - Select Any to create a rule that applies to all traffic, regardless of protocol or port used.
             - Select a specific service to create a rule that applies to that protocol and port.
             - Select Custom TCP, Custom UDP, or Custom ICMP to create a rule that applies to a service and/or port that is not available in the dropdown menu.
Ports        If you selected a custom TCP, UDP, or ICMP service, enter the port number used by this service.

7 Use the up and down arrow icons to adjust the ordering of the firewall rules.

Firewall rules are applied in order from top to bottom.
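Both the management gateway rules (step 7 under Set Management Gateway Firewall Rules) and the compute gateway rules (step 7 above) are evaluated top to bottom, first match wins, with the gateway default of deny applying when nothing matches. That makes rule order a security property, not a cosmetic one. The simulator below is an added example and not the NSX Edge implementation; the named objects, addresses, services and rule sets are constructed. It models a management gateway rule set in the style of Table 3-1 and a compute gateway rule set with a common ordering mistake, an Allow placed below a Deny that already covers it, which the shadowed() check reports.

```python
import ipaddress
from dataclasses import dataclass

# Named objects offered by the rule editor. The addresses behind them are
# constructed placeholders; the real ones are shown on the Network tab.
NAMED_OBJECTS = {
    "vCenter": [ipaddress.ip_network("10.2.0.10/32")],
    "ESXi Management": [ipaddress.ip_network("10.2.0.0/24")],
}
# Predefined services from the management gateway rule editor: name -> (protocol, port).
SERVICES = {
    "HTTPS": ("tcp", 443),
    "SSO": ("tcp", 7444),
    "Provisioning": ("tcp", 902),
    "Remote Console": ("tcp", 903),
}


@dataclass
class Rule:
    name: str
    action: str        # "Allow" or "Deny"; management gateway rules are Allow only
    source: str        # "Any", a named object, an IP address, or a CIDR block
    destination: str
    service: str       # "Any", a SERVICES key, or a custom "proto/port" such as "tcp/22"


def _networks(spec):
    if spec.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec in NAMED_OBJECTS:
        return NAMED_OBJECTS[spec]
    return [ipaddress.ip_network(spec, strict=False)]


def _service(spec):
    """None means any protocol and port."""
    if spec == "Any":
        return None
    if spec in SERVICES:
        return SERVICES[spec]
    proto, port = spec.split("/")
    return proto, int(port)


def _matches(rule, src, dst, proto, port):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(s in n for n in _networks(rule.source)):
        return False
    if not any(d in n for n in _networks(rule.destination)):
        return False
    svc = _service(rule.service)
    return svc is None or svc == (proto, port)


def evaluate(rules, src, dst, proto, port):
    """Scan rules top to bottom; the first match decides. No match falls through
    to the gateway default, which is deny."""
    for rule in rules:
        if _matches(rule, src, dst, proto, port):
            return rule.action, rule.name
    return "Deny", "default"


def _covers(outer, inner):
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def shadowed(rules):
    """Names of rules that can never match because an earlier rule already covers
    every packet they describe. Such rules are the usual sign of an ordering mistake."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(_networks(earlier.source), _networks(later.source))
                    and _covers(_networks(earlier.destination), _networks(later.destination))
                    and _service(earlier.service) in (None, _service(later.service))):
                out.append(later.name)
                break
    return out


# Constructed management gateway rule set following Table 3-1: vCenter reachable
# over the VPN from the on-premises block 10.1.0.0/16, and vCenter allowed out to it.
MGW_RULES = [
    Rule("vCenter over VPN", "Allow", "10.1.0.0/16", "vCenter", "HTTPS"),
    Rule("vCenter to on-prem services", "Allow", "vCenter", "10.1.0.0/16", "Any"),
]
# Constructed compute gateway rule set with an ordering mistake: the on-premises
# SSH allow sits below a deny that already covers it, so it never matches.
CGW_RULES_WRONG = [
    Rule("Block SSH from anywhere", "Deny", "Any", "192.168.1.0/24", "tcp/22"),
    Rule("Allow HTTPS in", "Allow", "Any", "192.168.1.0/24", "tcp/443"),
    Rule("Allow SSH from on-prem", "Allow", "10.1.0.0/16", "192.168.1.0/24", "tcp/22"),
]
CGW_RULES_FIXED = [CGW_RULES_WRONG[2], CGW_RULES_WRONG[0], CGW_RULES_WRONG[1]]

if __name__ == "__main__":
    print(evaluate(MGW_RULES, "10.1.5.5", "10.2.0.10", "tcp", 443))         # ('Allow', 'vCenter over VPN')
    print(evaluate(MGW_RULES, "203.0.113.7", "10.2.0.10", "tcp", 443))      # ('Deny', 'default')
    print(shadowed(CGW_RULES_WRONG))                                         # ['Allow SSH from on-prem']
    print(evaluate(CGW_RULES_FIXED, "10.1.5.5", "192.168.1.20", "tcp", 22))  # ('Allow', 'Allow SSH from on-prem')
```

Note that the management gateway example deliberately has no rule for HTTPS from the internet: a public client hitting vCenter on 443 falls through to the default deny until you add the first row of Table 3-1, which is exactly the exposure decision the note about vCenter access above asks you to make consciously.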

Create a Compute VPN

Configure a compute VPN to allow VMs in your SDDC to communicate securely with VMs in an on-premises data center or within an Amazon VPC.


Creating a compute gateway VPN allows you to deploy hybrid application architectures in which some VMs in the application are in your on-premises data center or on Amazon EC2, while others are in your cloud SDDC.

Prerequisites

Configuring a compute VPN requires the following:

- An on-premises router or firewall capable of terminating an IPsec VPN, such as Cisco ISR, Cisco ASA, Check Point Firewall, Juniper SRX, NSX Edge, or any other device capable of IPsec tunneling.

- The router or firewall should be configured with cryptography settings as described in IPsec VPN Settings Reference.

- If your on-premises gateway is behind another firewall, allow IPsec VPN traffic to pass through the firewall to reach your device by doing the following:

  - Open UDP port 500 to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through the firewall.

  - Set IP protocol ID 50 to allow IPsec Encapsulating Security Payload (ESP) traffic to be forwarded through the firewall.

  - Set IP protocol ID 51 to allow Authentication Header (AH) traffic to be forwarded through the firewall.

  When the gateway itself sits behind NAT (the Remote Gateway Private IP case below), the peers detect this during IKE and move both IKE and ESP into UDP port 4500 (NAT traversal), so that port must be allowed through as well.

Procedure

1 Configure the Compute Gateway side of the tunnel.

a Log in to the VMC Console at https://vmc.vmware.com.

b Navigate to the Network tab of your SDDC.

c Under Compute Gateway, click IPsec VPNs and then Add VPN.


d Complete the Compute Gateway VPN configuration.

Parameter                 | Description
VPN Name                  | Enter a name for the VPN.
Remote Gateway Public IP  | Enter the public IP address of your on-premises gateway.
Remote Gateway Private IP | If your gateway device is behind NAT, enter the private IP address of your on-premises gateway.
Remote Networks           | Enter the address of your on-premises compute network.
Local Gateway IP          | Displays the IP address of the SDDC compute gateway. This is not an editable field.
Local Network             | Select the logical network to connect to using this VPN. If the logical network uses DHCP and you have configured an on-premises DNS server, also select the cgw-dns-network to allow DNS requests to travel over the VPN.
Encryption                | Select AES-256.
Perfect Forward Secrecy   | Select Enabled.
Diffie Hellman            | Select a Diffie Hellman group. Ensure that you use the same group in your on-premises VPN gateway settings.
Pre-Shared Key            | Enter a pre-shared key. The key is a string with a maximum length of 128 characters that is used by the two ends of the VPN tunnel to authenticate with each other.

e (Optional) Under VPN Peer Configuration, click Download to download a configuration file listing the configuration parameters needed to configure your on-premises gateway.

2 Configure the on-premises side of the tunnel.

a Consult the documentation for your gateway or firewall device to learn how to configure it to match the VPN settings you've configured.

Configuration of the gateway device in your on-premises data center might need to be performed by a member of your networking team.

b If you selected as Local Network a non-default logical network that uses DHCP, configure the on-premises side of the tunnel to connect to local_gateway_ip/32 in addition to the Local Gateway IP address. This allows DNS requests to be routed over the VPN.

When the VPN tunnel is configured, you should be able to verify connectivity in the VMC Console.

Create a VPN Connection Between the Compute Gateway and an Amazon VPC

If you need to connect VMs in your SDDC with resources in an Amazon VPC that isn't connected to your account using a cross-VPC ENI, you can create a VPN connection between your compute gateway and that VPC.

If the Amazon VPC is connected to your VMware Cloud on AWS, you don't need to create this VPN connection to access it.


Prerequisites

To create this VPN connection, you need:

n A working SDDC in VMware Cloud on AWS

n An AWS account

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Click View Details on the SDDC card.

3 Click Network.

4 Note the public IP address of the compute gateway as shown in the network system diagram.

5 Note the CIDR block for the logical network you want to connect to the VPN.

6 In another browser tab, log in to your AWS account.

7 If you don't already have a VPC and subnet you want to use, create them.

a Go to https://console.aws.amazon.com/vpc/ and select Your VPCs.

b Click Create VPC.


c Enter a name and an IPv4 CIDR block for the VPC and click Yes, Create.

d Click Subnets and click Create Subnet.

e Enter a name for the subnet.

f Select the VPC for the subnet and click Yes, Create.

8 Create a Customer Gateway.

a Under VPN Connections, select Customer Gateways.

b Click Create Customer Gateway.

c Enter a name for the gateway.

d For the IP address, enter the IP address of your SDDC compute gateway that you noted in Step 4.

9 Create a Virtual Private Gateway and attach it to your VPC.

a Click Virtual Private Gateways and click Create Virtual Private Gateway.

b Enter a name for the Virtual Private Gateway, and click Yes, Create.

c Make sure that the Virtual Private Gateway is selected and click Attach to VPC.

d Select the VPC to attach the gateway to.


10 Create the VPN tunnel.

Option Description

Name tag Enter a name for the VPN connection.

Virtual Private Gateway Select the Virtual Private Gateway you created in Step 9.

Customer Gateway Select Existing and then select the Customer Gateway you created in Step 8.

Routing Options Select Static.

Static IP Prefixes Enter the CIDR block for the SDDC logical network that you noted in Step 5.

11 Click Yes, Create and then click Download Configuration.

Option Description

Vendor Select Generic.

Platform Select Generic.

Software Select Vendor Agnostic.

12 Open the configuration file and copy the Pre-Shared Key and the Virtual Private Gateway IP address.

13 In the VMC Console, create a VPN connection to the AWS Virtual Private Gateway as described in Create a Compute VPN.

Include the Virtual Private Gateway IP and Pre-Shared Key as indicated in the screenshot below.

14 Verify that the tunnel comes up on the SDDC side by looking for the Connected status.

15 Verify that the tunnel comes up on the AWS side.

a Go to https://console.aws.amazon.com/vpc/ and select VPN Connections.

b Select the VPN.

c Click Tunnel Details and check that the status is UP.

16 Add a route to your SDDC from the AWS console.

a Log in to the AWS console and select VPC.

b Select the route table for your VPC and click the Routes tab.

c Click Edit.

d Click Add another route.

e In the Destination text box, enter the CIDR block range for the logical network in your SDDC.

f In the Target field, select the Virtual Private Gateway you created.


Configure an Extended Network and Layer 2 VPN

A VMware Cloud on AWS extended network uses a layer 2 Virtual Private Network (L2VPN) to extend an on-premises network to one in your cloud SDDC. This extended network is a single subnet with a single broadcast domain, so you can migrate VMs to and from your cloud SDDC without having to change their IP addresses.

In addition to data center migration, you can use an extended L2VPN network for disaster recovery, or for dynamic access to cloud computing resources as needed (often referred to as "cloud bursting").

An L2VPN on the Compute Gateway can extend up to 25 of your on-premises networks. VMware Cloud on AWS uses NSX for vSphere to provide the L2VPN server in your cloud SDDC. L2VPN client functions can be provided by:

n NSX Edge 6.1 or later installed in your on-premises data center.

n A standalone NSX Edge that you download and deploy into your on-premises data center.

The VMware Cloud on AWS L2VPN feature supports extending VLAN and VXLAN networks. The L2VPN connection to the NSX for vSphere server uses SSL (and TCP). The L2VPN extended network is used to extend Virtual Machine networks and carries only workload traffic. It is independent of the VMkernel networks used for migration traffic (ESXi management or vMotion), which use IPsec VPN or Direct Connect connections.

Important You cannot bring up an L2VPN tunnel until you have configured the L2VPN client and server and created an extended network that specifies the tunnel ID you assigned to the client.

Procedure

1 Configure the L2 VPN Server in the SDDC

The Compute Gateway in your cloud SDDC acts as the Layer 2 VPN server. Use the VMC Console to configure the server.

2 Configure and Enable the L2 VPN Client

Configure a Layer 2 VPN client in your on-premises data center.

3 Create an Extended Network in Your SDDC and Bring Up the L2VPN Tunnel

Before you can bring up an L2VPN tunnel, you must create an extended network that uses the tunnel ID you specified when configuring the L2VPN client.

Configure the L2 VPN Server in the SDDC

The Compute Gateway in your cloud SDDC acts as the Layer 2 VPN server. Use the VMC Console to configure the server.

An L2VPN on the Compute Gateway can extend up to 25 of your on-premises networks. Use this procedure to configure the L2 VPN server from the VMC Console.


Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Navigate to the networking tab of your SDDC.

3 Under Compute Gateway, click L2 VPN and then Add VPN.

4 Configure Layer 2 VPN server settings.

Option Description

VPN Name Enter a name for the VPN.

Encryption Select On (AES-128) to use AES128-GCM-SHA256 encryption or select Off (Null) to use NULL_SHA256.

Username Set the username that the L2 VPN client will use to connect to the VPN.

Password Set the password that the L2 VPN client will use to connect to the VPN.

The password must meet the following complexity requirements:

n The length must be a minimum of 12 characters.

n The length must be a maximum of 255 characters.

n The password must contain at least one of each of the following types of characters: upper case letters, lower case letters, numbers, and special characters.

5 Click Save.

It might take some time to save the server configuration.

Configure and Enable the L2 VPN Client

Configure a Layer 2 VPN client in your on-premises data center.

Prerequisites

Ensure that the following requirements are met in your on-premises data center.

n Your on-premises data center must be running vSphere 5.0 or later. vSphere 5.1 or later is recommended.

n The source NSX Edge providing L2VPN client services must be NSX 6.1.1 or later. NSX 6.4.0 is recommended.

Note The L2 VPNs section of Compute Gateway includes an option to download an installation package for a standalone NSX Edge appliance. Click Download under Remote Standalone Edge to open the Download VMware NSX for vSphere Standalone Edge page. Click the Documentation link on that page to access installation and configuration guidance for adding the appliance to your on-premises data center.

n VM networking can be configured to use a vSphere Standard Virtual Switch or Distributed Virtual Switch. A vSphere Distributed Virtual Switch is recommended. If you use vSphere Distributed Virtual Switch, version 6.0.0 or later is required.


n An uplink IP address is required for the NSX Edge instance that serves as the L2 VPN client. This address must be the Compute Gateway public IP. Create a firewall rule to allow HTTPS traffic from this IP address to the cloud SDDC.

Procedure

u In your on-premises data center, configure an NSX Layer 2 VPN client.

If your on-premises environment uses NSX Manager, follow these steps to configure a managed NSX Edge L2VPN client.

a Add a Sub Interface to support the NSX Edge.

b Add a VLAN Trunk to the sub interface.

c Configure the NSX L2VPN Client.

If your on-premises environment does not use NSX Manager, follow these steps to configure a standalone NSX Edge L2VPN client on either a Distributed Virtual Switch (DVS) or Standard Virtual Switch (VSS).

a Configure a vSphere virtual switch for use by the standalone NSX Edge L2VPN client.

The configuration procedure depends on the type of virtual switch associated with the NSX Edge.

Type of Virtual Switch Configuration Procedure

Distributed Virtual Switch (DVS) Configure VLAN Tagging

Standard Virtual Switch (VSS) Add a Virtual Machine Port Group

b Configure a Sink Port

c Configure the NSX L2VPN Client

Create an Extended Network in Your SDDC and Bring Up the L2VPN Tunnel

Before you can bring up an L2VPN tunnel, you must create an extended network that uses the tunnel ID you specified when configuring the L2VPN client.

Extended networks require a layer 2 Virtual Private Network (L2VPN), which provides a secure communications tunnel between an on-premises network and one in your cloud SDDC. Each end of this tunnel has an ID. When the tunnel ID matches on the cloud SDDC and the on-premises side of the tunnel, the two networks become part of the same broadcast domain. Extended networks use an on-premises gateway as the default gateway. Other network services such as DHCP and DNS are also provided on-premises.

You can change a logical network from routed to extended or from extended to routed. For example, you might configure a logical network as extended to allow migration of VMs from your on-premises data center to your cloud SDDC. When the migration is complete, you might then change the network to routed to allow the VMs to use VMware Cloud on AWS networking services.

Procedure

1 Log in to the vSphere Client for your SDDC as a user with cloud administrator privileges.


2 Select Menu > Global Inventory Lists.

3 Select Logical Networks.

4 Click Add.

5 In the Name text field, enter a name for the logical network.

6 Select Extended Network.

7 In the Tunnel ID text box, enter the same tunnel ID that you specified when configuring the L2 VPN client.

What to do next

Verify that the tunnel is up.

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select the SDDC card and click Networking.

3 Under L2 VPN, click the refresh icon next to the VPN tunnel status.

If the tunnel is up, the status icon shows green and the status is listed as Up. Common issues that can prevent the tunnel from coming up include failure of the network connection (incorrect ports or addresses specified) or failure of SSL authentication (certificate validity or excessive time skew between the L2VPN client and server).

View VPN Tunnel Status and Statistics

The VMC Console provides status and statistics for Management Gateway and Compute Gateway IPsec VPNs and for Compute Gateway L2VPNs.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Navigate to the Networking tab of your SDDC.

3 Under Compute Gateway, click either IPsec VPNs or L2 VPNs and then VPN Status Detail.

You can retrieve status and statistics for any tunnel that is up.

Operation Icon

Click the Information icon to display a Status Detail message that provides more information about channel (IKE Phase 1 negotiation) and tunnel status. For a VPN with a Status of Disconnected, the Status Detail tab displays any relevant log messages. You can use these messages in conjunction with the Tunnel Statistics and Error Counts to help understand channel or tunnel failures.

Click the Refresh icon to refresh tunnel statistics. All VPN statistics are reset to 0 when the tunnel is disabled or re-enabled.


What to do next

For more information about troubleshooting VPN connection issues, see Troubleshooting Virtual Private Networks in the NSX for vSphere documentation.

Set Compute Gateway DNS

Set a DNS server to allow the compute gateway and workload VMs to resolve fully-qualified domain names (FQDNs) to IP addresses.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Click View Details on the SDDC card.

3 Click Network.

4 Under Compute Gateway, click DNS.

5 Click Edit and enter the IP addresses for DNS Server 1 and, optionally, DNS Server 2.

Note Both DNS servers must be able to resolve all intended FQDNs. Do not add one public DNS server and one private (on-premises) DNS server. If you do, FQDN resolution becomes unpredictable.

What to do next

If you have configured private DNS servers and you are using a non-default logical network for the compute gateway that uses DHCP, configure your compute gateway VPN to allow DNS requests over the VPN tunnel. Select cgw-dns-network as one of the local networks for the VPN. See Create a Compute VPN.

Request Public IP Address

You can request public IP addresses to assign to workload VMs to allow access to these VMs from the internet. VMware Cloud on AWS will provision the IP address from AWS.

Prerequisites

Before you create a public IP address, you should assign your VM a static IP address from its logical network.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Click View Details on the SDDC card.

3 Click Network.

4 Under Compute Gateway, click Public IPs.

5 Click Request Public IP.


6 Enter any notes that you want to make about the IP address.

7 Click Save.

After a few moments, the Public IP address is provisioned.

What to do next

After the Public IP address is provisioned, you must configure NAT to direct traffic from the public IP address to the internal IP address of a VM in your SDDC. See Configure NAT Settings.

Configure NAT Settings

Inbound Network Address Translation (NAT) allows you to map internet traffic to a public-facing IP address and port to a private IP address and port inside your SDDC's compute network.

When configuring NAT rules, you have the option of configuring either one-to-one NAT or one-to-many NAT. Use one-to-one NAT when you want to map a single public IP address and port to a single internal IP address and port. For example, a public IP of 198.51.100.5 and port 443 is mapped to 172.100.100.20 and port 443. In some cases, you might choose to map a source port to a different destination port. For example, 198.51.100.5 and port 80 might be mapped to 172.100.100.20 and port 8080.

Use one-to-many NAT when a single public IP address and port is mapped to one internal IP address and multiple ports, or to multiple internal IP addresses and ports.
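As an added illustration that is not part of the VMware documentation, the following Python models the compute gateway inbound NAT table described above. It uses the two one-to-one mappings from the text plus a constructed Service = Any rule (198.51.100.6 to 172.100.100.21 is made up), resolves what an inbound packet is forwarded to, and lists the rules that expose an entire VM.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    """One row of the Compute Gateway NAT table (fields mirror the VMC Console)."""
    description: str
    public_ip: str
    protocol: str                 # "any" (all inbound traffic), "tcp", "udp" or "icmp"
    public_port: Optional[int]    # None for "any" and "icmp"
    internal_ip: str
    internal_port: Optional[int]  # None keeps the public port unchanged


def example_rules() -> List[NatRule]:
    """Constructed sample table: the page's two one-to-one mappings plus one
    'Any' rule (the 198.51.100.6 / 172.100.100.21 pair is constructed here)."""
    return [
        NatRule("https one-to-one", "198.51.100.5", "tcp", 443, "172.100.100.20", 443),
        NatRule("http with port change", "198.51.100.5", "tcp", 80, "172.100.100.20", 8080),
        NatRule("whole-VM exposure", "198.51.100.6", "any", None, "172.100.100.21", None),
    ]


def match(rules: List[NatRule], public_ip: str, protocol: str,
          port: Optional[int]) -> List[Tuple[str, Optional[int]]]:
    """Return every (internal_ip, internal_port) an inbound packet is forwarded to.

    An empty list means no rule matches, so the gateway does not translate it.
    All matching rules are returned; rule ordering semantics are not assumed.
    """
    targets: List[Tuple[str, Optional[int]]] = []
    for rule in rules:
        if rule.public_ip != public_ip:
            continue
        if rule.protocol == "any":
            # Service = Any: every protocol and port reaches the VM unchanged.
            targets.append((rule.internal_ip, port))
        elif rule.protocol == protocol and rule.public_port == port:
            dest_port = rule.internal_port if rule.internal_port is not None else port
            targets.append((rule.internal_ip, dest_port))
    return targets


def audit_wide_open(rules: List[NatRule]) -> List[NatRule]:
    """Rules with Service = Any forward all inbound traffic, so every listening
    port on the internal VM becomes reachable from the internet; review these first."""
    return [rule for rule in rules if rule.protocol == "any"]


if __name__ == "__main__":
    table = example_rules()
    print(match(table, "198.51.100.5", "tcp", 80))        # [('172.100.100.20', 8080)]
    print([r.description for r in audit_wide_open(table)])  # ['whole-VM exposure']
```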

Prerequisites

Before you can assign a public IP address to a virtual machine, you must assign the virtual machine to a logical network and give it a static IP address.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Click View Details on the SDDC card.

3 Click Network.

4 Under Compute Gateway, click NAT.

5 Click Add NAT Rule.

6 Enter the NAT parameters.

Option Description

Description Enter a description for the NAT rule.

Public IP Select the Public IP address you have provisioned for the VM.

Service Select one of the following.

n Select Any for a rule that applies to all inbound traffic.

n Select a particular service to create a rule that applies only to traffic using that protocol and port.

n Select Custom TCP, Custom UDP, or ICMP (All ICMP) to create a rule that applies to a service and/or port that is not available in the dropdown menu.


Option Description

Public Ports If you selected a custom TCP or UDP, enter the port to use for that service.

Internal IP Enter the internal (private) IP address to direct the traffic from the public address to.

Internal Ports If you selected a custom TCP or UDP, enter the port to use for that service.

7 Click Save.

Using AWS Direct Connect with VMware Cloud on AWS

AWS Direct Connect is a service provided by AWS that allows you to create a high-speed, low latency connection between your on-premises data center and AWS services.

Direct Connect traffic travels over one or more virtual interfaces that you create in your customer AWS account. There are two types of virtual interfaces, private and public.

Table 3‑6. Characteristics of Private and Public Virtual Interfaces

Interface Type: Private virtual interface
Functionality: Establishes a private connection between your on-premises data center and a single Amazon VPC.
Traffic Types: vMotion and ESXi management traffic only
Use Cases: Speed up cold migration and migration with vMotion between your on-premises data center and your cloud SDDC.

Interface Type: Public virtual interface
Functionality: Establishes a public connection to all AWS public IP addresses in a given region
Traffic Types: Any traffic that travels through the Internet Gateway
Use Cases: Speed up access to AWS public services such as S3 buckets and EC2 public IP addresses. Speed up management and compute gateway IPsec VPN traffic.

You can use either type of interface alone, or use both types at the same time. You can create multiple interfaces of each type to allow for redundancy and greater availability.

Set Up an AWS Direct Connect Connection

To set up an AWS Direct Connect connection, you must place an order through the AWS console.

Refer to Getting Started with AWS Direct Connect for information about how to request an AWS Direct Connect connection.

Prerequisites

Request your Direct Connect access in a region where VMware Cloud on AWS is available.

What to do next

After your AWS Direct Connect connection is established, create a private virtual interface to connect to your VMware Cloud on AWS SDDC.

Create a Private Virtual Interface for vMotion and ESXi Management Traffic

The private virtual interface allows ESXi management traffic and vMotion traffic to flow over the Direct Connect connection between your on-premises environment and your SDDC.

Create one virtual interface for each Direct Connect link you want to make to your SDDC. For example, if you want to create two Direct Connect links for redundancy, create two virtual interfaces.

Direct Connect sessions in the VMC environment use the following default values for the BGP Local ASN: 17493 in the Asia Pacific (Singapore) region, 10124 in the Asia Pacific (Tokyo) region, 9059 in the EU (Ireland) region, and 7224 in other regions.

Prerequisites

n Ensure that you meet the prerequisites for virtual interfaces as described in Prerequisites for Virtual Interfaces.

n Determine the AWS account ID for your VMC AWS account. This is displayed under the Direct Connect section of the Networking tab of your SDDC.

Procedure

1 Log in to the AWS Console.

2 Click Direct Connect and then click Virtual Interfaces.

3 Click Create Virtual Interface.

4 Enter the parameters for the virtual interface.

Option Description

Private Select Private to create a private virtual interface.

Virtual Interface Name Enter a name for the virtual interface.

Virtual Interface Owner Select Another AWS Account.

Account ID Enter the AWS account ID for your VMC AWS account.

5 Complete the other settings as described in Create a Hosted Virtual Interface.

6 Accept the virtual interface in the VMC Console.

Before you accept the virtual interface connection, it is visible to all SDDCs in your environment. After you accept the virtual interface in a particular SDDC, it is available only in that SDDC.

a Log in to the VMC Console and go to the Networking tab of your SDDC.

b Under Direct Connect, select Virtual Interfaces.

c Next to the virtual interface you created, click Attach.

d Select I understand that I will be responsible for data transfer charges incurred for the interface and click Accept Virtual Interface.

It can take up to 10 minutes for the BGP session to become active. When the connection is ready, the State shows as "Attached" and the BGP Status as "Up" in the VMC Console.

7 If you currently have an IPsec VPN configured, update the VPN configuration.

After Direct Connect is enabled, the traffic from the ESXi management subnet and vMotion subnet travels over Direct Connect rather than the IPsec VPN. This leaves only management appliance subnet traffic on the IPsec VPN. VPN settings in the VMC Console are updated automatically. You must reconfigure the on-premises gateway for the IPsec VPN to use the management appliance subnet as the remote network.

a Refresh the VPN settings in the VMC Console.

The management subnet in the network topology diagram updates to show the management appliance subnet address.

The Appliance Subnet value in the network topology diagram shows the address for the management appliance subnet.

b Update the remote network in your on-premises gateway to the value for the management appliance subnet.

After the private virtual interface is attached, any management gateway firewall policies configured for ESXi host traffic are not enforced, because such traffic is routed through the Direct Connect connection.

What to do next

Ensure the vMotion interfaces are configured to use Direct Connect. See Configure vMotion Interfaces for Use with Direct Connect.

Configure vMotion Interfaces for Use with Direct Connect

If you are using a Direct Connect connection between your on-premises data center and your cloud SDDC, you must configure the vMotion interfaces for your on-premises hosts to route vMotion traffic over the Direct Connect connection.

Prerequisites

Configure Direct Connect and create a private virtual interface.


Procedure

1 Select one of the following methods to configure the vMotion interface on each host in your on-premises environment.

Option Description

Override the default gateway (works for vSphere 6.5 hosts only)

For each host, edit the VMkernel adapter used for vMotion traffic, and select the option to override the default gateway. Enter an IP address in your on-premises vMotion subnet that is capable of routing traffic to the on-premises side of the Direct Connect connection. See Edit a VMkernel Adapter Configuration.

Configure the vMotion TCP/IP stack For each host:

a Remove any existing vMotion VMkernel adapters.

b Create a new VMkernel adapter and select the vMotion TCP/IP stack. See Place vMotion Traffic on the vMotion TCP/IP Stack of an ESXi Host.

c Edit the host vMotion TCP/IP stack to change the routing to use an IP address in your on-premises vMotion subnet that is capable of routing traffic to the on-premises side of the Direct Connect connection. See Change the Configuration of a TCP/IP Stack on a Host.

2 (Optional) Test connectivity between an on-premises host and a cloud SDDC host using vmkping.

See https://kb.vmware.com/s/article/1003728 for more information.

Create a Public Virtual Interface for VPN Traffic

You can configure a public virtual interface so that access to AWS public services such as S3 travels over the Direct Connect connection. You can also establish the management and compute gateway VPN tunnels over the Direct Connect public virtual interface.

Create one virtual interface for each Direct Connect link you want to make to your SDDC. For example, if you want to create two Direct Connect links for redundancy, create two virtual interfaces.

Prerequisites

n Ensure that you meet the prerequisites for virtual interfaces as described in Prerequisites for Virtual Interfaces.

Procedure

1 Log in to the AWS Console.

2 Click Direct Connect and then click Virtual Interfaces.

3 Click Create Virtual Interface.

4 Enter the parameters for the virtual interface.

Option Description

Public Select Public to create a public virtual interface.

Virtual Interface Name Enter a name for the virtual interface.

Virtual Interface Owner Select My AWS Account.


5 Enter the rest of the parameters as described in Creating a Virtual Interface.

What to do next

After the public virtual interface is created, configure your management gateway VPN so that the remote gateway IP and remote networks correspond to the device that terminates your Direct Connect connection in your on-premises data center. See VMware Cloud on AWS Networking and Security.

4 About VMware Cloud on AWS Networking with VMware NSX-T

Information in this section explains how to configure networking and security for an SDDC environment based on VMware NSX-T.

This chapter includes the following topics:

n Configure NSX Roles

n Configuring VMware Cloud on AWS Networking Using NSX-T

n Configure Connectivity to the On-Premises Data Center

n Configure Management Gateway Networking

n Configure Compute Gateway and Workload Networking

n Configure Monitoring and Troubleshooting Features

Configure NSX Roles

Grant users in your organization the NSX Admin service role to allow them to view and configure features on the Networking & Security tab.

Prerequisites

You must be an Organization Owner to grant this role.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Click the services icon and select Identity & Access Management.

3 Select a user and click Edit Role.

4 Select the NSX Admin service role for the user.

Configuring VMware Cloud on AWS Networking Using NSX-T

Follow this workflow to configure networking in your SDDC using NSX-T.

1 Configure Connectivity to the On-Premises Data Center


2 Configure Management Gateway Networking

3 Configure Compute Gateway and Workload Networking

4 Configure Monitoring and Troubleshooting Features

Configure Connectivity to the On-Premises Data Center

Start by choosing how to connect your SDDC to your on-premises data center. You can configure a route-based IPsec VPN or a policy-based IPsec VPN. In addition, you can configure AWS Direct Connect for faster communication between your on-prem data center and the cloud SDDC.

You create only one IPsec VPN tunnel between your on-premises environment and cloud data center. This will serve as the VPN connection for both management and compute gateways.

Procedure

u Configure the connection to the on-premises data center.

Option Description

IPsec VPN Choose one of the following:

n To create a route-based VPN, see Create a Route-Based VPN.

n To create a policy-based VPN, see Create a Policy-Based VPN.

Direct Connect To configure AWS Direct Connect, see Using AWS Direct Connect with VMware Cloud on AWS.

Create a Route-Based VPN

Route-based VPN uses the routed tunnel interface as the endpoint of the SDDC network to allow access to multiple subnets within the network.

When traffic passes through the tunnel interface, it is encrypted and decrypted according to the IPsec settings.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > VPN > Route Based.

3 Click Add VPN.

4 Enter a route-based VPN name.

5 Select the local IP address of the IPsec VPN from the drop-down menu.

6 Enter the remote public IP address of your on-premises gateway.

7 (Optional) Enter the remote private IP address if the on-premises gateway is configured behind NAT.

8 Click Set BGP Neighbor > Add Neighbor.

The BGP session uses the local tunnel interface.


9 Enter the BGP neighbor parameters.

Option Description

IP Address Enter the remote IP address.

BGP Neighbor As Enter the AS attribute for BGP to use.

BGP Secret Set a secret password for BGP neighbor authentication.

Local AS Accept the default setting.

The same local AS is used for all the VPN connections. Any changes affect all the VPN connections.

10 Click Apply.

Local and remote networks are discovered using BGP advertisements.

11 Enter the VTI subnet CIDR block.

Choose a network of size /30 from the 169.254.0.0/16 subnet. The second and third IP addresses in this range are configured as the remote and local VTI (VPN Tunnel Interfaces). For example, in the VTI CIDR block 169.254.111.0/30 (address range 169.254.111.0-169.254.111.3), the local (SDDC) interface is 169.254.111.2/30 and the remote (on-prem) interface is 169.254.111.1/30.

Note The following subnets are reserved for internal use, so the VTI CIDR block you choose must not overlap either of them.

n 169.254.0.0-169.254.31.255

n 169.254.101.0-169.254.101.3
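The VTI block rules above (a /30 from 169.254.0.0/16, second address remote, third address local, no overlap with the two reserved ranges) are easy to get wrong by hand. The following added example, which is not part of the VMware documentation, validates a candidate block and derives both tunnel interface addresses; only the standard library is used.

```python
import ipaddress
from typing import Dict, Optional

# The VTI CIDR block must be a /30 taken from the link-local range.
LINK_LOCAL = ipaddress.IPv4Network("169.254.0.0/16")

# Ranges the procedure reserves for internal use; a VTI block must not overlap either.
RESERVED_VTI_RANGES = (
    (ipaddress.IPv4Address("169.254.0.0"), ipaddress.IPv4Address("169.254.31.255")),
    (ipaddress.IPv4Address("169.254.101.0"), ipaddress.IPv4Address("169.254.101.3")),
)


def vti_block_problem(cidr: str) -> Optional[str]:
    """Return a description of why the VTI CIDR block is unusable, or None if it is fine."""
    try:
        # strict=True rejects a block whose host bits are set, e.g. 169.254.111.1/30
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        return f"{cidr}: not a valid network ({exc})"
    if net.prefixlen != 30:
        return f"{cidr}: the VTI block must be a /30, not a /{net.prefixlen}"
    if not net.subnet_of(LINK_LOCAL):
        return f"{cidr}: the VTI block must be taken from {LINK_LOCAL}"
    for first, last in RESERVED_VTI_RANGES:
        # Two address ranges overlap when each one starts no later than the other ends.
        if net[0] <= last and net[-1] >= first:
            return f"{cidr}: overlaps the reserved range {first}-{last}"
    return None


def vti_interfaces(cidr: str) -> Dict[str, str]:
    """Derive the tunnel interface addresses for a valid VTI CIDR block.

    The second address of the /30 is the remote (on-premises) VTI and the third
    is the local (SDDC) VTI, matching the 169.254.111.0/30 example in the procedure.
    """
    problem = vti_block_problem(cidr)
    if problem:
        raise ValueError(problem)
    net = ipaddress.IPv4Network(cidr)
    return {
        "remote": f"{net[1]}/{net.prefixlen}",  # on-premises end of the tunnel
        "local": f"{net[2]}/{net.prefixlen}",   # SDDC end of the tunnel
    }


if __name__ == "__main__":
    # Constructed candidates: the documented example, two blocks inside reserved
    # ranges, the first usable block after the second reserved range, and a non-link-local one.
    for candidate in ("169.254.111.0/30", "169.254.16.0/30", "169.254.101.0/30",
                      "169.254.101.4/30", "10.0.0.0/30"):
        problem = vti_block_problem(candidate)
        print(candidate, "->", problem or vti_interfaces(candidate))
```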

12 Configure the advanced VPN parameters.

Option Description

Tunnel Encryption Accept the AES-256 default cipher setting for securing tunnel traffic.

Tunnel Digest Algorithm Accept the SHA-2 default hashing algorithm setting.

Perfect Forward Secrecy Accept the Enabled default setting.

Preshared Key Enter the preshared key string.

The maximum key length is 128 characters. This key must be identical for both ends of the VPN tunnel.

IKE Encryption Accept the AES-256 default cipher setting for encryption.

IKE Digest Algorithm Accept the SHA-2 default hashing algorithm setting.

IKE Type Accept the IKE V2 default protocol for the routed VPN connection.

Diffie Hellman Select a Diffie Hellman group that your on-premises VPN gateway can also support.

Note This value must be identical for both ends of the VPN tunnel. Higher group numbers offer better protection. The best practice is to select group 14 or higher.

13 Click Save.


Depending on your SDDC environment, the VPN creation process might take a few minutes. When the route-based VPN becomes available, the status changes to Up, and you can take additional actions:

n Click DOWNLOAD CONFIG to download a file that contains VPN configuration details. You can use these details to configure the on-premises end of this VPN.

n Click VIEW STATISTICS to view packet traffic statistics for this VPN.

n Click VIEW ROUTES to open a display of routes advertised and learned by this VPN.

n Click DOWNLOAD ROUTES to download a list of Advertised Routes or Learned Routes in CSV format.

What to do next

Create or update compute gateway firewall rules as needed. To allow traffic through the route-based VPN, specify VPN Tunnel Interface in the Applied to field. The All Uplinks option does not include the routed VPN tunnel.

Create a Policy-Based VPN

Policy-based VPN encrypts and encapsulates traffic flowing through the tunnel interface according to the defined policy settings.

Policy-based VPN allows access to a single subnet of the SDDC network.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > VPN > Policy Based.

3 Click Add VPN.

4 Enter a policy-based VPN name.

5 Select the local IP address of the IPsec VPN.

6 Enter the remote public IP address of your on-premises gateway.

7 (Optional) Enter the remote private IP address if the on-premises gateway is configured behind NAT.

8 Enter the address of your on-premises management network.

9 Enter the CIDR block of the management subnet for the management gateway.

10 Configure the advanced VPN parameters.

Option Description

Tunnel Encryption Accept the AES-256 default cipher setting for securing tunnel traffic.

Tunnel Digest Algorithm Accept the SHA-2 default hashing algorithm setting.

Perfect Forward Secrecy Accept the Enabled default setting.

Preshared Key Enter the preshared key string.

The maximum key length is 128 characters. The two ends of the VPN tunnel use this key to authenticate with each other.


IKE Encryption Accept the AES-256 default cipher setting for encryption.

IKE Digest Algorithm Accept the SHA-2 default hashing algorithm setting.

IKE Type Accept the IKE V2 default protocol for the routed VPN connection.

Diffie Hellman Select a Diffie Hellman group that your on-premises VPN gateway supports.

11 Click Save.

Depending on your SDDC environment, the VPN creation process might take a few minutes. When the policy-based VPN becomes available, the status changes to Up.

Using AWS Direct Connect with VMware Cloud on AWS

AWS Direct Connect is a service provided by AWS that allows you to create a high-speed, low-latency connection between your on-premises data center and AWS services.

Direct Connect traffic travels over one or more virtual interfaces that you create in your customer AWS account. For SDDCs in which networking is supplied by NSX-T, all Direct Connect traffic, including vMotion, management traffic, and compute gateway traffic, uses a private virtual interface. This establishes a private connection between your on-premises data center and a single Amazon VPC.

You can create multiple interfaces to allow for redundancy and greater availability.

Set Up an AWS Direct Connect Connection

To set up an AWS Direct Connect connection, you must place an order through the AWS console.

Refer to Getting Started with AWS Direct Connect for information about how to request an AWS Direct Connect connection.

Prerequisites

Request your Direct Connect access in a region where VMware Cloud on AWS is available.

What to do next

After your AWS Direct Connect connection is established, create a private virtual interface to connect to your VMware Cloud on AWS SDDC.

Create a Private Virtual Interface for vMotion, ESXi Management, Management Appliance, and Workload Traffic

The private virtual interface allows vMotion, ESXi management, management appliance, and workload traffic to flow over the Direct Connect connection between your on-premises environment and your SDDC.

Create one virtual interface for each Direct Connect link you want to make to your SDDC. For example, if you want to create two Direct Connect links for redundancy, create two virtual interfaces.

Each private virtual interface allows you to expose up to 16 logical segments to your on-premises infrastructure.


Prerequisites

n Ensure that you meet the prerequisites for virtual interfaces as described in Prerequisites for Virtual Interfaces.

Procedure

1 Complete the other settings as described in Create a Hosted Virtual Interface.

2 Accept the virtual interface in the VMC Console.

Before you accept the virtual interface connection, it is visible to all SDDCs in your environment. After you accept the virtual interface in a particular SDDC, it is available only in that SDDC.

a Log in to the VMC Console.

b Select Networking & Security > System > Direct Connect.

c (Optional) Edit the default BGP Local ASN.

Direct Connect sessions in the VMC environment use the following default values for the BGP Local ASN: 17493 in the Asia Pacific (Singapore) region, 10124 in the Asia Pacific (Tokyo) region, 9059 in the EU (Ireland) region, and 7224 in other regions.

You can accept the default value, use the value of an ASN that you own, or pick a private ASN value in the range 64512 - 65534.

Important If you are creating a new VIF and choose a private BGP local ASN, you cannot change the virtual interface later to use a public ASN. If you want to change an existing public ASN to a private ASN, you must first open the Network and Security tab and delete any AWS VIF that uses the existing public ASN.

d Next to the virtual interface you created, click Attach.

e Select I understand that I will be responsible for data transfer charges incurred for the interface and click Accept Virtual Interface.

It can take up to 10 minutes for the BGP session to become active. When the connection is ready, the State shows as "Attached" and the BGP Status as "Up" in the VMC Console.

f Depending on your on-premises environment, the following BGP routes might appear.

n Advertised BGP Routes: List of BGP routes advertised over Direct Connect from the SDDC to the on-premises environment.

n Learned BGP Routes: List of BGP routes learned over Direct Connect from the on-premises environment by the SDDC.

What to do next

Ensure the vMotion interfaces are configured to use Direct Connect. See Configure vMotion Interfaces for Use with Direct Connect.


Configure vMotion Interfaces for Use with Direct Connect

If you are using a Direct Connect connection between your on-premises data center and your cloud SDDC, you must configure the vMotion interfaces for your on-premises hosts to route vMotion traffic over the Direct Connect connection.

Prerequisites

Configure Direct Connect and create a private virtual interface.

Procedure

1 Select one of the following methods to configure the vMotion interface on each host in your on-premises environment.

Option Description

Override the default gateway (works for vSphere 6.5 hosts only)

For each host, edit the VMkernel adapter used for vMotion traffic, and select the option to override the default gateway. Enter an IP address in your on-premises vMotion subnet that is capable of routing traffic to the on-premises side of the Direct Connect connection. See Edit a VMkernel Adapter Configuration.

Configure the vMotion TCP/IP stack For each host:

a Remove any existing vMotion VMkernel adapters.

b Create a new VMkernel adapter and select the vMotion TCP/IP stack. See Place vMotion Traffic on the vMotion TCP/IP Stack of an ESXi Host.

c Edit the host vMotion TCP/IP stack to change the routing to use an IP address in your on-premises vMotion subnet that is capable of routing traffic to the on-premises side of the Direct Connect connection. See Change the Configuration of a TCP/IP Stack on a Host.

2 (Optional) Test connectivity between an on-premises host and a cloud SDDC host using vmkping.

See https://kb.vmware.com/s/article/1003728 for more information.

Configure Management Gateway Networking

To complete configuration of management gateway networking, create management groups and firewall rules and configure DNS.

Procedure

1 Create management groups: Add a Management Group.

Management groups are used in configuring management gateway firewall policies. There are default management groups created for management components in your SDDC, but you should create management groups for your on-premises management components.

2 Configure NSX Edge Management Gateway Firewall Rules: Set NSX Edge Management Gateway Firewall Rules.

In order to access vCenter Server, you must set a firewall rule to allow traffic to the vCenter Server.

3 Configure management gateway DNS: Set a Management DNS.


4 Set vCenter Server FQDN resolution: Set vCenter Server FQDN Resolution.

Add a Management Group

Management groups contain managed infrastructure components and on-premises infrastructure components.

The infrastructure components that can be used in the management gateway firewall policies have management groups created for them.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > Groups > Management Groups.

3 Click Add Group.

4 Enter a management group name.

The only member type allowed is IP address.

5 Enter one or more IP addresses or subnets for the management group members.

6 Click Save.

Set NSX Edge Management Gateway Firewall Rules

By default, the firewall for the management gateway is set to deny all inbound and outbound traffic. Add additional firewall rules to allow traffic as needed.

Prerequisites

Verify that management groups and services are configured. See Add a Management Group.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > Edge Firewall > Management Gateway.

3 Click Add New Rule.


4 Enter the management gateway rule parameters.

The management gateway controls management traffic that flows in and out of the SDDC.

Option Description

Rule Name Enter a descriptive name for the rule.

Source Click Set Source and enter or select one of the following options:

Select Any to allow traffic from any source address or address range.

Select System Defined Groups and select one of the following source options:

n ESXi to allow traffic from your SDDC's ESXi management.

n NSX Manager to allow traffic from your SDDC's NSX-T.

n vCenter to allow traffic from your SDDC's vCenter Server.

Select User Defined Groups and assign a security group, for example a security group that contains the ESXi hosts in the on-premises data center.

Destination Click Set Destination and enter or select one of the following options:

Select Any to allow traffic to any destination address or address range.

Select System Defined Groups and select one of the following destination options:

n ESXi to allow traffic to your SDDC's ESXi management.

n NSX Manager to allow traffic to your SDDC's NSX-T.

n vCenter to allow traffic to your SDDC's vCenter Server.

Service Select one of the following to apply the rule to:

n Provisioning (TCP 902) applies only to ESXi Management Only as a destination.

n Remote Console (TCP 903) applies only to ESXi Management Only as a destination.

n vMotion (TCP 8000)

n HTTPS (TCP 443) applies only to vCenter Server as a destination.

n ICMP (All ICMP)

n SSO (TCP 7444) applies only to vCenter Server as a destination.

Action The only action available for management gateway firewall rules is Allow.

Logging Enable or disable packet logging for this firewall rule. If enabled, the packet logs are forwarded to the Log Intelligence service. To access the logs, visit the Log Intelligence service console.

For example, you can create a management gateway rule with source ESXi and destination on-premises ESXi hosts. Create another management gateway rule with source on-premises ESXi hosts and destination ESXi with the vMotion service.

With these two rules in place, vMotion traffic can flow from the on-premises ESXi hosts to the ESXi hosts in the SDDC.

5 Select a management gateway rule and click the ellipsis button to add a rule above or below.

Firewall rules are applied in order from top to bottom.

6 Click Publish.


Set a Management DNS

Set a DNS server to allow the management gateway, ESXi hosts, and management VMs to resolve fully-qualified domain names (FQDNs) to IP addresses on the management network.

Unless you intend to use only static routing, the management network requires a DNS service that can resolve IP addresses on both sides of the management gateway to VM FQDNs. Specify the IP address of at least one DNS server when you configure the management gateway. If you specify an optional backup DNS server, be sure that both servers are configured identically.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > DNS.

3 Under Management Gateway, click the ellipses button.

4 Click Edit and enter the IP addresses for DNS Server 1 and, optionally, DNS Server 2.

If you specify an optional backup DNS server, be sure that both servers are configured identically.

5 Click Save.

Set vCenter Server FQDN Resolution

You can change how the Management Gateway performs FQDN resolution. You can use a private IP, resolvable from the VPN you set up, or use a public IP from the Internet.

Prerequisites

Set up your IPsec VPN connection. See Create a Route-Based VPN or Create a Policy-Based VPN.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Navigate to the Settings tab of your SDDC.

3 Expand vCenter FQDN, and click Edit.

4 Select either the public or private resolution address and click Save.

Configure Compute Gateway and Workload Networking

Complete the configuration of the compute gateway networking by creating logical segments for VM networking, configuring security groups and setting compute gateway firewall rules, and setting DNS. You can also request public IP addresses for VMs, configure NAT, configure an extended network and layer 2 VPN, and set distributed gateway firewall rules.


Procedure

1 Create a logical segment: Create a Logical Network Segment.

Your SDDC starts with a default logical segment, but you can create additional segments for VM networking.

2 Consider the security groups you want to create. See Add a Security Group.

You can use security groups to set firewall rules for the compute gateway. See Set NSX Edge Compute Gateway Firewall Rules.

3 Set compute gateway DNS: Set a Compute Gateway DNS.

4 (Optional) Request a public IP address for a VM: Request a Public IP Address.

5 (Optional) Configure NAT settings: Configure NAT Settings.

6 (Optional) Configure an extended network and layer 2 VPN: Create a Layer 2 VPN.

7 (Optional) Set distributed gateway firewall rules: Set Distributed Firewall Rules.

Create a Logical Network Segment

Logical networks provide network access to workload VMs.

VMware Cloud on AWS supports two types of logical network segments, routed and extended.

Routed networks are the default type. Routed networks have connectivity to other logical networks in the same SDDC and to external network services such as the SDDC firewall and NAT. Extended networks require a layer 2 Virtual Private Network (L2VPN), which provides a secure communications tunnel between an on-premises network and one in your cloud SDDC.

Your SDDC starts with a single default logical network, sddc-cgw-network-1. You can use the VMC Console to create additional logical networks or delete a logical network that is no longer in use.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > Segments > Add Segments.

3 Enter a logical network segment name.


4 Select a routed or extended logical network segment type from the drop-down menu.

Option Description

Routed Network Used for communication over an IPsec VPN or the internet. Set the following options:

a In the Gateway/Prefix Length text field, enter the gateway IP address of the logical network and the prefix length of the network in CIDR format.

You can use any prefix length for your logical network. You cannot connect more than 1000 VMs to the logical network.

b (Optional) Select Enabled to enable DHCP.

If you enable DHCP on a logical network and you have configured an on-premises DNS server, you must edit your compute gateway VPN to enable DNS queries to be correctly forwarded over the VPN.

c Enter the DHCP IP range.

d If you enabled DHCP, enter the domain name to use with VMs attached to this logical network in the DNS Suffix text box.

Extended Network If you have already created an L2VPN, see Create an Extended Network in Your SDDC and Bring Up the L2VPN Tunnel. If not, start at Configure an Extended Network and Layer 2 VPN.

When the Layer 2 VPN is configured, the tunnel ID identifies the interface that connects the compute gateway to the extended on-premises network. You can specify up to 25 extended networks.

5 Click Save.

What to do next

Set up an IPFIX collector session. See Configure IPFIX.

Configuring the NSX Edge Firewall

Complete the NSX Edge firewall configuration by configuring security groups, setting compute gateway firewall rules, and setting distributed gateway firewall rules.

Add a Security Group

A security group categorizes VMs based on VM names, IP addresses, or matching criteria of VM name and security tag.

Based on the matching criteria, you can apply a configuration to all the VMs in the security group instead of applying the configuration to the VMs in the SDDC environment individually.

You can use security groups when you configure Edge or distributed firewalls.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > Groups > Workload Groups.

3 Click Add Group.


4 Enter a security group name.

5 Select the security group membership from the drop-down menu.

The choices are Virtual Machine, IP address, or Membership Criteria.

6 Enter a definition for your group.

Option Description

Virtual Machine Describe the VM classification tag, such as web_vm.

IP address Enter the IP addresses of the VMs in the group.

Membership Criteria Assign membership criteria, such as virtual machine name or tag, to classify VMs.

For example, web_vm or collector VM.

7 Click Save.

8 Select the newly created group and click the ellipsis button.

Option Description

View Members View the respective members of the security group.

View References View what firewall rules the security group is being used in.

Add a Custom Service

Predefined and custom services can be used when you set the Edge and distributed firewall rules.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > Services.

The predefined services appear.

3 Click Add New Service and type the service name.

4 Select Set Service Entries > Add New Service Entry.

5 Select the service type from the drop-down menu.

6 Assign additional properties of the custom service.

7 Click Save.

Set NSX Edge Compute Gateway Firewall Rules

By default, the firewall for the compute gateway denies traffic on all uplink interfaces, which include the internet, Amazon Direct Connect, Amazon VPC, and VPN tunnel interfaces. Add additional firewall rules to allow workload traffic as needed.

Prerequisites

Verify that multiple security groups and services are configured. See Add a Security Group.


Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > Edge Firewall > Compute Gateway.

3 Click Add New Rule.

4 Enter the compute gateway rule parameters.

Option Description

Rule Name Give the rule a descriptive name.

Source Click Set Source and select an existing security group for the source network traffic.

Destination Click Set Destination and select an existing security group for the destination network traffic.

Service Select one of the following:

n Select Any to create a rule that applies to all traffic, regardless of protocol or port used.

n Select a specific service to create a rule that applies to that protocol and port.

Action Select Allow or Deny.

Applied To Select one of the following:

n Select VPN Tunnel Interface if you want the rule to apply to traffic through the compute gateway VPN.

n Select VPC Interface if you want the rule to apply to traffic to the connected Amazon VPC.

n Select Internet Interface if you want the rule to apply to traffic to the internet.

n Select Direct Connect Interface if you want the rule to apply to traffic over AWS Direct Connect.

n Select All Uplinks if you want the rule to apply to the internet, VPC, and Direct Connect interfaces. All Uplinks does not include the routed VPN tunnel interface.

Logging Enable or disable packet logging for this firewall rule. If enabled, the packet logs are forwarded to the Log Intelligence service. To access the logs, visit the Log Intelligence service console.

5 Select a compute gateway rule and click the ellipsis button to add a rule above or below.

Firewall rules are applied in order from top to bottom.

6 Click Publish.
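The two properties that most often surprise people here are the default Deny on every uplink and the fact that All Uplinks does not cover the routed VPN tunnel interface. The following added example (not VMware code; the ruleset, groups and addresses are constructed) models first-match, top-to-bottom evaluation with those semantics so the effect of an Applied To choice can be checked before a rule is published.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Uplink interfaces offered in the Applied To list of the compute gateway firewall.
VPN_TUNNEL = "VPN Tunnel Interface"
VPC = "VPC Interface"
INTERNET = "Internet Interface"
DIRECT_CONNECT = "Direct Connect Interface"
# "All Uplinks" does not include the routed VPN tunnel interface.
ALL_UPLINKS = frozenset({VPC, INTERNET, DIRECT_CONNECT})

ANY = "Any"  # sentinel for a Source, Destination or Service set to Any


@dataclass(frozen=True)
class Rule:
    name: str
    source: object        # ANY, or a tuple of IPv4Network (the security group's members)
    destination: object
    service: str          # ANY, or a service name such as "HTTPS"
    action: str           # "Allow" or "Deny"
    applied_to: frozenset # interfaces the rule is applied to


def group(*cidrs: str) -> Tuple[ipaddress.IPv4Network, ...]:
    """Build an IP-address based security group from CIDR strings (constructed helper)."""
    return tuple(ipaddress.IPv4Network(c) for c in cidrs)


def _in_group(members: object, ip: str) -> bool:
    if members == ANY:
        return True
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in members)


def evaluate(rules: Iterable[Rule], src: str, dst: str, service: str,
             interface: str) -> Tuple[Optional[str], str]:
    """Evaluate one flow: first matching rule from the top wins, default Deny.

    Returns (name of the matching rule or None, action applied).
    """
    for rule in rules:
        if interface not in rule.applied_to:
            continue  # the rule is not applied to the uplink this flow arrived on
        if rule.service != ANY and rule.service != service:
            continue
        if _in_group(rule.source, src) and _in_group(rule.destination, dst):
            return rule.name, rule.action
    return None, "Deny"  # default policy on every uplink interface


# Constructed ruleset: a web tier reachable over HTTPS from anywhere, and an
# on-premises management range allowed to reach it over SSH only via the VPN tunnel.
WEB_TIER = group("10.10.20.0/24")
ONPREM_MGMT = group("192.168.50.0/24")

RULES = [
    Rule("web-https-in", ANY, WEB_TIER, "HTTPS", "Allow", ALL_UPLINKS),
    Rule("onprem-ssh-over-vpn", ONPREM_MGMT, WEB_TIER, "SSH", "Allow",
         frozenset({VPN_TUNNEL})),
]

if __name__ == "__main__":
    # HTTPS from the internet is allowed, but the same HTTPS flow arriving through
    # the routed VPN tunnel is dropped: "All Uplinks" never matches that interface.
    print(evaluate(RULES, "203.0.113.9", "10.10.20.5", "HTTPS", INTERNET))
    print(evaluate(RULES, "192.168.50.7", "10.10.20.5", "HTTPS", VPN_TUNNEL))
    print(evaluate(RULES, "192.168.50.7", "10.10.20.5", "SSH", VPN_TUNNEL))
```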

Set a Compute Gateway DNS

Set a DNS server to allow the compute gateway and workload VMs to resolve fully-qualified domain names (FQDNs) to IP addresses.

You can configure up to five DNS zones for the Compute Gateway DNS.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > DNS.


3 Click Add DNS Zone.

4 Enter a DNS rule name for the compute gateway.

5 Enter the FQDN name.

6 Enter the IP addresses for DNS Server 1 and, optionally, DNS Server 2.

Note Both DNS servers must be able to resolve all intended FQDNs. Do not add a public DNS server and a private (on-premises) DNS server. If you do, FQDN resolution might become unpredictable.

7 Click Save.

Request a Public IP Address

You can request public IP addresses to assign to workload VMs to allow access to these VMs from the internet. VMware Cloud on AWS provisions the IP address from AWS.

As a best practice, release the public IP addresses that are not in use.

Prerequisites

Verify that your VM has a static IP address assigned from its logical network.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > Public IPs.

3 Click Request Public IP.

4 Enter applicable notes about the IP address.

5 Click Save.

After a few moments, the Public IP address is provisioned.

What to do next

After the public IP address is provisioned, configure NAT to direct traffic from the public IP address to the internal IP address of a VM in your SDDC. See Configure NAT Settings.

Configure NAT Settings

Inbound Network Address Translation (NAT) allows you to map internet traffic arriving at a public-facing IP address and port to a private IP address and port inside your SDDC's compute network.

When configuring NAT rules, you can configure either one-to-one NAT or one-to-many NAT. Use one-to-one NAT when you want to map a single public IP address and port to a single internal IP address and port.

For example, a public IP of 198.51.100.5 and port 443 is mapped to 172.100.100.20 and port 443. In some cases, you might choose to map a source port to a different destination port. For example, 198.51.100.5 and port 80 might be mapped to 172.100.100.20 and port 8080.


Use one-to-many NAT when a single public IP address and port is mapped to one internal IP address and multiple ports, or to multiple internal IP addresses and ports.

Prerequisites

Before you can assign a public IP address to a virtual machine, you must assign the virtual machine to a logical network and give it a static IP address. See Request a Public IP Address.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > NAT.

3 Enter the NAT parameter details.

Option Description

Name Enter a NAT rule name.

Public IP Provisioned public IP address for the VM is populated.

Service Select one of the following.

n Select Any Traffic for a rule that applies to all inbound traffic.

n Select a particular service to create a rule that applies only to traffic using that protocol and port.

Public Ports If you selected Any Traffic, the default public port is Any.

If you selected a particular service, then the designated public port for that service appears.

Internal IP Enter the internal (private) IP address to direct the traffic from the public address to.

Internal Ports If you selected Any Traffic, the default internal port is Any. If you selected a particular service, then the designated internal port for that service appears.

4 Click Save.

Configure a Layer 2 VPN and Extended Network

A VMware Cloud on AWS extended network uses a layer 2 Virtual Private Network (L2VPN) to extend an on-premises network; multiple VLAN-based networks can be extended with different tunnel IDs on the same L2VPN tunnel. An extended network is a single subnet with a single broadcast domain, so you can migrate VMs to and from your cloud SDDC without having to change their IP addresses.

In addition to data center migration, you can use an extended L2VPN network for disaster recovery, or for dynamic access to cloud computing resources as needed (often referred to as "cloud bursting").

An L2VPN on the Compute Gateway can extend up to 25 of your on-premises networks. VMware Cloud on AWS uses NSX-T to provide the L2VPN server in your cloud SDDC. L2VPN client functions can be provided by a standalone NSX Edge that you download and deploy into your on-premises data center.


The VMware Cloud on AWS L2VPN feature supports extending VLAN networks. The L2VPN connection to the NSX-T server uses an IPsec tunnel. The L2VPN extended network is used to extend Virtual Machine networks and carries only workload traffic. It is independent of the VMkernel networks used for migration traffic (ESXi management or vMotion), which use either a separate IPsec VPN or a Direct Connect connection.

Important You cannot bring up an L2VPN tunnel until you have configured the L2VPN client and server and created an extended network that specifies the tunnel ID you assigned to the client.

Create a Layer 2 VPN

Configure Layer 2 VPN to allow VMs in your SDDC to communicate securely with VMs in an on-premises data center or within an Amazon VPC.

Layer 2 VPN supports only one tunnel interface.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > VPN > Layer 2.

3 Click Add VPN Tunnel.

4 Configure the VPN parameters.

Option Description

Local IP Address Enter the AWS public IP address assigned to VMC.

Remote Public IP Enter the remote public IP address of your on-premises IPsec gateway.

Remote Private IP Enter the remote private IP address if the on-premises gateway is configured behind NAT.

5 Click Save.

Depending on your SDDC environment, the Layer 2 VPN creation process might take a few minutes. When the Layer 2 VPN tunnel becomes available, the status changes to Up.

Configure Layer 2 VPN Extended Segment

Extended networks require a layer 2 Virtual Private Network (L2VPN), which provides a secure communications tunnel between an on-premises network and one in your cloud SDDC.

Each end of this tunnel has an ID. When the tunnel ID matches on the cloud SDDC and the on-premises side of the tunnel, the two networks become part of the same broadcast domain. Extended networks use an on-premises gateway as the default gateway. Other network services such as DHCP and DNS are also provided on-premises.

You can change a logical network from routed to extended or from extended to routed. For example, you might configure a logical network as extended to allow migration of VMs from your on-premises data center to your cloud SDDC. When the migration is complete, you might then change the network to routed to allow the VMs to use VMware Cloud on AWS networking services.


Prerequisites

Verify that Layer 2 VPN is available. See Create a Layer 2 VPN.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > VPN > Layer 2.

3 Click Add Extended Segment.

4 Enter the extended segment name.

5 Enter the L2VPN tunnel ID.

6 Click Save.

7 Click Download Config and download the peer code of the remote side VPN configuration.

The remote-side VPN configuration code includes the GRE tunnel and IPsec tunnel information.

Peer code sample:

[{"peer_code":"MCxiYzQ5MWUwLHsic2l0ZU5hbWUiOiJwb2xpY3ktc2Vzc2lvbi1QUk9WSURFUi52bWMuZmRiMmRlODAtODlhNC0xMWU4LTk2MDMtZDkyZDAxNjYyYzkwIiwic3JjVGFwSXAiOiIxNjkuMjU0LjY0LjIiLCJkc3RUYXBJcCI6IjE2OS4yNTQuNjQuMSIsImlrZU9wdGlvbiI6ImlrZXYyIiwiZW5jYXBQcm90byI6ImdyZS9pcHNlYyIsImRoR3JvdXAiOiJkaDE0IiwiZW5jcnlwdEFuZERpZ2VzdCI6ImFlcy1nY20vc2hhLTI1NiIsInBzayI6Ik5vbmUiLCJ0dW5uZWxzIjpbeyJsb2NhbElkIjoiMTAuMTQ2Ljk3LjI2IiwicGVlcklkIjoiNTQuMjAxLjIyNC4yMzYifV19","transport_tunnel_path":"/infra/providers/vmc/l3vpns/fdb2de80-89a4-11e8-9603-d92d01662c90"}]
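The peer code is base64 text wrapping the tunnel parameters (the sample above decodes to an IKEv2, GRE-over-IPsec session with DH group 14, AES-GCM/SHA-256 and a psk field), so it is worth reading before it is pasted into an appliance. As an added example, not VMware tooling, this Python inspector decodes a downloaded config, checks the parameters against a constructed minimum policy, and flags whether a pre-shared key is embedded; the file layout is assumed from the sample above and the site, addresses and path it builds are constructed.

```python
import base64
import json

# Assumed layout, following the page's sample: a JSON list of objects holding
# "peer_code" and "transport_tunnel_path"; the peer code is base64 text of
# "<field>,<field>,{json}". The two prefix fields are not documented here.
REQUIRED_IKE = "ikev2"                                  # policy values are
ACCEPTED_DH = {"dh14", "dh15", "dh16", "dh19", "dh20"}  # constructed for
ACCEPTED_CIPHERS = {"aes-gcm/sha-256"}                  # this example


def decode_peer_code(peer_code):
    """Return (prefix_fields, tunnel_parameters) from one base64 peer code."""
    raw = base64.b64decode(peer_code).decode("ascii")
    first, second, body = raw.split(",", 2)  # two prefix fields, then JSON
    return (first, second), json.loads(body)


def inspect_config(download_text):
    """Summarise each peer code and list its deviations from the policy above."""
    findings = []
    for entry in json.loads(download_text):
        prefix, p = decode_peer_code(entry["peer_code"])
        problems = []
        if p.get("ikeOption") != REQUIRED_IKE:
            problems.append("ike %r is not %s" % (p.get("ikeOption"), REQUIRED_IKE))
        if p.get("dhGroup") not in ACCEPTED_DH:
            problems.append("dh group %r below policy" % p.get("dhGroup"))
        if p.get("encryptAndDigest") not in ACCEPTED_CIPHERS:
            problems.append("cipher %r not allowed" % p.get("encryptAndDigest"))
        findings.append({
            "site": p.get("siteName"),
            "tunnel_path": entry.get("transport_tunnel_path"),
            "prefix": prefix,
            "peers": [(t.get("localId"), t.get("peerId")) for t in p.get("tunnels", [])],
            # A pre-shared key, when present, is the tunnel credential, so the
            # whole file must be handled as a secret (no tickets, no e-mail).
            "contains_psk": p.get("psk") not in (None, "", "None"),
            "problems": problems,
        })
    return findings


def make_sample(**overrides):
    """Build a constructed download file in the page's format (not a real SDDC)."""
    params = {
        "siteName": "policy-session-PROVIDER.vmc.EXAMPLE-ID",
        "srcTapIp": "169.254.64.2", "dstTapIp": "169.254.64.1",
        "ikeOption": "ikev2", "encapProto": "gre/ipsec", "dhGroup": "dh14",
        "encryptAndDigest": "aes-gcm/sha-256", "psk": "None",
        "tunnels": [{"localId": "10.0.0.26", "peerId": "203.0.113.10"}],
    }
    params.update(overrides)
    code = base64.b64encode(("0,deadbeef," + json.dumps(params)).encode()).decode()
    return json.dumps([{"peer_code": code,
                        "transport_tunnel_path": "/infra/providers/vmc/l3vpns/EXAMPLE-ID"}])
```

Running `inspect_config` on a real download reports the same fields for each peer code, and a non-empty `problems` list means the tunnel should not be brought up as configured.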

Configure the On-Premises Data Center for L2VPN

For L2VPN to work properly, you must configure your on-premises data center.

Follow the instructions in the referenced topics and apply the customization detailed in each step.

Procedure

1 Create a vSphere distributed switch.

2 Add multiple hosts to the newly created vSphere distributed switch.


3 Add a distributed trunk port group.

Set the mentioned customization on the Configure Settings and Security pages. For all the other steps, follow the instructions in the referenced topic.

Page Configuration Details

Configure Settings

n Select VLAN from the drop-down menu.

n Select the Customize default policies configuration option.

Security

n Set the Promiscuous mode to Reject from the drop-down menu.

n Set the MAC address changes to Reject from the drop-down menu.

n Set the Forged transmits to Accept from the drop-down menu.

4 Add a distributed uplink port group.

Set the mentioned customization on the Configure Settings and Security pages. For all the other steps, follow the instructions in the referenced topic.

Page Configuration Details

Configure Settings

n Select VLAN trunking from the drop-down menu.

n Set the VLAN trunk range value to the VLAN IDs that are going to be used for deploying the standalone NSX Edge.

n Select the Customize default policies configuration option.

Security

n Set the Promiscuous mode to Reject from the drop-down menu.

n Set the MAC address changes to Reject from the drop-down menu.

n Set the Forged transmits to Accept from the drop-down menu.

5 Download a standalone NSX Edge client OVF template.

a Go to the VMware NSX for vSphere product download page.

b Unzip the NSX-l2t-client-xxx.ovf file.

c Save the NSX Edge client and VMDK files.


6 Deploy an OVF template.

Set the mentioned customization on the Select networks and Customize template pages. For all the other steps, follow the instructions in the referenced topics.

Page Configuration Details

Select networks

n Connect the Trunk network to the newly created uplink port group.

n Connect the Public network to the newly created trunk port group.

n Accept the default HA interface setting.

(Optional) Enable HA interface to deploy the standalone NSX Edge in HA mode. Deploy two NSX Edges.

Customize template

n Add the peer address and peer code from the VMware Cloud on AWS download config file.

n Enter the VLAN ID of the VLAN port group to be extended, with the tunnel ID that it is to be mapped to.

The tunnel ID should be enclosed in brackets and match what is configured on the L2VPN server. Use tunnel ID 10, which is the same as the tunnel ID provided in the Extended Logical Network in VMware Cloud on AWS. For example, if the VLAN trunk range value is set to 100 when creating the distributed uplink port group, then the Sub Interfaces value is 100(10).

n Assign a static IP address.

The DHCP option is not supported.

n Assign the unused IP address as the NSX Edge IP address, subnet, and gateway for internet access.

n Enter the admin and root passwords for your appliance.

n Select the Power on after deployment option so that the standalone NSX Edge powers on and connects to the L2VPN using IPsec.

Set Distributed Firewall Rules

The distributed firewall rules are implemented to secure workload groups in the SDDC environment. A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined firewall rules.

The source of the rule is a single or multiple workload groups. The source matches the default any if not defined. The destination of the rule is a single or multiple workloads. The destination matches the default any if not defined.

Note For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the rules table, beginning at the top and proceeding to the rules at the bottom. In some cases, the order of precedence of two or more rules might be important in determining the disposition of a packet.

The default firewall rules apply to traffic that does not match any of the user-defined firewall rules. The default firewall rules allow all L3 and L2 traffic to pass through all prepared clusters in your infrastructure. The default Layer 3 firewall rule applies to all traffic, including DHCP. If you change the Action to Drop or Reject, DHCP traffic is blocked. You must create a rule to allow DHCP traffic.
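As an added example (not VMware code) of the top-down, first-match evaluation described above, this Python model walks a constructed rules table laid out with the five section types used later in this topic and shows the DHCP failure mode: once the default Layer 3 rule is set to Drop, DHCP passes only if an explicit Allow sits in an earlier section. It also returns what the sender observes for Allow, Drop and Reject. Group names, services and ports are constructed.

```python
from dataclasses import dataclass

ANY = "any"
DHCP = (("udp", 67), ("udp", 68))  # constructed service for DHCP server/client

@dataclass
class Rule:
    name: str
    action: str                   # "Allow", "Drop" or "Reject"
    sources: tuple = (ANY,)       # workload group names, or ANY
    destinations: tuple = (ANY,)
    services: tuple = (ANY,)      # (protocol, port) pairs, or ANY

@dataclass
class Packet:
    src_group: str
    dst_group: str
    proto: str
    dport: int

def first_match(sections, pkt):
    """Walk the table top to bottom and return (section name, rule) for the
    first rule whose source, destination and service all match pkt."""
    for section, rules in sections:
        for r in rules:
            if ((ANY in r.sources or pkt.src_group in r.sources)
                    and (ANY in r.destinations or pkt.dst_group in r.destinations)
                    and (ANY in r.services or (pkt.proto, pkt.dport) in r.services)):
                return section, r
    return None

def disposition(sections, pkt):
    """What the sender sees: 'pass', 'silent-drop' (it keeps retrying until its
    own threshold), or the Reject notification the page describes."""
    _, r = first_match(sections, pkt)
    if r.action == "Allow":
        return "pass"
    if r.action == "Drop":
        return "silent-drop"
    return "tcp-rst" if pkt.proto == "tcp" else "icmp-admin-prohibited"

def build_table(default_action, allow_dhcp):
    """Constructed rules table in section order; the default rule is always last."""
    infra = [Rule("allow-dhcp", "Allow", services=DHCP)] if allow_dhcp else []
    return [
        ("Emergency Rules", []),
        ("Infrastructure Rules", infra),
        ("Environment Rules", [Rule("prod-to-test", "Reject", ("prod",), ("test",))]),
        ("Application Rules", [Rule("web-to-app", "Allow", ("web",), ("app",), (("tcp", 8443),))]),
        ("Default Rules", [Rule("default-layer3", default_action)]),
    ]
```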


Prerequisites

Verify that multiple security groups and services are configured. See Add a Security Group and Add a Custom Service.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > Distributed Firewall.

3 Select a rule from the right-hand column and click Add New Section.

4 Enter a rule section name.

Option Description

Emergency Rules Applies to temporary rules needed in emergency situations.

For example, block traffic to a Web server due to malicious content.

Infrastructure Rules Applies to infrastructure rules only.

For example, ESXi, vCenter Server, or connectivity to the on-premises data center.

Environment Rules Applies to broad groups.

For example, setting rules so that the production environment cannot reach the test environment.

Application Rules Applies to specific application rules.

Default Rules The default rules allow all traffic.

5 Click Publish.

6 Select the newly created section and click Add New Rule.

7 Enter a rule name.

8 Select an existing source workload group.

9 Select an existing destination group.

10 Assign one or more predefined services or the default Any service to the rule.


11 Select one of the actions from the drop-down menu.

Option Description

Allow Allows all L3 or L2 traffic with the specified source, destination, and protocol to pass through the current firewall context.

Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.

Drop Drops packets with the specified source, destination, and protocol.

Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.

Reject Rejects packets with the specified source, destination, and protocol.

Rejecting a packet is a more graceful way to deny a packet, as it sends a destination unreachable message to the sender. If the protocol is TCP, a TCP RST message is sent. ICMP messages with administratively prohibited code are sent for UDP, ICMP, and other IP connections. One benefit of using Reject is that the sending application is notified after only one attempt that the connection cannot be established.

12 Select Logging to enable packet logging for this firewall rule.

If enabled, the packet logs are forwarded to the Log Intelligence service. To access the logs, visit the Log Intelligence service console.

13 Click Publish.

Manage Distributed Firewall Rules

A packet attempting to pass through the firewall is subjected to the rules in the order shown in the rules table, beginning at the top and proceeding to the rules at the bottom of the list.

You can reorder the distributed firewall sections and rules within a section. You can also edit an existing distributed firewall configuration, and delete or clone a firewall rule or section.

When you delete a firewall rule section, all rules in that section are deleted. You cannot delete a section and add it again at a different place in the firewall table in one step. To do so, you must delete the section and publish the configuration. Then add the deleted section to the firewall table and re-publish the configuration.

Prerequisites

Verify that you have multiple distributed firewall sections and rules configured. See Set Distributed Firewall Rules.

Procedure

1 Locate a distributed firewall.

2 Click the vertical ellipsis button.

n Reorder the firewall rules within a section or reorder the sections.

n Edit a firewall section or rule configuration.


n Clone a distributed firewall rule.

You cannot clone a firewall section.

n Delete a firewall section or a rule within the section.

3 Click Publish.

4 (Optional) Click Revert to undo any recent changes applied to a section or a rule and click Publish.

Configure Monitoring and Troubleshooting Features

The IPFIX and Port Mirroring functionality provided by NSX-T can be used by monitoring and troubleshooting tools deployed as VMs in your SDDC.

VMware Cloud on AWS SDDCs using NSX-T for networking have IPFIX and Port Mirroring features that enable the use of monitoring or troubleshooting tools in your SDDC.

By default, the ESXi hosts have access to the overlay network, allowing them to communicate with monitoring and troubleshooting applications deployed as VM workloads in your SDDC. However, you must configure the firewall to allow traffic between the ESXi hosts and the logical segment the VMs are attached to.

Procedure

1 Configure IPFIX: Configure IPFIX.

2 Configure port mirroring: Configure Port Mirroring.

3 If necessary, configure the management gateway firewall to allow traffic between ESXi hosts and the logical segment. See Set NSX Edge Management Gateway Firewall Rules.

Configure IPFIX

IPFIX (Internet Protocol Flow Information Export) is a standard for the format and export of network flow information for troubleshooting, auditing, or collecting analytics information.

You can configure flow monitoring on a logical segment. All the flows from the VMs connected to that logical segment are captured and sent to the IPFIX collector. The IPFIX collector can be in the on-premises data center or on one of the logical segments.

You can control sampling rate and timeout parameters and capture a specific granularity of data. If you have a large number of flows, you can lower the sampling rate.

After you enable IPFIX, all configured segments send IPFIX messages to the IPFIX collectors using the default port UDP 4739. You can also assign another port number.

Prerequisites

Verify that a logical segment is configured. See Create a Logical Network Segment.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.


2 Select Networking & Security > IPFIX > Configure Collectors.

3 Enter the collector IP address and port.

The default UDP port is 4739. You can add up to 4 IPFIX collectors.

4 Click Save.

5 Click Add IPFIX Session.

6 Enter IPFIX session name.

7 Set the IPFIX session active and idle timeout in seconds.

The active timeout indicates the time the session must remain active for collecting the data. Idle timeout indicates the time the session can be idle without triggering a session failure.

The minimum timeout duration should be 60 seconds.

8 Enter the sampling probability of the IPFIX session.

Probability Description

100% All the exported data packets are captured.

2% Two percent of the exported data is captured and the rest of the data packets are dropped.

9 Assign a logical segment tag to this IPFIX session.

10 (Optional) Click the ellipsis button next to an IPFIX session and click Edit to make configuration changes.

11 Click Save.

Configure Port Mirroring

Port mirroring lets you replicate and redirect all of the traffic coming from a source. The mirrored traffic is sent encapsulated within a Generic Routing Encapsulation (GRE) tunnel to a collector so that all of the original packet information is preserved while traversing the network to a remote destination.

Port mirroring is used in the following scenarios:

n Troubleshooting - Analyze the traffic to detect intrusion and debug and diagnose errors on a network.

n Compliance and monitoring - Forward all of the monitored traffic to a network appliance for analysis and remediation.

Port mirroring includes a source group where the data is monitored and a destination group where the collected data is copied to. The source group membership criteria require VMs to be grouped based on the workload, such as a web group or application group. The destination group membership criteria require VMs to be grouped based on IP addresses.

Port mirroring has one enforcement point, where you can apply policy rules to your SDDC environment.

The traffic direction for port mirroring is Ingress, Egress, or Bidirectional traffic.

n Ingress is the outbound network traffic from the VM to the logical network.


n Egress is the inbound network traffic from the logical network to the VM.

n Bidirectional is the two-way flow of traffic from the VM to the logical network and from the logical network to the VM. This is the default option.

Prerequisites

Verify that workload groups with IP address and VM membership criteria are available. See Add a Security Group.

Procedure

1 Log in to the VMC Console at https://vmc.vmware.com.

2 Select Networking & Security > Segments > Add Port Mirroring Session.

3 Enter a port mirroring session name.

4 Select source VM workload group name.

5 Select a destination IP address for the group.

6 Select a traffic direction from the drop-down menu.

The choices are Bidirectional, Ingress, or Egress.

7 Click Save.

8 Click the ellipsis button next to a port mirroring session and select Edit to make configuration changes.
