A reference architecture for getting started with VMware Cloud on AWS is now available to help you visualize how to use AWS services efficiently alongside the SDDC. This article walks through its main points so you can hit the ground running.
Are you ready to deploy standard hybrid applications on VMware Cloud on AWS so that end users can reach them from on-premises? The reference architecture helps you visualize what is required. The first challenge is usually working out how an existing service can integrate with, or be moved to, VMware Cloud on AWS; the second is how to use native AWS services efficiently once it is there.
Please note, all the networking information depicted here is generic and should be customized to meet your organization’s specific needs.
The reference architecture shows an on-premises (on-prem) environment connected to the VMware Cloud on AWS SDDC either over an Internet VPN (which in practice routes via the red "Internet" cloud and the Internet Gateway, although the diagram draws it logically between its endpoints) or over the AWS Direct Connect service (again drawn logically rather than physically).
Once the connection is in place, access control changes are usually needed to allow, and to restrict, which devices at either end can talk to each other. The reference architecture includes example firewall rules for each part of the solution.
The VMware Cloud on AWS SDDC is split into two parts: Management and Workload / Compute. An additional firewall, the Management Gateway, sits in front of the management part, so anything that needs to reach vCenter or other devices in that zone must be explicitly allowed through it with a rule created in the VMware Cloud on AWS console. All VMware Cloud on AWS management components are managed by VMware, and no other device can be added to this security zone manually; for infrastructure components you run yourself (ones not managed by VMware), create a dedicated segment for them along with the appropriate firewall rules.
Although the change is applied in the SDDC's NSX layer, you do not need to use an NSX interface: the console programs NSX for you. Advanced users can also make changes to the networking layer through the NSX Policy API, which is useful for automated changes and for collecting configuration information.
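As an added example of the automation the NSX Policy API makes possible (this is illustrative code written for this article, not code from the reference architecture or from VMware), the script below builds a Management Gateway firewall rule that allows an on-prem admin subnet to reach vCenter over HTTPS and PATCHes it into the default MGW policy. The CSP token endpoint, the VMC API call used to discover the SDDC's NSX endpoint, the MGW rule path, the predefined group and service paths (VCENTER, HTTPS) and the user-created group name OnPrem-Admin-Subnet are all assumptions to verify against the API reference for your SDDC version. Run without credentials it only prints the rule body; it talks to the cloud only when the three environment variables are set.

```python
"""Create or update a Management Gateway (MGW) firewall rule in a VMware
Cloud on AWS SDDC via the NSX Policy API.

Added example, not code from the article or from VMware. Assumed details
(verify against your SDDC's NSX Policy API reference): the CSP token
endpoint, the VMC SDDC endpoint used to discover the NSX reverse-proxy
URL, the MGW rule path, and the predefined group/service paths.
"""
import json
import os
import urllib.parse
import urllib.request

CSP_TOKEN_URL = "https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize"  # assumed
VMC_API = "https://vmc.vmware.com/vmc/api"  # assumed
MGW_RULES = "/policy/api/v1/infra/domains/mgw/gateway-policies/default/rules"  # assumed


def build_mgw_rule(display_name, source_groups, destination_groups, services,
                   sequence_number=10, action="ALLOW"):
    """Build the JSON body for one MGW rule.

    Paths are Policy API object paths, e.g. /infra/domains/mgw/groups/VCENTER
    (predefined management group) or /infra/services/HTTPS (predefined
    service). The scope label pins the rule to the Management Gateway.
    """
    if action not in ("ALLOW", "DROP", "REJECT"):
        raise ValueError("action must be ALLOW, DROP or REJECT")
    for path in (*source_groups, *destination_groups, *services):
        if not path.startswith("/infra/"):
            raise ValueError(f"not a Policy API object path: {path}")
    return {
        "display_name": display_name,
        "action": action,
        "sequence_number": sequence_number,
        "source_groups": list(source_groups),
        "destination_groups": list(destination_groups),
        "services": list(services),
        "scope": ["/infra/labels/mgw"],
    }


def rule_url(nsx_base_url, rule_id):
    """URL used to PATCH (create or update) an MGW rule by its ID."""
    safe_id = urllib.parse.quote(rule_id, safe="")
    return f"{nsx_base_url.rstrip('/')}{MGW_RULES}/{safe_id}"


def csp_access_token(refresh_token):
    """Exchange a CSP API (refresh) token for a short-lived access token."""
    data = urllib.parse.urlencode({"refresh_token": refresh_token}).encode()
    req = urllib.request.Request(CSP_TOKEN_URL, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def nsx_base_url(access_token, org_id, sddc_id):
    """Look up the SDDC's public NSX Policy API endpoint through the VMC API."""
    req = urllib.request.Request(f"{VMC_API}/orgs/{org_id}/sddcs/{sddc_id}",
                                 headers={"csp-auth-token": access_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["resource_config"]["nsx_api_public_endpoint_url"]


def patch_rule(access_token, nsx_base, rule_id, body):
    """PATCH the rule into the default MGW policy (idempotent create/update)."""
    req = urllib.request.Request(rule_url(nsx_base, rule_id),
                                 data=json.dumps(body).encode(), method="PATCH",
                                 headers={"csp-auth-token": access_token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed example: let the on-prem admin subnet reach vCenter over HTTPS.
    # OnPrem-Admin-Subnet is an assumed, user-created MGW group.
    body = build_mgw_rule(
        "OnPrem-Admins-to-vCenter",
        source_groups=["/infra/domains/mgw/groups/OnPrem-Admin-Subnet"],
        destination_groups=["/infra/domains/mgw/groups/VCENTER"],
        services=["/infra/services/HTTPS"],
    )
    print(json.dumps(body, indent=2))
    # Only contact the cloud when credentials are supplied via the environment.
    if all(k in os.environ for k in ("CSP_REFRESH_TOKEN", "VMC_ORG_ID", "VMC_SDDC_ID")):
        tok = csp_access_token(os.environ["CSP_REFRESH_TOKEN"])
        base = nsx_base_url(tok, os.environ["VMC_ORG_ID"], os.environ["VMC_SDDC_ID"])
        print("HTTP", patch_rule(tok, base, "onprem-admins-to-vcenter", body))
```

The same PATCH with the rule ID of an existing rule updates it in place, which is what makes the script safe to re-run from a pipeline; keep the source group as narrow as the admin subnet rather than "Any", since the Management Gateway is the only thing between the Internet VPN and vCenter.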
When you create your SDDC you connect it to a designated AWS Virtual Private Cloud (VPC), the connected VPC. This VPC has high-bandwidth, low-latency access to the SDDC and is ideal for native AWS services consumed by workloads running in the SDDC. Although the diagram shows the VPC's Internet Gateway, the connected VPC's default route (0.0.0.0/0) points back to the SDDC. This means that, other than some specific AWS infrastructure ranges, all traffic leaving the VPC goes via the SDDC, and therefore through the SDDC's firewall rules.
This matters when firewalls are involved: the connected VPC is effectively behind the SDDC, and its routing is built around that. Do not try to reach the connected VPC from, say, other native AWS VPCs, or you will get unexpected results. That said, you can access many AWS services from the connected VPC, including regional ones such as S3, and many of our customers do just that for things like SDDC backup solutions.
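The routing described above is worth verifying rather than assuming, because a stray route to the Internet Gateway or to a peered VPC silently bypasses the SDDC firewall. The audit below is an added example written for this article (not code from the reference architecture); it takes a route table in the dict shape that boto3's `ec2.describe_route_tables()` returns and checks that the default route targets an elastic network interface (the SDDC's) rather than an Internet Gateway, while flagging more-specific routes that go straight to an IGW or over VPC peering. The sample route table, its IDs and the S3 gateway-endpoint prefix-list route are constructed; in a real run replace SAMPLE_ROUTE_TABLE with the live result and pass the SDDC's ENI IDs if you know them.

```python
"""Audit the connected VPC's route table: the default route must point at the
SDDC (an ENI), not at the Internet Gateway.

Added example, not from the original article. Input is the dict shape of
boto3 ec2.describe_route_tables()["RouteTables"][n]; the sample is constructed.
"""
import ipaddress

# Constructed sample in boto3 shape (all IDs are made up).
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0123456789abcdef0",
    "VpcId": "vpc-0123456789abcdef0",
    "Routes": [
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
        # Gateway VPC endpoint for S3: a regional service reached without leaving AWS.
        {"DestinationPrefixListId": "pl-0123456789abcdef0",
         "GatewayId": "vpce-0123456789abcdef0", "State": "active"},
        # Default route to the SDDC's elastic network interface.
        {"DestinationCidrBlock": "0.0.0.0/0",
         "NetworkInterfaceId": "eni-0123456789abcdef0", "State": "active"},
    ],
}


def route_target(route):
    """Return (kind, id) for a route's target using the keys boto3 reports."""
    for key, kind in (("NetworkInterfaceId", "eni"), ("GatewayId", "gateway"),
                      ("NatGatewayId", "nat"), ("VpcPeeringConnectionId", "pcx"),
                      ("TransitGatewayId", "tgw")):
        if key in route:
            return kind, route[key]
    return "unknown", None


def audit_connected_vpc_routes(route_table, sddc_eni_ids=None):
    """Return a list of findings; an empty list means the table looks right.

    sddc_eni_ids: optional set of ENI IDs known to belong to the SDDC. If
    given, the default route must target one of them.
    """
    findings = []
    default = None
    for r in route_table.get("Routes", []):
        cidr = r.get("DestinationCidrBlock")
        if cidr is None:
            continue  # prefix-list routes (e.g. the S3 endpoint) are expected
        net = ipaddress.ip_network(cidr)
        kind, target = route_target(r)
        if net.prefixlen == 0:
            default = (kind, target)
        elif kind == "gateway" and str(target).startswith("igw-"):
            findings.append(f"{cidr} goes directly to Internet Gateway {target}, "
                            "bypassing the SDDC firewall")
        elif kind == "pcx":
            findings.append(f"{cidr} reaches another VPC over peering {target}; "
                            "the connected VPC should only be reached from the SDDC")
    if default is None:
        findings.append("no default route; traffic leaving the VPC will not go via the SDDC")
    elif default[0] != "eni":
        findings.append(f"default route targets {default[0]} {default[1]} "
                        "instead of the SDDC ENI")
    elif sddc_eni_ids is not None and default[1] not in sddc_eni_ids:
        findings.append(f"default route targets ENI {default[1]}, "
                        "which is not a known SDDC ENI")
    return findings


if __name__ == "__main__":
    for line in (audit_connected_vpc_routes(SAMPLE_ROUTE_TABLE)
                 or ["OK: default route points at the SDDC"]):
        print(line)
```

Run this against every route table associated with the connected VPC's subnets, not just the main one: a subnet with its own route table and a 0.0.0.0/0 to the IGW is exactly the "unexpected result" the text warns about.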