VMware Cloud on AWS – Access an Amazon Simple Email Service (SES) Using VPC Endpoint

When you run workloads on VMware Cloud on AWS, you gain the advantage of being able to tap into a rich pool of AWS services. Here, we look at one of these services – Amazon Simple Email Service – to show how easy it is to set up, even when rigorous security policies are in place.

 

As any customer who runs workloads in VMware Cloud on AWS will tell you, the ability to integrate with AWS services is one of the most appealing benefits of using the platform. 

One of my customers recently shared such a story. A multinational conglomerate and one of the largest listed companies on the Singapore Exchange by market capitalisation, this company hosts its multiple strategic modern applications running as microservices in Red Hat OpenShift Kubernetes clusters on VMware Cloud on AWS. With a need to send transactional messages, they chose Amazon Simple Email Service (SES) as it is a trustworthy, flexible and cost-effective email service provider for developers. 

 

This customer operates in a heavily regulated industry – there are strict corporate security policies in place which limit the ability of internal systems to connect to the public internet. This means they cannot use the public Amazon SES endpoints. To work within these restrictions, they can access Amazon SES from their VMware Cloud workload – by directly connecting an Elastic Network Interface (ENI) to the virtual private cloud (VPC), without having to go over a VMware Cloud internet gateway. 

 

As the above diagram illustrates, the VMware stack not only sits next to the AWS services, but is tightly integrated with them. 

 

Benefits of Amazon SES

As well as being flexible and cost-effective, Amazon SES comes with enhanced security and compliance features. You can configure DKIM using your own RSA key pair, and there is support for HIPAA eligibility and FIPS 140-2 compliant endpoints.

For VMware Cloud customers, it offers the best of both worlds. You can run mission-critical modern apps on VMware Cloud, with a direct connection from these workloads to Amazon SES through a VPC endpoint, powered by AWS PrivateLink, in a secure and scalable manner.

 

How to set up Amazon SES with VMware Cloud

In just a few steps, you can enable communication between the VMware stack and AWS native service using Amazon SES.

Step 1 – Create a security group 

  • Set the private IP of your instance in the EC2 console
  • Use 192.168.1.0/24 as the VMC segment

Step 2 – Create the VPC endpoint for Amazon SES

  • Use the Creating an Interface Endpoint procedure in the VPC console 
  • Select the service name com.amazonaws.region.email-smtp 
  • Attach the security group that you just created
  • Choose the Subnet ID of the VPC Subnet shown in VMC Console (find the VPC Subnet info from VMC Console > Networking & Security > Connected VPC)

 

Step 3 – Click on the VPC Endpoint ID link

Step 4 – Click on Subnets to find the ENI IP Address

 

 

Step 5 – Open Compute Gateway Firewall

  • Best practice: specify ‘Sources’ as specific segments or IP addresses
  • Best practice: specify ‘Services’ only to SMTP (TCP25) and SMTPS (TCP465)

Step 6 – After your endpoint is available, test your connection or send an email through the endpoint from VMware Cloud workload VMs.

 

 

Note that VPC endpoints currently do not support cross-region requests. With this in mind, make sure you create your endpoint in the same region in which you plan to issue your API calls to Amazon SES.

 

Amazon SES for VPC endpoints is generally available and you can use it in all regions where Amazon SES is available. There is no additional charge to use this feature. Interface VPC endpoint charges apply. 

 

To learn more, take a look at the Amazon SES product page and quick start documentation.

 

For other information related to VMware Cloud on AWS, here are some more learning resources for you:

About the Authors

Nay Myo Htet

Cloud Customer Success Architect at VMware

Nay is a Specialist Solution Architect for VMware Cloud on AWS within the Cloud Customer Success Team at VMware. He focuses on helping customers realize ultimate success with innovative solutions using VMware Cloud services. Before VMware, he worked at multinational information technology services companies, including SoftwareONE, Dimension Data, and Fujitsu, the world's fourth-largest IT services provider. Nay has over 14 years of extensive experience with a strong background in transformative technology solutions on end-user computing, datacentre transformation, and cloud computing. Nay is a certified enterprise architect and holds over 47 tech certifications, including multiple VCPs, TOGAF, CCSP, CKA, and CKAD.

Leave a Reply

Your email address will not be published. Required fields are marked *