The rapid adoption of hybrid and multi-cloud infrastructure has provided incredible opportunities for enterprises to go faster with their digital transformation. These new models for IT have been accelerated by COVID-19 and over a year of remote work for many technology workers. While we reap the benefits of multi-cloud, we must continue to follow best practices for security of the infrastructure that we operate.
When a customer creates a VMware Cloud on AWS SDDC, it is secured by default with firewall rules enabled that block all inbound traffic. Customers frequently ask us for advice on how to enable SDDC connectivity for both their cloud administrators and enterprise data centers. While there is no one size fits all blueprint for this, there are some basic guidelines that should be followed to help keep your infrastructure safe. The diagrams below describe common deployment models for small and medium sized customers.
We will consider a scenario with a cloud administrator who is working from home. S/he uses a company-provided laptop on her home network with a WIFI router connected to the internet. Below you will find three options for providing connectivity to vCenter deployed in the SDDC to this user: Internet, Remote Access VPN, and End-to-End VPN.
Internet Connection Alone
Let’s start with the internet connection as depicted with the red line in the diagram below. While it may seem simple to configure a basic “Allow Any” firewall rule on the SDDC to allow her to connect directly over the internet, this is a very poor security practice as it allows not just our cloud administrator, but anyone to connect to the SDDC and attempt to log in. This connectivity option should never be used.
Remote Access VPN
In our second scenario we are providing controlled connectivity to our user via our corporate network as seen in the diagram below. Here we have our cloud administrator authenticate and connect to the enterprise network using an SSL-VPN or Virtual Desktop and then create a set of firewall rules on the SDDC Management Gateway to only allow traffic that originates from the enterprise. This configuration greatly reduces the attack surface of the SDDC as all traffic coming from the internet is blocked except for that originating from the trusted enterprise network. In addition, by integrating vCenter authentication with the corporate identity provider (SSO) we can enforce enterprise policies for user management and passwords.
Remote Access VPN with Direct Connect
Another approach is to use a combination of private connections as depicted in the purple lines below. Cloud administrator first logs on to the enterprise network via an SSL-VPN or Virtual Desktop connection between her laptop and a VPN gateway deployed in the data center. Once connected to the enterprise network, s/he can reach the VMware Cloud on AWS SDDC by traversing dedicated network connections – AWS Direct Connect and VMware Transit Connect that have been configured between the firewall deployed in the enterprise data center and the Management Gateway that is deployed in the SDDC.
An even better option, and our recommended approach, is to have our cloud administrator access the SDDC via end-to-end VPN connections as depicted in the purple lines below. S/he first logs on to the enterprise network via an SSL-VPN or Virtual Desktop connection between her laptop and a VPN gateway deployed in the data center. Once connected to the enterprise network, cloud administrator can reach the VMware Cloud on AWS SDDC by traversing an that provides encrypted transport over the top of AWS Direct Connect and VMware Transit Connect networks that have been configured between the firewall deployed in the enterprise data center and the Management Gateway that is deployed in the SDDC.
The table below summarizes the advantages and disadvantages of each of the connectivity scenarios described above. When evaluating the trade-offs of convenience and security we encourage customers to favor strong security.
|Internet Only||Remote Access VPN||Remote Access VPN + Direct Connect||End-to-End VPN with Direct Connect|
|Encryption layers||TLS||TLS + SSL||TLS + SSL||TLS + SSL, TLS + IPsec|
For more information on SDDC security please refer to the following resources:
- VMware Cloud on AWS Getting Started Guide
- VMware Cloud Firewall Security Best Practices
- Configure a VPN Connection Between Your SDDC and On-Premises Data Center
- Configure AWS Direct Connect Between Your SDDC and On-Premises Data Center
- Add an SSO Identity Source to the SDDC
- Configuring Enterprise Federation (SSO) for VMware Cloud Service Console
If you would like to learn more about VMware Cloud on AWS, please check out the resource below
- You can learn more about our VMware Cloud on AWS service at the VMware Cloud on AWS websiteor by viewing VMware Cloud on AWS: Overview.
- Obtain the VMware Cloud on AWS Solution Briefand VMware Cloud on AWS TCO 1-pager.
- Visit VMware Cloud Tech Zonefor technical articles, guides, videos and more
- Listen to latest episodes of VMware Cloud on AWS Unplugged Podcast
- Try the VMware Cloud on AWS Lightening Labfor a first-hand immersive experience.
- Follow us on Twitter @vmwarecloudaws and give us a shout with #VMWonAWS.
- Read our latest VMware Cloud on AWS blogs.
- Follow the VMware Cloud on AWS release noteson continuing updates.
- Watch informative demos, overview videos, webinars and hear from our customers: VMware Cloud on AWS on YouTube.
- Check out Cloud Customer Success Community, engage with your peers and get your questions answered.