Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS 03 SEP 2019 VMware Validated Design 5.1 VMware Cloud on AWS

Post on 22-Oct-2019



Page 2: Architecture and Design for Extending VMware Validated ... · the AWS Cloud running on an Amazon EC2 bare metal infrastructure. The VMware Validated Design for SDDC traditionally

You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

[email protected]

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2019 VMware, Inc. All rights reserved. Copyright and trademark information.

Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS

VMware, Inc. 2


Contents

About Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS 4

1 Applying the Guidance for Extending VMware Validated Design to VMware Cloud on AWS 6

2 Architecture Overview 7
Physical Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS 7
Availability Zones and Regions 8
Virtual Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS 8
Operations Management Architecture for Extending the SDDC to VMware Cloud on AWS 10
Cloud Management Architecture for Extending the SDDC to VMware Cloud on AWS 11

3 Detailed Design 12
Physical Infrastructure Design for Extending the SDDC to VMware Cloud on AWS 12
Physical Design Fundamentals of the SDDC Infrastructure on VMware Cloud on AWS 13
Physical Networking Design of the SDDC Infrastructure on VMware Cloud on AWS 15
Virtual Infrastructure Design for Extending the SDDC to VMware Cloud on AWS 24
Hybrid Linked Mode Design 24
Resource Reservation Design 26
Operations Management Design for Extending the SDDC to VMware Cloud on AWS 26
vRealize Operations Manager Design for the SDDC Infrastructure on VMware Cloud on AWS 27
vRealize Log Insight and Log Intelligence Design for the SDDC Infrastructure on VMware Cloud on AWS 30
Cloud Management Design for Extending the SDDC to VMware Cloud on AWS 32


About Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS

The Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS documentation provides a detailed design for extending your on-premises VMware Validated Design™ SDDC to a hybrid SDDC by adding and configuring an SDDC on VMware Cloud™ on AWS as a third region, Region C.

VMware Cloud on AWS is an integrated cloud offering jointly developed by Amazon Web Services and VMware, delivering a highly scalable, secure, and innovative service. With VMware Cloud on AWS, organizations can seamlessly migrate and extend their on-premises VMware vSphere® environments to the AWS Cloud running on an Amazon EC2 bare metal infrastructure.

The VMware Validated Design for SDDC traditionally uses on-premises data centers to host separate regions. Having multiple regions enables features such as high availability, disaster recovery, data locality or sovereignty, and the ability to scale out the capacity of the SDDC. If your organization does not have the ability to deploy infrastructure in an additional data center, you can extend your on-premises SDDC to a hybrid SDDC. To extend your VMware Validated Design SDDC to a hybrid SDDC, you can implement one or more regions by connecting your on-premises infrastructure with VMware Cloud on AWS.

Prerequisites

You must have a VMware Validated Design for Software-Defined Data Center 5.x deployed in at least a single region. See the VMware Validated Design documentation page.

Intended Audience

This design is intended for architects and administrators who want to use VMware Cloud™ on AWS for tenant workloads.

Required VMware Software

Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS is compliant and validated with certain product versions. See the VMware Validated Design Release Notes for more information about supported product versions.

- Software components for VMware Validated Design™ for Software-Defined Data Center 5.x

- VMware vCenter Cloud Gateway


1 Applying the Guidance for Extending VMware Validated Design to VMware Cloud on AWS

The content in Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS supplements Architecture and Design in VMware Validated Design for Software-Defined Data Center, also referred to as the Standard SDDC.

Before You Design the Virtual Infrastructure for Extending the SDDC to VMware Cloud on AWS

Before you follow this documentation, you must deploy the components for the Standard SDDC according to VMware Validated Design for Software-Defined Data Center. See Architecture and Design, Planning and Preparation, Deployment for Region A, and Deployment for Region B in the VMware Validated Design documentation.

- VMware ESXi™

- VMware Platform Services Controller™ pair and Management vCenter Server®

- VMware NSX® Data Center for vSphere®

- VMware vRealize® Lifecycle Manager™

- vSphere® Update Manager™

- VMware vRealize® Operations Manager™

- VMware vRealize® Log Insight™

- VMware vRealize® Automation™ with embedded vRealize® Orchestrator™

- VMware vRealize® Business™ for Cloud

Designing a Virtual Infrastructure for Extending the SDDC to VMware Cloud on AWS

Next, directly follow this guidance to design the virtual infrastructure for your new region on VMware Cloud™ on AWS:


2 Architecture Overview

By extending your deployed VMware Validated Design SDDC to VMware Cloud on AWS, you can extend and integrate your on-premises environment with the VMware Cloud on AWS service.

This chapter includes the following topics:

- Physical Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS

- Virtual Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS

- Operations Management Architecture for Extending the SDDC to VMware Cloud on AWS

- Cloud Management Architecture for Extending the SDDC to VMware Cloud on AWS

Physical Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS

The physical infrastructure architecture includes details for the physical properties of the SDDC on VMware Cloud on AWS implementation as Region C in this design.

Each SDDC on VMware Cloud on AWS contains at least a single vSphere HA and DRS cluster that runs all management virtual machines and customer workload virtual machines. The initial cluster contains at least three ESXi hosts. Each ESXi host provides 36 cores running at 2.3 GHz, 512 GB RAM, and 16 TB of all-flash NVMe storage to the cluster. The workload virtual machines running inside the SDDC cluster consume a dedicated cluster-wide vSAN datastore. A cluster can be expanded up to 16 hosts, all of which have identical hardware capabilities.

Each ESXi host provides 25 Gb/s of network bandwidth within the SDDC on VMware Cloud on AWS. Network I/O Control prioritizes the bandwidth between the several network traffic streams if contention occurs. The SDDC cluster uses native NSX technology that integrates with the AWS networking infrastructure. The customer can create logical networks to provide VMs with connectivity to other networks and to the Internet if necessary. The management virtual machines, such as the vCenter Server, NSX Manager, and NSX Edge virtual machines, run inside the cluster and are grouped in a separate vSphere DRS resource pool.


Each SDDC cluster is dedicated to a single customer. Existing AWS controls ensure customer segregation by using dedicated AWS accounts and AWS Virtual Private Clouds (VPCs) for each SDDC deployment on VMware Cloud on AWS. Because vSAN is built out of instance-local storage and each ESXi host is dedicated to a single customer, there is no sharing of resources across different customers inside the SDDC compute, network, or storage layers.

- Availability Zones and Regions

  In an SDDC, availability zones are collections of infrastructure components. Availability zones are isolated from each other to prevent the propagation of failure or outage across the data center. Use regions to place workloads closer to your customers, comply with data privacy laws and restrictions, and support disaster recovery solutions for the entire SDDC.

Availability Zones and Regions

In an SDDC, availability zones are collections of infrastructure components. Availability zones are isolated from each other to prevent the propagation of failure or outage across the data center. Use regions to place workloads closer to your customers, comply with data privacy laws and restrictions, and support disaster recovery solutions for the entire SDDC.

This hybrid cloud design uses an on-premises protected region (Region A) for SDDC management components with one or two availability zones, an on-premises recovery region (Region B) with a single availability zone, and a region on VMware Cloud on AWS (Region C) with a single availability zone. You can place workloads in each availability zone and region. You can expand the design to include multiple availability zones.

Figure 2-1. Availability Zones and Regions

(Figure not reproduced. It shows Region A: SFO with Availability Zone 1 and Availability Zone 2, Region B: LAX and Region C: VMC each with a single availability zone, plus future availability zones.)

Virtual Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS

The architecture of the virtual components and services that are available in the SDDC on VMware Cloud on AWS as Region C supports the integration with the on-premises SDDC. The architecture allocates all resources required for the operation of the SDDC and isolates the management components in the cloud from the tenant workloads.

An SDDC on VMware Cloud on AWS can contain up to 10 clusters. VMware manages the vSphere HA, DRS, and vSAN settings, therefore your cloud administrator has a read-only view of the cluster configuration settings. Cloud administrators can configure only per-VM DRS rules, such as VM-VM anti-affinity and VM-Host affinity rules, by using compute policies.


By default, each cluster contains two vSphere DRS resource pools as follows:

- The resource pool named Mgmt-ResourcePool contains the management virtual machines and is configured with a CPU and memory resource reservation. Your cloud administrator has a read-only view of the virtual machine and resource pool settings of the management resource pool.

- Tenant workloads are placed in the resource pool named Compute-ResourcePool. By default, this workload resource pool is not configured with CPU and memory resource reservations. Cloud administrators have full control access rights over this resource pool.

By default, the SDDC on VMware Cloud on AWS contains a single cluster. If you create a new cluster of hosts in the SDDC on VMware Cloud on AWS, the additional cluster is created in the same AWS availability zone. Additional clusters can use R5.metal hosts instead of i3.metal hosts. R5.metal hosts use Amazon EBS storage instead of local NVMe flash drives. EBS storage can scale from 15 TB to 35 TB in 5 TB increments. R5.metal hosts can be used only for additional clusters of an existing SDDC on VMware Cloud on AWS, and cannot be the first cluster that is provisioned in the environment.

You can configure an SDDC on VMware Cloud on AWS as an extension to an existing on-premises SDDC by using Hybrid Linked Mode and VPN connections.

Figure 2-2. VMware Cloud on AWS Region-C Cluster

(Figure not reproduced. It shows a VMware Cloud cluster of ESXi transport nodes managed by the VMware Cloud vCenter Server, with an NSX-T transport zone on an N-VDS; the virtual infrastructure management components (vCenter Server, NSX-T Manager, NSX-T Controllers, and NSX-T Edges) in Mgmt-ResourcePool; tenant workloads in Compute-ResourcePool; an external network on the AWS VPC; and an internal SDDC network.)


VMC Console

VMC Console is a self-service, Web-based application that is available from the VMware Cloud services portal, where you can manage and view your SDDCs on VMware Cloud on AWS. VMC Console shows each SDDC as a card, with information including name, region, status, and hardware allocation. It also provides links for more details and for operations that you can perform on the SDDC.

In addition, VMC Console shows subscriptions, activity logs, tools, and a developer center to facilitate the use of the VMware Cloud on AWS service. A subscription is used to pre-pay for hardware at a reduced cost compared to using VMware Cloud on AWS in an on-demand manner. The available tools include the Content Onboarding Assistant, the DCLI bundle, and the vCenter Cloud Gateway. The developer center provides code samples, an API Explorer, and other tools to help you learn the available automation and integration development options.

Linking Between the On-premises SDDC and the SDDC on VMware Cloud on AWS

You use the vCenter Cloud Gateway appliance to link from your on-premises data center to your SDDC on VMware Cloud on AWS. The vCenter Cloud Gateway appliance provides the following benefits:

- Active Directory groups are mapped from your on-premises environment to the environment on VMware Cloud on AWS. You do not need to add Active Directory as an identity source in your VMware Cloud vCenter Server.

- You can restrict access to important infrastructure services, such as Active Directory, according to the security policy of your organization. Latency when performing operations on the on-premises SDDC is lower.

- Because vCenter Cloud Gateway includes the vSphere UI, you automatically get access to the latest version of the vSphere HTML5 Client on VMware Cloud on AWS, which is fully interoperable with your on-premises environment.

Operations Management Architecture for Extending the SDDC to VMware Cloud on AWS

To manage and monitor your SDDC on VMware Cloud on AWS that is implemented as Region C in this design, you can configure the on-premises vRealize Operations Manager and vRealize Log Insight instances. With this configuration, you avoid using multiple tools for the different parts of your hybrid environment.

VMware Cloud on AWS Operations Management

VMware Cloud on AWS offloads the majority of operations and management tasks to VMware directly. A limited number of relevant events and alerts are available through the hosted VMware Cloud vCenter Server. In this design, the on-premises vRealize Operations Manager analytics cluster is used to collect and monitor these events and alerts, similarly to how the on-premises vCenter Server instances are monitored.


VMware Cloud on AWS Logging

VMware Log Intelligence is a VMware Cloud service with which you can collect logs from the VMware Cloud on AWS service and associated VMware Cloud services. In this design, you use the on-premises vRealize Log Insight system to collect and aggregate logging data from both VMware Cloud on AWS and on-premises sources.

To forward log data that is collected from the SDDC on VMware Cloud on AWS to vRealize Log Insight, you deploy a VMware Cloud Proxy appliance in the on-premises environment.

Figure 2-3. VMware Cloud Proxy Docker Containers

(Figure not reproduced. It shows the Docker containers running on the Cloud Proxy:)

- Cloud Assembly SDDC Agent, container: cloudassembly-sddc-agent

- Cloud Assembly CMX Agent, container: cloudassembly-cmx-agent

- vRealize Orchestrator Agent, container: tango-vro-agent

- Code Stream Agent, container: codestream-lemans-agent

- Log Intelligence Agent, container: log-forwarder

- Cloud Assembly Blueprint Agent, container: cloudassembly-blueprint-agent

Cloud Management Architecture for Extending the SDDC to VMware Cloud on AWS

To configure the consumption portal for your SDDC on VMware Cloud on AWS implementation as Region C in this design, you can configure the on-premises vRealize Automation system.

You can use your on-premises vRealize Automation system with your SDDC on VMware Cloud on AWS as a deployment target endpoint. With this configuration, you can reuse the templates and blueprints that you developed for the on-premises environment, reducing the time required to stand up an additional environment.

Note Some blueprints might require reconfiguration.


3 Detailed Design

The detailed design for extending VMware Validated Design to VMware Cloud on AWS considers both the physical and the virtual infrastructure design for the hybrid SDDC. It includes numbered design decisions and the justification and implications of each decision.

- Physical Infrastructure Design for Extending the SDDC to VMware Cloud on AWS

  The physical design includes design decision details for the physical properties of the SDDC on VMware Cloud on AWS implementation as Region C in this design.

- Virtual Infrastructure Design for Extending the SDDC to VMware Cloud on AWS

  The virtual design includes design decision details for the virtual infrastructure of the SDDC on VMware Cloud on AWS implementation as Region C in this design.

- Operations Management Design for Extending the SDDC to VMware Cloud on AWS

  You can operate a hybrid SDDC that consists of on-premises and VMware Cloud on AWS SDDC components by using the same management components as a standalone on-premises SDDC. You extend and integrate vRealize Operations Manager and vRealize Log Insight for seamless Day-2 operations of both environments.

- Cloud Management Design for Extending the SDDC to VMware Cloud on AWS

  vRealize Automation is the management component in the on-premises SDDC infrastructure for deploying blueprints and applications. You can use your on-premises vRealize Automation deployment with your SDDC on VMware Cloud on AWS.

Physical Infrastructure Design for Extending the SDDC to VMware Cloud on AWS

The physical design includes design decision details for the physical properties of the SDDC on VMware Cloud on AWS implementation as Region C in this design.

- Physical Design Fundamentals of the SDDC Infrastructure on VMware Cloud on AWS

  When deploying an SDDC on VMware Cloud on AWS, you must select the deployment location and the number of hosts for the initial cluster for your use case.

- Physical Networking Design of the SDDC Infrastructure on VMware Cloud on AWS

  To begin using VMware Cloud on AWS to run workloads as Region C in your SDDC, you must set up network connections between your on-premises data centers and the SDDC on VMware Cloud on AWS. This network can include a dedicated connection over AWS Direct Connect, an IPsec VPN, or both.


Physical Design Fundamentals of the SDDC Infrastructure on VMware Cloud on AWS

When deploying an SDDC on VMware Cloud on AWS, you must select the deployment location and the number of hosts for the initial cluster for your use case.

Selecting an AWS Region and Sizing the Initial Host Configuration

When deploying the SDDC on VMware Cloud on AWS as Region C of your validated SDDC, select the AWS Region location according to these criteria:

- Location latency

- Data sovereignty

- Co-location with existing services

- Cost

You can use any VMware Cloud enabled AWS region. This design uses US West (Oregon) as an example.

Figure 3-1. Cluster Configuration of the Hybrid SDDC

(Figure not reproduced. It shows the Region A management cluster and compute/edge cluster and the Region B management cluster and compute/edge cluster, each region with a Management vCenter Server, a Compute vCenter Server, Platform Services Controllers, and an NSX Edge load balancer, alongside the Region C cluster on VMware Cloud on AWS with its VMware Cloud vCenter Server and ESXi hosts.)

You can initially deploy an SDDC on VMware Cloud on AWS with a minimum of three hosts and later expand it to 16 hosts. Each additional host adds a significant amount of resources to the cluster. The initial hosts run both the management and tenant virtual machines, similarly to VMware Validated Design for Consolidated SDDC. The SDDC on VMware Cloud on AWS must always have enough resources for the operation of the management virtual machines. For information on resource pool configuration and resource reservation in the initial cluster, see Resource Reservation Design.


Table 3-1. Resources Consumed by the Management Components on the Initial Three-Host Cluster

Resource   Used     Free
CPU        9 GHz    240 GHz
Memory     212 GB   1.3 TB
Storage    5.5 TB   25.5 TB

The on-premises and cloud units of the hybrid SDDC support maintenance operations in different ways.

- VMware Validated Design for Software-Defined Data Center defines a minimum of four ESXi hosts in the on-premises management cluster. Allocating four ESXi hosts provides full redundancy in the cluster.

- During maintenance operations in VMware Cloud on AWS environments, to provide enough capacity and redundancy for the update, VMware Cloud on AWS temporarily adds another host to the SDDC. VMware vSphere® vMotion™ and DRS activities occur to facilitate the update. During this time, your workloads and other resources function as usual. Permanently adding hosts to the initial cluster is not required.

Table 3-2. Design Decisions on the Initial Configuration of the SDDC on VMware Cloud on AWS

Decision ID: SDDC-VMC-PHY-001
Design Decision: Deploy the SDDC on VMware Cloud on AWS in an AWS Region that has the lowest latency to your on-premises infrastructure while meeting all other business requirements.
Design Justification: Having all infrastructure closely or centrally located provides an optimal user experience. However, make sure that this setup is not at the expense of laws or infrastructure features.
Design Implication: While most AWS locations have the same pricing model, slight variations exist. These variations might change the overall service cost if the closest AWS region does not meet the requirements of your organization.

Decision ID: SDDC-VMC-PHY-002
Design Decision: Deploy the SDDC on VMware Cloud on AWS with three hosts.
Design Justification: Using the initial minimum cluster size still provides a significant amount of resources to tenant workloads. You can easily extend clusters on demand. You can use single-host clusters for evaluation purposes, but they are not suitable for use in production.
Design Implication: The resources provided by three hosts might not be initially needed and therefore potentially wasted. Smaller clusters are not supported for production workloads.

Scaling Out an SDDC on VMware Cloud on AWS

While you can scale out the initial cluster, you can also add clusters to the SDDC. According to the operational and business requirements of your organization, you can use these additional clusters for other categories of service or environments, such as development or staging environments.

Before adding hosts to the initial cluster, size the cluster correctly by considering the number, size, and use of the tenant workloads you plan to provision.


Physical Networking Design of the SDDC Infrastructure on VMware Cloud on AWS

To begin using VMware Cloud on AWS to run workloads as Region C in your SDDC, you must set up network connections between your on-premises data centers and the SDDC on VMware Cloud on AWS. This network can include a dedicated connection over AWS Direct Connect, an IPsec VPN, or both.

Network Design Fundamentals

VMware Cloud on AWS uses VMware NSX-T™ Data Center to create and manage internal SDDC networks and to provide endpoints for VPN connections from your on-premises network infrastructure.

SDDC Network Topology

When fully configured, an SDDC on VMware Cloud on AWS includes two internal networks: a management network for hosts and management appliances, and a compute network for workload VMs. A Tier 0 NSX Edge appliance sits between your on-premises networks and your VMware Cloud on AWS SDDC networks, and routes traffic to either the management network or the compute network as appropriate.

Tier 0 Edge Appliance: All traffic between your on-premises networks and the SDDC on VMware Cloud on AWS passes through this appliance. Compute gateway firewall rules, which control access to workload VMs, are applied on its uplink interfaces.

Management Gateway (MGW): The MGW is an NSX Edge security gateway that provides north-south network connectivity for the vCenter Server and other management VMs running in the VMware Cloud on AWS SDDC. During the SDDC creation, the Internet-facing IP address (Public IP #1) is automatically assigned from the pool of AWS public IP addresses. When you create the SDDC on VMware Cloud on AWS, configure the management subnet with a range of IP addresses (CIDR block) that can support the number of ESXi hosts in the SDDC. If you do not configure a range during the SDDC creation, the system uses a default of 10.2.0.0/16.

Compute Gateway (CGW): The CGW provides north-south network connectivity for virtual machines running in the SDDC on VMware Cloud on AWS. In a single-node SDDC, VMware Cloud on AWS creates a default logical network segment (CIDR block 192.168.1.0/24) to provide networking for these VMs. You can create additional logical networks on the Networking & Security tab.

AWS Direct Connect

The AWS Direct Connect (DX) service provides a dedicated high-speed, low-latency connection between your on-premises data center and your AWS VPC. You can use DX alone or with a VPN.


DX is used over a private virtual interface (VIF) to carry workload and management traffic, including VPN and vSphere vMotion traffic, between your on-premises data center and your connected VPC. Use DX over a public VIF to connect to AWS public endpoints, such as EC2 and S3.

You can use a DX connection over a private VIF for all traffic between your on-premises data center and your SDDC on VMware Cloud on AWS. The connection terminates in your connected Amazon VPC, provides a private IP address space, and uses BGP to advertise routes in your SDDC and learn routes in your on-premises data center.

A DX connection over a public VIF is typically used only for traffic between your on-premises data center and public AWS services, which you cannot access over a private VIF. The connection terminates at the AWS region level in the region occupied by your connected Amazon VPC and uses BGP to advertise AWS global routes.

The use of Direct Connect is beneficial, but it is not required for the hybrid cloud functionality and is therefore optional for this VMware Validated Design. Even if a Direct Connect is established, a VPN is still necessary to complete the traffic flow between the VMware Cloud on AWS and on-premises SDDC infrastructure.

VPN Design

To route management traffic between your VMware Cloud on AWS and on-premises SDDC infrastructure, you must establish a VPN connection to each on-premises region.

VMware Cloud on AWS offers two types of VPN for management traffic: route-based and policy-based.

- A route-based VPN creates an IPsec tunnel interface and routes traffic through it as dictated by the routing table on the VMware Cloud on AWS SDDC. A route-based VPN provides resilient and secure access to multiple subnets. When you use a route-based VPN, new routes are added automatically when new networks are created.

  Route-based VPNs in a VMware Cloud on AWS SDDC use the IPsec protocol to secure traffic and the Border Gateway Protocol (BGP) to discover and propagate routes when networks are created. To create a route-based VPN, you configure BGP information for the VMware Cloud on AWS SDDC and on-premises endpoints, and specify tunnel security parameters for the VMware Cloud on AWS SDDC end of the tunnel.

- A policy-based VPN creates an IPsec tunnel and a policy that specifies how traffic uses it. When you use a policy-based VPN, you must update the routing tables on both ends of the network when new routes are added.

  Policy-based VPNs in a VMware Cloud on AWS SDDC use the IPsec protocol to secure traffic. To create a policy-based VPN, you first configure the VMware Cloud on AWS SDDC endpoint, then you configure a matching remote on-premises endpoint. Because each policy-based VPN must create an IPsec security association for each network, a network administrator must update the routing information on-premises and in the VMware Cloud on AWS SDDC whenever a new policy-based VPN is created. A policy-based VPN can be an appropriate choice when you have only a few networks on either end of the VPN, or if your on-premises network hardware does not support BGP, which is required for route-based VPNs.
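As an added illustration of the Day-2 difference between the two VPN types (example code written for this page, not VMware's tooling), the following planner enumerates the IPsec security associations and static routes a policy-based VPN needs between an on-premises region and Region C, and what changes when a new network segment is created behind the Region C gateway. The 10.2.0.0/16 management CIDR and the 192.168.1.0/24 default segment are the Region C defaults quoted above; the on-premises prefixes are constructed sample values, and modelling the route-based tunnel as one any-to-any SA is an assumption drawn from common VTI practice.

```python
"""Route-based vs policy-based VPN planner for the hybrid SDDC VPN design.

Added example, not VMware code. On-premises prefixes are constructed sample
values; Region C prefixes are the defaults quoted in the design.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    """A VPN termination point (an NSX ESG on-premises, the MGW or CGW in
    Region C) together with the prefixes reachable behind it."""
    name: str
    subnets: Tuple[IPv4Network, ...]


def check_no_overlap(local: Endpoint, remote: Endpoint) -> None:
    """Overlapping prefixes on the two sides make selectors and routes
    ambiguous, so refuse to plan instead of silently black-holing traffic."""
    for a in local.subnets:
        for b in remote.subnets:
            if a.overlaps(b):
                raise ValueError(f"{a} ({local.name}) overlaps {b} ({remote.name})")


def policy_based_plan(local: Endpoint, remote: Endpoint) -> Dict[str, List]:
    """Policy-based VPN: one IPsec SA (traffic-selector pair) per local/remote
    subnet pair, plus a static route on each side for every peer subnet."""
    check_no_overlap(local, remote)
    return {
        "ipsec_sas": [(str(a), str(b)) for a in local.subnets for b in remote.subnets],
        f"routes_on_{local.name}": sorted(str(b) for b in remote.subnets),
        f"routes_on_{remote.name}": sorted(str(a) for a in local.subnets),
    }


def route_based_plan(local: Endpoint, remote: Endpoint) -> Dict[str, List]:
    """Route-based VPN: a single tunnel interface secured by one any-to-any SA
    (assumption: standard VTI practice); each side learns the peer's prefixes
    through BGP instead of static routes."""
    check_no_overlap(local, remote)
    return {
        "ipsec_sas": [("0.0.0.0/0", "0.0.0.0/0")],
        f"bgp_advertised_by_{local.name}": sorted(str(a) for a in local.subnets),
        f"bgp_advertised_by_{remote.name}": sorted(str(b) for b in remote.subnets),
    }


def add_network_delta(local: Endpoint, remote: Endpoint,
                      new_subnet: IPv4Network, route_based: bool) -> Dict[str, int]:
    """Operational work when `new_subnet` is created behind `remote`: the
    Day-2 difference the design calls out between the two VPN types."""
    grown = Endpoint(remote.name, remote.subnets + (new_subnet,))
    if route_based:
        route_based_plan(local, grown)  # still validates the new prefix
        return {"new_ipsec_sas": 0, "new_static_routes": 0, "bgp_advertisements": 1}
    before = policy_based_plan(local, remote)
    after = policy_based_plan(local, grown)
    new_sas = len(after["ipsec_sas"]) - len(before["ipsec_sas"])
    new_routes = sum(len(after[k]) - len(before[k])
                     for k in before if k.startswith("routes_on_"))
    return {"new_ipsec_sas": new_sas, "new_static_routes": new_routes,
            "bgp_advertisements": 0}


# Constructed sample topology: two management subnets behind the Region A ESG;
# the Region C management CIDR and default compute segment behind the MGW/CGW.
REGION_A = Endpoint("region-a", (ip_network("172.16.11.0/24"),
                                 ip_network("172.16.31.0/24")))
REGION_C = Endpoint("region-c", (ip_network("10.2.0.0/16"),
                                 ip_network("192.168.1.0/24")))
NEW_SEGMENT = ip_network("192.168.2.0/24")  # constructed: a new workload segment


if __name__ == "__main__":
    print(policy_based_plan(REGION_A, REGION_C))
    print(route_based_plan(REGION_A, REGION_C))
    print("policy-based:", add_network_delta(REGION_A, REGION_C, NEW_SEGMENT, False))
    print("route-based: ", add_network_delta(REGION_A, REGION_C, NEW_SEGMENT, True))
```

Run it per on-premises region: the design needs one such VPN from Region C to Region A and one to Region B, so the policy-based maintenance cost counted here is paid once per region.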


Figure 3-2. VPN Overview

[Figure: the SDDC on VMware Cloud on AWS (Region C), with the VMware Cloud vCenter Server and ESXi hosts on the 10.2.0.0/16 infrastructure subnet, connected over an external connection by VPN to the Management Cluster and Shared Edge and Compute Cluster of Region A and Region B; each on-premises region hosts a Management vCenter Server and a Compute vCenter Server, and Region A also hosts the vCenter Cloud Gateway.]

In this design, a VPN is required between the management cluster in each on-premises region (Region A and Region B) and the SDDC on VMware Cloud on AWS (Region C); however, the on-premises termination locations are not enforced. Use NSX ESGs as the on-premises terminating devices, because you can place them in the on-premises SDDC infrastructure. This configuration provides a simple and secure termination point without complicating other parts of the enterprise network.


Table 3-3. Design Decisions on VPN Configuration

Decision ID: SDDC-VMC-NET-001
Design Decision: Create a policy-based management VPN between the Management Gateway on the VMware Cloud on AWS SDDC and the Region-A and Region-B management environments.
Design Justification: BGP is not supported over NSX-IPsec VPN tunnels.
Design Implication: In some environments, it might be preferable to terminate the VPNs outside the on-premises SDDC environments where BGP is available.

Decision ID: SDDC-VMC-NET-002
Design Decision: If using NSX for management VPN termination, configure a highly available pair of NSX Edge service gateways (ESGs) in each of the edge clusters.
Design Justification: VPNs between the VMware Cloud on AWS and on-premises SDDC infrastructure must be able to exchange routing information.
Design Implication: Adds resource overhead.

Decision ID: SDDC-VMC-NET-003
Design Decision: If using NSX for management VPN termination, configure the ESG HA heartbeat timeout to 5 seconds.
Design Justification: Using a longer heartbeat timeout might result in a longer than desired outage of communication between on-premises and VMware Cloud on AWS workloads.
Design Implication: Configuring a heartbeat timeout that is too short might result in a premature failover that can increase or extend an outage.

Consider the difference in the property names in the VPN configuration of the VPN-enabled NSX ESGs and of the SDDC on VMware Cloud on AWS.

Table 3-4. Mapping VPN Parameters Between the User Interface of NSX for vSphere and VMC Console

NSX Property Name        | VMC Console Property Name
Name                     | VPN Name
Peer ID                  | On-prem Gateway IP
Peer Endpoint            | On-prem Gateway IP
Peer Subnets             | On-prem Network
Local ID                 | Uplink SNAT (not a user-entered value)
Local Endpoint           | Uplink IP (not a user-entered value)
Local Subnets            | Local Network
Encryption Algorithm     | Encryption
Perfect Forward Secrecy  | Perfect Forward Secrecy
Authentication           | PSK (not configurable)
Diffie Hellman Group     | Diffie Hellman
Pre-Shared Key           | Pre-Shared Key
Enabled                  | True (not configurable)


Figure 3-3. VPN Design for a Region in the On-Premises SDDC

[Figure: the Shared Edge and Compute Cluster of one region, with ECMP ESGs connected to the ToR switches and the Internet/enterprise network, the Universal Distributed Logical Router, an ESG load balancer, the transit networks Mgmt-xRegion01-VXLAN (192.168.11.0/24) and Mgmt-RegionA01-VXLAN (192.168.31.0/24), and the Mgmt-VPN ESGs. Management applications shown: vRealize Automation, vRealize Operations Manager, vRealize Business for Cloud, vCenter Cloud Gateway, vRealize Log Insight, vRealize Suite Lifecycle Manager, vRealize Operations Collector, vRealize Automation Proxy, VMware Update Manager Download Service, vRealize Business Collector. Legend: Mgmt-Management, Compute-Management, Edge-Management.]


Figure 3-4. VPN Design for Both Regions in the On-Premises SDDC

[Figure: the same layout as Figure 3-3 repeated for Region A and Region B. Each region has its ECMP ESGs, ToR switches, Internet/enterprise network connection, Universal Distributed Logical Router, ESG load balancer, Mgmt-VPN ESGs, the shared transit network Mgmt-xRegion01-VXLAN (192.168.11.0/24) and a region-specific transit network: Mgmt-RegionA01-VXLAN (192.168.31.0/24) in Region A and Mgmt-RegionB01-VXLAN (192.168.32.0/24) in Region B. The management applications of Region A (vRealize Automation, vRealize Business for Cloud, vRealize Operations Manager, vCenter Cloud Gateway) are shown as failover components in Region B; vRealize Log Insight, vRealize Suite Lifecycle Manager, vRealize Operations Collector, vRealize Automation Proxy, VMware Update Manager Download Service and vRealize Business Collector run in each region.]

To have traffic flowing between the VMware Cloud on AWS SDDC management networks and your on-premises management networks, you must populate the management VPN connections with the infrastructure subnet on the VMware Cloud on AWS SDDC, any custom network segments on the VMware Cloud on AWS SDDC, and the on-premises management networks. These networks are populated within the configuration of each side of the VPN tunnel as either local or remote networks. Also, adding the vSphere vMotion networks allows cold vSphere vMotion operations.


Table 3-5. Management Network Configuration for VPN Connection

VPN Source: VMware Cloud on AWS SDDC
VPN Destination: Region A
Remote Networks: 172.16.11.0/24, 172.16.12.0/24, 172.16.31.0/24, 172.16.32.0/24, 192.168.11.0/24, 192.168.31.0/24
Local Networks: Infrastructure Subnet (10.2.0.0/16), Standalone Subnets, Routed Subnets

VPN Source: VMware Cloud on AWS SDDC
VPN Destination: Region B
Remote Networks: 172.17.11.0/24, 172.17.12.0/24, 172.17.31.0/24, 172.17.32.0/24, 192.168.11.0/24, 192.168.32.0/24
Local Networks: Infrastructure Subnet (10.2.0.0/16), Standalone Subnets, Routed Subnets

VPN Source: Region A
VPN Destination: VMware Cloud on AWS SDDC
Remote Networks: Infrastructure Subnet (10.2.0.0/16), Standalone Subnets, Routed Subnets
Local Networks: 172.16.11.0/24, 172.16.12.0/24, 172.16.31.0/24, 172.16.32.0/24, 192.168.11.0/24, 192.168.31.0/24

VPN Source: Region B
VPN Destination: VMware Cloud on AWS SDDC
Remote Networks: Infrastructure Subnet (10.2.0.0/16), Standalone Subnets, Routed Subnets
Local Networks: 172.17.11.0/24, 172.17.12.0/24, 172.17.31.0/24, 172.17.32.0/24, 192.168.11.0/24, 192.168.32.0/24

Table 3-6. Design Decisions on VPN Endpoint Configuration

Decision ID: SDDC-VMC-NET-004
Design Decision: Add all networks for management and vSphere vMotion in the on-premises and VMware Cloud on AWS SDDCs to each VPN endpoint configuration.
Design Justification: To have operations running in both on-premises and VMware Cloud on AWS SDDC infrastructure, traffic between all management subnets must be routed.
Design Implication: Having management networks routable over a VPN might bring in security considerations in some organizations.
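The mirrored local/remote lists in Table 3-5 are easy to get wrong by hand, and a policy-based VPN selector that names a network as both local and remote never matches traffic. The following check is an added example, not code from the VMware Validated Design: it validates a configuration shaped like Table 3-5, with the "Standalone Subnets" and "Routed Subnets" entries replaced by two constructed placeholder prefixes.

```python
"""Consistency checks for the policy-based management VPN in Table 3-5.
Added example, not VMware Validated Design code. The "Standalone Subnets"
and "Routed Subnets" entries are represented by constructed placeholders."""
from copy import deepcopy
from ipaddress import ip_network
from typing import Dict, List, Tuple

Tunnel = Tuple[str, str]              # (VPN source, VPN destination)
EndpointNets = Dict[str, List[str]]   # {"local": [...], "remote": [...]}

# On-premises management networks taken from Table 3-5.
SFO_MGMT = ["172.16.11.0/24", "172.16.12.0/24", "172.16.31.0/24",
            "172.16.32.0/24", "192.168.11.0/24", "192.168.31.0/24"]
LAX_MGMT = ["172.17.11.0/24", "172.17.12.0/24", "172.17.31.0/24",
            "172.17.32.0/24", "192.168.11.0/24", "192.168.32.0/24"]
# Infrastructure subnet from the page plus two constructed placeholder
# segments standing in for "Standalone Subnets" and "Routed Subnets".
VMC_MGMT = ["10.2.0.0/16", "10.3.10.0/24", "10.3.20.0/24"]

VPN_CONFIG: Dict[Tunnel, EndpointNets] = {
    ("VMC", "Region A"): {"remote": SFO_MGMT, "local": VMC_MGMT},
    ("VMC", "Region B"): {"remote": LAX_MGMT, "local": VMC_MGMT},
    ("Region A", "VMC"): {"remote": VMC_MGMT, "local": SFO_MGMT},
    ("Region B", "VMC"): {"remote": VMC_MGMT, "local": LAX_MGMT},
}


def _parse(cidrs: List[str]):
    """Strict parsing rejects prefixes with host bits set (a common typo)."""
    return {ip_network(c, strict=True) for c in cidrs}


def check_vpn_config(config: Dict[Tunnel, EndpointNets]) -> List[str]:
    """Return a list of findings; an empty list means the tunnels are consistent."""
    findings: List[str] = []
    for (src, dst), ends in config.items():
        local, remote = _parse(ends["local"]), _parse(ends["remote"])
        tunnel = f"{src} -> {dst}"

        # 1. Both ends of a policy-based VPN must be configured, and the local
        #    networks on one end must be exactly the remote networks on the other.
        mirror = config.get((dst, src))
        if mirror is None:
            findings.append(f"{tunnel}: no matching VPN configured on {dst}")
        else:
            if local != _parse(mirror["remote"]):
                findings.append(f"{tunnel}: local networks differ from the "
                                f"remote networks configured on {dst}")
            if remote != _parse(mirror["local"]):
                findings.append(f"{tunnel}: remote networks differ from the "
                                f"local networks configured on {dst}")

        # 2. A prefix that is both local and remote (or overlaps one) cannot be
        #    selected by the IPsec policy and breaks return routing.
        for l_net in sorted(local):
            for r_net in sorted(remote):
                if l_net.overlaps(r_net):
                    findings.append(f"{tunnel}: local {l_net} overlaps remote {r_net}")
    return findings


def misconfigured_example() -> Dict[Tunnel, EndpointNets]:
    """Constructed mistake: Region B's local list omits its Mgmt-RegionB01 network."""
    broken = deepcopy(VPN_CONFIG)
    broken[("Region B", "VMC")]["local"] = [n for n in LAX_MGMT if n != "192.168.32.0/24"]
    return broken


if __name__ == "__main__":
    for name, cfg in (("Table 3-5", VPN_CONFIG), ("misconfigured", misconfigured_example())):
        print(name, check_vpn_config(cfg) or ["OK"])
```

The omitted network is reported from both ends of the Region B tunnel, which is the symptom an operator would see when only one side of a policy-based VPN has been updated.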

Firewall Rules Design

The management gateway on the VMware Cloud on AWS SDDC is configured with a firewall that blocks all inbound connections to the management network on the VMware Cloud on AWS SDDC. This configuration ensures the security and integrity of the management interfaces on VMware Cloud on AWS, such as vCenter Server and ESXi. The firewall has limited configuration options for existing management interfaces, but some connections can be allowed.

When you create an SDDC on VMware Cloud on AWS, the management gateway firewall has the following rules.


Table 3-7. Default Management Gateway Firewall Rules

Rule Name              | Source  | Destination | Services | Action
vCenter Outbound Rule  | vCenter | Any         | Any      | Allow
ESXi Outbound Rule     | ESXi    | Any         | Any      | Allow
Default Deny All       | Any     | Any         | Any      | Block

To allow the SDDC on VMware Cloud on AWS to connect to your on-premises management domain, you must change the default firewall policy. To simplify the firewall rule management, you can create groups of IP addresses and subnets.

Table 3-8. Design Decisions on Management Gateway Firewall Configurations

Decision ID: SDDC-VMC-NET-005
Design Decision: Configure the management gateway firewall to allow access from the on-premises management subnet to the vCenter Server, ESXi, and NSX Manager instances on the VMware Cloud on AWS SDDC.
Design Justification: The hybrid functionality requires changes on the firewall.
Design Implication: Changing the default firewall rules increases the security boundary from which the SDDC on VMware Cloud on AWS can be accessed.

Decision ID: SDDC-VMC-NET-006
Design Decision: Configure the local on-premises SDDC management subnets as groups.
Design Justification: Using groups simplifies the firewall rule management.
Design Implication: None.

To simplify the firewall rule management, you add the following groups.

Table 3-9. Inventory Groups

Name      | Member Type | Members
SFO01Nets | IP Address  | 172.16.11.0/24, 172.16.12.0/24, 172.16.31.0/24, 172.16.32.0/24, 192.168.11.0/24, 192.168.31.0/24
LAX01Nets | IP Address  | 172.17.11.0/24, 172.17.12.0/24, 172.17.31.0/24, 172.17.32.0/24, 192.168.11.0/24, 192.168.32.0/24

To allow the hybrid functionality, you must add the following management gateway firewall rules to the default outbound rules that are configured when the SDDC infrastructure is created on VMware Cloud on AWS.


Table 3-10. Additional Management Gateway Firewall Rules

Name                  | Source    | Destination | Services                                                                                                  | Action
SFO01M01 ESXi Rule    | SFO01Nets | ESXi        | Provisioning & Remote Console (TCP 902), vSphere vMotion (TCP 8000), ICMP (ALL ICMP), HTTPS (TCP 443)     | Allow
SFO01M01 vCenter Rule | SFO01Nets | vCenter     | ICMP (ALL ICMP), SSO (TCP 7444), HTTPS (TCP 443)                                                          | Allow
SFO01 NSX Rule        | SFO01Nets | NSX         | HTTPS (TCP 443)                                                                                           | Allow
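To see which flows the resulting policy admits, the following added example (not part of the VMware Validated Design) models the management gateway firewall of Tables 3-7, 3-9 and 3-10 as an ordered, first-match rule list with the additional rules placed before Default Deny All; the client addresses in the flows are constructed.

```python
"""First-match evaluation of the VMware Cloud on AWS management gateway
firewall as described in Tables 3-7, 3-9 and 3-10. Added example, not
VMware Validated Design code; sample client addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

Service = Tuple[str, int]          # (protocol, port); ("any", 0) matches everything
ANY: Service = ("any", 0)
ICMP: Service = ("icmp", 0)

# Inventory groups from Table 3-9.
GROUPS: Dict[str, List[str]] = {
    "SFO01Nets": ["172.16.11.0/24", "172.16.12.0/24", "172.16.31.0/24",
                  "172.16.32.0/24", "192.168.11.0/24", "192.168.31.0/24"],
    "LAX01Nets": ["172.17.11.0/24", "172.17.12.0/24", "172.17.31.0/24",
                  "172.17.32.0/24", "192.168.11.0/24", "192.168.32.0/24"],
}
# Management interfaces that the gateway rules can name as source or destination.
MGMT_OBJECTS = {"vCenter", "ESXi", "NSX"}


@dataclass
class Rule:
    name: str
    source: str          # "Any", a group name, or a management object
    destination: str
    services: Set[Service]
    action: str          # "Allow" or "Block"


# Default rules (Table 3-7) with the additional rules (Table 3-10) inserted
# before the final deny; evaluation is first match wins.
RULES: List[Rule] = [
    Rule("vCenter Outbound Rule", "vCenter", "Any", {ANY}, "Allow"),
    Rule("ESXi Outbound Rule", "ESXi", "Any", {ANY}, "Allow"),
    Rule("SFO01M01 ESXi Rule", "SFO01Nets", "ESXi",
         {("tcp", 902), ("tcp", 8000), ICMP, ("tcp", 443)}, "Allow"),
    Rule("SFO01M01 vCenter Rule", "SFO01Nets", "vCenter",
         {ICMP, ("tcp", 7444), ("tcp", 443)}, "Allow"),
    Rule("SFO01 NSX Rule", "SFO01Nets", "NSX", {("tcp", 443)}, "Allow"),
    Rule("Default Deny All", "Any", "Any", {ANY}, "Block"),
]


def _endpoint_matches(selector: str, endpoint: str) -> bool:
    """endpoint is either a management object name or an IP address string."""
    if selector == "Any":
        return True
    if selector in GROUPS:
        if endpoint in MGMT_OBJECTS:
            return False
        addr = ip_address(endpoint)
        return any(addr in ip_network(cidr) for cidr in GROUPS[selector])
    return selector == endpoint


def _service_matches(services: Set[Service], wanted: Service) -> bool:
    return ANY in services or wanted in services


def evaluate(source: str, destination: str, service: Service,
             rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches the flow."""
    for rule in rules:
        if (_endpoint_matches(rule.source, source)
                and _endpoint_matches(rule.destination, destination)
                and _service_matches(rule.services, service)):
            return rule.action, rule.name
    raise RuntimeError("rule set has no final catch-all rule")


if __name__ == "__main__":
    # Constructed flows: a Region A host, a Region B host, and an Internet host.
    for flow in [("172.16.11.50", "ESXi", ("tcp", 902)),
                 ("172.16.11.50", "ESXi", ("tcp", 22)),
                 ("172.17.11.50", "vCenter", ("tcp", 443)),
                 ("vCenter", "203.0.113.10", ("tcp", 443)),
                 ("203.0.113.10", "vCenter", ("tcp", 443))]:
        print(flow, "->", evaluate(*flow))
```

Because Table 3-10 defines rules for SFO01Nets only, the evaluator shows Region B sources (LAX01Nets) still landing on Default Deny All, which is the gap an equivalent LAX01Nets rule set would close.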

Name Resolution Design

Specifying a DNS server allows the gateway to resolve fully-qualified domain names (FQDNs) to IP addresses on the network.

The management gateway on the VMware Cloud on AWS SDDC must be configured to resolve the on-premises FQDNs.

Table 3-11. Design Decisions on the Management Gateway DNS Configuration

Decision ID: SDDC-VMC-NET-007
Design Decision: Configure the management gateway DNS server IP address to forward name resolution to the on-premises DNS servers.
Design Justification: Without the on-premises DNS resolution, vCenter Cloud Gateway is unable to link the two environments. See Table 3-13. Design Decisions on the vCenter Cloud Gateway Deployment.
Design Implication: None.

The compute gateway on the VMware Cloud on AWS SDDC can be configured to resolve up to five specific domains by configuring a domain name server for each.

Network Segment Design

Network segments are logical networks for use by workload VMs in the Compute-ResourcePool of the SDDC on VMware Cloud on AWS.


VMware Cloud on AWS supports three types of logical network segments: routed, extended, and disconnected.

- A routed network segment (the default type) has connectivity to other logical networks in the SDDC on VMware Cloud on AWS, and to external networks through the SDDC firewall.

- An extended network segment extends an existing L2VPN tunnel, providing a single IP address space that spans the VMware Cloud on AWS SDDC and an on-premises network.

- A disconnected network segment has no uplink and provides an isolated network accessible only to VMs connected to it. Disconnected segments are created when needed by HCX. You can also create disconnected network segments and can convert them to other segment types.

An SDDC on VMware Cloud on AWS does not contain a default network segment, so you must create at least one for your workload VMs. You can use the VMC Console to create network segments or to delete network segments that are no longer in use.

When you create a network segment, ensure that it does not overlap your management network or any of the subnets in your connected Amazon VPC.

Virtual Infrastructure Design for Extending the SDDC to VMware Cloud on AWS

This virtual design includes design decision details for the physical properties of the SDDC on VMware Cloud on AWS implementation as Region C in this design.

- Hybrid Linked Mode Design

  You configure Hybrid Linked Mode to link the vCenter Server instance on your VMware Cloud on AWS SDDC with your on-premises vCenter Single Sign-On domain.

- Resource Reservation Design

  When you deploy an SDDC on VMware Cloud on AWS, the configuration of the initial cluster includes reserving resources for the management workloads so that capacity for SDDC infrastructure management is always available.

Hybrid Linked Mode Design

You configure Hybrid Linked Mode to link the vCenter Server instance on your VMware Cloud on AWS SDDC with your on-premises vCenter Single Sign-On domain.

Shared vCenter Single Sign-On Domain

When you link a vCenter Server instance on VMware Cloud on AWS to a workload domain where multiple vCenter Server instances are connected in Enhanced Linked Mode, all those instances are linked to the SDDC on VMware Cloud on AWS.

By using Hybrid Linked Mode, you can:

- View and manage the inventories of both your on-premises and VMware Cloud on AWS data centers from a single vSphere Client interface by using your on-premises credentials.


- Migrate workloads between your on-premises and VMware Cloud on AWS data centers.

- Share tags and tag categories from your on-premises to your VMware Cloud on AWS vCenter Server instance.

Figure 3-5. Design of a Shared vCenter Single Sign-On Domain

[Figure: Region A (SFO) and Region B (LAX) each contain a Platform Services Controller appliance, a Management vCenter Server appliance, a Compute vCenter Server appliance and an NSX Edge load balancer, all joined to one shared vCenter Single Sign-On domain. Region C (VMC) contains the VMware Cloud vCenter Server, linked to that domain through the vCenter Cloud Gateway deployed in SFO.]

vCenter Cloud Gateway

To enable Hybrid Linked Mode, the vCenter Server instance on VMware Cloud on AWS must be able to communicate with all the on-premises vCenter Server instances in Region A and Region B. To exchange authentication and management functions between the VMware Cloud on AWS and the on-premises vCenter Server instances, you deploy a vCenter Cloud Gateway (VCG) appliance. For seamless authentication, you join the VCG appliance to the existing on-premises vCenter Single Sign-On domain. This configuration spans the vCenter Single Sign-On domain between both on-premises and VMware Cloud on AWS vCenter Server instances.

Provide the compute and storage resources for the operation of the vCenter Cloud Gateway appliance.

Table 3-12. Minimum Hardware Requirements for the vCenter Cloud Gateway Appliance

Hardware Minimum required

CPUs 8

Memory 24 GB

Storage 190 GB


Table 3-13. Design Decisions on the vCenter Cloud Gateway Deployment

Decision ID: SDDC-VMC-VI-001
Design Decision: Deploy the vCenter Cloud Gateway appliance in the management cluster in Region A.
Design Justification: Managing separate vCenter Single Sign-On domains limits the capabilities of the hybrid cloud.
Design Implication: Additional on-premises resources are required for the appliance.

Decision ID: SDDC-VMC-VI-002
Design Decision: Deploy the vCenter Cloud Gateway on the management VLAN.
Design Justification: The vCenter Cloud Gateway does not support VXLAN.
Design Implication: If an outage occurs, you must deploy the appliance again. You cannot fail it over to the recovery region of the on-premises SDDC.

Resource Reservation Design

When you deploy an SDDC on VMware Cloud on AWS, the configuration of the initial cluster includes reserving resources for the management workloads so that capacity for SDDC infrastructure management is always available.

The initial cluster of the VMware Cloud on AWS SDDC runs both the management applications and provisioned tenant workloads.

Because the SDDC must remain operational even if resource contention occurs, when VMware Cloud on AWS deploys the SDDC, it reserves resources in the cluster for the management components by creating resource pools. The initial cluster contains two resource pools, Mgmt-ResourcePool and Compute-ResourcePool, and the reservations are set on the management resource pool.

VMware Cloud on AWS assigns the Management Storage Policy to all management virtual machines. To guarantee that management virtual machines always receive all required storage resources, the object space reservation property of the Management Storage Policy is set to thick provisioning.

Table 3-14. Reservations for the Management Components in the Initial Cluster

Resource | Reservation for the Management Resource Pool | Reservation for the Compute Resource Pool
CPU      | 73.5 GHz (Expandable)                        | 0 GHz
Memory   | 117 GB (Expandable)                          | 0 GB
Storage  | 11.12 TB                                     | 0 TB

Operations Management Design for Extending the SDDC to VMware Cloud on AWS

Operating a hybrid SDDC that consists of on-premises and VMware Cloud on AWS SDDC components can be performed by using the same management components as a standalone on-premises SDDC. You extend and integrate vRealize Operations Manager and vRealize Log Insight for seamless Day-2 operations of both environments.

- vRealize Operations Manager Design for the SDDC Infrastructure on VMware Cloud on AWS

  vRealize Operations Manager is the monitoring management component that exists in the on-premises SDDC infrastructure, and can also be extended across the management VPN to monitor the SDDC infrastructure on VMware Cloud on AWS. Because VMware Cloud on AWS is a solution hosted and managed by VMware, not all metrics, events, and alerts are made available.

- vRealize Log Insight and Log Intelligence Design for the SDDC Infrastructure on VMware Cloud on AWS

  vRealize Log Insight is the logging management component that exists in the on-premises SDDC infrastructure. VMware Log Intelligence™ is the service that you can use to collect selected logs from your SDDC on VMware Cloud on AWS. To enable forwarding the logs from VMware Log Intelligence to the on-premises vRealize Log Insight instances, you must deploy a Cloud Proxy in each on-premises region.

vRealize Operations Manager Design for the SDDC Infrastructure on VMware Cloud on AWS

vRealize Operations Manager is the monitoring management component that exists in the on-premises SDDC infrastructure, and can also be extended across the management VPN to monitor the SDDC infrastructure on VMware Cloud on AWS. Because VMware Cloud on AWS is a solution hosted and managed by VMware, not all metrics, events, and alerts are made available.

To configure monitoring of your SDDC on VMware Cloud on AWS by using vRealize Operations Manager, you connect to the vCenter Server instance on the VMware Cloud on AWS SDDC by using an adapter instance. The new adapter instance uses the existing default remote collector group in vRealize Operations Manager.


Figure 3-6. Logical Design for Extending Operations Management to VMware Cloud on AWS

[Figure: the vRealize Operations Manager analytics cluster (master, replica and data nodes on shared storage, behind an external load balancer, with user interface and API access) in Region A, with Region B as its failover location. Each of Region A and Region B runs a remote collector group (Remote Collector 1 and 2) whose metric adapters, management packs and Suite API integrations cover vCenter Server, NSX, vRealize Log Insight, vRealize Automation, vRealize Business, Site Recovery Manager, vSAN, storage devices and additional solutions. Region C contributes a vCenter Server integration only.]


Figure 3-7. Network Design for Extending Operations Management to VMware Cloud on AWS

[Figure: the analytics cluster nodes vrops01svr01a, vrops01svr01b and vrops01svr01c on Mgmt-xRegion01-VXLAN in Region A, reachable through the VIP vrops01svr01.rainpole.local on load balancer sfo01m01lb01, with a placeholder disaster recovery analytics cluster behind lax01m01lb01 in Region B. Both connect over the external connection to the VMware Cloud vCenter Server and ESXi hosts on the infrastructure subnet of the SDDC on VMware Cloud on AWS (Region C).]


Table 3-15. Design Decisions on Monitoring Configuration

Decision ID: SDDC-VMC-OPS-001
Design Decision: Add an adapter instance for the vCenter Server instance on the VMware Cloud on AWS SDDC.
Design Justification: For each monitored vCenter Server instance, you create an adapter instance for collection of analytics data.
Design Implication: None.

Decision ID: SDDC-VMC-OPS-002
Design Decision: Use the default remote collector group when adding the adapter instance for the vCenter Server instance on the VMware Cloud on AWS SDDC.
Design Justification: The region-specific collectors are not failed over if a disaster recovery occurs. By using the default collector group, the analytics cluster collects metrics for this adapter instance. Because the analytics cluster is failed over if a disaster recovery event occurs, the connection to the vCenter Server instance on the VMware Cloud on AWS SDDC remains open.
Design Implication: Small additional load on the analytics cluster.

vRealize Log Insight and Log Intelligence Design for the SDDC Infrastructure on VMware Cloud on AWS

vRealize Log Insight is the logging management component that exists in the on-premises SDDC infrastructure. VMware Log Intelligence™ is the service that you can use to collect selected logs from your SDDC on VMware Cloud on AWS. To enable forwarding the logs from VMware Log Intelligence to the on-premises vRealize Log Insight instances, you must deploy a Cloud Proxy in each on-premises region.

When forwarding logs to another location, the logs must be tagged with a site code so that the log origin is traceable. This tagging also allows filters to be created that stop duplicate or circular logging.

Provide the compute and storage resources for the operation of the Cloud Proxy appliance.

Table 3-16. Resource Specification of the Cloud Proxy Appliance

Attribute      | Specification
Number of CPUs | 4 vCPUs
Memory         | 12 GB
Disk size      | 1.4 GB thin provisioned; 80 GB thick provisioned


Table 3-17. Design Decisions on Logging Configuration

Decision ID: SDDC-VMC-LOG-001
Design Decision: Enable the VMware Log Intelligence service for your SDDC on VMware Cloud on AWS.
Design Justification: Log collection from VMware Cloud on AWS is not possible without VMware Log Intelligence.
Design Implication: None.

Decision ID: SDDC-VMC-LOG-002
Design Decision: Deploy a Cloud Proxy appliance in each on-premises management cluster.
Design Justification: A Cloud Proxy is required to forward logs from Log Intelligence to the on-premises SDDC.
Design Implication: You must allocate additional resources to run the Cloud Proxy appliance.

Decision ID: SDDC-VMC-LOG-003
Design Decision: Tag the logs from the VMware Cloud on AWS SDDC with site=VMC.
Design Justification: Tagging logs allows for site identification and log filtering.
Design Implication: None.

Decision ID: SDDC-VMC-LOG-004
Design Decision: Filter the vRealize Log Insight forwarding rules to exclude site=VMC.
Design Justification: Each region must receive its own copy of the logs from the VMware Cloud on AWS SDDC by using a region-specific Cloud Proxy appliance. If a disaster occurs, logs are still forwarded to the running part of the on-premises SDDC.
Design Implication: Duplication of logs exists in each vRealize Log Insight instance.
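The interplay of decisions SDDC-VMC-LOG-003 and SDDC-VMC-LOG-004 is easiest to see in a simulation. The following added example (not VMware Validated Design code) tags events at ingest and applies the forwarding filter between the two regional vRealize Log Insight instances; the log lines and hostnames are constructed, and the extra rule that a region forwards only events originating at its own site is an assumption added to keep the two-way simulation loop-free.

```python
"""Site tagging and forwarding filters for the Log Intelligence -> Cloud
Proxy -> vRealize Log Insight design (decisions SDDC-VMC-LOG-003 and
SDDC-VMC-LOG-004). Added example, not VMware Validated Design code;
the log lines and hostnames are constructed."""
from collections import Counter
from typing import Dict, List

Event = Dict[str, str]

# Constructed syslog-style lines as they arrive at each collector.
VMC_LINES = [
    "esx-01.sddc.example vmkernel: host boot complete",
    "vcenter.sddc.example vpxd: session opened for administrator",
]
SFO_LINES = ["sfo01m01vc01.rainpole.local vpxd: datastore heartbeat ok"]
LAX_LINES = ["lax01m01vc01.rainpole.local vpxd: datastore heartbeat ok"]


def tag_events(lines: List[str], site: str) -> List[Event]:
    """Parse 'host program: message' and attach the site tag at ingest
    (SDDC-VMC-LOG-003: the Cloud Proxy tags VMware Cloud on AWS logs site=VMC)."""
    events: List[Event] = []
    for line in lines:
        host, _, rest = line.partition(" ")
        program, _, message = rest.partition(": ")
        events.append({"host": host, "program": program,
                       "message": message, "site": site})
    return events


def forwarding_filter(events: List[Event], own_site: str,
                      exclude_site: str = "VMC") -> List[Event]:
    """SDDC-VMC-LOG-004: never forward site=VMC, because the peer region
    receives its own copy through its own Cloud Proxy. Assumed in addition:
    forward only events that originated at this site, so that events received
    from the peer are not sent back (no circular logging)."""
    return [e for e in events
            if e["site"] != exclude_site and e["site"] == own_site]


def simulate(filtered: bool = True) -> Dict[str, List[Event]]:
    """Return the event store of the Log Insight instance in each region after
    one forwarding round in each direction."""
    stores = {
        "Region A": tag_events(SFO_LINES, "SFO") + tag_events(VMC_LINES, "VMC"),
        "Region B": tag_events(LAX_LINES, "LAX") + tag_events(VMC_LINES, "VMC"),
    }
    own_site = {"Region A": "SFO", "Region B": "LAX"}
    outbound = {
        region: forwarding_filter(events, own_site[region]) if filtered else list(events)
        for region, events in stores.items()
    }
    return {
        "Region A": stores["Region A"] + outbound["Region B"],
        "Region B": stores["Region B"] + outbound["Region A"],
    }


def duplicate_events(store: List[Event]) -> int:
    """Number of distinct events that appear more than once in a store."""
    counts = Counter((e["host"], e["program"], e["message"], e["site"]) for e in store)
    return sum(1 for n in counts.values() if n > 1)


if __name__ == "__main__":
    for filtered in (True, False):
        result = simulate(filtered)
        print("filtered" if filtered else "unfiltered",
              {r: (len(s), duplicate_events(s)) for r, s in result.items()})
```

Without the filter each region stores every VMware Cloud on AWS event twice (once from its own Cloud Proxy and once forwarded from the peer), which is exactly the duplication the design decision avoids.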


Figure 3-8. Log Forwarding Design

[Figure: VMware Cloud on AWS (Region C, 10.2.0.0/16 infrastructure subnet) forwards logs from the VMware Cloud vCenter Server and ESXi hosts over the external connection to VMware Log Intelligence in VMware Cloud Services. A VMware Cloud Proxy in the management cluster of Region A and of Region B forwards those logs to the vRealize Log Insight instance in its own region.]

Cloud Management Design for Extending the SDDC to VMware Cloud on AWS

vRealize Automation is the management component in the on-premises SDDC infrastructure for deploying blueprints and applications. You can use your on-premises vRealize Automation deployment with your SDDC on VMware Cloud on AWS.

You can configure the SDDC on VMware Cloud on AWS as a deployment endpoint for vRealize Automation, so that all deployment actions take place over the management VPN. The configuration includes creating an infrastructure endpoint and a fabric group with the following details:


Table 3-18. Design Decisions on vRealize Automation Endpoints

Decision ID: SDDC-VMC-CMP-001
Design Decision: Create a vSphere endpoint to the SDDC on VMware Cloud on AWS.
Design Justification: vSphere endpoints and vCenter Server instances in each region have a one-to-one relationship. You use an endpoint for each region.
Design Implication: As you add more SDDCs on VMware Cloud on AWS as regions, you must add more vSphere endpoints.

Table 3-19. Configuration of the Infrastructure Endpoint for VMware Cloud on AWS

Setting Value

vCenter Server URL https://vcenter.sddc-xxx-xxx-xxx-xxx.vmwarevmc.com/sdk

Resource Pool Compute-ResourcePool

Datastore WorkloadDatastore

VM & Template Folder Workloads

Network Any isolated or routed network segment
