VMware Cloud on AWS Networking and Security

VMware Cloud on AWS

Networking and Security

23 August 2024

SDDC Version 1.24

VMware Cloud on AWS

You can find the most up-to-date technical documentation on the VMware by Broadcom website at:

https://docs.vmware.com/

VMware by Broadcom

3401 Hillview Ave.

Palo Alto, CA 94304

www.vmware.com

and/or its subsidiaries. For more information, go to https://www.broadcom.com. All trademarks, trade

names, service marks, and logos referenced herein belong to their respective companies.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 2

Contents

About VMware Cloud on AWS Networking and Security 5

1 NSX Networking Concepts 6

Features Supported with NSX 11

Using the Networking and Security Dashboard

3 Configuring VMware Cloud on AWS Networking and Security Using NSX 15

SDDC Network Administration with NSX Manager 17

Open NSX Manager 18

Assign NSX Service Roles to Organization Members 21

NSX Roles and Permissions in VMware Cloud on AWS 23

Assign NSX Roles from an LDAP Identity Source 25

Connecting Your On-Premises SDDC to Remote Networks 27

Configure AWS Direct Connect Between Your SDDC and On-Premises Data Center 28

Configure a VPN Connection Between Your SDDC and On-Premises Data Center 36

Configure Management Gateway Networking and Security 58

Set vCenter FQDN Resolution Address 58

Set HCX FQDN Resolution Address 59

Add or Modify Management Gateway Firewall Rules 59

Configure Compute Gateway Networking and Security 64

Create or Modify a Network Segment 64

Add or Modify Compute Gateway Firewall Rules 70

Add or Modify Distributed Firewall Rules 73

Configure DNS Services 79

Creating and Managing SDDC Deployment Groups with VMware Transit Connect™ 81

Create or Modify an SDDC Group 89

Connect SDDC Groups in VMware Cloud on AWS 97

Add Compute Gateway Firewall Rules to Enable SDDC Group Member Workload

Connectivity 98

Attach a Direct Connect Gateway to an SDDC Group 100

Use vCenter Linking in an SDDC Group 102

Add a Custom Tier-1 Gateway to a VMware Cloud on AWS SDDC 104

Connect a VPN to a Tier-1 Gateway 106

Enabling and Using IPv6 in SDDC Networks 110

Configure a Multi-Edge SDDC With Traffic Groups 112

Enable AWS Managed Prefix List Mode for the Connected Amazon VPC 116

Aggregate and Filter Routes to Uplinks 119

VMware by Broadcom

View Routes Learned and Advertised over VMware Transit Connect 121

View Statistics and Manage Settings for Uplinks 121

Working With Inventory Groups 122

About Context Profiles 123

Managing Workload Connections 123

Attach a VM to or Detach a Workload VM from a Compute Network Segment 124

Request or Release a Public IP Address 125

Create or Modify NAT Rules 126

Creating Firewall Rules to Manage Traffic Between the Compute and Management Networks

130

4 Configure Monitoring and Troubleshooting Features 132

Configure IPFIX 133

Configure Port Mirroring 133

View Connected VPC Information and Troubleshoot Problems With the Connected VPC 134

Working with NSX Events and Alarms 136

NSX Alarms Catalog for VMware Cloud on AWS 138

About VMware vDefend Firewall Features

142

VMware Cloud on AWS Networking and Security

VMware by Broadcom 4

About VMware Cloud on AWS Networking

and Security

This guide provides information about configuring NSX networking and security for VMware

Cloud on AWS.

Intended Audience

This information is intended for anyone who wants to use VMware Cloud on AWS to create an

SDDC that has the networking and security infrastructure necessary to migrate workloads off

premises and run them securely in the cloud. It was written for readers who have used vSphere

in an on-premises environment and are familiar with the fundamentals of IP networking using

NSX

or another networking solution. In-depth knowledge of vSphere or Amazon Web Services is not

required.

VMware by Broadcom

NSX Networking Concepts

VMware Cloud on AWS uses NSX to create and manage SDDC networks. NSX provides an agile

software-defined infrastructure to build cloud-native application environments.

This guide explains how to manage your SDDC networks using NSX and the VMware Cloud

Console Networking and Security Dashboard.

You can access the NSX Manager in your SDDC in several ways:

n By using a secure reverse proxy server to connect to a public IP address reachable by any

browser that can connect to the Internet.

n By using a private network connection to reach the NSX Manager's private IP directly.

Examples of private connections include: VPN, Direct Connect (Private VIF), through an SDDC

Group, or via an EC2 instance (jump host) in the Connected VPC.

n By connecting directly to your cloud provider’s network. AWS Direct Connect provides this

kind of connection for VMware Cloud on AWS. See Configure AWS Direct Connect Between

Your SDDC and On-Premises Data Center.

See Open NSX Manager for details.

SDDC Network Topology

When you create an SDDC, it includes a Management Network. You specify the Management

Network CIDR block when you create the SDDC. It cannot be changed after the SDDC has been

created. See Deploy an SDDC from the VMC Console for details.

A VMware Cloud on AWS SDDC has two separate network layers:

The AWS Underlay Network

This is the AWS VPC subnet that you specify when you deploy the SDDC. It supports the

native AWS networking and services that provide connectivity to the SDDC.

The NSX Overlay Network

This is the layer in which all SDDC subnets are created and all SDDC appliances and

workloads run.

VMware by Broadcom

The two layers are connected by one or more NSX Edge appliances, which enable

communication over the Connected VPC between VMs in the SDDC and native AWS workloads,

as well as connectivity to remote networks including the Internet, AWS Direct Connect, VMware

Transit Connect (for SDDC groups), and other AWS endpoints such as VPCs, TGWs, and DXGWs.

The Management Network has two subnets:

Appliance Subnet

This subnet is used by the vCenter, NSX and HCX appliances in the SDDC. Other appliance-

based services that you add to the SDDC also connect to this subnet.

Infrastructure Subnet

This subnet is used by the ESXi hosts in the SDDC.

The Compute Network includes an arbitrary number of logical segments for your workload

VMs. See VMware Configuration Maximums for current limits on logical segments. You must

create compute network segments to meet your workloads' needs. See VMware Configuration

Maximums for applicable limits.

An SDDC network has two notional tiers:

n Tier-0 handles north-south traffic (traffic leaving or entering the SDDC, or between the

Management and Compute gateways). In the default configuration, each SDDC has a single

Tier-0 router. If an SDDC is a member of an SDDC group, you can reconfigure the SDDC to

add Tier-0 routers that handle SDDC group traffic. See Configure a Multi-Edge SDDC With

Traffic Groups.

n Tier-1 handles east-west traffic (traffic between routed network segments within the SDDC).

In the default configuration, each SDDC has a single Tier-1 router. You can create and

configure additional Tier-1 gateways if you need them. See Add a Custom Tier-1 Gateway

to a VMware Cloud on AWS SDDC.

Both tiers are created on the AWS Overlay network.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 7

Figure 1-1. SDDC Network Topology

Tier0

Default

CGW

T1 MGW

Linked Customer VPC

Custom T1 -

Isolated

Direct

Connect (DX)

Customer

Site

Internet

ESXi hosts

Internet Interface

IGW

VPC Interface

Intranet Interface

VGW

VTI

(Route-based VPN)

HCX

Mgr/IX/L2C

SRM/vSR

vCenter

Edge0/1

NSX

Managers

Routed Compute

Segment

VMware Cloud on AWS

SDDC

Linked Customer AWS Account

xENI

Main Route

Table

SDDC Subnet

DXGW

BGP

Connected VPC

Transit VIF

Hosted Private

VIF

vTGW (Transit

Connect)

BGP

AWS VPC Underlay

SDDC NSX Overlay

Management

Network

Custom T1 –

Routed/NAT

BGP

NSX Edge Appliance

The default NSX Edge Appliance is implemented as a pair of VMs that run in active/standby

mode. This appliance provides the platform on which the default Tier-0 and Tier-1 routers

run, along with IPsec VPN connections and their BGP routing machinery. All north-south

traffic goes through the default Tier-0 router. To avoid sending east-west traffic through the

appliance, a component of each Tier-1 router runs on every ESXi host that handles routing for

destinations within the SDDC.

If you need additional bandwidth for the subset of this traffic routed to SDDC group

members, a Direct Connect Gateway attached to an SDDC group, HCX Service Mesh, or

to the Connected VPC, you can reconfigure your SDDC to be Multi-Edge by creating traffic

groups, each of which creates an additional T0 router. See Configure a Multi-Edge SDDC With

Traffic Groups for details.

Note VPN traffic, as well as DX traffic to a private VIF must pass through the default T0 and

cannot be routed to a non-default traffic group. In addition, because NAT rules always run on

the default T0 router, additional T0 routers cannot handle traffic subject to NAT rules. This

includes traffic to and from the SDDC's native Internet connection. It also includes traffic to

the Amazon S3 service, which uses a NAT rule and must go through the default T0.

Management Gateway (MGW)

The MGW is a Tier-1 router that handles routing and firewalling for vCenter and other

management appliances running in the SDDC. Management gateway firewall rules run on

the MGW and control access to management VMs. In a new SDDC, the Internet connection

VMware Cloud on AWS Networking and Security

VMware by Broadcom 8

is labeled Not Connected in the Overview tab and remains blocked until you create a

Management Gateway Firewall rule allowing access from a trusted source. See Add or Modify

Management Gateway Firewall Rules.

Compute Gateway (CGW)

The CGW is a Tier-1 router that handles network traffic for workload VMs connected to

routed compute network segments. Compute gateway firewall rules, along with NAT rules,

run on the Tier-0 router. In the default configuration, these rules block all traffic to and from

compute network segments (see Configure Compute Gateway Networking and Security).

Routing Between Your SDDC and the Connected VPC

When you create an SDDC, we pre-allocate 17 AWS Elastic Network Interfaces (ENIs) in the

selected VPC owned by the AWS account you specify at SDDC creation. We assign each of

these ENIs an IP address from the subnet you specify at SDDC creation, then attach each of the

hosts in the SDDC cluster Cluster-1 to one of these ENIs. An additional IP address is assigned to

the ENI where the active NSX Edge Appliance is running.

This configuration, known as the Connected VPC, supports network traffic between VMs in the

SDDC and native AWS instances and services with addresses in the Connected VPC's primary

CIDR block. When you create or delete routed network segments connected to the default CGW,

the main route table is automatically updated. When Managed Prefix List mode is enabled for the

Connected VPC, the main route table and any custom route tables to which you have added the

managed prefix list are also updated.

The Connected VPC (or SERVICES) Interface is used for all traffic to destinations within the

Connected VPC's primary CIDR. AWS services or instances that communicate with the SDDC

must be in subnets associated with the main route table of the Connected VPC when using

the default configuration. If the AWS Managed Prefix List Mode mode is enabled (see Enable

AWS Managed Prefix List Mode for the Connected Amazon VPC) then you can manually add the

Managed Prefix list to any custom route table within the connected VPC when you want AWS

services and instances using those custom route tables to communicate with SDDC workloads

over the SERVICES Interface.

When the NSX Edge appliance in your SDDC is moved to another host, either to recover from

a failure or during SDDC maintenance, the IP address allocated to the appliance is moved to the

new ENI (on the new host), and the main route table, along with any custom route tables that use

a Managed Prefix List, is updated to reflect the change. If you have replaced the main route table

or are using a custom route table but have not enabled Managed Prefix List Mode, that update

fails and network traffic can no longer be routed between SDDC networks and the Connected

VPC. See View Connected VPC Information and Troubleshoot Problems With the Connected VPC

for more about how to use the VMware Cloud Console to see the details of your Connected VPC.

VMware Cloud on AWS provides several facilities to help you aggregate routes to the Connected

VPC, other VPCs, and your VMware Managed Transit Gateways. See Enable AWS Managed

Prefix List Mode for the Connected Amazon VPC.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 9

For an in-depth discussion of SDDC network architecture and the AWS network objects that

support it, read the VMware Cloud Tech Zone article VMware Cloud on AWS: SDDC Network

Architecture.

Reserved Network Addresses

Certain IPv4 address ranges are unavailable for use in SDDC compute networks. Several are used

internally by SDDC network components. Most are reserved by convention on other networks as

well.

Table 1-1. Reserved Address Ranges in SDDC Networks

n 10.0.0.0/15

n 172.31.0.0/16

These ranges are reserved within the SDDC management subnet,

but can be used in your on-premises networks or SDDC compute

network segments.

n 169.254.0.0/19

n 169.254.64.0/24

n 169.254.101.0/30

n 169.254.105.0/24

n 169.254.106.0/24

Per RFC 3927, all of 169.254.0.0/16 is a link-local range that cannot be

routed beyond a single subnet. However, with the exception of these

CIDR blocks, you can use 169.254.0.0/16 addresses for your virtual

tunnel interfaces. See Create a Route-Based VPN.

Note SDDC versions 1.20 and earlier also reserve 100.64.0.0/16 for carrier-grade NAT per

RFC 6598. Avoid using addresses in this range in SDDC versions earlier than 1.22. See VMware

Knowledge Base article 76022 for a detailed breakdown of how older SDDC networks use the

100.64.0.0/16 address range and VMware Knowledge Base article 92322 for more information

about reserved address range changes in SDDC version 1.22.

SDDC networks also observe the conventions for special Use IPv4 address ranges enumerated in

RFC 3330.

Multicast Support in SDDC Networks

In SDDC networks, layer 2 multicast traffic is treated as broadcast traffic on the network segment

where the traffic originates. It is not routed beyond that segment. Layer 2 multicast traffic

optimization features such as IGMP snooping are not supported. Layer 3 multicast (such as

Protocol Independent Multicast) is not supported in VMware Cloud on AWS.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 10

MTU Considerations for Internal and External Traffic

Network traffic internal to the SDDC (including traffic to and from the Connected VPC) supports

an MTU of up to 8900 bytes. Traffic to the MGW is generally limited to 1500 bytes because

management appliance interfaces use an MTU of 1500. Other MTU defaults are listed in VMware

Configuration Maximums. The following guidelines apply to MTU values throughout the SDDC

network:

n SDDC group and DX share the same interface so must use the lower MTU value (8500 bytes)

when both connections are in use.

n All VM NICs and interfaces on the same segment need to have the same MTU.

n MTU can differ between segments as long as the endpoints support PMTUD and any firewalls

in the path permit ICMP traffic.

n The layer 3 (IP) MTU must be less than or equal to the underlying layer 2 connection's

maximum supported packet size (MTU) minus any protocol overhead. In VMware Cloud on

AWS this is the NSX segment, which supports layer 3 packets with an MTU of up to 8900

bytes.

Understanding SDDC Network Performance

For a detailed discussion of SDDC network performance, please read the VMware Cloud Tech

Zone Designlet Understanding VMware Cloud on AWS Network Performance.

Read the following topics next:

n Features Supported with NSX

Features Supported with NSX

NSX supports a wide range of networking and security solutions.

NSX was designed specifically to support diverse data center environments at scale and provide

robust capabilities for containers and the cloud.

Note NSX Configuration Maximums are now included in VMware Configuration Maximums.

Networking and Connectivity Features

NSX provides all the networking capabilities required by workloads running in the SDDC. These

capabilities allow you to:

n Deploy networks (L2, L3, and isolated) and define subnets and gateways for the workloads

that will reside there.

n L2VPNs extend your on-premises L2 domains to the SDDC, enabling workload migration

without IP address changes.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 11

n Route-based IPsec VPNs can connect to on-premises networks, VPCs, or other SDDCs.

Route-based VPNs use BGP to learn new routes as networks become available.

n Policy-based IPsec VPNs can also be used to connect to on-premises networks, VPCs, or

other SDDCs.

n Isolated networks have no uplinks, and provide access only to those VMs connected to

them.

n Use AWS Direct Connect (DX) to carry traffic between on-premises and SDDC networks

over high bandwidth, low latency connectivity. You can optionally use a route-based VPN as

backup for DX traffic.

n Enable native DHCP selectively for network segments or use DHCP relay to link with an

on-premises IPAM solution.

n Create multiple DNS zones, allowing use of different DNS servers for network subdomains.

n Take advantage of distributed routing, managed by an NSX kernel module running on the

host where the workload resides, so workloads can efficiently communicate with each other.

Security Features

NSX security features include network address translation (NAT) and advanced firewall

capabilities.

n Source NAT (SNAT) is automatically applied to all workloads in the SDDC to enable Internet

access. To provide a secure environment, Internet access is blocked at edge firewalls, but

firewall policy can be changed to allow managed access. You can also request a public IP for

workloads and create custom NAT policies for them.

n Edge firewalls run on the management and compute gateways. These stateful firewalls

examine all traffic into and out of the SDDC.

n Distributed Firewall (DFW) is a stateful firewall that runs on all SDDC hosts. It provides

protection for traffic within the SDDC and enables micro-segmentation to allow fine-grained

control over traffic between workloads.

Network Operations Tools

NSX also provides several popular network operations management tools.

n Port mirroring can send mirrored traffic from a source to a destination appliance in the SDDC

or your on-premises network.

n IPFIX supports segment-specific network traffic analysis by sending traffic flows to an IPFIX

collector.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 12

Using the Networking and

Security Dashboard

The Networking and Security dashboard provides a single-page view of SDDC networking and

security status with links to NSX Manager network management functions.

Important The legacy Networking & Security view is deprecated as of SDDC version 1.22

and will be removed in a future release. Until then, you can temporarily revert to the legacy

Networking & Security view by clicking Switch View in the Networking and Security dashboard

banner.

Information in the Dashboard View

The dashboard view provides information about SDDC connectivity, Management and Compute

gateways, and your cloud provider.

VPN

This card summarizes information about VPNs in the SDDC. Route-based and policy-based

IPsec VPNs are supported. Either type of VPN can connect to the SDDC over the Internet.

A route-based VPN can also connect to the SDDC over AWS Direct Connect. You can

also configure a Layer 2 VPN, which can be especially useful for workload migration See

Configure a VPN Connection Between Your SDDC and On-Premises Data Center for more

information about VPN types and how to configure them.

Direct Connect

This card shows the status of the SDDC's Direct Connect connection if one exists. AWS

Direct Connect (DX) is a service provided by AWS that creates a high-speed, low latency

connection between your on-premises data center and AWS services. When you configure

AWS Direct Connect, VPNs can route traffic over DX instead of the public Internet.

Because DX implements Border Gateway Protocol (BGP) routing, use of an L3VPN for the

management network is optional when you configure DX. DX traffic is not encrypted. If you

want to encrypt that traffic, configure an IPsec VPN that uses DX and a private IP address.

See Configure AWS Direct Connect Between Your SDDC and On-Premises Data Center for

more information about AWS Direct Connect.

Transit Connect

VMware by Broadcom

If this SDDC is a member of an SDDC group, this card shows the status of the VMware

Transit Connect connection for the group. An SDDC deployment group uses VMware Transit

Connect to provide high-bandwidth, low-latency connections between SDDCs in the group.

An SDDC group can include VPCs you own. See Creating and Managing SDDC Deployment

Groups with VMware Transit Connect™.

Management Gateway

This card shows the status of the SDDC's Management Gateway (MGW) and subnets.

The MGW is a Tier-1 router that handles routing and firewalling for vCenter and other

management appliances running in the SDDC. Management gateway firewall rules run on

the MGW and control access to management VMs. In the default configuration, these rules

block all inbound traffic to the management network. See Configure Management Gateway

Networking and Security for more information.

Default Compute Gateway

This card shows the status of the SDDC's Compute Gateway and compute network

segments. The SDDC Compute compute network includes one or more segments and

supports the DNS, DHCP, and security (gateway firewall and distributed firewall) services

that manage network traffic for workload VMs. See

Configure Compute Gateway Networking

and Security for more information.

Cloud Provider

This card provides a superset of the information available on the SDDC Connected VPC

page.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 14

Configuring VMware Cloud on

AWS Networking and Security

Using NSX

Follow this workflow to configure NSX networking and security in your SDDC.

Procedure

1 SDDC Network Administration with NSX Manager

You can use either the NSX Web UI or the VMware Cloud Console Networking & Security

tab to manage your SDDC networks.

2 Connecting Your On-Premises SDDC to Remote Networks

To connect your VMware Cloud on AWS SDDC to your on-premises data center or another

remote network, you can create a VPN that uses the public Internet, a VPN that uses AWS

Direct Connect, or just use AWS Direct Connect alone.

3 Configure Management Gateway Networking and Security

The management network and Management Gateway are largely preconfigured in your

SDDC, but you'll still need to configure access to management network services like vCenter

and HCX and create management gateway firewall rules to allow traffic between the

management network and other networks, including your on-premises networks and other

SDDC networks.

4 Configure Compute Gateway Networking and Security

Compute Gateway networking includes a compute network with one or more segments and

the DNS, DHCP, and security (gateway firewall and distributed firewall) configurations that

manage network traffic for workload VMs. It can also include a layer 2 VPN and extended

network that provides a single broadcast domain that spans your on-premises network and

your SDDC workload network.

5 Creating and Managing SDDC Deployment Groups with VMware Transit Connect™

An SDDC deployment group uses VMware Transit Connect to provide high-bandwidth, low-

latency connections between SDDCs in the group. An SDDC group can include VPCs you

own. You can also add an AWS Direct Connect Gateway (DXGW) to provide connectivity

between group members and your on-premises SDDCs.

VMware by Broadcom

6 Add a Custom Tier-1 Gateway to a VMware Cloud on AWS SDDC

Every new VMware Cloud on AWS SDDC includes a default Tier-1 gateway named the

Compute Gateway (CGW). You can create and configure additional custom Tier-1 gateways

if you need them. Each Tier-1 gateway sits between the SDDC Tier-0 gateway and an

arbitrary number of compute network segments.

7 Enabling and Using IPv6 in SDDC Networks

Beginning with SDDC Version 1.22, you can enable dual-stack (IPv4 and IPv6) networking in

a new SDDC.

8 Configure a Multi-Edge SDDC With Traffic Groups

In the default configuration, your SDDC network has a single edge (T0) router through

which all North-South traffic flows. This edge supports the default traffic group, which is

not configurable. If you need additional bandwidth for the subset of this traffic routed to

SDDC group members, a Direct Connect Gateway attached to an SDDC group, VMware HCX

Service Mesh, or to the Connected VPC, you can reconfigure your SDDC to be Multi-Edge by

creating traffic groups, each of which creates an additional T0 router.

9 Enable AWS Managed Prefix List Mode for the Connected Amazon VPC

AWS Managed Prefix List Mode can simplify route table management in a Multi-Edge SDDC

and enable support in any SDDC for custom route tables and route aggregation.

10 Aggregate and Filter Routes to Uplinks

Use route aggregation and egress filtering to control the set of routes advertised to SDDC

network uplinks like Direct Connect, VMware Transit Connect and the Connected VPC. You'll

need this in cases where you have to reduce the number of entries in a VPC route table or

limit the set of routes that are advertised to uplinks.

11 View Routes Learned and Advertised over VMware Transit Connect

In an SDDC that is a member of an SDDC Group, you can open the Transit Connect page to

view routes learned and advertised by the VMware Transit Connect instance created for the

group.

12 View Statistics and Manage Settings for Uplinks

The Global Configuration page includes controls that allow you to view traffic statistics and

manage Maximum Transmissible Unit (MTU) and Unicast Reverse Path Forwarding (URPF)

settings for SDDC network uplinks.

13 Working With Inventory Groups

VMware Cloud on AWS network administrators can use NSX inventory objects to define

collections of services, groups, context profiles, and virtual machines to use in firewall rules.

14 Managing Workload Connections

Workload VMs on routed segments or HCX extended networks with MON enabled can

connect to the Internet by default. NAT rules, Compute Gateway firewall rules, and

distributed firewall rules, as well as default routes advertised by a VPN, DX, or VTGW

connection all give you fine-grained control over Internet access.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 16

SDDC Network Administration with NSX Manager

You can use either the NSX Web UI or the VMware Cloud Console Networking & Security tab to

manage your SDDC networks.

NSX Manager supports a superset of the features found on the Networking & Security tab. See

NSX Manager in the

NSX Data Center Administration Guide

for information about how to use

NSX Manager.

Accessing NSX Manager

You can use a VPN to access the local NSX manager at its private IP address, or use any browser

to access it over the Internet at its public IP address. See Open NSX Manager. You can also

access the local NSX manager over Direct Connect.

Note Many NSX workflows start by telling you to "log in with admin privileges to an NSX

Manager." When you click OPEN NSX MANAGER in the VMware Cloud Console and choose

ACCESS VIA THE INTERNET, you can skip this step. This option gives you access to the SDDC

NSX manager with the rights included in your VMware Cloud on AWS organization role. The NSX

Cloud Admin role has admin access to NSX. The the NSX Cloud Auditor has read-only access

to NSX. See Assign NSX Service Roles to Organization Members for more information on service

roles and how to assign them.

If you click OPEN NSX MANAGER and log in to NSX via the internal network, your role is

determined by your NSX credentials, not your organization role.

Workflow Navigation

The Networking & Security tab combines NSX Networking page features like VPN, NAT, and

DHCP with Security page features like firewalls and features from other NSX pages including

Inventory, Plan & Troubleshoot, and System. In this publication, references to NSX user interface

items apply to both the NSX Manager Web UI and the VMware Cloud Console Networking &

Security tab.

Use this table to map starting points for workflows in this publication to the appropriate items in

the Networking & Security tab and NSX manager

Table 3-1. SDDC Network Administration Workflows

Workflow Networking & Security Tab NSX

Overview Overview Overview

Create or Modify a Network Segment Network > Segments Networking > Connectivity >

Segments

Configure a VPN Connection

Between Your SDDC and On-

Premises Data Center

Network > VPN Networking > Network Services >

VPN

Create or Modify NAT Rules Network > NAT Networking > Network Services >

NAT

VMware Cloud on AWS Networking and Security

VMware by Broadcom 17

Table 3-1. SDDC Network Administration Workflows (continued)

Workflow Networking & Security Tab NSX

Add a Custom Tier-1 Gateway to a

VMware Cloud on AWS SDDC

Network > Tier-1 Gateways Networking > Connectivity > Tier-1

Gateways

Configure a Multi-Edge SDDC With

Traffic Groups

Network > Transit Connect Networking > Cloud Services >

Transit Connect

Configure AWS Direct Connect

Between Your SDDC and On-

Premises Data Center

System > Direct Connect Networking > Cloud Services >

Direct Connect

View Connected VPC Information

and Troubleshoot Problems With the

Connected VPC

System > Connected VPC Networking > Cloud Services >

Connected VPC

Request or Release a Public IP

Address

System > Public IPs Networking > Cloud Services >

Public IPs

Configure DNS Services System > DNS Networking > IP Management > DNS

Configure Segment DHCP Properties System > DHCP Networking > IP Management >

DHCP

Add or Modify Management Gateway

Firewall Rules, Add or Modify

Compute Gateway Firewall Rules

Security > Gateway Firewall Security > Gateway Firewall

Add or Modify Distributed Firewall

Rules

Security > Distributed Firewall Security > Distributed Firewall

Chapter 5 About VMware vDefend

Firewall Features

Security > Distributed IDS/IPS Security > Distributed IDS/IPS

Working With Inventory Groups Inventory Inventory

Chapter 4 Configure Monitoring and

Troubleshooting Features

Tools Plan & Troubleshoot

Open NSX Manager

The SDDC NSX Manager is accessible at a public IP address reachable by any browser that can

connect to the Internet. Click OPEN NSX MANAGER on the SDDC Summary page.

The SDDC NSX Manager also has a private IP address on the management network, which

is protected by the management gateway (MGW). By default, the MGW blocks traffic to all

management network destinations, including NSX, from all sources. To access the local NSX

Manager at its private IP address, you must add management gateway firewall rules that allow

only secure traffic from trusted sources. You can use any of the following connection types to

connect to the SDDC NSX Manager at a private IP address:

n Configure AWS Direct Connect Between Your SDDC and On-Premises Data Center

This option provides a dedicated connection between your enterprise and the SDDC. It can

be combined with an IPsec VPN to encrypt traffic.

n Configure a VPN Connection Between Your SDDC and On-Premises Data Center

VMware Cloud on AWS Networking and Security

VMware by Broadcom 18

This option provides an encrypted connection between your enterprise and the SDDC.

If you can't use Direct Connect or a VPN, you can access the local NSX manager over the

Internet at its public IP address. All traffic to the local NSX Manager public IP is encrypted and

authenticated, which minimizes the risk of tampering with this connection or its traffic outside of

your private network. The Settings tab for your SDDC provides connection and authentication

details for connecting to the local NSX manager.

Note In an SDDC where VMware Tanzu Kubernetes Grid has been enabled, NSX Manager

can display a Load Balancers tab. Services from this load balancer are available only to Tanzu

Kubernetes Grid workloads. See VMware Knowledge Base article 86368 for more information.

Prerequisites

This operation is restricted to users who have a VMware Cloud on AWS service role of NSX

Cloud Admin or NSX Cloud Auditor. See Assign Roles to an Organization Member for more

information on VMware Cloud on AWS service roles and how to assign them.

n An NSX service role is required for users to access NSX manager using SSO authentication

(either the "Private URL (Log in through VMware Cloud Services)" or "Public URL" and/or

when using the "Open NSX Manager button").

n When accessing the NSX Manager directly using either of the NSX Manager URLs, a VMware

Cloud on AWS Service Role such as Administrator or Administrator (Delete Restricted ) is

not required as long as the user has one of the NSX roles mentioned in Assign Roles to an

Organization Member.

n When accessing the NSX Manager using "Private URL (Log in through NSX Manager

credentials)", it is also possible to assign NSX roles to LDAP users or groups in the NSX

Manager directly, or by using the predefined system roles. Predefined system roles do not

require a VMware Cloud on AWS or NSX role assigned to the user in the CSP if the user has

been granted a role directly from NSX Manager.

Procedure

1 Log in to VMware Cloud Services at https://vmc.vmware.com.

2 Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.

3 Click the OPEN NSX MANAGER button on the SDDC card to open the local NSX Manager at

its default public IP address.

You are logged in to NSX using your VMware Cloud on AWS credentials.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 19

4 If your SDDC includes a VPN or DX connection and you want to access NSX Manager at its

private IP address, create a Management Gateway firewall rule that allows HTTPS traffic from

the VPN or DX to the local NSX Manager, then use a browser to open a connection to one of

the NSX Manager URLs listed on the Settings tab.

a Click the OPEN NSX MANAGER button and create the firewall rule.

See Add or Modify Management Gateway Firewall Rules for more information about

how to create a Management Gateway firewall rule. The rule must have the following

parameters:

MGW Firewall Rule Property Value

Sources An IP address or CIDR block in your on-premises data center.

Important Although you can select Any as the source address

in a firewall rule, using Any as the source address in this firewall

rule can enable attacks on your NSX Manager and may lead

to compromise of your SDDC. As a best practice, configure

this firewall rule to allow access only from trusted source

addresses.

Destinations The NSX Manager system-defined group.

Services HTTPS (TCP 443)

Action Allow

b Use a browser to open a connection to NSX.

Expand the NSX Manager URLs on the Settings tab to see the URLS and accounts that

you can use.

Access NSX Manager via the Internet

This URL contains the local NSX Manager's public IP address. We use this address when you

click the OPEN NSX MANAGER button.

Access NSX Manager via internal network

This is the NSX Manager's Private IP address on the management subnet. A management

gateway firewall rule like the one shown in 4.a allows traffic to this address.

If you cannot access NSX Manager via the internal network even though you have created

the necessary firewall rules, the problem might be caused by transient network issues. Click

TRY AGAIN to re-try access via the internal network, or open a browser and connect to

NSX Manager at its public URL. NSX private and public URLs are listed on the SDDC Console

Settings page.

URL to access via internal network (Log in through VMware Cloud Services)

Open this URL in a browser and log in to NSX manager using your VMware Cloud on AWS

credentials.

URL to access via internal network (Log in through NSX Manager credentials)

VMware Cloud on AWS Networking and Security

VMware by Broadcom 20

Open this URL in a browser and log in using the credentials of the NSX Manager Admin User

Account (to perform all tasks related to deployment and administration of NSX) or the NSX

Manager Audit User Account (to view NSX service settings and events).

c (Optional) Change the NSX manager default access to use the internal network.

After you have configured access to NSX manager via the internal network, you can open

the SDDC Settings tab and change the NSX Manager button default access from Via the

Internet (Public) to Via internal network (Private). After you make this change, clicking

the OPEN NSX MANAGER button opens the local NSX Manager at its private IP address

on the internal network.

Assign NSX Service Roles to Organization Members

Grant users in your organization an NSX service role to allow them to view or configure NSX

features in the SDDC.

Unlike organization roles, which specify the privileges that an organization member has over

organization assets, service roles specify the privileges that an organization member has when

accessing

VMware Cloud Services that the organization uses. All service roles can be assigned

and changed by an organization owner. When multiple roles are assigned to an organization

member, the effective access granted is based on the union of the rights on all assigned roles.

For more about service roles available in VMware Cloud on AWS, see Assign a VMware Cloud on

AWS Service Role to an Organization Member in

VMware Cloud on AWS Getting Started

The following NSX service roles are defined in SDDCs at version 1.24 and later.

Note The NSX Cloud Admin and NSX Cloud Auditor roles are not automatically assigned to an

organization member. An organization owner can use VMware Cloud Services to assign them, or

you can follow the steps in Assign NSX Roles from an LDAP Identity Source to assign them to

organization members who have LDAP accounts.

NSX Cloud Admin

This role can perform all tasks related to deployment and administration of the NSX service.

NSX Cloud Auditor

This role can view NSX service settings and events but cannot make any changes to the

service.

NSX Security Admin

This role can perform all tasks accessible from the NSX Security tab. This role cannot make

role assignments.

NSX Security Auditor

This role can view but not modify settings accessible from the NSX Security tab.

NSX Network Admin

VMware Cloud on AWS Networking and Security

VMware by Broadcom 21

This role can perform all tasks accessible from the NSX Networking tab. This role cannot

make role assignments.

NSX Network Auditor

This role can view but not modify settings accessible from the NSX Networking tab.

This table lists some of the tasks typically associated with each NSX service role.

Table 3-2. NSX Roles and Permitted Tasks

Task

NSX Cloud

Admin

NSX Cloud

Auditor

NSX Security

Admin

NSX Security

Auditor

NSX Network

Admin

NSX Network

Auditor

Open NSX

Manager

YES YES YES YES YES YES

Activate NSX

Advanced

Firewall

YES No YES No YES No

View SDDC

Networking &

Security tab

YES YES YES YES YES YES

Edit NSX

Default

Access

YES No YES No YES No

For a more detailed view of the rights associated with each NSXrole, see NSX Roles and

Permissions in VMware Cloud on AWS.

Prerequisites

You must be an Organization Owner to assign a service role to an organization member.

Procedure

1 Log in to the VMware Cloud Console at https://vmc.vmware.com.

2 Click the services icon and select Identity & Access Management.

3 Select a user and click Edit Roles.

4 Select the VMware Cloud on AWS service name under Assign Service Roles.

5 Select an NSX service role to assign.

Note When multiple service roles are assigned to an organization user, permissions are

granted for the most permissive role. For example, an organization member who has both

the NSX Cloud Admin and NSX Cloud Auditor roles is granted all the NSX Cloud Admin

permissions, which include those granted to the NSX Cloud Auditor role.

6 Click SAVE to save your changes.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 22

What to do next

Ensure that any users whose roles have been changed log out of VMware Cloud Services and log

back in so that the changes take effect.

NSX Roles and Permissions in VMware Cloud on AWS

NSX roles in VMware Cloud on AWS have a specific set of permissions for operations on SDDC

network objects.

This table provides a detailed breakdown of the permissions that each NSX role has for

operations on VMware Cloud on AWS SDDC network objects.

Table 3-3. NSX Roles and Permissions in VMware Cloud on AWS

Operation

NSX Cloud

Admin

NSX Cloud

Auditor

NSX Network

Admin

NSX

Network

Auditor

NSX

Security

Admin

NSX

Security

Auditor

Networking > Connectivity

> Tier-1 Gateways

Full Access

Access

Read Full Access Read Read Read

Networking > Connectivity

> Segments

Full Access Read Full Access Read Read Read

Networking > Connectivity

> Segments > Segment

Profiles

Full Access Read Full Access Read Read Read

Networking > IP

Management > DNS

Full Access Read Full Access Read Read Read

System > Certificates Full Access Read None None Full Access Read

Networking > Network

Services > NAT

Full Access Read Full Access Read Full Access Read

Networking > Network

Services > VPN

Full Access Read Full Access Read Full Access * Read

Tools > IPv6 Profiles Full Access Read Full Access Read Read Read

Plan & Troubleshoot

> Traffic Analysis >

Traceflow

Full Access Read Full Access Full Access Full Access Full Access

Plan & Troubleshoot >

Traffic Analysis > Live

Traffic Analysis

Full Access Read Full Access Full Access Full Access Full Access

Plan & Troubleshoot >

Port mirroring

Full Access Read Full Access Read Read Read

Plan & Troubleshoot >

IPFIX > Switch IPFIX and

Collectors

Full Access Read Full Access Read Read Read

Security > Distributed

Firewall

Full Access Read Read Read Full Access Read

VMware Cloud on AWS Networking and Security

VMware by Broadcom 23

Table 3-3. NSX Roles and Permissions in VMware Cloud on AWS (continued)

Operation

NSX Cloud

Admin

NSX Cloud

Auditor

NSX Network

Admin

NSX

Network

Auditor

NSX

Security

Admin

NSX

Security

Auditor

Security > Gateway

Firewall

Full Access Read Read Read Full Access Read

Security > IDS/IPS Full Access Read Read Read Full Access Read

Inventory > Context

Profiles

Full Access Read Full Access Read Full Access Read

Inventory > Virtual

Machines

Read Read Read Read Read Read

Inventory > Services Full Access Read Full Access Read Full Access Read

Inventory > Profiles Full Access Read Full Access Read Full Access Read

Inventory > Virtual

Machines > Create and

Assign Tags to VM.

Full Access Read Read Read Full Access Read

Inventory > Groups Full Access Read Full Access Read Full Access Read

Networking > Direct

Connect

Full Access Read Full Access Read Read Read

Networking >Transit

Connect

Full Access Read Full Access Read Read Read

Networking > Connected

VPC

Full Access Read Full Access Read Read Read

Networking > Public IPs>

Request Public IP

Full Access Read Full Access Read Read Read

Networking > Traffic

Groups

Full Access Read Full Access Read Read Read

Networking > Settings >

Networking Profiles

Full Access Read Full Access Read Read Read

Networking > Settings >

Global Configuration

Full Access Read Full Access Read Read Read

Networking > Settings >

Global Configuration >

Route Aggregation

Full Access Read Full Access Read Read Read

Networking > Settings >

Global Configuration >

Route Filtering

Full Access Read Full Access Read Read Read

Networking > Settings >

Global Configuration >

Uplinks

Full Access Read Full Access Read Read Read

System > Identity Firewall

Full Access Read Full Access Read Full Access Read

VMware Cloud on AWS Networking and Security

VMware by Broadcom 24

Table 3-3. NSX Roles and Permissions in VMware Cloud on AWS (continued)

Operation

NSX Cloud

Admin

NSX Cloud

Auditor

NSX Network

Admin

NSX

Network

Auditor

NSX

Security

Admin

NSX

Security

Auditor

System > User

Management

Full Access Read Read Read Read Read

System> Certificates Full Access Read None None Full Access Read

Integrated Services >

Advanced Firewall Add-

On Enable/Disable

Full Access Read Full Access Read Full Access Read

Note The NSX Security Admin role cannot create an L2VPN. While the role has Full Access

to policy-based VPN and L2VPN objects, it has Read-only access to route-based VPN objects.

Because an L2VPN requires a route-based VPN, this role is effectively unable to create an

L2VPN.

Assign NSX Roles from an LDAP Identity Source

If your administrative user accounts are maintained in an LDAP identity source (Active Directory

or OpenLDAP), you can configure the SDDC NSX Manager to enable LDAP users to access NSX

with roles you assign to their account or LDAP group in NSX Manager.

In most cases, all you'll need to do after setting up the LDAP service is point NSX Manager to any

domain controller on port 389 (LDAP) or 636 (LDAPS).

If you are using Active Directory (AD), and your AD forest is comprised of multiple subdomains,

you should point NSX Manager at your AD Global Catalog (GC) and configure each subdomain

as an alternative domain name in NSX. The Global Catalog service usually runs on your primary

AD domain controllers, and is a read-only copy of the most important information from all the

primary and secondary domains. The GC service runs on port 3268 (plaintext), and 3269 (LDAP

over TLS, encrypted).

For example, if your primary domain is "example.com" and you have subdomains

"americas.example.com" and "emea.example.com", you should:

1 Configure NSX Manager to use either the LDAP protocol on port 3268 or the LDAPS protocol

on port 3269.

2 Add alternative domain names "americas.example.com" and "emea.example.com" in the NSX

LDAP configuration.

Users in one of the subdomains must log in using the appropriate domain in their login name.

For example, user "john" in the emea.example.com domain, must log in with the username

"[email protected]".

VMware Cloud on AWS Networking and Security

VMware by Broadcom 25

Prerequisites

Your SDDC NSX Manager must be configured to authenticate users using a directory service

such as Active Directory over LDAP or OpenLDAP and have access to your LDAP identity source

through the Management Gateway firewall. See LDAP Identity Source in the

NSX Administration

Guide

Procedure

1 Log in to VMware Cloud Services at https://vmc.vmware.com.

2 Click Inventory > SDDCs, then pick an SDDC card and click OPEN NSX MANAGER. to open

the local NSX Manager at its default public IP address. You are logged in to NSX using your

VMware Cloud on AWS credentials. See Open NSX Manager for more information about

firewall rules that may be needed when connecting to NSX Manager from the VMware Cloud

Console.

3 Assign NSX roles from the NSX Manager LDAP identity source.

In the NSX Manager UI, click System > User Management. In the User Role Assignment tab,

click

ADD ROLE FOR LDAP USER and select an LDAP domain to search.

4 Specify NSX roles for the LDAP user or group. scopes.

a Enter the first few characters of a user or group name to search the LDAP directory, then

select a user or group from the list that appears.

b On the Set Roles/Scope page, assign an NSX role to the user or group.

You can assign either of these NSX roles:

Cloud Admin

This role can perform all tasks related to deployment and administration of the NSX service.

Cloud Operator

This role can view NSX service settings and events but cannot make any changes to the

service.

No other roles can be assigned here.

c Click APPLY.

d Click SAVE.

Results

LDAP group members with NSX roles can use this workflow to log into the NSX Manager private

URL using their LDAP credentials.

On the SDDC Settings tab, navigate to NSX Information and expand NSX Manager URLs. Click

the link shown under Private URL (Log in through NSX Manager credentials) and provide your

LDAP credentials.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 26

Connecting Your On-Premises SDDC to Remote Networks

To connect your VMware Cloud on AWS SDDC to your on-premises data center or another

remote network, you can create a VPN that uses the public Internet, a VPN that uses AWS Direct

Connect, or just use AWS Direct Connect alone.

You can also take advantage of SDDC groups to use VMware Transit Connect and an AWS

Direct Connect Gateway to provide centralized connectivity between a group of VMware Cloud

on AWS SDDCs, including an on-premises SDDC. See Creating and Managing SDDC Deployment

Groups with VMware Transit Connect™.

Figure 3-1. SDDC Connections to your On-Premises Data Center

172.16.10.0/24

10.10.10.0/24

192.168.10.0/24

172.16.20.0/24

10.10.10.0/24

192.168.10.0/24

172.16.10.0/24

10.10.10.0/24

192.168.10.0/24

172.16.20.0/24

10.10.10.0/24

192.168.10.0/24

L3 VPN

L2 VPN

HCX

BGP (L3 VPN optional)

L2 VPN

HCX

Public Internet

AWS Direct Connect

L3 VPN / BGP

NSX L2 VPN

HCX

Data Center VMware Cloud on AWSInterconnection

AWS Direct Connect (DX)

AWS Direct Connect is a service provided by AWS that creates a high-speed, low latency

connection between your on-premises data center and AWS services. When you configure

AWS Direct Connect, VPNs can route traffic over DX instead of the public Internet.

Because DX implements Border Gateway Protocol (BGP) routing, use of an L3VPN for the

management network is optional when you configure DX. DX traffic is not encrypted. If you

want to encrypt that traffic, configure an IPsec VPN that uses DX and a private IP address.

Layer 3 (L3) VPN

A layer 3 VPN provides a secure connection between your on-premises data center and your

VMware Cloud on AWS SDDC over the public Internet or AWS Direct Connect. These IPsec

VPNs can be either route-based or policy-based. For the on-premises endpoint, you can use

any device that supports the settings listed in the IPsec VPN Settings Reference.

Layer 2 (L2) VPN

VMware Cloud on AWS Networking and Security

VMware by Broadcom 27

A layer 2 VPN provides an extended, or stretched, network with a single IP address space

that spans your on-premises data center and your SDDC and enables hot or cold migration of

on-premises workloads to the SDDC. You can create only a single L2VPN tunnel in any SDDC.

The on-premises end of the tunnel requires NSX. If you are not already using NSX in your

on-premises data center, you can download a standalone NSX Edge appliance to provide the

required functionality. An L2 VPN can connect your on-premises data center to the SDDC

over the public Internet or AWS Direct Connect.

VMware HCX

VMware HCX, a multi-cloud app mobility solution, is provided free to all SDDCs and facilitates

migration of workload VMs to and from your on-premises data center to your SDDC. For

more information about installing, configuring, and using HCX, see the Hybrid Migration with

HCX Checklist.

Configure AWS Direct Connect Between Your SDDC and On-

Premises Data Center

Use of AWS Direct Connect is optional. If traffic between your on-premises network and

your SDDC workloads requires higher speeds and lower latency than you can achieve with

a connection over the public Internet, configure VMware Cloud on AWS to use AWS Direct

Connect.

There are a couple of ways you can configure your VMware Cloud on AWS SDDC to take

advantage of AWS Direct Connect for traffic to and from your on-premises datacenter:

Configure Direct Connect to a private VIF.

AWS Direct Connect (DX) provides a dedicated network connection between your on-

premises network infrastructure and a virtual interface (VIF) in an AWS VPC. A private

VIF provides direct private access to your SDDC. Configure DX over a private VIF to

carry workload and management traffic, including VPN, HCX, and vMotion, between your

on-premises data center and your VMware Cloud on AWS SDDC. A DX connection provides

a private path for network communications and uses BGP to advertise routes between the

SDDC and your on-premises data center. Provisioning procedures for this VIF depend on the

type of DX connection you choose.

Associate a Direct Connect Gateway (DXGW) with your SDDC Group's VMware Managed

Transit Gateway.

If you have created an SDDC Group in your VMware Cloud on AWS organization, you can use

an AWS transit VIF to connect to that group's DXGW and provide DX connectivity between

your on-premises data center and all SDDCs in the group. See Attach a Direct Connect

Gateway to an SDDC Group.

Access AWS services over a public VIF

VMware Cloud on AWS Networking and Security

VMware by Broadcom 28

If you just want to use DX to access AWS services, you can do so over a public VIF. A

public VIF is transparent to the SDDC and requires no configuration in the SDDC itself. You

cannot use a public VIF to carry the same kinds of SDDC traffic (such as vMotion) that require

a private VIF or Direct Connect Gateway. When you have a public VIF configured to learn

AWS routes in the region where your SDDC is located, any connectivity from your SDDC to

a public IP in your on-premises data center will be included in the AWS routes for that region

and will traverse your DX. In this kind of configuration, a VPN connection over the public VIF

provides secure, private connectivity to the SDDC.

Set Up an AWS Direct Connect Connection

To set up an AWS Direct Connect connection, place an order through the AWS console to create

a Direct Connect connection in a region where VMware Cloud on AWS is available.

Connection Types

AWS offers three types of Direct Connect connections:

Dedicated Connection

A dedicated connection provides a physical Ethernet port dedicated to a single customer

that supports multiple private or public virtual interfaces (VIF) and 1 transit VIF.

To order a dedicated connection, ask a member of the AWS Direct Connect Partner Program

to provision a circuit to an AWS Direct Connect location in the same region as your SDDC.

Use your (customer-managed) AWS account to make this request. After the circuit has been

provisioned, create a hosted private VIF to your SDDC using the account shown in the AWS

Account ID field of the NSX Direct Connect page. In an SDDC that is a member of an SDDC

group, you can create a Direct Connect Gateway (DXGW) in your account and connect a

transit VIF to it from the DXGW. See Creating and Managing SDDC Deployment Groups with

VMware Transit Connect.

Hosted Connection

A hosted connection is a circuit shared by multiple customers and provisioned to your AWS

account by an AWS Direct Connect Partner. After the circuit has been provisioned, create

a hosted private VIF to your SDDC using the account shown in the AWS Account ID field

of the NSX Direct Connect page. If your hosted connection speed is 1Gbps or higher and

the SDDC that is a member of an SDDC group, you also have the option to create a Direct

Connect Gateway (DXGW) in your account, and connect a transit VIF to it from the DXGW.

See Creating and Managing SDDC Deployment Groups with VMware Transit Connect.

Hosted VIF

A hosted VIF is similar to a hosted connection but only provides the ability to create a single

VIF managed by a partner. The hosted private VIF must be created by the AWS Partner

using the account number shown in the AWS Account ID field of the NSX Direct Connect

page, rather than provisioned to your own AWS account.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 29

For more information about using Direct Connect with VMware Cloud on AWS, see the VMware

Designlet VMware Cloud on AWS SDDC Connectivity With Direct Connect Private VIF. For more

information about connection types and how to set them up, see AWS Direct Connect Partners,

Getting Started with AWS Direct Connect.

Configure Direct Connect to a Private Virtual Interface for SDDC Management

and Compute Network Traffic

Create a private VIF over your DX to provide direct connectivity between your on-premises

network and the SDDC's workloads, ESXi Management, and Management Appliances using their

private IPs.

Create one private virtual interface (VIF) for each Direct Connect (DX) circuit you want to attach

to your SDDC. Each private VIF establishes a separate BGP session, which can be used in active/

standby or active/active (including ECMP) designs or used for private network segments. If you

want DX redundancy, attach separate private VIFs provisioned on different DX circuits to the

SDDC.

When connecting multiple private VIFs over separate DX circuits to an SDDC for high availability,

all the DX circuits must be created in the same AWS account and delivered to different

AWS

Direct Connect Locations. When you do this, AWS attempts to leverage separate internal

network paths for the DX connectivity to provide better redundancy. See High resiliency

and Active/Active and Active/Passive Configurations in AWS Direct Connect in the AWS

documentation. See VMware Configuration Maximums for limits on the number of network

segments advertised to all private VIFs. Route aggregation is supported to provide more

flexibility, but all VIFs will have the same networks advertised by the SDDC.

Important When you connect a DX private virtual interface or an SDDC Group to an SDDC,

all outbound traffic from ESXi hosts to destinations outside the SDDC network is routed over

that interface, regardless of other routing configurations in the SDDC. This includes vMotion and

vSphere replication traffic. You must ensure that inbound traffic to ESXi hosts is also routed over

the same path so that the inbound and outbound traffic paths are symmetrical. See Creating and

Managing SDDC Deployment Groups with VMware Transit Connect in the

VMware Cloud on AWS

Operations Guide

for more about VMware Transit Connect and the VMware Managed Transit

Gateway (VTGW).

Although routes learned from a route-based VPN are advertised over BGP to other route-based

VPNs, an SDDC advertises only its own networks to an SDDC group. It does not advertise routes

learned from VPNs. See AWS Direct Connect quotas in the AWS

Direct Connect User Guide

for

detailed information about limits imposed by AWS on Direct Connect, including limits on routes

advertised and learned over BGP.

When you create a private VIF in this way, you can attach it to any of your Organization’s SDDCs

in the region where you created the VIF. The private VIF must be created in the same region as

the DX circuit, and attached to an SDDC in that same region. After you attach it to an SDDC, the

VIF cannot be detached or reassigned to another SDDC. Instead, it must be deleted and a new

VIF created. Deleting an SDDC deletes any attached VIFs.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 30

Prerequisites

n Ensure that you meet the prerequisites for virtual interfaces as described in Prerequisites for

Virtual Interfaces.

n If you want to use route-based VPN as the backup to Direct Connect, you'll also need to

set the Use VPN as backup to Direct Connect switch to Enabled as shown in Step 6. Policy-

based VPNs cannot be used to back up another connection.

Procedure

1 Log in to VMware Cloud Services at https://vmc.vmware.com.

2 Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.

3 Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown

on the SDDC Settings page. See SDDC Network Administration with NSX Manager.

You can also use the VMware Cloud Console Networking & Security tab for this workflow.

4 Log in to the AWS Console and complete the

Creating a Hosted Private Virtual Interface

procedure under Create a Hosted Virtual Interface.

If you're using a hosted VIF (see Set Up an AWS Direct Connect Connection), work with your

AWS Direct Connect Partner to create the VIF in the account shown in the AWS Account ID

field of the Direct Connect page, then skip to Step 5 of this procedure. If you are using a

dedicated or hosted connection, take these steps first.

a For Virtual interface type, choose Private and make up a Virtual interface name.

b For the Virtual interface Owner field, select Another AWS account and use the AWS

Account ID from the NSX Direct Connect page.

c For VLAN, use the value provided by your AWS Direct Connect Partner.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 31

d For BGP ASN, use the ASN of the on-premises router where this connection terminates.

This value must not be the same as the BGP Local ASN shown on the NSX Direct

Connect page.

e Expand Additional Settings and make the following choices:

Address family Select IPV4

Your router peer ip Specify the IP address of the on-premises end of this

connection (your router), or leave blank to have AWS

automatically assign an address that you'll need to

configure in your router.

Amazon router peer ip Specify the IP address of the AWS end of this

connection, or leave blank to have AWS automatically

assign an address that you'll need to configure in your

router.

BGP authentication key Specify a value or leave blank to have AWS generate

a key, which you'll need to configure in your router.

Jumbo MTU (MTU size 9001) The default MTU for all SDDC networks is 1500 bytes.

To enable DX traffic to this private VIF to use a larger

MTU, select Enable under Jumbo MTU (MTU size

9001). After the VIF has been created, you'll also need

to open the NSX Global Configuration page and set a

higher MTU value under Intranet Uplink, as described

in Specify the Direct Connect MTU. Enabling this in the

connection properties, even if you don't intend to use

it right away, makes it easier to take advantage of

jumbo frames in SDDC networks when you need them.

When the interface has been created, the AWS console reports that it is ready for

acceptance.

5 Open NSX Manager or the VMC Console Networking & Security tab. Click Direct Connect

and accept the virtual interface by clicking ATTACH.

Before it has been accepted, a new VIF is visible in all SDDCs in your organization. After you

accept the VIF, it is no longer visible in any other SDDC.

It can take up to 10 minutes for the BGP session to become active. When the connection is

ready, the State shows as Attached and the BGP Status as Up.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 32

6 (Optional) Configure a route-based VPN as the backup to Direct Connect.

In the default configuration, traffic on any route advertised over BGP by both DX and a

route-based VPN uses the VPN by default. To have a route advertised by both DX and VPN

use DX by default and failover to the VPN when DX is unavailable click Direct Connect and

set the Use VPN as backup to Direct Connect switch to Enabled.

Note This configuration requires a route-based VPN. You cannot use a policy-based VPN as

a backup to Direct Connect. In an SDDC that is a member of an SDDC group, traffic over a

route that is advertised by both the DX private VIF and the group's VMware Managed Transit

Gateway (VTGW) will be routed over the VTGW.

The system requires a minute or so to update your routing preference. When the operation

completes, routes advertised by both DX and VPN default to the DX connection, using the

VPN only when DX is unavailable. Equivalent routes advertised by both DX and VPN prioritize

the VPN connection.

Results

A list of Advertised BGP Routes and Learned BGP Routes is displayed as the routes are learned

and advertised. Click the refresh icon to refresh these lists. All routed subnets in the SDDC are

advertised as BGP routes, along with this subset of management network subnets:

n Subnet 1 includes routes used by ESXi host vmks and router interfaces.

n Subnet 2 includes routes used for Multi-AZ support and AWS integration.

n Subnet 3 includes management VMs.

Disconnected and extended networks are not advertised. Networks attached to custom T1s are

not advertised. If route filtering is enabled then networks attached to the default CGW are also

not advertised.

Any route aggregations defined and applied to the DX will be advertised as defined. (See

Aggregate and Filter Routes to Uplinks).

The actual CIDR blocks advertised to the private VIFs depend on your management subnet CIDR

block. The following table shows the CIDR blocks for these routes in an SDDC that uses the

default management network CIDR of 10.2.0.0 in block sizes /16, /20, and /22.

Table 3-4. Advertised Routes for 10.2.0.0 Default MGW CIDR

MGW CIDR Subnet 1 Subnet 2 Subnet 3

10.2.0.0/23 10.2.0.0/24 10.2.1.0/26 10.2.1.128/25

10.2.0.0/20 10.2.0.0/21 10.2.8.0/23 10.2.12.0/22

10.2.0.0/16 10.2.0.0/17 10.2.128.0/19 10.2.192.0/18

VMware Cloud on AWS Networking and Security

VMware by Broadcom 33

What to do next

Ensure the on-premises vMotion interfaces are configured to use Direct Connect. See Configure

vMotion Interfaces for Use with Direct Connect.

Configure vMotion Interfaces for Use with Direct Connect

If you are using a Direct Connect connection between your on-premises data center and your

cloud SDDC, you must configure the vMotion interfaces for your on-premises hosts to route

vMotion traffic over the Direct Connect connection.

Prerequisites

Configure Direct Connect and create a private virtual interface.

Procedure

1 Select one of the following methods to configure the vMotion interface on each host in your

on-premises environment.

Option Description

Override the default gateway

(vSphere 7.0 and later)

For each host, edit the VMkernel adapter used for vMotion traffic, and

select the option to override the default gateway. Enter an IP address in

your on-premises vMotion subnet that is capable of routing traffic to the

on-premises side of the Direct Connect connection. See Edit a VMkernel

Adapter Configuration.

Configure the vMotion TCP/IP stack For each host:

a Remove any existing vMotion VMkernel adapters.

b Create a new VMkernel adapter and select the vMotion TCP/IP stack.

See Place vMotion Traffic on the vMotion TCP/IP Stack of an ESXi Host.

c Edit the host vMotion TCP/IP stack to change the routing to use an IP

address in your on-premises vMotion subnet that is capable of routing

traffic to the on-premises side of the Direct Connect connection. See

Change the Configuration of a TCP/IP Stack on a Host.

2 (Optional) Test connectivity between an on-premises host and a cloud SDDC host using

vmkping.

See VMware Knowledge Base article 1003728 for more information.

Configure Direct Connect to a Public Virtual Interface for Access to AWS

Services

If your on-premises workloads need access to AWS EC2 instances and services such as S3 over a

DX connection, configure a public virtual interface for that traffic in your VPC.

Although SDDC management and workload traffic over DX must use a private VIF or DX

Gateway, you can create a DX connection from your on-premises datacenter to a public VIF

if you just want to access AWS services from your on-premises workloads or for any purpose

that requires a connection to the global AWS backbone.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 34

Prerequisites

n Ensure that you meet the prerequisites for virtual interfaces as described in Prerequisites for

Virtual Interfaces.

Procedure

1 Log in to the AWS Console. and complete the steps for creating a hosted public virtual

interface under Create a Hosted Virtual Interface.

a In the Interface Owner field, select My AWS Account.

b Specify Your router peer IP and Amazon router peer IP.

c Select Auto-generate BGP key and list any on-premises routes that you want advertised

on the AWS backbone in Prefixes you want to advertise.

When the interface has been created, the AWS Console reports that it is ready for

acceptance.

2 Open NSX Manager or the VMC Console Networking & Security tab. Click Direct Connect

and accept the virtual interface by clicking ATTACH.

Before it has been accepted, a new VIF is visible in all SDDCs in your organization. After you

accept the VIF, it is no longer visible in any other SDDC.

It can take up to 10 minutes for the BGP session to become active. When the connection is

ready, the State shows as Attached and the BGP Status as Up.

Specify the Direct Connect MTU

The default Maximum Transmissible Unit (MTU) for all SDDC networks is 1500 bytes. When you

use Direct Connect and a private VIF, you can configure a larger MTU (up to 8900 bytes) on the

SDDC uplink if your DX connection supports it.

You can enable DX to use a larger MTU when you create the VIF. If you do this, you'll also need

to open the NSX Global Configuration page and set a higher Intranet MTU Value.

This larger (or Jumbo) MTU value applies only to DX connections over a private VIF and any

SDDC group connections you have configured. Any VPN, whether or not it connects over DX,

uses an MTU of 1500, regardless of other settings. To be sure that workload VMs can take

advantage of the larger MTU, verify that workload VMs using the DX connection, along with any

other interfaces along the workload's connection path, use an MTU that matches the Intranet

MTU Value.

All network interfaces on a segment should be set to the same MTU value, or communication

problems can occur. Using different MTU values on different segments is generally acceptable,

as long as path MTU discovery (PMTUD) is enabled and ICMP traffic is permitted between the

networks. If an SDDC group is configured, the Intranet Interface MTU should not be set above

8500 bytes (the maximum supported for SDDC Group traffic). In an SDDC that is part of an SDDC

group and also has a DX connection, the maximum usable MTU for all traffic is 8500 bytes, since

both the DX private VIF and the SDDC group connection share the same Intranet Interface.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 35

Procedure

1 Log in to VMware Cloud Services at https://vmc.vmware.com.

2 Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.

3 Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown

on the SDDC Settings page. See SDDC Network Administration with NSX Manager.

You can also use the VMware Cloud Console Networking & Security tab for this workflow.

4 On the Global Configuration page, click the pencil icon ( ), set a higher MTU value in the

Intranet Uplink field, then click SAVE.

The value you set must be less than or equal to the smallest MTU value for all your DX

virtual interfaces. In practice this means that you should set all your VIFs to the same MTU

value (the default, at 1500 or Jumbo, at 9001), since having any VIF that does not support a

Jumbo MTU effectively limits all DX connections to an MTU of 1500. Mixing MTU sizes within

a network can lead to packet fragmentation and other problems that result in poor network

performance.

Note To leave room for Geneve (Generic Network Virtualization Encapsulation) headers, the

SDDC intranet MTU is capped at 8900 bytes to avoid packet fragmentation at the VIF.

Configure a VPN Connection Between Your SDDC and On-Premises

Data Center

Configure a VPN to provide a secure connection to your SDDC over the public Internet or AWS

Direct Connect. Route-based and policy-based IPsec VPNs are supported. Either type of VPN

can connect to the SDDC over the Internet. A route-based VPN can also connect to the SDDC

over AWS Direct Connect.

You can also configure a Layer 2 VPN, which can be especially useful for workload migration.

For more information about IPsec VPNs, see the VMware Designlet VMware Cloud on AWS

SDDC Connectivity With IPSec VPN.

What to read next

Procedure

1 Create or Modify a Network Segment

Network segments are logical networks for use by workload VMs in the SDDC compute

network.

2 Add or Modify Compute Gateway Firewall Rules

By default, the Compute Gateway blocks traffic into and out of the SDDC Compute Network.

Add Compute Gateway firewall rules to allow traffic as needed.

3 Add or Modify Distributed Firewall Rules

Distributed firewall rules apply at the VM (vNIC) level and control East-West traffic within the

SDDC.

4 Configure DNS Services

VMware Cloud on AWS DNS forwarding services run in DNS zones, and enable workload

VMs in the zone to resolve fully-qualified domain names to IP addresses.

Create or Modify a Network Segment

Network segments are logical networks for use by workload VMs in the SDDC compute network.

VMware Cloud on AWS supports three types of network segments: routed, extended and

disconnected.

n A routed network segment (the default type) has connectivity to other logical networks in the

SDDC and, through the SDDC firewall, to external networks.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 64

n An extended network segment extends an existing L2VPN tunnel, providing a single IP

address space that spans the SDDC and an on-premises network.

n A disconnected network segment has no uplink, and provides an isolated network accessible

only to VMs connected to it. Disconnected segments are designed so they can be toggled

between routed and disconnected, so they need to be configured to work in either mode.

Disconnected segments are created when needed by VMware HCX (see Getting started with

VMware HCX).

See VMware Configuration Maximums for limits on segments per SDDC and network connections

per segment.

SDDCs are created without a default network segment, so you must create at least one for your

workload VMs. When you create a segment, you start by configuring some basic parameters

and specifying how DHCP requests are handled on the segment. After the segment has been

created, you can take additional, optional steps to specify a segment profiles and create DHCP

static bindings.

Procedure

1 Log in to VMware Cloud Services at https://vmc.vmware.com.

2 Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.

3 Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown

on the SDDC Settings page. See SDDC Network Administration with NSX Manager.

You can also use the VMware Cloud Console Networking & Security tab for this workflow.

4 Open the Segments page.

To create a new segment, click ADD SEGMENT and give the new segment a Name

and optional Description. See Enabling and Using IPv6 in SDDC Networks for additional

information about creating IPv6 or dual-stack segments.

To delete or modify a segment, click its button and choose Edit. You can modify all

segment properties, including segment type. You can also edit or delete the segment's DHCP

configuration.

Important You cannot disable or delete a segment of any type if it has attached VMs or

VIFs. Disconnect attached VMs and VIFs before deleting the segment.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 65

5 Specify a segment type and connected gateway in the Connected Gateway drop-down, then

fill in the required configuration parameters.

In the default configuration, only the Compute Gateway can be selected as the Connected

Gateway. See Add a Custom Tier-1 Gateway to a VMware Cloud on AWS SDDC for

information about creating additional Tier-1 gateways in your SDDC. Networks configured on

segments connected to a secondary Tier-1 gateway will not be advertised to Direct Connect,

SDDC Group (VTGW) or ESXi management hosts by default. To establish that connectivity,

define a route aggregation that includes those networks. See Aggregate and Filter Routes to

Uplinks.

Parameter requirements depend on the segment type.

Table 3-13. Routed Segment Configuration Parameters

Parameter Value

VPN Tunnel ID N/A for Routed or Disconnected segment types.

Subnets Specify an IP address to use as the gateway, along with a

subnet mask that defines the size of the network, in CIDR format.

The gateway address cannot be the first or last IPs within the

CIDR block, which by are reserved as the network address and

broadcast address of the segment. For example, to define the

subnet represented by 192.168.1.0/24 with a gateway of 192.168.1.1,

enter 192.168.1.1/24 in this field.

The address range you specify here must not overlap your SDDC

management network, any of the CIDR clocks listed in Reserved

Network Addresses, or any of the subnets in the Connected

Amazon VPC. If any part of the block is in a public IP space, it must

be in one that has been allocated for your use by IANA or another

regional internet registry.

URPF Mode Choose Strict to apply Unicast Reverse Path Forwarding (URPF)

strict mode, as defined by RFC3704 or None to turn off URPF for

this subnet.

SET DHCP CONFIG Routed segments default to using the Compute Gateway DHCP

server. Per-segment DHCP configuration, including DHCP relay,

can be specified when you create or update the segment. See

Configure Segment DHCP Properties.

Domain Name (Optional) Enter a fully qualified domain name. Static bindings on

the segment automatically inherit this domain name.

Tags See Add Tags to an Object in the

NSX Data Center Administration

Guide

for more information about tagging NSX objects.

Table 3-14. Extended Segment Configuration Parameters

Parameter Value

VPN Tunnel ID Specify the tunnel ID of an existing L2VPN tunnel. N/A for Routed

or Disconnected segment types. If you have not already created an

L2VPN, see Configure a Layer 2 VPN Tunnel in the SDDC.

Subnets N/A for Extended segments.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 66

Table 3-14. Extended Segment Configuration Parameters (continued)

Parameter Value

URPF Mode Choose Strict to apply Unicast Reverse Path Forwarding (URPF)

strict mode, as defined by RFC3704 or None to turn off URPF for

this subnet.

Domain Name (Optional) Enter a fully qualified domain name. Static bindings on

the segment automatically inherit this domain name.

Tags See Add Tags to an Object in the

NSX Data Center Administration

Guide

for more information about tagging NSX objects.

Table 3-15. Disconnected Segment Configuration Parameters

Parameter Value

VPN Tunnel ID N/A for Routed or Disconnected segment types.

Subnets Specify an IP address to use as the gateway, along with a

subnet mask that defines the size of the network, in CIDR format.

The gateway address cannot be the first or last IPs within the

CIDR block, which by are reserved as the network address and

broadcast address of the segment. For example, to define the

subnet represented by 192.168.1.0/24 with a gateway of 192.168.1.1,

enter 192.168.1.1/24 in this field.

The address range you specify here must not overlap your SDDC

management network, any of the CIDR clocks listed in Reserved

Network Addresses, or any of the subnets in the Connected

Amazon VPC. If any part of the block is in a public IP space, it must

be in one that has been allocated for your use by IANA or another

regional internet registry.

Note Disconnected segments can be toggled between routed and

disconnected, so the gateway and subnet should be defined here

with that in mind even though they will not be used or advertised as

long as the segment remains disconnected.

Domain Name (Optional) Enter a fully qualified domain name. Static bindings on

the segment automatically inherit this domain name.

URPF Mode Choose Strict to apply Unicast Reverse Path Forwarding (URPF)

strict mode, as defined by RFC3704 or None to turn off URPF for

this subnet.

Tags See Add Tags to an Object in the

NSX Data Center Administration

Guide

for more information about tagging NSX objects.

6 Click SAVE to create or update the segment.

Click YES if you want continue with segment configuration. If you click NO, you can edit the

segment later if you need to.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 67

The system creates the requested segment. This operation can take up to 15 seconds to

complete. When the segment Status transitions to Up the segment is ready for use. If the

segment Status is Down, you can click the information icon for more information about

the cause of the problem.

7 (Optional) Click SEGMENT PROFILES to view profiles for the segment.

Every segment has a read-only profile that specifies how it handles IP discovery, MAC

discovery, and related security controls. Key settings include:

n Promiscuous mode is not supported.

n Forged transmits are not supported.

n MAC Learning is not supported. Only a single MAC address can be used on a NIC

connected to the segment.

n BPDU filtering is turned on.

n IP address discovery (which affects the IPs added to groups using dynamic membership)

is set to Trust on First Use. Detection uses ARP and DHCP snooping, as well as

VMware Tools. See Understanding IP Discovery Segment Profile in the

NSX Data Center

Administration Guide

See Enabling and Using IPv6 in SDDC Networks for additional information about profiles for

IPv6 or dual-stack segments.

8 (Optional) Configure DHCP STATIC BINDINGS.

a Click Set to specify static bindings for VMs on the segment.

Click ADD IPV4 STATIC BINDING, then give the binding a Name and specify an IPv4

address included in the segment and a MAC address. When a VM with the specified MAC

address is powered on and connected to the segment, it receives the specified address.

Click SAVE to create the binding, then add another binding or click APPLY to apply the

specified static bindings to the segment.

b Click DHCP Options to specify DHCP Classless Static Routes (Option 121) and Generic

Options.

n Each classless static route option in DHCP for IPv4 can have multiple routes with the

same destination. Each route includes a destination subnet, subnet mask, next hop

router. See RFC 3442 for information about classless static routes in DHCPv4. You can

add a maximum of 127 classless static routes on a DHCPv4 server.

n For adding Generic Options, select the code of the option and enter a value of the

option. For binary values, the value must be in a base-64 encoded format.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 68

What to do next

After a segment has been created and has a status of Success, you can click VIEW STATISTICS

to view statistics for network traffic to and from the segment. Statistics begin at segment

creation. You can click VIEW RELATED GROUPS to see a list of groups that include this

segment. For more information, see Add a Group in the

NSX Data Center Administration Guide

Configure Segment DHCP Properties

DHCP configuration is a per-segment property. In the default configuration the Compute

Gateway DHCP server handles DHCP requests from VMs on all routed segments. To use another

DHCP server for your workload networks, you can configure the segment to use DHCP relay. You

can also configure the segment to use its own local DHCP Server.

Per-segment DHCP configuration is part of the segment create/update workflow document in

Create or Modify a Network Segment. For more information, see DHCP in the

NSX Administration

Guide

Procedure

1 Log in to VMware Cloud Services at https://vmc.vmware.com.

2 Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.

3 Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown

on the SDDC Settings page. See SDDC Network Administration with NSX Manager.

You can also use the VMware Cloud Console Networking & Security tab for this workflow.

4 Open the Segments page.

Choose a DHCP Type and specify configuration details. See Configure Segment DHCP Server

on a Segment in the

NSX Administration Guide

Note DHCP requests from VMs in a segment use the segment's gateway address as the

source IP. To allow this traffic through the CGW firewall, create a rule that allows packets

with this source address to reach the remote DHCP server. Including the segment object as a

group member does not include the gateway IP in the group. You must add it to the group as

an IP address. See VMware Knowledge Base article 79595 for related information.

Create or Modify a DHCP Profile

A DHCP profile specifies a DHCP server type and configuration. You can use the default profile or

create others as needed.

A DHCP profile can be used to configure DHCP servers of DHCP relay servers anywhere in your

SDDC network. See Add a DHCP Profile in the

NSX-T Data Center Administration Guide

Procedure

1 Log in to the VMware Cloud Console at https://vmc.vmware.com.

2 In NSX Manager, click Networking Profiles > DHCP.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 69

3 Click ADD DHCP PROFILE and give the profile a Name.

Choose a Profile Type and provide the required configuration parameters.

n For a DHCP Server, specify an IPv4 Server IP Address and optionally change the Lease

Time.

n For a DHCP Relay, specify the Server IP Address as the address of the target DHCP

server. If the target DHCP server is on-premises, be sure that your on-premises firewall

allows DHCP traffic (ports 67 and 68) to reach this address. Lease time is controlled by

the target server configuration.

Either type of DHCP profile can be tagged.

4 Click SAVE to create the profile.

The new profile is available for use when you specify the DHCP configuration of a routed

segment. See Create or Modify a Network Segment. The Where Used column lists segments

that specify this profile.

Add or Modify Compute Gateway Firewall Rules

By default, the Compute Gateway blocks traffic into and out of the SDDC Compute Network. Add

Compute Gateway firewall rules to allow traffic as needed.

Firewall rules for the default Compute Gateway and any additional Tier-1 gateways you create

specify actions to take on network traffic from a specified source to a specified destination and

service. Actions can be one of:

n allow (allow matching traffic)

n drop (silently drop matching traffic)

n reject (drop matching traffic and notify the source)

Rules can be applied to a selection from a list of physical network interfaces or the generic

specification All Uplinks, which applies to all traffic leaving the gateway and going to the VPC

interface, Internet interface, or Intranet (Direct Connect) interface.

Note A firewall rule applied to All Uplinks does not apply to the VPN Tunnel Interface

(VTI), which is a virtual interface and not a physical uplink. The VPN Tunnel Interface must be

specified explicitly in the Applied To parameter of any firewall rule that manages workload VM

communications over a route-based VPN.

All traffic attempting to pass through the firewall is evaluated by the rules in the order shown

in the rules table. Traffic matching the first rule follows its action (allow, drop, or reject) and

evaluation stops. Traffic not matching the first rule is passed on to subsequent rules. When it hits

a match, the traffic is allowed, dropped, or rejected as specified by the rule action, and further

rule evaluation is stopped. Traffic that does not match any customer-defined rules is handled by

a default rule.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 70

There are two types of firewall rules:

n Pre-defined firewall rules are created by VMware Cloud on AWS. There are two pre-defined

Compute Gateway firewall rules:

Table 3-16. Pre-Defined Compute Gateway Firewall Rules

Name Sources Destinations Services Applied To Action

Default VTI Rule Any Any Any VPN Tunnel

Interface

Drop *

Default Uplink

Rule

Any Any Any All Uplinks Drop

* The Default VTI Rule drops all route-based VPN traffic (over the Virtual Tunnel Interface),

so to enable workload VMs to communicate over a route-based VPN, modify this rule to

Allow the traffic or move it to a lower rank in the rule hierarchy, after more permissive rules.

You cannot modify or re-order the Default Uplink Rule.

n Customer-defined firewall rules are processed in the order you specify and are always

processed before the Default Uplink Rule.

Prerequisites

Compute Gateway firewall rules require named inventory groups for Source and Destination

values. See Working With Inventory Groups.

Procedure

1 Log in to VMware Cloud Services at https://vmc.vmware.com.

2 Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.

3 Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown

on the SDDC Settings page. See SDDC Network Administration with NSX Manager.

You can also use the VMware Cloud Console Networking & Security tab for this workflow.

4 On the GATEWAY FIREWALL page, click Compute Gateway.

5 To add a rule, click ADD RULE and give the new rule a Name.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 71

6 Enter the parameters for the new rule.

Parameters are initialized to their default values (for example, All for Sources and

Destinations). To edit a parameter, move the mouse cursor over the parameter value and

click the pencil icon ( ) to open a parameter-specific editor.

Option Description

Sources Click Any in the Sources column and select an inventory group for source

network traffic, or click ADD GROUP to create a new user-defined inventory

group to use for this rule. Click SAVE.

Destinations Click Any in the Destinations column and select an inventory group for

destination network traffic, or click ADD GROUP to create a new user-

defined inventory group to use for this rule. Click SAVE.

Services Click Any in the Services column and select a service from the list or click

ADD SERVICE to create a new user-defined service to use for this rule..

Click SAVE.

Applied To Define the type of traffic that the rule applies to:

n Select VPN Tunnel Interface if you want the rule to apply to traffic over

the route-based VPN.

n Select VPC Interface if you want the rule to apply to traffic over the

linked AWS VPC connection.

n Select Internet Interface if you want the rule to apply to traffic over the

SDDC's Internet Gateway, including traffic over policy-based VPNs using

the public IP endpoint.

n Select Intranet Interface if you want the rule to allow traffic over AWS

Direct Connect, VMware Transit Connect, and policy-based VPNs using

private IP.

n All Uplinks if you want the rule to apply to the VPC Interface, the

Internet Interface, and the Intranet Interface, but not to the VPN Tunnel

Interface.

Note The VPN Tunnel Interface is not classified as an uplink.

Action n Select Allow to allow all L3 traffic to pass through the firewall.

n Select Drop to drop packets that match any specified Sources,

Destinations, and Services. This is a silent action with no notification

to the source or destination systems. Dropping the packet causes the

connection to be retried until the retry threshold is reached.

n Select Reject to reject packets that match any specified Sources,

Destinations, and Services. This action returns a "destination

unreachable message" to the sender. For TCP packets, the response

includes a TCP RST message. For UDP, ICMP and other protocols, the

response includes an "administratively prohibited" code (9 or 10). The

sender is notified immediately (without any re-tries) when connection

cannot be established.

The new rule is enabled by default. Slide the toggle to the left to disable it.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 72

7 Click PUBLISH to create the rule.

The system gives the new rule an integer ID value, which is used in log entries generated by

the rule.

What to do next

You can take any or all of these optional actions with an existing firewall rule.

n Click the gear icon to view or modify rule logging settings. Log entries are sent to the

VMware VMware Aria Operations for Logs Service. See Using VMware Aria Operations for

Logs in the

VMware Cloud on AWS Operations Guide

n Click the graph icon to view Rule Hits and Flow statistics for the rule.

Table 3-17. Rule Hits Statistics

Popularity Index Number of times the rule was triggered in the past 24 hours.

Hit Count Number of times the rule was triggered since it was created.

Table 3-18. Flow Statistics

Packet Count Total packet flow through this rule.

Byte Count Total byte flow through this rule.

Statistics start accumulating as soon as the rule is enabled.

n Reorder firewall rules.

A rule created from the ADD NEW RULE button is placed at the top of the list of rules.

Firewall rules are applied in order from top to bottom. To change the position of a rule in the

list, select it and drag it to a new position. Click PUBLISH to publish the change.

Add or Modify Distributed Firewall Rules

Distributed firewall rules apply at the VM (vNIC) level and control East-West traffic within the

SDDC.

All traffic attempting to pass through the distributed firewall is subjected to the rules in the order

shown in the rules table, beginning at the top. A packet allowed by the first rule is passed on to

the second rule, and so on through subsequent rules until the packet is dropped, rejected, or hits

the default rule, which allows all traffic.

Attention In SDDC version 1.20, 1.20v2, or 1.20v3 a Distributed Firewall Rule that has a context

profile with FQDN attributes can trigger a PSOD failure if it receives a CNAME record in a

response from the DNS server. See VMware Knowledge Base article 91654 for details.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 73

Distributed firewall rules are grouped into policies. Policies are organized by category. Each

category has an evaluation precedence. Rules in a category that has a higher precedence are

evaluated before rules in category that has a lower precedence.

Table 3-19. Distributed Firewall Rule Categories

Category Evaluation

Precedence Category Name Description

1 Ethernet Applied to all layer 2 SDDC network traffic.

Note Rules in this category require MAC addresses

as sources and destinations. IP addresses are

accepted but ignored.

2 Emergency Used for quarantine and allow rules.

3 Infrastructure Define access to shared services. Global rules, AD,

DNS, NTP, DHCP, backup, management servers.

4 Environment Rules between security zones such as production

zones, development zones, or zones dedicated to

specific business purposes.

5 Application Rules between applications, application tiers, or

microservices.

See Security Terminology in the

NSX Data Center Administration Guide

for more information

about Distributed Firewall terminology.

Prerequisites

Distributed firewall rules require inventory groups as sources and destinations and must be

applied to a service, which can be a predefined service or a custom service that you define for

your SDDC. You can create these groups and services while you are creating a rule, but it can

speed up the process if you take care of some of this beforehand. See Working With Inventory

Groups.

Procedure

1 Log in to VMware Cloud Services at https://vmc.vmware.com.

2 Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.

3 Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown

on the SDDC Settings page. See SDDC Network Administration with NSX Manager.

You can also use the VMware Cloud Console Networking & Security tab for this workflow.

4 Open the Distributed Firewall page.

Click Category Specific Rules and select a category to view and modify policies and rules in

that category, or click All Rules to view (but not modify) rules in all policies and categories.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 74

5 (Optional) Change the default connectivity strategy.

The Distributed Firewall includes default rules that apply to all layer 2 and layer 3 traffic.

These rules are evaluated after all other rules in their category, and allow traffic that doesn't

match a preceding rule to pass through the firewall. You can change either or both of these

rules to be more restrictive, but you cannot disable either rule.

n To change the Default Layer2 Rule, expand the Default Layer2 Section in the Ethernet

category and change the Action on that rule to Drop.

n To change the Default Layer3 Rule, expand the Default Layer3 Section in the Application

category and change the Action on that rule to Drop or Reject.

Click PUBLISH to update the rule.

6 To add a policy, open the appropriate category, click ADD POLICY and give the new policy a

Name.

A new policy is added at the top of the policy list for its category. To add a policy before or

after an existing policy, click the vertical ellipsis button at the beginning of the policy row to

open the policy settings menu, then click

Add Policy Above or Add Policy Below.

By default, the Applied To column is set to DFW, and the rule is applied to all workloads.

You can also apply the rule or policy to selected groups. Applied To defines the scope of

enforcement per rule, and is used mainly for optimization of host resource consumption. It

helps in defining a targeted policy for specific zones and tenants, without interfering with

other policy defined for other tenants and zones.

Note Groups consisting of only IP addresses, MAC Addresses, or Active Directory groups

cannot be used in the Applied To text box.

7 To add a rule, select a policy, click ADD RULE, and give the rule a Name.

8 Enter the parameters for the new rule.

Parameters are initialized to their default values (for example, All for Sources and

Destinations). To edit a parameter, move the mouse cursor over the parameter value and

click the pencil icon ( ) to open a parameter-specific editor.

Option

Description

Sources Click Any in the Sources column and select an inventory group for source

network traffic, or click ADD GROUP to create a new user-defined inventory

group to use for this rule. Click SAVE.

Destinations Click Any in the Destinations column and select an inventory group for

destination network traffic, or click ADD GROUP to create a new user-

defined inventory group to use for this rule. Click SAVE.

Services Click Any in the Services column and select a service from the list. Click

SAVE.

VMware Cloud on AWS Networking and Security

VMware by Broadcom 75

Option Description

Context Profiles This option is available if you have enabled NSX Advanced Firewall

features. See Chapter 5 About VMware vDefend Firewall Features for more

information.

Applied To The rule inherits its Applied To value from the containing policy.

Action n Select Allow to allow all L2 and L3 traffic to pass through the firewall.