Introduction
An SDDC deployment group uses VMware Transit Connect to provide high-bandwidth, low-latency connections between SDDCs in the group and to other VPCs in the same region. You can also add a Direct Connect Gateway (DXGW) to provide centralized connectivity to your on-premises SDDCs.
An SDDC deployment group (SDDC Group) is a logical entity designed to simplify the management of your organization's VMware Cloud on AWS resources at scale. Collecting SDDCs into an SDDC Group provides several benefits to an organization with multiple SDDCs whose workloads need a high-bandwidth, low-latency connection to each other. All network traffic between group members travels over a VMware Transit Connect network. Routing between compute networks of all SDDCs in a group is managed automatically by VMware Transit Connect as subnets are added and deleted. You control network traffic among group member workloads with compute gateway firewall rules.
VMware Transit Connect is a VMware Managed Transit Gateway. It Eliminates the overhead of self-deploying and managing complex configurations to establish a connectivity fabric across VMware Cloud on AWS SDDCs, AWS VPCs, and on-premises environments.
VMware Transit Connect easily enables connectivity across environments and adds networks with automatic set up of all the necessary routing policy configuration, transparent to the user. The solution is based on the highly available AWS Transit Gateway. It integrates with AWS Direct Connect Gateway to simplify connectivity to on-premises data centers.
Any organization member who has a VMC service role of Administrator or Administrator (Delete Restricted) can create or modify an SDDC Group.
In this lab, we will first create an SDDC Group with a single SDDC, the purpose of this exercise is to show that an SDDC group can contain a single SDDC, but also to highlight that the VMware Transit connect of the SDDC Group can be used to allow high-bandwidth, low-latency connectivity from SDDC(s) in a group to Native AWS VPC(s). We’ll later I the lab, create a new SDDC Group, and populate it with 2 SDDCs.
TASKS
In the Google Chrome Browser from the VDI desktop
- Click the VMware Cloud SDDC bookmark
- Login as vmcexpert#-xx@vmware-hol.com (Where # is the Environment ID and xx is your student number) i.e. [email protected]
- Password = VMware1!
- Navigate to the SDDC item in the menu. You should see both your SDDC and your partner's SDDC
- In the top right, Click Actions
- Under the Actions Dropdown Click Create SDDC Group
- In the Name and Description page Name the Group vmcexpert#-XX-SDDC-Grp (Where # is the Environment ID and xx is your student number)
- Click Next
- On the Membership page Select <your SDDC>
NOTE: Only add your Student SDDC to the group - Click Next
- on the Acknowledgment page Check the Configuring VMware Transit Connect for your group will incur charges per attachment and Data Transfer checkbox
- Click Create Group
- Monitor the Group creation status (this could take up to 10 minutes to complete)
- While you are waiting, review the blue box below and explore the SDDC Groups tab
- Click View Details once the status changes to Connected
While waiting for the process to complete, let’s review the SDDC Group tabs
vCenter Linking Tab Allows Cloud administrator to log in as [email protected] and use the vSphere Client to manage all the vCenter Server systems in the group. If the [email protected] account configures these systems to use single sign-on, then users with accounts in that single sign-on domain can access all the linked systems in the group.
After vCenter linking has been enabled in an SDDC group, the vCenter Server systems in SDDCs added to the group are linked automatically, and vCenter Server systems in SDDCs that are removed from the group are unlinked automatically.
Direct Connect Gateway Tab After you create an SDDC Group, you can attach an AWS Direct Connect Gateway to it to support high-bandwidth, low-latency connections to your on-premises SDDC.
VMware Transit Connect handles all compute and management network traffic among SDDC group members. Many SDDC group members will also need to make network connections to external endpoints such as on-premises SDDCs, VPCs outside the group, and AWS services that run in them. To enable these kinds of connections, associate an AWS Direct Connect Gateway with the group's VMware Managed Transit Gateway.
Attaching a Direct Connect Gateway to the SDDC group is a multi-step process that requires you to use both the VMC Console and the AWS console. You use the VMC Console to make the VTGW (an AWS resource) available for sharing. You then use the AWS console to accept the shared resource and associate it with the Direct Connect Gateway you'd like to attach to the SDDC Group.
VPC Connectivity Tab Once the SDDC Group has been configured, you can add existing Native AWS VPC to the group. Doing so allows the VMware Transit connect to establish and manage a High-bandwidth, low-latency connection between the SDDC and the Native VPC(s).
Routing Tab The Routing tab displays all of the learned routes to the VMware Transit connect as well as all of the Advertised routes from the Transit Connect.
Note: SDDC Groups will typically include 2 or more SDDCs and not a Single SDDC as we have done in this task. The only exception is when you have one or more Native AWS VPC with Services you need to consume in your SDDC or vice-versa and/or connect your On-Premises to your SDDC(s) via a Direct Connect Gateway.
Task 2.1 - Associate you AWS account with the SDDC Group
- Click the SDDCs tab
- Click view details at the bottom of your SDDC tile
- Click Networking & Security tab
- In the left pane, click Connected VPC
- Record the AWS Account ID, We will use it to Attach a Native VPC to your SDDC Group
- At the top left hand corner of the page, click All SDDCs
- Click SDDC Groups
- Click View Details at the bottom of your SDDC Group Tile
- Click the External VPC Tab
- Click Add account
- In the Dialog, Type in/Paste in the <AWS Account ID> you recorder in Step 5
- Click ADD
- Record your Resource Share Name, You'll need it to confirm the association in AWS
Once added the State of the Account should read ASSOCIATING, we'll go to the AWS Console to approve the association
- From your VDI desktop open a new browser tab and go to the AWS Console - https://vmcexpert{#}.signin.aws.amazon.com/console where {#} indicates your AWS environment (1, 2 or 3)
- Login using the following details. Your actual credentials can be obtained from the Student lab assignment sheet or Excel workbook
- Account ID or alias: vmcexpert# i.e vmcexpert1, vmcexpert2 or vmcexpert3
- IAM user name: VMCEXPERT#-XX(where # is your Environment ID and XX is the number assigned to you)
- Password: <AWS Console PW provided By your instructor>
- Click Sign In
- In the upper left section of the page click Services
- Click Resource Access Manager under Security, Identity and Compliance
- In the left pane click Resource Shares under Resources Shared with me
- You should see your resource share in a Pending state
- Click it
- Click Accept Resource Share
- Click OK
- Go back to the browser tab for your SDDC Console. The state of the Association should now read ASSOCIATED
NOTE: This can take up to 5 mins to Update. You may need to refresh the page - Click the Support tab
- Record the TGW ID, you'll need it for the next task
Task 2.2 - Connect the Native VPC to the Transit Connect
With the AWS Account now associated with the SDDC group our next task is to create a transit Gateway attachment for the Native VPC. this task will be performed from the AWS Console.
- In the AWS Console Browser tab, click Services, then VPC under Networking and Content Delivery
- In the Left pane Click Transit Gateway Attachments, Under transit Gateways
- Click the Create Transit Gateway Attachment Button
- In the Create Transit Gateway Attachment page, Select <your Transit Connect> from the Transit Gateway ID dropdown list
NOTE: You can Identify your transit connect by its ID. You recorded the ID in Task 2.1 step 25 - Select <your VPC>. Look the the VPC Name column to identify your VPC
NOTE: your VPC will be VMCEXPERT#-XX-FSx (Where # is your Environment ID and XX is your student number) - Click Create Attachment
- Click Close
- Back on your SDDC Browser tab, Click External VPC
- Expand the AWS Account attachment by clicking the double arrow (greater-than signs)
- Select the checkbox for the Attachment association
NOTE: The association can take up to 10 mins to Update (Show up). You may need to refresh the page, and wait for it to appear before proceeding - Click Accept
- Wait until the Status changes from PENDING to AVAILABLE before proceeding
NOTE: This process can take as much as 5 mins
Task 2.3 - Add a route to the Native VPC
With the Attachment now complete we need to update the VPC routing table to populate the VMC connected networks as reachable via the VTGW. We will accomplish this in the AWS Console for the FSx VPC (VMCEXPERT#-XX-FSx)
- Go back to the browser tab for your AWS console
- Click Route Tables in the left pane
- In the search field type in <your AWS account string> to find the routing table for your FSx PC. i.e. vmcexpert3-02.
NOTE: Your FSx VPC route table will be named VMCExpert#-XX-FSx-Public Route Table - Select the route table
- Click the Routes tab
- Click Edit Routes
- Click Add Route, and configure the route as follows:
- Destination: <The Network Segment for Desktop-Net> i.e 10.10.1xx.0/24
- Target: <Your Transit Connect>
- Click Save Changes
Task 3.1 - Identity the FSx Service for Consumption
- Go to the browser tab for your AWS Console
- In the upper left-hand section of the page click Services
- Click FSx, under Storage
- Locate your FSx File System Service. It should be named VMCEXPERT#-XX (Where # is your environment ID and XX is your student number
- Click on your FSx File System once located
- Locate and record the Preferred File Server IP Address of the service
We will use this IP to mount the File System Share on our client Virtual Machine later
Task 3.2 - Configure Firewall Access from the SDDC to the Native VPC
- In the browser tab for your VMC on AWS SDDC console, login if your previous session timed out
- vmcexpert#[email protected]
- VMware1!
- Click View Details on your SDDC tile
- Click Networking & Security tab
- Click Gateway Firewall
- Click the Compute Gateway tab
- Click ADD RULE
- Add 2 rules and Configure them as follows:
-
Rule 1
- Name: AWS VPCs to SDDC
- Source: Transit Connect Native VPCs Prefixes
- Destination: SDDC-Workloads
- Service: Any
- Applied to: All Uplinks
- Action: Allow
- Rule 2
- Name: SDDC to AWS VPCs
- Source: SDDC-Workloads
- Destination: Transit Connect Native VPCs Prefixes
- Service: Any
- Applied to: All Uplinks
- Action: Allow
-
Rule 1
- Click PUBLISH
Task 3.3 - Mount the FSx Share on a Windows VM in the SDDC
- Go to the Browser tab for your SDDC vCenter, if you no longer have the tab open, or if your session has expired, Go to the Settings tab of the SDDC to launch a tab to vCenter and/or retrieve the login credentials
- Once logged into the SDDC vCenter, locate Win10-Desktop VM
- Select it and Click LAUNCH WEB CONSOLE
- In the browser tab for Win10-Desktop Console, click Send Ctrl+Alt+Delete
- login as:
- student
- VMware1!
- Bring up the windows command prompt or PowerShell window
- In command prompt or PowerShell
- Type the following
<p>net use z: \\<your efs preferred ip>\share</your></p>- when prompted for user credential type the following:
- username: <vmcexpert#-xx>\admin i.e. vmcexpert3-02\admin
- Password <Your AWS Console PWD>
- Open Windows explorer (File Explorer)
- Click This PC
- You'll see the Z: drive
- Open it
0 Comments
Add your comment