VMware Cloud Expert

Lab 03 - SDDC Networking & Native AWS Integration



One of the most compelling reasons to adopt VMware Cloud on AWS is to integrate your existing systems which sit in your VMware Cloud environment, with application platforms that reside in your AWS Virtual Private Cloud (VPC) environment. The integration which VMware and AWS have created allows for these services to communicate, for free, across a private network address space for services such as EC2 instances, which connect into subnets within a native AWS VPC, or with platform services that have the ability to connect to a VPC Endpoint, such as S3 Storage.

Understanding Integration with AWS Services

As the above diagram illustrates, the VMware stack not only sits next to the AWS services but is tightly integrated with these services. This introduces a new way of thinking about how to design and leverage AWS services with your VMware SDDC. Some integrations our customers are using include:

  • VMware front-end and RDS backend
  • VMware back-end and EC2 front-end
  • AWS Application Load Balancer (ELBv2) with VMware front-end (pointing to private IPs)
  • Lambda, Simple Queueing Service (SQS), Simple Notification Service (SNS), S3, Route53, and Cognito
  • AWS Lex, and Alexa with the VMware Cloud APIs

These are only a few of the integrations we’ve seen. There are many different services that can be integrated into your environment. In this exercise we’ll be exploring integrations with both AWS Simple Storage Service (S3) and AWS Relational Database Service (RDS).

How are these integrations possible?

In addition to sitting within the AWS Infrastructure, there is an Elastic Network Interface (ENI) connecting VMware Cloud on AWS and the customer’s Virtual Private Cloud (VPC), providing a high-bandwidth, low latency connection between the VPC and the SDDC. This is where the traffic flows between the two technologies (VMware and AWS). To leverage native AWS services on your SDDCs, deploy your AWS EC2 workloads in the same availability zone to avoid cross AZ traffic charge.

How is traffic across the ENI secured?

From the VMware side (see image below), the ENI comes into the SDDC at the Compute Gateway (NSX Edge). This means, on this end of the technology we allow and disallow traffic from the ENI with NSX Firewall rules. By default, no ENI traffic can enter the SDDC. Think of this as a security gate blocking traffic to and from AWS Services on the ENI until the rules are modified.

On the AWS Services side (see image below), Security Groups are utilized. For those who are not familiar with Security Groups, they act as a virtual firewall for different services (VPCs, Databases, EC2 Instances, etc). This should be configured to deny traffic to and from the VMware SDDC unless otherwise configured.

In this exercise, everything has been configured on the AWS side for you. You will however walk through how to open AWS traffic to come in and out of your VMware Cloud on AWS SDDC.

Note:There is a requirement in this lab to have completed all the steps in the Working with your SDDC Lab.


Task 1 - Allow traffic through the ENI

In this lab, you will configure service integration and consumption between the SDDC and AWS Connected VPC. We will use the web server VMs you created in the previous lab to consume services in AWS. We start by consuming an RDS database. We then have optional exercises where you'll consume other services such as ELB, & NFS

Task 1.1 - Create Security Groups

We will now create a security group we will use in the firewall rules to allow traffic to and from the AWS RDS.

  1. In the VMware Cloud on AWS portal click the Networking & Security tab
  2. Click Groups in the left pane
  3. Click Compute Groups
  4. Click ADD GROUP
  1. Type PhotoAppVM for the Name
  2. Click the  Set Member link
  3. In the popup, Select Members Tab
  4. From the Drop Down change the Category to Virtual Machines
  5. Select and check Webserver01 and Webserver02
  6. Click Apply to close the popup then Save

Task 1.2 - Create Gateway Firewall rule

We will now create the required firewall rules to allow the PhotoAppVM access to Services running in the Connected VPC and vice versa.

  1. Click Networking & Security tab in your VMware Cloud on AWS Portal
  2. Click Gateway Firewall in the left pane
  3. Click and select Compute Gateway
  4. Click+ ADD RULE
  5. Click on the "New Rule" Text to change the name of your new rule to AWS Inbound
  6. Hover over the Source field and click on the blue Edit button 
  7. In the popup, Select Connected VPC Prefixes
  8. Click Apply to close the popup
  9. Hover over the Destination field and click on the blue Edit button
  10. In the popup, Select PhotoAppVM
  11. Click Apply
  12. Leave Service as Any
  13. Leave applied to as All Uplinks
  14. Repeat Steps 4 - 13 to create a 2nd rule - This time set 
    • Name the Rule AWS Outbound
    • PhotoAppVM as the Source 
    • Connected VPC Prefixes as the destination
      MySQL for Services. You can use the filter in top right of the popup or scroll to find it
  15. Add a 3rd Firewall rule Named Public In & set as follows:
    • Any as Source
    • PhotoAppVM as Destination
    • HTTP as Services
  16. To the far right of each rule click the GEAR
  17. Slide the Slider in the Dialog to enable logging
  18. Click APPLY
  19. Click PUBLISH to save and activate the rules

Note: Make sure to leave All Uplinks in the Applied To section.

Task 2 - Enable Public Internet access to the PhotoAppVM

The PhotoAppVM (webserver01) currently has a private IP address (10.10.X.X) and thus not internet routable. to allow public internet access to the VM You'll first need to request a Public IP address. After the public IP address is provisioned, you will configure NAT to direct traffic from the public IP address to the private IP address of the PhotoAppVM.

Task 2.1 - Request a public IP address

You can request public IP addresses to assign to workload VMs to allow access to these VMs from the internet. VMware Cloud on AWS provisions the IP address from AWS.

As a best practice, release the public IP addresses that are not in use.


Verify that your VM has been assigned an IP address assigned from its logical network.

You will be using the VM created in the previous module in order to complete this exercise.

  1. In your vCenter interface for VMware Cloud on AWS, find your Webserver01 VM you deployed, and ensure it has been assigned an IP address as shown in the graphic.
  2. Take note of the IP address (Record the IP in the Excel Workbook provided)
Task 2.1.1 - Request Public IP
  1. Go back to your VMware Cloud on AWS portal and click on the Networking & Security tab in order to request a Public IP address
  2. Click Public IPs in the left pane
  3. Click on REQUEST NEW IP
  4. In the notes area type PhotoAppIP
  5. Click SAVE
  6. Take Note of and record this Public IP address (It will be used in the next task to setup Network Address Translation (NAT) for webserver01)

Task 2.2 - Create a NAT Rule

  1. Click NAT in the left pane
  2. Click ADD NAT RULE
  3. Type PhotoApp NAT for Name
  4. Ensure the Public IP you requested in the previous step appears under Public IP (it should auto populate, but if it does not click back on the Public IPs menu item and take note of the IP)
  5. Leave All Traffic(no change)
  6. For the Internal IP, type the IP address of your Webserver01 VM you noted in task 2.1
    See your Excel workbook for this IP if you've forgotten it
  7. Move the Slider to the right (YES) to enable Logging
  8. Click SAVE (a green successful notification should appear momentarily)
Task 3 - AWS Relational Database Service (RDS) Integration

Amazon RDS makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching, and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security, and compatibility they need.

In this exercise, you will be able to integrate a VMware Cloud on AWS virtual machine to work in conjunction with a relational database running in Amazon Web Services (AWS) that has been previously set up on your behalf.

Task 3.1 - View AWS RDS Instance

On your browser, open a new tab and go to: https://vmcexpert{#}.signin.aws.amazon.com/console where {#} indicates your AWS environment (1, 2 or 3)

The Credentials below are from the AWS Console portion of your student lab assignment sheet

  1. Account ID or alias:  vmcexpert# i.e vmcexpert1, vmcexpert2 or vmcexpert3
  2. IAM user name:        VMCEXPERT#-XX(where # is your Environment ID and XX is the number assigned to you)
  3. Password:                 <AWS Console PW provided By your instructor

Click Sign In


  1. You are now signed into the AWS console. Make sure the region selected is US West Oregon us-west-2 If you are using vmcexpert1 or vmcexpert2 environments or chose Europe (Frankfurt) eu-central-1, if you are using vmcexpert3
  2. Expand the All Services drop down then select  the RDS service under the Database group
  1. In the Amazon RDS left pane click on Databases
  2. Search for your student number (i.e. 01 through 31) Click the text under the DB Identifier column into the RDS instance that corresponds to your designated student number
  3. Ensure that you are on the Connectivity & Security Tab, Scroll down to the Connectivity & Security section, look inside the Security subsection at the Public Accessibility details
    Notice the RDS instance is not publicly accessible, meaning this instance can only be accessed from within AWS.

Task 3.2 - View the AWS RDS pre-configured Security Policy settings

  1. Click on the blue hyperlink corresponding to your Student##-RDS underneath the VPC Security groups text
  2. Check / Select the Student##-RDS-Inbound RDS Security group corresponding to you (may not match your student number.
  3. After highlighting the appropriate security group click on the Inbound tab in the pane below
  4. Review the Inbound rules, and note that your PhotoAppVM should be allowed access to TCP Port 3306
  5. Click Outbound tab
  6. You can see All traffic (internal to AWS) is allowed; this includes your VMware Cloud on AWS SDDC logical networks.

Note: VMware Cloud on AWS establishes routing in the default VPC Security Group, only RDS can leverage this or create its own

Task 3.2.1 - View the AWS RDS ENI Settings

AWS Relational Database Service (RDS), also creates its own Elastic Network Interface (ENI) for access which is separate from the ENI created by VMware Cloud on AWS.

  1. Click on the Services drop down to go back to the Main Console
  2. Click on EC2 under Compute
  3. In the upper left-hand corner move the slider left to close the New EC2 Experience page
    If you get the Feedback to EC2 dialog, click Cancel


  1. From the EC2 Dashboard navigate to the Network & Security menu in the left panel then click Network Interfaces.
  2. All Student environments belong to the same AWS account, therefore, hundreds of ENI’s may exist.
    In order to minimize the view type
    RDS in the search area and press Enter to add a filter
  3. Expand the Security Group column to see the names or the Primary Private IPv4 column (the 2nd and 3rd number in the 2nd octet corresponding to your student number) and to find your VMCEXPERT#-XX-RDS-Inbound security group corresponding to your student number.
  4. Check the box to your corresponding RDS SG as found in the steps above
    Note: In the screenshot below <vmcexpert3-01-RDS-Inbound>
  5. Once selected, look in the details pane below to find the Primary private IPv4 IP. Copy this address to your notes for the next step

Task 3.3 - Configure & Test the PhotoApp against the AWS RDS

You will now access the PhotoApp and update it's Database Connection (DSN - Data Source Name) by pointing it to the RDS instance. Once this is done you'll test the app by uploading some photos into the gallery.

  1. On your smart phone (tablet or personal computer), open up a browser and type your public IP address you requested in the VMware Cloud on AWS portal in the browser address bar followed by /Lychee (case sensitive) ie:

NOTE: This is the IP You used to setup the NAT Rule for webserver01 (Task 2.1.1, Steps 3 - 6).  See your worksheet, if you recorded it there.

  1. Enter the database connection information below (case sensitive), using the IP address (Primary Private IP) you noted in the previous task from the RDS ENI:
    • Database Host: x.x.x.x
    • Database Username: admin 
    • Database Password: <AWS Console PW provided By your instructor>
  2. Click Connect (Username and Password are Case-Sensitive)
  1. In the 'Enter a username and password for your installation dialog type
    • admin
    • AWS Console PW provided By your instructor (you will use this PW to login in the upcoming lab tasks so ensure you set it with appropriate case)
  2. Click Create Login
  3. Upload a few images into the Public folder 

Congratulations, you have successfully logged in to the photo app, configured it to use the AWS RDS Database running in the Connected VPC and uploaded some images.



In summary, the front end (web server) is running in VMware Cloud on AWS as a VM, the back end which is a MySQL database is running in AWS Relational Database Service (RDS) and communicating through the Elastic Network Interface (ENI) that gets established upon the creation of the SDDC.

You have completed the required AWS Integration Lab.


VMware Cloud on AWS enables you to have a hybrid cloud platform by running your VMware workloads in the cloud while having seamless connectivity to your AWS native services.

The integration which VMware and AWS have created allows for these services to communicate, for free, across a private network address space for services such as EC2 instances, which connect into subnets within a native AWS VPC, or with platform services which have the ability to connect to a VPC Endpoint, such as S3 Storage.

In these optional lab exercises we will build on what we learned from the previous lab tasks by configuring integration with other Native AWS Services such as:

  • Amazon Elastic File System (EFS)
  • Elastic Load Balancing (ELB)

When you deploy an SDDC on VMware Cloud on AWS, it is created within an AWS account and VPC dedicated to your organization and managed by VMware. You must also connect the SDDC to an AWS account belonging to you, referred to as the customer AWS account. This connection allows your VMC SDDC to access AWS services belonging to your AWS VPC account.

Additional Lab 1 - Consuming EFS Storage in VMC on AWS

Although the VMware Cloud on AWS SDDC Provides a multi-TB datastore for storing Virtual Machines and supporting files, there may be specific criteria of application data that you want running on your NVMe drives, and other data that is classified as ‘lower tier’. If that is the case, one of the options you have with VMware Cloud on AWS is to leverage Amazon Elastic File System (EFS) for additional data. You can think of EFS as a very simple and easy to use Network File Share. A single EFS can be added to multiple VMs if you choose to do so, or to single VM


  • Configure Compute Gateway Firewall Rules for Elastic Network Interface (ENI) traffic
  • Configure AWS Security Groups to allow traffic to/from VMware Cloud on AWS (VMC)
  • Amazon supports this for Linux operating systems only at this time.

Task 1 - Configure VMC on AWS Gateway Firewall Rules

Because all traffic over the ENI is denied by default, you need modify the gateway firewall to allow the required traffic to flow uninterrupted. For this reason we will modify the "AWS Outbound" rule on the Compute Gateway to allow access to EFS over the ENI.

  1. In the VMC on AWS Console Click the Networking & Security tab
  2. Click Gateway Firewall
  3. Click Compute Gateway
  4. Hover over the Services field of the "AWS Outbound" Rule and Click the Edit (Pencil Icon)
  5. In the Search field of the Set Services Dialog Type NFS & Press Enter
  6. Select NFS(TCP) & NFS(UDP)
  7. Click Apply
  8. Click Publish

Task 2 - Review the EFS Settings in AWS

We will now access the AWS Console to confirm the existence of a pre-deployed EFS. We'll also need to identify the IP address of the EFS, as we'll need to to create the mount in your Virtual Machine.


  1. Log into the AWS console using the AWS console link and credentials in the student lab assignments worksheet.
  2. Confirm you are administering services in the Oregon Region (top right corner drop down)
  3. If not, Click the drop-down and select US West (Oregon) us-west-2 (If you are using vmcexpert1 or vmcexpert2 environment)
    select Europe (Frankfurt) eu-central-1 (if you are using vmcexpert3)
  4. Click the Services drop down then select Storage > EFS 
  5. In the list of file systems find your EFS (VMCExpert#-xx, where # is the Environment ID, and xx is your student number)
  6. Click <your EFS Instance> vmcexpert#-xx text  to view its details
  7. Click the Network tab
  8. Record the IP address of your EFS (e.g.
  9. Note: You will need this IP to mount the share in your Webserver01 VM

Task 3 - Mount an EFS share in a VM running in VMC on AWS


  1. If the browser tab to the SDDC vCenter is still open navigate to it. If not Open a new Tab and log onto the VMC SDDC vCenter.
  2. NOTE: You can access the vCenter Information and login details from the settings tab of the VMC on AWS Console
  3. Select webserver01
  5. In the browser tab for webserver01. if needed, Log in as
  6. login: root 
  7. password: VMware1!


  1. At the shell prompt enter the following commands (note, your current directory must be /var/www/html/Lychee for the prep-webserver-1.sh script to work correctly - make sure to run the cd command as shown):
<p>cd /var/www/html/Lychee
./prep-webserver-1.sh <your_efs_ip></your_efs_ip></p>

This script converts the storage of the photo app from the local file system to an NFS share on AWS EFS

to view the operations performed by the script let's take a look at the script

<p>cat /var/www/html/Lychee/prep-webserver-1.sh</p>

Now let's take a look at the NFS mount to confirm the Images were copied

<p>ls /var/www/html/Lychee/uploads/big</p>

Task 4 - Clone Webserver01  

We will now clone webserver01 to create a new Virtual Machine "webserver03". We preform this task to confirm webserver03 continues to have access to the files in the central repository as webserver01.


  1. In the vSphere Client Select and right-click webserver01
  2. Select clone --> Clone to Virtual Machine
  3. On the Select a Name and Folder page name the virtual machine name enter webserver03
  4. Expand the SDDC > SDDC DC > and highlight Workloads
  5. Click Next
  6. On the Select a Compute Resource page select the Compute-ResourcePool
  7. Click Next
  8. On the Select Storage page select the WorkloadDatastore
  9. Click next
  10. On the Select Clone Options page click the following check-boxes
    • Customize the operating system 
    • Do not Select Power on virtual machine after creation 
  11. Click Next to continue.
  12. On the Customize Guest OS page select the LinuxSpec customization specification.
  13. Click Next to continue.
  14. Review the information for accuracy and click Finish to clone the virtual machine.

It should take a couple of minutes for the virtual machine to clone. While this happens upload a couple of additional images to the Public Gallery from webserver01

Task 4.1 - Add webserver03 to PhotoAppVM Group


In a previous task we created the PhotoAppVM Group which we used in the Gateway firewall rule. We need to add webserver03 to this group. Doing so will add it to the firewall rule along with webserver01

  1. In the VMC on AWS SDDC Console click the Networking & Security tab
  2. Click Groups
  3. Click the 3 vertical dots next to the PhotoAppVM Group
  4. Click Edit
  5. Click Members
  6. Click the Members tab
  7. Select webserver03 to add it to the group
  8. Click APPLY
  9. Click SAVE

The clone of webserver03 should be complete by now. In the vSphere Client select webserver03 and power it on (or reboot it if it's already powered on).

NOTE: If the VM powered-on before you modified the group in the steps above, you'll need to reboot it before proceeding


Task 4.2 - Verify Access to NFS from webserver03


  1. Select webserver03
  2. Review and record webserver03 IP address (You'll need this IP when creating a NAT rule for webserver03)
  4. In the browser tab for webserver03. Log in as
  5. login:        root
  6. password: VMware1!


  1. At the shell prompt enter the following commands
<p>mount | grep nfs</p>

You should see a mount point at /var/www/html/Lychee/uploads

<p>ls /var/www/html/Lychee/uploads/big/</p>

You should see the two additional files you uploaded in the previous task

Additional Lab 2 - Load-balancing Applications in VMC on AWS with Amazon Application Load balancer

In this lab, we will show how to leverage an Amazon Application Load Balancer (ALB) with Virtual Machines running in a VMware Cloud on AWS SDDC.

In this session we will load balance webserver01 and webserver03 (PhotoAppVM). We will then test connectivity to the PhotoVMApp via the Amazon Application Load-Balancer.

We will begin by requesting a public IP for webserver03 and define a NAT rule for it. Doing so ensure webserver03 is addressable from the internet and not just the private application network.  

Task 1 - Request a public IP for Webserver03

Make sure you're logged into the VMC on AWS Console, and viewing the details of your SDDC (VMCEXPERT#-XX)

  1. Click the Networking and Security Tab
  2. Click Public IPs
  4. In the Noted Field type PhotoAppVM-Web03
  5. Click Save
  6. Record the Newly requested Public IP, you will use it to Configure the NAT rule for webserver03

Task 2 - Setup a NAT rule for Webserver03

To setup a NAT rule we need the Public IP (which you already requested and recorded in the previous task) and the Private IP of webserver03. We will begin this task by confiring the IP address of webserver03


  1. In the vSphere Client Click webserver03
  2. From the summary screen view and record the IP address of Webserver03
  3. On the Networking and Security tab Click NAT
  4. Click ADD NAT RULE
    1. Type PhotoApp-Web03 NAT in the Name field
    2. Select <your Newly requested Public IP> in the Drop-down field for Public IP
    3. Type the <Private IP for webserver03> in the Internal IP field (10.10.x.x)
    4. Click Save.

If needed, you can access the vSphere Client URL and cloudadmin username and password from the Settings tab of the VMC on AWS Console


On your Phone or Computer access the PhotoApp on webserver03 by typing http://<Public ip>/Lychee in your browser.
When prompted to login, enter (if not prompted select the arrow at the top left)

  1. admin
  2. <AWS Console Password Provided by your instructor> for Password
  3. Click Sign In

Task 3 - Configure AWS Native ALB to load balance PhotoApp

On your browser, open a new tab and go to: https://vmcexpert{#}.signin.aws.amazon.com/console where {#} indicates your AWS environment (1, 2 or 3)

Account ID or alias:  vmcexpert{#} i.e vmcexpert1

IAM user name:        VMCEXPERT#-XX(where # is the Environment ID and xx is the number assigned to you)

Password:                 <AWS Console PW provided By your instructor>

Click Sign In

Task 3.1 - Add Web Servers to the Amazon Application Load Balancer


  1. In the upper left-hand Click Services then EC2
  2. In the upper left-hand corner move the slider Right to enable the New EC2 Experience page

NOTE: In the previous lab, we disabled "New EC2 Experience" dashboard. This steps reverts back to the "New EC2 Experience". Not enabling this mode will cause a mismatch between the lab steps and your interface.

  1. In the Left pane under Load Balancing, Click Target Groups
  2. Find and click the text for your target group <vmcexpert#-xx-default> (where XX is your student number)


  1. Click the Targets tab
  2. Click Register targets


  1. In the Network Drop-Down list, select Other Private IP address
  2. In the IP Field Enter the <Private IP address of Webserver01>
  3. Click Include as pending below 
  4. Repeat steps 6 & 7, this time using the <Private IP for webserver03>
  5. Click Register pending targets
  6. Wait 10-20 seconds, click the refresh circle, the status should turn from ‘initial’ to ‘healthy
Task 3.2 - Validate the Application Load Balancing


  1. Click Load Balancers
  2. Type <VMCEXPERT#-XX> in the Search field to Find your load balance, Where XX = your student number. i.e. VMCEXPERT3-01
  3. Select the Load Balancer
  4. From the Description tab copy the DNS name <VMCEXPERT#-XX-UID.(region).elb.amazonaws.com>


  1. Paste the DNS Name in your browser and append /Lychee  to access the PhotoApp via ALB
    i.e. vmcexpert3-01
  2. If you aren't prompted for a login, Click the exit icon in the upper-right hand of the application page
  3. When prompted to login in use the following:
    • admin for Username (where XX is your student number)
    • <Password Provided by your instructor> for Password
    • Click Sign In
Task 3.2.1 - Test Load Balancer functionality


  1. In your browser type <your ALB DNSName>/Lychee/plugins/Diagnostics (Note Case-sensitivity)
  2. i.e.  student20-1218955224.us-west-2.elb.amazonaws.com/Lychee/plugins/Diagnostics/  
    The output should report to you the server currently displaying the page


  1. In the vSphere Client select the <webserver VM> reported above
  2. Click Power-off to Power-off the <webserver VM>
  1. In the AWS Console, select Target Groups under Load Balancing
  2. to review the status of the targets
  3. Select your <VMCEXPERT#-XX>-default (Your Load Balancer Target Group) where XX is your student number
  4. Click the Targets tab
  5. After 60 secs the powered off VM state should report unhealthy


  1. In a new Google Chrome incognito window type <your ALB DNSName>/Lychee
    i.e.  vmcexpert3-01-1218955224.eu-central-1.elb.amazonaws.com/Lychee
  2. You can repeat step one to confirm your load-balancer is directing request to your other web server
  3. Power-on your previously powered-off vm in step 2


A separate software load balancer is not required  to be deployed in the VMware stack to provide load-balancing functionality for your Applications running in VMware Cloud on AWS. There is no additional updating or maintenance to be performed with your load balancer as you can instead use the one provided by AWS.


Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Previous Article Lab 02 - Working with your SDDC
Next Article Lab 04 - On-Premises integration with VMC on AWS