VMware Cloud Expert

Lab 06 - Inter-SDDC and Native VPC Connectivity

Updated on

Introduction

An SDDC deployment group uses VMware Transit Connect to provide high-bandwidth, low-latency connections between SDDCs in the group and other VPCs in the same region. You can also add a Direct Connect Gateway (DXGW) to provide centralized connectivity to your on-premises SDDCs.

An SDDC deployment group (SDDC Group) is a logical entity designed to simplify the management of your organization's VMware Cloud on AWS resources at scale. Collecting SDDCs into an SDDC Group provides several benefits to an organization with multiple SDDCs whose workloads need a high-bandwidth, low-latency connection to each other. All network traffic between group members travels over a VMware Transit Connect network. Routing between compute networks of all SDDCs in a group is managed automatically by VMware Transit Connect as subnets are added and deleted. You control network traffic among group member workloads with compute gateway firewall rules.

VMware Transit Connect is a VMware Managed Transit Gateway. It Eliminates the overhead of self-deploying and managing complex configurations to establish a connectivity fabric across VMware Cloud on AWS SDDCs, AWS VPCs, and on-premises environments.

VMware Transit Connect easily enables connectivity across environments and adds networks with an automatic setup of all the necessary routing policy configurations, transparent to the user. The solution is based on the highly available AWS Transit Gateway. It integrates with AWS Direct Connect Gateway to simplify connectivity to on-premises data centers.

Any organization member who has a VMC service role of Administrator or Administrator (Delete Restricted) can create or modify an SDDC Group.

In this lab, we will first create an SDDC Group with a single SDDC, the purpose of this exercise is to show that an SDDC group can contain a single SDDC, but also to highlight that the VMware Transit connect of the SDDC Group can be used to allow high-bandwidth, low-latency connectivity from SDDC(s) in a group to Native AWS VPC(s). 

TASKS

Task 1 - Create a Single SDDC SDDC Group

In order to deploy a VMware Transit Gateway, we'll need to create an SDDC Group.  In the lab our group will only have one SDDC, but it will still have a VMware Transit Gateway.

In the Google Chrome Browser from the VDI desktop:

  1. Click the VMware Cloud SDDC bookmark
    • Login as vmcexpert#-xx@vmware-hol.com (Where # is the Environment ID and xx is your student number) i.e. [email protected]
    • Password = VMware1!
  2. Click on Inventory in the left SDDC navigation column. You should see both your SDDC and your partner's SDDC
  3. In the top right, Click Actions
  4. Under the Actions Dropdown Click Create SDDC Group
  5. In the Name and Description page Name the Group vmcexpert#-XX-SDDC-Grp (Where # is the Environment ID and xx is your student number)
  6. Click Next
  1.  On the Membership page Select <your SDDC> i.e. VMCEXPERT1-01
  2. Click Next
  3. on the  Acknowledgment page Check the Configuring VMware Transit Connect for your group will incur charges per attachment and Data Transfer checkbox
  4. Click Create Group

Only add your Student SDDC to the group

  1. Monitor the Group creation status (this could take up to 10 minutes to complete)
  2. While you are waiting, review the blue box below and explore the SDDC Groups tab
  3. Click View Details once the status changes to Connected

While waiting for the process to complete, let’s review the SDDC Group tabs

vCenter Linking Tab  Allows the Cloud administrator to log in as [email protected] and use the vSphere Client to manage all the vCenter Server systems in the group. If the [email protected] account configures these systems to use single sign-on, then users with accounts in that single sign-on domain can access all the linked systems in the group.

After vCenter linking has been enabled in an SDDC group, the vCenter Server systems in SDDCs added to the group are linked automatically, and vCenter Server systems in SDDCs that are removed from the group are unlinked automatically.

Direct Connect Gateway Tab  After you create an SDDC Group, you can attach an AWS Direct Connect Gateway to it to support high-bandwidth, low-latency connections to your on-premises SDDC.

VMware Transit Connect handles all compute and management network traffic among SDDC group members. Many SDDC group members will also need to make network connections to external endpoints such as on-premises SDDCs, VPCs outside the group, and AWS services that run in them. To enable these kinds of connections, associate an AWS Direct Connect Gateway with the group's VMware Managed Transit Gateway.

Attaching a Direct Connect Gateway to the SDDC group is a multi-step process that requires you to use both the VMC Console and the AWS console. You use the VMC Console to make the VTGW (an AWS resource) available for sharing. You then use the AWS console to accept the shared resource and associate it with the Direct Connect Gateway you'd like to attach to the SDDC Group.

External VPC Tab  Once the SDDC Group has been configured, you can add existing Native AWS VPC to the group. Doing so allows the VMware Transit connect to establish and manage a High-bandwidth, low-latency connection between the SDDC and the Native VPC(s).

External TGW Tab  Allows you to peer the VMware Transit connect of the SDDC Group to an AWS Native Transit Gateway

Routing Tab  The Routing tab displays all of the learned routes to the VMware Transit connect as well as all of the Advertised routes from the Transit Connect.

SDDC Groups will typically include 2 or more SDDCs and not a Single SDDC as we have done in this task. The only exception is when you have one or more Native AWS VPC with Services you need to consume in your SDDC or vice-versa and/or connect your On-Premises to your SDDC(s) via a Direct Connect Gateway.

Task 2 - Associate you AWS account with the SDDC Group

Next we need to associate the customer AWS account with the SDDC Group, so that we can initiate an attachment request to our VPC in the customer account.

  1. Click the Inventory tab
  2. Click Networking & Security tab
  3. Scroll down to find section Connected VPC
  4. Record the AWS Account ID, We will use it to Attach a Native VPC to your SDDC Group
  5. Review the Transit Connect Tile to confirm it is connected to your SDDC
  1. At the top left hand corner of the page, click Inventory
  2. Click SDDC Groups
  3. Click View Details at the bottom of your SDDC Group Tile
  4. Click the External VPC Tab
  5. Click Add account
  6. In the Dialog, Type in/Paste in the <AWS Account IDyou recorder in Step 5
  7. Click ADD
  8. Record your Resource Share Name, You'll need it to confirm the association in AWS

Once added the State of the Account should read ASSOCIATING, it will stay there until we go to the AWS Console to approve the association

 

  1. From your VDI desktop open a new browser tab and go to the AWS Console - https://vmcexpert{#}.signin.aws.amazon.com/consolwhere {#} indicates your AWS environment (1, 2 or 3)
  2. Login using the following details. Your actual credentials can be obtained from the Student lab assignment sheet or Excel workbook
    • Account ID or alias:  vmcexpert# i.e vmcexpert1, vmcexpert2 or vmcexpert3
    • IAM user name:        VMCEXPERT#-XX(where # is your Environment ID and XX is the number assigned to you)
    • Password:                 <AWS Console PW provided By your instructor
  3. Click Sign In
  1. Click Services in the upper left section of the page
  2. Click on Security, Identity and Compliance (you may have to scroll down)
  3. Click Resource Access Manager (you may have to scroll down)
  1. In the left pane click Resource Shares under Shared with me
  2. Click on your resource share (you should see it in a Pending state)
  3. Click Accept Resource Share
  4. Click ACCEPT
  1. Go back to the browser tab for your SDDC Console. The state of the Association should now read ASSOCIATED

This can take up to 5 mins to Update. You may need to refresh the page

  1. Click the Support tab
  2. Record the TGW ID, you'll need it for the next task
Task 3 - Connect the Native VPC to the Transit Connect

With the AWS Account now associated with the SDDC group our next task is to create a transit Gateway attachment for the Native VPC. this task will be performed from the AWS Console.

  1. In the AWS Console Browser tab, click Services
  2. Click on Networking & Content Delivery
  3. Click on VPC

 

  1. In the Left pane, under Transit Gateways, click Transit Gateway Attachments. (you may have to scroll down)
  2. Click the Create Transit Gateway Attachment Button
  1. In the Create Transit Gateway Attachment page, fill in the following information:
    1. Name tag: leave blank
    2. Transit Gateway ID: Select <your Transit Connect>
      NOTE: You can Identify your transit connect by its ID. You recorded the ID in Task 2.1 step 25
    3. Attachment type: VPC
    4. VPC Attachment:  Leave DNS Support checked, others unchecked.
    5. VPC ID: Select <your VPC> (you can type in #-XX to filter the options)
      NOTE: your VPC will be VMCEXPERT#-XX-FSx (Where # is your Environment ID and XX is your student number)
    6. Leave Subnet IDs as is.
    7. Click Create Transit Gateway Attachment (you may need to scroll down)
  2. Click Close

Make sure to pick the VPC that ends with FSx, there will be another VPC with your VMCEXPERT#-XX

  1. Return to your SDDC Browser tab
  2. Click External VPC
  3. Expand the AWS Account attachment by clicking the double arrow (greater-than signs)
  4. Select the checkbox for the Attachment association
  5. Click Accept

NOTE: The association can take up to 10 mins to Update (Show up). You may need to refresh the page, and wait for it to appear before proceeding

  1. Wait until the Status changes from PENDING to AVAILABLE before proceeding

NOTE: This process can take as much as 5 mins to update, you may have to refresh or move off the tab and come back.

Task 4 - Add a route to the Native VPC

With the Attachment now complete we need to update the VPC routing table to populate the VMC connected networks as reachable via the VTGW.  We will accomplish this in the AWS Console for the FSx VPC (VMCEXPERT#-XX-FSx).

  1. Go back to the browser tab for your AWS console
  2. Click Route Tables in the left pane under Virtual Private Cloud
  3. In the search field type in <your VMC on AWS account string> to find the routing table for your FSx VPC. i.e. vmcexpert3-02.
  4. NOTE: Your FSx VPC route table will be named VMCExpert#-XX-FSx-Public Route Table
  5. Select the route table by checking the box on the left (don't click on the blue link)
  6. Click the Routes tab
  7. Click Edit Routes
  1. Click Add Route, and configure the route as follows:
    1. Destination: <The Network Segment for Desktop-Net> i.e 10.10.1xx.0/24
    2. Target:  Transit Gateway --> <Your Transit Connect
    3. Click Save Changes
Task 5 - Identity the FSx Service for Consumption

The File System Service has been preconfigured for us in the Customer VPC, we need to locate it and determine it's IP address so that we can create firewall rules, and later mount it from our Desktop VM.

  1. Go to  the browser tab for your AWS Console
  2. In the upper left-hand section of the page click Services
  3. Click Storage
  4. Click FSx
  5. In the left pane Click File Systems
  1. Type  VMCEXPERT#-XX in the search box (Where # is your environment ID and XX is your student number)
  2. Locate your FSx File System Service. It should be named VMCEXPERT#-XX
  3. Click on the blue link for <your FSx File System> once located
  4. Locate and record the Preferred File Server IP Address of the service

We will use this IP to mount the File System Share on our client Virtual Machine later

Task 6 - Configure Firewall Access from the SDDC to the Native VPC

As with any connection in to or out of our SDDC, we'll need to configure firewall rules to allow for connectivity.  In this case we'll add a generic rule to allow all traffic between our SDDC and the Customer VPC prefixes in both directions.

  1. In the browser tab for your VMC on AWS SDDC console, login if your previous session timed out
  2. Click View Details on your SDDC tile
  3. In the VMware Cloud on AWS portal click the OPEN NSX MANAGER button
  4. Click ACCESS VIA THE INTERNET to connect to NSX Manager UI
  5. Select Security tab
  6. Click Gateway Firewall
  7. Click the Compute Gateway tab
  8. Click ADD RULE
  9. Add 2 rules and Configure them as follows:
    1. Rule 1
      • Name: AWS VPCs to SDDC
      • Source: Transit Connect Native VPCs Prefixes
      • Destination: SDDC-Workloads
      • Service: Any
      • Applied to: All Uplinks
      • Action: Allow
    2. Rule 2
      • Name: SDDC to AWS VPCs
      • Source: SDDC-Workloads
      • Destination: Transit Connect Native VPCs Prefixes
      • Service: Any
      • Applied to: All Uplinks
      • Action: Allow
  10. Click PUBLISH
Task 7 - Mount the FSx Share on a Windows VM in the SDDC

Finally, we'll map a drive on our Windows Desktop VM to our FSx share, confirming that we have routing and security properly configured.

  1. Go to the Browser tab for your SDDC vCenter, if you no longer have the tab open, or if your session has expired, Go to the Settings tab of the SDDC to launch a tab to vCenter and/or retrieve the login credentials
  2. Once logged into the SDDC vCenter, locate Win10-Desktop VM
  3. Select it and Click LAUNCH WEB CONSOLE
  4. In the browser tab for  Win10-Desktop Console, click Send Ctrl+Alt+Delete
  5. login as:
    • student
    • VMware1!
  6. Bring up the windows command prompt or PowerShell window
  7. In command prompt or PowerShell
  8. Type the following
<p>net use z: \\{your efs preferred ip}\share</p>
Click to copy
  1. when prompted for user credential type the following:
    • username: <vmcexpert#-xx>\admin i.e. vmcexpert3-02\admin
    • Password <Your AWS Console PWD>
  1. Open Windows explorer (File Explorer)
  2. Click This PC
  3. You'll see the Z: drive
  4. Open it

Conclusion

We have now created a transit gateway by creating an SDDC Group, created an association between that SDDC Group and our Customer AWS account so that we can attach a customer VPC to the transit gateway.  Once we have routing and security configured, we can use resources in VPCs other than our connected VPC.  

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Previous Article Lab 05 - L7 Security - L7 FW, FQDN Filtering & IDPS
Next Article L07 - SDDC Migration with HCX - Configure HCX Connect & Service Mesh