VMworld 2018: VMware Cloud on AWS with NSX – Use Cases, Design, and Implementation

VMworld 2018: VMware Cloud on AWS with NSX - Use Cases, Design, and Implementation

Many of you who have followed my personal blog and/or posts on VMware Network Virtualization blog, know I have focused on and presented on NSX Multi-site Solutions and Disaster Recovery the last few years at VMworld. This year, I transitioned to focus specifically on VMware Cloud on AWS. Below I give a brief overview of some of the details I covered in the session. You can now see the recorded session for free here. I will also be repeating this session at VMworld in Barcelona in November.

I always enjoy attending VMworld to present and meet with customers. This year, I had the added bonus of doing a book signing for my new VMware Press Book: VMware NSX Multi-site Solutions and Cross-vCenter NSX Design; you can download the free PDF/eBook here.

VMware Press: VMware NSX Multi-Site Solutions and Cross-vCenter NSX Design

VMware Press: VMware NSX Multi-Site Solutions and Cross-vCenter NSX Design

Also, I was excited this year to present on the latest and greatest with NSX networking and security in VMware Cloud on AWS. In my session, VMware Cloud on AWS with NSX – Use Cases, Design, and Implementation, I utilized the majority of the the time to discuss the advanced networking and security capabilities coming to VMware Cloud on AWS with the underlying networking and security platform changing from NSX-V to NSX-T; currently in preview mode.

See my prior post on VMware Network Virtualization Blog: VMware Cloud on AWS: Advanced Networking and Security with NSX-T SDDC where I discuss a lot of these new advanced networking and security capabilities.

Figure 1: NSX-T Features for VMware Cloud on AWS SDDC

Figure 1: NSX-T Features for VMware Cloud on AWS SDDC


In the VMworld session, before digging into the above features, I also provide some details on underlying architecture changes and respective benefits.
Figure 2: VMware Cloud on AWS: NSX-T Architecture

Figure 2: VMware Cloud on AWS: NSX-T Architecture


Below are some details on changes in underlying architecture and benefits from the NSX-T design.

1. vCenter management network is an overlay: can leverage same operational/troubleshooting tools as for compute workloads

Figure 3: vCenter Management Network is an Overlay

Figure 3: vCenter Management Network is an Overlay

2. Workloads behind CGW can talk to management components behind MGW via T0 router; workloads on network segments can can run management tools and automation scripts calling vCenter and NSX Policy Appliance private endpoint APIs

Figure 4: Workloads Behind CGW Can Talk to Management Components Behind MGW via T0 Router

Figure 4: Workloads Behind CGW Can Talk to Management Components Behind MGW via T0 Router

3. ESXi host access from overlay; leveraged by new port mirroring and IPFIX capabilities. You can now run tools like Wireshark and Plixer Scrutinizer on workloads behind CGW and leverage port mirroring and IPFIX capabilities that need access to the ESXi hosts

Figure 5: ESXi Host Access from Overlay

Figure 5: ESXi Host Access from Overlay

4. vCenter management network accessible from native AWS customer VPC; can leverage automation tools running on EC2 instances which can access the vCenter management network

Figure 6: vCenter Management Network Accessible from Native AWS Customer VPC

Figure 6: vCenter Management Network Accessible from Native AWS Customer VPC

5. All traffic (ESXi hosts, management appliance, workload, vMotion, and cold migration traffic) is supported over Direct Connect Private VIF simplifying Direct Connect connectivity from on-prem to VMware Cloud on AWS SDDC

Figure 7: All traffic is Supported over Direct Connect Private VIF

Figure 7: All traffic is Supported over Direct Connect Private VIF


I also discuss the new layout for the Networking & Security tab and how it has been enhanced to provide ease of usability; the menu on the left can be used to easily identify and move between different configurations.
Figure 8: VMware Cloud on AWS Portal - Networking and Security

Figure 8: VMware Cloud on AWS Portal - Networking and Security


Finally, I wrap-up with some design considerations for connectivity to on-prem with Direct Connect and IPSEC Route Based VPN, and L2VPN.

With NSX-T SDDC comes the enhancement where all traffic is now supported over Direct Connect Private VIF. This greatly simplifies connectivity and configuration, and VPNs are no longer required to carry certain traffic. Prior, only ESXi managemnet, vMotion, and cold migration traffic were supported over Direct Connect and IPSEC VPNs had to be established either over Internet or Direct Connect public VIF to carry all other traffic; needless to say, there was more complexity involved here then desired. See my prior blog post on this on the VMware Network Virtualization Blog here.

Now Direct Connect private VIF can be utilized to carry all traffic between on-Prem and VMware Cloud on AWS SDDC, simplifying the solution. Once, Direct Connect is established, the entire VPC CIDR, Mgmt Appliance Network, and NSX Network Segments are automatically advertised to on-prem via BGP. Below is an illustrated example; users’s can setup multiple Direct Connect private VIFs for redundancy.

This entry was posted in Amazon, AWS, AWS, Network Architecture, Network Security, Networking, Security, Tech Events, Technology, Virtualization and Cloud Computing, VMware, VMware, VMware, VMworld 2018 and tagged , , , , , , , , , , , , , , , , , , , . Bookmark the permalink.

1 Response to VMworld 2018: VMware Cloud on AWS with NSX – Use Cases, Design, and Implementation

  1. Thanks a lot for the article post.Much thanks again. Fantastic.

Leave a Reply

Your email address will not be published. Required fields are marked *


9 − two =