
Connectivity Options for VMware Cloud on AWS Software Defined Data Centers (SDDC) (NET321) - AWS re:Invent 2018


VMware Cloud on AWS gives customers a hybrid cloud platform: they run their VMware workloads in the cloud while keeping seamless connectivity to on-premises resources and AWS native services. In this session, we do a technical deep dive on SDDC networking and on the recent NSX-T announcement of full routing over AWS Direct Connect, which enables optimized migrations and cloud-extension use cases. We also demonstrate a live vMotion of an on-premises workload to a VMware SDDC cluster on AWS with minimal to no network disruption over AWS Direct Connect.


  1. Connectivity Options for VMware Cloud on AWS Software Defined Data Centers (SDDC), NET321. Haider Witwit, Sr. Solutions Architect, AWS/WWPS; Humair Ahmed, Sr. Technical Product Manager, VMware/NSBU. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. Agenda: quick recap of VMware Cloud on AWS; NSX networking and security; connectivity to native AWS services; hybrid connectivity architectures; demo.
  3. (Section divider slide, no text.)
  4. VMware Cloud on AWS: service overview. Service highlights: VMware Software Defined Datacenter on dedicated Amazon EC2 bare metal instances; powered by VMware Cloud Foundation; global AWS footprint, reach and availability; full operational consistency with on-premises vSphere deployments; direct access to native AWS services. (Diagram labels: AWS Global Infrastructure, Customer Data Center, vSphere, vSAN, NSX, vCenter, operational management with vRealize Suite and the ISV ecosystem, native AWS services, AWS CLI.)
  5. Account structure (two-column diagram; only fragments of the slide text survived): VMware Cloud SDDC account: "is owned, operated, and paid ...", "private to VMware Cloud SDDC", "full access to the ..."; "a new AWS account to run ...", "is owned, operated, and ... for all ...".
  6. VMware Software Defined Datacenter (SDDC) in an AWS Region (diagram). VMware-managed side: VMware VPC with VPC network 10.1.0.0/16, Amazon EC2 bare metal ESXi hosts, vCenter, management network (overlay) and compute network (overlay) labelled 192.168.1.0/24 and 192.168.2.0/24, router, MGW, CGW, IGW, VGW. Customer-managed side: Customer VPC with VPC network 10.2.0.0/16, Subnet1 10.2.1.0/24 and Subnet2 10.2.2.0/24, attached to the SDDC over an ENI.
  7. Single-AZ SDDC (diagram): VMware-managed VMware VPC with Host-1, Host-2 and Host-3 in one Availability Zone, MGW and CGW, logical networks 10.101.1.0/24 and 10.101.2.0/24; customer-managed Customer VPC with VPC network 10.100.0.0/16; AWS Region.
  8. Multi-AZ stretched SDDC (diagram): VMware-managed VMware VPC with Host-1 through Host-6 spread across two Availability Zones, MGW and CGW (the diagram also labels an XMGW and a second CGW); customer-managed Customer VPC spanning both Availability Zones; AWS Region.
  9. (Section divider slide, no text.)
  10. VMware Cloud on AWS: NSX-T SDDC. Similarities to the NSX-V SDDC: still the same MGW and CGW model; all logical networks automatically connect to the CGW. Key differences from the NSX-V SDDC: MGW and CGW are logical constructs inside the edge appliance; Tier-0 and Tier-1 routers (MGW = T1, CGW = T1, MGW and CGW connected via T0); DPDK-based edge; non-NSX management appliances sit on an overlay segment. (Diagram labels: VPC network 10.1.0.0/16, appliance management network (overlay), 192.168.1.0/24, 192.168.2.0/24, compute network (overlay), router, logical switch, MGW, CGW, Amazon EC2 bare metal ESXi, vCenter, edge appliance, IGW, VMware managed.)
  11. GUI layout for NSX-T networking and security. Supported add-ons: 1. Distributed Firewall (DFW); 2. Service Insertion (future); 3. Load Balancer (future). Paid add-ons: DFW is a free trial initially; services will be enabled via paid add-on in the future.
  12. New features with NSX-T: security. Micro-segmentation with DFW: granular stateful firewall at the VM level; micro-segmentation within the same L2 network or across different networks; can create multi-tenant environments (no overlapping IPs); can easily isolate networks (Prod, Test, Dev); can easily create DMZ environments. Customers can now migrate workloads to the cloud and get the same level of security that they have on-prem. (Diagram: CGW with compute networks (overlay) 192.168.1.0/24 and 192.168.2.0/24.)
  13. New features with NSX-T: security. Grouping objects: create groups based on different matching criteria, namely IP address, VM instance, VM name and security tag. (Diagram: Web1 and Web2 on 192.168.1.0/24 with a Drop rule between them.)
  14. New features with NSX-T: networking/connectivity. Route-based IPsec VPN: the entire VPC CIDR is advertised (management appliance network and NSX network segments); single VPN tunnel design; private and public address. (Diagram: on-premises router with compute networks 172.16.10.0/24 and the vCenter management network; VMware Cloud on AWS SDDC 10.2.0.0/23 with CGW, MGW, router, vCenter, compute networks (overlay) and management network (overlay) labelled 192.168.1.0/24 and 10.3.10.0/24; tunnel endpoints VTI 1 172.0.0.1 / 172.0.0.2 and VTI 2 172.1.1.1 / 172.1.1.2.)
  15. New features with NSX-T: networking/connectivity. All traffic is supported over the AWS Direct Connect (DX) private VIF; the entire VPC CIDR is advertised (management appliance network and NSX network segments). (Diagram: on-premises router with compute networks 172.16.10.0/24 and the vCenter management network, DX location, private VIF, VGW; VMware Cloud on AWS SDDC 10.2.0.0/23 with CGW, MGW, vCenter and overlay networks labelled 192.168.1.0/24 and 10.3.10.0/24.)
  16. Extending networks to on-premises via L2VPN. The gateway is always on-premises for extended networks. (Diagram: on-premises VLAN or NSX VXLAN backed network WEB 10.3.20.0/24 with GW 10.3.20.254, L2VPN OVA, Tunnel ID = 50 on both ends over AWS Direct Connect (DX); VMware Cloud on AWS edge appliance with CGW and MGW, compute networks (overlay) 10.3.20.0/24 with GW 10.3.20.254, vCenter, management network, router.)
  17. New features with NSX-T: networking/connectivity. Connectivity from compute to the management network: local routing between compute and vCenter management networks. (Diagram: VMware Cloud on AWS SDDC 10.2.0.0/16 with CGW, MGW, router, vCenter, compute networks (overlay) and management network (overlay) labelled 192.168.1.0/24 and 10.3.10.0/24.)
  18. New features with NSX-T: networking/connectivity. vCenter management network access from the connected VPC. (Diagram: customer connected VPC 10.1.0.0/16 with Subnet1 and Subnet2 hosting management workloads, ENI into the VMware Cloud on AWS SDDC 10.2.0.0/16 with router, CGW, MGW, vCenter, compute networks (overlay) and management network (overlay) labelled 192.168.1.0/24 and 10.3.10.0/24.)
  19. New features with NSX-T: operations. Port mirroring and IPFIX. (Diagram: compute networks (overlay) 10.3.10.0/24 and 10.3.20.0/24 behind the router and MGW in VMware Cloud on AWS, ENI to the customer connected VPC 10.1.0.0/16 with Subnet1 and Subnet2.)
  20. New features with NSX-T. Other new features: network segment creation from the console; multiple DNS zones; role-based access control (RBAC); NSX-T APIs with public and private endpoints.
  21. Security considerations for connectivity between workloads, the connected VPC, and on-prem. (Diagram: Internet, Direct Connect, VPN and the customer native AWS VPC enter through the router, which has a default route to T0; MGW FW rules sit in front of the management logical switches (vCenter, monitoring app); CGW FW rules sit in front of the workload logical switches; an Allow rule is shown.)
  22. Internet access and security. All VMs already have SNAT and Internet access by default; DNAT can also be configured for incoming traffic; use the NATed private IPs when configuring Edge and DFW rules. (Diagram: inbound path DNAT, then Edge FW, then routing to a Web VM on the workload logical switch; outbound path routing, then Edge FW, then SNAT; MGW and CGW, management logical switches with vCenter, router.)
  23. (Section divider slide, no text.)
  24. AWS services access models. Private: VPC gateway endpoints; VPC interface endpoints (PrivateLink powered); service endpoints within a customer-managed VPC. Public: direct access to public endpoints.
  27. VPC gateway endpoint: Amazon S3 (diagram). Amazon S3 is reached through an S3 endpoint in the customer-managed Customer VPC (VPC network 10.2.0.0/16, Subnet1 10.2.1.0/24, Subnet2 10.2.2.0/24) from the VMware-managed VMware VPC (VPC network 10.1.0.0/16, Amazon EC2 bare metal ESXi, vCenter, router, MGW, CGW, IGW, management and compute networks (overlay) 192.168.1.0/24 and 192.168.2.0/24) over the ENI.
  29. What services can be accessed using PrivateLink? AWS services: Amazon CloudWatch Logs, AWS CodeBuild, Amazon EC2 API, Elastic Load Balancing API, AWS Key Management Service, Amazon Kinesis Data Streams, AWS Service Catalog, Amazon SNS, AWS Systems Manager, and more; endpoint services hosted by other AWS accounts; supported AWS Marketplace partner services.
  30. AWS PrivateLink overview (diagram): on the service provider side, an NLB in the service VPC (here AWS Systems Manager, ssm.us-east-1.amazonaws.com); on the consumer side, interface endpoint ENIs at 10.1.0.11 and 10.1.1.11 in the customer VPC 10.1.0.0/16; a DNS forwarder in the SDDC sends the service name to the VPC's .2 Route 53 Resolver; consumer VMs on the compute network (overlay) 192.168.1.0/24 and 192.168.2.0/24 behind the CGW and router in the VMware VPC; AWS Region.
  32. AWS services within a customer-managed VPC (diagram): Amazon RDS and an EFS file share in the customer-managed VPC, reached over the ENI from the VMware-managed compute network (overlay) 192.168.1.0/24 and 192.168.2.0/24 behind the CGW and router.
  33. AWS services within a customer-managed VPC (diagram): Amazon WorkSpaces in an AWS-managed WorkSpaces VPC. The user connects with PCoIP (SSL) over the Internet; the WorkSpace's second interface (labels eth0 and eth1) carries data into the customer-managed connected VPC and over the ENI to the VMware-managed compute network (overlay) 192.168.1.0/24 and 192.168.2.0/24 behind the CGW and router in the VMware VPC; AWS Direct Connect (DX) to on-premises.
  34. Application protection using Amazon ALB (diagram): a visitor enters through the IGW to an ALB fronted by WAF and Shield in the customer-managed VPC; the ALB's IP target group points at 192.168.1.10 and 192.168.1.11 on the VMware-managed compute network (overlay) 192.168.1.0/24 and 192.168.2.0/24 behind the CGW and router, reached over the ENI.
  35. (Section divider slide, no text.)
  36. Design architectures (diagram): SDDC1 (CGW, compute networks 192.168.1.0/24, router, MGW, vCenter management network, VGW) and SDDC2 (the same with 192.168.2.0/24); VPC1, VPC2 and a Shared Services VPC with VGWs, ENIs and VPC peering; a DXGW behind the AWS DX router; AWS Direct Connect (DX) to the customer router on-premises (172.16.0.0/24 compute networks, vCenter management network); AWS Region. Requirements: 1. Connect SDDC1 to on-premises. 2. Connect SDDC1 to the Shared Services VPC. 3. Provide similar connectivity for SDDC2. 4. Connect SDDC1 with SDDC2. 5. Connect all VPCs to on-premises. 6. Connection resiliency, no single point of failure.
  37. Design architectures: resiliency (diagram). Same topology as the previous slide: SDDC1 and SDDC2 with CGW, MGW, router, vCenter management network and compute networks (192.168.1.0/24 and 192.168.2.0/24) and VGWs; VPC1, VPC2 and Shared Services with VGWs, ENIs and peering; DXGW behind the AWS DX router; AWS Direct Connect (DX) to the customer router on-premises (172.16.0.0/24); AWS Region. Requirement 6: connection resiliency, no single point of failure.
  38. Design architectures: resiliency (diagram). SDDC1 and SDDC2 (CGW, MGW, router, vCenter management network, compute networks 192.168.1.0/24 and 192.168.2.0/24, VGWs) connected to Shared Services over public IP endpoints (Pub. IP1 and Pub. IP2). Requirement 6: connection resiliency, no single point of failure.
  39. Design architectures: resiliency (diagram). SDDC1 and SDDC2 (CGW, MGW, router, vCenter management network, compute networks 192.168.1.0/24 and 192.168.2.0/24, VGWs); VPC1, VPC2 and Shared Services with VGWs, ENIs and peering; DXGW behind the AWS DX router; AWS Direct Connect (DX) to the customer router on-premises (172.16.0.0/24); AWS Region. Requirement 6: connection resiliency, no single point of failure.
  40. Design architectures: encryption (diagram). The VPN to on-premises terminates on the private IP of the NSX edge and runs over the DX private VIF; SDDC1 and SDDC2 (CGW, MGW, router, vCenter management network, compute networks 192.168.1.0/24 and 192.168.2.0/24, VGWs); AWS DX router, AWS Direct Connect (DX), customer router on-premises (172.16.0.0/24 compute networks, vCenter management network); AWS Region. Requirements: 6. Connection resiliency, no single point of failure. 7. Encrypt connectivity to on-premises.
  41. Design architectures: encryption (diagram). The VPN to on-premises terminates on the public IP of the NSX edge and runs over the DX public VIF; SDDC1 and SDDC2 (CGW, MGW, router, vCenter management network, compute networks 192.168.1.0/24 and 192.168.2.0/24); VPC1, VPC2 and Shared Services with VGWs and ENIs; AWS DX router, AWS Direct Connect (DX), customer router on-premises (172.16.0.0/24); AWS Region. Requirements: 6. Connection resiliency, no single point of failure. 7. Encrypt connectivity to on-premises. 8. Scalability.
  42. Design architectures (diagram): a Transit VPC in front of SDDC1 and SDDC2 (CGW, MGW, router, vCenter management network, compute networks 192.168.1.0/24 and 192.168.2.0/24), VPC1, VPC2 and Shared Services with VGWs and ENIs; AWS Direct Connect (DX) to the customer router on-premises (172.16.0.0/24 compute networks, vCenter management network); AWS Region. Requirements: 6. Connection resiliency, no single point of failure. 7. Encrypt connectivity to on-premises. 8. Scalability.
  43. Design architectures (diagram): Shared Services published through an NLB and consumed through PrivateLink (PL) endpoints in VPC1 and VPC2, which are peered and attached over ENIs to SDDC1 and SDDC2 (CGW, MGW, router, vCenter management network, compute networks 192.168.1.0/24 and 192.168.2.0/24, VGW); AWS Region. Requirements: 6. Connection resiliency, no single point of failure. 7. Encrypt connectivity to on-premises. 8. Scalability (bonus).
  44. (Section divider slide, no text.)
  45. Related breakouts. Monday, Nov 26: CMP305-R [REPEAT] VMware Cloud on AWS: Deep Dive, 6:15 PM - 7:15 PM, Venetian, Level 3, Murano 3205. Monday, Nov 29: ENT215-R1 [REPEAT1] Top Strategic Priorities You Can Tackle with VMware Cloud on AWS, 2:30 PM - 3:30 PM, Venetian, Level 3, San Polo 3405. Monday, Nov 26: GPSTEC307 Storage Deep Dive and Data Protection with VMware Cloud on AWS, 4:45 PM - 5:45 PM, MGM, Level 3, Premier Ballroom 319.
  46. Thank you! Humair Ahmed, Sr. Technical Product Manager, hahmed@vmware.com; Haider Witwit, Sr. Solutions Architect, Haiderw@amazon.com.
  47. (Closing slide, no text.)
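As an added example (not code from the slides, VMware or AWS), the following Python model ties together slides 12, 13 and 22: grouping objects built from the four matching criteria the deck names (IP address, VM instance, VM name, security tag), first-match DFW rules evaluated per VM so that Web1 and Web2 can be isolated even though they share 192.168.1.0/24, a default drop, and an edge DNAT step that runs before the distributed firewall, which is why the rules are written against the private addresses. The inventory, group definitions, ruleset and DNAT table are constructed sample data; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for public IPs.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
import ipaddress
import re


@dataclass(frozen=True)
class VM:
    """One workload in the SDDC inventory (constructed sample data)."""
    name: str
    ip: str                      # private overlay address, the one the DFW sees
    tags: frozenset = frozenset()


# Constructed inventory: Web1 and Web2 share 192.168.1.0/24, App1 and Test1 share 192.168.2.0/24.
INVENTORY: List[VM] = [
    VM("Web1", "192.168.1.10", frozenset({"web", "prod"})),
    VM("Web2", "192.168.1.11", frozenset({"web", "prod"})),
    VM("App1", "192.168.2.10", frozenset({"app", "prod"})),
    VM("Test1", "192.168.2.20", frozenset({"app", "test"})),
]

# Grouping-object criteria from slide 13: IP address, VM instance, VM name, security tag.
Criterion = Callable[[VM], bool]


def by_ip(cidr: str) -> Criterion:
    net = ipaddress.ip_network(cidr)
    return lambda vm: ipaddress.ip_address(vm.ip) in net


def by_vm_name(pattern: str) -> Criterion:
    return lambda vm: re.fullmatch(pattern, vm.name) is not None


def by_tag(*tags: str) -> Criterion:
    return lambda vm: set(tags) <= vm.tags


def by_instance(*names: str) -> Criterion:
    return lambda vm: vm.name in names


GROUPS: Dict[str, Criterion] = {
    "web-tier": by_tag("web"),
    "app-tier": by_tag("app"),
    "prod": by_tag("prod"),
    "test": by_tag("test"),
    "web-segment": by_ip("192.168.1.0/24"),
    "web-named": by_vm_name(r"Web\d+"),
    "app1-only": by_instance("App1"),
}


def resolve(group: str) -> set:
    """Expand a group to the VM names it currently contains."""
    return {vm.name for vm in INVENTORY if GROUPS[group](vm)}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # group name or "any"
    dst: str
    dst_port: Optional[int]  # None = any port
    action: str              # "allow" or "drop"


# Constructed ruleset, first match wins, written against private (pre-NAT) addresses.
RULES: List[Rule] = [
    Rule("web-to-app", "web-tier", "app-tier", 8443, "allow"),
    Rule("no-web-east-west", "web-tier", "web-tier", None, "drop"),
    Rule("isolate-test", "test", "prod", None, "drop"),
    Rule("inbound-https", "any", "web-tier", 443, "allow"),
]
DEFAULT_ACTION = "drop"

# Constructed edge DNAT table: public address -> private address of Web1.
DNAT: Dict[str, str] = {"203.0.113.10": "192.168.1.10"}


def find_vm(ip: str) -> Optional[VM]:
    return next((vm for vm in INVENTORY if vm.ip == ip), None)


def in_group(vm: Optional[VM], group: str) -> bool:
    # "any" also covers addresses with no VM behind them (Internet, on-prem, connected VPC).
    return group == "any" or (vm is not None and GROUPS[group](vm))


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, rule name) for a flow as the distributed firewall sees it."""
    dst_ip = DNAT.get(dst_ip, dst_ip)   # edge DNAT is applied before the DFW evaluates the flow
    src_vm, dst_vm = find_vm(src_ip), find_vm(dst_ip)
    for rule in RULES:
        if (in_group(src_vm, rule.src) and in_group(dst_vm, rule.dst)
                and rule.dst_port in (None, dst_port)):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


if __name__ == "__main__":
    for flow in [("192.168.1.10", "192.168.1.11", 443),    # Web1 -> Web2, same L2 segment
                 ("192.168.1.10", "192.168.2.10", 8443),   # Web1 -> App1
                 ("192.168.2.20", "192.168.2.10", 8443),   # Test1 -> App1
                 ("198.51.100.7", "203.0.113.10", 443),    # Internet -> DNAT -> Web1
                 ("198.51.100.7", "203.0.113.10", 22)]:
        print(flow, "->", evaluate(*flow))
```

Two design points the model makes visible: the same VM can land in several groups (Web1 is matched by tag, by subnet and by name), so group criteria should be reviewed together before trusting an isolation rule; and a rule that named the public address 203.0.113.10 would never match, because by the time the DFW evaluates the flow the destination is already the private address, which is the point slide 22 makes about using NATed private IPs in Edge and DFW rules.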
