Network is the foundation on which all other services depend, and it is fundamental that, from both the AWS and VMware perspective, we get this right before doing anything else. In this blog, which follows on from VMware Cloud on AWS Overview, VMware Cloud on AWS – Elastic Resource Management, and VMware Cloud on AWS – Storage overview, we will go over the on-boarding process and review what I have gleaned about the network setup.
AWS VPC and On-boarding
During the on-boarding process new customers must either create or link an existing AWS account to their VMware SDDC account.
If you need to create a new AWS account, here are some pointers. The master or root account is created with an email address as the user name; this account should be treated as super-user access and used only to create other accounts.
You may find it best to create a new email distribution list and open the account with that address.
AWS best practice is to set up MFA (multi-factor authentication) on root accounts; you can use Google Authenticator or buy a Gemalto MFA device from Amazon: https://aws.amazon.com/iam/details/mfa.
Take time to put in place some best practice within your organization on who gets to log in as root, who holds the MFA device, etc.
For general day-to-day access to AWS (this assumes you are going to use more than the VMC services, as those are billed directly by VMware), create individual named users in IAM and give them appropriate privileges, including the ability to see billing.
Another point you will likely encounter is that you need to enter credit card details to set up an AWS account; in a large organization you may have to arrange for the CFO to enter them.
It is a good idea to set up AWS billing alerts so you know if spend passes a set amount. For audit purposes AWS has a service called CloudTrail that collects logs; it can be turned on and used for auditing of account logon access.
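As an added example (not code from the original post, nor from VMware or AWS), the following script shows the kind of check the CloudTrail point above enables: it reads a CloudTrail log file body and flags every console login made by the root user, rating a successful root login without MFA as high severity. The record shape follows CloudTrail's ConsoleLogin event format; the three events, the account id and the IP addresses are constructed sample data.

```python
"""Flag root-account console logins in a CloudTrail log file.

Added example, not code from the original post or from VMware/AWS. The record
shape follows CloudTrail's ConsoleLogin event format; the events, account id
and IP addresses below are constructed sample data.
"""
import json
from typing import Any, Dict, List

# Constructed sample: a CloudTrail log file body with three ConsoleLogin events.
SAMPLE_LOG = json.dumps({"Records": [
    {   # IAM user signing in with MFA: expected, not reported
        "eventTime": "2018-02-01T08:00:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "accountId": "111122223333"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # Root signing in successfully without MFA: the case the post warns about
        "eventTime": "2018-02-01T09:15:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "Root",
                         "arn": "arn:aws:iam::111122223333:root",
                         "accountId": "111122223333"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # Failed root attempt: still worth a look, but lower severity
        "eventTime": "2018-02-01T22:40:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "Root",
                         "arn": "arn:aws:iam::111122223333:root",
                         "accountId": "111122223333"},
        "responseElements": {"ConsoleLogin": "Failure"},
        "errorMessage": "Failed authentication",
        "additionalEventData": {"MFAUsed": "No"},
    },
]})


def root_console_logins(records: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per ConsoleLogin event made by the root user.

    A successful root login without MFA is rated 'high'; any other root
    login attempt (failed, or made with MFA) is 'medium'. Non-root logins
    are ignored here; a fuller audit would also report IAM users without MFA.
    """
    findings = []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if rec.get("userIdentity", {}).get("type") != "Root":
            continue
        outcome = rec.get("responseElements", {}).get("ConsoleLogin", "Unknown")
        mfa_used = rec.get("additionalEventData", {}).get("MFAUsed", "Unknown")
        severity = "high" if outcome == "Success" and mfa_used != "Yes" else "medium"
        findings.append({
            "time": rec.get("eventTime", ""),
            "source_ip": rec.get("sourceIPAddress", ""),
            "outcome": outcome,
            "mfa_used": mfa_used,
            "severity": severity,
        })
    return findings


def audit_log_file(body: str) -> List[Dict[str, str]]:
    """Parse a CloudTrail log file body and return root-login findings."""
    return root_console_logins(json.loads(body).get("Records", []))


if __name__ == "__main__":
    for f in audit_log_file(SAMPLE_LOG):
        print(f"{f['time']} root login from {f['source_ip']}: "
              f"{f['outcome']}, MFA={f['mfa_used']} [{f['severity']}]")
```

In practice the log bodies come from the S3 bucket CloudTrail delivers to (they are gzip-compressed there); the filter above is what you would run over each file, or express as a CloudWatch metric filter, so that any use of the root credentials outside the agreed procedure is noticed.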
The impression I got from VMware is that they will help you through this phase; once the AWS account is set up, you will basically hand over privileged access to VMware so they can set up and manage VMC on your behalf.
Customer AWS VPC Configuration
The first configuration task is the creation of a VPC. In AWS this is a private CIDR range that can be divided into multiple subnets, for example 10.0.0.0/16 with 10.0.0.0/20 subnets.
Make a special note that VPC subnets should not overlap the on-premises network; otherwise you will have a routing headache back at the office.
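Here is an added example (not from the original post) of how to check that point before creating the VPC: it validates a proposed block against AWS's documented /16 to /28 size limits for a VPC CIDR, rejects it if it overlaps any on-premises range, and then carves the /20 subnets the post mentions out of the 10.0.0.0/16 example. The on-premises ranges are constructed placeholders; substitute your own.

```python
"""Plan a VPC CIDR and subnets that do not overlap on-premises ranges.

Added example, not from the original post. The on-premises ranges are
constructed placeholders; replace them with your own. The /16 to /28 bounds
are AWS's documented limits for a VPC CIDR block.
"""
import ipaddress
import itertools
from typing import Iterable, List, Tuple

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28  # AWS allows VPC blocks from /16 to /28


def find_overlaps(candidates: Iterable[str], existing: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (candidate, existing) pairs whose address ranges overlap."""
    cands = [ipaddress.ip_network(c, strict=False) for c in candidates]
    known = [ipaddress.ip_network(e, strict=False) for e in existing]
    return [(str(c), str(k)) for c in cands for k in known if c.overlaps(k)]


def carve_subnets(vpc_cidr: str, new_prefix: int, count: int) -> List[str]:
    """Return the first `count` subnets of length /new_prefix inside vpc_cidr."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if new_prefix <= vpc.prefixlen:
        raise ValueError(f"subnet prefix /{new_prefix} is not longer than the VPC's /{vpc.prefixlen}")
    # islice so a large VPC with small subnets does not enumerate every subnet
    subnets = list(itertools.islice(vpc.subnets(new_prefix=new_prefix), count))
    if len(subnets) < count:
        raise ValueError(f"{vpc_cidr} only holds {len(subnets)} /{new_prefix} subnets")
    return [str(s) for s in subnets]


def plan_vpc(vpc_cidr: str, on_prem: Iterable[str],
             subnet_prefix: int = 20, subnet_count: int = 4) -> List[str]:
    """Validate the VPC block against AWS limits and on-prem ranges, then carve subnets."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not (VPC_MIN_PREFIX <= vpc.prefixlen <= VPC_MAX_PREFIX):
        raise ValueError(f"{vpc_cidr}: AWS VPC blocks must be between "
                         f"/{VPC_MIN_PREFIX} and /{VPC_MAX_PREFIX}")
    overlaps = find_overlaps([vpc_cidr], on_prem)
    if overlaps:
        clashes = [known for _, known in overlaps]
        raise ValueError(f"{vpc_cidr} overlaps on-premises range(s): {clashes}")
    return carve_subnets(vpc_cidr, subnet_prefix, subnet_count)


if __name__ == "__main__":
    # Constructed on-premises ranges; the VPC block is the post's 10.0.0.0/16 example
    office = ["192.168.0.0/16", "172.16.0.0/12"]
    print(plan_vpc("10.0.0.0/16", office))
    try:
        plan_vpc("10.0.0.0/16", office + ["10.0.128.0/17"])
    except ValueError as err:
        print("rejected:", err)
```

Feed `on_prem` from the routes you actually advertise over the VPN (not just the ranges you think you use); a forgotten lab or DMZ range is the usual source of the routing headache the post describes.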
From what I understand, the customer VPCs are used to connect to VMware's single-tenant VPC where the ESXi hosts live.
The customer must have a VPC in place so that the endpoints (VMware ENIs) can connect to the VMware VPC.
On setup, the VMC is configured with a management network and a compute network; from the VMC console it should look something like this.
Two NSX Edge devices act as gateways. The management gateway connects the ESXi hosts, vCenter Server and NSX to on-premises. The compute gateway provides connectivity for all workload virtual machines.
For traffic between VMC and on-premises, an L3 VPN connection is currently used; AWS Direct Connect should be available soon.
Access to the AWS infrastructure, however, is through an Elastic Network Interface (ENI).
The ESXi hosts themselves are connected to the VPC via an AWS Elastic Network Adapter (ENA) that supports 10 Gbps+ throughput.
Advantages of having vSphere in AWS
You might initially have thought this was a colocation cloud, but start to think about how you can consume AWS services and why having an SDDC inside AWS infrastructure is a game changer.
For example, S3 is charged based on storage used, GET and other requests, inter-region transfer out, and data transfer out of the AWS infrastructure.
Here are some quick numbers for US-East:
If I store 50 TB on S3 Standard, the monthly cost is $1177; adding 10 TB of inter-region transfer costs another $205, but moving 10 TB out of the AWS platform is a whopping $921.
AWS Availability Zones are physically independent datacenters connected by high-speed networks. Some services are region-wide, in other words they replicate between AZs, but many live in a single availability zone, with multi-AZ as an option. The point is that when you access services such as S3 from within the region, the transfer-out costs disappear.
You can access an S3 bucket in your connected AWS account by creating an S3 endpoint, avoiding the charges for transferring from S3 to your VMs in VMC.
You can also deploy EC2 instances in your connected Amazon VPC and allow a connection between those instances and the virtual machines in your SDDC. Once again this traffic stays inside the region; for minimum latency keep it in the same AZ.
The win-win is the proximity of VMC to the other AWS services. As we get further down this path we will see how services such as File or Volume Gateway can be incorporated; database, analytics and big data services are now living next door to your vSphere infrastructure, so maybe you should get to know them a bit better.