The VMware Cloud on AWS service, developed collaboratively by VMware and Amazon Web Services (AWS), enables customers to operate VMware workloads within the extensive AWS infrastructure. During the setup phase of this service, the Software Defined Data Center (SDDC) connects to an AWS (or customer) account, facilitating smooth access to native AWS offerings.
In this article, I will outline essential considerations for selecting the appropriate AWS account and corresponding virtual private cloud (VPC) to connect with VMware Cloud on AWS, ultimately enabling you to leverage native AWS service integrations effectively.
Account Structure
When establishing VMware Cloud on AWS, two accounts are necessary. The first is the VMware Cloud SDDC account, an AWS account that hosts the SDDC resources and is managed by VMware. The second is the customer-owned AWS account, which the customer directly controls and finances if they opt to utilize any AWS services within that account.
For successful integration between the customer account and the SDDC, it is essential that the AWS customer account contains at least one VPC. This connection allows customers to access native AWS services that complement their VMware Cloud on AWS operations.
Account Architecture
The architecture depicted below illustrates the interaction between the two required accounts for VMware Cloud on AWS setup.
Figure 1 – AWS account and VPC connectivity to SDDC.
As shown, the Amazon Virtual Private Cloud (VPC) on the left is hosted within the AWS account managed by VMware, which customers cannot access. Conversely, the VPC on the right is located within the customer’s AWS account, which is fully managed by the customer. Depending on the resources utilized within that VPC, customers may incur costs for those services.
For instance, in the architecture above, the customer is responsible for expenses related to the Amazon Elastic Compute Cloud (Amazon EC2) instances in the connected VPC within their account.
The Elastic Network Interface (ENI) provides high bandwidth and low latency access to services in the connected VPC, allowing virtual machines in the SDDC cluster to utilize native AWS services such as Amazon EC2, backup virtual machines to Amazon Simple Storage Service (Amazon S3), and offload database management to Amazon Relational Database Service (Amazon RDS) without routing traffic through the public internet. The data traverses the private AWS network backbone.
AWS Account Selection Considerations
Many customers operate AWS environments consisting of multiple VPCs; some also deploy VMware Cloud on AWS to manage other workloads. In such cases, customers often inquire about the optimal VPC for connecting to VMware Cloud on AWS.
Choosing the right VPC depends on several factors. First, let's look at the account deployment patterns commonly found in AWS environments.
Account Management: AWS Organizations
AWS accounts hosting the connected VPC can be part of an AWS Organization, allowing customers to govern their AWS Cloud resources centrally. If you are using AWS Organizations, it is advisable to carefully plan which accounts you will associate with VMware Cloud on AWS. You can create an organizational unit (OU) and place the accounts allocated for VMware Cloud on AWS in it.
If you attach any service control policies (SCPs) to the OU, ensure that they do not impede or restrict the use of AWS CloudFormation. VMware Cloud on AWS uses a CloudFormation template to provision the necessary resources in the connected account, specifically within the VPC, so that the VMware SDDC has seamless access to native AWS services.
Multi-Account Governance: AWS Control Tower and Landing Zones
Some customers use AWS Control Tower to manage their AWS Organization and enforce governance across multi-account environments. In this context, we recommend creating a separate OU for accounts intended for VMware Cloud on AWS. Ensure that the guardrail rules in place do not restrict CloudFormation from provisioning the required resources in the connected VPC.
The CloudFormation template utilized by VMware is prefixed with vmware-sddc-formation and carries out the following functions in the connected VPC:
- It establishes immutable identity and access management (IAM) roles in the VPC, including RemoteRole, RemoteRolePlayer, RemoteRoleService, and BasicLambdaRole.
- It creates an IAM policy titled AmazonVPCCrossAccountNetworkOperations for the aforementioned roles.
- It sets up AWS Lambda functions for event notifications.
Consequently, whether utilizing AWS Organizations or a Control Tower with landing zones, it is vital to configure your policies to permit the account associated with VMware Cloud on AWS to perform these operations in the VPC.
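To make the guardrail advice concrete, the following added Python script (not code from the article, VMware or AWS) statically evaluates a candidate SCP document against a small set of IAM actions the vmware-sddc-formation template is assumed to need, so a blocking guardrail can be caught before the SDDC is connected. The action list and both sample SCPs are constructed assumptions, and statement Conditions are ignored.

```python
"""Offline check of a candidate SCP against the actions the VMware Cloud on AWS
CloudFormation template needs. Added example, not the article's or VMware's code."""
import fnmatch
import json

# Assumption: minimal action set inferred from what the article says the template
# creates (stack, IAM roles, IAM policy, Lambda functions); not an official list.
# Statement Conditions are ignored, a simplification of real SCP evaluation.
REQUIRED_ACTIONS = ["cloudformation:CreateStack", "iam:CreateRole", "iam:CreatePolicy",
                    "iam:AttachRolePolicy", "lambda:CreateFunction"]

def _matches(pattern, action):
    # IAM action matching is case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _statement_covers(stmt, action):
    actions, not_actions = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
    if actions:
        return any(_matches(p, action) for p in actions)
    if not_actions:  # NotAction covers everything except the listed patterns
        return not any(_matches(p, action) for p in not_actions)
    return False

def scp_allows(scp, action):
    """SCP semantics: an explicit Deny always wins; otherwise an Allow must exist."""
    stmts = _as_list(scp["Statement"])
    denied = any(s["Effect"] == "Deny" and _statement_covers(s, action) for s in stmts)
    allowed = any(s["Effect"] == "Allow" and _statement_covers(s, action) for s in stmts)
    return allowed and not denied

def blocked_actions(scp_json):
    """Return the required actions this SCP would deny (empty list means OK)."""
    scp = json.loads(scp_json)
    return [a for a in REQUIRED_ACTIONS if not scp_allows(scp, a)]

# Constructed sample: a guardrail that denies CloudFormation and IAM role/policy
# creation; attaching it to the VMware Cloud OU would break SDDC onboarding.
BLOCKING_SCP = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudformation:*", "iam:Create*"], "Resource": "*"}]})

# Constructed sample: a guardrail that leaves the template's actions untouched.
PERMITTING_SCP = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]})
```

Run `blocked_actions()` on each SCP you plan to attach to the VMware Cloud OU; any non-empty result names the actions to carve out before connecting the account.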
Standalone AWS Accounts
Standalone accounts can function independently without being part of an AWS Organization or managed by AWS Control Tower. They can also be integrated later into an AWS Organization or a Control Tower landing zone. If you do so, ensure your governance policies allow the execution of any native AWS service you may require in your connected VPC, and that guardrail policies or SCPs permit AWS CloudFormation to operate within the account.
Connected VPC Considerations
As illustrated in Figure 1, the connected VPC offers high bandwidth and low latency access, enabling customers to utilize native AWS services. VMware supports up to 25 Gbps aggregate bandwidth for available instance types in VMware Cloud on AWS.
If you intend to integrate native AWS services such as Amazon RDS or Amazon Redshift, and require low latency access, it is advisable to deploy these services into the connected VPC to optimize the utilization of your VMware workloads.
Additionally, some existing customers architect their environments with a shared services VPC or service provider VPCs. In this design, a single VPC exposes and shares services and applications with other “consumer” VPCs within a given AWS Region.
This architectural approach leverages AWS PrivateLink: the service provider places its applications behind a Network Load Balancer in its VPC, and each consumer VPC creates an interface endpoint for that service. The interface endpoint is an ENI placed in the subnets of the consumer VPC and serves as the entry point for traffic directed to the service.
You can configure your own services behind a Network Load Balancer in a service provider VPC, allowing other VPCs to access that service, as depicted in the diagram below.
Figure 2 – AWS PrivateLink connectivity to service provider account.
Figure 2 illustrates how consumer VPCs from different accounts can access VPC resources in a service provider account, utilizing AWS PrivateLink for communication with the target VPC. AWS PrivateLink is compatible with VPC Peering, virtual private network (VPN), and AWS Transit Gateway connections to transmit traffic to a provider VPC. For more insights, check out this blog post that expands on these concepts.