VMWARE CLOUD ON AWS Evaluation Guide EVALUATION GUIDE - OCTOBER 2018

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright © 2018 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. and its subsidiaries in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Table of Contents

Introduction
• Intended Audience
• Assumptions

User Interface Walkthrough
• Cloud Console Walkthrough
• VMware Cloud on AWS Walkthrough

SDDC Deployment
• SDDC Properties
• Connect to AWS
• VPC and Subnet
• Configure Network

Initial Network Configuration
• Firewall Rule Management

Login to vCenter Server

AWS Account Linking
• Connect to AWS
• VPC and Subnet

Network Configuration
• Network Segment Creation
• Management Gateway VPN Setup
• Compute Gateway VPN Setup
• L2 VPN Setup
• NAT Setup
• Firewall Rule Management

AWS Services Integrations
• Enable Inbound ENI Traffic on the Compute Network
• Enable Outbound ENI Traffic on the Compute Network
• Enable Cross-ENI Traffic on the AWS Security Group
• Enable S3 Traffic Across the ENI
• Add Content Library to vCenter from S3
• Deploy a VM from the S3 Content Library
• Enable EC2 Instances to Communicate with VMs
• Enable VMs to use RDS Databases
• Enable VMs to use Application Load Balancers

Hybridity and Mobility
• Hybrid Linked Mode
• Cold VM Migrations
• Live VM Migrations

Conclusion

Introduction

The purpose of this guide is to support a self-guided evaluation of VMware Cloud on AWS. This guide should allow customers to walk through the different features and offerings in the VMware Cloud on AWS service, and allow them to configure and test each one.

Intended Audience

This guide is intended for customers who wish to evaluate VMware Cloud on AWS. Although the majority of the VMware Cloud on AWS features are found in both the single-node offering and the 4-node offering, this guide was created using a single-host environment and as such, will have several variances to the larger offering based on resources, high-availability, etc.

Assumptions

This guide assumes that you have already received access to VMware Cloud on AWS, created with a MyVMware account, and have added an ‘Organization’.

User Interface Walkthrough

Once you have created a VMware Cloud on AWS account and created an ‘Organization’, it is time to explore the user interface (UI). The main UI for all VMware Cloud Services is known as the Cloud Console. This is also where other information is located, such as Organization based management, billing and subscription access, support, and individual user account access.

Cloud Console Walkthrough

• Login to the Cloud Console: https://console.cloud.vmware.com/

• Click ‘Services’, if it’s not already selected

o This tab shows the VMware Cloud Services you already have access to, such as VMware Cloud on AWS, and other services you have the ability to request for use. Each tile can be interacted with, allowing you to access the service or to request access to the services.

• Click ‘Identity & Access Management’

o This tab shows Organization information. Here we can also invite new users, change permissions for existing users, and remove users.

• Click ‘Billing & Subscriptions’

o This tab allows us to view billing information. Note: a VMware ID will be needed to use this tab.

• Click ‘Support Center’

o This tab allows us to view and create VMware support requests. Note: a VMware ID will be needed to use this tab.

VMware Cloud on AWS Walkthrough

• Access the VMware Cloud on AWS Service through one of the following methods:

o Click ‘Services’, then click ‘VMware Cloud on AWS’

o Click the area with 6 boxes on the top right corner, then click ‘VMware Cloud on AWS’

• Click ‘SDDCs’, if it’s not already selected

o This tab shows us the SDDCs in our environment, along with any additional information such as: Status, hardware metrics, and links to more information.

• Click ‘Subscriptions’

o This tab shows VMware Cloud on AWS subscription statuses

• Click ‘Activity Log’

o This tab shows a list of the recent tasks, including information such as: type, time, SDDC, username, associated event.

• Click ‘Tools’

o This tab gives easy access to tools, such as the Content Onboarding Assistant and vCenter Cloud Gateway, which help make using the VMware Cloud on AWS service easier.

• Click ‘Developer Center’

o This tab gives easy access to developer and automation specialist resources such as: API Explorer, code samples, SDKs, other downloads.

SDDC Deployment

Now that we have become familiar with the UI, the next step is to deploy a new Software-Defined Data Center (SDDC). We will walk through the steps it takes to deploy an SDDC.

• From the SDDCs tab, click CREATE SDDC.

SDDC Properties

• Select an AWS Region from the dropdown box. This is where your SDDC will be deployed.

• Select the appropriate Deployment option

• For a Stretched Cluster deployment, choose “Multi-Host” and check the box for Stretched Cluster

• Enter a name for the new SDDC

• Choose the desired Number of Hosts

o In the case of a Single Host deployment, this option will be unavailable

• Click Next

Connect to AWS

SDDC deployments are required to connect to an AWS account, regardless of whether the user intends to leverage AWS Services with their VMware stack or not. With single host deployments, a user has the option to skip the account association process for up to 14 days after an SDDC has been deployed.

When deploying a single host SDDC and opting not to associate an AWS account:

• Choose “Skip for now”

Note: On the SDDCs tab, you will see reminders of how many days are remaining before an AWS account has to be connected.

• Click Next, and skip to Configure Network

For all other deployment options, and when you have an AWS account with a configured VPC in the previously selected SDDC region:

• Choose ‘Connect to AWS now’

• Click ‘OPEN AWS CONSOLE WITH CLOUDFORMATION TEMPLATE’

• Login to AWS with your username and password

• Check ‘I acknowledge that AWS CloudFormation might create IAM resources’

• Click ‘Create’

• Return to the VMware Cloud on AWS SDDC Deploy tab and wait for the account linking process to complete

• After receiving the ‘Congratulations!’ message, click ‘Next’

VPC and Subnet

After connecting your SDDC to an AWS account, you will be prompted to select the VPC and the corresponding subnet that you want the SDDC to connect to.

• From the VPC drop down, select the desired VPC

• From the Subnet drop down, select the desired subnet

• Note: For stretched cluster deployments, you will be prompted to select two subnets.

• Click ‘Next’

Configure Network

For traffic to pass between your VPC and your on-premises environment(s), you must ensure that the management and compute networks in VMware Cloud on AWS do not overlap with subnets in either location.

• Input the desired subnet for the Management network.

Note: The default subnet of ‘10.2.0.0/16’ will be used if one is not entered.

• Select ‘DEPLOY SDDC’

The SDDC will begin to deploy and should be ready for use in roughly two hours.

Note: To avoid cross AZ traffic charges, we recommend ensuring that the SDDC deploys into the same availability zone as the subnet chosen here.
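
The non-overlap requirement above can be checked before clicking ‘DEPLOY SDDC’. The following Python sketch is an added example, not part of the original guide: the management default and the segment values follow the guide, while the VPC and on-premises ranges and all names in PLAN are constructed for illustration.

```python
import ipaddress
from itertools import combinations

DEFAULT_MANAGEMENT_CIDR = "10.2.0.0/16"  # default stated in the guide


def effective_management_cidr(entered):
    """Return the subnet that will be used: the default applies when none is entered."""
    return entered.strip() or DEFAULT_MANAGEMENT_CIDR


def to_network(value):
    """Parse 'network/prefix' or the 'gateway/prefix' form used for segments.

    strict=False masks off the host bits, so 192.168.8.1/24 becomes 192.168.8.0/24.
    """
    return ipaddress.ip_network(value.strip(), strict=False)


def find_overlaps(named_cidrs):
    """Return (name_a, name_b, relation) for every pair of overlapping ranges."""
    nets = sorted((name, to_network(cidr)) for name, cidr in named_cidrs.items())
    findings = []
    for (name_a, net_a), (name_b, net_b) in combinations(nets, 2):
        # IPv4 and IPv6 ranges never overlap; skip mixed pairs explicitly.
        if net_a.version != net_b.version or not net_a.overlaps(net_b):
            continue
        # Two CIDR blocks that overlap are either equal or nested.
        if net_a == net_b:
            relation = "identical ranges"
        elif net_a.subnet_of(net_b):
            relation = f"{name_a} lies inside {name_b}"
        else:
            relation = f"{name_b} lies inside {name_a}"
        findings.append((name_a, name_b, relation))
    return findings


# Constructed plan: the SDDC values follow the guide's examples, the VPC and
# on-premises ranges are invented for illustration.
PLAN = {
    "sddc-management": effective_management_cidr(""),  # field left empty
    "sddc-segment-static": "192.168.8.1/24",            # gateway/prefix form
    "sddc-segment-dhcp": "192.168.10.1/24",             # gateway/prefix form
    "aws-vpc": "172.31.0.0/16",
    "onprem-servers": "10.2.40.0/24",
    "onprem-lab": "192.168.10.0/23",
}

if __name__ == "__main__":
    for a, b, relation in find_overlaps(PLAN):
        print(f"OVERLAP {a} <-> {b}: {relation}")
```

An empty result means no two ranges in the plan collide; any finding should be resolved by choosing a different management subnet or segment range before deployment.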

Initial Network Configuration

Once the SDDC finishes deploying, the next step will be to establish connectivity to the vCenter Server. The easiest way to do this is by creating a firewall rule. This firewall rule will allow network connectivity to the public IP assigned to the vCenter Server.

Firewall Rule Management

• Within the SDDC, click on the ‘Network & Security’ tab

• Beneath the ‘Security’ section, select ‘Edge Firewall’

• Ensure ‘Management Gateway’ is highlighted, click ‘ADD NEW RULE’

• Create a firewall rule with the following settings:

o Enter a valid name, example: vCenter Inbound Rule – Public

o Click ‘Set Source’, ensure ‘Any’ is selected, click ‘SAVE’

o Click ‘Set Destination’, checkmark ‘vCenter’, click ‘SAVE’

o Click in the ‘Services’ section, select ‘HTTPS (TCP 443)’

• Click ‘PUBLISH’

Login to vCenter Server

Each deployed vCenter will have a set of default administrator credentials to be used until an identity source is added or additional users have been added. Use the default credentials to login to vCenter.

• Click on the ‘Settings’ tab

• Expand ‘vSphere Client (HTML5)’

• Click on the URL link to open the vSphere Client

• Returning to the Cloud Console page, expand ‘Default vCenter User Account’

• Copy and paste the ‘User name’ and ‘Password’ into their corresponding textboxes on the vSphere Client login page.

• Click ‘Login’

AWS Account Linking

If you chose to delay account linking to AWS during the SDDC deployment, you may follow the steps here to establish your account’s connection to AWS. If you linked an account to AWS during deployment, you may skip this section.

Connect to AWS

• On the main screen of the SDDC, click ‘CONNECT TO AWS ACCOUNT’

• Click ‘OPEN AWS CONSOLE WITH CLOUDFORMATION TEMPLATE’

• Login to AWS with your username and password

• Check ‘I acknowledge that AWS CloudFormation might create IAM resources’

• Click ‘Create’

• Return to the VMware Cloud on AWS SDDC Deploy tab, waiting for the account linking process to complete

• Once you see the ‘Congratulations!’ message, click ‘Next’

VPC and Subnet

• From the VPC drop down, select the desired VPC

• From the Subnet drop down, select the desired subnet

• Click ‘Next’

Note: To avoid cross AZ traffic charges, we recommend ensuring that the SDDC deploys into the same availability zone as the subnet chosen here.

Network Configuration

VMware Cloud on AWS SDDCs offer the flexibility to easily manage connectivity within the public cloud as well as the connection to on-premises environments. We will walk through some of the more common examples.

Network Segment Creation

Network segments are the backend for port groups used by VMs in the SDDC. We will create two example segments, one not using DHCP and one which does.

• Within the SDDC, click the ‘Network & Security’ tab

• Beneath the ‘Network’ section, click ‘Segments’

• Click ‘Add Segments’

• Give the segment a name, such as: VMC-192.168.8-Static

• Ensure ‘Routed’ is selected

• For ‘Gateway/Prefix Length’, enter the gateway address followed by the prefix length. Example: 192.168.8.1/24

• Add ‘192.168.8.1’ as the ‘Default Gateway IP’

• Click ‘SAVE’

• Click ‘Add Segments’

• Assign the network a name, such as: VMC-192.168.10-DHCP

• Ensure ‘Routed’ is selected

• For ‘Gateway/Prefix Length’, enter the gateway address followed by the prefix length. Example: 192.168.10.1/24

• For DHCP, select ‘Enabled’ from the drop-down box

• Enter the desired ‘DHCP IP Range’, example: 192.168.10.2 - 192.168.10.254

• Click ‘SAVE’

Management Gateway VPN Setup

A Management Gateway VPN enables easy connectivity from on-premises to your SDDC for items like hybridity and workload mobility. This process is optional and not required for standalone environments.

• Within the SDDC, click the ‘Network & Security’ tab

• Beneath the ‘Network’ section, expand ‘VPN’, click ‘Policy Based’

• Click ‘Add VPN’

• Give the VPN a name, such as: Management VPN

• For ‘Local IP Address’, select the appropriate public IP from the drop-down options

• For ‘Remote Public IP’, enter the public IP for the on-premises VPN

• For ‘Remote Networks’, add the on-premises network subnet that will communicate on the VPN

• For ‘Local Networks’, choose the SDDC based network which will communicate over the VPN. Example: Infrastructure Subnet

• Select the Encryption, Perfect Forward Secrecy, Diffie Hellman, IKE Version, and SHA Version that match your on-premises VPN settings

• Enter the Pre-Shared Key from your on-premises VPN configuration

• Click ‘SAVE’

Compute Gateway VPN Setup

A Compute Gateway VPN enables local VM connectivity to outside resources, like an on-premises environment and/or an AWS VPC. This process is optional and not required for standalone environments.

• Within the SDDC, click the ‘Network & Security’ tab

• Beneath the ‘Network’ section, expand ‘VPN’, click ‘Policy Based’

• Click ‘Add VPN’

• Give the VPN a name, such as: Compute VPN

• For ‘Local IP Address’, select the appropriate public IP from the drop-down options

• For ‘Remote Public IP’, enter the public IP for the on-premises VPN

• For ‘Remote Networks’, add the on-premises network subnet that will communicate on the VPN

• For ‘Local Networks’, add the SDDC based network which will communicate over the VPN. Example: sddc-cgw-network-1

• Select the Encryption, Perfect Forward Secrecy, Diffie Hellman, IKE Version, and SHA Version that match your on-premises VPN settings

• Enter the Pre-Shared Key from your on-premises VPN configuration

• Click ‘SAVE’

L2 VPN Setup

• Within the SDDC, click the ‘Network & Security’ tab

• Beneath the ‘Network’ section, expand ‘VPN’, click ‘Layer 2’

• Click ‘Add VPN Tunnel’

• For ‘Local IP Address’, select the appropriate IP from the drop-down options

• For ‘Remote Public IP’, enter the public IP for the on-premises VPN

• Click ‘Save’

• Click ‘Add Extended Segment’

• For ‘Name’, enter the segment name. Example: VMC-L2-1234

• For ‘Tunnel ID’, enter the tunnel ID. Example: 1234

• Click ‘Save’

NAT Setup

• Within the SDDC, click the ‘Network & Security’ tab

• Beneath the ‘Network’ section, click ‘NAT’

• Click ‘Add NAT Rule’

Note: if this is the first NAT rule you’ve created, there will be a prompt to ‘Request Public IP’ for usage.

• Give the NAT Rule a name, such as: Jumpbox RDP NAT

• For ‘Public IP’, select the appropriate public IP from the drop-down options

• For ‘Service’, select the appropriate service/s from the drop-down. Example: RDP

• For ‘Internal IP’, choose a valid IP address from a VM in the environment. Example: 192.168.8.25

• Click ‘Save’

Firewall Rule Management

We will continue the above example by creating a firewall rule to allow inbound access to our new NAT rule.

• Within the SDDC, click on the ‘Network & Security’ tab

• Beneath the ‘Security’ section, select ‘Edge Firewall’

• Select ‘Compute Gateway’, and click ‘Add New Rule’

• Create a firewall rule with the following settings:

o Enter a valid name, example: Jumpbox Inbound Rule – Public

o Click ‘Set Source’, checkmark ‘Any’, click ‘SAVE’

o Click ‘Set Destination’, click ‘Create New Group’

▪ Enter a group name, such as: Jumpbox

▪ For ‘Member Type’, choose ‘IP Address’ from the drop-down

▪ For ‘Members’, enter the ‘Public IP’ address from the NAT rule creation process

▪ Click ‘Save’

o Click ‘Save’

o Click ‘Set-Service’ section, select ‘RDP’, click ‘Save’

• Click ‘PUBLISH’

You may also want to create additional common VPN rules, including the following:

• Accessing a VM’s Remote Console

o Gateway: Management

o Source: Inbound IP address, subnet, or ‘Any’

o Destination: ESXi

o Service: Remote Console (TCP 903)

• vCenter connection to on-premises environment via Management Gateway VPN

o Gateway: Management

o Source: vCenter

o Destination: on-premises subnet

o Service: Any

• On-premises connection to vCenter for management via Management Gateway VPN

o Gateway: Management

o Source: Inbound IP address, subnet, or ‘Any’

o Destination: vCenter

o Service: HTTPS (TCP 443)

• On-premises connection to ESXi for uploads via Management Gateway VPN

o Gateway: Management

o Source: Inbound IP address, subnet, or ‘Any’

o Destination: ESXi

o Service: Provisioning (TCP 902)
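
Several rules in this guide, including the vCenter inbound rule under Initial Network Configuration and the Jumpbox rule above, set the source to ‘Any’. The following Python sketch is an added example, not part of the original guide, that reviews an exported rule list for unrestricted sources on management endpoints and remote-access services. The dictionary layout, the severity labels and the entries marked constructed are assumptions; it is not a VMware Cloud on AWS API format.

```python
import ipaddress

MANAGEMENT_TARGETS = {"vCenter", "ESXi"}  # management destinations named in the guide
REMOTE_ACCESS_SERVICES = {"RDP"}          # service used in the guide's NAT example


def is_unrestricted(source):
    """True for 'Any' and for a CIDR that spans every address (prefix length 0)."""
    text = source.strip()
    if text.lower() == "any":
        return True
    try:
        return ipaddress.ip_network(text, strict=False).prefixlen == 0
    except ValueError:
        return False  # a named object such as 'vCenter', not an address range


def audit(rules):
    """Return (rule name, severity, reason) for each rule with an unrestricted source."""
    findings = []
    for rule in rules:
        if not is_unrestricted(rule["source"]):
            continue
        if rule["destination"] in MANAGEMENT_TARGETS:
            findings.append((rule["name"], "high",
                             "management endpoint reachable from any source"))
        elif rule["service"] in REMOTE_ACCESS_SERVICES:
            findings.append((rule["name"], "high",
                             "remote-access service reachable from any source"))
        elif rule["service"] == "Any":
            # A rule applied only to the VPC Interface is a narrower exposure
            # than one applied to all uplinks.
            scoped = rule.get("applied_to") == "VPC Interface"
            reason = "any source and any service"
            if scoped:
                reason += ", limited to the VPC Interface"
            findings.append((rule["name"], "info" if scoped else "medium", reason))
    return findings


# Constructed rule list modelled on the rules described in this guide.
# Addresses in the entries marked (constructed) are documentation ranges.
SAMPLE_RULES = [
    {"gateway": "Management", "name": "vCenter Inbound Rule - Public",
     "source": "Any", "destination": "vCenter", "service": "HTTPS (TCP 443)"},
    {"gateway": "Compute", "name": "Jumpbox Inbound Rule - Public",
     "source": "Any", "destination": "Jumpbox", "service": "RDP"},
    {"gateway": "Management", "name": "Remote Console (constructed)",
     "source": "0.0.0.0/0", "destination": "ESXi",
     "service": "Remote Console (TCP 903)"},
    {"gateway": "Management", "name": "vCenter from on-premises (constructed)",
     "source": "203.0.113.0/24", "destination": "vCenter",
     "service": "HTTPS (TCP 443)"},
    {"gateway": "Management", "name": "vCenter to on-premises (constructed)",
     "source": "vCenter", "destination": "198.51.100.0/24", "service": "Any"},
    {"gateway": "Compute", "name": "ENI - Inbound", "source": "Any",
     "destination": "Connected VPC Prefixes", "service": "Any",
     "applied_to": "VPC Interface"},
]

if __name__ == "__main__":
    for name, severity, reason in audit(SAMPLE_RULES):
        print(f"[{severity}] {name}: {reason}")
```

Replacing ‘Any’ with the inbound IP address or subnet, which the rule list above also offers as a source, clears the corresponding finding.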

AWS Services Integrations

Workload integration with AWS services is one of the most appealing benefits for customers who are already running workloads in AWS. Here you will walk through the steps to enable communication between the VMware stack and AWS services.

Enable Inbound ENI Traffic on the Compute Network

• Within the SDDC, click on the ‘Network & Security’ tab

• Beneath the ‘Security’ section, select ‘Compute Gateway’

• Click ‘Add New Rule’

• Create a firewall rule with the following settings:

o Enter a valid name, example: ENI – Inbound

o Click ‘Set Source’, checkmark ‘Any’, click ‘SAVE’

o Click ‘Set Destination’, checkmark ‘Connected VPC Prefixes’, click ‘Save’

o Click ‘Set-Service’ section, select ‘Any’, click ‘Save’

o For ‘Applied To’, remove ‘All Uplinks’, and add ‘VPC Interface’

• Click ‘PUBLISH’

Enable Outbound ENI Traffic on the Compute Network

• Within the SDDC, click on the ‘Network & Security’ tab

• Beneath the ‘Security’ section, select ‘Compute Gateway’

• Click ‘Add New Rule’

• Create a firewall rule with the following settings:

o Enter a valid name, example: ENI – Outbound

o Click ‘Set Source’, checkmark ‘Connected VPC Prefixes’, click ‘Save’

o Click ‘Set Destination’, checkmark ‘Any’, click ‘Save’

o Click ‘Set-Service’ section, select ‘Any’, click ‘Save’

o For ‘Applied To’, remove ‘All Uplinks’, and add ‘VPC Interface’

• Click ‘PUBLISH’

Enable Cross-ENI Traffic on the AWS Security Group

You have configured inbound and outbound traffic for AWS services across the ENI from the SDDC-side of the environment. Now, you must also allow traffic into and out of the AWS VPC using the AWS Security Groups.

• Open a new browser tab and login to your AWS account at:

o https://console.aws.amazon.com

• Click on ‘EC2’

• In the left-pane, scroll down and click on ‘Security Groups’

• Select the Security Group for the associated VPC that is connected to the SDDC.

• Select the ‘Inbound’ tab

• Click the ‘Edit’ button

• Click ‘Add Rule’

• Under ‘Type’, select ‘All traffic’

• Under ‘Source’, select ‘Custom’ from the drop-down box and enter ‘192.168.0.0/16’ in the corresponding textbox

• Under ‘Description’, type ‘VM Traffic’

• Click ‘Save’

• Select the ‘Outbound’ tab

• Click ‘Edit’

• Click ‘Add Rule’

• Under ‘Type’, select ‘All traffic’

• Under ‘Destination’, select ‘Custom’ from the drop-down box and enter ‘192.168.0.0/16’ in the corresponding textbox

• Under ‘Description’, type ‘AWS Traffic’

• Click ‘Save’

Enable S3 Traffic Across the ENI

Once we’ve enabled communications across the Elastic Network Interface, we can enable an S3 Endpoint and allow all S3 traffic to navigate over the ENI rather than out the Internet Gateway (IGW).

• Within the AWS Console, Select ‘VPC’

• Click on ‘EC2’

• In the left-pane, find and click ‘Endpoints’

• Click ‘Create Endpoint’

• Under Service category, click ‘AWS Services’

• Find and select ‘com.amazonaws.us-[your region].s3’

• In the VPC combo-box, select the VPC linked to the SDDC

• Select the corresponding route table for the endpoint

• Find and click ‘Create Endpoint’

Add Content Library to vCenter from S3

Adding a Content Library allows users to quickly and easily begin deploying templates into their cloud SDDC. This task will walk you through the steps of adding a pre-created Content Library, which should only be used with the Evaluation Guide.

• Login to your SDDC’s vSphere Client

• Click ‘Menu’

• Select ‘Content Libraries’

• Click the ‘Add’ symbol

• Name the Content Library ‘vExpert-Content-Library’

• Click ‘Next’

• Select ‘Subscribed content library’

• Paste the following URL into the ‘Subscription URL’:

o https://s3-us-west-2.amazonaws.com/vexpert-content-library/lib.json

• For the ‘Download Content’ entry, select ‘Immediately’

• Click ‘NEXT’

• Accept the SSL thumbprint of the certificate by clicking ‘YES’

• Select ‘WorkloadDatastore’

• Click ‘NEXT’

• Click ‘FINISH’

Note: At this point, the Content Library will begin to sync. This process may take 15-20 minutes depending on the current size of the Content Library. You can refresh the vSphere Client periodically to see the number of templates and the storage consumed values.

Deploy a VM from the S3 Content Library

Once the Content Library has been added to the cloud SDDC and the data has synced, we can begin deploying virtual machines from the Content Library into our environment.

• Login to the SDDC’s vSphere Client

• Click ‘Menu’

• Select ‘Content Libraries’

• Select the ‘vExpert-Content-Library’

• Click ‘Templates’

• Right-Click ‘Server-2012-r2’ and select ‘New VM from This Template’

• Give the VM a name, such as ‘Server-2012-01’

• Expand ‘SDDC-Datacenter’

• Select the ‘Workloads’ folder

• Click ‘Next’

• Expand ‘Cluster-1’, select ‘Compute-ResourcePool’

• Click ‘Next’

• On the ‘Review Details’ page, click ‘Next’

• Select the ‘WorkloadDatastore’

• Select the ‘sddc-cgw-network-1’ Destination Network

• Click ‘Next’

• Click ‘Finish’ to deploy the VM

Enable EC2 Instances to Communicate with VMs

Many customers are excited about the ability to allow EC2 instances to communicate with VMware virtual machines. This capability provides customers with the ability to choose which applications run on each technology. In this task we will deploy an EC2 instance that we will use to ping a VM workload with its private IP, and vice versa.

• From within the AWS Console, select ‘EC2’

• Click ‘Instances’

• Click ‘Launch Instance’

• Find and select ‘Microsoft Windows Server 2016 Base’

• Select ‘t2.micro – Free tier eligible’

• Click ‘Next: Configure Instance Details’

• Under ‘Network’, select the VPC that is connected to your SDDC

• Under ‘Subnet’, select the subnet of the SDDC

• Under ‘Auto-assign Public IP’, select ‘Enable’

• Click ‘Next: Add Storage’

• Click ‘Next: Add Tags’

• Click ‘Add Tag’

• Configure the following values:

o Key = ‘Name’

o Value = ‘Test EC2 to VM’

• Click ‘Next: Configure Security Group’

• Choose ‘Select an existing security group’

• Select the security group configured in the previous steps.

Note: We will need to add additional rules after the EC2 instance is deployed.

• Select ‘Review and Launch’

• Select ‘Launch’

• Create a new Key Pair

• Give the new key pair a name

• Click ‘Download Key Pair’

• Click ‘Launch Instances’

While we wait roughly 5 minutes for the instance to be in a running state, we can go ahead and edit the security group configuration.

• Click ‘View Instances’

• Scroll down in the left-pane and click on ‘Security Groups’

• Select the corresponding Security Group and click the ‘Inbound’ tab

• Click ‘Edit’

• Click ‘Add Rule’

• Configure the rule as follows:

o Type = ‘RDP’

o Source = ‘0.0.0.0/0’ (or your public IP if you choose)

o Description = ‘RDP to EC2 Test Instance’

• Click ‘Save’

• In the left-pane, find and select ‘Instances’

• Select the instance you previously deployed and click ‘Connect’

• Download the Remote Desktop File to your local machine

• Click ‘Get Password’

• Click ‘Choose File’ next to ‘Key Pair Path’ and select the Key Pair you created when deploying this instance.

• Click ‘Decrypt Password’

• Copy the password and open an RDP session to your EC2 instance using the Remote Desktop File

• Before we begin working in the EC2 instance, login to the SDDC’s vSphere Client, select the ‘Server-2012-01’ VM and take note of its IP Address from the VM summary page

Note: If the VM is not powered on, power it on at this point and wait for the IP Address to populate.

• Return to the RDP session and open the command prompt

• Ping the IP address of ‘Server-2012-01’

Note: You are pinging an internal IP address located in the VMware Cloud on AWS account from an internal IP address of an EC2 instance running in your own AWS account.

• If you wish to terminate the EC2 instance to avoid hourly charges, close the RDP session and return to the AWS Console

• Select your EC2 Instance and click ‘Actions’

• Navigate to ‘Instance State’ > ‘Terminate’

• The EC2 Instance will power off and be deleted

Enable VMs to use RDS Databases

Just like customers are able to use EC2 Instances with VMware virtual machines, our virtual machines can take advantage of the Relational Database Service (RDS) and connect to databases in AWS.

• Login to your Cloud SDDC vCenter

• Click ‘Menu’ and select ‘Content Libraries’

• Select the ‘vExpert-Content-Library’ and click ‘Templates’

• Right-Click ‘Lychee-Automated-Demo’ and click ‘New VM from This Template’

• Name your VM ‘Frontend-With-RDS’

• Expand ‘SDDC-Datacenter’

• Select the ‘Workloads’ folder

• Click ‘Next’

• Expand ‘Cluster-1’ and select ‘Compute-ResourcePool’

• Click ‘Next’

• Click ‘Next’ on the ‘Review Details’ page

• Select the ‘WorkloadDatastore’

• Select the ‘sddc-cgw-network-1’ Destination Network

• Click ‘Next’

• Click ‘Finish’ to deploy the VM

• Once the VM is deployed, power on the VM

• Open the AWS Console

• Click ‘Services’ and select ‘RDS’

• Click ‘Get Started Now’

• Select ‘MySQL’

• Click ‘Next’

• Select ‘Dev/Test – MySQL’, then click ‘Next’

• Scroll down to ‘DB instance class’

• Select ‘db.t2.micro’

• Scroll down to ‘Settings’

• Configure the following settings:

o DB instance identifier = ‘vmc’

o Master username = ‘vmcadmin’

o Master password = ‘VMware1!’

• Click ‘Next’

• In ‘Network & Security’, select the VPC that is connected to your SDDC

• Ensure ‘Public accessibility’ is set to ‘No’

• Select the Availability Zone where you deployed your SDDC

• Choose existing VPC security groups and ensure the Security Group you configured earlier is selected.

• Under ‘Database options’

• Name the database ‘MySQL_VMC’

• Scroll down to ‘Backup’

• Change the ‘Backup retention period’ to ‘0 days’

• Scroll to the bottom and click ‘Launch DB instance’

• Click ‘View DB instance details’

• Refresh the page periodically until ‘DB instance status’ shows ‘available’

• Scroll down until you see the ‘Endpoint’ address

• Keep this tab available and go back to vCenter Server

• Click on the ‘Frontend-With-RDS’ VM

• Click ‘Launch Web Console’

• Select the new tab with the web console and login to the Ubuntu VM

• Login with credentials:

o User: brian

o Password: VMw@re123

• Open Firefox and go to ‘127.0.0.1’

• Here our web application is asking for the database credentials for our RDS instance.

o RDS Endpoint Address

o Username = ‘vmcadmin’

o Password = ‘VMware1!’

o Database name = ‘MySQL_VMC’

• Click ‘Connect’

• Enter the following credentials:

o User = ‘vmc’

o password = ‘vmc’

• Click ‘Create Login’

You’ve now successfully connected a front-end VM to an RDS database. To test out this app, you can either request a public IP and add an HTTP firewall rule and a NAT rule for this VM, or you can move on to the next section on using Application Load Balancers and apply the same steps there with the private IP of this VM.

When you are finished, select your ‘vmc’ RDS instance and click ‘Instance Actions’ and select ‘Delete’ to avoid additional hourly charges for the instance.

Enable VMs to use Application Load Balancers

One of the easiest ways to take advantage of AWS services with webserver virtual machines is the Application Load Balancer (ELBv2). The ELBv2 allows for forwarding HTTP/S traffic to private IP addresses along with pointing to a specific EC2 instance.

• Login to your Cloud SDDC vCenter

• Click ‘Menu’ and select ‘Content Libraries’

• Select the ‘vExpert-Content-Library’ and click ‘Templates’

• Right-Click ‘Frontend-Apache-01’ and click ‘New VM from This Template’

• Name your VM ‘Frontend-Apache-01’

• Expand ‘SDDC-Datacenter’

• Select the ‘Workloads’ folder

• Click ‘Next’

• Expand ‘Cluster-1’ and select ‘Compute-ResourcePool’

• Click ‘Next’

• Click ‘Next’ on the ‘Review Details’ page

• Select the ‘WorkloadDatastore’

• Select the ‘sddc-cgw-network-1’ Destination Network

• Click ‘Next’

• Click ‘Finish’ to deploy the VM

• Once the VM is deployed, power on the VM

• Repeat the previous steps for ‘Frontend-Apache-02, 03, and 04’ (03 and 04 are optional but it makes the load balancer demo better to have 4 front-end web servers being used)

• Login to the AWS Console

• Click ‘Services’ and select ‘EC2’

• In the left-pane, scroll down and select ‘Target Groups’

• Click ‘Create target group’

• Enter the following information:

o ‘Target group name’ = ‘VM-Frontend-TG’

o Protocol = ‘HTTP’

o Port = ‘80’

o Target type = ‘IP’

o VPC = [VPC the SDDC is connected to]

• Click ‘Create’

• With our new Target Group selected, click the ‘Targets’ tab

• Click ‘Edit’, Select the ‘+’ button

• Under ‘Network’, select ‘Other private IP address’

• Set ‘Availability Zone’ to ‘All’

• Add the IP addresses of the 4 ‘Frontend-Apache-*’ VMs one by one, and click ‘Add to list’

• Click ‘Register’

• In the left-pane scroll down and select ‘Load Balancers’

• Click ‘Create Load Balancer’

• Find ‘Application Load Balancer’ and click ‘Create’

• Name your load balancer ‘VMC-LB’

• Scroll down to ‘Availability Zones’

• Select the VPC that is linked to the SDDC

• Check the checkbox next to ‘Availability Zone’ to select all AZs

• Click ‘Next: Configure Security Settings’

• Click ‘Next: Configure Security Groups’

• Click ‘Select an existing security group’

• Choose the Security Group you have configured

• Click ‘Next: Configure Routing’

• Select ‘Existing target group’ next to ‘Target Group’

• Select the ‘VM-Frontend-TG’

• Click ‘Next: Register Targets’

• Click ‘Next: Review’

• Click ‘Create’

• Click the hyperlink on the load balancer ‘VMC-LB’ and wait until it is finished provisioning

• While the load balancer is provisioning, in the left-pane, select ‘Security Groups’

• Select your Security Group and select the ‘Inbound’ tab

• Click ‘Edit’

• Click ‘Add Rule’

• Enter the following information:

o Type = ‘HTTP’

o Source = ‘Custom’, ‘0.0.0.0/0, ::/0’

o Description = ‘Load Balancer’

• Click ‘Save’

• Click back to the ‘Load Balancers’ page

• Copy the ‘DNS name’ address from the load balancer basic configuration and paste it in a new tab

• You will now see a static webpage with the VM name that is being resolved. Click ‘Refresh’ and watch as the Load Balancer distributes the request between your virtual machines

When you are finished with this demo, you can delete the load balancer and target groups from your AWS account.
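The walkthrough reuses one security group for the EC2 test instance, the RDS instance and the load balancer, so by this point it holds every inbound rule added along the way. As an added example (not part of the VMware guide), the Python sketch below audits such a group for rules still open to the whole internet on anything other than the load balancer's HTTP port, then shows the RDP rule narrowed to a single address. It works on JSON in the `IpPermissions` shape returned by `aws ec2 describe-security-groups` and does not call AWS; the sample rules are constructed from the steps above, and the group ID, the allow-list of public ports, the admin address and the function names are assumptions.

```python
import copy
import ipaddress
import json

# Constructed sample: the inbound rules this guide adds to its one shared
# security group. "sg-EXAMPLE" is a placeholder, not a real group ID.
SAMPLE_GROUP = json.loads("""
{
  "GroupId": "sg-EXAMPLE",
  "IpPermissions": [
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "192.168.0.0/16", "Description": "VM Traffic"}],
     "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0",
                   "Description": "RDP to EC2 Test Instance"}],
     "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "Load Balancer"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0", "Description": "Load Balancer"}]}
  ]
}
""")

# Assumption: only the load balancer's HTTP listener is meant to be public.
PUBLIC_OK_PORTS = {80}


def is_world_open(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_span(perm):
    """(low, high) for tcp/udp rules, every port for protocol -1, else None."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return (0, 65535)
    if proto in ("tcp", "udp"):
        return (perm["FromPort"], perm["ToPort"])
    return None  # e.g. icmp: no port range, always reported if world-open


def audit_ingress(group, public_ok_ports=PUBLIC_OK_PORTS):
    """List world-open inbound rules that expose ports outside the allow-list."""
    findings = []
    for perm in group.get("IpPermissions", []):
        span = port_span(perm)
        if span is not None and all(
            p in public_ok_ports for p in range(span[0], span[1] + 1)
        ):
            continue  # every port in this rule is intentionally public
        sources = [(r["CidrIp"], r.get("Description", ""))
                   for r in perm.get("IpRanges", [])]
        sources += [(r["CidrIpv6"], r.get("Description", ""))
                    for r in perm.get("Ipv6Ranges", [])]
        for cidr, description in sources:
            if is_world_open(cidr):
                findings.append({
                    "group": group.get("GroupId"),
                    "protocol": perm.get("IpProtocol"),
                    "ports": span,
                    "cidr": cidr,
                    "description": description,
                })
    return findings


def restrict_source(group, port, admin_cidr):
    """Return a copy in which world-open sources on `port` become admin_cidr."""
    fixed = copy.deepcopy(group)
    for perm in fixed["IpPermissions"]:
        if port_span(perm) != (port, port):
            continue
        perm["IpRanges"] = [
            {**r, "CidrIp": admin_cidr} if is_world_open(r["CidrIp"]) else r
            for r in perm.get("IpRanges", [])
        ]
        perm["Ipv6Ranges"] = [
            r for r in perm.get("Ipv6Ranges", [])
            if not is_world_open(r["CidrIpv6"])
        ]
    return fixed


if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_GROUP):
        print("open to the internet:", f)
    # 203.0.113.10/32 is a constructed documentation address standing in
    # for "your public IP" from the RDP step.
    fixed = restrict_source(SAMPLE_GROUP, 3389, "203.0.113.10/32")
    print("findings after narrowing RDP:", audit_ingress(fixed))
```

To check a real group, pass one element of `SecurityGroups` from `aws ec2 describe-security-groups --output json` to `audit_ingress`.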

Hybridity and Mobility

Hybrid Linked Mode

Hybrid Linked Mode gives users the ability to login to their cloud SDDC with their on-premises credentials, view and manage both on-premises and cloud resources from a single pane of glass, and migrate workloads from on-premises to the cloud.

Note: You must have VPN Connectivity to an on-premises environment to continue

• Login to your VMware Cloud on AWS Console

• Click on your SDDC

• Click the ‘Network’ tab

• Scroll down and expand ‘DNS’ under ‘Management Gateway’

• Update the DNS servers to point to your on-premises DNS servers

• Change the vCenter FQDN Resolution to ‘Private IP’

• Click ‘SAVE’

• Login to your Cloud SDDC vCenter

• Click ‘Menu’ and select ‘Administration’

• Click ‘Linked Domains’

• Under ‘Add Identity Source’, click ‘ADD’

• Enter your Active Directory Settings

Note: For more information on finding these settings, see the following video: https://www.youtube.com/watch?v=m28MR_U1LmQ

• Enter Domain administrator credentials for ‘Username’ and ‘Password’

• Select ‘Specific domain controllers’

• Enter the LDAP link to the DNS server(s)

• Click ‘OK’

• Under ‘Add Cloud Administrators Group’, click ‘ADD’

• Change the ‘Identity Source’ to the AD Domain that was added in the previous steps

• Add an Active Directory Group

• Under ‘Link to On-premises Domain’, click ‘LINK’

• Add the address of your on-premises Platform Services Controller

• Add your SSO Domain Name and credentials as shown in the screenshot below

• Click ‘LINK’

• The domain should link successfully. Click ‘OK’

• Login to your Cloud SDDC vCenter with your on-premises credentials

• Click on ‘Hosts and Clusters’

• You should now see your on-premises vCenter Server(s) along with your VMware Cloud on AWS vCenter Server

Cold VM Migrations

Cold VM Migrations are migrations that occur when a virtual machine is powered off. They suit workloads that can incur some downtime during a migration, and they have the least strict requirements, including bandwidth and latency.

Note: There are several requirements before performing a cold VM migration. First, you must have VPN Connectivity to an on-premises environment. Second, Hybrid Linked Mode has to be enabled. Lastly, firewall rules must be configured between the SDDC-based hosts and the on-premises hosts, bi-directionally, for port TCP 8000.

• Log in to your Cloud SDDC vCenter with your on-premises credentials

• Click on ‘Hosts and Clusters’

• Expand your on-premises vCenter

• Select a powered-off VM from your on-premises environment

• Right-Click the VM and select ‘Migrate’

• Select ‘Change both compute resource and storage’ and click ‘NEXT’

• Select the ‘Compute-ResourcePool’ in your Cloud SDDC and click ‘NEXT’

• Select the ‘WorkloadDatastore’ and click ‘NEXT’

• Select the ‘Workloads’ folder and click ‘NEXT’

• In the ‘Destination Network’ dropdown, select ‘VMC-192.168.10-DHCP’ and click ‘NEXT’

• Click ‘FINISH’

Your on-premises virtual machine will begin to move to VMware Cloud on AWS.

Live VM Migrations

Live VM Migrations, better known as vMotion, are migrations that occur when a virtual machine is powered on. They involve no, or limited, downtime but have strict requirements on bandwidth and latency.

Note: There are a couple of requirements before performing a live VM migration. First, you must have VPN connectivity to an on-premises environment. Second, Hybrid Linked Mode has to be enabled. Lastly, firewall rules must be configured between the SDDC based hosts and the on-premises hosts, bi-directionally, for port TCP 8000.

• Log in to your Cloud SDDC vCenter with your on-premises credentials

• Click on ‘Hosts and Clusters’

• Expand your on-premises vCenter

• Select a powered-on VM from your on-premises environment

• Right-Click the VM and select ‘Migrate’

• Select ‘Change both compute resource and storage’ and click ‘NEXT’

• Select the ‘Compute-ResourcePool’ in your Cloud SDDC and click ‘NEXT’

• Select the ‘WorkloadDatastore’ and click ‘NEXT’

• Select the ‘Workloads’ folder and click ‘NEXT’

• In the ‘Destination Network’ dropdown, select ‘VMC-192.168.10-DHCP’ and click ‘NEXT’

• Click ‘FINISH’
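The prerequisite notes for both cold and live migrations require firewall rules for TCP 8000 in both directions between the SDDC hosts and the on-premises hosts. The following is an added example, not part of the original guide, that audits an exported rule list for that requirement and flags rules opened wider than it needs. The rule format, host networks and rule names are hypothetical, and the rule set is assumed to be an allow-list with default deny.

```python
import ipaddress

MIGRATION_PORT = 8000  # TCP port from the guide's prerequisite notes
ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(cidr):
    return ipaddress.ip_network(cidr)

def allows(rule, src, dst):
    """True if an allow rule covers TCP 8000 from every src address to every dst address."""
    lo, hi = rule["ports"]
    return (rule["action"] == "allow" and rule["proto"] == "tcp"
            and lo <= MIGRATION_PORT <= hi
            and _net(src).subnet_of(_net(rule["src"]))
            and _net(dst).subnet_of(_net(rule["dst"])))

def audit(rules, onprem, sddc):
    """Return findings; an empty list means both directions are allowed and tightly scoped."""
    findings = []
    for label, src, dst in (("on-prem -> SDDC", onprem, sddc),
                            ("SDDC -> on-prem", sddc, onprem)):
        matches = [r for r in rules if allows(r, src, dst)]
        if not matches:
            findings.append(f"MISSING {label}: no allow rule for TCP {MIGRATION_PORT}")
        for r in matches:
            if ANY in (_net(r["src"]), _net(r["dst"])):
                findings.append(f"BROAD {label}: rule {r['name']} uses 0.0.0.0/0")
            if r["ports"] != (MIGRATION_PORT, MIGRATION_PORT):
                findings.append(f"BROAD {label}: rule {r['name']} opens ports "
                                f"{r['ports'][0]}-{r['ports'][1]}")
    return findings

# Constructed sample data: host networks and rule sets are illustrative only.
ONPREM_HOSTS, SDDC_HOSTS = "10.10.20.0/24", "10.2.0.0/24"

def rule(name, src, dst, ports=(8000, 8000)):
    return {"name": name, "action": "allow", "proto": "tcp",
            "src": src, "dst": dst, "ports": ports}

ONE_WAY = [rule("vmotion-out", ONPREM_HOSTS, SDDC_HOSTS)]
LOOSE = ONE_WAY + [rule("sddc-any", SDDC_HOSTS, "0.0.0.0/0", (1, 65535))]
TIGHT = ONE_WAY + [rule("vmotion-in", SDDC_HOSTS, ONPREM_HOSTS)]

if __name__ == "__main__":
    for name, rs in (("ONE_WAY", ONE_WAY), ("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(name, audit(rs, ONPREM_HOSTS, SDDC_HOSTS) or "ok")
```

A rule set that satisfies the requirement only through an any-to-any or all-ports rule passes the migration prerequisite but leaves the ESXi host networks more exposed than the guide calls for.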

Conclusion

Congratulations! You have now completed all of the tasks within the VMware Cloud on AWS Evaluation Guide. Please feel free to go back through the guide and try the different tasks again or to just explore VMware Cloud on AWS.

For additional questions/feedback/comments, please email us at [email protected].