Confidential ©2021 VMware, Inc. Networking Architecture VMC on AWS November 2021


Page 1: Networking Architecture

Confidential │ ©2021 VMware, Inc.

Networking Architecture

VMC on AWS

November 2021

Page 2: Agenda

• VMC on AWS Networking Design

• NSX-T Overview

• VMC on AWS SDDC and NSX-T

• L3 & L2 in the SDDC

• Gateway Services

• Intrinsic Security in the SDDC

• Visibility & Troubleshooting

Page 3: VMC on AWS Networking Design (Overview)

Page 4: Partition Placement Groups (PPG) Ensure Resiliency

• AWS provides PPGs to control physical host rack placement

• Clusters automatically use these underlying constructs

• Hosts from different clusters may reside in the same rack

• Supports max cluster size (16)

Each physical host is placed in a separate PPG to reduce the impact of a rack failure.

[Diagram: Cluster-1 and Cluster-2 hosts spread across four racks]

Page 5: VMC on AWS Physical Networking: How are the Hosts Connected?

With VMware Cloud on AWS, Amazon directly administers the physical network that each ESXi host connects to.

AWS network hardware is configured with a minimum MTU (maximum transmission unit) of 1600+ and with VLAN trunks.

VMware and AWS engineers work together to optimize the network.

Page 6: VMC on AWS Physical Networking: Host Adapters

Amazon provides each host with one Elastic Network Adapter (ENA), instead of the traditional NIC. Each ENA provides 25 or 100 Gbps of bandwidth through multiple physical network connections.

Page 7: VMware Cloud on AWS Physical Networking (2): Host Adapters

Amazon provides each host with one Elastic Network Adapter (ENA), instead of the traditional NIC. Each ENA provides 25 Gbps of bandwidth through multiple physical network connections.

Page 8: VMC on AWS VPC: Isolation

When a VMware Cloud on AWS SDDC is created, an AWS Virtual Private Cloud (VPC) is created.

Managed by VMware, this VPC is not configurable by administrators.

The VPC enforces logical isolation between VMware Cloud on AWS SDDCs and other AWS resources managed by the administrator.

Page 9: Reserved IP Ranges (VMC on AWS)

Reserved IPs and their description:

• 10.0.0.0/15, 172.31.0.0/16: These ranges are reserved within the SDDC management subnet, but can be used in your on-premises networks or SDDC compute network segments.

• 100.64.0.0/16: Reserved for carrier-grade NAT per RFC 6598. Avoid using addresses in this range in SDDC networks and others. They are not likely to be reachable within the SDDC or from outside it. See VMware Knowledge Base article 76022 for a detailed breakdown of how SDDC networks use this address range.

• 169.254.0.0/19, 169.254.64.0/24, 169.254.101.0/30, 169.254.105.0/24, 169.254.106.0/24: Per RFC 3927, all of 169.254.0.0/16 is a link-local range that cannot be routed beyond a single subnet. However, with the exception of these CIDR blocks, you can use 169.254.0.0/16 addresses for your virtual tunnel interfaces.

• 192.168.1.0/24: This is the default compute segment CIDR for a single-host starter SDDC and is not reserved in other configurations.
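As an added example (not part of the VMware deck and not VMware tooling), the following Python checks a proposed CIDR against the reserved ranges listed on this slide, using only the standard-library ipaddress module. The range list, the "usable for compute segments" distinction and the link-local exception for tunnel interfaces come from the slide; the function names and the info/warn/block severities are my own.

```python
"""Check a planned SDDC CIDR against the reserved ranges from the slide.
Added example; the severities below are an assumption layered on the slide's
own notes (10/15 and 172.31/16 are usable for compute, 100.64/16 and the
listed 169.254 blocks are to be avoided, 192.168.1.0/24 only matters for a
single-host starter SDDC)."""
import ipaddress

# (reserved blocks, severity when used as a compute segment, note) per slide row
RESERVED_ROWS = [
    (["10.0.0.0/15", "172.31.0.0/16"], "info",
     "reserved within the SDDC management subnet; usable for on-premises "
     "networks and compute segments"),
    (["100.64.0.0/16"], "block",
     "carrier-grade NAT range (RFC 6598) used inside the SDDC; avoid"),
    (["169.254.0.0/19", "169.254.64.0/24", "169.254.101.0/30",
      "169.254.105.0/24", "169.254.106.0/24"], "block",
     "link-local blocks (RFC 3927) used by the SDDC; avoid"),
    (["192.168.1.0/24"], "warn",
     "default compute segment of a single-host starter SDDC; not reserved "
     "in other configurations"),
]

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
LINK_LOCAL_RESERVED = [ipaddress.ip_network(b) for b in RESERVED_ROWS[2][0]]


def check_compute_segment(cidr):
    """Return every reserved block the CIDR overlaps, with its severity.
    ok is False only when a 'block' row is hit; 'info' and 'warn' rows are
    reported so the designer can decide (e.g. 192.168.1.0/24 on a starter SDDC)."""
    net = ipaddress.ip_network(cidr, strict=False)  # tolerate host bits set
    findings = []
    for blocks, severity, note in RESERVED_ROWS:
        for block in blocks:
            if net.overlaps(ipaddress.ip_network(block)):
                findings.append((severity, block, note))
    return {
        "cidr": str(net),
        "findings": findings,
        "ok": all(sev != "block" for sev, _, _ in findings),
    }


def link_local_vti_ok(cidr):
    """True if a 169.254.0.0/16 address or block for a virtual tunnel interface
    stays clear of the five link-local blocks the SDDC reserves."""
    net = ipaddress.ip_network(cidr, strict=False)
    if not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"{net} is not inside {LINK_LOCAL}")
    return not any(net.overlaps(r) for r in LINK_LOCAL_RESERVED)


if __name__ == "__main__":
    for candidate in ["172.16.10.0/24", "10.1.5.0/24", "100.64.5.0/24",
                      "192.168.1.128/25"]:
        print(check_compute_segment(candidate))
    for vti in ["169.254.200.0/30", "169.254.64.8/30", "169.254.32.0/24"]:
        print(vti, link_local_vti_ok(vti))
```

Note the edge case on the last tunnel address: 169.254.32.0/24 sits just past 169.254.0.0/19 (which ends at 169.254.31.255), so it is usable, while anything inside 169.254.64.0/24 is not.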

Page 10: Connected VPC: Local Connectivity via ENI

Page 11: Connected VPC: How Does It Work? High-bandwidth, low-latency ENI connection between VPC and SDDC

• Traffic flows between the VMware SDDC and the AWS VPC through the ENI

• There are firewalls on both ends of this connection

• By default, no traffic is allowed in either direction

• No egress charges across the ENI within the same AZ

Page 12: Consuming Native AWS Services: Use case – Using AWS Application Load Balancer to load balance Web server VMs

[Diagram: SDDC (Edge, CGW, MGW, NSX, HCX, vCenter) attached to the Connected VPC]

Page 13: Consuming Native AWS Services: Economical and high-throughput service consumption

[Diagram: SDDC (Edge, CGW, MGW, NSX, HCX, vCenter) attached to the Connected VPC]

Page 14: NSX-T (Overview)

Page 15: Networking Inside the SDDC: Powered by VMware NSX-T

▪ Key features from on-premises brought to the cloud

  ▪ Networking

  ▪ Security

▪ Scalable and easy-to-consume networking

▪ Simplified interface

▪ API access available

▪ Multiple connectivity options

Page 16: NSX-T Networking and Security Services: Complete networking and security services in software

• Connectivity to physical

• Switching

• Routing

• DHCP

• NAT

• Gateway Firewalling

• VPN

• URL Filtering

• L4 – L7 Firewall

• Distributed IDS/IPS

• User ID Firewall

Page 17: NSX-T Data Center Architecture View (1)

NSX-T Data Center components provide internal networking to the VMware Cloud on AWS SDDC.

Page 18: NSX-T Data Center Architecture View (2)

NSX-T Data Center uses a Tier 0 router to provide external networking to the VMware Cloud on AWS SDDC.

Page 19: NSX-T Data Center Architecture View (3)

NSX-T Data Center uses a Tier 0 router to provide connectivity between the VMware Cloud on AWS SDDC and other AWS services through ENIs.

Page 20: NSX-T Distributed Firewall

• Enforces FW rules for all VMC on AWS workloads

• Static & dynamic grouping based on compute object, tags and user

• Stateful enforcement based on 5-tuple

• Micro-segmentation for overlay-backed workloads

• Context-aware firewall

• User ID firewall policies

• FQDN filtering

Stateful distributed L2-L7 services for all workloads

[Diagram: Distributed Firewall enforced in the Virtual Distributed Switch on each ESXi host]

Page 21: NSX-T Distributed Firewall

[Diagram: traditional perimeter firewall and inside firewall separating DMZ, App, Services (AD, NTP, DHCP, DNS, CERT) and DB zones, and the Finance, Engineering and HR groups]

• Zero Trust / Least Privilege model

• Each VM can now be its own perimeter

• Policies align with logical groups

• Prevents threats from spreading

• Network topology agnostic

Micro-segmentation simplifies network security.

Page 22: VMC on AWS and NSX-T (Overview)


Page 24: Quick & Simple Connectivity: Default Network Logical Topology

Default network & security topology for every SDDC:

• 1x Edge Router (HA pair) – T0

• 1x Management Gateway (MGW) (HA pair) – T1

• 1x Compute Gateway (CGW) (HA pair) – T1

• Firewall policy is created automatically based on the default topology and is closed to the outside world

  • i.e. vCenter is reachable only after a firewall policy is created

[Diagram: SDDC with Edge, MGW, CGW, NSX and vCenter on 192.168.1.0/24; Connected VPC with S3 EP, RDS, EC2, FSx and ELB; Internet]

Page 25: Networking Inside the SDDC: A Closer Look

[Diagram: SDDC with Edge, MGW, CGW, NSX and vCenter]

Edge Router

• All connectivity to workloads flows through the Edge

• Configured as Active/Standby to provide High Availability (HA)

Management Gateway

• Management traffic for vCenter, NSX, ESXi hosts, etc.

Compute Gateway

• Workload traffic, including network-to-network

Programmatic route configuration

• No routing protocol overhead

Pervasive security

• Edge firewall

• Distributed firewall

Page 26: NSX User Interface (Overview)

Simplified, easy-to-use interface

No need to be a network guru

Page 27: Segments Inside the SDDC: Overlay Networks

Page 28: DHCP Server

Networking & Security – DHCP Server Profiles

Page 29: DHCP Relay

Networking & Security – DHCP Server Profiles

Page 30: Networking & Security – Segments – Set DHCP Config

Page 31: Networking and Security – Segment Statistics


Page 33: Gateway Services: Firewall (Management Gateway, Compute Gateway)

Page 34: Gateway Services: Firewall – Predefined & User Defined Groups

Page 35: Gateway Services: Firewall – vCenter Access Policy

Page 36: Quick & Simple Connectivity: Accessing vCenter

Page 37: Gateway Services: Route-based IPsec VPN

Route-based is the recommended L3 VPN in VMC on AWS

Uses BGP (dynamic routing protocol)

We will discuss this further in Module 4

Page 38: Gateway Services: Policy-based IPsec VPN

Policy-based IPsec is favored when BGP isn't an option due to:

• Hardware

• Corporate policy

• Technical proficiency

• Etc…

We will discuss this further in Module 4

Page 39: Gateway Services: NAT


Page 41: Intrinsic Security: Gateway Firewall (N/S Security)

Multiple layers of native security within the SDDC

Two levels of firewalling:

• Gateway (perimeter) firewalls

  • One for management

  • One for compute

• Distributed firewalling

Page 42: Establishing a Security Baseline: Distributed Firewall Design Topology

[Diagram: Internet, Edge and CGW in front of the SDDC; Web Tier, App Tier and DB Tier workloads at 172.16.10.10, 172.16.10.11, 172.16.10.12 and 172.16.10.13, isolated from one another by micro-segmentation (DFW)]

Page 43: Establishing a Security Baseline: Group Definition

Group Options

Page 44: Establishing a Security Baseline: Dynamic Membership in Distributed Firewall

Where do tags come from?

Page 45: Establishing a Security Baseline: Distributed Firewall Rule

[Diagram: Internet, Edge and CGW in front of the SDDC; Development and Production groups]
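To make concrete what the Distributed Firewall slides describe (static and dynamic grouping based on tags, stateful enforcement on the 5-tuple, and a rule that separates Development from Production), here is an added Python model; it is an illustration written for this page, not NSX code or the NSX API. The three-tier addresses 172.16.10.10 through 172.16.10.13 are the ones from the design topology slide; the VM names, tag keys (tier, env), group names, rule names and ports are assumptions I chose for the example.

```python
"""Tag-driven DFW groups with stateful 5-tuple evaluation (added illustrative
model, not NSX's implementation). Group membership is re-derived from VM tags
on every lookup, which is what lets a tag change move a VM between policies
without touching the rules."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class VM:
    name: str
    ip: str
    tags: dict          # e.g. {"tier": "web", "env": "prod"}  (assumed keys)


@dataclass
class Rule:
    name: str
    src: Optional[str]   # group name, None = any
    dst: Optional[str]   # group name, None = any
    proto: Optional[str] # "tcp" / "udp", None = any
    dport: Optional[int] # None = any
    action: str          # "allow" | "deny"


def resolve_groups(vms, criteria):
    """criteria: {group: {tag_key: tag_value}}. A VM belongs to a group when
    every tag in the criteria matches. Returns {group: set(ip)}."""
    return {
        g: {vm.ip for vm in vms if all(vm.tags.get(k) == v for k, v in want.items())}
        for g, want in criteria.items()
    }


class DistributedFirewall:
    def __init__(self, vms, criteria, rules):
        self.vms, self.criteria, self.rules = vms, criteria, rules
        self.conntrack = set()  # 5-tuples of flows already permitted

    def _member(self, group, ip):
        if group is None:
            return True
        return ip in resolve_groups(self.vms, self.criteria).get(group, set())

    def evaluate(self, src, sport, dst, dport, proto="tcp"):
        """Return (action, reason) for one packet. Packets whose reversed
        5-tuple is in conntrack are reply traffic of an allowed flow and pass
        without needing a reverse rule (stateful enforcement)."""
        if (dst, dport, src, sport, proto) in self.conntrack:
            return "allow", "established"
        for r in self.rules:  # first match wins, as in an ordered rule table
            if (r.proto in (None, proto) and r.dport in (None, dport)
                    and self._member(r.src, src) and self._member(r.dst, dst)):
                if r.action == "allow":
                    self.conntrack.add((src, sport, dst, dport, proto))
                return r.action, r.name
        return "deny", "default-deny"   # implicit cleanup rule


def build_demo():
    """Constructed inventory matching the three-tier slide (names/tags assumed)."""
    vms = [
        VM("web-01", "172.16.10.10", {"tier": "web", "env": "prod"}),
        VM("app-01", "172.16.10.11", {"tier": "app", "env": "prod"}),
        VM("db-01", "172.16.10.12", {"tier": "db", "env": "prod"}),
        VM("dev-01", "172.16.10.13", {"tier": "web", "env": "dev"}),
    ]
    criteria = {"Web": {"tier": "web"}, "App": {"tier": "app"}, "DB": {"tier": "db"},
                "Production": {"env": "prod"}, "Development": {"env": "dev"}}
    rules = [
        Rule("dev-to-prod", "Development", "Production", None, None, "deny"),
        Rule("web-to-app", "Web", "App", "tcp", 8080, "allow"),
        Rule("app-to-db", "App", "DB", "tcp", 3306, "allow"),
    ]
    return DistributedFirewall(vms, criteria, rules)


if __name__ == "__main__":
    dfw = build_demo()
    print(dfw.evaluate("172.16.10.10", 40000, "172.16.10.11", 8080))  # web -> app
    print(dfw.evaluate("172.16.10.12", 3306, "172.16.10.11", 45000))  # reply, no flow yet
    print(dfw.evaluate("172.16.10.13", 50000, "172.16.10.10", 80))    # dev -> prod
```

The deny rule for Development to Production sits first so that a Development VM that also carries a web tag cannot reach Production via the web-to-app allow; retagging that VM's env to prod changes the outcome with no rule edits, which is the "dynamic membership" point of the slides.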

Page 46: Networking and Security – DFW Time Based Policy


Page 48: Operations – IPFIX

Collect stats on network traffic

Page 49: Tools for Better Visibility: Firewall Logging in VMware Cloud on AWS

Logging can be configured per rule by clicking the gear icon to the right of the rule.

Compute Gateway Rule

Distributed Firewall Rule

Page 50: Tools for Better Visibility: vRealize Log Insight Cloud for VMware Cloud on AWS

vRealize Log Insight Cloud (Firewall Logs)

• Identify traffic patterns – Monitor traffic being allowed or dropped

• Maintain security – Identify, monitor and tune the firewall policies being serviced from the traffic patterns
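The two bullets above (monitor allowed versus dropped traffic, then tune policy from the patterns) are the kind of analysis that runs over per-rule firewall logs. As an added example, not part of the deck and not a Log Insight Cloud query, the Python below parses a handful of constructed log lines, counts hits per rule and action, lists configured rules that never matched (candidates for review), and flags sources whose dropped connections touch many distinct destination ports. The line format is a simplified one I made up for the example, not the exact NSX packet-log syntax; the rule names and addresses reuse the constructed three-tier layout from the DFW slides.

```python
"""Per-rule allow/drop summary over DFW-style firewall log lines.
Added example; the log line format is constructed for illustration and is
not the actual NSX or vRealize Log Insight Cloud format."""
import re
from collections import Counter, defaultdict

# Constructed sample log (one deliberately malformed line to exercise skipping).
SAMPLE_LOG = """\
2021-11-15T10:01:02Z dfw RULE=web-to-app ACTION=PASS PROTO=TCP SRC=172.16.10.10:40000 DST=172.16.10.11:8080
2021-11-15T10:01:03Z dfw RULE=app-to-db ACTION=PASS PROTO=TCP SRC=172.16.10.11:45000 DST=172.16.10.12:3306
2021-11-15T10:01:05Z dfw RULE=dev-to-prod ACTION=DROP PROTO=TCP SRC=172.16.10.13:50000 DST=172.16.10.10:80
2021-11-15T10:01:05Z dfw RULE=dev-to-prod ACTION=DROP PROTO=TCP SRC=172.16.10.13:50001 DST=172.16.10.10:443
2021-11-15T10:01:06Z dfw RULE=default-deny ACTION=DROP PROTO=TCP SRC=172.16.10.13:50002 DST=172.16.10.12:22
2021-11-15T10:01:06Z dfw RULE=default-deny ACTION=DROP PROTO=TCP SRC=172.16.10.13:50003 DST=172.16.10.12:3306
this line is not a firewall record and must be skipped
2021-11-15T10:01:09Z dfw RULE=web-to-app ACTION=PASS PROTO=TCP SRC=172.16.10.10:40001 DST=172.16.10.11:8080
2021-11-15T10:01:12Z dfw RULE=default-deny ACTION=DROP PROTO=TCP SRC=203.0.113.7:61000 DST=172.16.10.10:22
"""

# Rules assumed to exist in the policy; "legacy-ftp" never appears in the log.
CONFIGURED_RULES = ["dev-to-prod", "web-to-app", "app-to-db", "legacy-ftp", "default-deny"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dfw RULE=(?P<rule>\S+) ACTION=(?P<action>PASS|DROP) "
    r"PROTO=(?P<proto>\S+) SRC=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"DST=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def summarize(log_text, configured_rules):
    """Count hits per (rule, action), drops per source, and the distinct
    destination ports each source was dropped on; report unused rules."""
    by_rule, dropped_by_src = Counter(), Counter()
    drop_ports, skipped = defaultdict(set), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # malformed input is counted, never trusted
            continue
        by_rule[(rec["rule"], rec["action"])] += 1
        if rec["action"] == "DROP":
            dropped_by_src[rec["src"]] += 1
            drop_ports[rec["src"]].add(rec["dport"])
    seen = {rule for rule, _ in by_rule}
    return {
        "by_rule": by_rule,
        "dropped_by_src": dropped_by_src,
        "drop_ports": dict(drop_ports),
        "unused_rules": set(configured_rules) - seen,  # tuning candidates
        "skipped": skipped,
    }


def scan_like_sources(summary, min_ports=3):
    """Sources whose dropped traffic spanned at least min_ports distinct
    destination ports: a pattern worth an analyst's look rather than a verdict."""
    return sorted(src for src, ports in summary["drop_ports"].items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, CONFIGURED_RULES)
    for (rule, action), n in sorted(s["by_rule"].items()):
        print(f"{rule:14s} {action:4s} {n}")
    print("unused rules:", s["unused_rules"])
    print("multi-port drop sources:", scan_like_sources(s))
```

In practice the threshold and time window for the multi-port check would be tuned to the environment; the point of the example is that per-rule logging makes both the "is this rule ever used" question and the "who keeps hitting default-deny" question answerable from the same data.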

Page 51: Lab 3: SDDC Networking & Native AWS Integration

1. Enable Photo App access to native AWS services

2. Enable public (internet) access to Photo App

3. Configure Photo App to consume AWS RDS

4. Test the Photo App application

5. Configure Photo App consumption of AWS EFS (shared file system) ***OPTIONAL

6. Configure AWS Application Load Balancer (ALB) to load balance Photo App VMs ***OPTIONAL

[Diagram: SDDC (Edge, CGW, MGW, NSX, HCX, vCenter) with Desktop-Net and Demo-Net segments, attached to the Connected VPC]

Page 52: Thank You