Posts

AWS Transitive routing with Transit Gateways in the same region

Gilles Chekroun
Lead VMware Cloud on AWS Specialist
---
At the AWS re:Invent 2019 conference, the long-awaited TGW peering functionality was announced and made available in a few AWS regions. This is INTER-REGION peering only, meaning that the Transit Gateways need to be in different regions.
Hoping that AWS will soon release an INTRA-REGION capability, I discussed with a few AWS Solutions Architects in Las Vegas, among them Tom Adamski, the idea of using a VPC as a bridge between two TGWs in the same region. Tom assured me that it is possible, opening for the first time the transitive routing capability in AWS networking.

Well . . . I needed to test that and see by myself.
Test bed
For a simple test, I will use 2 TGWs in the same region, each with 2 VPCs attached, and another VPC as a "bridge" connected to both TGWs. Yes, a VPC can be attached to up to 5 TGWs.
The whole idea is to use this "bridging VPC" and point the default route of each TGW to it. To do that I create 2 subnets on the bri…

VMware Cloud on AWS: SDDC Design Considerations

Gilles Chekroun
Lead VMware Cloud on AWS Specialist
---
With the recent August 2019 release of VMware Cloud on AWS 1.8, a few interesting improvements are now available concerning the vSAN and Elastic vSAN storage capabilities.
The goal of this blog article is to recap the different options around SDDC design and specifically about stretched and non-stretched clusters.
AWS EC2 Bare metal Instances
As of now, the VMware Cloud on AWS Service is available with two types of EC2 bare metal instances from AWS: i3.metal and R5.metal.
The AWS i3.metal specs are:
- Intel Xeon E5-2686 v4 processors
- 36 cores
- 2.3 GHz
- 512 GiB RAM
- 15 TB NVMe flash
- 25 Gbps Networking
The AWS R5.metal specs are:
- Intel® Xeon® Platinum 8000 Series (Skylake-SP)
- 48 cores
- 2.5 GHz
- 768 GiB RAM
- EBS Storage only (15-35 TB)
- 14 Gbps EBS Bandwidth
- 25 Gbps Networking
Other instances in specific areas like GPU or high memory will come later.
Elastic vSAN
Elastic vSAN, with R5.metal hosts, is a VMware Cloud on AWS cl…

VMware Cloud on AWS: NSX networking and Security eBook

Gilles Chekroun
Lead VMware Cloud on AWS Specialist
---
It's off the press and ready to download.
It was a great pleasure to write this book together with my colleagues Humair Ahmed and Nico Vibert.

Download the e-book

Use PowerCLI to set your SDDC Policy Based VPN

Gilles Chekroun
Lead VMware Cloud on AWS Specialist
---
In the previous post, we talked about using PowerCLI to set up a route-based VPN. This post will show how to set up a policy-based VPN.
For that I will use a new AWS VPC and a Customer Gateway with a native AWS Virtual Private Gateway.
This sets up 2 VPN tunnels with static routes, as opposed to the BGP-learned routes of the route-based VPN.


PowerCLI Functions
- New-NSXTPolicyBasedVPN
- Get-NSXTPolicyBasedVPN
- Remove-NSXTPolicyBasedVPN
JSON and PSObjects
In this post I want to go a bit deeper on the relation between JSON and PowerShell objects. To set up the VPN tunnels, we use API calls, and with them we need to pass a payload carrying our multiple parameters: IP addresses, passwords (pre-shared keys), and IKE and tunnel encryption/digest algorithms.

JavaScript Object Notation (JSON) is mostly used with APIs, and our NSX-T Policy APIs are no exception. When we write a PowerCLI function we need to map the JSON notation to PowerShell.
For example, [...] in JSON …
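As an added example (not code from the original post nor from the VMware.VMC.NSXT module), the block below shows the JSON-to-PowerShell mapping in both directions: a JSON object becomes an ordered hashtable or PSCustomObject, a JSON array becomes @( ), and the result is serialized with ConvertTo-Json. The payload shape, property names and the commented-out URI are simplified, hypothetical illustrations and not the real NSX-T Policy VPN schema; the sample addresses and prefixes are constructed.

```powershell
# Added example, not code from the original post or the VMware.VMC.NSXT module.
# The payload shape, property names and URI are hypothetical illustrations of
# the JSON <-> PowerShell mapping, NOT the real NSX-T Policy VPN schema.
#
#   JSON object  { ... }   ->  [ordered]@{ ... } or [PSCustomObject]@{ ... }
#   JSON array   [ ... ]   ->  @( ... )
#   JSON true/false/null   ->  $true / $false / $null
#   JSON string / number   ->  "..." / 123

function New-VpnPayloadJson {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $PeerAddress,
        [Parameter(Mandatory)] [string[]] $LocalNetworks,
        [Parameter(Mandatory)] [string[]] $RemoteNetworks,
        # Take the secret as a SecureString so it is not sitting in clear text in scripts or shell history.
        [Parameter(Mandatory)] [SecureString] $PreSharedKey
    )

    # [ordered] keeps property order stable, which makes diffs of the generated JSON readable.
    $payload = [ordered]@{
        display_name    = $Name
        enabled         = $true                     # JSON true
        peer_address    = $PeerAddress
        local_networks  = @($LocalNetworks)         # JSON array, even with a single element
        remote_networks = @($RemoteNetworks)
        ike_profile     = [ordered]@{               # nested JSON object
            encryption_algorithms = @("AES_256")
            digest_algorithms     = @("SHA2_256")
            dh_groups             = @("GROUP14")
        }
        # The API needs the clear-text key: convert it only at the last moment.
        psk             = [System.Net.NetworkCredential]::new("", $PreSharedKey).Password
    }

    # Two pitfalls worth knowing:
    # 1. ConvertTo-Json defaults to -Depth 2; deeper levels are silently flattened to strings.
    # 2. Piping an array into ConvertTo-Json unrolls it; use -InputObject (or @( ) as a property).
    return ConvertTo-Json -InputObject $payload -Depth 10
}

# Reverse direction: an API response comes back as JSON and becomes a PSCustomObject;
# JSON arrays become PowerShell arrays you can count, index and iterate.
function Get-VpnPayloadSummary {
    param([Parameter(Mandatory)] [string] $Json)
    $obj = $Json | ConvertFrom-Json
    [PSCustomObject]@{
        Name         = $obj.display_name
        NetworkCount = @($obj.local_networks).Count + @($obj.remote_networks).Count
        Encryption   = ($obj.ike_profile.encryption_algorithms -join ",")
    }
}

# Usage with constructed sample values (TEST-NET-3 peer, RFC 1918 prefixes).
$psk  = ConvertTo-SecureString "replace-with-a-random-key" -AsPlainText -Force
$json = New-VpnPayloadJson -Name "vpn-to-aws" -PeerAddress "203.0.113.10" `
            -LocalNetworks "10.10.0.0/24", "10.10.1.0/24" -RemoteNetworks "172.16.0.0/16" `
            -PreSharedKey $psk

# $json is what goes into -Body of Invoke-RestMethod. The URI below is a placeholder
# (hypothetical path), shown only to illustrate where the serialized payload is used.
# Invoke-RestMethod -Method Put -Uri "https://<nsx-proxy>/policy/api/v1/<hypothetical-path>" `
#     -Headers @{ "csp-auth-token" = $token } -ContentType "application/json" -Body $json

Get-VpnPayloadSummary -Json $json
```

Because the serialized payload contains the pre-shared key in clear text, do not echo $json to the console or a transcript log when debugging; dump the object with the psk property removed instead.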

Use PowerCLI to set your SDDC Route Based VPN

Gilles Chekroun
Lead VMware Cloud on AWS Specialist
---
To Create a Site-to-Site VPN, there are basically 2 methods:
- a route based VPN
- a policy based VPN
This article will describe the route-based VPN between VMware Cloud on AWS as the local site and an AWS Transit Gateway as the remote site.
Following up on my previous article on building SDDC firewall rules using PowerCLI, William and I did more work to build new functions related to the VMware Cloud on AWS route-based VPN.
We examined the 5 API calls needed to build a route-based VPN tunnel here, using Python code.
PowerCLI functions
Using PowerShell and PowerCLI is simpler.
We built 3 functions:

    - Create Route Based VPN
    - Get Route Based VPN info
    - Delete Route Based VPN

Create Route Based VPN
Step 1 - Get the NSX-T and VMC PowerShell modules. Download and import VMware.VMC.NSXT and VMware.VMC.
    Import-Module ./VMware.VMC.NSXT.psd1
    Import-Module ./VMware.VMC.psd1
Step 2 - Get the Refresh-Token, Org name and SDDC name and a…

Use PowerCLI to set your SDDC Firewall rules

Gilles Chekroun
Lead VMware Cloud on AWS Specialist
---
One thing I really like about VMware is the team spirit of that company. People are always here to help you, sharing their experiences and knowledge. We have our EPIC2 values and one guy in particular stands out for Passion and Community.
It's William Lam
He is well known in our community for his "virtuallyGhetto" blog and the 1000+ posts he wrote over many subjects and technologies. Recently, I asked him what API I should use to retrieve the VMC SDDC Public IP address and he replied to me with a blog post! Amazing.
William wrote many PowerShell modules and in particular the ones for NSX-T and VMC.
Download and import the VMware.VMC.NSXT and VMware.VMC PowerShell modules. We will need them later.
This article will describe how to automate tasks after SDDC deployment, like creating logical segments and setting up firewall rules on the MGW (Management Gateway) and, most importantly, on the CGW (Compute Gateway).

PowerShell Install o…