Adding a VMware Cloud on AWS SDDC to an Egress VPC (Part 2)

Gilles Chekroun


Lead VMware Cloud on AWS Solutions Architect
---
As a follow up to Part 1 on Egress VPC here, I want to add an SDDC to the picture and allow the Virtual Machines on the NSX networks to go out to internet via the Egress VPC and NAT Gateways.

Lab Setup

Similarly to the setup in Part 1, I will now connect an SDDC with VPN to the TGW like this:

Generic considerations

  • Since we want the SDDC internet access via the Egress VPC for Security reasons, we will need a global 0.0.0.0/0 route on the VPN.
  • That's now basically cutting the SDDC IGW access. Because of that, we will need to take care of 2 things:
    1. How to access vCenter if we don't have internet on the  SDDC?
    2. How do we resolve DNS ?

Point 1

For vCenter access I decided to use the SDDC attached VPC via the ENI and deploy a Windows JumpHost there. The attached VPC has its own Internet Gateway.

The vCenter resolution will now need to be changed to "Private IP" as described below:

Point 2

The DNS default for CGW and MGW is set to 8.8.8.8 and 8.8.4.4. This needs to be fixed because we don't have access to public DNS anymore. 

Our only way out of the SDDC is VPN to TGW and ENI to the attached VPC and here, we have the capability to use the embedded VPC DNS at the reserved IP address CIDR+2.

The IP address of the VPC DNS server is the reserved IP address at the base of the VPC IPv4 network range plus two

Make sure the attached VPC has DNS Resolution enabled.

Set the SDDC System DNS to the Attached VPC CIDR + 2

VPN setup

We will build a Route based VPN from the SDDC to the TGW. By default AWS gives 2 tunnels per VPN Connection.

Create a new TGW attachment as VPN.

On the "Site to Site VPN" note the public IPs of the tunnels.
and configure them in the SDDC Route based VPN tab.

TGW new Route Table

Now that we have our SDDC connected to the TGW via VPN, we need to add a new route table. Similarly to the Egress route table and the Apps route table, I will now create an SDDC route table, associate it with the VPN attachment and just create one global 0.0.0.0/0 route pointing to our Egress VPC.

Having this global static route, it will be advertised to the SDDC via BGP on our VPN tunnels. Let's check that.
Same for the second tunnel
At this point, any non-SDDC IP address will go out on the VPN tunnel.

Egress VPC public route tables

Update the Egress VPC public route tables for AZa and  AZb to include the route back to the SDDC via the TGW

Egress VPC attachment route table

Update also the TGW route table for the Egress VPC to include the SDDC segment.

Tests

That's it - we can now start testing.
I have an Ubuntu VM inside my SDDC on segment 192.168.1.0 with  IP at .5
  • SSH to the JumpHost
  • SSH to the Ubuntu VM (192.168.1.5)
  • Ping any  external address like amazon.com
  • Traceroute the same address and verify the we go via one of the NAT Gateways

Blackhole routes

In the next post (Part 3) we will use a VMware Manage TGW to connect the SDDC and the Apps VPCs at high speed (VPC attachments).
At this stage it's important to drop the  traffic from the SDDC via the VPN to the Apps VPCs
Once again the blackhole routes in the SDDC Route Table are playing a role.
Let's try to ping EC2s in Apps VPCs:
Thanks for reading.








Comments

Populars

AWS Transit Gateway and VMware Cloud on AWS

AWS Transit Gateway and Multiple Accounts

Using Terraform with multiple providers in multiple phases to deploy and configure VMware Cloud on AWS