Deploy your first SDDC in VMware Cloud on AWS

-
Gilles Chekroun
Lead NSX Systems Engineer - VMware Europe
---

On-boarding process

So you went ahead and talked to VMware about running the full stack SDDC in AWS.
Great !!
The on-boarding process is very simple but need a little bit of preparation.

Create or use your AWS VPC

Before we start with VMware Cloud on AWS on-boarding process we need to prepare the AWS environment that will be linked to VMware VPC running the SDDC Stack. To do that, create or use a VPC in the AWS region where you are going to deploy your SDDC.
In this example, I will create a new VPC and give it a CIDR of 172.16.0.0/16

Create Subnets in each Availability Zone

Log into your VMC dashboard

VMC dashboard is at : https://vmc.vmware.com/console/sddcs - login using your VMware ID credentials

Create SDDC

Step 1 - Link your AWS account with Cloud Formation Template

This step gives VMware permission to set up networking correctly for your SDDC on your AWS infrastructure using cross-account rules.

Step 2 - Setup your SDDC properties

Choose the AWS region you want to deploy to and give a name to your SDDC.
Choose the number of hosts in your Cluster. Today min number is 4 hosts. this will change in future releases.

Step 3 - VPC and Subnets

Select the VPC created earlier...
Select one Availability Zone 

Step 4 - Configure the management Network

IP range for the management Network can not be changed once the SDDC is deployed. Make sure you give a mask large enough to accommodate your needs.
SDDC deployment for 4 hosts takes about 2 hours. The complete SDDC stack is installed automatically including vSphere, NSX, vSAN and vCenter,
and after 2 hours . . . 

Configuring Basic FireWall rules

On a freshly deployed SDDC, there are no FW rules in place.
Select the Network Tab. Note the dotted lines to the Internet.
Let's create some basic rules to access the Management part: Allow HTTPS to vCenter.
vCenter is now connected to the Internet. Note the blue solid line.
Let's open the Compute part to the Internet as well. You may want to limit the port access but for this lab, I will open all ports.
The Source will be our DEFAULT Logical Network sddc-cgw-network-1 at 192.168.1.0/24
Our Compute part is now Internet connected.
At this point, we have a working environment.

Connect to vCenter

On SDDC screen Select "Connection Info"
Click on vCenter URL and use userID = cloudadmin@vmc.local, password can be seen by clicking on the little eye or copied to the clipboard.
And this is our VMware Cloud on AWS vCenter

Next Steps

The obvious next steps would be to configure the VPN to on-prem Data Center for the Management and Compute part. (probably another blog article)

At this stage we can start deploying VMs directly from our PC or eventually from an AWS S3 bucket as described in a previous blog article here.

Comments

Post a Comment

Populars

Egress VPC and AWS Transit Gateway (Part1)

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Usually my blog posts are customer driven and recently I have been working on a design that would include an Egress VPC and AWS Transit Gateway. This customer is going to use both VMware Managed Transit Gateway and also AWS Transit Gateway. I will split this post in 3 parts: The Egress VPC - this article Adding a VMC SDDC to the Egress VPC here Adding VMware Managed Transit Gateway here Why do we need an Egress VPC? Numerous posts on AWS site  will describe how to build an Egress VPC and the subtleties of the various route tables of the TGW and the Egress VPC itself. The main goal is to have ONE Internet gateway only  that will allow workloads to go out to internet on the Egress VPC. One of the most important point is redundancy and multi-availability zones. Applications usually reside in private subnets, while NAT Gateways reside in a public subnet. NAT Gateways To focus the Internet access to a single point, we can cre
Read more

AWS Transitive routing with Transit Gateways in the same region

-
Image
Gilles Chekroun Lead VMware Cloud on AWS Specialist --- At the AWS Re:invent 2019 conference, the long waited TGW peering functionality was announced and available in a few AWS regions. This is an INTER-REGION peering only meaning that the Transit Gateways need to be in different regions. Hoping that AWS will soon release an INTRA-REGION capability I discussed with a few AWS Solutions Architects in Las Vegas, among them Tom Adamski , about using a VPC as a bridge between two TGWs in the same region. Tom assured me that it is possible opening for the first time the transitive routing capability in AWS networking. Well . . . I needed to test that and see by myself. Test bed For a simple test, I will use 2 TGWs in the same regions with 2 VPCs attached each and another VPC as "bridge" connected to both TGWs. Yes you can connect a VPC up to 5 TGWs . The whole idea is to use this "bridging VPC" and point the default route of the TGWs to it. To do that I c
Read more

Considerations on vTGW to TGW Peering Link

-
Image
   Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Recently I was talking with a Customer on designing their VMware Cloud on AWS environment and linking it to their existing AWS infrastructure. The idea was to have 2 SDDCs, Test and Prod, and link them with a VMware Managed TGW and peer it to their existing TGW. The customer requirements were: VMs in each SDDC should have internet access from the SDDC out VMs from Test should be able to talk to VMs in Prod VMs in any SDDC should be able to access their own vCenter but also the other one Some VMs any SDDC should have a Public IP and NAT rule to be accessible from outside VMware traffic should stay within VMware SDDCs Other traffic, like on-prem, should go via the Customer TGW Test Setup Step1 - Create SDDC Group Create an SDDC Group and attach the 2 SDDCs Prod and Test Make sure the proper FireWall rules are open in each SDDC Compute GW. Step 2 - Attach the Customer TGW In the SDDC Groups, under External TGW TAB, add t
Read more