Posts

Showing posts from October, 2020

Adding VMware Transit Connect to Egress VPC (Part 3)

Gilles Chekroun, Lead VMware Cloud on AWS Solutions Architect

UPDATE 6 NOV 2020: Github terraform code here.

Finally, here is Part 3 of this blog "series" around Egress VPC. Part 1 is here and Part 2 is here.

After setting up the Egress VPC in Part 1 and adding a VPN-connected SDDC in Part 2, I want to connect the SDDC and the Apps VPCs via a VMware Transit Connect, a.k.a. VMware managed Transit Gateway.

Lab Setup

Creating an SDDC Group

I have described in deep detail the way to create an SDDC group and attach Customer VPCs in this article. Let's go and do that quickly. Create an SDDC group and attach the SDDC. This step will create the vTGW. Under the "VPC Connectivity" tab, configure the Customer AWS account number so the vTGW resource can be shared. On the Customer AWS console, go to RAM (Resource Access Manager) and look for "Resources shared with me". Accept the vTGW resource.

Connecting Apps VPCs

We have now accepted the shared vTGW resource and

Adding a VMware Cloud on AWS SDDC to an Egress VPC (Part 2)

Gilles Chekroun, Lead VMware Cloud on AWS Solutions Architect

As a follow-up to Part 1 on Egress VPC here, I want to add an SDDC to the picture and allow the Virtual Machines on the NSX networks to go out to the internet via the Egress VPC and NAT Gateways.

Lab Setup

Similarly to the setup in Part 1, I will now connect an SDDC with VPN to the TGW like this:

Generic considerations

Since we want the SDDC internet access via the Egress VPC for security reasons, we will need a global 0.0.0.0/0 route on the VPN. That is now basically cutting the SDDC IGW access. Because of that, we will need to take care of 2 things:

How to access vCenter if we don't have internet on the SDDC?

How do we resolve DNS?

Point 1

For vCenter access I decided to use the SDDC attached VPC via the ENI and deploy a Windows JumpHost there. The attached VPC has its own Internet Gateway. The vCenter resolution will now need to be changed to "Private IP" as described below:

Point 2

The DNS default for

Egress VPC and AWS Transit Gateway (Part 1)

Gilles Chekroun, Lead VMware Cloud on AWS Solutions Architect

Usually my blog posts are customer driven, and recently I have been working on a design that would include an Egress VPC and AWS Transit Gateway. This customer is going to use both VMware Managed Transit Gateway and also AWS Transit Gateway. I will split this post in 3 parts:

The Egress VPC - this article

Adding a VMC SDDC to the Egress VPC here

Adding VMware Managed Transit Gateway here

Why do we need an Egress VPC?

Numerous posts on the AWS site will describe how to build an Egress VPC and the subtleties of the various route tables of the TGW and the Egress VPC itself. The main goal is to have ONE Internet Gateway only that will allow workloads to go out to the internet on the Egress VPC. One of the most important points is redundancy and multi-availability zones. Applications usually reside in private subnets, while NAT Gateways reside in a public subnet.

NAT Gateways

To focus the Internet access to a single point, we can cre