Adding a VMware Cloud on AWS SDDC to an Egress VPC (Part 2)

-

Gilles Chekroun


Lead VMware Cloud on AWS Solutions Architect
---
As a follow up to Part 1 on Egress VPC here, I want to add an SDDC to the picture and allow the Virtual Machines on the NSX networks to go out to internet via the Egress VPC and NAT Gateways.

Lab Setup

Similarly to the setup in Part 1, I will now connect an SDDC with VPN to the TGW like this:

Generic considerations

  • Since we want the SDDC internet access via the Egress VPC for Security reasons, we will need a global 0.0.0.0/0 route on the VPN.
  • That's now basically cutting the SDDC IGW access. Because of that, we will need to take care of 2 things:
    1. How to access vCenter if we don't have internet on the  SDDC?
    2. How do we resolve DNS ?

Point 1

For vCenter access I decided to use the SDDC attached VPC via the ENI and deploy a Windows JumpHost there. The attached VPC has its own Internet Gateway.

The vCenter resolution will now need to be changed to "Private IP" as described below:

Point 2

The DNS default for CGW and MGW is set to 8.8.8.8 and 8.8.4.4. This needs to be fixed because we don't have access to public DNS anymore. 

Our only way out of the SDDC is VPN to TGW and ENI to the attached VPC and here, we have the capability to use the embedded VPC DNS at the reserved IP address CIDR+2.

The IP address of the VPC DNS server is the reserved IP address at the base of the VPC IPv4 network range plus two

Make sure the attached VPC has DNS Resolution enabled.

Set the SDDC System DNS to the Attached VPC CIDR + 2

VPN setup

We will build a Route based VPN from the SDDC to the TGW. By default AWS gives 2 tunnels per VPN Connection.

Create a new TGW attachment as VPN.

On the "Site to Site VPN" note the public IPs of the tunnels.
and configure them in the SDDC Route based VPN tab.

TGW new Route Table

Now that we have our SDDC connected to the TGW via VPN, we need to add a new route table. Similarly to the Egress route table and the Apps route table, I will now create an SDDC route table, associate it with the VPN attachment and just create one global 0.0.0.0/0 route pointing to our Egress VPC.

Having this global static route, it will be advertised to the SDDC via BGP on our VPN tunnels. Let's check that.
Same for the second tunnel
At this point, any non-SDDC IP address will go out on the VPN tunnel.

Egress VPC public route tables

Update the Egress VPC public route tables for AZa and  AZb to include the route back to the SDDC via the TGW

Egress VPC attachment route table

Update also the TGW route table for the Egress VPC to include the SDDC segment.

Tests

That's it - we can now start testing.
I have an Ubuntu VM inside my SDDC on segment 192.168.1.0 with  IP at .5
  • SSH to the JumpHost
  • SSH to the Ubuntu VM (192.168.1.5)
  • Ping any  external address like amazon.com
  • Traceroute the same address and verify the we go via one of the NAT Gateways

Blackhole routes

In the next post (Part 3) we will use a VMware Manage TGW to connect the SDDC and the Apps VPCs at high speed (VPC attachments).
At this stage it's important to drop the  traffic from the SDDC via the VPN to the Apps VPCs
Once again the blackhole routes in the SDDC Route Table are playing a role.
Let's try to ping EC2s in Apps VPCs:
Thanks for reading.








Comments

  1. chandraFebruary 2, 2021 at 2:33 PM

    Hello Gilles,
    Thank you for the great post. I'm in the process of designing SDDC. Am I able to route internet traffic via vTGW to my existing VPC and IGW? instead of using VPN to AWS TGW.

    ReplyDelete
    Replies
    1. Gilles ChekrounFebruary 2, 2021 at 4:11 PM

      Good question and today it’s not possible but this feature will be available soon. We need to be able to program a static 0.0.0.0/0 route pointing to the egress VPC to do that. Soon ....

      Delete

Post a Comment

Populars

Egress VPC and AWS Transit Gateway (Part1)

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Usually my blog posts are customer driven and recently I have been working on a design that would include an Egress VPC and AWS Transit Gateway. This customer is going to use both VMware Managed Transit Gateway and also AWS Transit Gateway. I will split this post in 3 parts: The Egress VPC - this article Adding a VMC SDDC to the Egress VPC here Adding VMware Managed Transit Gateway here Why do we need an Egress VPC? Numerous posts on AWS site  will describe how to build an Egress VPC and the subtleties of the various route tables of the TGW and the Egress VPC itself. The main goal is to have ONE Internet gateway only  that will allow workloads to go out to internet on the Egress VPC. One of the most important point is redundancy and multi-availability zones. Applications usually reside in private subnets, while NAT Gateways reside in a public subnet. NAT Gateways To focus the Internet access to a single point, we can cre
Read more

AWS Transitive routing with Transit Gateways in the same region

-
Image
Gilles Chekroun Lead VMware Cloud on AWS Specialist --- At the AWS Re:invent 2019 conference, the long waited TGW peering functionality was announced and available in a few AWS regions. This is an INTER-REGION peering only meaning that the Transit Gateways need to be in different regions. Hoping that AWS will soon release an INTRA-REGION capability I discussed with a few AWS Solutions Architects in Las Vegas, among them Tom Adamski , about using a VPC as a bridge between two TGWs in the same region. Tom assured me that it is possible opening for the first time the transitive routing capability in AWS networking. Well . . . I needed to test that and see by myself. Test bed For a simple test, I will use 2 TGWs in the same regions with 2 VPCs attached each and another VPC as "bridge" connected to both TGWs. Yes you can connect a VPC up to 5 TGWs . The whole idea is to use this "bridging VPC" and point the default route of the TGWs to it. To do that I c
Read more

Considerations on vTGW to TGW Peering Link

-
Image
   Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Recently I was talking with a Customer on designing their VMware Cloud on AWS environment and linking it to their existing AWS infrastructure. The idea was to have 2 SDDCs, Test and Prod, and link them with a VMware Managed TGW and peer it to their existing TGW. The customer requirements were: VMs in each SDDC should have internet access from the SDDC out VMs from Test should be able to talk to VMs in Prod VMs in any SDDC should be able to access their own vCenter but also the other one Some VMs any SDDC should have a Public IP and NAT rule to be accessible from outside VMware traffic should stay within VMware SDDCs Other traffic, like on-prem, should go via the Customer TGW Test Setup Step1 - Create SDDC Group Create an SDDC Group and attach the 2 SDDCs Prod and Test Make sure the proper FireWall rules are open in each SDDC Compute GW. Step 2 - Attach the Customer TGW In the SDDC Groups, under External TGW TAB, add t
Read more