Adding a VMware Cloud on AWS SDDC to an Egress VPC (Part 2)

Gilles Chekroun

Lead VMware Cloud on AWS Solutions Architect
As a follow up to Part 1 on Egress VPC here, I want to add an SDDC to the picture and allow the Virtual Machines on the NSX networks to go out to internet via the Egress VPC and NAT Gateways.

Lab Setup

Similarly to the setup in Part 1, I will now connect an SDDC with VPN to the TGW like this:

Generic considerations

  • Since we want the SDDC internet access via the Egress VPC for Security reasons, we will need a global route on the VPN.
  • That's now basically cutting the SDDC IGW access. Because of that, we will need to take care of 2 things:
    1. How to access vCenter if we don't have internet on the  SDDC?
    2. How do we resolve DNS ?

Point 1

For vCenter access I decided to use the SDDC attached VPC via the ENI and deploy a Windows JumpHost there. The attached VPC has its own Internet Gateway.

The vCenter resolution will now need to be changed to "Private IP" as described below:

Point 2

The DNS default for CGW and MGW is set to and This needs to be fixed because we don't have access to public DNS anymore. 

Our only way out of the SDDC is VPN to TGW and ENI to the attached VPC and here, we have the capability to use the embedded VPC DNS at the reserved IP address CIDR+2.

The IP address of the VPC DNS server is the reserved IP address at the base of the VPC IPv4 network range plus two

Make sure the attached VPC has DNS Resolution enabled.

Set the SDDC System DNS to the Attached VPC CIDR + 2

VPN setup

We will build a Route based VPN from the SDDC to the TGW. By default AWS gives 2 tunnels per VPN Connection.

Create a new TGW attachment as VPN.

On the "Site to Site VPN" note the public IPs of the tunnels.
and configure them in the SDDC Route based VPN tab.

TGW new Route Table

Now that we have our SDDC connected to the TGW via VPN, we need to add a new route table. Similarly to the Egress route table and the Apps route table, I will now create an SDDC route table, associate it with the VPN attachment and just create one global route pointing to our Egress VPC.

Having this global static route, it will be advertised to the SDDC via BGP on our VPN tunnels. Let's check that.
Same for the second tunnel
At this point, any non-SDDC IP address will go out on the VPN tunnel.

Egress VPC public route tables

Update the Egress VPC public route tables for AZa and  AZb to include the route back to the SDDC via the TGW

Egress VPC attachment route table

Update also the TGW route table for the Egress VPC to include the SDDC segment.


That's it - we can now start testing.
I have an Ubuntu VM inside my SDDC on segment with  IP at .5
  • SSH to the JumpHost
  • SSH to the Ubuntu VM (
  • Ping any  external address like
  • Traceroute the same address and verify the we go via one of the NAT Gateways

Blackhole routes

In the next post (Part 3) we will use a VMware Manage TGW to connect the SDDC and the Apps VPCs at high speed (VPC attachments).
At this stage it's important to drop the  traffic from the SDDC via the VPN to the Apps VPCs
Once again the blackhole routes in the SDDC Route Table are playing a role.
Let's try to ping EC2s in Apps VPCs:
Thanks for reading.


  1. Hello Gilles,
    Thank you for the great post. I'm in the process of designing SDDC. Am I able to route internet traffic via vTGW to my existing VPC and IGW? instead of using VPN to AWS TGW.

    1. Good question and today it’s not possible but this feature will be available soon. We need to be able to program a static route pointing to the egress VPC to do that. Soon ....


Post a Comment


Egress VPC and AWS Transit Gateway (Part1)

AWS Transitive routing with Transit Gateways in the same region

Build a VMware Cloud on AWS Content Library using AWS S3