Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS
03 SEP 2019
VMware Validated Design 5.1
VMware Cloud on AWS
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
docfeedback@vmware.com
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2019 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
About Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS 4
1 Applying the Guidance for Extending VMware Validated Design to VMware Cloud on AWS 6
2 Architecture Overview 7
Physical Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS 7
Availability Zones and Regions 8
Virtual Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS 8
Operations Management Architecture for Extending the SDDC to VMware Cloud on AWS 10
Cloud Management Architecture for Extending the SDDC to VMware Cloud on AWS 11
3 Detailed Design 12
Physical Infrastructure Design for Extending the SDDC to VMware Cloud on AWS 12
Physical Design Fundamentals of the SDDC Infrastructure on VMware Cloud on AWS 13
Physical Networking Design of the SDDC Infrastructure on VMware Cloud on AWS 15
Virtual Infrastructure Design for Extending the SDDC to VMware Cloud on AWS 24
Hybrid Linked Mode Design 24
Resource Reservation Design 26
Operations Management Design for Extending the SDDC to VMware Cloud on AWS 26
vRealize Operations Manager Design for the SDDC Infrastructure on VMware Cloud on AWS 27
vRealize Log Insight and Log Intelligence Design for the SDDC Infrastructure on VMware Cloud on AWS 30
Cloud Management Design for Extending the SDDC to VMware Cloud on AWS 32
About Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS
The Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS documentation provides a detailed design for extending your on-premises VMware Validated Design™ SDDC to a hybrid SDDC by adding and configuring an SDDC on VMware Cloud™ on AWS as a third region, Region C.
VMware Cloud on AWS is an integrated cloud offering jointly developed by Amazon Web Services and VMware delivering a highly scalable, secure, and innovative service. With VMware Cloud on AWS, organizations can seamlessly migrate and extend their on-premises VMware vSphere® environments to the AWS Cloud running on an Amazon EC2 bare metal infrastructure.
The VMware Validated Design for SDDC traditionally uses on-premises data centers to host separate regions. Having multiple regions enables features such as high availability, disaster recovery, data locality or sovereignty, and the ability to scale out the capacity of the SDDC. If your organization does not have the ability to deploy infrastructure in an additional data center, you can extend your on-premises SDDC to a hybrid SDDC. To extend your VMware Validated Design SDDC to a hybrid SDDC, you can implement one or more regions by connecting your on-premises infrastructure with VMware Cloud on AWS.
Prerequisites
You must have a VMware Validated Design for Software-Defined Data Center 5.x deployed in at least a single region. See the VMware Validated Design documentation page.
Intended Audience
This design is intended for architects and administrators who want to use VMware Cloud™ on AWS for tenant workloads.
Required VMware Software
Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS is compliant and validated with certain product versions. See VMware Validated Design Release Notes for more information about supported product versions.
- Software components for VMware Validated Design™ for Software-Defined Data Center 5.x
- VMware vCenter Cloud Gateway
1 Applying the Guidance for Extending VMware Validated Design to VMware Cloud on AWS
The content in Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS supplements Architecture and Design in VMware Validated Design for Software-Defined Data Center, also referred to as the Standard SDDC.
Before You Design the Virtual Infrastructure for Extending the SDDC to VMware Cloud on AWS
Before you follow this documentation, you must deploy the components for the Standard SDDC according to VMware Validated Design for Software-Defined Data Center. See Architecture and Design, Planning and Preparation, Deployment for Region A, and Deployment for Region B in the VMware Validated Design documentation.
- VMware ESXi™
- VMware Platform Services Controller™ pair and Management vCenter Server®
- VMware NSX® Data Center for vSphere®
- VMware vRealize® Lifecycle Manager™
- vSphere® Update Manager™
- VMware vRealize® Operations Manager™
- VMware vRealize® Log Insight™
- VMware vRealize® Automation™ with embedded vRealize® Orchestrator™
- VMware vRealize® Business™ for Cloud
Designing a Virtual Infrastructure for Extending the SDDC to VMware Cloud on AWS
Next, directly follow this guidance to design the virtual infrastructure for your new region on VMware Cloud™ on AWS:
2 Architecture Overview
By extending your deployed VMware Validated Design SDDC to VMware Cloud on AWS, you can extend and integrate your on-premises environment with the VMware Cloud on AWS service.
This chapter includes the following topics:
- Physical Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS
- Virtual Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS
- Operations Management Architecture for Extending the SDDC to VMware Cloud on AWS
- Cloud Management Architecture for Extending the SDDC to VMware Cloud on AWS
Physical Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS
The physical infrastructure architecture includes details for the physical properties of the SDDC on VMware Cloud on AWS implementation as Region C in this design.
Each SDDC on VMware Cloud on AWS contains at least a single vSphere HA and DRS cluster that runs all management virtual machines and customer workload virtual machines. The initial cluster contains at least three ESXi hosts. Each ESXi host provides 36 cores running at 2.3 GHz, 512 GB RAM, and 16 TB of all-flash NVMe devices to the cluster. The workload virtual machines running inside the SDDC cluster consume a dedicated cluster-wide vSAN datastore. A cluster can be expanded up to 16 hosts, all of which have identical hardware capabilities.
Each ESXi host provides 25 Gb/s of network bandwidth within the SDDC on VMware Cloud on AWS. Network I/O Control prioritizes the bandwidth between the several network traffic streams if contention occurs. The SDDC cluster uses native NSX technology that integrates with the AWS networking infrastructure. The customer can create logical networks to provide VMs with network connectivity to other networks and to the Internet if necessary. The management virtual machines, such as the vCenter Server, NSX Manager, and NSX Edge virtual machines, run inside the cluster and are grouped in a separate vSphere DRS resource pool.
Each SDDC cluster is dedicated to a single customer. Existing AWS controls ensure customer segregation by using dedicated AWS accounts and AWS Virtual Private Clouds (VPC) for each SDDC deployment on VMware Cloud on AWS. Because vSAN is built out of instance local storage and each ESXi host is dedicated to a single customer, there is no sharing of resources across different customers inside the SDDC compute, network, or storage layers.
- Availability Zones and Regions
In an SDDC, availability zones are collections of infrastructure components. Availability zones are isolated from each other to prevent the propagation of failure or outage across the data center. Use regions to place workloads closer to your customers, comply with data privacy laws and restrictions, and support disaster recovery solutions for the entire SDDC.
Availability Zones and Regions
In an SDDC, availability zones are collections of infrastructure components. Availability zones are isolated from each other to prevent the propagation of failure or outage across the data center. Use regions to place workloads closer to your customers, comply with data privacy laws and restrictions, and support disaster recovery solutions for the entire SDDC.
This hybrid cloud design uses an on-premises protected region (Region A) for SDDC management components with one or two availability zones, an on-premises recovery region (Region B) with a single availability zone, and a region on VMware Cloud on AWS (Region C) with a single availability zone. You can place workloads in each availability zone and region. You can expand the design to include multiple availability zones.
Figure 2-1. Availability Zones and Regions
[Diagram: Region A: SFO with Availability Zone 1 and Availability Zone 2; Region B: LAX with one Availability Zone; Region C: VMC with one Availability Zone; a Future Availability Zone is shown in each region.]
Virtual Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS
The architecture of the virtual components and services that are available in the SDDC on VMware Cloud on AWS as Region C supports the integration with the on-premises SDDC. The architecture allocates all resources required for the operation of the SDDC and isolates the management components in the cloud from the tenant workloads.
An SDDC on VMware Cloud on AWS can contain up to 10 clusters. VMware manages the vSphere HA, DRS, and vSAN settings, therefore your cloud administrator has a read-only view of the cluster configuration settings. Cloud administrators can configure only per-VM DRS rules, such as VM-VM anti-affinity and VM-Host affinity rules, by using compute policies.
By default, each cluster contains two vSphere DRS resource pools as follows:
- The resource pool named Mgmt-ResourcePool contains the management virtual machines and is configured with a CPU and memory resource reservation. Your cloud administrator has a read-only view of the virtual machine and resource pool settings of the management resource pool.
- Tenant workloads are placed in the resource pool named Compute-ResourcePool. By default, this workload resource pool is not configured with CPU and memory resource reservations. Cloud administrators have full control access rights over this resource pool.
By default, the SDDC on VMware Cloud on AWS contains a single cluster. If you create a new cluster of hosts in the SDDC on VMware Cloud on AWS, the additional cluster is created in the same AWS availability zone. Additional clusters can use R5.metal hosts instead of i3.metal hosts. R5.metal hosts use Amazon EBS storage instead of local NVMe flash drives. EBS storage can scale from 15 TB to 35 TB in 5 TB increments. R5.metal hosts can be used only for additional clusters of an existing SDDC on VMware Cloud on AWS, and cannot be the first cluster that is provisioned in the environment.
You can configure an SDDC on VMware Cloud on AWS as an extension to an existing on-premises SDDC by using Hybrid Linked Mode and VPN connections.
Figure 2-2. VMware Cloud on AWS Region-C Cluster
[Diagram: a VMware Cloud cluster of ESXi transport nodes managed by the VMware Cloud vCenter Server. Virtual Infrastructure Management (Mgmt-ResourcePool) holds the vCenter Server, NSX-T Manager, NSX-T Controllers and NSX-T Edges; Workloads (Compute-ResourcePool) holds the tenant APP/OS virtual machines. Networks: External (AWS VPC) and Internal SDDC, carried over an N-VDS in the NSX-T Transport Zone.]
VMC Console
VMC Console is a self-service, Web-based application that is available from the VMware Cloud services portal where you can manage and view your SDDCs on VMware Cloud on AWS. VMC Console shows each SDDC as a card, with information including name, region, status, and hardware allocation. Also, there are links for more details and operations that you can perform on the SDDC.
In addition, VMC Console shows subscriptions, activity logs, tools, and a developer center to facilitate the use of the VMware Cloud on AWS service. A subscription is used to pre-pay for hardware at a reduced cost compared to using VMware Cloud on AWS in an on-demand manner. The available tools include the Content Onboarding Assistant, the DCLI bundle, and the vCenter Cloud Gateway. The developer center provides code samples, an API Explorer, and other tools to help you learn the available automation and integration development options.
Linking Between the On-premises SDDC and the SDDC on VMware Cloud on AWS
You use the vCenter Cloud Gateway appliance to link from your on-premises data center to your SDDC on VMware Cloud on AWS. The vCenter Cloud Gateway appliance provides the following benefits:
- Active Directory groups are mapped from your on-premises environment to the environment on VMware Cloud on AWS. You do not need to add Active Directory as an identity source in your VMware Cloud vCenter Server.
- You can restrict the access to important infrastructure services, such as Active Directory, according to the security policy of your organization. Latency when performing operations on the on-premises SDDC is lower.
- Because vCenter Cloud Gateway includes the vSphere UI, you benefit from automatically getting access to the latest version of the vSphere HTML5 Client on VMware Cloud on AWS that is fully interoperable with your on-premises environment.
Operations Management Architecture for Extending the SDDC to VMware Cloud on AWS
To manage and monitor your SDDC on VMware Cloud on AWS that is implemented as Region C in this design, you can configure the on-premises vRealize Operations Manager and vRealize Log Insight instances. With this configuration, you avoid using multiple tools for the different parts of your hybrid environment.
VMware Cloud on AWS Operations Management
VMware Cloud on AWS offloads the majority of operations and management tasks to VMware directly. A limited number of relevant events and alerts are available through the hosted VMware Cloud vCenter Server. In this design, the on-premises vRealize Operations Manager analytics cluster is used to collect and monitor these events and alerts, similarly to how the on-premises vCenter Server instances are monitored.
VMware Cloud on AWS Logging
VMware Log Intelligence is a VMware Cloud service with which you can collect logs from the VMware Cloud on AWS service and associated VMware Cloud services. In this design, you use the on-premises vRealize Log Insight system to collect and aggregate logging data from both VMware Cloud on AWS and on-premises sources.
For forwarding log data that is collected from the SDDC on VMware Cloud on AWS to vRealize Log Insight, you deploy a VMware Cloud Proxy appliance in the on-premises environment.
Figure 2-3. VMware Cloud Proxy Docker Containers
[Diagram: the Cloud Proxy appliance runs the following Docker containers.]
- Cloud Assembly SDDC Agent (container: cloudassembly-sddc-agent)
- Cloud Assembly CMX Agent (container: cloudassembly-cmx-agent)
- vRealize Orchestrator Agent (container: tango-vro-agent)
- Code Stream Agent (container: codestream-lemans-agent)
- Log Intelligence Agent (container: log-forwarder)
- Cloud Assembly Blueprint Agent (container: cloudassembly-blueprint-agent)
Cloud Management Architecture for Extending the SDDC to VMware Cloud on AWS
To configure the consumption portal for your SDDC on VMware Cloud on AWS implementation as Region C in this design, you can configure the on-premises vRealize Automation system.
You can use your on-premises vRealize Automation system with your SDDC on VMware Cloud on AWS as a deployment target end point. With this configuration, you can reuse the templates and blueprints that you developed for the on-premises environment, reducing the time required to stand up an additional environment.
Note: Some blueprints might require reconfiguration.
3 Detailed Design
The detailed design for extending VMware Validated Design to VMware Cloud on AWS considers both physical and virtual infrastructure design for the hybrid SDDC. It includes numbered design decisions and the justification and implications of each decision.
- Physical Infrastructure Design for Extending the SDDC to VMware Cloud on AWS
The physical design includes design decision details for the physical properties of the SDDC on VMware Cloud on AWS implementation as Region C in this design.
- Virtual Infrastructure Design for Extending the SDDC to VMware Cloud on AWS
This virtual design includes design decision details for the physical properties of the SDDC on VMware Cloud on AWS implementation as Region C in this design.
- Operations Management Design for Extending the SDDC to VMware Cloud on AWS
Operating a hybrid SDDC that consists of on-premises and VMware Cloud on AWS SDDC components can be performed by using the same management components as a standalone on-premises SDDC. You extend and integrate vRealize Operations Manager and vRealize Log Insight for seamless Day-2 operations of both environments.
- Cloud Management Design for Extending the SDDC to VMware Cloud on AWS
vRealize Automation is the management component in the on-premises SDDC infrastructure for deploying blueprints and applications. You can use your on-premises vRealize Automation deployment with your SDDC on VMware Cloud on AWS.
Physical Infrastructure Design for Extending the SDDC to VMware Cloud on AWS
The physical design includes design decision details for the physical properties of the SDDC on VMware Cloud on AWS implementation as Region C in this design.
- Physical Design Fundamentals of the SDDC Infrastructure on VMware Cloud on AWS
When deploying an SDDC on VMware Cloud on AWS, you must select the deployment location and the number of hosts for the initial cluster for your use case.
- Physical Networking Design of the SDDC Infrastructure on VMware Cloud on AWS
To begin using VMware Cloud on AWS to run workloads as Region C in your SDDC, you must set up network connections between your on-premises data centers and the SDDC on VMware Cloud on AWS. This network can include a dedicated connection over AWS Direct Connect, an IPSec VPN, or both.
Physical Design Fundamentals of the SDDC Infrastructure on VMware Cloud on AWS
When deploying an SDDC on VMware Cloud on AWS, you must select the deployment location and the number of hosts for the initial cluster for your use case.
Selecting an AWS Region and Sizing the Initial Host Configuration
When deploying the SDDC on VMware Cloud on AWS as Region C of your validated SDDC, select the AWS Region location according to these criteria:
- Location latency
- Data sovereignty
- Co-location with existing services
- Cost
You can use any VMware Cloud enabled AWS region. This design uses US West (Oregon) as an example.
Figure 3-1. Cluster Configuration of the Hybrid SDDC
[Diagram: Region A Management Cluster and Region A Compute / Edge Cluster, and Region B Management Cluster and Region B Compute / Edge Cluster, each built on ESXi hosts and hosting PSC, Management vCenter Server (Mgmt VC), Compute vCenter Server (Compute VC), an NSX Edge Load Balancer and tenant APP/OS virtual machines; Region C Cluster on VMware Cloud on AWS built on ESXi hosts and hosting the VMware Cloud vCenter Server (VMware Cloud VC).]
You can initially deploy an SDDC on VMware Cloud on AWS with a minimum of three hosts and you can later expand it to 16 hosts. Each additional host adds a significant amount of resources to the cluster. The initial hosts run both the management and tenant virtual machines, similarly to VMware Validated Design for Consolidated SDDC. The SDDC on VMware Cloud on AWS must always have enough resources for the operation of the management virtual machines. For information on resource pool configuration and resource reservation in the initial cluster, see Resource Reservation Design.
Table 3-1. Resources Consumed by the Management Components on the Initial Three-Host Cluster
Resource    Used      Free
CPU         9 GHz     240 GHz
Memory      212 GB    1.3 TB
Storage     5.5 TB    25.5 TB
The on-premises and cloud units of the hybrid SDDC support maintenance operations in different ways.
- VMware Validated Design for Software-Defined Data Center defines a minimum of four ESXi hosts in the on-premises management cluster. Allocating four ESXi hosts provides full redundancy in the cluster.
- During maintenance operations in VMware Cloud on AWS environments, to provide enough capacity and redundancy for the update, VMware Cloud on AWS temporarily adds another host to the SDDC. VMware vSphere® vMotion™ and DRS activities occur to facilitate the update. During this time, your workloads and other resources function as usual. Permanently adding hosts to the initial cluster is not required.
Table 3-2. Design Decisions on the Initial Configuration of the SDDC on VMware Cloud on AWS
Decision ID: SDDC-VMC-PHY-001
Design Decision: Deploy the SDDC on VMware Cloud on AWS in an AWS Region that has the lowest latency to your on-premises infrastructure while meeting all other business requirements.
Design Justification: Having all infrastructure closely or centrally located provides an optimal user experience. However, make sure that this setup is not at the expense of laws or infrastructure features.
Design Implication: While most AWS locations have the same pricing model, slight variations exist. These variations might change the overall service cost if the closest AWS region does not meet the requirements of your organization.
Decision ID: SDDC-VMC-PHY-002
Design Decision: Deploy the SDDC on VMware Cloud on AWS with three hosts.
Design Justification: Using the initial minimum cluster size still provides a significant amount of resources to tenant workloads. You can easily extend clusters on demand. You can use single-host clusters for evaluation purposes, but they are not suitable for use in production.
Design Implication: The resources provided by three hosts might not be initially needed and therefore potentially wasted. Smaller clusters are not supported for production workloads.
Scaling Out an SDDC on VMware Cloud on AWS
While you can scale out the initial cluster, you can also add clusters to the SDDC. According to the operational and business requirements of your organization, you can use these additional clusters for other categories of service or environments, such as development or staging environments.
Before adding hosts to the initial cluster, size the cluster correctly by considering the number, size, and use of the tenant workloads you plan to provision.
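A capacity check for the sizing step above, added here as an example and not VMware's sizing tool. It derives the usable capacity of one host from Table 3-1 (used plus free on the three-host cluster, divided by three, assumed to scale linearly), applies the 3 to 16 host bounds of this design, and reports which resource drives the host count; the workload figures are constructed.

```python
"""Minimum host count for the SDDC cluster on VMware Cloud on AWS.

Added example, not a VMware sizing tool. Per-host capacity is derived from
Table 3-1 on this page (used plus free on the initial three-host cluster,
divided by three) and is assumed to scale linearly with the host count.
The workload figures are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional

MIN_HOSTS, MAX_HOSTS = 3, 16  # cluster bounds stated on this page


@dataclass(frozen=True)
class Capacity:
    cpu_ghz: float
    mem_gb: float
    storage_tb: float

    def __add__(self, other: "Capacity") -> "Capacity":
        return Capacity(self.cpu_ghz + other.cpu_ghz,
                        self.mem_gb + other.mem_gb,
                        self.storage_tb + other.storage_tb)

    def scale(self, factor: float) -> "Capacity":
        return Capacity(self.cpu_ghz * factor, self.mem_gb * factor,
                        self.storage_tb * factor)

    def holds(self, demand: "Capacity") -> bool:
        """True when every dimension of the demand fits inside this capacity."""
        return (demand.cpu_ghz <= self.cpu_ghz and demand.mem_gb <= self.mem_gb
                and demand.storage_tb <= self.storage_tb)


# Table 3-1: resources consumed by the management components (1.3 TB taken as 1300 GB).
MGMT_USED = Capacity(cpu_ghz=9.0, mem_gb=212.0, storage_tb=5.5)
# Usable capacity of one host = (used + free from Table 3-1) / 3. Storage is
# well below the 16 TB raw NVMe per host because the table already reflects
# what the vSAN datastore exposes.
PER_HOST = Capacity(cpu_ghz=(9 + 240) / 3, mem_gb=(212 + 1300) / 3,
                    storage_tb=(5.5 + 25.5) / 3)


def hosts_required(workloads: List[Capacity], headroom: float = 0.2,
                   per_host: Capacity = PER_HOST) -> Optional[int]:
    """Smallest host count in [MIN_HOSTS, MAX_HOSTS] whose usable capacity,
    reduced by the headroom fraction, holds the management components plus all
    workloads. Returns None when even MAX_HOSTS is not enough, which means a
    second cluster is needed. No permanent spare host is added: during updates
    VMware Cloud on AWS temporarily adds a host itself (see above)."""
    if not 0 <= headroom < 1:
        raise ValueError("headroom must be a fraction in [0, 1)")
    demand = sum(workloads, MGMT_USED)
    for n in range(MIN_HOSTS, MAX_HOSTS + 1):
        if per_host.scale(n * (1 - headroom)).holds(demand):
            return n
    return None


def limiting_resource(workloads: List[Capacity], headroom: float = 0.2,
                      per_host: Capacity = PER_HOST) -> str:
    """Name of the dimension that needs the most hosts; when it is storage, an
    additional cluster on EBS-backed R5.metal hosts (see above) may fit better
    than adding i3.metal hosts to the initial cluster."""
    demand = sum(workloads, MGMT_USED)
    usable = per_host.scale(1 - headroom)
    ratios = {"cpu": demand.cpu_ghz / usable.cpu_ghz,
              "memory": demand.mem_gb / usable.mem_gb,
              "storage": demand.storage_tb / usable.storage_tb}
    return max(ratios, key=ratios.get)


# Constructed sample: 50 general-purpose VMs of 2 GHz, 8 GB and 200 GB each.
SAMPLE_WORKLOADS = [Capacity(2.0, 8.0, 0.2)] * 50

if __name__ == "__main__":
    print(hosts_required(SAMPLE_WORKLOADS), limiting_resource(SAMPLE_WORKLOADS))
```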
Physical Networking Design of the SDDC Infrastructure on VMware Cloud on AWS
To begin using VMware Cloud on AWS to run workloads as Region C in your SDDC, you must set up network connections between your on-premises data centers and the SDDC on VMware Cloud on AWS. This network can include a dedicated connection over AWS Direct Connect, an IPSec VPN, or both.
Network Design Fundamentals
VMware Cloud on AWS uses VMware NSX-T™ Data Center to create and manage internal SDDC networks and provide endpoints for VPN connections from your on-premises network infrastructure.
SDDC Network Topology
When fully configured, an SDDC on VMware Cloud on AWS includes two internal networks: a management network for hosts and management appliances, and a compute network for workload VMs. A Tier 0 NSX Edge appliance sits between your on-premises networks and your VMware Cloud on AWS SDDC networks, and routes traffic to either the management network or the compute network as appropriate.
Tier 0 Edge Appliance: All traffic between your on-premises networks and the SDDC on VMware Cloud on AWS passes through this appliance. Compute gateway firewall rules, which control access to workload VMs, are applied on its uplink interfaces.
Management Gateway (MGW): The MGW is an NSX Edge security gateway that provides north-south network connectivity for the vCenter Server and other management VMs running in the VMware Cloud on AWS SDDC. During the SDDC creation, the Internet-facing IP address (Public IP #1) is automatically assigned from the pool of AWS public IP addresses. When you create the SDDC on VMware Cloud on AWS, configure the management subnet with a range of IP addresses (CIDR block) that can support the number of ESXi hosts in the SDDC. If you do not configure a range during the SDDC creation, the system uses a default of 10.2.0.0/16.
Compute Gateway (CGW): The CGW provides north-south network connectivity for virtual machines running in the SDDC on VMware Cloud on AWS. In a single-node SDDC, VMware Cloud on AWS creates a default logical network segment (CIDR block 192.168.1.0/24) to provide networking for these VMs. You can create additional logical networks on the Networking & Security tab.
AWS Direct Connect
The AWS Direct Connect (DX) service provides a dedicated high-speed, low-latency connection between your on-premises data center and your AWS VPC. You can use DX alone or with a VPN.
DX is used over a private virtual interface (VIF) to carry workload and management traffic, including VPN and vSphere vMotion traffic, between your on-premises data center and your connected VPC. Use DX over a public VIF to connect to AWS public endpoints, such as EC2 and S3.
You can use a DX connection over a private VIF for all traffic between your on-premises data center and your SDDC on VMware Cloud on AWS. The connection terminates in your connected Amazon VPC, provides a private IP address space, and uses BGP to advertise routes in your SDDC and learn routes in your on-premises data center.
A DX connection over a public VIF is typically used only for traffic between your on-premises data center and public AWS services, which you cannot access over a private VIF. The connection terminates at the AWS region level in the region occupied by your connected Amazon VPC and uses BGP to advertise AWS global routes.
The use of Direct Connect is beneficial, but not required for the Hybrid Cloud functionality, and is therefore optional for this VMware Validated Design. Even if a Direct Connect is established, a VPN is still necessary to complete the traffic flow between the VMware Cloud on AWS and on-premises SDDC infrastructure.
VPN Design
To route management traffic between your VMware Cloud on AWS and on-premises SDDC infrastructure, you must establish a VPN connection to each on-premises region.
VMware Cloud on AWS offers two different types of VPNs for management traffic, route-based or policy-based.
- A route-based VPN creates an IPsec tunnel interface and routes traffic through it as dictated by the routing table on the VMware Cloud on AWS SDDC. A route-based VPN provides resilient and secure access to multiple subnets. When you use a route-based VPN, new routes are added automatically when new networks are created.
Route-based VPNs in a VMware Cloud on AWS SDDC use the IPsec protocol to secure traffic and the Border Gateway Protocol (BGP) to discover and propagate routes when networks are created. To create a route-based VPN, you configure BGP information for the VMware Cloud on AWS SDDC and on-premises endpoints, and specify tunnel security parameters for the VMware Cloud on AWS SDDC end of the tunnel.
- A policy-based VPN creates an IPsec tunnel and a policy that specifies how traffic uses it. When you use a policy-based VPN, you must update the routing tables on both ends of the network when new routes are added.
Policy-based VPNs in a VMware Cloud on AWS SDDC use the IPsec protocol to secure traffic. To create a policy-based VPN, you first configure the VMware Cloud on AWS SDDC endpoint, then you configure a matching remote on-premises endpoint. Because each policy-based VPN must create an IPsec security association for each network, a network administrator must update the routing information on-premises and in the VMware Cloud on AWS SDDC whenever a new policy-based VPN is created. A policy-based VPN can be an appropriate choice when you have only a few networks on either end of the VPN, or if your on-premises network hardware does not support BGP, which is required for route-based VPNs.
Figure 3-2. VPN Overview
[Diagram: Region A and Region B each contain a Management Cluster and a Shared Edge and Compute Cluster on ESXi hosts, with a Management vCenter Server, a Compute vCenter Server and the vCenter Cloud Gateway. An external connection links them to the SDDC on VMware Cloud on AWS (Region C), which runs the VMware Cloud vCenter Server on ESXi hosts and uses the 10.2.0.0/16 infrastructure subnet.]
In this design, a VPN is required between the management cluster in each on-premises region (Region A and Region B) and the SDDC on VMware Cloud on AWS (Region C), however the on-premises termination locations are not enforced. Use NSX ESGs as the on-premises terminating devices, because you can place them in the on-premises SDDC infrastructure. This configuration provides a simple and secure location without complicating other parts of the enterprise network.
Table 3-3. Design Decisions on VPN Configuration
Decision ID: SDDC-VMC-NET-001
Design Decision: Create a policy-based management VPN between the Management Gateway on the VMware Cloud on AWS SDDC and the Region-A and Region-B management environments.
Design Justification: BGP is not supported over NSX IPsec VPN tunnels.
Design Implication: In some environments, it might be preferable to terminate the VPNs outside the on-premises SDDC environments where BGP is available.
Decision ID: SDDC-VMC-NET-002
Design Decision: If using NSX for management VPN termination, configure a highly available pair of NSX Edge service gateways (ESGs) in each of the edge clusters.
Design Justification: VPNs between the VMware Cloud on AWS and on-premises SDDC infrastructure must be able to exchange routing information.
Design Implication: Adds resource overhead.
Decision ID: SDDC-VMC-NET-003
Design Decision: If using NSX for management VPN termination, configure the ESG HA heartbeat timeout to 5 seconds.
Design Justification: Using a longer heartbeat timeout might result in a longer than desired outage of communication between on-premises and VMware Cloud on AWS workloads.
Design Implication: Configuring a heartbeat timeout that is too short might result in a premature failover that can increase or extend an outage.
Consider the difference in the property names in the VPN configuration of the VPN-enabled NSX ESGs and of the SDDC on VMware Cloud on AWS.
Table 3-4. Mapping VPN Parameters Between the User Interface of NSX for vSphere and VMC Console
NSX Property Name           VMC Console Property Name
Name                        VPN Name
Peer ID                     On-prem Gateway IP
Peer Endpoint               On-prem Gateway IP
Peer Subnets                On-prem Network
Local ID                    Uplink SNAT (not a user-entered value)
Local Endpoint              Uplink IP (not a user-entered value)
Local Subnets               Local Network
Encryption Algorithm        Encryption
Perfect Forward Secrecy     Perfect Forward Secrecy
Authentication              PSK (not configurable)
Diffie Hellman Group        Diffie Hellman
Pre-Shared Key              Pre-Shared Key
Enabled                     True (not configurable)
Figure 3-3. VPN Design for a Region in the On-Premises SDDC
[Diagram: the Shared Edge and Compute Cluster hosts ECMP ESGs connected through ToR switches to the Internet/enterprise network, the transit networks (192.168.11.0/24), the Universal Distributed Logical Router, an ESG load balancer and the Mgmt-VPN ESGs. Management applications sit on Mgmt-xRegion01-VXLAN (vRealize Automation, vRealize Operations Manager, vRealize Business for Cloud, vCenter Cloud Gateway) and on Mgmt-RegionA01-VXLAN (192.168.31.0/24: vRealize Log Insight, vRealize Suite Lifecycle Manager, vRealize Operations collector, vRealize Automation proxy, VMware Update Manager Download Service, vRealize Business collector). Legend: Mgmt-Management, Compute-Management and Edge-Management; the MGMT VPN ESGs terminate the management VPN.]
Figure 3-4. VPN Design for Both Regions in the On-Premises SDDC
(Diagram: the same layout as Figure 3-3 repeated for Region A and Region B. Each region has its own ECMP ESGs, ToR switches, Internet/Enterprise network connection, shared edge and compute cluster with MGMT VPN ESGs, Universal Distributed Logical Router, ESG load balancer and management applications. Region A uses Mgmt-xRegion01-VXLAN (192.168.11.0/24) and Mgmt-RegionA01-VXLAN (192.168.31.0/24); Region B uses Mgmt-xRegion01-VXLAN (192.168.11.0/24) and Mgmt-RegionB01-VXLAN (192.168.32.0/24). Failover components are marked. Legend: Mgmt-Management, Compute-Management, Transit Networks, Management Application.)
To have traffic flowing between the VMware Cloud on AWS SDDC management networks and your on-premises management networks, you must populate the management VPN connections with the infrastructure subnet on the VMware Cloud on AWS SDDC, any custom network segments on the VMware Cloud on AWS SDDC, and the on-premises management networks. These networks are populated within the configuration of each side of the VPN tunnel as either local or remote networks. Also, adding the vSphere vMotion networks allows cold vSphere vMotion operations.
Table 3-5. Management Network Configuration for VPN Connection

VPN Source: VMware Cloud on AWS SDDC
VPN Destination: Region A
Remote Networks: 172.16.11.0/24, 172.16.12.0/24, 172.16.31.0/24, 172.16.32.0/24, 192.168.11.0/24, 192.168.31.0/24
Local Networks: Infrastructure Subnet (10.2.0.0/16), Standalone Subnets, Routed Subnets

VPN Source: VMware Cloud on AWS SDDC
VPN Destination: Region B
Remote Networks: 172.17.11.0/24, 172.17.12.0/24, 172.17.31.0/24, 172.17.32.0/24, 192.168.11.0/24, 192.168.32.0/24
Local Networks: Infrastructure Subnet (10.2.0.0/16), Standalone Subnets, Routed Subnets

VPN Source: Region A
VPN Destination: VMware Cloud on AWS SDDC
Remote Networks: Infrastructure Subnet (10.2.0.0/16), Standalone Subnets, Routed Subnets
Local Networks: 172.16.11.0/24, 172.16.12.0/24, 172.16.31.0/24, 172.16.32.0/24, 192.168.11.0/24, 192.168.31.0/24

VPN Source: Region B
VPN Destination: VMware Cloud on AWS SDDC
Remote Networks: Infrastructure Subnet (10.2.0.0/16), Standalone Subnets, Routed Subnets
Local Networks: 172.17.11.0/24, 172.17.12.0/24, 172.17.31.0/24, 172.17.32.0/24, 192.168.11.0/24, 192.168.32.0/24
Table 3-6. Design Decisions on VPN Endpoint Configuration

SDDC-VMC-NET-004
Design Decision: Add all networks for management and vSphere vMotion in the on-premises and VMware Cloud on AWS SDDCs to each VPN endpoint configuration.
Design Justification: To have operations running in both on-premises and VMware Cloud on AWS SDDC infrastructure, traffic between all management subnets must be routed.
Design Implication: Having management networks routable over a VPN might bring in security considerations in some organizations.
Firewall Rules Design

The management gateway on the VMware Cloud on AWS SDDC is configured with a firewall that blocks all inbound connections to the management network on the VMware Cloud on AWS SDDC. This configuration ensures the security and integrity of the management interfaces on VMware Cloud on AWS, such as vCenter Server and ESXi. The firewall has limited configuration options for existing management interfaces, but some connections can be allowed.

When you create an SDDC on VMware Cloud on AWS, the management gateway firewall has the following rules.
Table 3-7. Default Management Gateway Firewall Rules

Rule Name | Source | Destination | Services | Action
vCenter Outbound Rule | vCenter | Any | Any | Allow
ESXi Outbound Rule | ESXi | Any | Any | Allow
Default Deny All | Any | Any | Any | Block
To allow the SDDC on VMware Cloud on AWS to connect to your on-premises management domain, you must change the default firewall policy. To simplify the firewall rule management, you can create groups of IP addresses and subnets.
Table 3-8. Design Decisions on Management Gateway Firewall Configurations

SDDC-VMC-NET-005
Design Decision: Configure the management gateway firewall to allow access from the on-premises management subnet to the vCenter Server, ESXi, and NSX Manager instances on the VMware Cloud on AWS SDDC.
Design Justification: The hybrid functionality requires changes on the firewall.
Design Implication: Changing the default firewall rules increases the security boundary from which the SDDC on VMware Cloud on AWS can be accessed.

SDDC-VMC-NET-006
Design Decision: Configure the local on-premises SDDC management subnets as groups.
Design Justification: Using groups simplifies the firewall rule management.
Design Implication: None.
To simplify the firewall rule management, you add the following groups.
Table 3-9. Inventory Groups

Name | Member Type | Members
SFO01Nets | IP Address | 172.16.11.0/24, 172.16.12.0/24, 172.16.31.0/24, 172.16.32.0/24, 192.168.11.0/24, 192.168.31.0/24
LAX01Nets | IP Address | 172.17.11.0/24, 172.17.12.0/24, 172.17.31.0/24, 172.17.32.0/24, 192.168.11.0/24, 192.168.32.0/24

To allow the hybrid functionality, you must add the following management gateway firewall rules to the default outbound rules that are configured when the SDDC infrastructure is created on VMware Cloud on AWS.
Table 3-10. Additional Management Gateway Firewall Rules

Name | Source | Destination | Services | Action
SFO01M01 ESXi Rule | SFO01Nets | ESXi | Provisioning & Remote Console (TCP 902), vSphere vMotion (TCP 8000), ICMP (ALL ICMP), HTTPS (TCP 443) | Allow
SFO01M01 vCenter Rule | SFO01Nets | vCenter | ICMP (ALL ICMP), SSO (TCP 7444), HTTPS (TCP 443) | Allow
SFO01 NSX Rule | SFO01Nets | NSX | HTTPS (TCP 443) | Allow
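The following script is an added example and not VMware code. It models the management gateway policy of Tables 3-7 to 3-10 as an ordered rule list with first-match semantics and the Default Deny All rule last, so you can check before a change which on-premises flows the policy admits. The inventory groups and rule names are taken from the tables; the addresses of the vCenter, ESXi and NSX management objects inside the 10.2.0.0/16 infrastructure subnet are constructed placeholders, and the rules are kept exactly as listed (only SFO01Nets is referenced), which is why a Region B source is denied in the sample run.

```python
"""Evaluator for the management gateway firewall policy of Tables 3-7 to 3-10.

Added example, not VMware's code. Rules are matched top to bottom, first
match wins, and the trailing "Default Deny All" rule blocks everything that
no earlier rule allowed. The management object addresses are constructed
placeholders inside the 10.2.0.0/16 infrastructure subnet.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ANY = "Any"

# Inventory groups from Table 3-9.
GROUPS = {
    "SFO01Nets": ["172.16.11.0/24", "172.16.12.0/24", "172.16.31.0/24",
                  "172.16.32.0/24", "192.168.11.0/24", "192.168.31.0/24"],
    "LAX01Nets": ["172.17.11.0/24", "172.17.12.0/24", "172.17.31.0/24",
                  "172.17.32.0/24", "192.168.11.0/24", "192.168.32.0/24"],
}

# Constructed addresses for the management objects (assumption for this example).
MGMT_OBJECTS = {
    "vCenter": {"10.2.0.10"},
    "ESXi": {"10.2.0.21", "10.2.0.22", "10.2.0.23"},
    "NSX": {"10.2.0.30"},
}

Service = Tuple[str, Optional[int]]   # ("tcp", 443), or ("icmp", None) for all ICMP


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                              # group, management object, or "Any"
    destination: str
    services: Optional[FrozenSet[Service]]   # None means "Any"
    action: str                              # "Allow" or "Block"


def _endpoint_matches(spec: str, ip: str) -> bool:
    if spec == ANY:
        return True
    if spec in MGMT_OBJECTS:
        return ip in MGMT_OBJECTS[spec]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in GROUPS[spec])


def _service_matches(spec, proto: str, port: Optional[int]) -> bool:
    if spec is None:
        return True
    if proto == "icmp":
        return ("icmp", None) in spec
    return (proto, port) in spec


def evaluate(rules, src_ip: str, dst_ip: str, proto: str, port: Optional[int] = None):
    """Return (action, rule_name) of the first rule that matches the flow."""
    for rule in rules:
        if (_endpoint_matches(rule.source, src_ip)
                and _endpoint_matches(rule.destination, dst_ip)
                and _service_matches(rule.services, proto, port)):
            return rule.action, rule.name
    raise ValueError("policy has no catch-all rule")


def svc(*items: Service) -> FrozenSet[Service]:
    return frozenset(items)


# Default rules (Table 3-7) followed by the additional rules (Table 3-10);
# the Default Deny All rule stays last.
MGW_RULES = [
    Rule("vCenter Outbound Rule", "vCenter", ANY, None, "Allow"),
    Rule("ESXi Outbound Rule", "ESXi", ANY, None, "Allow"),
    Rule("SFO01M01 ESXi Rule", "SFO01Nets", "ESXi",
         svc(("tcp", 902), ("tcp", 8000), ("icmp", None), ("tcp", 443)), "Allow"),
    Rule("SFO01M01 vCenter Rule", "SFO01Nets", "vCenter",
         svc(("icmp", None), ("tcp", 7444), ("tcp", 443)), "Allow"),
    Rule("SFO01 NSX Rule", "SFO01Nets", "NSX", svc(("tcp", 443)), "Allow"),
    Rule("Default Deny All", ANY, ANY, None, "Block"),
]

if __name__ == "__main__":
    flows = [
        ("172.16.11.50", "10.2.0.10", "tcp", 443),   # Region A management to vCenter HTTPS
        ("172.16.11.50", "10.2.0.10", "tcp", 22),    # SSH to vCenter is not in any rule
        ("172.17.11.50", "10.2.0.10", "tcp", 443),   # Region B source: no rule in Table 3-10
        ("10.2.0.10", "172.16.11.5", "tcp", 443),    # vCenter outbound
    ]
    for flow in flows:
        print(flow, "->", evaluate(MGW_RULES, *flow))
```

Because the catch-all is evaluated last, every service you do not list explicitly stays blocked; extending the policy means adding a narrowly scoped rule above it rather than widening an existing one.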
Name Resolution Design

Specifying a DNS server allows the gateway to resolve fully-qualified domain names (FQDNs) to IP addresses on the network.

The management gateway on the VMware Cloud on AWS SDDC must be configured to resolve the on-premises FQDNs.
Table 3-11. Design Decisions on the Management Gateway DNS Configuration

SDDC-VMC-NET-007
Design Decision: Configure the management gateway DNS server IP address to forward name resolution to the on-premises DNS servers.
Design Justification: Without the on-premises DNS resolution, vCenter Cloud Gateway is unable to link the two environments. See Table 3-13. Design Decisions on the vCenter Cloud Gateway Deployment.
Design Implication: None.

The compute gateway on the VMware Cloud on AWS SDDC can be configured to resolve up to five specific domains by configuring a domain name server for each.
Network Segment Design

Network segments are logical networks for use by workload VMs in the Compute-ResourcePool of the SDDC on VMware Cloud on AWS.
VMware Cloud on AWS supports three types of logical network segments: routed, extended, and disconnected.

- A routed network segment (the default type) has connectivity to other logical networks in the SDDC on VMware Cloud on AWS, and to external networks through the SDDC firewall.
- An extended network segment extends an existing L2VPN tunnel, providing a single IP address space that spans the VMware Cloud on AWS SDDC and an on-premises network.
- A disconnected network segment has no uplink and provides an isolated network accessible only to VMs connected to it. Disconnected segments are created when needed by HCX. You can also create disconnected network segments and can convert them to other segment types.

SDDCs on VMware Cloud on AWS do not contain a default network segment, so you must create at least one for your workload VMs. You can use the VMC Console to create network segments or delete network segments that are no longer in use.

When you create a network segment, ensure that it does not overlap your management network or any of the subnets in your connected Amazon VPC.
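The following checks are an added example and not VMware code; they cover both the VPN endpoint configuration of Table 3-5 and the overlap rule for new network segments stated above. The first check confirms that each network listed as local on one VPN endpoint appears as remote on the peer, since a subnet missing from either side is simply not selected into the policy-based tunnel. The second check rejects a proposed segment that overlaps the infrastructure subnet, the connected Amazon VPC, or, going slightly beyond the text, the on-premises management networks that are reachable over the same VPN. The management networks and the 10.2.0.0/16 infrastructure subnet come from Table 3-5; the concrete Standalone and Routed Subnets and the VPC CIDR are constructed values, because the table shows them only as placeholders.

```python
"""Pre-flight checks for the management VPN network lists of Table 3-5 and for
the network segment overlap rule of the Network Segment Design section.

Added example, not VMware's code. The Standalone and Routed Subnets appear
in Table 3-5 only as placeholders, so the VMC_SEGMENTS values and the
connected Amazon VPC CIDR below are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Tuple

INFRASTRUCTURE_SUBNET = "10.2.0.0/16"   # from Table 3-5

# On-premises management networks per region, from Table 3-5.
REGION_A_MGMT = ["172.16.11.0/24", "172.16.12.0/24", "172.16.31.0/24",
                 "172.16.32.0/24", "192.168.11.0/24", "192.168.31.0/24"]
REGION_B_MGMT = ["172.17.11.0/24", "172.17.12.0/24", "172.17.31.0/24",
                 "172.17.32.0/24", "192.168.11.0/24", "192.168.32.0/24"]

# Constructed stand-ins for the Standalone and Routed Subnets on the SDDC.
VMC_SEGMENTS = ["192.168.100.0/24", "192.168.101.0/24"]
# Constructed CIDR of the connected Amazon VPC (assumption).
CONNECTED_VPC = "10.100.0.0/16"


def _nets(cidrs: List[str]) -> List[ipaddress.IPv4Network]:
    # strict=True rejects a CIDR with host bits set (for example 192.168.11.1/24),
    # a typo that a VPN endpoint would otherwise silently normalise.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def vpn_endpoints(region_mgmt: List[str]) -> Tuple[Dict, Dict]:
    """Return the (VMC side, on-premises side) of one policy-based VPN, each as
    {"local": [...], "remote": [...]} the way Table 3-5 lays the rows out."""
    vmc_side = _nets([INFRASTRUCTURE_SUBNET] + VMC_SEGMENTS)
    onprem_side = _nets(region_mgmt)
    return ({"local": vmc_side, "remote": onprem_side},
            {"local": onprem_side, "remote": vmc_side})


def mirror_mismatches(end_a: Dict, end_b: Dict) -> List[str]:
    """Networks listed as local on one endpoint but absent from the peer's
    remote list (or vice versa); traffic for them never enters the tunnel."""
    diff = set(end_a["local"]) ^ set(end_b["remote"])
    diff |= set(end_b["local"]) ^ set(end_a["remote"])
    return sorted(str(n) for n in diff)


def reserved_networks() -> List[str]:
    """Networks a new segment must not overlap, de-duplicated (192.168.11.0/24
    is shared by both regions)."""
    combined = [INFRASTRUCTURE_SUBNET, CONNECTED_VPC] + REGION_A_MGMT + REGION_B_MGMT
    return list(dict.fromkeys(combined))


def segment_overlaps(segments: List[str], reserved: List[str]) -> List[Tuple[str, str]]:
    """(segment, reserved network) pairs for every overlap found."""
    return [(str(seg), str(res))
            for seg in _nets(segments)
            for res in _nets(reserved)
            if seg.overlaps(res)]


if __name__ == "__main__":
    for name, mgmt in (("Region A", REGION_A_MGMT), ("Region B", REGION_B_MGMT)):
        vmc, onprem = vpn_endpoints(mgmt)
        print(name, "VPN mismatches:", mirror_mismatches(vmc, onprem))
    print("segment overlaps:", segment_overlaps(VMC_SEGMENTS, reserved_networks()))
    # A proposed segment carved out of the infrastructure subnet is rejected.
    print("bad segment:", segment_overlaps(["10.2.5.0/24"], reserved_networks()))
```

Run the overlap check against every CIDR you intend to add as a segment before creating it in the VMC Console; an overlap found afterwards means re-addressing workloads that are already attached.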
Virtual Infrastructure Design for Extending the SDDC to VMware Cloud on AWS

This virtual design includes design decision details for the physical properties of the SDDC on VMware Cloud on AWS implementation as Region C in this design.

- Hybrid Linked Mode Design
  You configure Hybrid Linked Mode to link the vCenter Server instance on your VMware Cloud on AWS SDDC with your on-premises vCenter Single Sign-On domain.
- Resource Reservation Design
  When you deploy an SDDC on VMware Cloud on AWS, the configuration of the initial cluster includes reserving resources for the management workloads so that capacity for SDDC infrastructure management is always available.

Hybrid Linked Mode Design

You configure Hybrid Linked Mode to link the vCenter Server instance on your VMware Cloud on AWS SDDC with your on-premises vCenter Single Sign-On domain.

Shared vCenter Single Sign-On Domain

When you link a vCenter Server instance on VMware Cloud on AWS to a workload domain where multiple vCenter Server instances are connected in Enhanced Linked Mode, all those instances are linked to the SDDC on VMware Cloud on AWS.
By using Hybrid Linked Mode, you can:
- View and manage the inventories of both your on-premises and VMware Cloud on AWS data centers from a single vSphere Client interface by using your on-premises credentials.
- Migrate workloads between your on-premises and VMware Cloud on AWS data centers.
- Share tags and tag categories from your on-premises to your VMware Cloud on AWS vCenter Server instance.
Figure 3-5. Design of a Shared vCenter Single Sign-On Domain
(Diagram: Region A (SFO) and Region B (LAX) each contain a Platform Services Controller appliance, a Management vCenter Server appliance, a Compute vCenter Server appliance and an NSX Edge load balancer, all within one shared vCenter Single Sign-On domain. Region C (VMC) joins the domain through the vCenter Cloud Gateway in SFO, which connects to the VMware Cloud vCenter Server.)

vCenter Cloud Gateway

To enable Hybrid Linked Mode, the vCenter Server instance on VMware Cloud on AWS must be able to communicate with all the on-premises vCenter Server instances in Region A and Region B. To exchange authentication and management functions between the VMware Cloud on AWS and the on-premises vCenter Server instances, you deploy a vCenter Cloud Gateway (VCG) appliance. For seamless authentication, you join the VCG appliance to the existing on-premises vCenter Single Sign-On domain. This configuration spans the vCenter Single Sign-On domain between both on-premises and VMware Cloud on AWS vCenter Server instances.
Provide the compute and storage resources for the operation of the vCenter Cloud Gateway appliance.
Table 3-12. Minimum Hardware Requirements for the vCenter Cloud Gateway Appliance

Hardware | Minimum required
CPUs | 8
Memory | 24 GB
Storage | 190 GB
Table 3-13. Design Decisions on the vCenter Cloud Gateway Deployment

SDDC-VMC-VI-001
Design Decision: Deploy the vCenter Cloud Gateway appliance in the management cluster in Region A.
Design Justification: Managing separate vCenter Single Sign-On domains limits the capabilities of the hybrid cloud.
Design Implication: Additional on-premises resources are required for the appliance.

SDDC-VMC-VI-002
Design Decision: Deploy the vCenter Cloud Gateway on the management VLAN.
Design Justification: The vCenter Cloud Gateway does not support VXLAN.
Design Implication: If an outage occurs, you must deploy the appliance again. You cannot fail it over to the recovery region of the on-premises SDDC.
Resource Reservation Design

When you deploy an SDDC on VMware Cloud on AWS, the configuration of the initial cluster includes reserving resources for the management workloads so that capacity for SDDC infrastructure management is always available.

The initial cluster of the VMware Cloud on AWS SDDC runs both the management applications and provisioned tenant workloads.

Because the SDDC must remain operational even if resource contention occurs, VMware Cloud on AWS reserves resources in the cluster for the management components when it deploys the SDDC, by creating resource pools. The initial cluster contains two resource pools, Mgmt-ResourcePool and Compute-ResourcePool, and the reservations are set on the management resource pool.

VMware Cloud on AWS assigns the Management Storage Policy to all management virtual machines. To guarantee that the management virtual machines always receive all required storage resources, the object space reservation property of the Management Storage Policy is set to thick provisioning.
Table 3-14. Reservations for the Management Components in the Initial Cluster

Resource | Reservation for the Management Resource Pool | Reservation for the Compute Resource Pool
CPU | 73.5 GHz (Expandable) | 0 GHz
Memory | 117 GB (Expandable) | 0 GB
Storage | 11.12 TB | 0 TB
Operations Management Design for Extending the SDDC to VMware Cloud on AWS

Operating a hybrid SDDC that consists of on-premises and VMware Cloud on AWS SDDC components can be performed by using the same management components as a standalone on-premises SDDC. You extend and integrate vRealize Operations Manager and vRealize Log Insight for seamless Day-2 operations of both environments.
- vRealize Operations Manager Design for the SDDC Infrastructure on VMware Cloud on AWS
  vRealize Operations Manager is the monitoring management component that exists in the on-premises SDDC infrastructure, and can also be extended across the management VPN to monitor the SDDC infrastructure on VMware Cloud on AWS. Because VMware Cloud on AWS is a solution hosted and managed by VMware, not all the metrics, events, and alerts are made available.
- vRealize Log Insight and Log Intelligence Design for the SDDC Infrastructure on VMware Cloud on AWS
  vRealize Log Insight is the logging management component that exists in the on-premises SDDC infrastructure. VMware Log Intelligence™ is the service that you can use to collect selected logs from your SDDC on VMware Cloud on AWS. To enable forwarding the logs from VMware Log Intelligence to the on-premises vRealize Log Insight instances, you must deploy a Cloud Proxy in each on-premises region.

vRealize Operations Manager Design for the SDDC Infrastructure on VMware Cloud on AWS

vRealize Operations Manager is the monitoring management component that exists in the on-premises SDDC infrastructure, and can also be extended across the management VPN to monitor the SDDC infrastructure on VMware Cloud on AWS. Because VMware Cloud on AWS is a solution hosted and managed by VMware, not all the metrics, events, and alerts are made available.

To configure monitoring of your SDDC on VMware Cloud on AWS by using vRealize Operations Manager, you connect to the vCenter Server instance on the VMware Cloud on AWS SDDC by using an adapter instance. The new adapter instance uses the existing default remote collector group in vRealize Operations Manager.
Figure 3-6. Logical Design for Extending Operations Management to VMware Cloud on AWS
(Diagram: in Region A, the vRealize Operations Manager analytics cluster (master, replica, data 1 to data n nodes on shared storage) sits behind an external load balancer, with access through the user interface, API and Suite API, management packs, and metric adapters for vCenter Server, NSX, vRealize Log Insight, vRealize Automation, vRealize Business, Site Recovery Manager and additional solutions. Region A and Region B each host a remote collector group (Remote Collector 1 and Remote Collector 2) with metric adapters for vCenter Server, NSX and vRealize Log Insight, on vSAN storage devices. Region C integrates through the vCenter Server on VMware Cloud on AWS.)
Figure 3-7. Network Design for Extending Operations Management to VMware Cloud on AWS
(Diagram: the Region A analytics cluster nodes vrops01svr01a, vrops01svr01b and vrops01svr01c on Mgmt-xRegion01-VXLAN behind the VIP vrops01svr01.rainpole.local and load balancer sfo01m01lb01; a placeholder disaster recovery analytics cluster with the same nodes and VIP in Region B behind lax01m01lb01; and an external connection to the infrastructure subnet of the SDDC on VMware Cloud on AWS (Region C), where the VMware Cloud vCenter Server and the ESXi hosts reside.)
Table 3-15. Design Decisions on Monitoring Configuration

SDDC-VMC-OPS-001
Design Decision: Add an adapter instance for the vCenter Server instance on the VMware Cloud on AWS SDDC.
Design Justification: For each monitored vCenter Server instance, you create an adapter instance for collection of analytics data.
Design Implication: None.

SDDC-VMC-OPS-002
Design Decision: Use the default remote collector group when adding the adapter instance for the vCenter Server instance on the VMware Cloud on AWS SDDC.
Design Justification: The region-specific collectors are not failed over if a disaster recovery occurs. By using the default collector group, the analytics cluster collects metrics for this adapter instance. Because the analytics cluster is failed over if a disaster recovery event occurs, the connection to the vCenter Server instance on the VMware Cloud on AWS SDDC remains open.
Design Implication: Small additional load on the analytics cluster.
vRealize Log Insight and Log Intelligence Design for the SDDC Infrastructure on VMware Cloud on AWS

vRealize Log Insight is the logging management component that exists in the on-premises SDDC infrastructure. VMware Log Intelligence™ is the service that you can use to collect selected logs from your SDDC on VMware Cloud on AWS. To enable forwarding the logs from VMware Log Intelligence to the on-premises vRealize Log Insight instances, you must deploy a Cloud Proxy in each on-premises region.

When logs are forwarded to another location, they must be tagged with a site code so that the log origin remains traceable. The tag also lets you create filters that prevent duplicate or circular logging.
Provide the compute and storage resources for the operation of the Cloud Proxy appliance.
Table 3-16. Resource Specification of the Cloud Proxy Appliance

Attribute | Specification
Number of CPUs | 4 vCPUs
Memory | 12 GB
Disk size | 1.4 GB Thin Provisioned; 80 GB Thick Provisioned
Table 3-17. Design Decisions on Logging Configuration

SDDC-VMC-LOG-001
Design Decision: Enable the VMware Log Intelligence service for your SDDC on VMware Cloud on AWS.
Design Justification: Log collection from VMware Cloud on AWS is not possible without VMware Log Intelligence.
Design Implication: None.

SDDC-VMC-LOG-002
Design Decision: Deploy a Cloud Proxy appliance in each on-premises management cluster.
Design Justification: A Cloud Proxy is required to forward logs from Log Intelligence to the on-premises SDDC.
Design Implication: You must allocate additional resources to run the Cloud Proxy appliance.

SDDC-VMC-LOG-003
Design Decision: Tag the logs from the VMware Cloud on AWS SDDC with site=VMC.
Design Justification: Tagging logs allows for site identification and log filtering.
Design Implication: None.

SDDC-VMC-LOG-004
Design Decision: Filter the vRealize Log Insight forwarding rules to exclude site=VMC.
Design Justification: Each region must receive its own copy of the logs from the VMware Cloud on AWS SDDC by using a region-specific Cloud Proxy appliance. If a disaster occurs, logs are still forwarded to the running part of the on-premises SDDC.
Design Implication: Duplication of logs exists in each vRealize Log Insight instance.
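The simulation below is an added example and not VMware's or vRealize Log Insight's code. It reproduces the reasoning behind SDDC-VMC-LOG-003 and SDDC-VMC-LOG-004: each region's vRealize Log Insight instance receives the VMware Cloud on AWS logs through its own Cloud Proxy, tagged site=VMC, and forwards its directly collected events to the peer region with a filter that excludes site=VMC. Running it with and without the filter shows why the filter is needed: without it, every VMC event is stored twice in each region. The log events are constructed, and the assumption that an instance forwards only the events it collected directly (not events it received by forwarding) is part of the example.

```python
"""Simulation of the log forwarding design in Table 3-17 (decisions
SDDC-VMC-LOG-003 and SDDC-VMC-LOG-004).

Added example, not VMware's or vRealize Log Insight's code. Each region's
vRealize Log Insight instance receives the VMware Cloud on AWS logs through
its own Cloud Proxy, tagged site=VMC, and forwards the events it collected
directly to the peer region. The events and the "forward only directly
collected events" assumption are constructed for this example.
"""
from collections import Counter
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events; the site tag follows decision SDDC-VMC-LOG-003.
SFO_LOCAL: List[Event] = [{"site": "SFO01", "msg": "host-a1 boot"},
                          {"site": "SFO01", "msg": "vcenter-a login"}]
LAX_LOCAL: List[Event] = [{"site": "LAX01", "msg": "host-b1 boot"}]
VMC_EVENTS: List[Event] = [{"site": "VMC", "msg": "vmc esxi vmotion"},
                           {"site": "VMC", "msg": "vmc vcenter task"}]


def forward_filter(event: Event, exclude_site: str = "VMC") -> bool:
    """Forwarding rule of SDDC-VMC-LOG-004: forward every event except those
    tagged with the excluded site, which the peer region already receives
    through its own Cloud Proxy."""
    return event.get("site") != exclude_site


def run(with_filter: bool = True) -> Tuple[List[Event], List[Event]]:
    """Return the event stores of Region A and Region B after forwarding."""
    collected_a = SFO_LOCAL + VMC_EVENTS   # local sources plus the Region A Cloud Proxy
    collected_b = LAX_LOCAL + VMC_EVENTS   # local sources plus the Region B Cloud Proxy
    accept = forward_filter if with_filter else (lambda e: True)
    # Each instance forwards only what it collected directly (assumption).
    region_a = collected_a + [e for e in collected_b if accept(e)]
    region_b = collected_b + [e for e in collected_a if accept(e)]
    return region_a, region_b


def duplicates(events: List[Event]) -> List[str]:
    """Messages stored more than once in a single instance."""
    counts = Counter(e["msg"] for e in events)
    return sorted(m for m, c in counts.items() if c > 1)


def site_counts(events: List[Event]) -> Dict[str, int]:
    """Number of stored events per site tag."""
    return dict(Counter(e["site"] for e in events))


if __name__ == "__main__":
    for flag in (True, False):
        region_a, region_b = run(with_filter=flag)
        print(f"filter={flag}: Region A {site_counts(region_a)} duplicates {duplicates(region_a)}")
        print(f"filter={flag}: Region B {site_counts(region_b)} duplicates {duplicates(region_b)}")
```

The site tag is what makes the filter possible at all, which is why SDDC-VMC-LOG-003 must be in place before the forwarding rule of SDDC-VMC-LOG-004 is meaningful.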
Figure 3-8. Log Forwarding Design
(Diagram: VMware Log Intelligence, part of VMware Cloud Services, collects logs over the external connection from the VMware Cloud vCenter Server and the ESXi hosts on the 10.2.0.0/16 infrastructure subnet of the SDDC on VMware Cloud on AWS (Region C). Log forwarding delivers them to a VMware Cloud Proxy in the management cluster of Region A and of Region B, each of which forwards to the local vRealize Log Insight instance; log forwarding also runs between the two regions.)
Cloud Management Design for Extending the SDDC to VMware Cloud on AWS

vRealize Automation is the management component in the on-premises SDDC infrastructure for deploying blueprints and applications. You can use your on-premises vRealize Automation deployment with your SDDC on VMware Cloud on AWS.

You can configure the SDDC on VMware Cloud on AWS as a deployment endpoint for vRealize Automation, so that all deployment actions take place over the management VPN. The configuration includes creating an infrastructure endpoint and a fabric group with the following details:
Table 3-18. Design Decisions on vRealize Automation Endpoints

SDDC-VMC-CMP-001
Design Decision: Create a vSphere endpoint to the SDDC on VMware Cloud on AWS.
Design Justification: vSphere endpoints and vCenter Server instances in each region have a one-to-one relationship. You use an endpoint for each region.
Design Implication: As you add more SDDCs on VMware Cloud on AWS as regions, you must add more vSphere endpoints.
Table 3-19. Configuration of the Infrastructure Endpoint for VMware Cloud on AWS

Setting | Value
vCenter Server URL | https://vcenter.sddc-xxx-xxx-xxx-xxx.vmwarevmc.com/sdk
Resource Pool | Compute-ResourcePool
Datastore | WorkloadDatastore
VM & Template Folder | Workloads
Network | Any isolated or routed network segment