
Wen Yu, Partner Solutions Architect (AWS); Aarthi Raju, Partner Solutions Architect (AWS)

LHC3375BUS

#VMworld #LHC3375BUS

VMware Cloud on AWS Hybrid Cloud Architectural Deep Dive: Networking and Storage Best Practices

VMworld 2017 Content: Not for publication or distribution

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.


Let’s Get On-boarded to VMware Cloud on AWS


Quick Refresher on AWS Account Structure

• VMware Cloud on AWS SDDC account

– Dedicated, single-tenant AWS account created for each customer on sign-up

– Owned, operated and paid by VMware

– Contains all of the ESXi hosts for a given deployment

• Customer AWS account

– Is owned, operated, and paid directly by the customer

– Can be an existing AWS account, or a new account created just for this purpose

– Private connectivity to the VMware Cloud SDDC is established using an Elastic Network Interface (ENI)

– Has full access to the entire catalog of native AWS services


Creating Your SDDC


4 Step Onboarding Process

1. Connect Customer AWS Account to the VMware Cloud on AWS SDDC Account

2. Define SDDC properties

3. Select VPC and Subnet to use in the Customer AWS account

4. Configure management network


Connection Workflow to Customer AWS Account

[Diagram: in the customer AWS account, a user launches an AWS CloudFormation template that creates a role with an AWS managed policy attached. A ‘cross-account’ role is created and VMW is granted access to assume this role using STS.]

Defining SDDC Properties


Selecting VPC and Subnet


Configuring Management Network


Details on Linked VPC


Key Things to Remember

• The cross-account role allows VMware to perform operations required to connect to your AWS VPC

• You have full control over this role

• You maintain access control of the transit path using standard AWS security practices (Security Groups, NACL, Flow Logs, etc.)

• You have the ability to audit the cross-account role using AWS CloudTrail
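As an added example (not from the deck), one way to act on the CloudTrail point above: scan exported CloudTrail records for AssumeRole calls against the cross-account role and flag any caller outside the account you expect. The role ARN, the account IDs and the sample records are constructed placeholders.

```python
import json

# Placeholders, not values from the deck: the cross-account role that CloudFormation
# created in the customer account, and the account VMware is expected to call from.
ROLE_ARN = "arn:aws:iam::111111111111:role/vmc-cross-account-role"
EXPECTED_ACCOUNTS = {"222222222222"}

# Constructed sample of exported CloudTrail records: one expected AssumeRole,
# one from an account that should never touch the role, one unrelated event.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-08-28T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSAccount", "accountId": "222222222222"},
     "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "vmc-sddc"}},
    {"eventTime": "2017-08-28T11:30:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSAccount", "accountId": "333333333333"},
     "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "unknown"}},
    {"eventTime": "2017-08-28T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111"}},
]})


def role_assumptions(trail_json, role_arn):
    """Every AssumeRole of role_arn as (eventTime, caller account, session name)."""
    found = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "sts.amazonaws.com":
            continue
        if rec.get("eventName") != "AssumeRole":
            continue
        params = rec.get("requestParameters") or {}
        if params.get("roleArn") != role_arn:
            continue
        caller = rec.get("userIdentity", {}).get("accountId")
        found.append((rec.get("eventTime"), caller, params.get("roleSessionName")))
    return found


def unexpected_callers(trail_json, role_arn, expected_accounts):
    """Assumptions of the role by any account outside expected_accounts."""
    return [a for a in role_assumptions(trail_json, role_arn)
            if a[1] not in expected_accounts]


if __name__ == "__main__":
    for when, account, session in unexpected_callers(SAMPLE_TRAIL, ROLE_ARN, EXPECTED_ACCOUNTS):
        print(f"{when}: {ROLE_ARN} assumed by unexpected account {account} (session {session})")
```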


Connecting to Your SDDC


Internet Connectivity to Management (MGW) and Compute Gateway (CGW)


L3VPN Connectivity to MGW and CGW


Architectural Deep Dive


Provision VMware Cloud VPC

[Diagram: the customer data center (a vSphere environment with ESXi hosts and a non-vSphere environment) and VMware Cloud on AWS (ESXi hosts, Amazon EC2, MGW & CGW)]

Establish Your L3VPN

[Diagram: the customer data center (vSphere environment with ESXi hosts, non-vSphere environment) connected over an L3 IPsec VPN to VMware Cloud on AWS (ESXi hosts, Amazon EC2, MGW & CGW)]

Connect to Your AWS VPC from On-prem

[Diagram: the customer data center (vSphere environment with ESXi hosts, non-vSphere environment) connected over an L3 IPsec VPN to VMware Cloud on AWS (MGW & CGW), and over AWS Direct Connect with a private VIF to the customer AWS account, whose VPC subnets host Amazon EC2]

Establish Connectivity to Your VPC

[Diagram: the customer data center connected over an L3 IPsec VPN to VMware Cloud on AWS (MGW & CGW) and over AWS Direct Connect with a private VIF to the customer AWS account; an elastic network interface links VMware Cloud on AWS to the VPC subnets and Amazon EC2 in the customer AWS account]

Network Path: VM to EC2

[Diagram: traffic from a VM in VMware Cloud on AWS leaves through the CGW and crosses the elastic network interface into the customer AWS account VPC subnet to reach Amazon EC2; the L3 IPsec VPN and AWS Direct Connect private VIF to the customer data center are also shown]

Network Path: VM – Internet Connectivity

[Diagram: the path from a VM in VMware Cloud on AWS through the CGW to the Internet; the customer AWS account VPC with its Internet Gateway (IGW), VPC subnets and Amazon EC2, the elastic network interface, the L3 IPsec VPN and the AWS Direct Connect private VIF are also shown]

Network Path: VM – Amazon S3

[Diagram: the path from a VM in VMware Cloud on AWS through the CGW, the elastic network interface and the customer VPC’s Internet Gateway (IGW) to Amazon S3; the VPC subnets with Amazon EC2, the L3 IPsec VPN and the AWS Direct Connect private VIF are also shown]

Network Path: VM to Amazon S3 Endpoints

[Diagram: the path from a VM in VMware Cloud on AWS through the CGW and the elastic network interface into the customer AWS account VPC, and from there to Amazon S3 through a VPC endpoint; the VPC subnets with Amazon EC2, the L3 IPsec VPN and the AWS Direct Connect private VIF are also shown]

Key Considerations

• Route tables for EC2 are updated by VMware to allow access to your logical networks

• Do not modify any interfaces that have the description ‘VMware Cloud on AWS’

• You have the option to use VPC Endpoints or an Internet Gateway for S3 connectivity

• An S3 VPC Endpoint requires configuration of both the IAM policy and the bucket policy

• Make sure you have the right Security Group rules configured
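An added example (not part of the deck) for the bucket-policy half of the S3 VPC endpoint point above: generate a bucket policy that denies any request not arriving through a given VPC endpoint, and check an existing policy for that restriction. The bucket name and endpoint id are placeholders.

```python
import json

BUCKET = "example-backup-bucket"     # placeholder bucket name
VPCE_ID = "vpce-0123456789abcdef0"   # placeholder VPC endpoint id


def endpoint_only_policy(bucket, vpce_id):
    """Bucket policy denying every S3 action unless the request came via vpce_id."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideEndpoint", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}}}]}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def restricts_to_endpoint(policy, bucket, vpce_id):
    """True if a Deny statement blocks all S3 actions on the bucket and its objects
    for any principal (literal "*" form) whose request did not arrive via vpce_id."""
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or st.get("Principal") != "*":
            continue
        if "s3:*" not in _as_list(st.get("Action", [])):
            continue
        if not wanted <= set(_as_list(st.get("Resource", []))):
            continue
        cond = st.get("Condition", {}).get("StringNotEquals", {})
        if vpce_id in _as_list(cond.get("aws:sourceVpce", [])):
            return True
    return False


# Allowing the endpoint is not the same as denying everything else: this policy
# still leaves any other path open to whatever IAM permissions already grant.
PERMISSIVE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*",
    "Condition": {"StringEquals": {"aws:sourceVpce": VPCE_ID}}}]}

if __name__ == "__main__":
    print(json.dumps(endpoint_only_policy(BUCKET, VPCE_ID), indent=2))
    print("permissive policy restricts:", restricts_to_endpoint(PERMISSIVE, BUCKET, VPCE_ID))
```

The Deny applies to every principal, including the account owner working from the console, so apply it to a test bucket first.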


Integrated Storage Services

• Block: Amazon Instance Store & Elastic Block Store

• File: Amazon Storage Gateway (File Gateway)

• Object: Amazon S3

Block Storage Services

Amazon Instance Store

• Locally attached

• NVMe Flash

• Data Encryption at Rest

Amazon Elastic Block Store

• Block storage as a service

• Create, attach volumes through an API

• Service accessed over the network

Block Storage Integration: EBS and Instance Store

[Diagram: host esxi-01 with an EBS volume for boot and a vSAN datastore built from two disk groups (Disk Group 1, Disk Group 2), each with a write buffer and a capacity tier]

vSAN Configuration:

• VMware Ready for vSAN certified

• All-Flash, pre-configured

Key Considerations

• Default vSAN Datastore policy

• Flexibility of RAID-1 or Erasure Coding

• IOPS limits per vdisk

Object Storage: Amazon S3

What is Amazon S3?

• Designed for 11 9’s durability

• Highly scalable, reliable, low latency, infinite capacity

• Standard, IA and Glacier

Object Storage Integration: Amazon S3

[Diagram: ESXi hosts in VMware Cloud on AWS reach Amazon S3 through the CGW, the elastic network interface and a VPC endpoint in the customer AWS account, alongside Amazon EC2]

Customer use cases:

• File Services

• Data Protection

• Big Data Analytics

Customer Amazon S3 Use Case: File Services

[Diagram: an AWS Storage Gateway VM on ESXi in the VMware Cloud VPC exports an NFS file share; its OS and read/write cache (local reads/writes) sit on the vSAN datastore, and writes and cache misses go to Amazon S3]

AWS Storage Gateway:

• Unlimited storage

• File storage durability (11 9’s)

• Built-in data protection

vSAN:

• Primary storage for storage gateway

• Performance acceleration

• Storage gateway resilience

Customer Amazon S3 Use Case: Data Protection

[Diagram, two patterns. Backup in the Cloud: a backup server on ESXi in the VMware Cloud VPC and a partner solution on an EC2 instance in the customer VPC write to the customer S3 bucket, with Amazon S3 and Amazon Glacier as targets. Backup to the Cloud: a backup server in the corporate datacenter writes to Amazon S3.]

Backup to the Cloud (Gateway Appliances)

[Diagram: in the customer data center, a backup server and backup proxy in the vSphere environment (ESXi) write through a gateway appliance (Dell/EMC CloudBoost, AWS Storage Gateway or NetApp AltaVault) over AWS Direct Connect with a public VIF to Amazon S3]

Backup to the Cloud (Cloud Connectors)

[Diagram: in the customer data center, a backup server and backup proxy in the vSphere environment (ESXi) use partner solutions (cloud connectors) to write over AWS Direct Connect with a public VIF to Amazon S3]

VM Restore in the Cloud

[Diagram: a VM proxy (cloud connector) restores from a backup repository in Amazon S3 (/bucket/VM1backup, /bucket/VM2backup, …) via a gateway appliance such as Dell/EMC CloudBoost, AWS Storage Gateway or NetApp AltaVault]

VM Restore in the Cloud: Partner Storage Appliance

[Diagram, four numbered steps, showing: the on-prem vSphere environment (ESXi) with a Veeam Backup Server, connected over an L3 IPsec VPN; the VMware Cloud VPC with ESXi hosts, a Veeam proxy and the CGW; the elastic network interface into the customer VPC subnet, where NetApp AltaVault runs on Amazon EC2; and an S3 VPC endpoint to the backup repository in Amazon S3 (/bucket/VM1backup, /bucket/VM2backup, …)]

VM Restore in the Cloud: Partner Cloud Connector

[Diagram, four numbered steps, showing: a CommServe Media Agent (step 1); the on-prem vSphere environment (ESXi) connected over an L3 IPsec VPN; the VMware Cloud VPC with ESXi hosts and the CGW; the elastic network interface into the customer VPC with Amazon EC2; and an S3 VPC endpoint to the backup repository in Amazon S3 (/bucket/VM1backup, /bucket/VM2backup, …)]

Backup in the Cloud

[Diagrams, three variants, each with ESXi hosts and the CGW in the VMware Cloud VPC linked by the elastic network interface to the customer VPC with Amazon EC2: Dell/EMC Avamar/Networker backing up to a Dell/EMC DDVE; a Veeam Backup Server backing up through NetApp AltaVault to Amazon S3; a media agent backing up to Amazon S3]

Customer Amazon S3 Use Case: VM Data Analytics

[Diagram: an Amazon Kinesis-enabled app, Amazon Kinesis Firehose, Amazon S3, Amazon Athena, Amazon Redshift, Amazon QuickSight and a SQL client, with Amazon S3 as the store the analytics services read from]

Key Considerations

• vSAN: Focus on storage policies

• vCenter Server: Enable external access for backup software

• AWS Storage Gateway:

– Use ACL

– Enable versioning

– Enable Cross Region Replication

• S3:

– Control access to bucket

– Enable access logging and CloudTrail

– Leverage STS and lifecycle policy (if available from partner solutions)


In Summary….

[Summary diagram: the four phases Onboarding, Workload Migration, Data Protection and Workload analysis, and the AWS services used across them: AWS IAM (permissions, role), AWS STS, AWS CloudTrail, AWS CloudFormation, Amazon VPC, AWS Direct Connect, Amazon S3, AWS Storage Gateway, Amazon Glacier, Amazon Kinesis, Amazon Athena, Amazon QuickSight, Amazon Redshift]

Don’t Forget to Attend These Sessions

• AWS Native Services Integration with VMware Cloud on AWS: Technical Deep Dive [LHC3376BUS]

• VMware Cloud on AWS: An Architectural and Operational Deep Dive [LHC3174BU]

• Creating Your VMware Cloud on AWS Data Center: VMware Cloud on AWS Fundamentals [LHC1547BU]

• NSX and VMware Cloud on AWS: The Path to Hybrid Cloud [LHC2105BU]

• And a lot more …..

Don’t Forget to Stop by Our Booth

• Microsoft Application

• Mission Critical Applications

• Data Analytics

• Native Service Integrations
