VMware Cloud on AWS

Author: Jackson Chen
VMware cloud on AWS

https://aws.amazon.com/vmware

VMware Cloud on AWS code center

https://code.vmware.com/vmc-aws

VMware Cloud on AWS Documentation

https://docs.vmware.com/en/VMware-Cloud-on-AWS/index.html

Getting started with VMC on AWS

https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws.getting-started/GUID-3D741363-F66A-4CF9-80EA-AA2866D1834E.html

Amazon Virtual Private Cloud - Amazon VPC

https://aws.amazon.com/vpc/

Management and Operational Responsibilities
VMware cloud on AWS is a managed service from VMware.
    Amazon - Hardware, VPC (virtual private cloud)
    VMware - ESXi, vCenter, NSX, vSAN
    Customers - VM, VM Tools, guest OS, applications, Network connectivity
        Note:
        1. No root access to ESXi
        2. No VIB installation
        3. No vSphere distributed switch (vds) configuration access
        4. No direct access (web console) to VMs

VMware provides backup and restore services for the management infrastructure, which includes the vCenter Server, NSX Manager instances, and NSX Edge appliances. Customers manage the backup and restore of content and configuration in the SDDC, including virtual machines.

SLA requirements

To meet the SLA, the following requirements apply:

1. VM storage policy
    FTT = 1  when the cluster has 3 to 5 hosts
    FTT = 2  when the cluster has 6 to 16 hosts
2. The cluster retains 30% of its storage capacity as available slack space
3. The cluster must have sufficient capacity (CPU, memory, and storage) to support the VMs

Customers view capacity data for CPU, memory, and storage in the SDDC console.

AWS
AWS Regions

An AWS region is a physical location, and each group of logical data centers within it is an availability zone (AZ). Each AZ has ultra-low-latency networks. Each AWS region consists of multiple isolated and physically separated AZs within a geographic area.

Amazon Virtual Private Cloud

An AWS VPC is a virtual network dedicated to the customer's AWS account.

Within a VPC, the customer creates a logically isolated virtual network.
When creating a VPC, you must specify a range of IPv4 addresses in the form of a CIDR block
    Classless Inter-Domain Routing - CIDR

You control your virtual networking environment, including the selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. With Amazon VPC, you can customize your VPC network configuration. You can create a public-facing subnet for web servers that access the Internet. VPCs include the following options:

a. DHCP and DNS 
b. Elastic IP addresses (EIPs) 
c. Security groups operating at the AWS resource level (stateful firewall)
d. Network access control lists (ACLs) operating at the subnet level (stateless firewalls) 
e. Network address translation (NAT)

VPC subnets can reside in only one availability zone

Subnets in VPC

A VPC spans all the availability zones in a region. In a VPC, you can add one or more subnets in each AZ:

a. Each subnet resides entirely within one AZ and cannot span zones. 
b. When you create a subnet using the AWS management console, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.

If a subnet traffic is routed to an Internet gateway, the subnet is known as a public subnet. If a subnet does not have a route to the Internet gateway, the subnet is known as a private subnet.

1. A VPC is a set of contained subnets with a common CIDR block (up to a /16 netmask),
    running in a single geographic area (region) across multiple data centers (availability zones). 
2. A VPC is like a virtual data center, but it is physically spread out across availability zones. 
3. VPCs have network connectivity within the region in which they are created.

You can use Internet connectivity, virtual private network (VPN) connectivity, and VPC peering to connect VPCs to other networks.

Deploying SDDC on VMware Cloud on AWS

When you deploy your SDDC on VMware Cloud on AWS, it is created in an AWS account and in a VPC that is dedicated to your organization and managed by VMware. You must also connect the SDDC to an AWS account belonging to you, called the customer AWS account. This connection allows your SDDC to access AWS services belonging to your customer account.

You can deploy one, two, or multiple hosts on VMware Cloud on AWS. If you deploy a single-host SDDC, you can delay linking your customer AWS account for up to two weeks. You cannot scale up a single-host SDDC to a multiple-host SDDC until you link an AWS account. If you want to deploy a multiple-host SDDC, you must link your customer AWS account when you deploy the SDDC.

Deploying SDDC on VMware Cloud on AWS

During the SDDC deployment process, you connect your AWS account with the VMware Cloud on AWS SDDC:

1. The CloudFormation template creates roles that allow VMware to manage SDDC cross-linking. 
2. The hosts within the SDDC are connected to the customer-owned VPC through cross-account Amazon Elastic Network Interfaces (ENIs). 
3. The AWS services are managed through a customer-owned AWS account

During the onboarding process, you choose the VPC and the subnets that your SDDC cluster connects to. Customers run an AWS CloudFormation template, which grants VMware Cloud management services a cross-account role with a managed policy. With this managed policy, VMware can perform operations such as creating Amazon Elastic Network Interfaces (ENIs) and route tables. After the role is created and assigned, VMware Cloud management services assume the role in the customer account and create ENIs in the subnet that the customer chooses. These ENIs are directly attached to the ESXi hosts in the VMware SDDC account.

The VPC, subnet, and AWS account that you use must meet several requirements:

1. The subnet must be in an AWS AZ where VMware Cloud on AWS is available. 
2. The subnet must exist in the connected AWS account and cannot be one owned by and shared from another account. 
3. The customer's AWS account must have available capacity to create a minimum of 17 ENIs per SDDC in the AWS region where the SDDC is deployed.
    Note: Dedicating a /26 CIDR block to each SDDC is recommended.
4. Any VPC subnets on which AWS services or instances communicate with the SDDC must be associated with the main route table of the connected VPC.
    Note: Use of a custom route table or replacement of the main route table is not supported.

IP Addresses for AWS VPCs and VMware SDDCs

Before deploying your VMware Cloud on AWS SDDC, you need to plan two separate blocks of IP address spaces:

a.  SDDC management CIDR block
        The management CIDR must be one of three available sizes: /16, /20, or /23
        It must be an RFC1918 network (within 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16)
        The management CIDR cannot overlap any of these ranges and should also be unique within the entire enterprise network
b.  VPC CIDR block

The management CIDR is used for the management components in the SDDC, including the ESXi hosts (management, vSphere vMotion, and other interfaces), vCenter Server, NSX Manager, and other fully managed add-on components that are deployed into the SDDC. The primary factor in selecting the size is the anticipated scalability of the SDDC. In a single-AZ deployment, a /23 CIDR can support 27 ESXi hosts, a /20 up to 251, and a /16 up to 4091. The SDDC maximum is 300 hosts, which only a /16 CIDR can accommodate.
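As an added example (not part of the original notes), the Python below turns the planning rules above into a pre-deployment check: management CIDR size, RFC 1918 membership, host capacity per size, non-overlap with networks already in use, and the /26 recommendation for the connected VPC subnet that receives the cross-account ENIs. The capacity figures are the ones quoted in the notes; the function names and sample networks are constructed.

```python
import ipaddress

# Host capacity per management CIDR size in a single-AZ SDDC, as quoted in the notes.
MGMT_CIDR_HOST_CAPACITY = {23: 27, 20: 251, 16: 4091}
SDDC_MAX_HOSTS = 300
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_management_cidr(mgmt_cidr, planned_hosts, in_use_cidrs):
    """Return a list of problems with a proposed SDDC management CIDR.

    mgmt_cidr     -- proposed management block, e.g. "10.2.0.0/20"
    planned_hosts -- the largest host count the SDDC is expected to reach
    in_use_cidrs  -- every CIDR already in use in the enterprise, including the
                     connected VPC's CIDR (the management block must be unique)
    An empty list means the plan passes every check taken from the notes.
    """
    try:
        net = ipaddress.ip_network(mgmt_cidr)  # strict: host bits set is an error
    except ValueError as err:
        return [f"{mgmt_cidr}: {err}"]
    problems = []
    if net.prefixlen not in MGMT_CIDR_HOST_CAPACITY:
        problems.append(f"{net}: prefix must be /16, /20 or /23")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net}: not an RFC 1918 network")
    if planned_hosts > SDDC_MAX_HOSTS:
        problems.append(f"{planned_hosts} hosts exceeds the SDDC maximum of {SDDC_MAX_HOSTS}")
    capacity = MGMT_CIDR_HOST_CAPACITY.get(net.prefixlen, 0)
    if planned_hosts > capacity:
        problems.append(f"{net}: supports {capacity} hosts, {planned_hosts} planned")
    for used in map(ipaddress.ip_network, in_use_cidrs):
        if net.overlaps(used):
            problems.append(f"{net}: overlaps in-use network {used}")
    return problems


def check_connected_subnet(subnet_cidr, vpc_cidr):
    """Check the customer-VPC subnet that will hold the SDDC's cross-account ENIs."""
    problems = []
    subnet = ipaddress.ip_network(subnet_cidr)
    vpc = ipaddress.ip_network(vpc_cidr)
    if not subnet.subnet_of(vpc):
        problems.append(f"{subnet}: not within the connected VPC {vpc}")
    if subnet.prefixlen > 26:  # the notes recommend dedicating a /26 per SDDC (17+ ENIs)
        problems.append(f"{subnet}: smaller than the recommended /26")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: 200 hosts in a /20, with one enterprise range and the VPC in use.
    print(check_management_cidr("10.2.0.0/20", 200, ["10.10.0.0/16", "172.31.0.0/16"]))
    print(check_connected_subnet("172.31.8.0/26", "172.31.0.0/16"))
```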

How to create a VPC on Amazon Management Console

To create a VPC using the management console:

1. Open the Amazon VPC console at 
    https://console.aws.amazon.com/vpc/
2. In the navigation pane, select Your VPCs > Create VPC. 
3. Specify the following VPC details. 
    Name tag 
    IPv4 CIDR block 
    Tenancy 
    (Optional) Addition or removal of a tag 
4. Select Create VPC

VMware Cloud Organizations

In VMware Cloud on AWS, an organization corresponds to a group or line of business that subscribes to the VMware Cloud on AWS services:

1. VMware Cloud uses organizations to provide controlled access to one or more services. 
2. You must belong to an organization before you can access a cloud service. 
3. Each organization includes one or more organization owners 
    who can access all the resources and services of the organization and can invite additional users to the account. 
4. The VMware Cloud organizations that you create or belong to have no relationship to AWS Organizations.

Credentials in VMware Cloud on AWS

Each set of credentials is independently stored, managed, and is not interchangeable:

1. Amazon Web Services (AWS) accounts are used to access AWS services and link the VMware Cloud on AWS SDDC to an AWS account. 
2. VMware Cloud services (including VMware Cloud on AWS) give you access to the VMware Cloud services console. 
3. vCenter Single Sign-On in the VMware Cloud on AWS SDDC is used in these ways: 
    a. The cloudadmin@vmc.local user is created for customer use. 
    b. A password is generated randomly and provided to every VMware Cloud services user until changed. 
4. With vCenter Single Sign-On from an on-premises SDDC, users can be granted VMware Cloud on AWS permissions after Hybrid Linked Mode is configured.

VMware Cloud Organization Roles

Organization roles determine the privileges that a user has over organization assets.

Organization owners: 
a. Each organization can have one or more organization owners. 
b. Organization owners can invite additional owners and users to the account, manage access, or remove users. 
c. Organization owners control access to VMware Cloud services, such as VMware Cloud on AWS. 

Organization members: 
a. Organization members can be delegated access to VMware Cloud services, such as VMware Cloud on AWS, by an organization owner. 
b. Organization members cannot invite new users, change user access, or remove users.

VMware Cloud on AWS Service Roles

Service roles define the privileges of organization members when they access the VMware Cloud services that the organization uses.

The following VMware Cloud on AWS service roles can be assigned:

a. Administrator: 
    Has full cloud administrator rights to all service features in VMware Cloud on AWS. 
b. Administrator (Delete Restricted): 
    Has full cloud administrator rights to all service features in the VMware Cloud on AWS console. 
    However, this role cannot delete SDDCs or clusters. 
c. NSX Cloud Auditor: 
    Views NSX service settings and events but cannot change the service. 
d. NSX Cloud Admin: 
    Can do all the tasks related to the NSX service. 

When an organization user is assigned more than one service role, their effective permissions are those of the most permissive role. A user with organization owner privileges can assign or change all the service roles. Users given restrictive roles, such as Administrator (Delete Restricted) or NSX Cloud Auditor, are assigned the organization member role so that they cannot modify role assignments.

Note: 
    You must be an organization owner to invite additional users to your organization

How to log in to VMC on AWS

Log in at https://vmc.vmware.com

How to add or invite additional users

1. Log in to the SDDC console at https://vmc.vmware.com 
2. Click the Services icon in the upper-right corner 
3. Click Identity & Access Management
4. Click Add Users
5. On the Add New Users page
    a. Enter the email addresses of the users that you want to add
    b. Assign organization or service roles to the new users:
        - Organization Owner
        - Organization Member
    c. If a user needs to submit and manage support tickets, select the "Support User" check box
6. Click Add

Note:
    The user login supports multi-factor authentication (MFA)   

Microsoft Products Licensing

For Microsoft licensing, the following conditions apply:

a. To bring your own license (BYOL) to VMware Cloud on AWS, 
    active Software Assurance is required for all Microsoft products 
b. Microsoft identifies certain products as not eligible for BYOL. 
    For these products, the hosting service must use a Services Provider License Agreement (SPLA) with Microsoft. 
c. VMware has an SPLA with Microsoft,
    so the customer must purchase new licenses through VMware for Microsoft products (not eligible for BYOL) that are hosted on VMware Cloud on AWS

Microsoft License Mobility

Eligible Microsoft server applications, such as Microsoft SQL Server, can be deployed on VMware Cloud on AWS using existing licenses. To be eligible for license mobility, the following conditions must be met:

a. All Microsoft server products migrated to VMware Cloud on AWS
    must be eligible through the Microsoft License Mobility through Software Assurance program according to Microsoft terms.
b. The server applications must be on the list of eligible products published by Microsoft.

Cloud SDDC

Each organization supports two SDDCs. Each SDDC can support up to 20 clusters with 2 to 16 hosts, for a maximum of 160 hosts per SDDC or 320 hosts for the entire organization. The initial cluster contains the management VMs, whereas all other clusters are fully available for customer workloads.

SDDC clusters deployment

1. Physical vSAN cluster storage is separated into two datastores: 
    a. Separate management and customer workload
    b. Storage of infrastructure VMs on the management datastore under restricted controls to protect customers from making a breaking change
    c. Storage of workload VMs in the customer datastore with full control and access

2. Each cluster has one vCenter Server system. 
3. Cluster size is 2 to 16 nodes, and you can dynamically add and remove nodes. 
4. On-premises vSAN can use any KMIP-compliant key management server (KMS), whereas VMware Cloud on AWS uses only the Amazon KMS: 
    a. Customers who require enhanced key management can trigger a shallow rekey operation through the vSphere Client or vCenter Server API. 
    b. Deep rekey is available on request through site reliability engineering (SRE). 
Cluster:
    Restricted to a single AZ in an AWS region
Stretched Cluster:
    Spans two different AZs within a single AWS region

Networking Resources

Using Amazon services, you can create secure, scalable, and highly available connections between the SDDC and other networks:

  1. Amazon Elastic Network Adapter (ENA) connects each host to the LAN with a total available bandwidth of 25, 75, or 100 Gbps.
  2. A management gateway in the SDDC handles management traffic. A compute gateway handles workload VM network traffic.
  3. Amazon Virtual Private Cloud (VPC) enables optimized connectivity of the SDDC to other AWS services, regions, and availability zones.
  4. Amazon Elastic Network Interfaces (ENIs) connect the VMware Cloud on AWS SDDC to your Amazon VPC and represent virtual network cards.
  5. Amazon Direct Connect enables low-latency connectivity of the SDDC to your on-premises data center.

Amazon Elastic Network Interface (ENI) is a logical networking component in a virtual private cloud that represents a virtual network card.