“How do I integrate Native AWS with VMware Cloud on AWS?” is one of the most common questions I get when speaking to clients about VMware Cloud on AWS. This is a complex question, but at the end of the day, integrating native AWS services with VMware Cloud on AWS is all about connectivity.

This blog covers the two connectivity categories for integrating Native AWS with VMware Cloud on AWS. Understanding which category your organization falls into will help you make an informed decision on your cloud journey with VMware Cloud on AWS.

CATEGORY ONE: 1 ACCOUNT, 1 VPC, AND THE SAME REGION

This category is by far the most common. I run across clients who have been dabbling in using AWS services for various projects. The client wants to be able to take all these new creations and connect them to their VMware Cloud on AWS environment.

In this case a singular virtual private cloud (VPC) is connected to the VMware Cloud on AWS software-defined data center (SDDC) environment. This is achieved by using VPC peering between the VMware Cloud on AWS SDDC and a client-selected VPC. All of the following conditions apply:

  1. The VPC must be in the same AWS region as the VMware Cloud on AWS deployment
  2. A specific availability zone (AZ) inside the VPC must be selected for the VMware Cloud on AWS SDDC elastic network interfaces to be created on
  3. Cross-AZ charges are incurred for any traffic to another AZ besides the one in which the VMC elastic network interfaces (ENIs) exist

CATEGORY 2: 1+ ACCOUNT(S), 1+ VPC(S), AND THE SAME OR DISPARATE REGIONS

In this category a client has AWS services they wish to integrate in one or more AWS accounts, one or more VPCs, and the same or different regions. In some cases, the AWS accounts where the services live may not even be under the client’s ownership. This scenario is typically seen when the client already has a significant native AWS presence. We have two options when it comes to this particular use case.

Option 1: Direct VPN Tunnels from VMware Cloud on AWS SDDC to Customer VPCs

Route-based VPN tunnels are created from the VMware Cloud on AWS SDDC to the desired VPCs. This option provides the most flexibility, but also requires management of one VPN tunnel for every VPC you wish to communicate with. The following limits and charges apply:

  1. You incur charges for each VPN connection
  2. You are limited to 1.25 Gbps of throughput per VPC, which is bound by VGW throughput limitations
  3. You incur cross-VPC charges for any traffic within the same region
  4. You incur cross-region charges for any traffic outside the region your VMware Cloud on AWS SDDC is deployed

Option 2: Hub and Spoke Model Using the AWS Transit Gateway

The AWS Transit Gateway acts as a routing hub and spoke for communications between the VMware Cloud on AWS SDDC and all the attached VPCs, VPNs, and Direct Connect Gateways. The added benefit is that it provides transitive routing between all the attached VPCs, if you so desire.

The AWS Transit Gateway also allows you to take advantage of multiple route-based VPNs using equal-cost multi-path (ECMP). This removes the performance limitations found in standard site-to-site VPN tunnel configurations. You incur charges for:

  1. Each VPN connection
  2. Each Transit Gateway attachment
  3. All traffic that the Transit Gateway processes

——

Have more questions about VMware Cloud on AWS? Faction has more answers. Visit Faction’s Knowledge Base for resources about VMware Cloud on AWS and more.