If you’re considering VMware Cloud on AWS, a critical piece of the decision process is determining how you’re going to connect to your VMware Cloud on AWS. Data center location, type of environment, individual application requirements and budget will help determine the right connection for your business needs. Choose the scenario below that most closely resembles your environment to learn more about available network connections.
Disaster Recovery and Non-Critical Services
If your organization will use VMware Cloud on AWS primarily for Disaster Recovery-as-a-Service, the easiest and most economical connection is a Virtual Private Network (VPN). A VPN carries traffic to your Software Defined Data Center (SDDC) through an encrypted tunnel over the public internet. Configuring an IPsec tunnel between an existing router or firewall in your corporate environment and the VPN endpoint of your SDDC is straightforward. How secure that tunnel actually is depends on the IKE and ESP parameters you negotiate (IKEv2, AES-256 or AES-GCM, SHA-256, a 2048-bit or elliptic-curve Diffie-Hellman group, Perfect Forward Secrecy, and a long random pre-shared key or certificate authentication) and on both ends accepting only that proposal rather than falling back to weaker ones.
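What "secure IPsec tunnel" means in practice is a question of negotiated parameters, so here is a small policy check a practitioner can run against a proposed tunnel configuration before it goes live. This is an added example, not code from the original article or from VMware or AWS; the thresholds it encodes (cipher and hash sets, DH groups, SA lifetimes, pre-shared key length) are assumptions chosen as a reasonable baseline, and the two sample proposals are constructed for illustration.

```python
"""Policy check for a site-to-site IPsec tunnel proposal.

Added example: not code from the original article, nor a VMware or AWS tool.
The thresholds below are assumptions that represent a reasonable baseline for
an IKEv2 tunnel terminating on a cloud SDDC; adjust them to your own standard
and to the parameters both endpoints actually support.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IpsecProposal:
    ike_version: int            # 1 or 2
    ike_encryption: str         # e.g. "aes256", "aes256gcm"
    ike_integrity: str          # e.g. "sha256"; not used with a GCM cipher
    dh_group: int               # IKE Diffie-Hellman group
    esp_encryption: str         # data-plane cipher
    esp_integrity: str          # data-plane integrity; not used with GCM
    pfs_group: Optional[int]    # None or 0 means PFS is disabled
    ike_lifetime_s: int
    esp_lifetime_s: int
    auth: str                   # "psk" or "certificate"
    psk_length: int = 0         # characters; only meaningful for auth == "psk"


# Assumed baseline (not VMware's or AWS's published requirements).
STRONG_CIPHERS = {"aes128", "aes256", "aes128gcm", "aes256gcm"}
AEAD_CIPHERS = {"aes128gcm", "aes256gcm"}          # carry their own integrity
STRONG_HASHES = {"sha256", "sha384", "sha512"}
# 14-16 are the 2048/3072/4096-bit MODP groups, 19-21 the NIST ECP groups.
ACCEPTABLE_DH = {14, 15, 16, 19, 20, 21}
MAX_IKE_LIFETIME_S = 86400
MAX_ESP_LIFETIME_S = 3600
MIN_PSK_LENGTH = 32


def check_proposal(p: IpsecProposal) -> List[str]:
    """Return the list of findings; an empty list means the proposal passes."""
    findings = []
    if p.ike_version != 2:
        findings.append("use IKEv2; IKEv1 is legacy and its aggressive mode "
                        "exposes the pre-shared key to offline guessing")
    if p.ike_encryption not in STRONG_CIPHERS:
        findings.append(f"IKE cipher {p.ike_encryption!r}: use AES-128/256 CBC or GCM")
    if p.ike_encryption not in AEAD_CIPHERS and p.ike_integrity not in STRONG_HASHES:
        findings.append(f"IKE integrity {p.ike_integrity!r}: use SHA-256 or stronger")
    if p.dh_group not in ACCEPTABLE_DH:
        findings.append(f"DH group {p.dh_group}: use group 14 or an ECP group (19-21)")
    if p.esp_encryption not in STRONG_CIPHERS:
        findings.append(f"ESP cipher {p.esp_encryption!r}: use AES-128/256 CBC or GCM")
    if p.esp_encryption not in AEAD_CIPHERS and p.esp_integrity not in STRONG_HASHES:
        findings.append(f"ESP integrity {p.esp_integrity!r}: use SHA-256 or stronger")
    if not p.pfs_group or p.pfs_group not in ACCEPTABLE_DH:
        findings.append("enable Perfect Forward Secrecy with DH group 14 or stronger")
    if p.ike_lifetime_s > MAX_IKE_LIFETIME_S:
        findings.append(f"IKE SA lifetime {p.ike_lifetime_s}s exceeds {MAX_IKE_LIFETIME_S}s")
    if p.esp_lifetime_s > MAX_ESP_LIFETIME_S:
        findings.append(f"ESP SA lifetime {p.esp_lifetime_s}s exceeds {MAX_ESP_LIFETIME_S}s")
    if p.auth == "psk" and p.psk_length < MIN_PSK_LENGTH:
        findings.append(f"pre-shared key of {p.psk_length} chars is too short; use at "
                        f"least {MIN_PSK_LENGTH} random characters or certificates")
    return findings


# Constructed sample proposals: a typical legacy router default and a hardened one.
LEGACY = IpsecProposal(ike_version=1, ike_encryption="3des", ike_integrity="sha1",
                       dh_group=2, esp_encryption="3des", esp_integrity="sha1",
                       pfs_group=None, ike_lifetime_s=86400, esp_lifetime_s=28800,
                       auth="psk", psk_length=8)

HARDENED = IpsecProposal(ike_version=2, ike_encryption="aes256gcm", ike_integrity="none",
                         dh_group=14, esp_encryption="aes256gcm", esp_integrity="none",
                         pfs_group=14, ike_lifetime_s=28800, esp_lifetime_s=3600,
                         auth="psk", psk_length=48)

if __name__ == "__main__":
    for name, proposal in (("legacy", LEGACY), ("hardened", HARDENED)):
        issues = check_proposal(proposal)
        status = "PASS" if not issues else f"{len(issues)} finding(s)"
        print(f"{name}: {status}")
        for issue in issues:
            print("  -", issue)
```

Run it as a script to see the two reports side by side. The useful habit the check encourages is to configure a single proposal on both ends and reject everything else; a peer that advertises a weak proposal alongside a strong one will happily negotiate the weak one if the other side allows it.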
A VPN can carry either a routed (Layer 3) connection or a Layer 2 extension (covered below). Most applications work well over a routed connection, and it is the recommended type if your topology supports it: once a server has moved to the cloud, its default gateway sits inside the VMC network, so the SDDC can send traffic directly to the internet even if the VPN goes down. The primary drawback of the Layer 3 design is that every host migrated into the VMC environment must be re-addressed, and anything that hard-codes those addresses (firewall rules, DNS records, application configuration) has to change with it.
The main drawback of a VPN is its dependence on the public internet, which can introduce latency or outages. For disaster recovery, non-critical business applications and testing, that is not a show stopper, and the low cost (usually only your existing internet charges!) makes this option compelling.
Production Environments
Production environments often require low and predictable latency, high availability, and greater control over network traffic. Private lines give production environments the best reliability.
AWS Direct Connect provides a dedicated path into your SDDC that bypasses the public internet, giving you more predictable latency and better link availability. You control which traffic traverses this private circuit, but note that Direct Connect does not encrypt it: the circuit is private, not confidential. If your data must be encrypted in transit across the carrier's network, run an IPsec tunnel over the Direct Connect circuit instead of over the internet. Direct Connect is the recommended configuration for production workloads with strict availability SLAs.
Private lines can be expensive, especially if you are not located in a facility where AWS provides Direct Connect. In that case you need to order a new private line from your location to that colocation facility. To get the highest uptime and avoid an outage caused by a backhoe cutting the fiber, order two circuits that follow physically diverse routes, ideally terminating on different Direct Connect devices or locations, and test the failover before you depend on it.
Like a VPN, a private line can carry a routed (Layer 3) connection or a Layer 2 extension. Layer 3 is the recommended type if your topology supports it: a migrated server's gateway is inside the VMC network, so the SDDC can send traffic directly to the internet if the private line goes down. The disadvantage, as with the VPN case, is that every host migrated into the VMC environment must be re-addressed.
Migration and Testing Environments
As with Disaster Recovery and non-critical business applications, a VPN is the most economical and easiest connection to set up for testing and migration environments.
Applications that Require Layer 2
Some business applications require a direct Layer 2 connection between your premises and the VMC SDDC. In that case you can use either a VPN or a private line together with VMware's optional L2 VPN service, which runs on an NSX Edge. VMware offers a standalone NSX Edge appliance that forms an SSL-based L2 VPN between your premises and the VMC SDDC.
The encrypted traffic can run over either a VPN or a Direct Connect line. This allows workloads on the same Layer 2 virtual LAN (VLAN) to be split, with some VMs in the SDDC and others still running on your premises. It is typically used only for testing, to validate that the compute infrastructure works as expected, or as part of a migration plan that moves a handful of VMs at a time, until enough of the subnet has migrated that it makes sense to move the default gateway to the SDDC. Until the gateway moves, any traffic from a migrated VM that leaves its subnet (to another subnet or to the internet) hairpins back across the tunnel to the on-premises gateway.
The primary drawback of an L2 extension is that the standalone Edge appliance is not redundant and lacks the instrumentation to properly manage and monitor network failures; a failure is generally fixed by redeploying the appliance. A second disadvantage is that stretching a VLAN between locations extends a single broadcast domain and failure domain across both sites: a fault or a misbehaving host on either side can affect the whole application, and the number of components whose failure causes an outage goes up.
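The difference between the routed design described earlier (gateway inside the SDDC, hosts re-addressed) and the Layer 2 extension (gateway still on premises, hosts keep their addresses) comes down to where a packet has to travel to reach its default gateway. The following added example, not code from the original article or from VMware, models that with a handful of made-up hosts, subnets and two site names ("onprem" and "sddc"); it counts how many times a path crosses the link between the sites, which is the cost you pay in latency and in exposure to a link failure. Moving the gateway, as the migration plan above eventually does, flips which side pays it.

```python
"""Which site does a packet traverse when a subnet is stretched at Layer 2?

Added example, not from the original article or from VMware. It models two
designs: a routed (Layer 3) segment whose gateway lives inside the SDDC, and
an L2 extension whose default gateway still sits on premises. The hosts,
subnets and site names are constructed for illustration.
"""
from ipaddress import ip_address, ip_network
from typing import List

INTERNET = "internet"


class Topology:
    def __init__(self):
        self.hosts = {}    # IPv4Address -> site that runs the host
        self.subnets = {}  # IPv4Network -> site that holds its default gateway

    def add_subnet(self, cidr: str, gateway_site: str):
        self.subnets[ip_network(cidr)] = gateway_site

    def add_host(self, ip: str, site: str):
        self.hosts[ip_address(ip)] = site

    def move_gateway(self, cidr: str, new_site: str):
        """Cut the stretched subnet's default gateway over to the other site."""
        self.subnets[ip_network(cidr)] = new_site

    def _subnet(self, ip):
        for net in self.subnets:
            if ip in net:
                return net
        raise KeyError(f"{ip} is in no known subnet")

    def path(self, src: str, dst: str) -> List[str]:
        """Return the ordered list of sites a packet from src to dst visits."""
        src_ip = ip_address(src)
        route = [self.hosts[src_ip]]
        if dst != INTERNET:
            dst_ip = ip_address(dst)
            if dst_ip in self._subnet(src_ip):
                # Same subnet: delivered at Layer 2, over the stretch if remote.
                route.append(self.hosts[dst_ip])
                return route
        # Different subnet or internet: first hop is the subnet's default gateway,
        # wherever that gateway currently lives.
        route.append(self.subnets[self._subnet(src_ip)])
        route.append(INTERNET if dst == INTERNET else self.hosts[dst_ip])
        return route


def cross_site_hops(route: List[str]) -> int:
    """Count how many times a path crosses the link between the two sites."""
    sites = [s for s in route if s != INTERNET]
    return sum(1 for a, b in zip(sites, sites[1:]) if a != b)


def build_example() -> Topology:
    """Constructed topology: one stretched VLAN, one on-prem-only subnet,
    one routed SDDC segment."""
    t = Topology()
    t.add_subnet("10.10.0.0/24", gateway_site="onprem")  # stretched; gateway on premises
    t.add_subnet("10.20.0.0/24", gateway_site="onprem")  # on-prem only
    t.add_subnet("10.30.0.0/24", gateway_site="sddc")    # routed Layer 3 segment
    t.add_host("10.10.0.5", "sddc")      # migrated over the L2 extension
    t.add_host("10.10.0.6", "onprem")    # not yet migrated
    t.add_host("10.20.0.10", "onprem")   # e.g. a database still on premises
    t.add_host("10.30.0.7", "sddc")      # re-addressed into the routed segment
    return t


if __name__ == "__main__":
    t = build_example()
    flows = [("10.10.0.5", "10.10.0.6"), ("10.10.0.5", INTERNET),
             ("10.10.0.5", "10.30.0.7"), ("10.30.0.7", INTERNET)]
    for src, dst in flows:
        r = t.path(src, dst)
        print(f"{src} -> {dst}: {' > '.join(r)}  [{cross_site_hops(r)} cross-site hop(s)]")
    t.move_gateway("10.10.0.0/24", "sddc")
    print("after moving the 10.10.0.0/24 gateway to the SDDC:")
    for src in ("10.10.0.5", "10.10.0.6"):
        r = t.path(src, INTERNET)
        print(f"{src} -> internet: {' > '.join(r)}  [{cross_site_hops(r)} cross-site hop(s)]")
```

The worst case in the output is a migrated VM on the stretched VLAN talking to a VM on a routed SDDC segment: both are in the SDDC, yet the packet crosses to the on-premises gateway and back, so it depends on the cross-site link twice. The routed segment never hairpins, which is why the article recommends Layer 3 where the re-addressing is acceptable.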
The Faction team is here to help you decide the best connection type for you based on budget and requirements. Read more about the VMware Cloud on AWS solution.