vmmed1
Enthusiast

Has anyone tried NSX on AWS?

If yes - how does feature availability look in the AWS cloud version?


Accepted Solutions
cnrz
Expert

NSX on AWS looks similar to NSX-V; the difference from the on-prem version seems to be the installation: upgrades are done automatically, so the version used is fixed. Since it is automatically provisioned when the SDDC is deployed, there is no need for on-premise NSX (it has its own NSX Manager, Controller Cluster, Edge and DLRs).

vCenter features like HA, DRS, vMotion, Stretched Cluster vCenter across Availability Zones and SRM are also available, so if a VM moves from the on-premise DC to AWS or between AWS Availability Zones without changing its IP address, it should continue to serve, similar to Cross-vCenter NSX.

Since it is available as a service, new features could be expected to be added to be on par (or some features only on the AWS cloud version), so updating frequently may be important.

Currently these services or features seem available:

  • L2 VPN
  • L3 VPN
  • Logical Switches
  • Logical Routers
  • dFW (Distributed Firewall)

In addition, Amazon services such as Elastic Load Balancing,

https://www.brianjgraf.com/2018/02/07/understanding-vmc-integrations-with-aws-services-part-3-vmware...

https://cloud.vmware.com/vmc-aws/faq#networking-security

What type of networking features can I configure? Among other things, you can:

  • View a topology diagram showing the status of network connections to and from your SDDC.
  • Create firewall rules for the management and compute gateways.

In the current version dFW rules are not replicated automatically (could not find it on the roadmap; could be an important feature for the Hybrid Cloud with on-premise NSX use case):

https://cloud.vmware.com/vmc-aws/roadmap

Will my security policy and services migrate when the VM is live migrated to the VMware Cloud on AWS SDDC using vMotion?

No. You are responsible for moving the security policy and services.

  • Configure VPN settings for IPsec VPN connections between your SDDC and an on-premises data center.
  • Configure DNS settings for the management and compute gateways.
  • Configure inbound NAT and create public IP addresses for your compute gateway.

These links could be helpful:

https://cloud.vmware.com/vmc-aws

https://cloud.vmware.com/vmc-aws/resources

https://aws.amazon.com/vmware/faqs/

https://blogs.vmware.com/networkvirtualization/2017/12/vmware-sddc-nsx-expands-aws.html/

https://blogs.vmware.com/networkvirtualization/2017/12/vmware-cloud-aws-nsx-connecting-sddcs-across-...

https://blogs.vmware.com/networkvirtualization/2018/01/vmware-cloud-aws-nsx-communicating-native-aws...

http://packetpushers.net/podcast/podcasts/datanauts-124-vmware-cloud-aws-sponsored/

http://frankdenneman.nl/2017/08/29/vmware-cloud-aws-technical-overview/

Networking in VMware Cloud on AWS
VMware Cloud on AWS is built around NSX. It’s optimized to provide VM networking in the Cloud SDDC, while abstracting the Amazon Virtual Private Cloud (VPC) networks. It enables ease of management by providing logical networks to VMs and automatically connecting new hosts to logical and VMkernel networks as clusters are scaled out. At initial availability, users connect to VMware Cloud on AWS via a layer 3 VPN connection. Future releases of VMware Cloud on AWS, however, will support AWS Direct Connect and allow cross-cloud vSphere vMotion operations.

An IPsec layer 3 VPN is set up to securely connect the on-premises vCenter Server instance with the management components running on the in-cloud SDDC cluster. A separate IPsec layer 3 VPN is set up to create connectivity between the on-premises workloads and the VMs running inside the in-cloud SDDC cluster. NSX is used for all networking and security and is decoupled from Amazon VPC networking. The compute gateway and DLR are pre-configured as part of the prescriptive network topology and cannot be changed by the customer. Customers provide only their own subnets and IP ranges.


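Because the FAQ quoted above says security policy is not carried along with a vMotioned VM, the practical control is to diff the distributed-firewall rules on both sides before cutting over. The script below is an added example, not code from the thread or from VMware: it assumes both rule sets have already been exported into a simple, hypothetical normalised JSON shape (name, sources, destinations, services, action) and reports rules that are missing from, or differ in, the target SDDC.

```python
"""Flag distributed-firewall rules that did not make it to the target domain.

Added example, not from the original thread or from VMware. Both rule sets are
assumed to be exported already into the hypothetical normalised records below;
rule ordering within a section is not compared, only presence and content.
"""
import json

# Constructed sample exports (not real NSX output); field names are hypothetical.
ONPREM_EXPORT = json.dumps([
    {"name": "web-to-app", "sources": ["sg-web"], "destinations": ["sg-app"],
     "services": ["TCP/8443"], "action": "allow"},
    {"name": "deny-app-to-web", "sources": ["sg-app"], "destinations": ["sg-web"],
     "services": ["any"], "action": "drop"},
    {"name": "mgmt-ssh", "sources": ["sg-jump"], "destinations": ["sg-app"],
     "services": ["TCP/22"], "action": "allow"},
])
VMC_EXPORT = json.dumps([
    {"name": "web-to-app", "sources": ["sg-web"], "destinations": ["sg-app"],
     "services": ["TCP/8443"], "action": "allow"},
    # Same name as on-prem but a looser service: must be reported as changed.
    {"name": "mgmt-ssh", "sources": ["sg-jump"], "destinations": ["sg-app"],
     "services": ["any"], "action": "allow"},
])


def normalise(rule):
    """Order-independent, case-insensitive key so export ordering does not matter."""
    return (rule["name"],
            frozenset(rule["sources"]),
            frozenset(rule["destinations"]),
            frozenset(s.upper() for s in rule["services"]),
            rule["action"].lower())


def rule_drift(source_json, target_json):
    """Return names of source rules missing from, or changed in, the target."""
    src = {r["name"]: normalise(r) for r in json.loads(source_json)}
    dst = {r["name"]: normalise(r) for r in json.loads(target_json)}
    missing = sorted(n for n in src if n not in dst)
    changed = sorted(n for n in src if n in dst and src[n] != dst[n])
    return {"missing": missing, "changed": changed}


if __name__ == "__main__":
    # With the constructed data: the drop rule is absent and mgmt-ssh was widened.
    print(json.dumps(rule_drift(ONPREM_EXPORT, VMC_EXPORT), indent=2))
```

A non-empty "missing" list means traffic the on-prem policy blocked or allowed has no corresponding rule in the SDDC; "changed" catches rules recreated by hand with a different scope.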