For those of you who are ready to deploy your first Software Defined Data Center (SDDC) on VMware Cloud on AWS, there is a little bit more than meets the eye when it comes to the initial deployment. As a part of the VMware TAM Lab series, I demonstrate how to deploy an SDDC from start to finish, including the configuration of the VPC in AWS.
**SHAMELESS PLUG** – Subscribe to the TAM Lab YouTube channel. We are covering all VMware Technologies and use cases….including how to go about building your own home lab. Check it out!!!
Lately, I’ve been asked by peers and customers alike “How can I learn more about VMware Cloud on AWS?!” Many of us are finding ourselves in front of screens much more than normal these days so what better way to fill in some time gaps than by learning more about VMware Cloud on AWS and HCX?! While search engines are helpful, I hope my “definitive list” helps!!! If you need more, feel free to reach out!!! Happy Learning!!!
I have been using this feature of NSX heavily as of late so I wanted to highlight the power and flexibility of inventory groups that allow you to configure firewall rules that best fit your organization. The grouping of VMs and network services within VMware Cloud on AWS allows you put VMs that have common characteristics such as databases, web servers, operating systems, IP addresses and tags together to more easily publish firewall rules. By default, VMware Cloud on AWS creates two primary management groups and a service inventory when the SDDC is created. The two “parent groups” as I will call them are the Management Group and Workload Group respectively. The Management groups are system defined groups of infrastructure components such as ESX hosts, vCenter, NSX Manager or any other management appliances such as HCX. Workload groups are user defined groups of Virtual Machines or IP addresses.
As you can see above, I added sub groups to the Workload Group based on function (Web, SQL, etc.). Recently, I have been testing the Membership Criteria option as this feature leverages tags and can also group based on Virtual Machine names that contain or start with a defined string. To add a new group, select Add Group, name your group, and then choose one of three membership types, Virtual Machine, IP Address or Membership Criteria. For this example, I used Membership Criteria. Once Membership Criteria is selected, pick the member VMs based on one of the two criteria (VM Name or Tag). For VM name you can choose contains or equals to categorize your VM grouping. The tag criteria can only be leveraged by having the tag name be equal to the VM(s) that is defined. In order to leverage the tag membership criteria, the the VM must be already tagged.
**Public Service Announcement** vCenter Tags and Attributes are NOT manifest in Networking & Security in the SDDC. These tags can only be added via Virtual Machines under Networking & Security > Inventory > Groups > Virtual Machines. Right click on the VM, select Edit and add your tag.
For the sake of this blog, I have created several VMs with different names but the same tag to show how tagging is leveraged.
Once VMs are tagged correctly, verify tagging is working by going to the Workload Groups by selecting the group > View Members.
Now that VMs are properly grouped and tagged, Compute Gateway rules can now be configured and published. Go to Networking & Security > Compute Gateway > Add New Rule > Name the rule and select your source and destination. You should see your newly created group in the selection.
To verify that the rule is applied correctly, go to Networking & Security > Inventory > Groups > Workload Groups > Select the group that was added to the edge firewall rule > Select View Reference.
Below is a demo showing how VMs (tagged “Web”) on different Network segments can all access the internet with one rule.