Tag Archives: cloud

Native AWS VPC Connecting to VMware Cloud on AWS (Part 1) – Native VPC Connectivity via VPN

With the release of VMware Cloud on AWS 1.12, we delivered additional connectivity options with the addition of Transit Connect (a VMware-managed AWS Transit Gateway). Over the past few weeks, I have been working on a project that has specific success criteria as well as challenges that rule out certain connectivity options, so I thought the best way to show how we got around the issue was to walk through how we did it, since Transit Connect and AWS Direct Connect were out of scope. The plan is for this to be a multi-part blog series that details how to set up and test a route-based VPN, attach to native AWS EC2 workloads via ENI in the VMC VPC, and leverage a Transit Connect that makes connectivity easier to configure, manage and maintain. The diagram below is the overall architecture for those already leveraging AWS native services via a Direct Connect and Transit Gateway but who, for certain reasons, can only connect to VMC via IPsec VPN (shout out to fellow VMC Architect Will Lin for the assist!). While Direct Connect provides much better speeds and feeds, you may still be able to accomplish what you need depending on your application requirements.

Step 1: To get things started, we need to either identify or create a VPC that we want to communicate with the VMware Cloud on AWS SDDC. If you already have a VPC configured you can skip to Step 2. To create a new VPC, log into your AWS account and go to Services > VPC > Create VPC. Similar to creating your VMC SDDC, it is paramount that you plan your CIDR range appropriately so you can assign subnets correctly based on what you are trying to accomplish. ** Make sure you are selecting the correct AWS Region based on your requirements! **

Next, create a subnet that you will assign to the VPC. This is why understanding the CIDR ranges is important: you cannot have any overlap between your VPC CIDR and VPC subnets, so keep that in mind as you build things out.

Creating a subnet assigned to the AWS VPC

Step 2: Deploy an AWS Transit Gateway (TGW). For reference, an AWS Transit Gateway connects VPCs and on-premises networks through a central hub. Keep in mind the default ASN for the AWS TGW is 64512. If you are going to use an existing TGW, get the correct number from your team. For the sake of this blog, I set up the TGW with all the default settings.

Step 3: Create a Customer Gateway (CGW). A CGW is a resource that you create in AWS that represents the customer gateway device in your on-premises network, or VMC in this situation.

In order to configure the CGW, you need to enter the VPN Public IP listed in the Networking & Security section of the SDDC console.

Step 4: With your transit and customer gateways configured, it’s time to create the VPN connection from the AWS side. Go to Services > VPC > Site-to-Site VPN Connections > Create VPN Connection. Name the VPN connection, select “Transit Gateway” as the gateway type and add your CGW. Take note that you can also create a new CGW here if you didn’t as part of the previous steps. We want to set the routing options to dynamic so we can take advantage of BGP. My personal preference is to define the tunnel CIDR myself and, per AWS documentation, this needs to be a /30 within a certain range. I also created a basic pre-shared key rather than have AWS generate the key randomly.

AWS VPN Configuration

Step 5: Download the VPN configuration as a generic file. This is where you can validate the configuration and use it for configuring the VPN from the VMware Cloud SDDC Console.

Step 6: Configure the VPN on the SDDC. Go to the VMC SDDC Console > Networking & Security > VPN > Route Based > Add VPN. Here you want to take the Virtual Private Gateway Outside IP and enter that into the Remote Public IP field. Take the Customer Gateway Inside IP Address and enter that as the BGP Local IP. Next, take the Virtual Private Gateway Inside IP and enter that into the BGP Remote IP field. All that’s left is to enter the BGP ASN that you configured earlier as part of the TGW creation. It should also be listed in the config file you downloaded. If all numbers are correct, you should see the VPN tunnel and BGP come up in a matter of minutes! If the VPN comes up and BGP does not, check your IPs and ASNs. Additional help can also be found here!!!!

You now have a working VPN from AWS to VMC!!! While the tunnel is up, there is more work to do so you can fully test traffic. In Part 2 I will cover routing tables and SDDC Gateway rules to enable two way communication. Stay tuned!!!!
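The same six steps, driven from the AWS CLI instead of the console, as an added example that is not part of the original post. It assumes the AWS CLI is installed with working credentials; every value in it (region, VPC and subnet CIDRs, the VMC VPN public IP and BGP ASN, the pre-shared key) is a constructed placeholder to replace with the values from your own SDDC console. The checks on the tunnel inside CIDR (a /30 in 169.254.0.0/16, avoiding the blocks AWS reserves) and on the pre-shared key (8 to 64 characters, letters, digits, periods and underscores, not starting with 0) follow the AWS Site-to-Site VPN documentation. The script runs in dry-run mode unless `DRY_RUN=0` is set, so you can review the calls before anything is created.

```shell
#!/bin/sh
# Added example (not the post's own code): Steps 1-6 via the AWS CLI.
# Every resource value below is a placeholder; take the real ones from your
# AWS account and the VMC SDDC console (Networking & Security > VPN).
set -eu

# ---- input checks the console would otherwise do for you ---------------------

# Tunnel inside CIDR: AWS requires a /30 inside 169.254.0.0/16 that is not one
# of the blocks AWS reserves (169.254.0.0/30 .. 169.254.5.0/30, 169.254.169.252/30).
validate_inside_cidr() {
    case "$1" in
        169.254.0.0/30|169.254.1.0/30|169.254.2.0/30|169.254.3.0/30|\
        169.254.4.0/30|169.254.5.0/30|169.254.169.252/30) return 1 ;;
        169.254.*.*/30) ;;
        *) return 1 ;;
    esac
    last=${1##*.}; last=${last%/30}   # last octet must sit on a /30 boundary
    [ "$last" -ge 0 ] 2>/dev/null && [ "$((last % 4))" -eq 0 ]
}

# TGW Amazon-side ASN: private 16-bit range (64512-65534, default 64512 as in
# the post) or the private 32-bit range (4200000000-4294967294).
validate_asn() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    { [ "$1" -ge 64512 ] && [ "$1" -le 65534 ]; } ||
    { [ "$1" -ge 4200000000 ] && [ "$1" -le 4294967294 ]; }
}

# Pre-shared key: 8-64 chars of [A-Za-z0-9._], must not start with 0.
validate_psk() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z1-9._][A-Za-z0-9._]{7,63}$'
}

# Echo the call instead of running it unless DRY_RUN=0 (returns a fake id so
# the later steps still chain together when reviewing the plan).
aws_cmd() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'DRY RUN: aws %s\n' "$*" >&2
        printf 'dry-run-id\n'
    else
        aws "$@"
    fi
}

deploy() {
    REGION=${REGION:-us-west-2}               # placeholder region
    VPC_CIDR=${VPC_CIDR:-10.10.0.0/16}        # placeholder; must not overlap the SDDC
    SUBNET_CIDR=${SUBNET_CIDR:-10.10.1.0/24}  # placeholder; inside VPC_CIDR
    TGW_ASN=${TGW_ASN:-64512}                 # AWS default, as in the post
    VMC_VPN_IP=${VMC_VPN_IP:-203.0.113.10}    # placeholder (TEST-NET-3); SDDC "VPN Public IP"
    VMC_BGP_ASN=${VMC_BGP_ASN:-65000}         # placeholder; take the SDDC's BGP ASN
    INSIDE_CIDR=${INSIDE_CIDR:-169.254.10.0/30}
    PSK=${PSK:-example_psk_change_me}         # placeholder pre-shared key

    validate_inside_cidr "$INSIDE_CIDR" || { echo "bad tunnel inside CIDR" >&2; exit 1; }
    validate_asn "$TGW_ASN"              || { echo "bad TGW ASN" >&2; exit 1; }
    validate_psk "$PSK"                  || { echo "bad pre-shared key" >&2; exit 1; }

    # Step 1: VPC and a subnet inside it
    VPC_ID=$(aws_cmd ec2 create-vpc --region "$REGION" --cidr-block "$VPC_CIDR" \
        --query Vpc.VpcId --output text)
    SUBNET_ID=$(aws_cmd ec2 create-subnet --region "$REGION" --vpc-id "$VPC_ID" \
        --cidr-block "$SUBNET_CIDR" --query Subnet.SubnetId --output text)

    # Step 2: Transit Gateway with the chosen Amazon-side ASN
    TGW_ID=$(aws_cmd ec2 create-transit-gateway --region "$REGION" \
        --options "AmazonSideAsn=$TGW_ASN" \
        --query TransitGateway.TransitGatewayId --output text)
    # Not among the post's six steps, but the TGW cannot reach the VPC without
    # an attachment (route tables are left to the post's Part 2).
    aws_cmd ec2 create-transit-gateway-vpc-attachment --region "$REGION" \
        --transit-gateway-id "$TGW_ID" --vpc-id "$VPC_ID" --subnet-ids "$SUBNET_ID" \
        --query TransitGatewayVpcAttachment.TransitGatewayAttachmentId --output text >/dev/null

    # Step 3: Customer Gateway representing the SDDC's VPN endpoint
    CGW_ID=$(aws_cmd ec2 create-customer-gateway --region "$REGION" --type ipsec.1 \
        --public-ip "$VMC_VPN_IP" --bgp-asn "$VMC_BGP_ASN" \
        --query CustomerGateway.CustomerGatewayId --output text)

    # Step 4: VPN to the TGW, dynamic routing (BGP), own /30 and own PSK
    VPN_ID=$(aws_cmd ec2 create-vpn-connection --region "$REGION" --type ipsec.1 \
        --customer-gateway-id "$CGW_ID" --transit-gateway-id "$TGW_ID" \
        --options "{\"StaticRoutesOnly\":false,\"TunnelOptions\":[{\"TunnelInsideCidr\":\"$INSIDE_CIDR\",\"PreSharedKey\":\"$PSK\"}]}" \
        --query VpnConnection.VpnConnectionId --output text)

    # Step 5: the generic configuration the post downloads from the console
    CFG=$(aws_cmd ec2 describe-vpn-connections --region "$REGION" \
        --vpn-connection-ids "$VPN_ID" \
        --query 'VpnConnections[0].CustomerGatewayConfiguration' --output text)
    printf '%s\n' "$CFG" > "vpn-$VPN_ID.xml"
    # Step 6 happens in the SDDC console: copy the outside IP, inside IPs and
    # ASN from that file into Networking & Security > VPN > Route Based.
    echo "VPN $VPN_ID created; configuration saved to vpn-$VPN_ID.xml"
}

[ "${1:-}" = "deploy" ] && deploy || :
```

Run it as `sh vpn-to-vmc.sh deploy` to print the planned calls, and with `DRY_RUN=0` to create the resources. The validators are kept as separate functions so the tunnel CIDR, ASN and pre-shared key can be checked before any resource exists; a typo in any of them is exactly the "VPN up but BGP down" symptom the post describes in Step 6.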


Embrace the “New Normal”

“The only constant in life is change” -Heraclitus

Being in IT for 15+ years I have seen many things change, from 3.5″ floppy disks to 64 GB microSD cards and from the Intel i486 processor to the ARM Cortex-A72 processors found in Raspberry Pis. To take it a step further, my foray into IT was more of a trial by fire than a chosen profession. Back in my college days I worked for a small startup as a project manager for a call center that provided customer support and telesales. Due to our size, we all filled many roles and as we onboarded handfuls of new reps every few weeks, yours truly was responsible for setting up PCs. That means physically setting them up to use….not configuring roaming profiles or any type of OS configuration. I mean plugging in keyboards, mice, and monitors via PS/2 and VGA connectors. I still to this day don’t know why I chose the path that I did, but there was something about tearing things down and rebuilding them that piqued my interest. Due to our size and budget, there were several occasions where we cannibalized two mediocre PCs to create one that was one step above mediocre. Fast forward a few years and I’m CompTIA A+ and Network+ certified, working my way towards a Microsoft Certified Systems Engineer (MCSE).

Why do I bring this all up? First, the best way to further your IT career is to be curious. Second, as I have been working with several enterprise and commercial customers over the past six years, I see the need for VI administrators and system administrators to rapidly expand their skill sets to remain relevant and valued within the organization.

Scripting

I will be the first to admit that I am not a developer. With a heavy Windows background, I have always preferred a GUI since reading lines of code was very foreign to me. That being said, as I grew more comfortable with system administration via Windows, I became more curious about how I could automate more of my daily tasks via scripts…enter the login.bat file for Windows user profiles! While it wasn’t exactly complex, it still gave me an entry point to learn how to automate small processes that saved me a lot of time. Hopefully most of us rely heavily on scripts and are using tools such as PowerShell. If you aren’t, you should!

With my Windows background, CLI based operating systems such as Linux and IOS scared me to death! I had no idea how to start and the closest thing I could compare it to was MS-DOS back in my early gaming days when the original King’s Quest was released. It wasn’t until working with ESX, Cisco, and OpenBSD for customer projects where I started facing my insecurities around CLI and discovered it wasn’t as intimidating as I once thought. While I don’t think I will ever be a developer or coder, I can unequivocally state that getting comfortable with CLIs within ESXi and NSX is a MUST for any VI admin. My first recommendation is to head over to VMware {code} and get started with PowerCLI! Once you become more familiar with PowerCLI, don’t spend all of your time writing your own scripts. PowerCLI guru Alan Renouf has a litany of scripts that may be of benefit. He has created scripts for VMs, Storage, Hosts, reporting and more!

APIs

The Application Programming Interface (API) is quickly becoming a necessary skill set for any administrator or engineer. Being able to make API calls (requests) to applications and services takes the ability to programmatically administer environments to another level. Over the past several years, VMware has worked hard to create REST (REpresentational State Transfer) APIs to allow developers and VI admins alike to better automate on several levels. In addition, there are some features of VMware services that can only be done via API, or that are released in the API first with the GUI following. A full list of VMware APIs can be found here. If you come from an operations background like me, you may prefer a GUI tool to assist when getting started with APIs. I have found Postman to be beneficial. To get things started, I have included two videos that should help. The first is a vBrownBag session from Kyle Ruddy who walks through vSphere APIs with Postman.

The second is an introduction to VMware Cloud on AWS.

Leveraging APIs is the new normal. If you are a VMware Cloud on AWS customer, take time to dig into the Developer Center and start playing with the API Explorer and Code Samples! Two more great resources for leveraging VMware APIs are Patrick Kremer and William Lam. Truth be told, if there is an API question that I can’t answer, William always seems to have it!

VMware Cloud on AWS Developer Center

I am new-ish to this way of life but really enjoy learning new skills! If you are in tech, it’s a lifetime of learning so we all should embrace it with excitement. I hope to post more about my learnings and possibly even share some code samples but until then….click through all the links above and get started!!!

If You Build It, Will They Come?

Some of you may remember the movie Field of Dreams where Kevin Costner’s character Ray Kinsella hears the phrase “if you build it, they will come.” Ray interprets this to mean he needs to plow under a portion of his corn field to build a baseball field and risk the economic and emotional stability of the family he loves dearly. The ending of the movie is open to interpretation, but we assume Ray and his family lived happily ever after even if it seemed like a crazy idea to everyone else.

With all the industry buzz around Cloud, many customers believe that if they build a Cloud solution (on or off premises) people will adapt and use it. This could not be further from the truth. Those of you wanting to disrupt the status quo need to first ask the question “what problem am I trying to solve?” Without specific use cases, you can end up wasting hundreds of thousands of dollars building a solution that no one will use. Once you have determined the problem(s) you would like to solve and fully understand what the goal is, you can then begin looking at solutions. Without a true problem to solve and full understanding of the cloud solution of choice, you risk building a cloud solution with no customers.

This past week VMware Staff Solution Architect Sudhir Balasubramanian authored a blog covering Oracle RAC on VMware Cloud on AWS. One of the most compelling things about VMware Cloud on AWS is the fact that its underlying architecture is built on vSphere, vSAN, and NSX. This makes moving Business Critical Application workloads to a public cloud easier.

Welcome to Street 2 Clouds!

As we discussed what we wanted to accomplish with this website, we discovered we are very passionate about what we do. We like to see customers SUCCEED! Our roles place us very close to customers who have already adopted virtualization as a core platform and are now moving forward into the new world of cloud computing. By definition, cloud computing is an information technology paradigm, a model for enabling ubiquitous access to shared pools of configurable resources (such as computer networks, servers, storage, applications and services), which can be rapidly provisioned with minimal management effort, over the Internet or on premises. While cloud computing is a simple concept, the implementation of such is anything but easy. Technology is great, but it’s people and processes that make the magic happen. Our goal is to bring our “street” experience as consultants and customer advocates and help you all become even more “cloud” ready. Come back often as we will be updating content frequently.

-SL