AWS re:Invent 2018 – Day 1

This is where things really get moving. I’m happy to say I didn’t regret gorging myself with wings the night before and was ready to hit the ground running to see re:Invent in full swing. Day 1 step count…15,308 (7.57 mi). I started off the morning by attending everyone’s favorite topic….SECURITY!!! This session was spent debunking 13 Cloud Security Myths. A few things that I already knew were reinforced. One, public clouds are more secure that on-prem data centers. Two, security should be the first thing you think about when deploying everything from applications to infrastructure. Three, if you continue to follow older security models that have been around for years, you are missing the entire point of the cloud!

 

Next up was a two-hour workshop getting some hands-on experience with the AWS Virtual Private Cloud (VPC). VPCs are the backbone to everything AWS including VMware Cloud on AWS. Although I have taken some online classes via AWS and A Cloud Guru, it was great to spend more time setting up VPCs as it is core to understanding how AWS works. We worked in groups of six where we set up VPC peering with each other. My main takeaway….have a concrete plan for the CIDR blocks you choose for your VPCs. If you don’t plan correctly, you will have to start over. A tool given out by the architects running the session was http://subnet-calculator.org/cidr.php . Bookmark it! An added benefit to the workshop was $25 in AWS credits!

Next stop was the Expo Hall and welcome reception. Of course, the hall was massive with hundreds of booths and all the SWAG you can handle. I decided to take a look around beforehand so I knew where to get “the good stuff.” Since I’m a VMware guy, it was awesome to see us well represented we even have our newest members of the family in Heptio (met Joe Beda at the booth) and Cloud Health with booths of their own.

The last session of the day was a VMware Cloud on AWS Deep Dive with Andy Reedy and Jin Zhang. If you ever get a chance to spend time with Andy, I would recommend it. I met him two years ago at some customer meetings and he is a fantastic architect. He got into the weeds with VMWonAWS regarding the host hardware and the interconnectivity between the vSphere hosts and AWS native services. We even went into the i3 and r5 models for EBS backed VSAN. It was a great session. As I have said before, AWS and VMware have a deep partnership to make this service available. The pace of innovation is blinding! Day 2 is next!!

This slideshow requires JavaScript.

Advertisement

VMware Cloud on AWS Connection Options

Happy New Year!!! This is going to be an exciting year for VMware Cloud on AWS and I wanted to kick off 2018 by highlighting the way in which you are going to connect into and out of VMware Cloud on AWS.

First of all, VMware Cloud on AWS is optimized (VMware Cloud Foundation) to run on dedicated, elastic bare metal infrastructure at a very high level inside Amazon’s data centers. For security purposes, the VMware Cloud on AWS SDCC is bifurcated to the components that manage the SDDC itself such as ESXi, VSAN, NSX, and vCenter.

Here’s a simple explanation of how you can setup the connectivity framework.

The first thing you need to setup is a connection to the management components of the SDDC.  You will first need to create a Management VPN and choose a set range of IP addresses that will be used by management components such as the ESXi hosts and vCenter. This range will be in the form of a simple CIDR block. We recommend using a /20 CIDR block for management purposes. After you connect the management portion of the SDDC, you will then need to setup an IPSec VPN between your on-prem data center and management components. This VPN can be setup over the Internet or AWS Direct Connect (DirectX). After this connection is established, you can then build firewall rules on the VMware Cloud on AWS Console. With these rules you can control access to the  vCenter from your on-prem data center.

There is an optional connection you can setup if you need access to your vCenter Server directly from the Internet. A public IP is automatically provided during the provisioning process. It is important to note that all access to this IP is restricted. To provide access, you will need to configure firewall rules in the VMware Cloud on AWS console to allow this direct type of Internet access.

The second VPN you will need to setup is between your compute workloads and your on-premise data center. Several logical networks are required to provide the IP addresses for the workloads you plan on migrating or build in VMware Cloud on AWS. This VPN secures these workloads and allows them to connect back to your on-prem data center. This can be an IPSec VPN or L2VPN. The L2VPN advantage is that you can stretch a single L3 IP space from on-prem to the cloud and is also required for live migrations. This VPN can go over the Internet or AWS DirectX. You can again create firewall rules as needed to access on-prem workloads.

The next connection is between your SDDC workloads and your Amazon VPC. This is automatically configured and built during the SDDC provisioning process. Once you select the Amazon VPC subnet that will be associated with your VMware Cloud on AWS SDDC an elastic network interface (ENI) will be created allowing traffic to flow between both environments.  In order to control security, you will need to configure AWS IAM policies as well as firewall rules on the VMware Cloud on AWS side to allow access between both. Lastly, you will likely need to give direct public internet access to some of your SDDC workloads. To make these accessible to the Internet, you will need to leverage AWS elastic IPs along with NAT and firewall configurations to allow this type of access.

That’s it! Now you are ready to leverage your SDDC on VMware Cloud on AWS!

Also, here’s a video that covers the content discussed above.

-SL