VMware Cloud on AWS – Networking Reference Architecture

VMware Cloud on AWS – Networking Reference Architecture – 1

On-premises connectivity using AWS Direct Connect to a virtual private gateway and AWS Site-to-Site Virtual Private Network (VPNs).

[Diagram: a customer data center with a customer router connects over AWS Direct Connect (Region A) and over Internet-based AWS Site-to-Site VPNs (backup paths) to the AWS Cloud. Region A contains VMware Cloud on AWS SDDC A (vCSA, NSX, HCX, SRM, NSX Edge, MGW, CGW, public and private subnets across Availability Zones 1 and 2) with its Connected VPC A, and Customer VPC A1 with a VGW. Region B contains SDDC B with Connected VPC B and Customer VPC B1 with a VGW. A Direct Connect Gateway (DXGW) sits at the Amazon network edge; a gateway association from the DXGW to an SDDC is marked "Not supported on SDDC". The numbered callouts are described below.]

1. A private virtual interface (VIF) establishes connectivity to the VMware Software-Defined Data Center (SDDC) A in AWS Region A.
2. The AWS Site-to-Site VPN (over Internet) provides backup connectivity to the private VIF, giving resilient connectivity to the VMware SDDC A.
3. A public VIF enables access to all AWS public services and endpoints using their public IP addresses.
4. The lack of a Direct Connect connection in Region B creates a design constraint; therefore, a Site-to-Site VPN is established to the VMware SDDC B. This VPN leverages the public VIF of the Direct Connect connection in Region A. Site-to-Site VPNs over a public VIF can also be used to establish a more consistent network experience compared to Internet-based VPNs. Alternatively, redundant Site-to-Site VPNs (not shown) can be established for resiliency.
5. A private VIF to the AWS Direct Connect Gateway (DXGW) enables the DXGW to establish on-premises communication to Amazon VPCs in different Regions by associating the DXGW with the virtual private gateways (VGWs).
6. The private VIF to the DXGW cannot be used for gateway associations to a VMware SDDC. This feature is not supported on VMware Cloud on AWS.
7. Gateway associations are established between the DXGW and the VGWs to enable on-premises communication with Amazon VPCs in multiple Regions.
8. Site-to-Site VPNs are configured as a backup to the DXGW-VGW associations for more resilient connectivity to Amazon VPCs.

Reviewed for technical accuracy March 10, 2022. AWS Reference Architecture.
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VMware Cloud on AWS – Networking Reference Architecture – 2

On-premises connectivity using AWS Direct Connect with Direct Connect Gateway and AWS Transit Gateway.

[Diagram: a customer data center with customer routers 1 and 2 connects over AWS Direct Connect in Region A and in Region B to the AWS Cloud. Each Region has an AWS Transit Gateway (TGW A, TGW B) with VPC attachments to Customer VPC A1 / B1, a VPN attachment to the SDDC, and a gateway association to the Direct Connect Gateway (DXGW); the two TGWs are joined by a peering attachment. Each Region contains a VMware Cloud on AWS SDDC (vCSA, NSX, HCX, SRM, NSX Edge, MGW, CGW, VGW, public and private subnets across Availability Zones 1 and 2) with its Connected VPC. The numbered callouts are described below.]

1. The AWS Direct Connect private VIF in Region A establishes connectivity from the on-premises network to the SDDC in Region A. Similarly, the AWS Direct Connect private VIF from Region B establishes connectivity from the on-premises network to the SDDC in Region B.
2. Dual Transit VIFs establish redundant, resilient connectivity from on-premises to the Direct Connect Gateway (DXGW).
3. The DXGW is associated with the AWS Transit Gateway in both Regions to provide on-premises connectivity to Amazon VPCs.
4. The Transit Gateway is a Regional virtual router that is capable of transitive routing between networks connected to it using the following attachments:
   • VPC attachments
   • VPN attachments
   • DXGW attachments
   • Peering attachments
5. VPC attachments enable VPCs to establish communication with other VPCs and networks connected to the Transit Gateway.
6. The Transit Gateway peering attachment enables cross-Region communication between networks connected to Transit Gateway A and Transit Gateway B.
7. Transit Gateway VPN attachments enable communication between the SDDC and networks connected to the Transit Gateway in the respective Regions. However, VMkernel traffic (including ESXi management, vMotion, and vSphere Replication traffic) is prioritized over the private VIF, making the VPN attachments unusable for this traffic. Ensure the VPN does not learn the on-premises routes that are used together with a private VIF.

Reviewed for technical accuracy March 10, 2022. AWS Reference Architecture.
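The caveat in callout 7 (VMkernel traffic stays on the private VIF, so the Transit Gateway VPN attachment must not learn the same on-premises prefixes) can be checked mechanically before a VPN goes live. The following Python is an added example and not part of the AWS reference architecture: the prefixes are constructed sample values, the function names are my own, and the check only compares CIDR blocks, so it says nothing about BGP policy on the customer router.

```python
"""Added example (not part of the AWS reference architecture): check that a
Transit Gateway VPN attachment does not learn on-premises prefixes that the
SDDC must reach over the Direct Connect private VIF.
All prefixes below are constructed sample values."""
import ipaddress

# Constructed: on-premises prefixes advertised to the SDDC over the private VIF
PRIVATE_VIF_PREFIXES = ["10.10.0.0/16", "192.168.100.0/24"]
# Constructed: prefixes the VPN attachment learned from the customer router
VPN_LEARNED_PREFIXES = ["10.10.50.0/24", "172.16.0.0/12", "192.168.0.0/16"]


def classify_overlap(vpn_net, vif_net):
    """Describe how a VPN-learned network relates to a private-VIF network.
    CIDR blocks either nest or are disjoint, so one of these always applies
    when the two networks overlap."""
    if vpn_net == vif_net:
        return "same prefix"
    if vpn_net.subnet_of(vif_net):
        return "more specific than private VIF route"
    if vpn_net.supernet_of(vif_net):
        return "less specific than private VIF route"
    return None


def find_route_overlaps(private_vif_prefixes, vpn_learned_prefixes):
    """Return (vpn_prefix, vif_prefix, relation) for every overlapping pair.
    An empty list means the VPN attachment learned nothing that competes with
    the private VIF for on-premises destinations."""
    vif_nets = [ipaddress.ip_network(p, strict=False) for p in private_vif_prefixes]
    vpn_nets = [ipaddress.ip_network(p, strict=False) for p in vpn_learned_prefixes]
    conflicts = []
    for vpn_net in vpn_nets:
        for vif_net in vif_nets:
            # different IP versions cannot overlap; skip before calling overlaps()
            if vpn_net.version != vif_net.version or not vpn_net.overlaps(vif_net):
                continue
            conflicts.append((str(vpn_net), str(vif_net),
                              classify_overlap(vpn_net, vif_net)))
    return conflicts


def vpn_routes_are_safe(private_vif_prefixes, vpn_learned_prefixes):
    """True when no VPN-learned prefix overlaps a private-VIF prefix."""
    return not find_route_overlaps(private_vif_prefixes, vpn_learned_prefixes)


if __name__ == "__main__":
    for vpn_prefix, vif_prefix, relation in find_route_overlaps(
            PRIVATE_VIF_PREFIXES, VPN_LEARNED_PREFIXES):
        print(f"VPN route {vpn_prefix} overlaps private VIF route {vif_prefix}: {relation}")
    print("safe:", vpn_routes_are_safe(PRIVATE_VIF_PREFIXES, VPN_LEARNED_PREFIXES))
```

Both the more-specific and the less-specific cases are reported: a more-specific VPN route would attract workload traffic away from the private VIF while VMkernel traffic stays on it, and a less-specific one still covers on-premises destinations that should only be reached over the VIF.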
VMware Cloud on AWS – Networking Reference Architecture – 3

Highly resilient on-premises connectivity using AWS Direct Connect, Direct Connect Gateway, AWS Transit Gateway, and VMware Transit Connect.

[Diagram: a customer data center with customer routers connects over AWS Direct Connect in Region A and in Region B (Transit VIFs) to a Direct Connect Gateway (DXGW). In each Region an AWS Transit Gateway (TGW A, TGW B) has a gateway association to the DXGW, VPC attachments to Customer VPC A1 / B1, and a peering attachment to the VMware Transit Connect (vTGW A, vTGW B) of the SDDC Group; TGW A and TGW B are peered, and vTGW A and vTGW B are peered. Each Region contains a VMware Cloud on AWS SDDC (vCSA, NSX, HCX, SRM, NSX Edge, MGW, CGW, public and private subnets across Availability Zones 1 and 2) with its Connected VPC. The diagram notes that VPC-to-VPC traffic flow is NOT ALLOWED via the vTGW. The numbered callouts are described below.]

1. Transit Virtual Interfaces (VIFs) from two separate AWS Direct Connect instances in different Regions are used to establish resilient and fault-tolerant connectivity to AWS Regions A and B.
2. The DXGW is associated with AWS Transit Gateway (TGW) instances in each Region to provide on-premises connectivity.
3. The AWS Transit Gateway is a Regional virtual router that is capable of transitive routing between networks connected to VPC, VPN, and peering attachments and DXGW associations.
4. The SDDC Group uses a VMware Transit Connect (vTGW) to provide high-bandwidth, low-latency connectivity between:
   • SDDCs in an SDDC Group
   • SDDCs and attached VPCs
   • SDDCs and on-premises via DXGW
5. VPC attachments enable VPCs to establish communication with other VPCs and networks connected to the Transit Gateway.
6. Alternatively, VPC attachments to VMware Transit Connect (vTGW) enable VPCs to establish communication with ONLY the SDDC networks connected to the same vTGW.
7. External TGW peering attachments enable communication between the SDDC networks and the networks connected to the TGW.
8. The cross-Region VMware Transit Connect peering enables communication ONLY between SDDC networks connected to vTGW A and vTGW B.
9. The cross-Region AWS Transit Gateway peering attachment enables communication between networks connected to TGW A and TGW B.

Reviewed for technical accuracy March 10, 2022. AWS Reference Architecture.
VMware Cloud on AWS – Networking Reference Architecture – 4

Using a security VPC for inspecting north-south Internet-to-SDDC traffic, VPC-to-SDDC traffic, and on-premises-to-SDDC traffic.

[Diagram: a customer data center with customer routers connects over AWS Direct Connect (Region A, Transit VIF) to a DXGW with a gateway association to an AWS Transit Gateway (TGW) in Region A. The TGW has VPC attachments to the Security VPC (which contains the Internet Gateway, IGW) and to the spoke Customer VPCs A1, A2 and A3, and a peering attachment to the VMware Transit Connect (vTGW) of the SDDC Group. The SDDC Group contains VMware Cloud on AWS SDDC A (vCSA, NSX, HCX, SRM, NSX Edge, MGW, CGW, public and private subnets across Availability Zones 1 and 2) with its Connected VPC A. The numbered callouts are described below.]

1. A Transit VIF over an AWS Direct Connect instance is used to connect to an AWS Direct Connect Gateway (DXGW), which is associated with AWS Transit Gateway (TGW) instances to complete the on-premises connectivity to the AWS Region.
2. The Transit Gateway (TGW) is a Regional virtual router that is capable of transitive routing between networks. The TGW can redirect all incoming traffic from on-premises towards the security VPC.
3. The Internet Gateway (IGW) is a VPC component that provides centralized Internet access for the AWS workloads.
4. The security VPC can be configured with AWS Network Firewall or third-party firewalls for:
   • SDDC egress/ingress traffic inspection
   • Perimeter security
5. VPC attachments are used to connect one or more spoke VPCs. Traffic between the spoke VPCs and the SDDCs always traverses the security VPC.
6. The SDDC Group uses a VMware Transit Connect (vTGW) to provide high-bandwidth, low-latency connectivity between:
   • SDDCs in an SDDC Group
   • SDDCs and attached VPCs
   • SDDCs and on-premises via DXGW
7. The external TGW peering attachment ensures that all SDDC ingress/egress traffic traverses the security VPC. This includes:
   • AWS VPC traffic
   • On-premises traffic
   • Internet traffic

Reviewed for technical accuracy March 10, 2022. AWS Reference Architecture.
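What makes callouts 2, 5 and 7 hold in practice is the Transit Gateway route-table layout: every non-security attachment is associated with a table whose only route is a default route to the security VPC, and the security VPC attachment is associated with a second table that holds the real destinations. The following Python is an added example and not part of the AWS reference architecture: it models that layout with longest-prefix matching and audits constructed sample flows so that any route leaking into the ingress table (the classic way to bypass inspection) is caught. Attachment names, prefixes and the two-table layout are my assumptions, consistent with the page's description rather than taken from an AWS configuration.

```python
"""Added example (not part of the AWS reference architecture): a model of the
Transit Gateway route tables behind the security-VPC design, plus an audit that
confirms every sample flow is steered through the security VPC.
Attachment names, route tables, prefixes and flows are constructed."""
import ipaddress

SECURITY_VPC = "security-vpc"   # attachment of the inspection VPC (firewall + IGW)

# Hypothetical attachments and the TGW route table each one is associated with.
ASSOCIATIONS = {
    "onprem-dxgw": "ingress-rt",    # DXGW association over the Transit VIF (callout 1)
    "spoke-vpc-a1": "ingress-rt",   # spoke VPC attachments (callout 5)
    "spoke-vpc-a2": "ingress-rt",
    "spoke-vpc-a3": "ingress-rt",
    "vtgw-peering": "ingress-rt",   # external peering to VMware Transit Connect (callout 7)
    SECURITY_VPC: "post-inspection-rt",
}

# Route tables: prefix -> next-hop attachment.  The ingress table knows only a
# default route to the security VPC; the post-inspection table holds the real
# destinations and is consulted only for traffic the firewall returns to the TGW.
ROUTE_TABLES = {
    "ingress-rt": {"0.0.0.0/0": SECURITY_VPC},
    "post-inspection-rt": {
        "10.100.0.0/16": "vtgw-peering",   # SDDC segments (constructed)
        "10.1.0.0/16": "spoke-vpc-a1",
        "10.2.0.0/16": "spoke-vpc-a2",
        "10.3.0.0/16": "spoke-vpc-a3",
        "192.168.0.0/16": "onprem-dxgw",   # on-premises prefixes (constructed)
        # no default route: Internet-bound traffic leaves via the IGW in the security VPC
    },
}


def longest_prefix_match(table, dst):
    """Return the next-hop attachment for dst, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, nexthop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = nexthop, net.prefixlen
    return best


def trace(src, dst, route_tables=ROUTE_TABLES, associations=ASSOCIATIONS):
    """Follow a flow entering the TGW from attachment src towards dst.
    Returns the list of attachments traversed, starting with src."""
    path = [src]
    table = associations[src]
    for _ in range(4):   # hop bound guards against a route-table loop
        nexthop = longest_prefix_match(route_tables[table], dst)
        if nexthop is None:
            return path   # no TGW route: the flow exits at the last attachment
        path.append(nexthop)
        if nexthop != SECURITY_VPC:
            return path   # delivered to a spoke, on-premises or the SDDC
        table = associations[nexthop]   # firewall hands the packet back to the TGW


SAMPLE_FLOWS = [                      # constructed (source attachment, destination IP)
    ("onprem-dxgw", "10.100.4.10"),   # on-premises -> SDDC
    ("spoke-vpc-a1", "10.100.4.10"),  # spoke VPC -> SDDC
    ("vtgw-peering", "10.2.0.25"),    # SDDC -> spoke VPC
    ("vtgw-peering", "192.168.7.7"),  # SDDC -> on-premises
    ("vtgw-peering", "203.0.113.9"),  # SDDC -> Internet (documentation address)
]


def audit(route_tables=ROUTE_TABLES, flows=SAMPLE_FLOWS):
    """Return the flows that would reach their destination without traversing
    the security VPC; an empty list means the design holds for these flows."""
    bypasses = []
    for src, dst in flows:
        path = trace(src, dst, route_tables)
        if SECURITY_VPC not in path[1:]:
            bypasses.append((src, dst, path))
    return bypasses


# A misconfiguration to audit against: a specific SDDC route added to the ingress
# table lets spoke and on-premises traffic reach the SDDC without inspection.
BYPASS_TABLES = {
    "ingress-rt": {"0.0.0.0/0": SECURITY_VPC, "10.100.0.0/16": "vtgw-peering"},
    "post-inspection-rt": ROUTE_TABLES["post-inspection-rt"],
}

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src} -> {dst}: {' -> '.join(trace(src, dst))}")
    print("bypasses in intended design:", audit())
    print("bypasses with leaked route:", audit(BYPASS_TABLES))
```

The audit treats a flow as inspected only when the security VPC appears after the source attachment in its path, so a default route alone is not enough: any more-specific route in the ingress table wins longest-prefix matching and shows up as a bypass.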
