You're reading from VMware Cloud on AWS Blueprint

Product type: Book
Published in: Feb 2024
Publisher: Packt
ISBN-13: 9781803238197
Edition: 1st Edition
Authors (3):
Oleg Ulyanov

Oleg Ulyanov is a Staff Cloud Architect with more than 15 years of experience. He is a Subject Matter Expert in VMware Hybrid Cloud, cloud migration, networking, and storage. He has experience as a VMware professional services architect, helping customers achieve their technical and business goals through IT transformation and migrating to VMware Hybrid Clouds. He holds various industry certificates, including VMware VCP, VCAP6/7-DCV, SNIA, and Microsoft.

Michael Schwartzman

Michael Schwartzman, a Senior Azure Application Innovation Specialist at Microsoft, has over a decade of experience in cloud infrastructure, cloud security, and hybrid cloud solutions. Prior to his current role, Michael served as a Lead Cloud Solution Architect specializing in VMware Cloud on AWS. He has played a pivotal role in assisting Global ISVs with the development and sale of SaaS solutions on Azure. Additionally, Michael's broad expertise encompasses support for both digital natives and traditional enterprises, optimization of their cloud systems. His dedication to remaining at the forefront of the rapidly evolving tech landscape establishes him as a go-to expert for businesses seeking to leverage cutting-edge cloud technology.

Harsha Sanku

Harsha Sanku is a Solutions Architect at Amazon Web Services, specializing in AWS Hybrid Cloud and Edge Computing services. His expertise lies in Cloud Infrastructure including Networking & Security. He has been a VMware Cloud on AWS Specialist for the last four years. Harsha has a strong background in designing and implementing data center infrastructure and private clouds, with a particular focus on VMware technologies. In his current role at AWS, he collaborates with customers to migrate and modernize their hybrid cloud infrastructure, ensuring they remain competitive in the ever-evolving business and IT landscape.


Understanding Networking and Security Configurations

This chapter focuses on the practical basics of SDDC networking and security functionality, starting from basic networking and security features, including NSX Micro-Segmentation, and Day 2 operations.

You will learn the networking and security configuration essentials required for day-to-day work.

The following topics are covered in this chapter:

  • VMware Cloud on AWS NSX configuration overview
  • Managing SDDC networking
  • Virtual private network
  • Connected VPC
  • Direct Connect
  • Transit Connect
  • NSX security basic configuration
  • NSX day two operations
  • IPFIX
  • Port mirroring
  • NSX Micro-Segmentation

Before moving forward to the configurations, let’s summarize the NSX environment concept. You can find a detailed overview of VMware Cloud on AWS networking in Chapter 2.

VMware Cloud on AWS NSX configuration overview

VMware Cloud on AWS leverages VMware NSX functionality for network communication and security.

VMware Cloud on AWS utilizes NSX capabilities to create a logical network overlay on top of AWS VPC and SDDC constructs. It provides all switching, routing, and security services (including a firewall service with Micro-segmentation for ingress/egress traffic) required for the customer environment.

NSX has two layers of routing. One layer is the Tier-0 Edge Router, which serves as a North/South gateway to the traffic flowing in and out of the SDDC.

The second layer consists of the Tier-1 Gateways: the Management Gateway (MGW) and the Compute Gateway (CGW), which serve as North/South gateways to the SDDC networks. The management networks served by the MGW are used exclusively for the SDDC infrastructure management components. The default CGW acts as a default router for all networks used by the customer workloads.

A recently released...

Managing SDDC networking

VMware Cloud on AWS is a constantly evolving service, and that evolution changes the way customers access, manage, and troubleshoot SDDC networking and security configurations. At the initial launch of the service, all networking configuration elements were exposed directly through the VMware Cloud Console on the Networking & Security tab. However, as the number of networking features grew, a decision was made to move the configuration portion of the SDDC network to the NSX Manager web interface. The Networking & Security tab remains, but it now contains a set of view-only dashboards that help SDDC admins quickly identify the vital parts of the networking configuration.

Note

At the time of writing, it is still possible to revert to the legacy Networking & Security view by toggling a Legacy view radio button. However, this is temporary, and the Networking & Security view will be removed in a future release (as indicated in the following screenshot...

Virtual private network

You can use a Virtual Private Network (VPN) to establish connections between on-premises vSphere environments and other SDDCs, or between other cloud environments and VMware Cloud on AWS SDDCs. You can choose between policy-based and route-based VPN connectivity.

When using default Tier-1 routers, your VPN connection is terminated on the Tier-0 Gateway. For custom gateways, the VPN terminates directly on the custom gateway.

Route-based VPNs

Route-based VPNs support dynamic routing and simplify routing configuration in complex network environments. Route-based VPNs utilize BGP over a VPN tunnel. Customers can establish the tunnel using a private connection such as a Direct Connect private virtual interface (VIF) or public internet.

To configure the VPN connection, navigate to the Networking tab and click on the VPN section. Select SDDC and choose Route Based.

Provide the VPN connection name and specify the route-based VPN public IP endpoint in...

Connected VPC

Each VMware Cloud on AWS SDDC must be linked to an organization's customer-managed AWS account. Inside the AWS account, organizations must create a VPC with subnets and connect it to the SDDC. This is referred to as the connected VPC.

The connected VPC setup is done during the SDDC provisioning process. You can review the configuration using the Connected VPC section in the Networking tab – the connection details of the AWS account will appear, including AWS Account ID, VPC ID, and VPC Subnet.

Figure 6.43 – Reviewing connected Amazon VPC information


Aggregation Prefix Lists enable route aggregation: they are used to create aggregate prefixes behind customer-configured Tier-1 gateways. The routes that are part of an Aggregation Prefix List are advertised either on the INTRANET endpoint or on the SERVICES endpoint. As shown in Figure 6.44, an Aggregation Prefix List named Connected - VPC with aggregated prefixes that include the...

Direct Connect

The VMware NSX version available with VMware Cloud on AWS has a number of features that were specifically developed for the service and are not available on any other NSX deployment. One of the most important is the ability to attach a DX Virtual Interface (VIF) directly from the NSX web interface.

While a thoughtful discussion about different DX design and deployment configurations is outside of the scope of this book, we still would like to mention a few important things to consider when using DX connectivity with a VMware Cloud on AWS SDDC:

  • Both public and private VIFs are supported. However, only a private VIF can be used for hybrid cloud connectivity
  • Attachment to a DX gateway through Transit Connect is supported
  • You can use AWS-provided DX connectivity or opt for a cloud connectivity provider
  • DX information is located on the Networking tab in the Direct Connect menu item:
Figure 6.46 – Direct Connect configuration


Transit Connect

VMware Transit Connect is a VMware Managed Transit Gateway (vTGW), which enables complex network topology, including inter- and intra-Region SDDC connectivity, AWS VPC connection, and much more.

You deploy vTGW from the SDDC console through the SDDC groups feature, which lets customers manage multiple SDDCs and external AWS connectivity from one logical entity. SDDC groups are required to enable VMware Transit Connect. You can add just a single SDDC to a group – this action will trigger the creation of a vTGW.

To configure SDDC groups in the SDDC console, click on CREATE GROUP, as seen in the following screenshot:

Figure 6.47 – Creating a new SDDC group


Customers can select the SDDCs that need to be a part of the SDDC group in the wizard. In our example, we’ll provide the group with a descriptive name, add Enterprise-Customer-A and Enterprise-Customer-B SDDCs into the group, acknowledge the additional attachment...

NSX security basic configuration

The NSX Edge firewall, also known as the Gateway Firewall in VMware Cloud on AWS, provides security for North/South traffic. There are two default Edge firewalls: the MGW firewall, and the CGW firewall. In addition, as we have seen in this chapter, each Tier-1 gateway manages its own firewall rules.

Management Gateway firewall

The Management Gateway firewall protects access to management components such as vCenter and NSX.

There are two types of management groups: predefined management groups and user-defined management groups. When choosing a source or destination for a management firewall rule, there are three choices: Any, System-Defined, and User-Defined.

System-defined groups simplify the creation of common Management Gateway firewall rules. User-defined groups allow the creation of custom groups based only on an IP address. Such groups are commonly used to provide remote administrators access to management components.

You manage the...

NSX day two operations

Network administrators and security personnel often need to review network and security logs. This is often required for auditing or troubleshooting as well as security analysis.

VMware Cloud on AWS integrates all its logs in VMware Aria Operations for Logs.

This capability allows customers to analyze and troubleshoot their application flows by seeing the packets that match specific NSX firewall rules, and to observe the establishment of VPN connectivity. Once a firewall rule has been created on one of the gateway firewalls or on the DFW, logging can be turned on directly from the rule by clicking on the cogwheel on the right-hand side of the rule and enabling Logging, as seen in the following screenshot:

Figure 6.56 – NSX-T firewall rule logging enabled


The rule ID can be seen in the ID field. In this example it is 1017, as seen in the following screenshot:

Figure 6.57 – Rule ID Gateway Firewall


IPFIX

Security and network administrators use Internet Protocol Flow Information Export (IPFIX) and its predecessor, NetFlow, for troubleshooting and auditing. IPFIX, a modern IETF standard protocol for exporting traffic flow information, is based on NetFlow.

A flow is a sequence of packets sent in a given time slot and sharing the same 5-tuple values of source IP address, source port, destination IP address, destination port, and protocol. The flow information can include properties such as timestamps, packet/byte counts, input/output protocols, TCP flags, and encrypted flow information.

The IPFIX specification distinguishes exporters, the network entities that monitor traffic and export it in the IPFIX data model, from collectors, the systems that receive and store the exported flow records.
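To make the flow and exporter concepts concrete, here is an added example (not code from the book or from VMware or AWS) of the aggregation step an exporter performs: packets observed on a segment are grouped by the 5-tuple described above into flow records carrying start/end timestamps, packet and byte counts, and the union of TCP flags. The record field names follow the IPFIX information element names; the packets themselves are constructed sample data, and the idle-timeout behaviour is one common exporter convention, not a description of how the NSX exporter is implemented.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed example, not code from the book or from VMware/AWS: a minimal
# flow aggregator that turns packet observations into IPFIX-style flow records
# keyed on the 5-tuple. Record field names follow IPFIX information elements.

FiveTuple = Tuple[str, int, str, int, int]  # src IP, src port, dst IP, dst port, proto

# TCP flag bits as they appear in the TCP header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    ts: float        # observation time in seconds (constructed values)
    src: str
    sport: int
    dst: str
    dport: int
    proto: int       # IP protocol number: 6 = TCP, 17 = UDP
    length: int      # bytes on the wire
    tcp_flags: int = 0


@dataclass
class Flow:
    key: FiveTuple
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0   # union of all flags seen, like IPFIX tcpControlBits

    def to_record(self) -> dict:
        src, sport, dst, dport, proto = self.key
        return {
            "sourceIPv4Address": src, "sourceTransportPort": sport,
            "destinationIPv4Address": dst, "destinationTransportPort": dport,
            "protocolIdentifier": proto,
            "flowStartSeconds": self.first_seen, "flowEndSeconds": self.last_seen,
            "packetDeltaCount": self.packets, "octetDeltaCount": self.octets,
            "tcpControlBits": self.tcp_flags,
        }


def aggregate_flows(packets: List[Packet], idle_timeout: float = 60.0) -> List[dict]:
    """Group packets into flows by 5-tuple.

    A gap longer than idle_timeout between two packets of the same 5-tuple
    closes the current record and starts a new one; exporters do this so that
    an idle connection is reported promptly rather than only when it ends.
    Records are returned in the order they close: idle expiries first, then
    the flows still open at the end of the observation window.
    """
    open_flows: Dict[FiveTuple, Flow] = {}
    exported: List[Flow] = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        key: FiveTuple = (p.src, p.sport, p.dst, p.dport, p.proto)
        flow = open_flows.get(key)
        if flow is not None and p.ts - flow.last_seen > idle_timeout:
            exported.append(open_flows.pop(key))   # expire the idle record
            flow = None
        if flow is None:
            flow = Flow(key=key, first_seen=p.ts, last_seen=p.ts)
            open_flows[key] = flow
        flow.last_seen = p.ts
        flow.packets += 1
        flow.octets += p.length
        flow.tcp_flags |= p.tcp_flags
    exported.extend(open_flows.values())
    return [f.to_record() for f in exported]


# Constructed sample traffic: one HTTPS session, one DNS query, and a packet of
# the same HTTPS 5-tuple arriving after a long idle gap.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.1.10", 51000, "10.0.2.20", 443, 6, 60, SYN),
    Packet(0.1, "10.0.1.10", 51000, "10.0.2.20", 443, 6, 1200, ACK),
    Packet(0.2, "10.0.1.10", 51000, "10.0.2.20", 443, 6, 52, FIN | ACK),
    Packet(0.3, "10.0.1.10", 53001, "10.0.0.2", 53, 17, 80),
    Packet(200.0, "10.0.1.10", 51000, "10.0.2.20", 443, 6, 100, ACK),
]


def flow_summary() -> List[dict]:
    """Flow records for the constructed sample with a 60-second idle timeout."""
    return aggregate_flows(SAMPLE_PACKETS, idle_timeout=60.0)


if __name__ == "__main__":
    for rec in flow_summary():
        print(rec)
```

Running the block yields three records: the HTTPS session (3 packets, 1312 bytes, SYN/ACK/FIN bits set), the DNS query, and a second HTTPS record for the packet that arrived after the idle gap. Raising the idle timeout to 300 seconds merges that late packet back into the first session, which is the knob an analyst should check when a collector shows one connection split into several records.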

As long as there is IP connectivity from VMware Cloud on AWS, an IPFIX collector can be placed anywhere on the network. It could reside on-premises, within a VMware Cloud on AWS SDDC, or in AWS.

The configuration...

Port mirroring

Port mirroring allows us to copy and redirect packets to a destination monitoring device. This is useful for monitoring and analyzing specific traffic in use cases such as the following:

  • Copying traffic to an advanced firewall (IPS/IDS) for inspection
  • Using a copy of a traffic flow for troubleshooting purposes
  • Mirroring traffic to a Wireshark packet capture program to analyze application or packet loss issues

Port mirroring configuration includes specifying the traffic to be monitored (referred to as the source) and determining the direction in which the traffic should be monitored: whether it's the source, destination, or both.

Additionally, the configuration includes identifying the location to which the monitored traffic should be sent, which is typically a monitoring system. This system can be either remote or local.

There are different types of port mirroring sessions, which include Local Switch Port Analyzer (SPAN), Remote...

NSX Micro-Segmentation

The Distributed Firewall (DFW) feature is an integral part of NSX in VMware Cloud. It allows East/West firewalling, also known as micro-segmentation. Micro-segmentation enables customers to segment the network and apply security policies at the vNIC level, allowing the creation of security logic beyond the boundaries of Layer 3 segments.

The NSX DFW provides a contextual view of the virtual data center. Workloads can be secured using meaningful metadata instead of just destination and source IP addresses. For example, a VM instance, name, or security tag can be used for security rules, which allows security policies to be built based on business logic. It helps to reduce the impact of security breaches and meet compliance targets. The NSX DFW has powerful capabilities that allow advanced security use cases such as isolation, multi-tenancy, and DMZ Anywhere.
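The following added example (not the book's or VMware's code) illustrates the point about securing workloads on metadata rather than addresses. It is a small tag-driven policy evaluator: groups are defined by required security tags, rules reference groups instead of IP addresses, and the policy ends with an explicit default deny, so a workload that is re-addressed keeps its decisions while an untagged workload gets nothing. The inventory, tags, group names and rule IDs are all constructed, and the first-match evaluation is a generic model, not a statement about the NSX DFW's internal matching order.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple

# Constructed illustration, not the book's or VMware's code: a tag-driven
# policy evaluator showing how an East/West firewall can decide on workload
# identity rather than on IP addresses. All names, tags and IDs are made up.


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: FrozenSet[str]


@dataclass(frozen=True)
class Group:
    """Dynamic membership: a VM is a member if it carries every required tag."""
    name: str
    required_tags: FrozenSet[str]

    def contains(self, vm: VM) -> bool:
        return self.required_tags <= vm.tags


@dataclass(frozen=True)
class Rule:
    rule_id: int
    source: Optional[Group]        # None = any source
    destination: Optional[Group]   # None = any destination
    proto: Optional[str]           # "tcp", "udp" or None for any protocol
    ports: FrozenSet[int]          # destination ports; empty = any port
    action: str                    # "ALLOW" or "DROP"

    def matches(self, src: VM, dst: VM, proto: str, port: int) -> bool:
        if self.source is not None and not self.source.contains(src):
            return False
        if self.destination is not None and not self.destination.contains(dst):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.ports and port not in self.ports:
            return False
        return True


def evaluate(rules: List[Rule], src: VM, dst: VM, proto: str, port: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation top to bottom; anything unmatched falls to DROP."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action, rule.rule_id
    return "DROP", None


# Constructed three-tier inventory and the groups built from its tags.
WEB = Group("web-tier", frozenset({"app:shop", "tier:web"}))
APP = Group("app-tier", frozenset({"app:shop", "tier:app"}))
DB = Group("db-tier", frozenset({"app:shop", "tier:db"}))

web01 = VM("web01", "10.0.10.11", frozenset({"app:shop", "tier:web"}))
app01 = VM("app01", "10.0.20.21", frozenset({"app:shop", "tier:app"}))
db01 = VM("db01", "10.0.30.31", frozenset({"app:shop", "tier:db"}))
web02 = VM("web02", "10.0.10.12", frozenset())   # deployed without any tags

# East/West policy: only the intended hops are open, then explicit default deny.
POLICY = [
    Rule(1001, WEB, APP, "tcp", frozenset({8080}), "ALLOW"),
    Rule(1002, APP, DB, "tcp", frozenset({3306}), "ALLOW"),
    Rule(1003, None, None, None, frozenset(), "DROP"),
]


def decisions() -> dict:
    """Decisions for a few flows, including a VM re-addressed after a migration."""
    app01_moved = replace(app01, ip="10.0.99.5")   # same tags, new address
    return {
        "web01->app01:8080": evaluate(POLICY, web01, app01, "tcp", 8080),
        "web01->db01:3306": evaluate(POLICY, web01, db01, "tcp", 3306),
        "app01->db01:3306": evaluate(POLICY, app01, db01, "tcp", 3306),
        "app01(moved)->db01:3306": evaluate(POLICY, app01_moved, db01, "tcp", 3306),
        "web02(untagged)->app01:8080": evaluate(POLICY, web02, app01, "tcp", 8080),
        "db01->app01:8080": evaluate(POLICY, db01, app01, "tcp", 8080),
    }


if __name__ == "__main__":
    for flow, (action, rule_id) in decisions().items():
        print(f"{flow:30} {action:5} rule {rule_id}")
```

Two outcomes are worth noting when reading the output: the re-addressed app01 is still allowed to reach the database because the policy never looked at its IP, and the untagged web02 is dropped by the default rule even though it sits on the same segment as web01. The second case is the operational reason to treat tagging as part of the deployment pipeline rather than an afterthought.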

The DFW configuration is located in the Distributed Firewall section on the Security tab, as seen...

Summary

In this chapter, you gained the knowledge needed to design, configure, and operate VMware Cloud on AWS networking based on VMware NSX capabilities. With the recent move of the Networking & Security tab in the SDDC console to the new VMware NSX web interface, it's vital for administrators to review the relevant UI elements and update their runbooks and documentation. Cloud and networking architects can put the design recommendations into practice, especially around hybrid cloud connectivity.

You are now prepared to use the full potential of VMware Cloud on AWS networking in your organization.

In the next chapter, we will learn about the new integrated services available with VMware Cloud on AWS.
