This article was written by Schneider Larbi, Specialist Solutions Architect at AWS.
VMware Cloud on AWS lets you extend your on-premises network seamlessly at layer 2. This matters because you can move virtual machines to VMware Cloud on AWS without changing the IP addresses they had on the on-premises layer 2 network.
At the time of writing (July 7, 2020), there are two ways to extend the network to VMware Cloud on AWS.
You do not need NSX on-premises to implement network extension. Note that if your on-premises environment runs NSX-T, the L2VPN client built into its NSX-T Edge cannot be used to connect to the Software Defined Data Center (SDDC) environment of VMware Cloud on AWS.
This article describes the architectural considerations when extending the on-premises network to VMware Cloud on AWS, which lets you implement a hybrid cloud or migrate to the cloud without changing IP addresses.
VMware Cloud on AWS lets you move your data center to the cloud, exit the data center, implement disaster recovery (DR), and modernize applications.
You can do this using the same VMware infrastructure components used on-premises: vCenter for management, the ESXi hypervisor, NSX for networking, and vSAN for storage. Let's look at the network extension options available in VMware Cloud on AWS.
One way to implement a hybrid network connection to VMware Cloud on AWS is to use Autonomous NSX Edge. This is a standalone appliance deployed on your on-premises VMware cluster. It is downloaded in OVF format and functions as an L2VPN that extends your layer 2 network domain to VMware Cloud on AWS.
At the time of writing (July 7, 2020), the type of NSX used in VMware Cloud on AWS is NSX-T Data Center. Note that only Autonomous NSX Edge is compatible with the NSX-T Data Center in VMware Cloud on AWS. If you download another NSX-V appliance, it will not work with NSX-T Data Center in the cloud.
Before setting up the Autonomous NSX Edge appliance, make sure you can start vMotion between the on-premises vCenter and the VMware Cloud on AWS vCenter. To do so, you need to configure Hybrid Linked Mode between the two vCenter servers. This feature simplifies management by linking the on-premises vCenter to VMware Cloud on AWS. See the VMware documentation checklist for details.
Make sure these prerequisites are met so that you can start vMotion between the on-premises VMware environment and VMware Cloud on AWS without causing unnecessary network outages or inconvenient errors.
Autonomous NSX Edge extends your layer 2 network to the VMware Cloud on AWS environment over AWS Direct Connect (DX) or the public Internet, so you can start live vMotion of virtual machines connected to this extended network between the on-premises environment and VMware Cloud on AWS.
The second way to extend the customer network to VMware Cloud on AWS and implement a hybrid network is to use VMware HCX. This is a platform that simplifies application migration, workload rebalancing, and business continuity across data centers and clouds.
VMware HCX components are deployed on-premises and paired with components in the VMware Cloud on AWS environment, extending the customer's layer 2 network to VMware Cloud on AWS to support migration and a hybrid cloud architecture.
To achieve a hybrid network connection that extends the on-premises network to VMware Cloud on AWS, you must first establish connectivity between the on-premises environment and VMware Cloud on AWS. For more on these two options, see this blog post: Connectivity Options for VMware Cloud on AWS SDDCs.
Customers already using AWS Direct Connect can configure the NSX Autonomous Edge to VMware Cloud on AWS over their existing DX connection.
Figure 1: L2VPN via AWS Direct Connect
In this design, an AWS Direct Connect private virtual interface (private VIF) is configured on the DX connection and terminates on a virtual private gateway (VGW). In this configuration, network routes are advertised via BGP from the on-premises environment to VMware Cloud on AWS, more precisely to the NSX Edge router.
Make sure the Autonomous System Numbers (ASNs) configured for the BGP session on-premises and in the VMware Cloud on AWS environment do not overlap. You must use different values on the two sites.
Once this preliminary setup is complete, you can configure the L2VPN over the Direct Connect private VIF to extend your on-premises network to the VMware Cloud on AWS environment.
Do not advertise, via BGP over the Direct Connect private VIF, the routes of any networks you intend to extend with the NSX Autonomous Edge appliance.
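The two design rules above (distinct ASNs on each side, and never advertising an L2VPN-extended network as a BGP route over the private VIF) are easy to violate in a spreadsheet-driven plan. The following is an added example, not code from the article or from VMware, that checks a planned design for both rules; the ASNs and prefixes are constructed sample values.

```python
import ipaddress
from typing import Iterable, List


def check_l2vpn_over_dx(onprem_asn: int, sddc_asn: int,
                        bgp_advertised: Iterable[str],
                        l2vpn_extended: Iterable[str]) -> List[str]:
    """Return a list of design problems; an empty list means the plan is consistent.

    bgp_advertised:  prefixes the on-premises side advertises over the DX private VIF
    l2vpn_extended:  on-premises networks carried by the Autonomous NSX Edge L2VPN
    """
    problems = []
    # Rule 1: the two BGP peers must not use the same ASN.
    if onprem_asn == sddc_asn:
        problems.append(f"ASN {onprem_asn} is used on both sides; use different values")
    # Rule 2: a network extended at layer 2 must not also be advertised as a
    # layer 3 route, otherwise the same subnet is reachable both ways.
    advertised = [ipaddress.ip_network(p, strict=False) for p in bgp_advertised]
    for ext in (ipaddress.ip_network(p, strict=False) for p in l2vpn_extended):
        for adv in advertised:
            if ext.overlaps(adv):
                problems.append(f"extended network {ext} overlaps BGP route {adv}; "
                                f"remove it from the advertised routes")
    return problems


if __name__ == "__main__":
    # Constructed sample plan (not from the article): one workload subnet is both
    # advertised over DX and extended by L2VPN, and both sites use the same ASN.
    for line in check_l2vpn_over_dx(
            onprem_asn=65001, sddc_asn=65001,
            bgp_advertised=["10.10.0.0/16", "10.20.30.0/24"],
            l2vpn_extended=["10.20.30.0/24", "10.20.31.0/24"]):
        print(line)
```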
The screenshot below shows how to configure the Autonomous Edge over an existing AWS Direct Connect connection.
Figure 2: L2VPN setting via AWS Direct Connect
As shown in Figure 2, you must select a private IP as the VMware Cloud on AWS endpoint in the L2VPN settings. This lets you set the private (internal) IP of your on-premises device as the remote IP for the L2VPN.
This private IP can only be used over AWS Direct Connect; it cannot be used over an existing VPN connection.
With this configuration, L2VPN traffic to VMware Cloud on AWS flows through AWS Direct Connect, which provides a stable, reliable, low-latency connection.
Customers who do not have AWS Direct Connect between on-premises and VMware Cloud on AWS can instead extend any network to VMware Cloud on AWS using the NSX Autonomous Standalone Edge.
Figure 3: L2VPN via public Internet
In the configuration of Figure 3, you extend your layer 2 networks using NSX Autonomous Edge. As in the configuration of Figure 1, deploy the appliance to the on-premises vSphere cluster and use an L2VPN over the public Internet to extend the network to VMware Cloud on AWS.
The important point in this design is to avoid advertising, over the VPN, any network you want to extend to VMware Cloud on AWS. What clearly distinguishes this configuration from the other is that the VPN terminates on the NSX Edge router in the VMware Cloud on AWS environment.
This network extension applies only to the VMware cluster workload networks. If you want to advertise the management network to VMware Cloud on AWS, you must set up a separate VPN tunnel, as shown in Figure 3.
To enable this configuration, select the public IP option in the layer 2 settings, as shown in the figure below.
Figure 4: L2VPN setting via public Internet
VMware Cloud on AWS lets you create multiple tunnels between on-premises and the SDDC, but only one layer 2 VPN tunnel is supported. To deploy the NSX Autonomous Edge appliance, follow this VMware documentation.
In addition, an L2VPN using NSX Autonomous Standalone Edge version 2.5.1.0.0 can extend up to 100 on-premises networks to the cloud. If you want to extend a large number of networks to the cloud, plan accordingly.
Since the NSX Autonomous Edge is not a managed service, you are responsible for this appliance in the on-premises vSphere cluster.
vSphere features such as High Availability (HA) and Distributed Resource Scheduler (DRS) can be used to prevent outages of this appliance. You can also back up and restore the appliance configuration with the built-in backup feature if necessary.
Because the NSX Autonomous Edge appliance has a backup/restore feature, you can back up the configuration file and store it outside the cluster. With this feature, you can quickly deploy a new appliance and restore the settings in a few minutes.
Of course, you can also protect the appliance with a third-party backup solution.
When you extend the network from on-premises to VMware Cloud on AWS in this way, keep in mind that latency is introduced into the customer environment. Keep in mind that the gateway IP remains on-premises, and make sure the resulting latency is acceptable for the customer environment.
You can extend up to eight networks per HCX network extension appliance. If you need to extend more networks, you can deploy multiple network extension appliances.
To design this network extension solution properly, we recommend that you always review the settings of the HCX components you deploy.
Detailed guidance is available on how to deploy HCX in the on-premises environment.
Depending on how far HCX is scaled out, you must plan to keep capacity on the management cluster for the various HCX components deployed on-premises.
You can also manage and maintain HCX components in both the on-premises and VMware Cloud on AWS environments. If you have a problem, you can ask VMware for support.
HCX comes in two editions. One is limited to on-premises and is used to connect two on-premises environments; the other is the cloud edition, which connects on-premises and the cloud. This article focuses on the cloud edition of HCX.
HCX deploys components to both VMware Cloud on AWS and the on-premises cluster. These components are configured and paired with each other.
The cloud edition of HCX is an add-on to VMware Cloud on AWS. The cloud-side components are managed as part of the service, and the components deployed on-premises are managed by the customer. See this user guide for how HCX is deployed to VMware Cloud on AWS.
HCX also supports AWS Direct Connect, so if a DX connection with a private VIF is established between on-premises and VMware Cloud on AWS, HCX can extend the on-premises local layer 2 network to VMware Cloud on AWS over the DX connection.
Figure 5: HCX configuration via AWS Direct Connect
To build the configuration in Figure 5, you must reserve IP addresses for the service mesh configuration that will be advertised to VMware Cloud on AWS over the underlying AWS Direct Connect connection. This is configured in the on-premises HCX Manager, and the IP addresses must come from the on-premises address pool.
In the next step, log on to the HCX Manager in VMware Cloud on AWS. In the Network Profile section, VMware provides a network profile named DirectConnectNetwork1. Since this profile is empty initially, you need to ask your network team for an IP range for deploying the HCX cloud components over DX.
The IP range must not overlap with other on-premises or VMware Cloud on AWS IP ranges. The range does not have to be a /24; you can use a smaller range, taking into account how many appliances you will deploy based on your HCX deployment model.
After receiving a network range from the network team, edit the DirectConnectNetwork1 profile and enter the address range. When the profile is saved, the network range is automatically advertised to on-premises via BGP over the Direct Connect private VIF. Figure 6 below shows this setting in the HCX Manager of VMware Cloud on AWS.
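Because the DirectConnectNetwork1 range is advertised to on-premises as soon as the profile is saved, an overlapping or undersized range is worth catching before the save. The following is an added example, not code from the article or from VMware, that validates a candidate range against the two constraints described above; it assumes one address per cloud-side HCX appliance, and the on-premises and SDDC ranges are constructed sample values.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample inputs (not from the article).
ONPREM_RANGES = ["10.0.0.0/16", "10.1.0.0/16"]       # existing on-premises networks
SDDC_RANGES = ["10.2.0.0/16", "192.168.1.0/24"]      # SDDC management and workload networks


def usable_addresses(net: ipaddress.IPv4Network) -> int:
    """Host addresses in a range, excluding the network and broadcast addresses."""
    return max(net.num_addresses - 2, 0)


def validate_dx_network_profile(candidate: str, appliance_count: int,
                                onprem_ranges: Iterable[str] = ONPREM_RANGES,
                                sddc_ranges: Iterable[str] = SDDC_RANGES) -> List[str]:
    """Check a range before entering it into the DirectConnectNetwork1 network profile.

    Returns a list of problems; an empty list means the range is safe to use.
    """
    problems = []
    net = ipaddress.ip_network(candidate, strict=False)
    # Rule 1: the profile range is advertised over the DX private VIF, so it must
    # not overlap anything already routed on-premises or inside the SDDC.
    for label, ranges in (("on-premises", onprem_ranges), ("VMware Cloud on AWS", sddc_ranges)):
        for r in ranges:
            other = ipaddress.ip_network(r, strict=False)
            if net.overlaps(other):
                problems.append(f"{net} overlaps {label} range {other}")
    # Rule 2: a /24 is not required, but the range must hold one address per
    # HCX appliance (assumption) that the deployment model places on the cloud side.
    if usable_addresses(net) < appliance_count:
        problems.append(f"{net} provides {usable_addresses(net)} usable addresses, "
                        f"fewer than the {appliance_count} HCX appliances planned")
    return problems


def smallest_prefix_for(appliance_count: int) -> int:
    """Longest prefix length (smallest block) that still fits appliance_count hosts."""
    for prefixlen in range(32, -1, -1):
        if usable_addresses(ipaddress.ip_network(f"0.0.0.0/{prefixlen}")) >= appliance_count:
            return prefixlen
    return 0


if __name__ == "__main__":
    print(validate_dx_network_profile("10.0.5.0/28", appliance_count=3))
    print(f"3 appliances fit in a /{smallest_prefix_for(3)}")
```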
Figure 6: AWS Direct Connect Settings
After configuring the AWS Direct Connect network profile from the cloud-side HCX Manager, set up the service mesh from the on-premises HCX Manager. Select the Direct Connect network profile from the VMware Cloud on AWS HCX Manager, then link it to the on-premises management network.
Figure 7: Service mesh settings
Once HCX is operating over AWS Direct Connect, you can finally extend the layer 2 broadcast domain from on-premises to VMware Cloud on AWS using the HCX network extension feature.
Once the L2VPN extension is configured, a VPN tunnel that extends the on-premises layer 2 network to VMware Cloud on AWS is created over the DX.
This extension service supports 4 to 6 Gbps of bandwidth for layer 2 network extension. As a result, virtual machines keep the same IP and MAC addresses while they are migrated.
HCX can also be configured over the public Internet to extend the on-premises layer 2 network to VMware Cloud on AWS using L2VPN. This is the HCX default configuration and does not require AWS Direct Connect.
Figure 8: HCX configuration via public Internet
As shown in Figure 8 above, a VPN is used to exchange routes between on-premises and VMware Cloud on AWS and connect the two.
To use HCX without AWS Direct Connect, the IP addresses reserved for the on-premises HCX components must be able to reach the public endpoints of the HCX components in VMware Cloud on AWS.
To complete the configuration, request a public IP for VMware Cloud on AWS. These IPs are used by the cloud-side HCX components.
After requesting the public IP, edit the HCX network profile named ExternalNetwork. Then enter the public IP on the VMware Cloud on AWS side and save the settings.
In the service mesh configuration of the on-premises HCX Manager, select ExternalNetwork from the list instead of the DirectConnectNetwork1 profile shown in Figure 7.
The minimum bandwidth required for HCX is 100 Mbps. 100 Mbps may be enough for very small, ordinary virtual machines. However, vMotion of a virtual machine with large memory or CPU can fail at 100 Mbps.
If a network extended with HCX also carries layer 2 traffic in addition to vMotion or migration traffic, make sure there is enough bandwidth between on-premises and the cloud. You can also use the HCX WAN optimization feature. Many customers doing network extension and migration use bandwidth above 1 Gbps.
For these reasons, we strongly recommend using AWS Direct Connect and a high-bandwidth Internet connection to achieve the best user experience with HCX.
By extending the network, you can migrate all virtual machines from on-premises to VMware Cloud on AWS without changing IP addresses. Customers who want to keep a hybrid network connection can continue using the HCX L2VPN network extension as is.
After migrating to VMware Cloud on AWS, you can manually remove all network extensions and convert the networks to VMware Cloud on AWS networks. To do so, make sure the networks extended from on-premises are not advertised to VMware Cloud on AWS through separate VPN tunnels or AWS Direct Connect.
In this article, we explained configurations using HCX or NSX Autonomous Standalone Edge, over AWS Direct Connect or the public Internet, to extend the on-premises layer 2 network to VMware Cloud on AWS.
Whichever configuration you adopt, you can achieve a truly hybrid connection between the on-premises environment and VMware Cloud on AWS, and migrate virtual machine workloads without changing IP addresses.
This translation was handled by GF SA Ota. The original text is here.