VMware Transit Connect Sample Topology

Unleashing Seamless Hybrid Cloud Connectivity with VMware Transit Connect

VMware Transit Connect emerges as a pivotal solution for organizations aiming to establish robust and high-speed connections between their VMware Cloud on AWS Software Defined Data Centers (SDDCs) and a multitude of other resources. This powerful capability, now generally available across all VMware Cloud on AWS commercial regions, is underpinned by SDDC Groups, a feature designed to streamline the logical organization and management of SDDCs.

SDDC Groups revolutionize the way users define and manage interconnected environments. By enabling the creation of logical groupings of SDDCs, Virtual Private Clouds (VPCs), and on-premises infrastructure, Transit Connect simplifies the complexities of hybrid cloud networking. At the heart of this simplification lies the VMware Managed AWS Transit Gateway (VTGW), a fully managed service by VMware. The VTGW acts as the invisible backbone, providing the essential connectivity that binds diverse resources together.

The initial release of Transit Connect offers three primary connectivity blueprints:

  • SDDC to SDDC: Facilitate direct, high-bandwidth communication between multiple SDDCs.
  • SDDC to Native AWS VPC: Seamlessly extend your SDDC environment to your native AWS VPCs.
  • SDDC to On-premises over Direct Connect Gateway: Establish secure and reliable connections to your on-premises data centers via Direct Connect Gateway.

Figure 1 showcases a typical VMware Transit Connect topology, illustrating the interconnectedness it enables.

These connectivity models are meticulously designed to address the most prevalent hybrid cloud networking demands voiced by VMware customers. VMware is committed to the continuous evolution of Transit Connect, with future enhancements and features driven by valuable customer feedback and the strong partnership with AWS. Let’s delve deeper into the operational mechanics of each connectivity model.

Before implementing Transit Connect, it’s crucial to acknowledge the prerequisites:

  • SDDCs must be running on version 1.11 or later.
  • SDDCs and VPCs within an SDDC group must reside within the same AWS region.
  • SDDC management CIDR blocks must not overlap to prevent routing conflicts.
  • While overlapping SDDC networks are not recommended, it’s important to note that overlapping network segments will not be advertised across Transit Connect.

Understanding traffic flow is paramount. Transit Connect operates under a fundamental principle: at least one endpoint in any communication flow must be a resource within an SDDC. This design is essential for VMware to maintain service observability and provide effective support. The rule is enforced through two routing domains: the Member routing domain, which allows SDDCs to communicate with other SDDCs, VPCs, or on-premises networks, and the External routing domain, which is restricted to routing traffic solely to member SDDCs. The following table summarizes permitted and prohibited traffic flows:

  • SDDC to SDDC – Permitted
  • SDDC to VPC – Permitted
  • SDDC to on-premises – Permitted
  • VPC to VPC – Prohibited
  • On-premises to VPC – Prohibited
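As an added illustration (not code from the post or from VMware), the following Python models the prerequisites and routing-domain rules above for a constructed SDDC group: it flags overlapping management CIDRs, withholds overlapping segments from advertisement (the post's statement that such segments are not advertised is taken to mean a segment overlapping another member's), and derives what each attachment learns so that VPC-to-VPC and on-premises-to-VPC flows never receive a route. All names and prefixes are hypothetical.

```python
import ipaddress
from itertools import combinations

# Constructed sample SDDC group (hypothetical values, not from the post): two SDDC
# members plus one native VPC and one on-premises site in the External routing domain.
GROUP = {
    "sddc-1": {"domain": "member", "mgmt": "10.10.0.0/20",
               "segments": ["192.168.10.0/24", "192.168.20.0/24"]},
    "sddc-2": {"domain": "member", "mgmt": "10.20.0.0/20",
               "segments": ["192.168.30.0/24", "192.168.20.0/24"]},  # 20.0/24 overlaps sddc-1
    "vpc-a": {"domain": "external", "segments": ["172.16.0.0/16"]},
    "onprem": {"domain": "external", "segments": ["10.100.0.0/16"]},
}


def overlapping_mgmt_cidrs(group):
    """Prerequisite check: SDDC management CIDRs in a group must not overlap."""
    mgmt = {n: ipaddress.ip_network(m["mgmt"]) for n, m in group.items() if "mgmt" in m}
    return [(a, b) for a, b in combinations(mgmt, 2) if mgmt[a].overlaps(mgmt[b])]


def advertised_routes(group):
    """Prefixes each attachment advertises into Transit Connect. A segment that
    overlaps another member's segment is withheld (the post states overlapping
    segments are not advertised). The management CIDR is included, which is why
    management CIDRs must be unique across the group."""
    nets = {n: [ipaddress.ip_network(s) for s in m["segments"]] for n, m in group.items()}
    adv = {}
    for name, own in nets.items():
        others = [p for o, ps in nets.items() if o != name for p in ps]
        adv[name] = [str(p) for p in own if not any(p.overlaps(q) for q in others)]
        if "mgmt" in group[name]:
            adv[name].append(group[name]["mgmt"])
    return adv


def learned_routes(group):
    """Routes each attachment learns under the routing-domain rule: a member (SDDC)
    learns from every other attachment, while an External attachment (VPC or
    on-premises) learns only SDDC prefixes, so VPC-to-VPC and on-premises-to-VPC
    traffic never gets a route."""
    adv = advertised_routes(group)
    learned = {}
    for name, m in group.items():
        peers = [o for o in group if o != name
                 and (m["domain"] == "member" or group[o]["domain"] == "member")]
        learned[name] = sorted(p for o in peers for p in adv[o])
    return learned


if __name__ == "__main__":
    assert not overlapping_mgmt_cidrs(GROUP), "management CIDRs overlap"
    for name, routes in learned_routes(GROUP).items():
        print(f"{name:7} learns {routes}")
```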

With these key considerations in mind, let’s explore the practical network topologies achievable with Transit Connect.

Network Topology 1 – SDDC to SDDC Connectivity

The SDDC to SDDC topology, depicted in Figure 2, is a foundational use case for Transit Connect.

[Figure 2 – Network diagram illustrating SDDC to SDDC connectivity in VMware Transit Connect, showing three SDDCs in the same AWS region connected via a Transit Gateway.]

Figure 2 illustrates a scenario with three SDDCs located within the same AWS region. Two of these SDDCs are configured as members of an SDDC group. This grouping enables them to communicate seamlessly via a high-speed VPC attachment established through the VTGW.

Initiating this process is straightforward within the VMware Cloud (VMC) Console. Begin by clicking the “Actions” button, typically located in the upper right corner of the interface, and then select “Create SDDC Group.”

This action triggers a user-friendly three-step wizard. You’ll be prompted to name the Transit Gateway, select the SDDCs you wish to include as members of the group, and acknowledge the terms before clicking “Create Group.”

Once “Create Group” is selected, the system begins the automated backend processes required to instantiate the necessary objects and establish connectivity. During this phase, the SDDCs will display a “Connectivity Status” of “PENDING” on the details page. Upon completion of all tasks, the “Connectivity Status” will transition to “CONNECTED,” signifying successful setup.

For granular visibility into routing, navigate to the “Routing” tab. Here, you can examine the network prefixes learned from each SDDC within the group.

Deeper insights into SDDC routing tables are accessible via the new “Transit Connect” tab located in the left navigation menu within each SDDC.

With the SDDCs now interconnected at the network level, the foundational infrastructure for communication is in place. However, VMware’s security-first approach dictates that default firewall policies will initially block inter-SDDC communication. To enable traffic flow, you must configure appropriate gateway firewall policies. This is where the SDDC Group object further simplifies administration. The SDDC Group dynamically maintains a comprehensive list of networks advertised by each member SDDC, VPC, and on-premises connection. This list automatically populates system-managed groups for firewall rule creation, significantly easing security policy management.

These system-managed groups can be leveraged as source and destination objects when defining firewall rules. While these groups are designed to simplify the user experience, they are optional. You retain the flexibility to configure more granular and explicit firewall policies if needed. The image below illustrates an example of utilizing SDDC Group Firewall Policy objects. Notably, observe the use of the “Applied To” field to specifically select the “Direct Connect interface.” This is crucial because the VPC attachment between the SDDC and the VTGW traverses an NSX Edge router interface designated as “Direct Connect Interface.”

Completing this firewall configuration step finalizes the process, establishing end-to-end communication between the SDDCs within your VMware Transit Connect setup.

Network Topology 2 – SDDC to VPC Connectivity

The next supported connectivity model extends the reach of your SDDCs to native AWS VPCs. This dramatically enhances hybrid cloud integration, diminishing reliance on traditional VPNs for connecting these distinct environments. Upon successful configuration, you’ll achieve a topology similar to that illustrated in Figure 3.

Figure 3 – SDDC to Native AWS VPCs

[Network diagram illustrating SDDC to Native AWS VPC connectivity in VMware Transit Connect, showing an SDDC connected to multiple AWS VPCs via a Transit Gateway.]

Figure 3 expands upon the SDDC to SDDC topology by incorporating native AWS VPCs. Configuring this topology necessitates collaboration and coordinated actions between administrators possessing access to both the native AWS VPC environment and the VMC SDDCs. Specifically, the AWS account requires the following permissions and information:

  • Read/write permissions for the VPC(s) that will be connected to Transit Connect.
  • AWS Account ID(s) where the target VPCs reside.
  • VPC IDs and CIDR blocks of the VPCs intended for Transit Connect integration.

The VMC user performing these operations must hold the Cloud Admin role.

To initiate VPC integration, navigate to the “VPC Connectivity” tab within the VMC Console and click “ADD AWS ACCOUNT,” as shown below.

You will be prompted to enter the AWS account number associated with the VPC(s) you wish to connect.

After entering the account ID, the status in the VMC console will initially display as “ASSOCIATING.” To finalize this association, access the AWS Console. Log in with a user account possessing the access privileges outlined earlier. You will find a notification for a “Resource Share” within the AWS Resource Access Manager.

Click on the “VMC-Group” resource share, accept the share, and confirm your acceptance. The screen will then indicate that the invitation has been accepted.

[Screenshot of the AWS Resource Access Manager showing a pending resource share invitation from VMware Cloud, with the “Accept resource share” button highlighted.]

After a brief period, the “State” in the VMC Console will transition from “ASSOCIATING” to “ASSOCIATED,” signifying successful AWS account association.

With the account association established, the next step is performed within the AWS Console. Navigate to the VPC service and then to the “Transit Gateways” section. Select “Create Transit Gateway Attachment.” In the attachment creation page, choose the VTGW, the VPC(s), and the subnets within those VPCs that will utilize Transit Connect. Finally, click “Create attachment.” The screenshot below illustrates this process.

A confirmation window will appear, and the attachment process will commence. The AWS Console will reflect the attachment “State” as “pending acceptance.” Now, return to the VMC Console. The VPC you just attached to the VTGW will be listed. Highlight the VPC and click “ACCEPT.” The status will transition to “PENDING” before ultimately displaying “AVAILABLE.” This process may take up to 15 minutes, depending on request processing times.

Once the “Status” is “AVAILABLE,” initial network connectivity is established. However, unlike SDDC to SDDC communication, a few additional configuration steps are required. First, update the VPC routing tables to ensure that traffic destined for VMC connected networks is routed via the VTGW. This is configured within the AWS Console for the specific VPC and will resemble the image below.

Remember to also configure the Security Groups associated with your EC2 instances to align with your desired security policies and traffic flows. The same principle applies to the Gateway Firewall within your SDDCs. Transit Connect provides the underlying network connectivity, while AWS Security Groups and NSX Gateway Firewalls serve as the crucial security enforcement points.

Network Topology 3 – SDDC to On-Premises Connectivity

The final connectivity method to explore is on-premises integration. Traditionally, establishing on-premises connectivity to SDDCs involved provisioning Direct Connect circuits between your data centers and the SDDC, typically utilizing a private Virtual Interface (VIF). With Transit Connect, a new type of VIF is required: a Transit VIF. Transit VIFs can only be terminated between an AWS Direct Connect Gateway and a Transit Gateway (TGW). Direct Connect Gateways are global constructs, not region-specific, eliminating regional co-location constraints that apply to SDDCs and VPCs.

To configure a Direct Connect Gateway within Transit Connect, navigate to the “Direct Connect Gateway” tab in the VMC Console and click “ADD ACCOUNT.”

Complete the required fields, paying particular attention to the “Allowed Prefixes.” AWS Direct Connect Gateway supports advertising a maximum of 20 prefixes to on-premises networks. Therefore, consider network summarization to optimize prefix advertisement.
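As an added example (not code from the post or from VMware/AWS), the following Python shows one way to plan the “Allowed Prefixes” list against that limit: it collapses adjacent and contained prefixes, greedily summarizes neighbouring prefixes into common supernets until the list fits, and reports the extra address space each summary would advertise to on-premises beyond the networks you actually own. The sample prefixes and the 20-prefix limit constant are constructed from the figure given above.

```python
import ipaddress

DXGW_MAX_PREFIXES = 20  # Direct Connect Gateway allowed-prefix limit stated above

# Constructed sample: 24 non-adjacent /24 workload segments plus one management CIDR
# (hypothetical values, not from the post).
SAMPLE_PREFIXES = [f"192.168.{2 * i}.0/24" for i in range(24)] + ["10.10.0.0/20"]


def common_supernet_len(a, b):
    """Longest prefix length at which networks a and b share a single supernet."""
    plen = min(a.prefixlen, b.prefixlen)
    while plen > 0 and a.supernet(new_prefix=plen) != b.supernet(new_prefix=plen):
        plen -= 1
    return plen


def overreach(summaries, originals):
    """Address space the summaries would advertise that was not in the original list."""
    extra = []
    for s in summaries:
        parts = [s]
        for o in originals:
            if o.subnet_of(s):  # carve every original network out of the summary
                parts = [q for p in parts
                         for q in (p.address_exclude(o) if o.subnet_of(p) else [p])]
        extra.extend(parts)
    return list(ipaddress.collapse_addresses(extra))


def summarize_prefixes(prefixes, limit=DXGW_MAX_PREFIXES):
    """Collapse adjacent and contained prefixes; while the list still exceeds the
    limit, greedily merge the neighbouring pair with the most specific common
    supernet. Returns (summaries, extra) as strings, where 'extra' is the address
    space the summaries cover beyond the originals and should be reviewed before
    the on-premises side accepts those routes."""
    originals = [ipaddress.ip_network(p) for p in prefixes]
    nets = list(ipaddress.collapse_addresses(originals))  # sorted, non-overlapping
    while len(nets) > limit:
        plen, i = max((common_supernet_len(nets[k], nets[k + 1]), k)
                      for k in range(len(nets) - 1))
        merged = nets[i].supernet(new_prefix=plen)
        nets = list(ipaddress.collapse_addresses(nets[:i] + [merged] + nets[i + 2:]))
    return [str(n) for n in nets], [str(n) for n in overreach(nets, originals)]


if __name__ == "__main__":
    summaries, extra = summarize_prefixes(SAMPLE_PREFIXES)
    print(f"{len(summaries)} prefixes after summarization (limit {DXGW_MAX_PREFIXES})")
    print("extra address space covered:", extra)
```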

The VTGW will initiate an association request with the Direct Connect Gateway owner. The status in the VMC Console will display as “REQUESTED.”

In the AWS Console, accept the pending Transit Gateway association request as shown in the following screenshot.

After accepting the association, you will be presented with the opportunity to accept the BGP proposal.

Click “Accept proposal,” and the systems will process the requests. Note that this process can take up to 20 minutes to complete.

Similar to SDDC to SDDC and SDDC to VPC connectivity models, establishing a Direct Connect Gateway connection necessitates updating security policies to finalize the connection. A key difference with on-premises environments is the potential need to update physical firewalls with appropriate routing and security policies to enable communication with Transit Connect resources.

This initial release of VMware Transit Connect provides a robust foundation for simplifying and resolving complex hybrid cloud computing challenges for our customers.

Additional Resources

VMware Cloud on AWS Release Notes – https://docs.vmware.com/en/VMware-Cloud-on-AWS/0/rn/vmc-on-aws-relnotes.html#wn07313029

VMware Cloud on AWS FAQ – https://cloud.vmware.com/vmc-aws/faq#networking-general

VMware Cloud on AWS Networking and Security Documentation – https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws.networking-security/GUID-0CD747E8-143D-476C-BE17-7DB991B32D37.html
