AWS and VMware have validated a limited set of AWS services for integration with workloads running on VMware Cloud on AWS. By incorporating these services into their migration and modernization approach, organizations can reduce operational overhead, lower Total Cost of Ownership (TCO), and improve the agility and scalability of their workloads.
The following diagram illustrates the VMware Cloud on AWS managed service leveraging native AWS services:

Figure 8.1 – Native AWS services integration with VMware Cloud on AWS
This chapter covers network connectivity between native AWS services and VMware workloads. Once the network connectivity is established, we will explore standard native AWS service integrations, including offloading storage to secondary storage in the AWS cloud, protecting Virtual Machine (VM) workloads using AWS networking services, and leveraging AWS databases and analytics services with workloads running in the Software-Defined Data Center (SDDC).
Networking between SDDC and native AWS services
To integrate AWS services effectively, it is critical to establish resilient network connectivity between workloads in the VMware Cloud on AWS SDDC and the AWS services themselves. This section outlines the connectivity required between the organization's own AWS account and the VMware Cloud on AWS SDDC.
Setting up VMware Cloud on AWS involves two AWS accounts. The first is the VMware Cloud on AWS SDDC account (also known as the shadow account), which hosts the SDDC infrastructure; VMware owns, manages, and operates this account. The second is the organization's own AWS account, often referred to as the customer-owned AWS account, which the customer owns, operates, and pays for directly based on the AWS services consumed within it.
The customer-owned AWS account has an Amazon Virtual Private Cloud (VPC) designated as the connected VPC. This connected VPC can host a number of native AWS services that the VM workloads running on the VMware Cloud on AWS SDDC can consume.

Figure 8.2 – Native AWS services integration with VMware Cloud on AWS
The diagram (Figure 8.2) shows an Amazon VPC on the left, known as the shadow VPC, which operates within the VMware-owned shadow account. Both the account and the VPC sit behind the VMware Cloud Services Console; organizations cannot log in to or administer them directly. The shadow VPC uses Cross-Account Elastic Network Interfaces (X-ENIs) to communicate with the connected VPC on the right, which runs in the customer-owned AWS account.
The diagram also shows Amazon Elastic Compute Cloud (EC2) instances running in the connected VPC in the customer-owned AWS account. Several X-ENIs, of which only one is active at a time, provide high-bandwidth, low-latency connectivity to services in the connected VPC; the traffic never leaves the AWS network. While the diagram shows only EC2 instances, other AWS services, such as Amazon S3, Amazon Elastic File System (EFS), Amazon FSx, Amazon RDS, and AWS Backup, can integrate with workloads running in VMware Cloud on AWS. Each SDDC can be linked to only one customer-owned AWS account, and therefore only one connected VPC can be designated per SDDC. The connected VPC is specified during SDDC deployment (or immediately after it) and cannot be changed without destroying and recreating the SDDC.
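Two controls on the connected VPC side decide whether a packet from an SDDC workload actually reaches an EC2 instance over the X-ENI: the connected VPC's main route table, which VMware Cloud on AWS keeps populated with routes to the SDDC network segments pointing at the currently active X-ENI (so return traffic goes back the same way), and the security group on the target instance, which must admit the SDDC source address and port. The checker below is an added example, not code from the book or from VMware's tooling; it evaluates a constructed route table and security group, and every CIDR, ENI ID and rule in it is made up for illustration. The SDDC-side NSX Compute Gateway firewall, which also has to permit the flow, is deliberately not modeled.

```python
"""Constructed example: decide whether a flow from an SDDC workload to an
EC2 instance in the connected VPC is permitted by the connected-VPC side
controls (main route table via the active X-ENI, instance security group).
All CIDRs, ENI IDs and rules are made up for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    destination: str  # CIDR
    target: str       # "local", "igw-...", or an ENI ID such as "eni-..."


@dataclass
class SgRule:
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int    # ignored for "-1" and "icmp" in this simplified model
    to_port: int
    source: str       # CIDR


@dataclass
class ConnectedVpc:
    cidr: str
    main_routes: list[Route]
    active_xeni: str          # ENI ID of the X-ENI currently in use
    instance_sg: list[SgRule]  # ingress rules on the target EC2 instance


def longest_prefix_match(routes: list[Route], ip: ipaddress.IPv4Address) -> Route | None:
    """Return the most specific route covering ip, as the VPC router would."""
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route.destination)
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def return_path_via_active_xeni(vpc: ConnectedVpc, sddc_ip: str) -> bool:
    """Reply traffic to the SDDC segment must be routed to the active X-ENI.
    A route pointing at a stale (inactive) X-ENI or no route at all means the
    return path is broken even if the forward packet arrived."""
    route = longest_prefix_match(vpc.main_routes, ipaddress.ip_address(sddc_ip))
    return route is not None and route.target == vpc.active_xeni


def sg_allows(rules: list[SgRule], src_ip: str, proto: str, port: int) -> bool:
    """Security groups are allow-lists: any matching rule permits the flow."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.protocol not in ("-1", proto):
            continue
        if rule.protocol not in ("-1", "icmp") and not (rule.from_port <= port <= rule.to_port):
            continue
        if src in ipaddress.ip_network(rule.source):
            return True
    return False


def flow_permitted(vpc: ConnectedVpc, sddc_ip: str, proto: str, port: int) -> tuple[bool, list[str]]:
    """Combine both checks and report every reason a flow would be blocked."""
    reasons = []
    if not return_path_via_active_xeni(vpc, sddc_ip):
        reasons.append("no main route table entry for the SDDC segment via the active X-ENI")
    if not sg_allows(vpc.instance_sg, sddc_ip, proto, port):
        reasons.append("instance security group does not allow this source/port")
    return (not reasons, reasons)


# Constructed connected VPC: 192.168.10.0/24 is routed to the active X-ENI,
# 192.168.20.0/24 still points at a stale X-ENI left over from a failover.
SAMPLE_VPC = ConnectedVpc(
    cidr="10.10.0.0/16",
    main_routes=[
        Route("10.10.0.0/16", "local"),
        Route("192.168.10.0/24", "eni-0aaa111122223333a"),  # active X-ENI (made up)
        Route("192.168.20.0/24", "eni-0bbb444455556666b"),  # stale X-ENI (made up)
    ],
    active_xeni="eni-0aaa111122223333a",
    instance_sg=[
        SgRule("tcp", 443, 443, "192.168.10.0/24"),  # HTTPS from one SDDC segment
        SgRule("tcp", 22, 22, "10.10.0.0/16"),       # SSH only from inside the VPC
    ],
)


def demo() -> dict[str, tuple[bool, list[str]]]:
    return {
        "https_from_routed_segment": flow_permitted(SAMPLE_VPC, "192.168.10.5", "tcp", 443),
        "https_from_stale_segment": flow_permitted(SAMPLE_VPC, "192.168.20.5", "tcp", 443),
        "ssh_from_routed_segment": flow_permitted(SAMPLE_VPC, "192.168.10.5", "tcp", 22),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(name, "ALLOWED" if ok else "BLOCKED", why)
```

The stale-route case is the one worth keeping in mind operationally: after an X-ENI failover the SDDC updates the main route table itself, so a custom route table associated with the subnet hosting the EC2 instance, or a manually added static route, can silently leave return traffic pointing at the wrong interface while the security group looks correct.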
A single Amazon VPC can serve as the connected VPC for multiple VMware Cloud on AWS SDDCs, but each SDDC can be integrated with only one connected VPC. Some large enterprises need their SDDCs to reach AWS services spread across multiple Amazon VPCs; in that case, they can use SDDC groups and VMware Transit Connect to establish connectivity between the Amazon VPCs and the SDDCs. VMware-AWS network connectivity using AWS Transit Gateway and VMware Transit Connect was covered in Chapter 2.
Having covered the prerequisites, let us explore some validated and commonly used native AWS service integrations for VMware Cloud on AWS workloads.