Organizations can deploy monitoring and troubleshooting applications from VMware (including Aria Operations, Operations for Logs, and Operations for Networks) or from third-party vendors. The prerequisite gateway firewall rules must be configured before these tools can reach the SDDC and function correctly.
Additionally, organizations can leverage NSX IPFIX and port mirroring functionality for monitoring and troubleshooting the VMware Cloud on AWS SDDC networking and security. IPFIX, a standard for network flow information export and analysis, can be configured to capture all the flows from VMs connected to a logical segment and then send them to the IPFIX collector. Organizations can specify the collector names as a parameter for each IPFIX switch profile.
Organizations can use port mirroring to redirect all traffic from a particular source to a collector, where the mirrored traffic is sent through a Generic Routing Encapsulation (GRE) tunnel to preserve all the original packet information as it traverses the network to a remote destination. Port mirroring has various applications, including troubleshooting, where it can be utilized to detect intrusion, debug, and diagnose network errors. Additionally, it can be used for compliance and monitoring purposes, where all the monitored traffic can be forwarded to a network appliance for analysis and remediation.
Port mirroring requires two groups: a source group whose traffic is monitored and a destination group that receives the copied traffic. The membership criteria for the source group group VMs by workload, such as a web group or an application group. The membership criteria for the destination group, on the other hand, require VMs to be grouped by IP address. Port mirroring has one enforcement point, where the policy rules are applied to the SDDC environment. Port mirroring can be configured for ingress, egress, or bidirectional traffic.
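On the collector side, the analyst (or the appliance) has to strip the GRE tunnel header before the original frame can be inspected. The following is an added example, not code from the book or from VMware: a small Python decapsulator that parses the outer IPv4 and GRE headers, reads the optional checksum, key, and sequence fields, and extracts the inner frame's IPv4/L4 5-tuple. It assumes the inner payload is a complete Ethernet frame carried with GRE protocol type 0x6558 (transparent Ethernet bridging); the sample packet is constructed inline.

```python
import struct
import ipaddress

GRE_PROTO_TEB = 0x6558  # assumed: inner payload is a whole L2 frame (transparent Ethernet bridging)
IPPROTO_GRE, ETH_P_IP = 47, 0x0800

def _ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left zero because this is constructed sample data.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_gre_mirror(packet):
    """Decapsulate one outer IPv4+GRE packet as a collector would; return outer endpoints,
    GRE options and the mirrored frame's inner IPv4/L4 5-tuple."""
    if packet[0] >> 4 != 4 or packet[9] != IPPROTO_GRE:
        raise ValueError("not an IPv4/GRE packet")
    ihl = (packet[0] & 0x0F) * 4
    info = {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(packet[16:20]))}
    gre = packet[ihl:]
    flags, proto = struct.unpack("!HH", gre[:4])
    off = 4
    if flags & 0x8000:                      # C bit: checksum + reserved1 (4 bytes, skipped)
        off += 4
    for bit, name in ((0x2000, "key"), (0x1000, "seq")):   # K bit, S bit: 32-bit fields
        if flags & bit:
            info[name] = struct.unpack("!I", gre[off:off + 4])[0]
            off += 4
    if proto != GRE_PROTO_TEB:
        raise ValueError(f"unexpected GRE protocol type 0x{proto:04x}")
    frame = gre[off:]                       # the original Ethernet frame, byte for byte
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return info                         # non-IP frame: only outer information available
    ip = frame[14:]
    iihl = (ip[0] & 0x0F) * 4
    info.update(inner_src=str(ipaddress.IPv4Address(ip[12:16])),
                inner_dst=str(ipaddress.IPv4Address(ip[16:20])), inner_proto=ip[9])
    if ip[9] in (6, 17):                    # TCP/UDP: ports are the first four L4 bytes
        info["inner_sport"], info["inner_dport"] = struct.unpack("!HH", ip[iihl:iihl + 4])
    return info

def build_sample_mirror_packet():
    """Constructed sample: a mirrored HTTPS SYN from a web VM, tunnelled in GRE with key 42."""
    tcp = struct.pack("!HHIIBBHHH", 51515, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner_ip = _ipv4_header("192.168.10.11", "192.168.20.22", 6, len(tcp)) + tcp
    frame = bytes.fromhex("020000000001020000000002") + b"\x08\x00" + inner_ip
    gre = struct.pack("!HHI", 0x2000, GRE_PROTO_TEB, 42) + frame
    return _ipv4_header("10.0.0.5", "10.0.0.50", IPPROTO_GRE, len(gre)) + gre
```

Feeding each received tunnel packet through parse_gre_mirror lets the collector log the inner 5-tuple (and the GRE key that identifies the mirroring session) rather than just the tunnel endpoints.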
The VMware Cloud on AWS SDDC console features a Troubleshooting tab with a connectivity validator that enables organizations to conduct network connectivity tests to ensure that they have all the necessary network connectivity and firewall rules in place. Currently, the console supports two tests: HLM and Site Recovery.
With HLM (Hybrid Linked Mode), organizations can manage their on-premises vCenter and VMware Cloud on AWS SDDC vCenter inventories from a unified vSphere Client interface, giving a single-pane-of-glass management view. HLM also allows organizations to migrate workloads between their on-premises data center and the cloud SDDC. HLM is based on the Enhanced Linked Mode (ELM) feature, a component of vSphere when deployed in the on-premises environment. Figure 8.14 shows the Troubleshooting tab of the VMware Cloud on AWS SDDC console as used for the HLM connectivity test:

Figure 8.14 – Troubleshooting HLM
The connectivity validator requires certain inputs, including the on-premises DNS server, vCenter Server, and AD services. Depending on the test results, VMware provides recommendations to correct the problem, which could include allowing traffic on on-premises firewalls, AWS Security Groups or NACLs, or the VMware Cloud Gateway Firewall.
VMware Site Recovery is a DR-as-a-service add-on for VMware Cloud on AWS SDDCs that enables organizations to protect and recover applications without requiring a dedicated secondary site. The service is provided on demand and is delivered, sold, and supported by VMware. Organizations can use VMware Site Recovery for DR, disaster avoidance, and non-disruptive testing. The solution extends VMware Cloud on AWS and integrates with VMware Site Recovery Manager (SRM) and VMware vSphere Replication (VSR) to automate the recovery, testing, re-protection, and failback of VM workloads. VMware Site Recovery can be implemented between an organization's data center and a VMware Cloud on AWS SDDC, or between two VMware Cloud on AWS SDDCs deployed in different AWS Regions. Figure 8.15 shows the Troubleshooting tab of the VMware Cloud on AWS SDDC console as used for the Site Recovery connectivity test.

Figure 8.15 – Troubleshooting VMware Site Recovery
To use the connectivity validator for Site Recovery, the FQDNs/IP addresses of the on-premises vCenter Server and Platform Services Controller, as well as of the on-premises SRM and VSR servers, are required. Figure 8.16 shows the Support tab of the VMware Cloud on AWS SDDC console.

Figure 8.16 – Support Information
VMware Cloud on AWS organizations that require assistance can contact VMware for support through the VMware Cloud Services Console. VMware support personnel may request information such as the organization ID and SDDC ID, both of which can be found on the Support tab.