Integration between the VMware SDDC & AWS
1h 6m

In today's world where cloud computing is a key strategy for many organizations, having the right deployment is essential. Some organizations implement private clouds within their own local data center, others host their entire infrastructure on the public cloud. However, many organizations have a need to implement a hybrid cloud architecture, combining elements of both the public and private clouds. VMware Cloud on AWS provides a simple and effective method of establishing a hybrid cloud environment.

VMware is a leading vendor when it comes to the virtualization of resources such as compute, storage, and network infrastructure. As a result, many organizations have used or currently utilize VMware within their own data center to manage and optimize their environment, often in their own private clouds.

VMware Cloud on AWS allows you to seamlessly transition your VM workloads to the AWS cloud to take advantage of the benefits that a public cloud can provide such as:

  • On-demand resourcing
  • Scalability
  • Flexibility
  • High availability
  • Security
  • Utility-based metering
  • Regional expansion

This integration with AWS also opens up the potential to allow for communication between your VMs and the many services and features that AWS provides. This means your apps and resources in VMware Cloud on AWS can take advantage of AWS object storage such as S3, NoSQL databases such as DynamoDB, EC2 instances, and much more.

The service itself runs on bare-metal AWS hosts, so you continue to run the ESXi hypervisor and the same suite of VMware software and management products that you use on-premises. Both environments can be controlled by VMware vCenter for ease of management.

This course takes an introductory look at VMware Cloud on AWS, providing an overview of what it is, how it can benefit your business, its underlying architecture, its integration with AWS and its service, and much more.

Learning Objectives

By the end of this course you will:

  • Be able to explain the components of the Software Defined Data Center provided by VMware
  • Understand what the VMware Cloud on AWS service is
  • Have an understanding of how VMware Cloud on AWS could provide benefits to you and your business
  • Have an awareness of how VMware Cloud on AWS connects to your AWS account and how you could provide communication between that and your SDDC
  • Understand how maintenance and support is provided across the service
  • Be able to explain a range of different use cases that you as a business could utilise the service for
  • Understand how much the service is likely to cost

Intended Audience

This course would be of benefit to:

  • Business managers looking to understand what VMware Cloud on AWS can provide the enterprise
  • VMware and AWS Architects looking to understand how VMware Cloud on AWS works in conjunction with the AWS public cloud and VMware’s private on-premises architecture
  • Anyone who wants to gain an introductory understanding of the VMware Cloud on AWS service


This introductory course does not go into detail about how to configure and implement the VMware Cloud on AWS service, instead it’s designed to provide you with enough information to understand what it is and what it’s used for. However, as a prerequisite to this course, it would be advantageous, but not essential to have a basic understanding of:

This course includes

9 lectures




Hello and welcome to this lecture, where I want to discuss and explain how you can leverage the services and features offered by AWS when running your SDDC with VMware Cloud on AWS.

One of the many benefits of using VMware Cloud on AWS is the fact that you can take advantage of many AWS services and features to enhance and innovate your applications and infrastructure.

Over time, more and more AWS services will be available to work in conjunction with the service. So let's start at the beginning: the creation of your software-defined data center (SDDC).

As a prerequisite, you'll need to ensure that you have an AWS account, as you'll be asked to associate this account during the creation of your VMware SDDC. During the initial release of the service, you'll only be allowed to associate a single AWS account. You'll also need to associate an AWS VPC (Virtual Private Cloud) and a subnet within that VPC. The subnet should be in the same AWS region as your newly created SDDC and have a mask of at least /27. It's worth noting that you can only connect one VPC to your SDDC.

As a part of this configuration, AWS will attach an ENI (Elastic Network Interface) to your selected subnet to allow communication between your SDDC and your AWS VPC. This provides a high-bandwidth, low-latency private link across the internal AWS network; as such, it does not use any AWS internet gateway or public network to communicate between your VMware and AWS environments. Before you're able to fully communicate between the VMs in your SDDC and your resources within AWS, you need to configure firewalls and routing, and configuration changes are required on both sides.

Let's look at the SDDC first. Let's say, for example, you want to communicate with EC2 instances within your VPC from VMs in your SDDC. From the VMware side of things, you need to know the logical network where your VMs reside. Following this, you can set up the relevant firewall rules using the VMware Cloud on AWS portal to allow both inbound and outbound connectivity between your logical network and your VPC.

Within the rule, you can provide a rule name and an action, such as allow or deny; for this example, we'll set it to allow. We'll then specify the source and destination: the source would be your logical network and the destination your VPC. Next comes the service, such as HTTP or all traffic; for this example, we can say all traffic. Finally, the ports used. You will then need to create another rule for inbound traffic where the source and destination are reversed.

From the SDDC side of things, you will then be set. Now there are some changes that you need to make within your AWS account. From within your AWS account, you need to select the route table associated with the subnet or subnets where the EC2 instances you want to communicate with reside, and add a new route.

If you select a different subnet from the one that you associated during the creation of your SDDC, then you may incur cross-availability-zone charges; more on pricing will be discussed in a later lecture. This new route will point to the logical network that you created within your SDDC, with its target set to the Elastic Network Interface that was automatically created following the VPC association during the SDDC creation.

The final part of the process to allow communication between your VMs and the EC2 instances in your VPC requires the security groups of the EC2 instances to be updated with the relevant rules. Security groups act as virtual firewalls, filtering traffic at the instance level. Within the security group of the associated EC2 instances, you'll need to add a new rule to allow the relevant traffic. For incoming traffic, you will need to set the source to the CIDR block of the logical network in the SDDC and specify the traffic type, protocols and ports to be used. You will now be able to establish communication from the VMs on your logical network in your SDDC through to the EC2 instances running in your AWS account.

From a routing perspective, the VMs' logical network uses the compute gateway to connect to the ENI within the VPC. From there, routing to all other subnets is enabled automatically; routes back to the logical network are added by updating the route tables as explained previously. From a security perspective, firewalls on both the SDDC side and the AWS side must also be configured: on the SDDC side through the VMware Cloud on AWS portal, and on the AWS side through the AWS Management Console. You can communicate with a range of AWS services, not just EC2 as explained here; you just need to ensure that you have your routing and firewalls configured on both sides to allow communication between the SDDC compute gateway and the ENI in your VPC.

To access some services, such as S3 or DynamoDB, you may need to create a VPC endpoint. These services are classed as abstract services, meaning you don't actually deploy the resources they offer within your VPC, so you use an endpoint to connect to them. These endpoints allow a secure connection to the service using AWS's own internal network.

If, for example, you want to connect to and access an S3 bucket from the SDDC, then you could perform the following steps to allow communication in AWS.

Create an S3 endpoint and associate it with your VPC and the subnet that was selected during your SDDC creation. Ensure the correct routing is configured in the VPC route table. Edit your AWS VPC security group to ensure it allows the correct protocol and port, such as HTTPS, from the logical network in your SDDC. Then, in your SDDC, configure the correct firewall rules for your compute gateway to allow the relevant inbound and outbound traffic, again such as HTTPS, to your AWS VPC connection. Once this is configured, VMs within your logical network can access objects within S3 using their HTTPS URL.
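The EC2 walkthrough above and the S3 endpoint steps share the same shape: a compute gateway rule in each direction, a route back to the logical network that targets the ENI, and a security group rule admitting the logical network's CIDR. The following is an added example, not code from the course or from VMware/AWS, that models that two-sided configuration offline and reports which side is missing a piece for a given flow. It assumes first-match, default-deny evaluation for the compute gateway rules and uses only constructed CIDRs, rule sets and an `eni-EXAMPLE0001` placeholder id; the S3 gateway endpoint's prefix-list route is not modelled, only the HTTPS rules it needs on both sides.

```python
"""
Offline model of the two-sided configuration the lecture describes for traffic
between VMs on an SDDC logical network and resources in the connected VPC:
the compute gateway firewall rules (outbound plus the reversed inbound rule),
the VPC route table entry pointing back at the ENI, and the security group on
the AWS resource. Every CIDR, id and rule here is constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One firewall rule, either a compute gateway rule or a security group rule."""
    action: str        # "allow" or "deny"
    source: str        # CIDR or "any"
    destination: str   # CIDR or "any"
    protocol: str      # "tcp", "udp" or "any"
    port: object       # port number or "any"


def in_cidr(cidr: str, addr: str) -> bool:
    """True when the host address addr lies inside cidr ("any" matches everything)."""
    return cidr == ANY or ip_address(addr) in ip_network(cidr)


def first_match(rules, src: str, dst: str, proto: str, port: int) -> str:
    """First matching rule wins; nothing matching means deny (default-deny assumed)."""
    for r in rules:
        if (in_cidr(r.source, src) and in_cidr(r.destination, dst)
                and r.protocol in (ANY, proto) and r.port in (ANY, port)):
            return r.action
    return "deny"


def route_target(routes: dict, addr: str):
    """Longest-prefix lookup in a route table given as {destination CIDR: target id}."""
    hits = [(ip_network(d).prefixlen, t) for d, t in routes.items() if in_cidr(d, addr)]
    return max(hits)[1] if hits else None


def subnet_is_large_enough(subnet_cidr: str) -> bool:
    """The lecture requires the subnet associated with the SDDC to be at least a /27."""
    return ip_network(subnet_cidr).prefixlen <= 27


@dataclass
class Config:
    logical_network: str   # SDDC logical network the VMs live on
    eni_id: str            # ENI that AWS attached to the chosen subnet at SDDC creation
    sddc_rules: list       # compute gateway rules, first match wins
    vpc_routes: dict       # route table of the subnet(s) hosting the EC2 instances
    sg_ingress: list       # security group ingress rules (allow only; groups are stateful)


def check_flow(cfg: Config, src_ip: str, dst_ip: str, proto: str, port: int) -> list:
    """List the configuration gaps that would block VM src_ip -> EC2 dst_ip on proto/port."""
    problems = []
    # 1. Compute gateway: outbound rule from the logical network to the VPC
    if first_match(cfg.sddc_rules, src_ip, dst_ip, proto, port) != "allow":
        problems.append("SDDC: no allow rule for outbound VM -> VPC traffic")
    # 2. Compute gateway: the reversed rule the lecture asks for (VPC -> logical network)
    if first_match(cfg.sddc_rules, dst_ip, src_ip, proto, port) != "allow":
        problems.append("SDDC: no reversed allow rule for the inbound direction")
    # 3. VPC route table: the return path to the logical network must target the ENI
    target = route_target(cfg.vpc_routes, src_ip)
    if target != cfg.eni_id:
        problems.append(f"VPC: route to {cfg.logical_network} must target {cfg.eni_id}, found {target}")
    # 4. Security group: ingress from the logical network CIDR on the chosen protocol/port
    if first_match(cfg.sg_ingress, src_ip, dst_ip, proto, port) != "allow":
        problems.append("SG: ingress from the SDDC logical network is not permitted")
    return problems


# Constructed sample values (not real ids or address plans)
SDDC_NET = "192.168.10.0/24"
VPC_CIDR = "10.0.0.0/16"
ENI = "eni-EXAMPLE0001"
SAMPLE = Config(
    logical_network=SDDC_NET,
    eni_id=ENI,
    sddc_rules=[
        Rule("allow", SDDC_NET, VPC_CIDR, "tcp", 22),
        Rule("allow", VPC_CIDR, SDDC_NET, "tcp", 22),   # the reversed rule
        Rule("allow", SDDC_NET, VPC_CIDR, "tcp", 443),
        Rule("allow", VPC_CIDR, SDDC_NET, "tcp", 443),
    ],
    vpc_routes={VPC_CIDR: "local", SDDC_NET: ENI},
    sg_ingress=[Rule("allow", SDDC_NET, ANY, "tcp", 22)],  # SSH only; HTTPS forgotten
)

if __name__ == "__main__":
    print("ssh  :", check_flow(SAMPLE, "192.168.10.5", "10.0.1.10", "tcp", 22) or "ok")
    print("https:", check_flow(SAMPLE, "192.168.10.5", "10.0.1.10", "tcp", 443) or "ok")
```

Running the sample shows the failure mode the lecture warns about: the SDDC side is complete for both ports, but the HTTPS flow still fails because the AWS-side security group was only opened for SSH. Removing the `SDDC_NET` route from `vpc_routes` instead produces the route-table finding, which is the other common cause of one-way reachability.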

It's great being able to access other services running in AWS such as EC2 or S3, but what if you wanted to take advantage of the wider range of services? For example, the extensive range of edge services that AWS has to offer, such as CloudFront, WAF, Shield, Route 53 and Application Load Balancers. How could you use these to your advantage from within your SDDC?

Well, the process would be fairly simple. Let's say, for example, you had a web-facing application hosted on VMs running in your SDDC, but you wanted to take advantage of the AWS services available to increase security and reduce latency using a content delivery network such as Amazon CloudFront.

From a high-level perspective, you could configure the following architecture. Starting from the edge network, you could use Amazon CloudFront to securely distribute your web traffic, helping to provide low latency to your end users whilst also controlling which traffic is directed to your origin. In this scenario, the origin could point to an Application Load Balancer.

In addition to this, the CloudFront distribution could work in conjunction with AWS WAF (Web Application Firewall) and AWS Shield. The WAF service would monitor and filter traffic, blocking common attack patterns such as cross-site scripting and SQL injection, and Shield would help to mitigate and protect your environment from a distributed denial of service (DDoS) attack.

Also, you could leverage Amazon Route 53, which provides the DNS service; here you could point the URL of your web app to the CloudFront distribution. Once traffic is directed to your CloudFront distribution, a number of security checks are performed in conjunction with the web application firewall service.

This strips out a lot of potentially malicious traffic before it reaches your Application Load Balancer. Once traffic does reach your ALB, which, remember, is the origin of your CloudFront distribution, the ALB will be associated with a number of web servers. These web servers are VMs running in your SDDC on a logical network connected to your VPC via the compute gateway and the ENI in your VPC.

Once routing and firewalls have been configured, the web traffic will be distributed among these web application VMs to process the traffic. So in this scenario, a huge amount of security and processing can be handled by AWS services, filtering out traffic before it reaches the VMware SDDC and its VMs.

There are obviously many, many different scenarios in which you can utilize AWS services, from analytics and security to database deployments, all of which can be managed between the compute gateway and the Elastic Network Interface associated with your VPC. That now brings me to the end of this lecture.
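The filtering that CloudFront, WAF and Shield provide in the design above only covers traffic that actually passes through CloudFront; if the ALB origin also accepts connections straight from the internet, an attacker can reach the SDDC-hosted web servers without ever meeting the WAF. The following is an added example, not code from the course or from AWS, that audits the ALB's security group ingress rules for that gap and shows the hardened rule set beside the weak one. It assumes the listener ports are 80 and 443 and that the intended source is CloudFront's origin-facing managed prefix list, represented here by the constructed placeholder `pl-CLOUDFRONT-EXAMPLE`; all rule data is constructed.

```python
"""
Offline audit of the security group on the Application Load Balancer that acts
as the CloudFront origin. CloudFront, WAF and Shield only filter traffic that
actually passes through CloudFront, so the ALB's listener ports should accept
connections from CloudFront's origin-facing managed prefix list rather than
from the whole internet. The prefix list id and every rule below are
constructed sample data, not values from a real account.
"""
from dataclasses import dataclass, replace

# Placeholder for the id of the CloudFront origin-facing managed prefix list as it
# appears in your account; constructed value, not a real id.
CLOUDFRONT_PREFIX_LIST = "pl-CLOUDFRONT-EXAMPLE"
LISTENER_PORTS = (80, 443)
OPEN_SOURCES = ("0.0.0.0/0", "::/0")


@dataclass(frozen=True)
class SgRule:
    """One security group ingress rule; protocol "-1" means all protocols and ports."""
    protocol: str
    from_port: int
    to_port: int
    source: str   # CIDR or prefix-list id


def covers_listener(rule: SgRule) -> bool:
    """Does this rule admit traffic to any of the ALB listener ports?"""
    if rule.protocol == "-1":
        return True
    return rule.protocol == "tcp" and any(
        rule.from_port <= p <= rule.to_port for p in LISTENER_PORTS)


def audit(rules) -> list:
    """Return (finding, rule) pairs for listener rules that let traffic skip CloudFront.

    "open"   : the listener is exposed to the whole internet
    "bypass" : some other source reaches the origin without passing CloudFront/WAF;
               confirm it is intended (e.g. an internal health check) or remove it
    """
    findings = []
    for r in rules:
        if not covers_listener(r) or r.source == CLOUDFRONT_PREFIX_LIST:
            continue
        findings.append(("open" if r.source in OPEN_SOURCES else "bypass", r))
    return findings


def harden(rules) -> list:
    """Rewrite internet-open listener rules to accept only the CloudFront prefix list."""
    return [replace(r, source=CLOUDFRONT_PREFIX_LIST)
            if covers_listener(r) and r.source in OPEN_SOURCES else r
            for r in rules]


# Constructed sample: a typical "open to the world" web security group
WEAK_SG = [
    SgRule("tcp", 443, 443, "0.0.0.0/0"),
    SgRule("tcp", 80, 80, "0.0.0.0/0"),
    SgRule("tcp", 22, 22, "10.0.0.0/16"),   # management access, not a listener port
]

if __name__ == "__main__":
    for finding, rule in audit(WEAK_SG):
        print(f"{finding}: {rule}")
    print("after hardening:", audit(harden(WEAK_SG)) or "no findings")
```

The audit treats any non-CloudFront source on a listener port as worth a look, because even an internal range reaching the ALB directly is a path around the WAF; the "bypass" finding is deliberately distinct from "open" so that an intended health-check or SDDC-side source can be accepted consciously rather than silently.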

Coming up in the following lecture, I shall be discussing how maintenance and support is managed across VMware Cloud on AWS.

About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.