VMware Cloud on AWS – Hybrid Linked Mode

I recently posted about how my company is now a MSP reseller of VMware Cloud on AWS (VMC).  I showed how easy it is to quickly spin up a VMware SDDC in the public cloud.  Since I finally had a SDDC at my disposal, I went through and configured hybrid linked mode with our vSphere 6.5 lab environment.  The first step for enabling hybrid linked mode is to get some kind of connectivity between your management cluster in VMC and your on-prem environment.  For this I utilized NSX in our lab and created an IPSec VPN tunnel between the two sites.  I went into our NSX Edge and began the IPSec VPN configuration:

1

To start, the IPSec service was stopped and the global configuration needed to be set.  I also clicked the ‘+’ sign to create a new IPSec VPN.  For the configuration, I put in the Local ID and Endpoint as the IP address of the NSX Edge interface being used for the VPN.  The public IP address of the VMC management cluster was entered for the Peer ID and Endpoint.  Both the local and peer subnets that need to be able to communicate via the VPN tunnel were also configured.  I created a pre-shared key to use on each side of the VPN and entered that as well:

2

Once the VPN was created on the NSX side, I started up the IPsec service, made sure the new VPN was enabled and then moved over to the VMC console to configure the public end of the VPN:

3

The great part about the VMC on AWS service is that if you click the Getting Started link on top right-hand side of the console, you can select to configure hybrid linked mode and it will point you in the right direction for how to configure the VMC side of things.  The first step is to create the VMC management cluster end of the IPSec VPN tunnel.  The remote IPs now refer to the on-prem data center, and the encryption, diffie hellman, ike version and pre-shared keys need to match what was configured on the other end:

4

NOTE: in this configuration we are using NAT due to the fact that we have a Cisco ASA as the actual edge device in our lab.  To be able to utilize NSX for the IPSec VPN, we had to NAT a public IP from the firewall down to the NSX Edge.  Above, you can see the Remote Gateway Private IP configured, which is necessary if NAT is being used, and points to the internal IP of the NAT for the NSX Edge. 

Once the IPSec VPN is created, it will say Connected and show a green dot next to the status.  If it is disconnected it could be that some kind of configuration for the VPN is wrong or something with the firewall is not allowing it to connect properly.  In my case, the VPN did not come up initially due to NAT.  We have a Cisco switch between the ASA and our on-prem data center running NSX, and because of NAT, I needed to add a route statement telling this traffic to utilize the NSX Edge VPN directly, rather than the physical ASA edge device: 

ip route [peer-network] [peer-subnetmask] [local-vpn-endpoint]

9

Once that route was added, the VPN came up as I expected:

6

The VMC console comes with a Firewall Rule Accelerator, which basically takes the info from your VPN connection and plugs it into all of the firewall rules you will need to allow for hybrid linked mode to work properly.  Simply click the Add firewall rules button and watch as the automation does it’s magic:

5

Now that the VPN connectivity is up and the necessary firewall rules have been enabled, linking the two vCenters can begin.  VMware has a great post that takes you through that part of the process.  I simply followed the steps in that link, which at a high level are:

– In the VMC console, edit DNS to point to your on-prem DNS servers
– Add the on-prem identity source to the VMC vCenter
– Create a cloud administrators group and add on-prem users
– Link VMC to your on-prem vSphere SSO domain

Once complete, you will get a message that the domain has been linked.

10

Log out of the VMC vCenter web client and log back in as one of your on-prem users that was added to the cloud administrator group earlier in the process.  Once logged in, you should now see both your on-prem AND your VMC vCenter in the web client, proving that hybrid linked mode is good to go!

11

So now you have a VMware SDDC running in AWS, which is linked to your on-prem data center.  What to do from here?  Stay tuned for the next VMC on AWS post…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.