Feature Brief: VPC Peering for External Storage
Today, we are excited to announce the VPC Peering support for VMware Cloud on AWS, marking a key milestone for those seeking to unlock the full potential of NFS Datastore support. With VPC Peering, single-AZ customers no longer face the mandatory requirement of deploying the VMware Transit Connect as their connectivity solution, bridging between their VMware Cloud on AWS SDDCs and Amazon FSx for NetApp ONTAP file systems. As a valued customer, you now enjoy both choice and a compelling alternative for network connectivity that maintains performance and reduces overall expenses by removing Amazon Transit Gateway processing fees.
It's important to emphasize that while VPC Peering is the preferred method for connecting Amazon FSx for NetApp ONTAP NFS datastores to the SDDC, there are specific use cases where VMware Transit Connect remains essential. For instance, if you intend to extend storage to the guest OS (NFS/SMB/iSCSI) or require multi-AZ Amazon FSx for NetApp ONTAP filesystems, then the use of VMware Transit Connect becomes necessary.
Prerequisites and Assumptions
To get started with this feature, the following pre-requisites must be met:
- The minimum SDDC version must be 1.20
- VPC Peering only supports NFS Datastore connectivity
- The SDDC is deployed in a single-AZ
- The Amazon FSx for NetApp ONTAP file system is deployed in a single-AZ
- The SDDC and Amazon FSx for NetApp ONTAP file system are deployed in the same region (The same AZ is strongly recommended to improve latency and avoid cross-AZ charges)
- The SDDC must not contain any overlapping CIDR with the peered Amazon VPC
- The peered Amazon VPC must not contain the default 172.31.0.0/16 CIDR
What is VPC Peering?
Amazon VPC (Virtual Private Cloud) peering is a feature that allows secure and direct communication between two VPCs within the AWS cloud infrastructure. This connection creates a private network, enabling seamless data transfer and resource sharing between Amazon VPCs while maintaining network isolation. With no reliance on a network appliance, gateway, or VPN connection, VPC Peering eliminates the risk of a single point of failure for communication or any potential bandwidth bottleneck. Furthermore, and in the context of NFS datastore support, VPC peering offers a cost-efficient advantage, particularly for storage traffic, as it imposes no charges for creating the connection and does not meter data transfers that remain within the same Availability Zone (AZ). Conversely, deploying your SDDC in a different AZ to the Amazon FSx for NetApp ONTAP filesystem will result in Cross-AZ data transfer charges.
How does it work?
This feature works by establishing a peering connection exclusively for NFS storage traffic between two Amazon VPCs: first, the VPC managed by VMware to host your SDDC resources, also referred to as the Shadow VPC and serving as the requester VPC, and secondly, a customer-managed VPC, serving as the accepter VPC. The customer-managed VPC can be in the same AWS Account as the Connected VPC used during the SDDC onboarding process or as part of another AWS account. Nonetheless, the role of this VPC is to provide access to the Amazon FSx for NetApp ONTAP file system.
Create VPC Peering
To enable the VPC Peering feature in your SDDC, customers will need to first contact their VMware Customer Success or Account representatives to request the feature. This request cannot be initiated by contacting VMware Support.
As part of the request, it’s advisable to have the following information ready, to accelerate the processing and completion of your VPC Peering request:
- Organization ID: This is the Organization ID containing the SDDC you intend to designate for VPC Peering. You can retrieve this information through the VMware Cloud Services Console.
- SDDC ID: This is the SDDC ID you intend to designate for VPC Peering. You can retrieve this information through the VMware Cloud Services Console.
- AWS Account ID: This is the AWS Account ID containing the customer-managed VPC you intend to designate for VPC Peering. You can retrieve this information through the AWS Management Console.
- Customer VPC ID: This is the customer VPC intended for VPC Peering. This will be the VPC selected when deploying the Amazon FSx for NetApp ONTAP file system.
After the request has been processed, VMware will proceed to initiate a VPC Peering request from the customer’s SDDC to the customer-provided VPC. As a result, a single VPC peering connection in a “pending-acceptance” state will appear in the customer's Amazon VPC console, under “Peering connections”.
The customer will also receive an email confirmation confirming their selection and the successful creation of the peering connection.
Accept VPC Peering (Customer Account)
Once the VPC Peering connection has been created, it is now required for customers to accept the VPC Peering request initiated by VMware. This step must be accepted on the customer’s AWS Management Console within 7 days. If the request is not accepted, the connection will expire, and the customer will need to delete this request before submitting a new one. It’s important to note that this step may not succeed if any issues are encountered, such as detecting overlapping CIDRs between the customer-provided VPC and the SDDC Logical Segments, HCX, Route Aggregation, and Connected VPC CIDRs.
Crucially, once the connection has been accepted, the customer must promptly notify VMware, confirming the successful acceptance of the VPC Peering and signalling readiness for the finalization step. During this final step, VMware configures the network parameters to route traffic from the SDDC to the peered VPC, with an automatic preference for the VPC Peering connection. Additionally, VMware also configures security groups and Network ACLs within the shadow VPC to only permit NFS traffic; any other traffic is explicitly blocked and not supported.
VPC Configurations (Customer Account)
Once VMware completes the finalization process, an email will be sent to confirm that VPC Peering is completed.
Now it's the customer's responsibility to update the peered VPC Route table, security groups, and NACLs. Firstly, the customer is required to update the peered VPC security group, which involves adding an entry to the inbound rules. This entry should specify the SDDC Management CIDR along with the appropriate NFS port numbers. With security measures in place, it is then recommended to enable routing by adding a new entry to the peered VPC Route table with the SDDC Management CIDR set as the destination and the newly established VPC Peering connection designated as the Target.
Attach NFS Datastore
After successfully establishing the VPC peering connectivity, proceed to the VMC Console to initiate the NFS datastore mounting. This process remains identical to the previous method involving the VMware Transit Connect, ensuring a seamless and consistent experience without any alterations.
The introduction of VPC peering support now enables customers to take full advantage of VMware Cloud on AWS in combination with Amazon FSx for NetApp ONTAP, all while avoiding the added expenses of AWS Transit Gateway data processing fees. This not only helps in reducing the total cost of ownership (TCO) but also extends the capabilities when operating within VMware Cloud on AWS.
Follow the VMware Cloud on AWS integration with Amazon FSx for NetApp ONTAP Deployment Guide for a more detailed walkthrough.