Feature Brief: VPC Peering for External Storage
Introduction
The VPC Peering support for VMware Cloud on AWS marks a key milestone for those seeking to unlock the full potential of NFS Datastore support. With VPC Peering, single-AZ customers no longer face the mandatory requirement of deploying the VMware Transit Connect as their connectivity solution, bridging between their VMware Cloud on AWS SDDCs and Amazon FSx for NetApp ONTAP file systems. As a valued customer, you now enjoy both choice and a compelling alternative for network connectivity that maintains performance and reduces overall expenses by removing Amazon Transit Gateway processing fees.
It's important to emphasize that while VPC Peering is the preferred method for connecting Amazon FSx for NetApp ONTAP NFS datastores to the SDDC, there are specific use cases where VMware Transit Connect remains essential. For instance, if you intend to extend storage to the guest OS (NFS/SMB/iSCSI) or require multi-AZ Amazon FSx for NetApp ONTAP filesystems, then the use of VMware Transit Connect becomes necessary.
Prerequisites and Assumptions
To get started with this feature, the following prerequisites must be met:
- The minimum SDDC version must be 1.20
- VPC Peering only supports NFS Datastore connectivity
- The SDDC is deployed in a single-AZ
- The Amazon FSx for NetApp ONTAP file system is deployed in a single-AZ
- The SDDC and Amazon FSx for NetApp ONTAP file system are deployed in the same region (The same AZ is strongly recommended to improve latency and avoid cross-AZ charges)
- The SDDC must not contain any overlapping CIDR with the peered Amazon VPC
- The peered Amazon VPC must not contain the default 172.31.0.0/16 CIDR
What is VPC Peering?
Amazon VPC (Virtual Private Cloud) peering is a feature that allows secure and direct communication between two VPCs within the AWS cloud infrastructure. This connection creates a private network, enabling seamless data transfer and resource sharing between Amazon VPCs while maintaining network isolation. With no reliance on a network appliance, gateway, or VPN connection, VPC Peering eliminates the risk of a single point of failure for communication or any potential bandwidth bottleneck. Furthermore, and in the context of NFS datastore support, VPC peering offers a cost-efficient advantage, particularly for storage traffic, as it imposes no charges for creating the connection and does not meter data transfers that remain within the same Availability Zone (AZ). Conversely, deploying your SDDC in a different AZ to the Amazon FSx for NetApp ONTAP filesystem will result in Cross-AZ data transfer charges.
How does it work?
This feature works by establishing a peering connection exclusively for NFS storage traffic between two Amazon VPCs: first, the VPC managed by VMware to host your SDDC resources, also referred to as the Shadow VPC and serving as the requester VPC, and secondly, a customer-managed VPC, serving as the accepter VPC. The customer-managed VPC can be in the same AWS Account as the Connected VPC used during the SDDC onboarding process or as part of another AWS account. Nonetheless, the role of this VPC is to provide access to the Amazon FSx for NetApp ONTAP file system.
Create VPC Peering (VMware Cloud on AWS Console)
Establishing this connectivity method involves a series of actions coordinated between the VMware Cloud Console and the AWS console. Firstly, you will initiate the request to create a VPC Peering connection via the VMware Cloud Console. Following this, you will need to switch to the AWS console to accept the VPC Peering request and finalize the network and security configurations before you can attach the NFS datastore.
Begin the procedure by identifying the specific SDDC you wish to peer. Next, proceed to the Storage tab where you'll discover the newly added self-service feature to commence the VPC Peering request. Click on the 'Create Peering Connection' button to input all necessary details and then select 'CREATE PEERING CONNECTION' to proceed.
As part of the request, it’s advisable to have the following information ready:
- AWS Account ID: This is the AWS Account ID containing the customer-managed VPC you intend to designate for VPC Peering. You can retrieve this information through the AWS Management Console.
- Customer VPC ID: This is the customer VPC intended for VPC Peering. This will be the VPC selected when deploying the Amazon FSx for NetApp ONTAP file system.
VMware will proceed to initiate a VPC Peering request from the customer’s SDDC to the customer-provided VPC. As a result, a single VPC peering connection in a “pending-acceptance” state will become visible in the Amazon VPC console, under “Peering connections”.
Accept VPC Peering (AWS Console)
Once the VPC Peering connection has been created, the customer must accept the VPC Peering request initiated by VMware. The request must be accepted in the customer’s AWS Management Console within 7 days. If the request is not accepted, the connection will expire, and the customer will need to delete this request before submitting a new one. It’s important to note that this step may not succeed if any issues are encountered, such as detecting overlapping CIDRs between the customer-provided VPC and the SDDC Logical Segments, HCX, Route Aggregation, and Connected VPC CIDRs.
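The CIDR conditions from the prerequisites list and the overlap check described in this acceptance step can be verified before the request is even submitted. The following pre-flight check is an added example, not code from VMware or AWS; the SDDC prefixes it uses are constructed sample values, and it conservatively flags any overlap with 172.31.0.0/16 rather than only an exact match.

```python
import ipaddress

# Constructed sample prefixes for one SDDC; none of these belong to a real deployment.
# These are the ranges a VPC Peering request is checked against for overlap.
SDDC_PREFIXES = {
    "management": ["10.2.0.0/16"],
    "logical_segments": ["192.168.1.0/24", "192.168.2.0/24"],
    "hcx": ["10.3.100.0/24"],
    "route_aggregation": ["10.4.0.0/16"],
    "connected_vpc": ["10.10.0.0/16"],
}
AWS_DEFAULT_VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")


def peering_cidr_problems(peer_vpc_cidrs, sddc_prefixes=SDDC_PREFIXES):
    """Return the CIDR conflicts that would block the peering request or its
    acceptance. An empty list means the peered VPC's CIDRs are acceptable."""
    problems = []
    for cidr in peer_vpc_cidrs:
        peer = ipaddress.ip_network(cidr, strict=False)
        # The peered VPC must not carry the AWS default 172.31.0.0/16 range;
        # any overlap with it is flagged, which is the conservative reading.
        if peer.overlaps(AWS_DEFAULT_VPC_CIDR):
            problems.append(f"{peer} overlaps the default VPC CIDR {AWS_DEFAULT_VPC_CIDR}")
        # No overlap is allowed with any prefix the SDDC already routes.
        for group, prefixes in sddc_prefixes.items():
            for prefix in prefixes:
                sddc = ipaddress.ip_network(prefix)
                if peer.overlaps(sddc):
                    problems.append(f"{peer} overlaps SDDC {group} prefix {sddc}")
    return problems


if __name__ == "__main__":
    for candidate in (["10.50.0.0/16"], ["10.2.128.0/17"], ["172.31.0.0/16"]):
        print(candidate, "->", peering_cidr_problems(candidate) or "OK")
```

Run it against the list of CIDR blocks attached to the customer VPC (a VPC can have more than one) with the prefixes taken from your own SDDC's networking settings.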
Once the connection has been accepted, VMware behind the scenes will configure the network parameters to route traffic from the SDDC to the peered VPC, with an automatic preference for the VPC Peering connection. Additionally, VMware also configures security groups and Network ACLs, ensuring that only NFS traffic is permitted across this private connectivity, therefore enhancing the network security.
VPC Configurations (AWS Console)
Before proceeding with this step, you must ensure that the state of the VPC Peering connection is reported as Active in the VMware Cloud on AWS Console.
Now it's the customer's responsibility to update the peered VPC security groups, NACLs, and associated route table. Firstly, the customer must configure the Network ACL and security groups before modifying any routes. This can be achieved by adding an entry to the inbound rules. This entry should specify the SDDC Management CIDR along with the appropriate NFS port numbers. With security measures in place, it is then recommended to enable routing by adding a new entry to the peered VPC Route table with the SDDC Management CIDR set as the destination and the newly established VPC Peering connection designated as the Target.
Security Group
The security group associated with the Amazon FSx for NetApp ONTAP Elastic Network Interfaces (ENIs) will need to be edited to allow for inbound NFS mount requests incoming from the SDDC Management CIDR Prefix.
VPC Route Table
The route table associated with the Amazon FSx for NetApp ONTAP ENI subnets will need to be edited to allow for traffic to reach the SDDC Management CIDR over the newly created VPC Peering connection.
Attach NFS Datastore (VMware Cloud on AWS Console)
After successfully establishing the VPC peering connectivity, proceed to the VMC Console to initiate the NFS datastore mounting. This process remains identical to the previous method involving the VMware Transit Connect, ensuring a seamless and consistent experience without any alterations.
Switching from vTGW to VPC Peering
Switching from vTGW to VPC Peering is a straightforward and, most importantly, non-disruptive process for our customers. This seamless migration consists of two key phases. Initially, it begins with a request to create and configure a VPC peering connection, which extends network connectivity between your Amazon FSx for NetApp ONTAP file system and the VMware Cloud on AWS SDDC. The steps for establishing this network connectivity align with those previously outlined in this guide. Customers should initiate a request and then accept the VPC Peering connection before applying the final security and network configurations. Once your VPC peering connection is Active, you can proceed to the switchover phase, which involves a simple update to the route table used by the Amazon VPC through which the file system is accessible. In this update, set the VPC Peering connection as the new target for the SDDC Management CIDR prefix, replacing the vTGW attachment. The switchover is seamless and non-disruptive to the workloads hosted on the NFS datastore.
Please review the following steps to summarize the necessary actions:
Phase 1: VPC Peering Preparation
- Identify the target SDDC and Amazon FSx for NetApp ONTAP file system
- Note the Amazon VPC associated with the file system
- Note the VPC route table currently utilizing the TGW attachment
Phase 2: VPC Peering Configuration
- Create VPC Peering (VMware Cloud on AWS Console)
- Accept VPC Peering (AWS Console)
Phase 3: Switchover
- Locate the Amazon VPC associated with the file system (AWS Console)
- Edit the route table of this Amazon VPC. Update the existing route entry of the SDDC Management CIDR, replacing the vTGW attachment with the VPC peering connection as the target (AWS Console)
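Both the initial VPC configuration (security group and route table entries for the SDDC Management CIDR) and the switchover step above come down to two checks on the peered VPC: the route for the Management CIDR points at the peering connection rather than the vTGW attachment, and the FSx ENI security group admits NFS from that CIDR and nothing broader. The following verification is an added example, not VMware or AWS code; the data is constructed to mirror the shape of `aws ec2 describe-route-tables` and `describe-security-groups` output, all ids are placeholders, and the NFS port list is an assumption you should align with the FSx for NetApp ONTAP documentation.

```python
import ipaddress

# Constructed sample data, shaped like `aws ec2 describe-route-tables` and
# `aws ec2 describe-security-groups` output; every id here is a placeholder.
SDDC_MGMT_CIDR = "10.2.0.0/16"              # assumption: the SDDC Management CIDR
PEERING_ID = "pcx-0123456789abcdef0"        # placeholder peering connection id
NFS_TCP_PORTS = (2049,)                      # assumption: extend with the ports FSx documents

ROUTE_TABLE = {"RouteTableId": "rtb-0placeholder", "Routes": [
    {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "10.2.0.0/16", "TransitGatewayId": "tgw-0placeholder",
     "State": "active"},
]}
SECURITY_GROUP = {"GroupId": "sg-0placeholder", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "10.2.0.0/16"}]},
]}


def route_target(route_table, mgmt_cidr=SDDC_MGMT_CIDR, pcx_id=PEERING_ID):
    """Classify the route for the SDDC Management CIDR in the peered VPC's route
    table: 'peering' (switchover done), 'tgw' (still on the vTGW attachment),
    'other' (unexpected target) or 'missing' (no route at all)."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != mgmt_cidr:
            continue
        if route.get("VpcPeeringConnectionId") == pcx_id:
            return "peering"
        return "tgw" if "TransitGatewayId" in route else "other"
    return "missing"


def nfs_rule_report(sg, mgmt_cidr=SDDC_MGMT_CIDR, ports=NFS_TCP_PORTS):
    """Check the FSx ENI security group: every NFS port must be reachable from the
    SDDC Management CIDR, and any source wider than that CIDR (e.g. 0.0.0.0/0)
    is reported so the rule can be tightened to the management prefix only."""
    mgmt = ipaddress.ip_network(mgmt_cidr)
    covered, too_broad = set(), set()
    for perm in sg["IpPermissions"]:
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if not mgmt.subnet_of(src):
                continue  # this rule does not admit the whole management prefix
            covered.update(p for p in ports if lo <= p <= hi)
            if src != mgmt:
                too_broad.add(str(src))
    return {"allows_nfs": covered == set(ports), "too_broad": sorted(too_broad)}
```

With the sample data `route_target(ROUTE_TABLE)` returns `"tgw"`, i.e. the switchover has not happened yet, while `nfs_rule_report(SECURITY_GROUP)` confirms NFS is allowed from the Management CIDR alone.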
Summary
The introduction of VPC peering support now enables customers to take full advantage of VMware Cloud on AWS in combination with Amazon FSx for NetApp ONTAP, all while avoiding the added expenses of AWS Transit Gateway data processing fees. This not only helps in reducing the total cost of ownership (TCO) but also extends the capabilities when operating within VMware Cloud on AWS.
Follow the VMware Cloud on AWS integration with Amazon FSx for NetApp ONTAP Deployment Guide for a more detailed walkthrough.