VMware Cloud on AWS Frequently Asked Questions

General

What is VMware Cloud on AWS?

VMware Cloud™ on AWS brings VMware’s enterprise-class Software-Defined Data Center products to the AWS Cloud with optimized access to AWS services. VMware Cloud on AWS integrates our compute, storage, and network virtualization products (VMware vSphere, vSAN™ and VMware NSX) along with VMware vCenter Server management, optimized to run on dedicated, elastic, bare-metal AWS infrastructure.

Where is VMware Cloud on AWS available today?

VMware Cloud on AWS is available in a variety of regions, listed in the documentation. Please note that some regions require customers to explicitly opt-in to link their own AWS account to SDDCs.

Where is VMware Cloud on AWS GovCloud (US) available?

VMware Cloud on AWS GovCloud (US) is available in the AWS GovCloud (US West) and AWS GovCloud (US East) regions.

What are the features included in VMware Cloud on AWS?

Please visit the VMware Cloud on AWS Roadmap page for the latest information on features.

What do you mean by “SDDC?”

SDDC stands for Software-Defined Data Center. A deployment of vSphere, vSAN, NSX, and more inside VMware Cloud on AWS is encapsulated into a unit we refer to as an SDDC, which is roughly equivalent to a vSphere cluster in the on-premises world.

Can workloads running in a VMware Cloud on AWS SDDC integrate with AWS services?

Yes. VMware Cloud on AWS SDDC is running directly on AWS elastic bare metal infrastructure, which provides high bandwidth and low latency connectivity to AWS services. Virtual machine workloads can access public API endpoints for AWS services such as AWS Lambda, Amazon Simple Queue Service (SQS), Amazon S3 and Elastic Load Balancing, as well as private resources in the customer's Amazon VPC, such as Amazon EC2, and data and analytics services such as Amazon RDS, Amazon DynamoDB, Amazon Kinesis and Amazon Redshift. You can also now enjoy Amazon Elastic File System (EFS) for fully managed file service to scale the file-based storage automatically to petabyte scale with high availability and durability across multiple availability zones and the newest generation of VPC Endpoints designed to access AWS services while keeping all the traffic within the AWS network.

How do I sign up for VMware Cloud on AWS?

Please contact your VMware account team, VMware Partner Network, AWS account team or AWS partner network. You can learn more about the onboarding process with our Quick Start.

How does VMware protect customer data in VMware Cloud on AWS?

VMware Cloud on AWS is designed with multiple layers of protection. The service inherits all the physical and network protections of the AWS infrastructure and adds dedicated compute and storage along with the security capabilities built into vSphere, vSAN and VMware NSX. All data transmitted between your customer site and the service can be encrypted via VPN. All management communications between the VMware Cloud on AWS service and your SDDCs are encrypted. Data at rest inside the SDDC is encrypted. The VMware Cloud on AWS infrastructure is monitored, regularly tested for security vulnerabilities, and hardened to enhance security.

What VMware SDDC products do I need to have on-premises for VMware Cloud on AWS?

Supported versions of VMware vSphere on-premises are required for hybrid cloud connectivity and migrations. Please refer to the VMware Compatibility Guide for more information.

Is there localized language support for the international regions?

VMware Cloud on AWS supports language and regional format settings in French, Spanish, Korean, Simplified Chinese, Traditional Chinese, German, Japanese, and English. These languages are supported in the VMware Cloud on AWS Console and in Cloud Service Platform features such as Identity & Access Management, Billing & Subscriptions, and some areas of the Support Center. You can change your display language before you log in to the VMware Cloud on AWS console or in your account settings. See How Do I Change My Language and Regional Format for more information.

How is VMware Cloud on AWS deployed?

VMware Cloud on AWS infrastructure runs on dedicated, single tenant hosts provided by AWS in a single account, provisioned through the VMware Cloud Console. There are different host instance types, such as I3.metal, I3en.metal, and I4i.metal, to choose from based on your sizing requirements. Sizing and differences between the instance types can be found in our brief on SDDC host types.

Each host can run many virtual machines (tens to hundreds depending on their compute, memory, and storage requirements). Clusters can range from a minimum of two (2) hosts up to a maximum of sixteen (16) hosts per cluster. A single VMware vCenter Server is deployed per SDDC.

While VMware Cloud on AWS customers need to have an AWS account associated with their deployments, customers do not need to provision hardware directly with AWS. Provisioning and configuration is done automatically through the VMware Cloud Console.

Pricing, TCO, and Subscriptions

How can I purchase VMware Cloud on AWS services?

Please contact your VMware account team. You can purchase either Subscription Purchasing Program (SPP) credits or Hybrid Purchasing Program (HPP) credits and redeem those credits on the service. Please refer to the SPP Program Guide and/or HPP Program Guide. You can also use your credit card or pay by invoice for the service.

What currencies are supported for purchasing VMware Cloud on AWS?

USD, GBP, EURO, JPY, AUD, and CNY are supported by VMware Cloud on AWS.

How will I be charged for VMware Cloud on AWS services?

This service is delivered, sold, and supported through VMware, VMware Partners, AWS, and VMware Managed Service Providers. You will get a single bill that includes the total charges for using this service, including the VMware SDDC software and the underlying AWS resources that were provisioned for VMware Cloud on AWS SDDCs.

One of the strengths of VMware Cloud on AWS is the proximity to native AWS services. However, any additional services that are provisioned by customers using the AWS Console, AWS APIs, or other orchestration tools outside of VMware Cloud on AWS will be billed by AWS directly.

How is VMware Cloud on AWS priced?

VMware Cloud on AWS is available on-demand or in 1- and 3-year subscriptions. Please visit the pricing page for the latest information.

When do charges for VMware Cloud on AWS service start?

Charges begin when you provision an SDDC.

When do charges for VMware Cloud on AWS service stop?

Charges end when all SDDCs have been deleted.

How is the Single Host SDDC starter configuration priced?

Please refer to the Single Host SDDC FAQ section of this document, as well as the pricing page, for more details.

Can I change the region or host type for a subscription?

Flexible Subscriptions can be changed (see below). Other types of subscriptions are limited to the configuration set when the purchase was made. Please ensure that the host types, counts, and regions covered by the purchase agreements are what you intend.

What is Flexible Subscription?

The “Flexible Subscription” for VMware Cloud on AWS allows customers to exchange their VMware Cloud on AWS Flexible Subscription for any new VMware Cloud on AWS term subscription. Customers can terminate an existing flexible term subscription (1- or 3-year commitment) early and transfer the remaining value to a new 1- or 3-year subscription.

How can I purchase a Flexible Subscription?

Flexible Subscription can be purchased through the VMware Cloud console. Please work with your account team to determine if Flexible Subscription is right for you. Flexible Subscriptions are available via all purchasing paths except Managed Service Providers.

Which instance types are available as Flexible Subscriptions?

All instance types are available as Flexible Subscriptions where they are available.

How do I request an exchange for Flexible Subscription?

You start the exchange via the VMware Cloud Console and a support team member will follow up.

Can I exchange partial hosts in my Flexible Subscription?

You must exchange all the hosts on your Flexible Subscription.

Can I exchange my standard Subscription for a Flexible Subscription?

Only Flexible Subscriptions can be exchanged.

Can I receive a refund for an exchange of my Flexible Subscription?

The credit you receive can only be used toward purchasing a new VMware Cloud on AWS subscription.

What will happen to my workloads when I exchange a Flexible Subscription?

The exchange only impacts your financial commitments; there will be no direct impact on workloads. However, you may be charged an on-demand rate if you have workloads running that are not covered by your new subscription.

What will happen to my Flexible Subscription when I exchange it?

Your original Flexible Subscription will end.

The leftover value on my Flexible Subscription is higher than the value of the new VMware Cloud on AWS subscription that I am planning to purchase. Will I get credits back?

No, all leftover value will be applied towards your new subscription purchase. We cannot refund credits.

Can I change the host count or type for a purchased subscription?

You cannot change any parameters in a standard subscription after purchase. Before purchasing, please confirm that you select the correct host instance type, count, and regions. You can always purchase additional subscriptions to increase host count.

What are the payment options for 1- and 3-year subscriptions?

You must pay up front in full for 1- or 3-year subscriptions or through monthly installments for 1- and 3-year term commitments.

How do I create a subscription for 1- and 3-year subscription options?

After you land on the VMware Cloud on AWS Console, you can click on the “subscription” tab in the navigation bar to create a subscription. Once the subscription is created, you can start enjoying the discounted rate for the number of hosts that you purchase. Please note that the subscription is charged upfront or monthly to your payment method.

How long does it take for a 1- or 3-year subscription to activate? How will I know the subscription is active?

It takes up to 30 minutes for a subscription to activate, and the activation will be reflected in the Subscription Status.

Do 1- and 3-year subscriptions auto-renew at the end of the term?

No, subscriptions do not auto-renew. Customers can purchase additional subscriptions at any time.

Can customers cancel a 1- or 3-year subscription?

Subscriptions cannot be cancelled before the subscription term expires.

Do any resources get provisioned once I purchase a 1- and 3-year subscription?

Provisioning is independent of purchasing a subscription. A subscription is simply a financial commitment.

Do I get a refund for unused capacity under my 1- or 3-year subscription?

No, we cannot refund unused credits.

Can I purchase additional 1- and 3-year subscriptions? Will additional subscriptions align their start and end dates (co-term)?

You may always purchase additional subscriptions. Each subscription will have its own start and end date (no co-termination).

Can I provision an SDDC with more hosts than the number of hosts in my 1- or 3-year subscription?

Yes. This is considered overage usage and all hosts over the subscription limit will be billed with an on-demand rate.

How is overage calculated? What is the overage rate? When will I be billed for overages?

VMware takes the number of hosts used in your organization per hour in each region and subtracts the total committed hosts in all your subscriptions for each specific region. The remainder is the overage. Overage usage is billed at on-demand rates per VMware Cloud on AWS pricing. Overages are billed in arrears and will be reflected in your invoice, which you receive after your billing date.

What are my financing options for subscriptions?

You can either pay upfront and in full or monthly. In both financing options, the commitment is for either 1- or 3-year terms.

Can I cancel a monthly billed subscription?

Subscriptions are not cancellable; you are liable for either 1- or 3-year full term payments.

I bought a 3-year monthly billed subscription, but my CPP credit fund will expire after 1 year, what should I do?

Please reach out to your VMware Account Team or Customer Success representative to ensure you have enough credits for the appropriate 1 or 3-year commitment duration.

How is the $2000 Prepaid Credit determined and how will I know if I am exempt from the charge?

The upfront $2000 Prepaid Credit is part of our fraud-prevention policy. The credit is then applied against the charges the user incurs, either at the hourly on-demand rate for the service or toward an annual subscription. This Prepaid Credit is waived at VMware's discretion based on the user's current level of engagement with VMware. Users will be notified of any waiver affecting their requirement to have a Prepaid Credit when they are about to deploy their first SDDC.

I have a Flexible Subscription with I3.metal/I3en.metal instance types. Can I use my leftover term to replace those hosts with the new I4i.metal type?

You can exchange an existing Flexible Subscription for a new standard subscription with I4i hosts.

I have a standard subscription with I3.metal/I3en.metal instance types, but I'd like to use the new I4i instance types? What are my options?

The terms of a standard subscription cannot be changed, so you cannot exchange the host types. However, you can purchase new subscriptions with the instance types and regions you desire.

Credit Card Payment

I used a credit card to sign up for the service. What is the $2000 USD charge used for?

$2000 USD is used as credit for your future use.

I used a credit card to sign up for the service. When will I be charged $2000 USD?

You will be charged $2000 USD once you deploy your first SDDC. You will not be charged for any subsequent SDDC deployment.

I used a credit card to sign up for the service. What currency will I be charged in?

You will be charged in the currency that corresponds to your billing address in your My VMware account profile.

I used a credit card to sign up for the service and was charged $2000 USD. What can I use this credit for?

You can use this credit only towards VMware Cloud on AWS usage; the credit expires after 60 days and is only redeemable through VMware Cloud on AWS.

I used my credit card to sign up for the service and was charged $2000 USD, can I get a refund?

The charge is non-refundable, and the credit is valid for 60 days.

I’m a credit card customer and I transitioned to Subscription Purchase Program (SPP) credits, what do I need to do?

You can change your payment method in the CSP portal as described here. Please note that you will be charged on the payment method that was defaulted when the bill was generated.

I signed up last year using a credit card. Will I be charged when I deploy an SDDC?

Yes, you will be charged when you deploy your first SDDC.

I want to change my payment method to credit card from SPP funds. Will I be charged?

You will only be charged if your payment type is credit card and this is your first SDDC deployment.

Can the 60-day timeframe be extended since I was unable to utilize the $2000 USD charge?

VMware cannot extend the 60-day period.

I have not received the invoice for the $2000 USD charge, whom do I engage to get the invoice?

Please reach out to our support team via the VMware Cloud on AWS console.

Which credit/debit cards can I use to purchase Single Host?

You can use your personal or corporate Mastercard, Visa, American Express, Discover, JCB or Diners Club credit cards. Please note, however, that Discover, JCB and Diners Club are only supported in certain countries. You may also use a debit card if it is Mastercard, Visa, or American Express.

How do I add a credit card as a payment method?

You can add a credit card during the initial onboarding or add it via the Cloud Console.

Will my card be charged any amount when adding the card as a payment method?

No. We verify to ensure your credit card is valid, but the validation is done with a zero-dollar value authorization.

Can I use a credit card with non-U.S. billing address?

Yes, you can.

What is the largest amount I can pay by credit card?

Your credit card limit and your payment processor determine the size of your transactions. The maximum amount you can spend in a single transaction is $25,000. Please contact your issuing bank for more information about your credit limit. More information is available here.

Can I purchase 1- or 3-year subscriptions using my credit card?

1- or 3-year subscriptions cannot be purchased with credit cards. For exceptions please contact your VMware Account Team or VMware Support.

Commerce

What is a Seller?

A Seller is the Billing Account for an org; in simpler words, the company that sends the bill to the customer. It indicates which legal entity or person is identified as the Seller of Record for a specific product to the end consumer. The Seller of Record also often assumes the responsibility for accounting for a transaction tax on that particular transaction. Sellers have their own set of commerce attributes that may or may not be unique to that seller, such as Payment Method, Terms of Service, Offer catalog, Pricing, Regions, Currencies accepted, and Billing engines with different invoice templates and billing business rules.

What aspects does the seller concept apply to?

An organization can have two sellers today: AWS and/or VMware. They can choose the seller while creating new subscriptions and SDDCs.

Would customers need a multi-org setup after enabling two sellers?

More than one org is not needed to support multiple Sellers of Record and it is not encouraged to have more than one org with VMware Cloud on AWS SDDCs.

How do I know a product offering is supported by a seller?

A list of VMware product offerings supported by AWS and VMware within the VMware Cloud Console or elsewhere on a VMware property is available here.

Is the 'Multiple Sellers in one org' feature available for all customers?

It is available for any VMware Cloud on AWS commercial customer that has two sellers established. Please consult with your account team prior to setting up and using multiple sellers and have them contact product management resources as necessary.

Can the customers move their subscriptions from one seller to another?

No. This is not possible.

Can a customer convert VMware SPP Funds to EDP Credits and vice versa?

No. This is not possible.

Is creating a fund equivalent to creating a subscription?

No, adding a fund and creating a subscription are two separate, disjoint activities. Customers should not assume that adding new funds will be translated into subscriptions. They need to create subscriptions in the VMware Cloud Console.

Can one seller's subscription cover other sellers too?

No, a subscription can only cover hosts within that seller. Example: you have 2 SDDCs with 4 hosts each, 1 with VMware as the seller and 1 with AWS as the seller, and a three-year term subscription for four hosts with VMware as the seller. In that case, the 4-host SDDC with AWS as the seller would be charged on demand.

Can a single SDDC have 2 Sellers?

No. An org can have 2 sellers, but each SDDC under the org can have only 1 seller.

How do distributors purchase VMware Cloud on AWS hosts by SKU?

Please engage with your VMware account team, select the appropriate VMware Cloud on AWS subscription from the Partner Pricebook and then initiate your order through the account team once your reseller agrees to the terms you define. Your end customer decides when they are ready to consume the service and ready to create a Software-Defined Data Center (SDDC).

As a distributor, do I need SPP Credits or a contract to purchase these SKUs?

No. You can pay for the SKUs directly for a designated reseller and end customer. The end customer’s email address will be used to provision the service, and an email invitation will be sent to onboard and start the service.

Why would a distributor buy VMware Cloud on AWS hosts through this SKU-based transactional motion?

If you want to start your cloud journey but are not ready to sign a contract, purchase a large volume, or make a significant commitment of time and funds upfront, you can start small (with a 2-Host 1-year subscription) purchased by SKU and scale as needed later.

Like purchasing vSphere+, you can now buy VMware Cloud on AWS by SKU without signing a contract.

When does the subscription start if I purchase VMware Cloud on AWS hosts through SKU?

The subscription starts once the onboarding email invitation is sent to the distributor’s designated end customer’s email address.

As an end customer, what if I start my service two months after the distributor purchases a 1-year subscription for me?

In that case, as an end customer, you start the service with only ten months left on your 1-year subscription. The subscription always starts on the day the onboarding email invitation is sent.

How does the billing work for SKU-based transactional motion?

Subscriptions entitle the end user to a certain number of host hours. They are billed within the first 30 days of the purchase. Host hour usage over the purchased subscription and non-host charges such as data transfer, elastic IP, EBS, vSAN, or custom networking configuration charges are billed using a 30-day billing cycle in arrears.

Who gets billed when VMware Cloud on AWS hosts are purchased through SKU-based transactional motion?

The distributor is the one who will be billed for the subscription they purchased for the designated reseller and end-user pair. The distributor receives the data to bill the reseller, who uses the report to enable billing to the end customer.

How do distributors purchase VMware Cloud or VMware Cloud Universal through this new commerce motion?

The distributor would need to engage with the VMware account team to sign a Commitment Based Contract (CBC) with VMware. The distributor would need to provide the following details: Type of CBC (VMware Cloud Standalone or VMware Cloud Universal), Reseller & customer details, required product offerings, and CBC term. All the discounts are negotiated upfront between VMware and the distributor and are applicable during the Commitment Based Contract (CBC) tenure. For this new commerce motion, the distributor would need to mention the payment type as “PurchasePay” to the account team.

Does the distributor need to purchase SPP Credits to leverage this new commerce motion?

No, SPP credits do not need to be purchased to take part in this new commerce motion.

How much does the distributor need to pay VMware on the day the Commitment Based Contract (CBC) is signed?

No amount is due on the day the CBC is signed.

Why would a distributor buy VMware Cloud or VMware Cloud Universal this way?

Distributors will receive the opportunity to enable a significant volume discount for a specific reseller/end customer combination. The distributor would commit to a budget while allowing the customer the flexibility in consuming what they need when they need it without any renegotiation.

With this new Commerce motion, the distributor is not required to park the money upfront and the distributor needs to pay monthly only for the VMware Cloud offerings purchased by the end customer.

Can the distributor sign multiple Commitment Based Contracts (CBC) with VMware?

A Commitment Based Contract (CBC) has a 1:1:1 relationship between the distributor, reseller, and end customer. VMware does not support a wholesale model, i.e., a distributor cannot sign a single Commitment Based Contract (CBC) and use it across a pool of resellers and end customers. For each new end customer, the distributor will need to sign a new CBC with VMware for the associated reseller. For “n” distinct end customers, the distributor will need to sign “n” CBCs with VMware.

A distributor onboarded a customer using the VMware Cloud on AWS SKU-based transactional commerce motion. Can the distributor transition the customer to a Commitment Based Contract (CBC)? Will there be any impact on the customer's workloads?

We support seamless migration from SKU-based transactional commerce motion to Commitment Based Contracts (CBC). There would neither be any system downtime nor any impact on the customer’s workloads during the migration.

How does the customer purchase the VMware Cloud offerings via this new commerce motion?

The customer self-serves all purchases directly from the console. The customer is the owner of the environment/org and can create SDDCs, add/remove hosts, and oversee Identity & Access Management (IAM).

How does billing work?

The customer receives an onboarding email when the Commitment Based Contract (CBC) is signed. The billing starts only when the customer purchases subscriptions or deploys SDDC. The distributor will be charged monthly by VMware based on the associated customer's consumption of VMware Cloud offerings.

What happens when the distributor signs the Commitment Based Contract (CBC) with VMware but the customer does not use the onboarding link for three months? Will the distributor get any bill from VMware for these three months?

No, since the customer has not onboarded, the distributor will not be billed. However, the Commitment Based Contract (CBC) would still be active and the tenure of the CBC would be reduced by 3 months.

Who gets billed?

The distributor will be billed on the 10th of every month using the proforma process by VMware based on the associated customer's consumption of VMware Cloud offerings. The distributor receives data to then bill the reseller, who in turn uses the report to enable billing of the end customer. Distributors and resellers can set up their own prices downstream to get the desired margins. VMware has no visibility into the margins of the distributor or reseller.

Sizing Tool

What is the VMware Cloud on AWS Sizing and Assessment Tool?

You can use the Sizing and Assessment Tool to size your workloads for VMware Cloud on AWS. The tool's sizing logic accounts for factors including storage, compute, memory and IOPS to provide you with the most optimized server and SDDC recommendation for VMware Cloud on AWS. Once you have completed sizing your workloads, you can calculate your total cost of ownership (TCO) for these workloads and compare it with an on-premises virtual environment. The tool will calculate the number of hosts and clusters required to run your workload on a VMware Cloud on AWS SDDC.

How do I access the VMware Cloud on AWS Sizing and Assessment Tool?

You can access the Sizing and Assessment Tool without any credentials. However, to complete the TCO calculations, you must register with an email address and use those credentials to log into the tool.

How many workload profiles can I create and customize in the Sizing and Assessment Tool?

You can create between 1-10 workload profiles to simulate a mixed workload environment. We have included workflows for some common workloads such as VDI, databases and general-purpose workloads to simplify this process.

What factors do you consider for sizing VMware Cloud on AWS?

In addition to the inputs available in the tool, the factors that we consider are:

  • CPU – CPU headroom in steady state and in failure
  • IOPS – IOPS per disk group, IO profile, IO amplification
  • Capacity – Slack space, swap space, deduplication, compression, disk formatting, base 10 to 2
  • Others – FTT, N+1, RAID1, RAID5, RAID6

What server profiles does the Sizing and Assessment Tool recommend?

Currently, the tool recommends "Fixed Server" profile based on the I3, I3en and I4i instance types. In the future, as VMware Cloud on AWS supports more instance and profile types, the recommendation will account for this and recommend the most optimized profile and instance type for your environment.

How does the resource utilization plan impact my sizing exercise?

In a real-world deployment, not all VMs run at the same utilization. The resource utilization plan takes this into consideration by letting you allocate different percentages of utilization to groups of VMs running your applications. By using the resource utilization plan (RUP), you can modify the overcommit in the advanced settings tab, located in the additional information section of the workload profile. Modify the values to match your desired consolidated state more closely (e.g., setting the % VMs value to 100% and "run at" to 80% means that you anticipate a net cluster-wide utilization of 80%).

How do I select I/O profiles which are not listed on the Sizing and Assessment Tool?

The IO profiles are tied to underlying VMware Cloud on AWS performance data. To get the most optimized performance, select the ratio closest to the ratio that you require.

What are the different settings available in the Sizing and Assessment Tool?

Cluster settings:

  • CPU headroom: cores reserved in the event of a spike in workload activity to avoid latency. This option allows you to reserve cores in steady state as well as during failures.
  • Host failure scenario: the equivalent of an N+1 scenario, where the logic accounts for an additional host for redundancy.

Advanced settings:

  • Resource utilization plan (RUP): refer to the question above on "resource utilization plan" and how it impacts your sizing exercise.
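The sizing factors listed in this section (CPU headroom, N+1 host failure, FTT and RAID overhead, slack space, swap space, deduplication, base-10 to base-2 conversion, and the RUP net utilization) can be followed through end to end. The block below is an added worked example, not the Sizing and Assessment Tool's own logic: the host profile, overhead factors, 16-host cluster maximum, and the workload profile are illustrative assumptions (the cluster limits come from the deployment answer earlier on this page; the real tool derives its figures from VMware Cloud on AWS performance data).

```python
"""Worked SDDC host-count estimate from the sizing factors listed above.

Added example: not the Sizing and Assessment Tool's own logic. Host specs,
overhead factors and the workload profile are illustrative assumptions.
"""
import math

# Assumed host profile (illustrative; see the SDDC host types brief for real figures)
HOST = {"cores": 36, "ram_gib": 512, "raw_storage_tb": 15.0}

# vSAN protection-policy overhead: (RAID level, FTT) -> raw capacity per usable unit
RAID_OVERHEAD = {("RAID1", 1): 2.0, ("RAID5", 1): 4 / 3, ("RAID6", 2): 1.5}

# Raw disk is quoted in base-10 TB; guest disks are sized in base-2 GiB/TiB
TB_TO_TIB = 1e12 / 2**40

HOSTS_PER_CLUSTER_MAX = 16   # per "How is VMware Cloud on AWS deployed?"
HOSTS_PER_CLUSTER_MIN = 2


def usable_capacity_tib(raw_tb, raid="RAID5", ftt=1, slack=0.25, dedupe_ratio=1.0):
    """Usable vSAN capacity per host after slack space, RAID overhead and dedupe (assumed values)."""
    raw_tib = raw_tb * TB_TO_TIB
    after_slack = raw_tib * (1.0 - slack)            # slack space kept free for rebuilds
    return after_slack * dedupe_ratio / RAID_OVERHEAD[(raid, ftt)]


def hosts_needed(profiles, host=HOST, raid="RAID5", ftt=1, cpu_headroom=0.15,
                 vcpu_per_core=4.0, n_plus=1, slack=0.25, dedupe_ratio=1.0):
    """Estimate hosts and clusters for a list of workload profiles.

    Each profile has: vms, vcpus, ram_gib, disk_gib, pct_vms, run_at.
    pct_vms * run_at is the RUP net utilization, e.g. 100% of VMs running
    at 75% means 0.75 of the configured CPU and memory demand.
    """
    cpu_cores = mem_gib = storage_gib = 0.0
    for p in profiles:
        util = p["pct_vms"] * p["run_at"]
        cpu_cores += p["vms"] * p["vcpus"] * util / vcpu_per_core   # vCPU:core overcommit
        mem_gib += p["vms"] * p["ram_gib"] * util
        # Swap space: vSAN keeps one swap object per VM sized at its configured RAM
        storage_gib += p["vms"] * (p["disk_gib"] + p["ram_gib"])

    usable_cores = host["cores"] * (1.0 - cpu_headroom)   # headroom reserved for spikes
    by_cpu = math.ceil(cpu_cores / usable_cores)
    by_mem = math.ceil(mem_gib / host["ram_gib"])
    per_host_tib = usable_capacity_tib(host["raw_storage_tb"], raid, ftt, slack, dedupe_ratio)
    by_storage = math.ceil((storage_gib / 1024) / per_host_tib)

    demand_hosts = max(by_cpu, by_mem, by_storage)
    # Each cluster carries its own N+1 spare, so split demand across clusters first
    clusters = max(1, math.ceil(demand_hosts / (HOSTS_PER_CLUSTER_MAX - n_plus)))
    total = max(demand_hosts + n_plus * clusters, HOSTS_PER_CLUSTER_MIN * clusters)
    return {"hosts_by_cpu": by_cpu, "hosts_by_memory": by_mem,
            "hosts_by_storage": by_storage, "clusters": clusters, "hosts": total}


# Constructed workload profile: 200 general-purpose VMs, all of them running at 75%
SAMPLE_PROFILES = [
    {"vms": 200, "vcpus": 4, "ram_gib": 16, "disk_gib": 200, "pct_vms": 1.0, "run_at": 0.75},
]

if __name__ == "__main__":
    print(hosts_needed(SAMPLE_PROFILES))
```

With the constructed profile the storage dimension is the binding constraint (6 hosts) even though CPU and memory each fit in 5, and the N+1 spare brings the cluster to 7 hosts; scaling the same profile to 2,000 VMs exceeds one 16-host cluster and the estimate spreads the N+1 spare across four clusters.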

Industry & Regulatory Compliance

What compliance certifications has VMware Cloud on AWS achieved?

VMware Cloud on AWS has been independently verified to comply with many leading compliance programs, including but not limited to ISO 27001, ISO 27017, ISO 27018, SOC 2, HIPAA, PCI-DSS, OSPAR, and IRAP. Check the VMware Cloud Trust Center for more information (filter for ‘VMware Cloud on AWS’ and ‘VMware Cloud on AWS GovCloud’ under Services).

Are VMware Cloud on AWS SDDCs compliant with PCI-DSS (PCI)?

The VMware Cloud on AWS cloud platform has successfully been assessed to meet PCI compliance as a level 1 service provider.

What regions are available to run PCI-compliant workloads on VMware Cloud on AWS?

Regions that can host PCI-compliant SDDCs can be found in the documentation.

If a customer migrates their VMs into a PCI-compliant SDDC, does that mean that their VMs, applications, and workloads are automatically also PCI-compliant?

No. The whitepaper “Migrating PCI Workloads to VMware Cloud on AWS” illustrates how the Shared Responsibility Model relates to PCI compliance. The responsibilities are shared between VMware and Customers. VMware handles PCI compliance of the VMware Cloud on AWS cloud service and cloud platform. Similarly, customer workloads running in VMware Cloud on AWS must pass an entirely separate PCI assessment solely managed by the customer. Customers must hire a Qualified Security Assessor (QSA) to assess and verify their PCI SDDC configuration and must verify that the workloads are PCI-compliant.

Can a standard SDDC be upgraded to a PCI SDDC?

Yes, a standard SDDC can be retrofitted with PCI compliance hardening through the SDDC settings.

What is the difference between a standard SDDC and a PCI SDDC?

PCI SDDCs will have the following major differences from a standard SDDC to prevent non-compliant services from impacting their PCI compliance status:

  • SDDC components (VMware vCenter Server, vSAN, VMware ESXi) are “hardened” based on VMware security standards incorporated from GovCloud. VMware NSX appliances are security hardened using VMware NSX Hardening guidelines.
  • PCI Customers must use the local VMware NSX Manager to manage SDDC networking and security. This is accomplished by disabling the Networking & Security Tab in the VMware Cloud Console.
  • Although customers can use non-compliant VMware Cloud on AWS Add-ons during the setup of their SDDC, our PCI auditors determined that customers must disable VMware HCX and Site Recovery Add-ons (These Add-ons are not currently PCI-compliant and must be disabled by the customer administrator in the VMware Cloud Console).
  • The vRealize Automation Cloud Add-on service is also not PCI-compliant and will not work on PCI SDDCs.

Can I use VMware HCX and/or vRealize Automation Cloud in a PCI-compliant SDDC?

VMware Cloud implementations of VMware HCX and vRealize Automation Cloud are not PCI-compliant.

Can I use VMware Site Recovery (VSR) in a PCI-compliant SDDC?

Yes. Information about the VMware Site Recovery PCI compliance is available in the VMware Cloud Trust Center.

Can a PCI-compliant SDDC be deployed on any host type?

Yes. All PCI configurations are done at the SDDC layer and are independent of the underlying physical hosts.

Which auditor is VMware using for the PCI Audit?

Crowe is the VMware Cloud on AWS PCI QSA.

Will customers need to buy additional VMware Cloud on AWS licenses to deploy a PCI-compliant SDDC?

No, the published pricing for bare metal VMware Cloud on AWS hosts is all that is required from a cost perspective. There are no additional charges for PCI-DSS SDDCs.

How many SDDCs will customers need for Development, Production, and PCI workloads?

System sizing and design is ultimately a customer-driven activity, though VMware can help. Many organizations choose to limit the scope of compliance and compliance audits by deploying separate SDDCs for PCI-DSS workloads.

Will PCI-compliant SDDCs be upgraded like standard SDDCs?

Yes, patching and upgrading will be automatically handled by the VMware Operations team via standard lifecycle processes.

Can APIs and/or automation like PowerCLI or Terraform be used to configure a PCI SDDC?

Yes. Terraform and APIs can be used to configure a PCI SDDC.

If business requirements change can an SDDC be reverted to the non-compliant configuration?

Yes, but not through the VMware Cloud console. Please contact VMware Support.

How does a customer log into the local VMware NSX Manager to create network segments, manage DFW micro-segmentation rules, etc.?

Customers can use the VMware NSX Manager URL and local VMware NSX account credentials. That information is found in the SDDC Settings tab.

What connectivity differences are there in a PCI-compliant SDDC?

All the same connectivity options are available to a PCI-compliant SDDC as with a standard SDDC.

What are the steps for a customer to provision a PCI-compliant SDDC from the VMware Cloud console?

A customer needs to perform the following steps:

  • Identify the Organization where a PCI SDDC will be created.
  • Create a ticket with VMware Support to request enabling PCI for the Organization.
  • Confirm that the change has been implemented by VMware.
  • Deploy a new SDDC.
  • Prepare the SDDC to host PCI workloads: configure a network connection to on-premises.
  • Create firewall rules on the Management Gateway Firewall to enable access to the local VMware NSX Manager and validate that access was set up correctly.
  • Disable Networking & Security Tab using the Components Control section of the VMware Cloud console.
  • Deactivate HCX components and add-ons if they were configured.
  • Deactivate vRealize Automation Cloud components if they were configured.
  • Complete successful customer PCI audit with a QSA.
  • The customer QSA will confirm when customers can start running PCI-compliant VMs, applications and production cardholder data.

How can I request approval for penetration testing applications and systems in my SDDC?

VMware has a comprehensive vulnerability management program that includes third-party vulnerability scanning and penetration testing. VMware conducts regular security assessments to maintain VMware Cloud on AWS compliance programs and continuously improve cloud platform security controls and processes. While the requirements to conduct penetration testing vary by industry compliance regulations, customer environments benefit greatly from penetration testing to measure the security effectiveness of their virtual infrastructure (SDDCs) and applications. To notify VMware that you plan to conduct penetration testing, please use this Request Form to provide us with relevant information about your test plans. VMware will respond with an approval by email. Penetration testing must be conducted in accordance with our Penetration Testing Rules of Engagement.

Support

Where can I take advantage of the chat support feature?

In-service chat support is available for all features of VMware Cloud on AWS, including hybrid solutions such as VMware vCenter Server Hybrid Linked Mode and VMware vCenter Server Cloud Gateway. Chat support is available 24x5 in English across all global regions but is not currently available for on-premises-only solutions.

Can I set my own notification preferences in VMware Cloud Console?

Yes, please navigate to the left menu in the VMware Cloud Console and click “Notification Preferences” to pick and choose which notifications you’d like to receive. Ensure you click “Save Changes” when satisfied with your selections.

Who can control my notification preferences?

For now, these are enabled at the user level: each user is responsible for setting their own notification preferences, and only you have control over your own settings. Changes you make within your own VMware Cloud Console will not affect other users.

What roles do I need to be able to set my notification preferences?

To access the Notification Preferences, you must be a part of the associated Organization as either an Organization Owner or Organization User. You must also be assigned one of the following Service Roles:

  • VMware Cloud Admin
  • VMware NSX Cloud Admin
  • VMware NSX Cloud Auditor

Single Host SDDC

What is the Single Host SDDC offering?

With the new time-bound Single Host SDDC starter configuration, you can now purchase a single host VMware Cloud on AWS environment with the ability to seamlessly scale the number of hosts up within that period, while still retaining your data. The service life of the Single Host SDDC starter configuration is limited to 60-day intervals. This single host offering applies to customers who want a lower-cost entry point for proving the value of VMware Cloud on AWS in their environments.

How is Single Host SDDC priced?

Single Host SDDC is available on-demand only at $7/host/hour. Please visit the pricing page for the latest information.

Where is the Single Host SDDC available today?

The Single Host SDDC is available across all supported regions.

What are the features included in the Single Host SDDC?

Features that do not require more than one host are included in the Single Host SDDC offering, including hybrid operations between on-premises and VMware Cloud on AWS. However, any operations or capabilities that require more than one host will not work; examples are High Availability (HA) and stretched clusters across two AWS Availability Zones. Because there is only one host, the vSAN failures-to-tolerate setting is FTT=0, meaning that if your host fails, your data will be lost. VMware does not currently offer patching or upgrades to a Single Host SDDC.

Single Host SDDC highlights:

  • Accelerated onboarding
  • Migration capabilities between on-premises and VMware Cloud on AWS, using VMware HCX for large-scale rapid migration, VMware vMotion for live migration and lastly cold migration.
  • Seamless high-bandwidth, low latency access to native AWS services
  • Disaster Recovery: Evaluate VMware Site Recovery, the cloud-based DR service optimized for VMware Cloud on AWS. VMware Site Recovery is purchased separately as an add-on service on a per-VM basis.
  • Expert support: Single Host SDDC receives the same unlimited 24/7 VMware Global Support Services as well as 24/5 live chat support
  • Hybrid Linked Mode support: Single logical view of on-premises and VMware Cloud on AWS resources
  • All-Flash vSAN storage: All Flash vSAN configuration, using flash for both caching and capacity, delivers maximum storage performance.

I am a partner of VMware. Can I use Single Host SDDC as well?

Of course! Please log in to Partner Central for more details. If you are a Technology Alliance Partner, please scroll down to the Third-Party Technology Solutions FAQ section.

How many Single Host SDDCs can I provision?

You may provision no more than one Single Host SDDC at a time. For selected partners, you can have up to two SDDCs at a time.

Can I run a Single Host SDDC indefinitely?

A Single Host SDDC will be deleted after 60 days. All data on the SDDC will be lost. You can scale up a Single Host SDDC into a 2-Host SDDC and retain all your data. A 2-Host SDDC is not time-bound.

Can I extend the lifetime of my Single Host SDDC beyond 60 days?

No, but you may create a new Single Host SDDC if you are under your Single Host SDDC limit, and use migration techniques such as Cross-vCenter vMotion to move workloads.

Can I add hosts to a Single Host SDDC?

Yes, a Single Host SDDC can be non-disruptively scaled up to a 2-Host SDDC at any point.

Can I upgrade from Single Host to a production SDDC?

Yes.

How do I scale up to a production SDDC?

You can simply click on the "Scale Up" button to scale up to the standard production SDDC service. Your data will be retained. If you want to contact our account team, please reach out to us via the chat service.

Do I have to connect my Single Host SDDC to an AWS account?

It is possible to defer account linking for Single Host SDDCs for up to 14 days, but it is not possible to scale your Single Host SDDC to a production configuration without connecting to an AWS account.

Can I convert my standard 2-Host SDDC into a Single Host SDDC?

No, a Single Host SDDC must be created as a single host. You cannot scale down from a 2-Host to Single Host SDDC.

What support is available for the Single Host SDDC?

Single Host SDDC receives the same unlimited 24/7 VMware Global Support Services as well as 24/5 live chat support via the VMware Cloud on AWS Console and via vSphere Client.

What service level agreement (SLA) do you offer for a Single Host SDDC?

We offer no SLA for the Single Host SDDC. In case of a component or host failure, you may lose your data.

How can I purchase the Single Host SDDC Offering?

There are three payment methods available for the service. You can choose to pay for the service via credit card, by invoice, or you can purchase Subscription Purchasing Program (SPP) credits or Hybrid Purchasing Program (HPP) credits and redeem those credits on the service.

2-Host SDDC Cluster

What is the 2-Host cluster capability?

The 2-Host cluster capability enables a customer to provision a persistent production cluster with just two hosts in VMware Cloud on AWS. This offering is a great place to start for customers who do not need the full 3-host Production cluster due to smaller workloads, or who wish to prove the value of VMware Cloud on AWS for a longer duration than the Single Host SDDC can offer today.

How is the 2-Host cluster priced?

The cost per host is the same as the 3+ host pricing. For a cluster, this means that the 2-Host cluster results in a 33% lower cost of entry with a persistent, full production environment.

Does the 2-Host cluster support Custom Core Counts?

Yes, secondary 2-Host clusters within existing SDDCs can use custom core counts.

In which regions is the 2-Host cluster available today?

The 2-Host cluster is available in all regions where VMware Cloud on AWS is available today.

What are the features included in the 2-Host cluster?

Features included in the 2-Host cluster are the same as a 3+ host Production SDDC, except for Optimized Elastic DRS policies (optimize for cost, optimize for performance and rapid scale-out).

How many 2-Host clusters can I provision?

You may provision as many 2-Host clusters as you wish. You can mix an SDDC with a 2-Host cluster and 3+ host clusters.

Can I run a 2-Host cluster beyond 60 days (unlike the Single Host offering)?

Yes, there is no limitation to the lifetime of a 2-Host cluster.

What support is available for 2-Host Clusters?

The 2-Host cluster has the same level of support as all other production SDDCs.

What service level agreement (SLA) do you offer for the 2-Host cluster?

The 2-Host cluster has the same SLA as other production SDDC clusters.

Can I scale up from two hosts to three hosts?

Yes. Not only does the 2-Host cluster offer the Default Elastic DRS Policy, but manual scale-up is also available.

Can I scale down from 3+ hosts back to 2-Hosts?

Yes. 3-host Production SDDCs can be scaled down to a 2-Host cluster.

What Add-ons are compatible with 2-Host Clusters?

All add-ons supported for production SDDCs are compatible with 2-Host clusters.

Can I use VMware Horizon VDI workloads with the 2-Host cluster?

Yes, Horizon VDI workloads are supported by the 2-Host cluster. For specific sizing questions, you can refer to the VMware Cloud Sizer tool.

Can I use Stretched Clusters with the 2-Host cluster?

Yes, stretched deployments are available for the 2-Host cluster, in a 1-1 configuration, with 99.9% SLA.

Can I use all the Optimized EDRS policies with the 2-Host cluster?

No. Only the Elastic DRS (EDRS) Baseline policy is currently available.

How can I purchase the 2-Host cluster?

The 2-Host cluster can be purchased and provisioned in the same manner as any other SDDC. Once provisioned, it can be scaled up in a matter of minutes to a 3-host SDDC.

Can I use a credit card to pay for a 2-Host cluster?

Yes, you can. However, credit card users cannot create more than one SDDC, nor add an additional 2-Host or 3-host cluster to it. For more details on credit card payments, please look at the “Credit Card Payment” section of this FAQ.

I wish to work with a Managed Service Provider (MSP) to use the 2-Host Cluster offering. Can they provide me with a 2-Host Cluster?

Yes, Managed Service Providers (MSPs) can deploy the 2-Host cluster. The SLA for any organization managed by an MSP is subject to the specific terms between the MSP and the tenant and is not bound by the VMware SLA.

How many VMs can I run on a 2-node Cluster?

While a 2-node cluster supports the same number of VMs per host as any other configuration, due to Admission Control, a 2-node I3.metal cluster can power on no more than 35 workload VMs at a time. This is to ensure vSphere HA will be able to restart any running workload in case of a failure. You can find more details on TechZone.

VMware Cloud Disaster Recovery

Where can I find information about VMware Cloud Disaster Recovery?

There is a detailed set of questions & answers in the VMware Cloud Disaster Recovery FAQ.

VMware Site Recovery

Where can I find more information about VMware Site Recovery?

There is a detailed set of questions & answers in the VMware Site Recovery FAQ.

Workload Migration - vMotion

What is vSphere vMotion between on-premises and VMware Cloud on AWS and what does it require?

VMware vSphere vMotion enables live migration of powered on VMs between hosts and environments. This includes on-premises hosts to VMware Cloud on AWS SDDCs, and offers zero downtime for the application, continuous service availability, and complete transaction integrity.

vMotion has several options: regular vMotion, the Advanced Cross-vCenter vMotion, and Hybrid Cloud eXtension (HCX) which also uses vMotion logic. Find more information about migrations to VMware Cloud on AWS here.

By enabling certain advanced configurations, vMotion can be enabled across different vSphere Distributed Switch versions. Requirements include:

  • Connectivity between on-premises data centers and VMware Cloud on AWS using AWS Direct Connect (over Private VIF) and/or VMware NSX Layer 2 VPN
  • On-premises vSphere version must be 6.0U3d or above.
  • Sustained bandwidth of 250 Mbps or more is required for optimal performance.
  • No greater than 150ms of round-trip (RTT) latency.

To help ensure success it is recommended that source environments be running the latest updates to that major vSphere version.

What are the different ways to orchestrate vMotion between on-premises and VMware Cloud on AWS?

Single VM vMotion:

  • UI: Hybrid Linked Mode needs to be set up for orchestrating vMotion via the HTML5 client.
  • PowerCLI: Support via API directly with PowerCLI.

Bulk vMotion:

  • UI: Hybrid Cloud Extension can enable bulk migration through UI.
  • PowerCLI: Sample scripts here, to allow bulk migration scenarios.

Is encrypted vMotion supported from on-premises to VMware Cloud on AWS?

Yes, encrypted vMotion is supported. No additional setup is required beyond the base vMotion requirements.

Can I vMotion from VMware Cloud on AWS back to on-premises?

Yes, you can vMotion from VMware Cloud on AWS back to on-premises if the on-premises hosts are compatible. Enhanced vMotion Compatibility (EVC) mode does not work across clusters, and while a VM is in VMware Cloud on AWS it may go through a power cycle and begin running on a newer hardware version in VMware Cloud on AWS. In such scenarios, the on-premises host might be on an older version and live migration back will not be supported.

Is Enhanced vMotion Compatibility (EVC) setting available for VMware Cloud on AWS?

EVC is disabled in VMware Cloud on AWS. All hosts in a deployed VMware Cloud on AWS SDDC are homogeneous and hence a compatibility check is not required.

How is per-VM EVC different from cluster EVC?

As the name suggests, per-VM EVC abstracts this setting from a cluster to a VM level. By doing so, the EVC mode now can persist through a power cycle of the VM.

What are the requirements for per-VM EVC to work?

Per-VM EVC requires VM hardware version 14 or later. Per-VM EVC requires the VM to be powered off to enable the settings.

Can EVC settings be changed via the UI, or is it an API-only feature?

Settings can be altered with both methods. There is an edit setting attribute at a per-VM level that can be changed to set the specific EVC mode. But it can also be automated and set for a batch of VMs via a script that uses the API.

How does per-VM EVC interact with cluster EVC while they co-exist?

Cluster EVC is not enabled in VMware Cloud on AWS. Only Per-VM EVC can be set.

Are all hosts in VMware Cloud on AWS homogeneous? How does per-VM EVC mode help there?

Yes, all hosts in VMware Cloud on AWS are homogeneous. The per-VM EVC setting comes into play when migrating back from VMware Cloud on AWS to on-premises, to ensure there are no compatibility issues.
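
As an added example (not VMware's own code) of the batch approach mentioned above, the following PowerCLI script applies a per-VM EVC mode to a set of VMs before they are migrated back on-premises, enforcing the two requirements stated above (hardware version 14 or later, VM powered off). It uses the vSphere API method ApplyEvcModeVM; it assumes PowerCLI is installed, Connect-VIServer has already been run against the SDDC vCenter Server, and the EVC mode key and VM name pattern are assumed example values.

```powershell
# Added example, not VMware's own code: set a per-VM EVC mode on a batch of
# powered-off VMs in the SDDC before migrating them back on-premises.
# Assumes VMware PowerCLI is installed and Connect-VIServer has already been
# run against the SDDC vCenter Server. The EVC mode key and VM name pattern
# are assumed example values; use the mode your on-premises cluster runs.

param(
    [string] $TargetEvcMode = "intel-broadwell",  # assumed: on-premises cluster EVC mode
    [string] $VmNamePattern = "app-*"             # assumed: VMs selected for migration
)

# vCenter publishes the CPU feature mask for every EVC mode it knows about.
$serviceInstance = Get-View ServiceInstance
$knownModes = $serviceInstance.Capability.SupportedEVCMode
$mode = $knownModes | Where-Object { $_.Key -eq $TargetEvcMode }
if (-not $mode) {
    throw "EVC mode '$TargetEvcMode' is unknown to this vCenter. Known modes: $($knownModes.Key -join ', ')"
}

$results = foreach ($vm in Get-VM -Name $VmNamePattern) {
    $vmView = $vm.ExtensionData

    # Per-VM EVC requires virtual hardware version 14 or later ("vmx-14").
    $hwVersion = [int]($vmView.Config.Version -replace '^vmx-', '')
    if ($hwVersion -lt 14) {
        [pscustomobject]@{ VM = $vm.Name; Status = "skipped: hardware version $hwVersion is below 14" }
        continue
    }

    # The setting can only be changed while the VM is powered off.
    if ($vm.PowerState -ne 'PoweredOff') {
        [pscustomobject]@{ VM = $vm.Name; Status = "skipped: VM is $($vm.PowerState), power it off first" }
        continue
    }

    # ApplyEvcModeVM takes the target mode's feature mask; completeMasks=$true
    # declares that the mask is the complete CPU feature set the VM may use.
    try {
        $vmView.ApplyEvcModeVM($mode.FeatureMask, $true)
        [pscustomobject]@{ VM = $vm.Name; Status = "set to $TargetEvcMode" }
    } catch {
        [pscustomobject]@{ VM = $vm.Name; Status = "failed: $($_.Exception.Message)" }
    }
}

# One row per VM so skipped and failed VMs are visible before the migration window.
$results | Format-Table -AutoSize
```

Run it after connecting to the SDDC vCenter Server, passing the EVC mode key your on-premises cluster reports; any VM listed as skipped must be powered off or have its hardware version upgraded before it can be given a per-VM EVC mode.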

Workload Migration - HCX

What is VMware HCX?

VMware HCX (formerly known as Hybrid Cloud Extension and VMware NSX Hybrid Connect) is a SaaS offering that provides application mobility and infrastructure hybridity across different vSphere versions, on-premises and in the cloud. Learn more here.

What does VMware HCX offer?

The VMware HCX service offers bi-directional application landscape mobility and data center extension capabilities between any vSphere version. VMware HCX includes vMotion, bulk migration, high throughput network extension, WAN optimization, traffic engineering, load balancing, automated VPN with strong encryption (Suite B) and secured data center interconnectivity with built-in hybrid abstraction and hybrid interconnects. VMware HCX enables cloud onboarding without retrofitting source infrastructure, supporting migration from vSphere 5.0+ to VMware Cloud on AWS without introducing application risk and complex migration assessments. Learn more here.

What is Infrastructure Hybridity?

VMware HCX abstracts vSphere-based on-premises and cloud resources and presents them to the applications as one continuous resource, creating infrastructure hybridity. At the core of this hybridity is a secure, encrypted, high throughput, WAN-optimized, load balanced and traffic engineered interconnect that provides network extension. This allows support for hybrid services, such as app mobility, on top of it. Apps are made oblivious to where they reside over this infrastructure hybridity, making them independent of the hardware and software underneath. Learn more here.

What are usage scenarios for VMware HCX?

Here are a few examples:

  • Extend on-premises data centers to cloud
  • Enable SDDC transformation
  • Live and bulk VM migration
  • Use ongoing hybridity for application landscape transparency and distributed app components.

Learn more here.

Does VMware HCX support multisite interconnect? What are good usage scenarios of it?

Yes. VMware HCX supports multisite interconnect. Here are a few use cases:

  • Consolidate small DCs to VMware Cloud on AWS
  • Extend to multiple VMware Cloud on AWS with separate geo-locations.

Learn more here.

Does VMware HCX support VMware NSX SDDCs?

VMware HCX supports all capabilities in VMware NSX SDDCs. VMware NSX SDDCs also support the ability to leverage the Direct Connect Private VIF option for the VMware HCX interconnects. If you are leveraging the Internet and would like to shift your HCX interconnects to the Private VIF option, please reach out to VMware via support to get assistance in switching the interconnect configuration.

Does VMware HCX require VMware NSX on-premises?

It is not required if the destination environment is an HCX-enabled public cloud. VMware NSX is needed if the destination vSphere environment is also private/on-premises. Optionally, VMware NSX can be installed in the source environment to access the VMware NSX Logical Switch Network Extension feature.

Where can I find pricing for VMware HCX for VMware Cloud on AWS?

VMware HCX is included with all VMware Cloud on AWS SDDCs.

How do I sign up for VMware HCX?

VMware HCX is included with your VMware Cloud on AWS subscription. To activate it, log in to the VMware Cloud Services portal and enable HCX for your VMware Cloud on AWS SDDCs. VMware HCX is integrated with the vSphere Client, so you can use the same management environment for day-to-day operations.

What is Cloud Motion with vSphere Replication?

Cloud Motion with vSphere Replication is a new and innovative way to enable mass migration of workloads from on-premises to VMware Cloud on AWS. With Cloud Motion with vSphere Replication, you can migrate VMs at large scale with minimal or no downtime.

How is Cloud Motion with vSphere Replication different than existing HCX migration options?

Previously, there were two ways to migrate with HCX:

  1. vMotion-based: vMotion-based migration is live (no downtime) but is serial in nature. Due to vSphere concurrency and cross-cloud limitations, only a handful of VMs could be vMotioned at the same time. While vMotion is a live migration option, it did not support large-scale mobility.
  2. Warm migration: Warm migration is a large-scale migration where VMs can move at scale, but the migration needs a VM reboot.

Cloud Motion with vSphere Replication combines the best of both worlds. VMs are replicated to the destination using replication technology, and once the VMs are replicated, the final migration is done via vMotion. This enables large scale migration without the need for reboot. This feature lets you move applications at scale live, without any reboot or reload.

How can Cloud Motion with vSphere Replication help with cloud migrations?

Cloud Motion with vSphere Replication simplifies migration planning and operations in three ways:

  • Traditionally, you would have to plan for a maintenance window wherein applications would be rebooted. Maintenance windows are tedious to manage and maintain, and there is additional complexity when dealing with application reloads/reboots. With Cloud Motion, migrations can be done at scale from source to VMware Cloud on AWS without scheduling any maintenance windows.
  • Cloud Motion eliminates detailed analysis, dependency mappings and elongated migration planning projects.
  • Cloud Motion lets you schedule the failover. This enables predictability as to when the application will migrate. In the case of vMotion, there is no predictability, since the VMs would move as soon as the vMotion-related activities were done.

The combination of live migrations at scale with a predictable schedule brings a paradigm shift in migration process planning and operations.

What on-premises versions of vSphere are supported with Cloud Motion with vSphere Replication?

This feature requires vSphere version 5.5 or higher.

How do I get more information about VMware HCX?

Learn more here. Try the Hands-on-Lab for VMware HCX.

When should I change my VMware HCX FQDN resolution to private?

Private IP address resolution is useful when users connect to HCX Manager either via VPN or via AWS Direct Connect.

How do I change my HCX FQDN resolution?

For instructions, please refer to the VMware Cloud on AWS documentation.

Compute

Does VMware Cloud on AWS use nested virtualization?

No, VMware ESXi is running directly on bare-metal AWS infrastructure. There is no nested virtualization.

How can I onboard virtual machines to my SDDC on VMware Cloud on AWS?

There are numerous ways to bring VMs and templates into a VMware Cloud on AWS SDDC, including:

  • Build new templates and redeploy
  • Publish vSphere Content Libraries with Templates/OVF/OVA/ISOs, subscribe the SDDC
  • Import templates and VMs as OVF/OVA
  • Cold vMotion (powered off VM)
  • Cross-vCenter vMotion
  • VMware HCX (cloud migration and related methods)

Tools such as PowerCLI can help automate creation and deployment of workloads wherever you wish to run them.

How can VM template support in VMware Cloud on AWS Content Library help me?

VM templates enable consistency and ease of VM content management. You can add a VM template to Content Library, delete it, rename it, update notes, or create a new VM from it.

What can I not do with a VM template in Content Library?

You can't add a VM template into a published library, because the synchronization (data distribution) between Published and Subscribed libraries for VM templates is not supported yet. Also, you can't convert a VM template into a VM via Content Libraries; however, the same template with all capabilities is available for you in VMware vCenter Server Inventory/Folders.

How many VMware ESXi hosts do I need (minimum) in VMware Cloud on AWS?

The minimum size SDDC that you can create in VMware Cloud on AWS is one host with the Single Host SDDC. However, one host SDDCs have a limited SLA, limited lifespan (60 days), and are not intended for production use. For more details, refer to the Single Host SDDC FAQ section.

2-Host Clusters are the smallest production SDDC configurations that are fully supported.

Is there any functional difference between a three host and a four host SDDC?

Yes. Because you only have three hosts, you cannot implement a "RAID 5" SPBM policy. That requires a minimum of four hosts. The only storage redundancy you can choose is RAID 1.

Can I add a cluster to an existing SDDC?

Yes.

What is the maximum supported cluster size in VMware Cloud on AWS?

The maximum cluster size is 16 hosts.

Can I increase or decrease the size of my cluster after I provision an SDDC on VMware Cloud on AWS?

Yes. You can add additional hosts on-demand. You can also remove hosts on-demand. Scaling down depends on multiple factors including storage availability policies and storage consumption below 80%.

What is the maximum number of clusters supported?

VMware Cloud on AWS supports a hard maximum limit of 20 clusters per SDDC. Your organization may have lower "soft" limits set. If you wish to have your limits raised, please contact your customer success team.

With multi-cluster support, how do I move VMs to the new cluster?

Once the new cluster is provisioned, you can cold migrate or vMotion VMs to this cluster via VMware vCenter Server the same way you would move VMs on premises.

With multi-cluster support, can I remove the original cluster created when the SDDC was created?

No. Only additional clusters can be removed. You must have one cluster in your SDDC and this cluster must be the original cluster deployed when the SDDC was created.

Can a customer create multiple SDDCs?

In VMware Cloud on AWS, you can provision multiple SDDCs and can connect to multiple AWS accounts.

Can the SDDCs reside in different regions?

Yes, the SDDCs can reside in any region where VMware Cloud on AWS is available.

Do I have to connect all my SDDCs to an AWS account?

A VMware Cloud on AWS SDDC must be connected to an AWS account. It is possible to defer account linking for Single Host SDDCs for up to 14 days, but it is not possible to scale-up your Single Host SDDC without connecting to an AWS account.

What are the benefits of connecting to an AWS account?

Establishing a connection to an AWS account creates a unique high-bandwidth, low-latency connection between your SDDC and your AWS resources and allows consuming AWS services with no cross-Availability Zone charges. By delaying account linking, you will not be able to choose which Availability Zone your SDDC will be deployed in.

How do I connect my SDDC to a different AWS account?

When creating your SDDC, select Connect to a New AWS Account from the Choose an AWS Account drop down in step number one of creating an SDDC.

Can I connect SDDCs from different Organizations to the same AWS account?

This is not supported.

How do I provision an SDDC in a newly available region?

Select the newly available region when creating your SDDC. It is that simple. You can provision an SDDC in a newly available region in the same manner as you provision an SDDC in other available regions. The region selector will now have another option for the new region. The SDDCs you create in the new region will appear on your dashboard along with your other SDDCs. Further, your Organization can contain SDDCs from different regions.

How can I pay for the new region?

You can use a fund with SPP or HPP credits or a credit card.

Do I need to access region specific endpoints to access my SDDCs?

No, you use the same endpoints to access the VMware Cloud on AWS API and VMware Cloud on AWS Console regardless of the region your SDDCs are in.

Which version of VMware ESXi is available on VMware Cloud on AWS?

The version of VMware ESXi running on VMware Cloud on AWS is optimized for cloud operations and is compatible with the standard vSphere releases. The version of ESXi will vary based on the version of the SDDC that is deployed. VMware ESXi running on VMware Cloud on AWS may have a more frequent update cadence so that you can take advantage of regular service enhancements.

Can I choose the version of VMware ESXi running in my VMware Cloud on AWS SDDC?

Not directly. Versions of ESXi follow the SDDC versions your organization is configured to deploy. You can view the SDDC version in the Support information for that SDDC.

Can I run nested VMware ESXi VMs on VMware Cloud on AWS for testing and training purposes?

VMware does not support nested VMware ESXi VMs running on VMware Cloud on AWS.

Can I use the VMware vCenter Server in my SDDC to manage my on-premises VMware ESXi hosts?

Through Hybrid Linked Mode, you can connect your VMware vCenter Server running in VMware Cloud on AWS to your on-premises VMware vCenter Server to get a single inventory view of both your cloud and on-premises resources.

The SDDC vCenter Server cannot be used to directly manage non-SDDC hosts.

What is Compute Policy?

Compute Policy is a new framework to allow you the flexibility, control, and policy-based automation required to keep up with the demands of your business. You can configure simple VM-Host affinity and anti-affinity, as well as disable DRS vMotion.

How does Compute Policy differ from DRS rules?

Given the granular cluster level at which DRS operates, it becomes difficult to manage, replicate and update the static rules (laid down in the beginning) as the underlying infrastructure grows (number of VMs, hosts, applications). Similarly, the intent (the why and what) for which the rules were created is lost over time. To get around this, Compute Policy provides a higher level of abstraction to capture the customer intent at an SDDC level rather than at the cluster level at which DRS operates. As a result, a single policy can apply to multiple clusters within the SDDC at the same time. It aims to provide a framework not only for placement and load-balancing decisions for individual VMs, but also for handling entire workloads.

What is the difference between a mandatory and a preferential policy?

Mandatory policies are equivalent to the DRS “must” rules, while preferential policies are like the DRS “should” rules. Preferential policies cannot block a host from entering maintenance mode. However, a policy cannot be violated for fixing cluster imbalance or host over-utilization.

Is VM-Host Affinity a mandatory or preferential policy?

Mandatory policies are not available in a VMware Cloud on AWS environment. As a result, VM-Host affinity is a preferential policy.

What if I delete tags?

If tags associated with a policy are deleted, the policy is no longer in effect, and is deleted.

How many policies can I create?

Compute Policy can support a total of 20 policies per SDDC.

Are some policies preferred over others?

No. All defined policies (except Disable DRS vMotion) are treated the same, and no one policy is preferred over the other. As a result, one policy cannot be violated to remediate another.

How are the interactions between the various policies handled?

In the current implementation there is no conflict detection. This means that if a user configures two policies that conflict with each other, no user error or warning will be generated. DRS will enforce all the policies in the best manner it can, as described below.

Can I choose the Availability Zone in which my VMs run with VM-Host Affinity?

Yes. When defining a VM-Host affinity policy, you can select hosts tagged with the required Availability Zone.

Can I use the VM-Host affinity policy to address my software licensing needs?

Possibly. VM-Host affinity is a preferential policy. Please discuss with your ISV whether preferential policies are acceptable under the terms of your licensing agreements.

Are there any scenarios where a VM may not run on a designated host?

In VMware Cloud on AWS, VM power-on, maintenance and availability take priority over policy enforcement, while policy enforcement takes priority over host utilization. As a result, there are scenarios in which a VM may not run on a designated host. For example, if a host goes down due to a failure and HA is enabled, the recovering VM may be repowered on any available host in the cluster.

Similarly, if reservations are used and no compliant host can satisfy a VM's reservations, the VM will be repowered on any available (non-compliant) host that can satisfy the reservation.

If there is no compliant host (i.e., if no host has the Host-tag specified by the policy), the VM shall be repowered on an available host.

If the user configures multiple VM-Host affinity policies that conflict for a VM, the policies are ignored and the VM is placed at power-on on a suitable host chosen by DRS.

In all cases, Compute Policy will keep trying to move the VMs back to the compliant hosts.

How does the VM-VM Anti-Affinity policy work?

Enforcing a VM-VM anti-affinity policy implies that DRS will try to ensure that it keeps each VM (that has the policy's VM tag) on different hosts. This anti-affinity relation between the VMs will be considered by DRS during VM power-on, host maintenance mode and load balancing. If a VM is involved in a VM-VM anti-affinity policy, then DRS will always prefer those candidate hosts which do not have any powered-on VM that has the policy's VM tag.

Are there any scenarios in which the VM-VM Anti-Affinity policy may not be enforced?

One scenario is a provisioning operation whose API call explicitly specifies a destination host; such an operation is allowed to violate the policy. However, DRS will try to move the VM in a subsequent remediation cycle. If it is not possible to place a VM as per its VM-VM anti-affinity policies, then the policy is dropped and the operation (power-on or host entering maintenance mode) continues. This means that DRS first tries to place the VM such that the policy can be satisfied, but if that is not possible, DRS continues to find the best host based on other factors, even if that violates the policy. Other scenarios where VMs may not be placed as per the policy include:

  • Every host in the cluster has at least one VM with the tag specified by the VM-VM anti-affinity policy.
  • None of the policy-preferred hosts can satisfy the VM's CPU/memory/vNIC reservation requirements.

What is the behavior if there are more VMs than available hosts in an anti-affinity rule?

DRS will first try to place as many VMs on different hosts as possible, which in this case equals the number of hosts available in the cluster. After that, the policy is not enforced, i.e. the remaining VMs are placed based on the other factors DRS considers, which may result in multiple VMs on the same host. To remedy this violation, additional hosts can be added to the cluster. Once the hosts are added, DRS will move the VMs that are violating the policy to the newly added hosts.
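The placement rules described in the preceding answers (power-on and reservations before policy, policy before utilization, fallback when no compliant host exists, conflicting policies ignored, anti-affinity dropped when there are more tagged VMs than hosts) can be modelled in a few dozen lines. The following is an added illustration, not VMware's DRS code: the real algorithm is not public and weighs many more factors, and the hosts, tags and reservation values are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    tags: set
    free_cpu_mhz: int
    vms: list = field(default_factory=list)   # VMs currently powered on here

@dataclass
class VM:
    name: str
    tags: set
    cpu_reservation_mhz: int = 0

@dataclass
class VmHostAffinity:     # preferential: VMs carrying vm_tag prefer hosts carrying host_tag
    vm_tag: str
    host_tag: str

@dataclass
class VmVmAntiAffinity:   # VMs sharing vm_tag prefer to run on different hosts
    vm_tag: str

def place_vm(vm, hosts, policies):
    """Choose a power-on host for `vm` using the priority order in the FAQ:
    power-on/reservations first, then policy, then host utilization.
    Mutates the chosen host and returns (host, reason)."""
    reasons = []
    # Power-on wins over policy: only hosts that can honour the reservation qualify.
    candidates = [h for h in hosts if h.free_cpu_mhz >= vm.cpu_reservation_mhz]
    if not candidates:
        return None, "no host can satisfy the reservation"

    # VM-Host affinity: every matching policy contributes a required host tag.
    required = {p.host_tag for p in policies
                if isinstance(p, VmHostAffinity) and p.vm_tag in vm.tags}
    if required:
        compliant = [h for h in candidates if required <= h.tags]
        if compliant:
            candidates = compliant
            reasons.append("VM-Host affinity satisfied")
        elif not any(required <= h.tags for h in hosts):
            # Either no host carries the tag at all, or two policies demand tags
            # that no single host carries; both cases fall back to any host.
            reasons.append("conflicting VM-Host policies ignored" if len(required) > 1
                           else "no compliant host, placed on any available host")
        else:
            reasons.append("compliant host cannot satisfy reservation, "
                           "placed on non-compliant host")

    # VM-VM anti-affinity: prefer hosts with no powered-on VM carrying the same tag.
    anti_tags = {p.vm_tag for p in policies
                 if isinstance(p, VmVmAntiAffinity) and p.vm_tag in vm.tags}
    if anti_tags:
        separated = [h for h in candidates
                     if not any(anti_tags & other.tags for other in h.vms)]
        if separated:
            candidates = separated
            reasons.append("VM-VM anti-affinity satisfied")
        else:
            reasons.append("VM-VM anti-affinity dropped, every host already has a tagged VM")

    # Last factor: utilization (least-loaded host wins, first one on a tie).
    host = max(candidates, key=lambda h: h.free_cpu_mhz)
    host.vms.append(vm)
    host.free_cpu_mhz -= vm.cpu_reservation_mhz
    return host, "; ".join(reasons) or "no policy applies"

def find_violations(hosts, policies):
    """VMs that currently violate a policy; Compute Policy keeps trying to
    move these back to compliant hosts in later remediation cycles."""
    violating = set()
    for h in hosts:
        for vm in h.vms:
            required = {p.host_tag for p in policies
                        if isinstance(p, VmHostAffinity) and p.vm_tag in vm.tags}
            if required and not required <= h.tags:
                violating.add(vm.name)
            anti = {p.vm_tag for p in policies
                    if isinstance(p, VmVmAntiAffinity) and p.vm_tag in vm.tags}
            if anti and any(anti & o.tags for o in h.vms if o is not vm):
                violating.add(vm.name)
    return sorted(violating)

def demo():
    """Constructed scenario: two small hosts tagged az1, one large host tagged az2."""
    hosts = [Host("h1", {"az1"}, 4000), Host("h2", {"az1"}, 4000), Host("h3", {"az2"}, 8000)]
    policies = [VmHostAffinity("db", "az1"), VmVmAntiAffinity("web")]
    vms = [VM("db1", {"db"}, 2000),      # fits on an az1 host
           VM("db-big", {"db"}, 6000),   # only the az2 host can hold its reservation
           VM("web1", {"web"}), VM("web2", {"web"}), VM("web3", {"web"}),
           VM("web4", {"web"})]          # fourth web VM: more tagged VMs than hosts
    placements = {}
    for vm in vms:
        host, why = place_vm(vm, hosts, policies)
        placements[vm.name] = (host.name, why)
    return placements, find_violations(hosts, policies)

if __name__ == "__main__":
    placements, violations = demo()
    for name, (host, why) in placements.items():
        print(f"{name:7} -> {host}: {why}")
    print("violations still to remediate:", violations)
```

Running the demo shows db-big landing on the az2 host (reservation beats policy), the first three web VMs spread over all three hosts, the fourth doubling up, and the violation list that a later remediation cycle would work from.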

How does the VM-VM Affinity policy work?

Enforcing a VM-VM affinity policy means that DRS will try to ensure that it keeps each VM that has the policy's VM tag on the same host. This affinity relation between the VMs will be considered by DRS during VM power-on, host maintenance mode and load balancing.

How does the Disable DRS vMotion policy work?

This policy indicates that DRS would not migrate or load balance a virtual machine away from the host on which it was powered-on, except for the case when the host is being put into maintenance mode. This policy can be useful for applications that may be sensitive to vMotion, such as large transactional databases. The VMs subjected to this policy are identified using vSphere tags, and this policy is not applicable for a power-on operation. However, once a VM is powered on, and is subjected to this policy, it will not be moved to remediate a VM-Host affinity or VM-VM Anti-affinity policy.

Can I create my own custom roles in the VMware vCenter Server running in VMware Cloud on AWS?

Yes, you can create custom roles in addition to the CloudAdmin role that is provided out of the box. Users that have the Authorization.ModifyRoles privilege can create/update/delete roles. Users with the Authorization.ModifyPermissions privilege can assign roles to users/groups. You may be able to create roles that have privileges greater than CloudAdmin but you will not be able to assign the role to any users or groups.

Are users able to modify other VMware vCenter Server roles as well, or only roles that they've created?

Users can only modify or delete roles whose privileges are less than or equal to those of their current role.

Can I view management objects?

Yes, you can view management objects, such as the vCenter Server appliance. You can assign the read only role to the management objects for other users and groups as well.

With this added flexibility, do I now have access to the entire inventory tree?

Yes, you now have access to the entire inventory tree. However, to limit contention across the VMs that you create, we strongly recommend that you continue to use the Compute Resource Pool as the location to create your VMs.

What are the different host instance types available?

The VMware Cloud on AWS documentation lists the different host types available in the service.

Can a customer create I3en Single Host or 2-Host SDDC?

Single-host SDDCs are not supported with I3en.metal instances.

What is a Partition Placement Group?

This is an instance placement strategy that helps reduce the likelihood of correlated host failures due to hardware failures. Partition Placement Groups increase the availability of applications by placing hosts in different logical partitions that do not share the same underlying hardware. Partition placement groups follow a “best effort” algorithm to automatically deploy hosts across as many different partitions as are available within an AZ. Each partition within a placement group has its own set of racks, and each rack has its own network and power source. No two partitions within a placement group share the same racks, which allows host failures to be isolated within an SDDC cluster. VMware Cloud on AWS automatically enables Partition Placement Groups for new SDDC, cluster and host provisioning operations. This is enabled for i3.metal and i3en.metal instance types in AWS Regions where these instance types are available for VMware Cloud on AWS.

When is partition placement activated?

VMware Cloud on AWS automatically enables partition placement groups during new SDDC, cluster, and host provisioning operations.

With partition placement groups automatically enabled, what happens when a host is removed or replaced?

When a host is removed, the preference is to remove a host that is not inside a partition; new hosts are added into partitions whenever possible. In this way, SDDCs will benefit from more partitions over time.

What happens if partition placement fails?

Partition placement is a best-effort operation. Placement may fail if there are insufficient physical racks or insufficient capacity. If partition placement fails, a host is added outside of a partition. This means the host is still added, but it is added to a rack that may already have a host from the same cluster. No further action is required when partition placement is sub-optimal.

How can I view partitions for my SDDC?

Partition placement is not configurable or viewable by customers.

Can I retrofit my current SDDC to use partition placement?

No. Existing SDDCs will benefit from partition placement over time, as hosts are added and removed.

In which regions and availability zones will the I4i.metal instances be available?

The I4i.metal instances are available in the following regions and respective availability zones:

  • Paris (CDG/eu-west-3): euw3-az1, euw3-az2, euw3-az3
  • Ohio (CMH/us-east-2): use2-az1, use2-az2, use2-az3
  • Ireland (DUB/eu-west-1): euw1-az1, euw1-az2, euw1-az3
  • Frankfurt (FRA/eu-central-1): euc1-az1, euc1-az2, euc1-az3
  • N. Virginia (IAD/us-east-1): use1-az1, use1-az2, use1-az4, use1-az5, use1-az6
  • London (LHR/eu-west-2): euw2-az1, euw2-az2, euw2-az3
  • Tokyo (NRT/ap-northeast-1): apne1-az1, apne1-az2, apne1-az4
  • Oregon (PDX/us-west-2): usw2-az1, usw2-az2, usw2-az3, usw2-az4
  • N. California (SFO/us-west-1): usw1-az1, usw1-az3
  • Singapore (SIN/ap-southeast-1): apse1-az1, apse1-az2, apse1-az3
  • Sydney (SYD/ap-southeast-2): apse2-az1, apse2-az2, apse2-az3
  • Canada-Central (YUL/ca-central-1): cac1-az1, cac1-az2

Will there be in-cluster conversion from existing I3/I3en cluster to I4i?

Yes, VMware will provide an in-cluster conversion service for qualified clusters in the upcoming releases. Details of in-cluster conversion are available here.

Custom Core Count

Does VMware Cloud on AWS support Custom core counts?

Yes. The following Custom CPU Core values are supported for each host type:

  • I3 host 2-Host clusters: 16, 36 custom physical CPU cores per host.
  • I3 host 3+ host clusters: 8, 16, 36 custom physical CPU cores per host.
  • I3en host type: 8, 16, 24, 30, 36, 48 custom physical CPU cores per host.
  • I4i host type: 8, 16, 24, 30, 36, 48, 64 custom physical CPU cores per host.

Can I use custom core counts in the primary cluster (Cluster-0)?

No, custom core counts are not supported in the primary cluster due to the need for cores to run management VMs. Cluster 0 must have all cores enabled.

Can I use custom core counts in the secondary (workload) cluster?

Yes. However, the custom core counts supported in the secondary cluster depend on its size. For a 2-node secondary cluster, the supported custom core counts are 16 and above. For a secondary cluster of 3 or more hosts, the custom core counts listed above are supported.

How do I use Custom CPU Core Count feature?

Go to the VMware Cloud on AWS Console, click on your SDDC, and select Add Cluster. Under the section “Cluster to Be Added” you will see that you can specify the Number of CPU Cores Per Host. Select the value that works best for your workloads and finish the action.

What are the current limitations of Custom CPU Core Count capability?

Cluster-0 must have all cores enabled, and the core count is a decision made only at "Add Cluster" deployment time. The core count cannot be changed after deployment except by deleting and redeploying an SDDC. All hosts in the cluster must have the same number of CPU cores, including during Add/Remove Host operations.

Do I get a price discount on the hosts with lower CPU core count?

No, changing the number of cores does not affect the price of the host.

How do I control my licensing, while leveraging Custom CPU Core Count capability?

To preserve the number of licensed CPU cores, it is highly recommended that you leverage VMware Cloud on AWS Compute Policies (Simple VM-Host Affinity) to tag all applicable VMs and all the original hosts in the cluster, so that the compute policy can keep these VMs on those hosts. During regular VMware Cloud on AWS patch and upgrade operations, an additional host is added to a cluster. Therefore, you may need to include the license for this additional host in your initial licensing contract, making it N+1 since day one.

When I specify the lower number of CPU cores, does it impact the performance?

Reducing core count affects the compute capacity of the hosts, which may affect overall performance for both workloads and internal vSphere, NSX, and vSAN processes that execute on the hosts.

Where can I find more information about Custom Core Count?

Check the VMware Cloud Tech Zone for more information about the feature.

Stretched Clusters

What are Stretched Clusters for VMware Cloud on AWS?

Stretched clusters provide zero-RPO infrastructure availability for applications. This enables you to fail over workloads within clusters spanning two AWS Availability Zones (AZs). It also enables developers to focus on core application requirements and capabilities instead of infrastructure availability. With this feature, you can deploy a single SDDC across two Availability Zones. The vSAN Stretched Cluster feature lets us guarantee synchronous writes across two Availability Zones in a single SDDC cluster. This feature also extends workload logical networks to support vMotion between Availability Zones. In the case of an Availability Zone failure, vSphere HA will attempt to restart your VMs in the surviving Availability Zone.

How many Availability Zones can I stretch my cluster across?

Two. When you provision your SDDC, select your Availability Zone just the way you do now. The only change is that you then select a second Availability Zone. Using this information, we automatically deploy your SDDC and stretch your clusters across these two Availability Zones.

Can I have more than one stretched cluster?

You can create multiple stretched clusters in an SDDC.

Can I create stretched clusters and non-stretched clusters in the same SDDC?

No. Cluster types cannot be mixed. An SDDC can only have stretched clusters or non-stretched clusters.

Can I convert a non-stretched cluster to a stretched cluster?

No. The decision to deploy a stretched or a non-stretched cluster is made when the SDDC is created and cannot be changed afterwards.

Is it possible to configure custom CPU cores with multiple stretched clusters?

Yes. Custom CPU cores can be configured in an SDDC that has two or more stretched clusters. However, custom CPU cores cannot be configured in the first stretched cluster. See the “Custom Core Count” FAQ section.

What is the smallest stretched cluster I can make?

The smallest supported stretched cluster is two hosts and provides a 99.9% availability guarantee. At six hosts the service increases the availability guarantee to 99.99%.

Can I add hosts to a stretched cluster?

Yes. Just like a regular cluster, you can add and remove hosts at any time. However, in a stretched cluster these hosts must be added and removed in pairs. You must always have the same number of hosts on each side. Thus, you can grow a cluster from 6 to 8, 10, 12, etc.

What is the largest stretched cluster that would be supported?

We support cluster sizes of up to 16 hosts.

What about the witness?

In addition to the hosts you request, for a stretched cluster we always provision one additional VMware ESXi host to act as a witness node. This prevents issues such as split brain in the case of a network partition. You will see this host in the UI, but it will not be a member of the cluster and you cannot run guest VMs on it. This host is a special version of VMware ESXi that runs as a guest, which saves customers money since the witness VMware ESXi does not consume an entire physical host.

Are stretched clusters a good way to implement Disaster Recovery?

No. Stretched clusters improve availability but are not intended for DR. AWS Availability Zones in an AWS region are in the same geographical area. A disaster affecting a geographical area could take out all Availability Zones in an AWS region.

Do you support VMware ESXi as a guest now?

No. The witness host VM is a special case and does not run guest workloads.

Can I downgrade a stretched cluster SDDC to a single Availability Zone SDDC?

No. Enabling stretched cluster is a deployment time decision. You cannot downgrade a stretched cluster to a non-stretched cluster. You can deploy a new cluster and use vMotion or other migration techniques to move to it.

Can I migrate workloads from a single Availability Zone cluster to a stretched cluster?

Yes, using your preferred workload migration method.

Can I choose the Availability Zone in which my VMs run?

Yes. When deploying a VM you can choose a VMware ESXi host in the desired Availability Zone. In case of failure, the VM will stay in its original Availability Zone if possible. You can also enforce the VM placement using Compute Policies.

Can a stretched cluster span across AWS regions?

No. A stretched cluster spans across 2 Availability Zones within the same region. If you wish to protect against a regional failure, please use a DR tool such as our Site Recovery service.

Is there a performance impact when running VMs in a stretched cluster?

Yes. As with any stretched cluster or synchronous mirroring deployment, writes across two Availability Zones will incur additional latency overhead.

How many failures can be tolerated in an Availability Zone?

This depends on your vSAN Storage SPBM settings. By default, VMs are configured to survive the failure of all the hosts in a single Availability Zone without data loss.

What happens when an Availability Zone fails and when it comes back after a failure?

We will resynchronize the vSAN datastore. This resync time will depend on how much data you have stored and how long the systems have been segmented. This operation is automatic and monitored by our operations team. You can learn more on Tech Zone.

How much does it cost to run Stretched Clusters?

There are no additional charges to use the Stretched Clusters feature. Stretched Clusters Cross-Availability Zone charges are also waived for up to 10 petabytes of Cross-Availability Zone traffic per month. Usage will be monitored and for instances where a customer’s usage exceeds this limit, VMware reserves the right to inform the customer of the issue and charge the full amount.

What instance types are supported with the ability to create multiple stretched clusters?

All instance types support stretched clusters.

Can I mix stretched clusters using different host instance types in the same SDDC?

Yes.

Can I have a mix of different instance types within the same Stretched Cluster?

No, a single Stretched Cluster can only consist of hosts of the same instance type.

Elastic DRS

What is Elastic DRS (EDRS)?

Elastic DRS (EDRS) is a feature that uses the resource management features of vSphere to analyze the load running in your SDDC to scale your clusters up or down. Using this feature, you can enable VMware Cloud on AWS to manage your cluster sizes without manual intervention.

When will EDRS scale up?

EDRS will automatically scale up when your cluster reaches a configured capacity threshold.

What is the baseline policy in Elastic DRS?

Elastic DRS Baseline Policy is now configured for every cluster deployed within your SDDC. Previously, you were simply advised to maintain at least 20% slack space in your SDDCs, but this is now being enforced. The maximum usable capacity of your vSAN datastore is 80%; when you reach that threshold, EDRS will automatically start the process of adding a host to your cluster and expanding your vSAN datastore. Please note that even if you free up enough storage to fall below the threshold, the cluster will not scale-down automatically. You will need to manually remove host(s) from the cluster.

How quickly does EDRS scale my cluster?

It takes about 10-15 minutes to add a host to an existing cluster. EDRS will make a scaling recommendation approximately every five minutes.

Will EDRS scale my clusters down also?

Yes. When your cluster is lightly loaded, EDRS will also scale down automatically.

How do I control my budget with EDRS?

When configuring EDRS, you configure the minimum and maximum allowed cluster size. EDRS will only scale within the limits you set.

Will EDRS just keep adding hosts? Are there any limits to that?

No. EDRS will not keep adding hosts one after another; it is throttled to prevent runaway cluster scaling. The system is also monitored by our operations team to ensure that scale operations are conducted correctly.

What happens if I have an SPBM policy of RAID 6 set and EDRS tries to scale down to four hosts?

If you have an SPBM policy that requires a minimum number of hosts (such as RAID 6), EDRS will not scale down below that minimum number. To allow scale-down, reconfigure SPBM to use a policy without that restriction such as RAID 1.

How does EDRS affect my bill?

You are billed per host per hour on VMware Cloud on AWS. EDRS simply changes the number of hosts you have running in your SDDC. It is the same as if you manually added hosts to your SDDC.

Do my workloads get automatically re-balanced onto the new host?

Yes. DRS will automatically re-balance your workloads.

How long does a scale-down operation take?

This depends on how heavily loaded your host is. A lightly loaded host will take only a few minutes to remove from the cluster. A very heavily loaded host could take many hours. In the case of EDRS, we only remove hosts which are lightly loaded so we expect this operation to be on the lower end of this spectrum. However, your actual evacuation time largely depends on how many VMs are running and how much data must be evacuated from the host so your times will vary.

If I know that I am about to bring up many workloads suddenly, as in the case of a DR event, should I rely on EDRS?

No. Because EDRS is throttled, it is not designed for very sudden load spikes such as those caused by a DR event. In this case, you should script the host addition process as part of your DR runbook. After the DR workload is started, you can rely on EDRS to maintain the correct number of hosts in your cluster.

Is EDRS turned on by default?

Elastic DRS (EDRS) is enabled by default and cannot be disabled in VMware Cloud on AWS. VMware has pre-configured Elastic DRS thresholds across all available policies to ensure SDDC availability. One of the Elastic DRS policies listed in Select Elastic DRS Policy is always active.

What is the scope of EDRS?

EDRS is enabled on a per-cluster basis.

Would I get notified when hosts are added to my SDDC automatically?

Yes, you will get notified via email and in-console notification once any cluster is within 5% of any storage scale-out event. You will also be notified immediately after any hosts are added.

What is EDRS Rapid Scale Out?

EDRS Rapid Scale-Out causes EDRS to react faster and to add hosts in parallel to allow a cluster to scale out more quickly during a DR event for VDI or other workloads.

How do I enable EDRS Rapid Scale Out?

EDRS Rapid Scale-Out is enabled through the UI as a new EDRS policy type or via the EDRS policy API.

What thresholds are used with EDRS Rapid Scale Out?

EDRS Rapid Scale Out maximum thresholds are the same as the thresholds for the EDRS performance policy. The minimum thresholds are 0%; this means scale-in must be performed manually.

How many hosts could be selected for EDRS scale out per cluster?

You can select 4, 8 or 12 hosts to be deployed in parallel.

What EDRS policies are supported with Stretched Clusters?

All EDRS policies - Cost, Performance and Rapid Scale Out - are supported with Stretched Clusters, in addition to the Storage-only default policy.

How does EDRS decide to scale out when capacity (Storage/CPU/Memory) exceeds a threshold in only one of the Availability Zones?

EDRS monitors utilization in each Availability Zone. A scale-out event is triggered when a threshold is exceeded in either Availability Zone. Scale-in, on the other hand, occurs only when utilization goes below the threshold in both Availability Zones.
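The scaling rules this section states (the enforced 80% storage baseline that never scales in, min/max cluster size, the SPBM floor such as RAID 6, Rapid Scale-Out adding 4/8/12 hosts with manual scale-in, pairs in a stretched cluster, scale-out on either AZ but scale-in only on both) fit in one decision function. This is an added model, not VMware's EDRS implementation; every threshold other than the 80% storage baseline is a hypothetical placeholder, as are the utilization samples.

```python
from dataclasses import dataclass

STORAGE_BASELINE = 0.80   # enforced vSAN usable-capacity limit from the baseline policy

@dataclass
class EdrsPolicy:
    name: str
    scale_out: dict           # resource -> utilization (0..1) at which scale-out triggers
    scale_in: dict            # resource -> utilization below which scale-in is allowed ({} = never)
    min_hosts: int
    max_hosts: int
    parallel_hosts: int = 0   # Rapid Scale-Out adds 4, 8 or 12 hosts at once; 0 = normal

# Threshold values other than the 80% storage baseline are hypothetical placeholders.
BASELINE = EdrsPolicy("storage-only", {"storage": STORAGE_BASELINE}, {}, 2, 16)
PERFORMANCE = EdrsPolicy("performance", {"storage": 0.80, "cpu": 0.90, "memory": 0.80},
                         {"storage": 0.20, "cpu": 0.50, "memory": 0.50}, 3, 16)
RAPID = EdrsPolicy("rapid-scale-out", PERFORMANCE.scale_out, {}, 3, 16, parallel_hosts=4)

def edrs_recommendation(policy, az_utilization, hosts, spbm_min_hosts=0, stretched=True):
    """Decide what EDRS should recommend for one cluster.
    az_utilization: {"az1": {"storage": .., "cpu": .., "memory": ..}, "az2": {...}}
    Returns (action, host_delta, reason) with action in {"scale-out", "scale-in", "none"}."""
    step = 2 if stretched else 1          # stretched clusters change size in pairs
    out_thresholds = dict(policy.scale_out)
    # The storage baseline is enforced on every cluster whatever the policy says.
    out_thresholds["storage"] = min(out_thresholds.get("storage", 1.0), STORAGE_BASELINE)
    azs = list(az_utilization.values())

    # Scale-out: any resource at or above its threshold in EITHER Availability Zone.
    if any(util.get(res, 0.0) >= thr for util in azs for res, thr in out_thresholds.items()):
        room = policy.max_hosts - hosts
        n = min(policy.parallel_hosts or step, room)
        if stretched:
            n -= n % 2                    # keep both AZs at the same host count
        if n <= 0:
            return "none", 0, "threshold exceeded but max_hosts reached"
        return "scale-out", n, "threshold exceeded in at least one AZ"

    # Scale-in: every resource below its threshold in BOTH Availability Zones.
    if policy.scale_in and all(util.get(res, 1.0) < thr
                               for util in azs for res, thr in policy.scale_in.items()):
        floor = max(policy.min_hosts, spbm_min_hosts)
        if hosts - step < floor:
            return "none", 0, f"scale-in blocked by {floor}-host floor (policy minimum or SPBM)"
        return "scale-in", step, "lightly loaded in both AZs"
    return "none", 0, "within thresholds"
```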

Storage

What type of storage can I use with my SDDC on VMware Cloud on AWS?

VMware Cloud on AWS SDDC uses VMware vSAN as a primary datastore. A single cluster-wide vSAN datastore is automatically configured for you when you deploy each cluster in your SDDC. In your first cluster, all management virtual machines are hosted on the vSAN datastore and cannot be moved. You can extend the storage capacity of a cluster by adding hosts or by using the external NFS datastore feature.

Can I use any hybrid vSAN storage (Flash + Spinning Disk)?

We currently do not offer a hybrid storage solution. All hosts are equipped with NVMe SSD Storage.

Can I expand my storage without adding additional hosts?

Yes. VMware Cloud on AWS now supports external NFS datastores. Customers can use a VMware-managed solution (VMware Cloud Flex Storage) or an AWS-managed solution (Amazon FSx for NetApp ONTAP) as their external NFS datastore to extend storage capacity without adding hosts.

What vSAN policies can be configured?

The following subset of vSAN policies can be configured by the user:

  • Failures-To-Tolerate (FTT): Configured on a per vSAN Object basis.
  • Customers have a choice of Fault Tolerance Method (FTM) and Failures-To-Tolerate configurations for their VMs. To optimize for cost, performance and availability, it is recommended to use FTM = RAID 1 and FTT = 1 for a 3-node cluster, FTM = RAID 5 (Erasure Coding) and FTT = 1 for clusters of 4 or 5 nodes, and FTM = RAID 6 and FTT = 2 for clusters of 6 nodes and higher.
  • IOPS Limits: Limit IOPS consumption per VM to better manage performance SLAs for different workloads. Eliminates noisy neighbor issues.
  • Checksum: Enabled by default.
  • Disk stripes: The number of disk stripes per object can be up to a maximum of 12, but may be limited by certain cluster configurations (FTT, FTM choices, number of nodes, etc.).
  • Force provisioning: Enable provisioning of VMs even when the storage policy cannot be fully satisfied.

What is a storage policy and why is it important? How is “Managed Storage Policy” different?

Storage policies define levels of protection or performance for your VMs or VMDKs. Typically, a user manually sets a policy for one or more VMs and these are then managed by VMware vCenter Server. With Managed Storage Policy for improved data availability, we will automatically set the policy for you based on the number of nodes in your VMware Cloud on AWS cluster.

How does Managed Storage Policy benefit me?

VMware Cloud on AWS provides a 99.9% availability commitment as per the SLA for a standard SDDC. If an SLA event occurs i.e. a service component is unavailable, you will be eligible for SLA credits, provided that your cluster meets certain protection requirements that are set by storage policies. By allowing VMware Cloud on AWS to automatically set these policies for you, the criteria required to be eligible for these credits is already taken care of while ensuring that your clusters have the optimal level of protection.

If I add more hosts to a cluster and this increases the number of hosts beyond 5, will my policy change automatically with Automatic adjustment of vSAN policy feature?

Yes, we will automatically change the policy for your cluster.

Can I manually override the function of Automatic adjustment of vSAN policy and set my own policy?

Yes, you can override this function of Automatic adjustment of vSAN policy and set your own policies.

What does the monitoring and alerting enhancement for managed storage policy do?

This feature scans a customer's environment for VMs and objects that have SLA non-compliant policies and notifies the VMware Cloud on AWS customer. Customers receive an email notification containing details of all the non-compliant policies and the VMs/objects they are mapped to for their VMware Cloud on AWS ORG. Customers can also view the entire list of VMs with non-compliant policies in the VMware Cloud console and move them to a managed storage policy with a single click.
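Putting the per-cluster-size recommendation from the vSAN policy list above together with the daily compliance scan just described, the following added example (not VMware's implementation) scans a constructed inventory, reports only newly found non-compliant VMs, and remediates either a selection or the whole inventory. It assumes, as a simplification, that a policy counts as compliant when it tolerates at least as many failures as the managed policy for its cluster size; the real criteria are those in the SLA document.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StoragePolicy:
    ftm: str   # fault tolerance method: "None", "RAID-1", "RAID-5", "RAID-6"
    ftt: int   # failures to tolerate

@dataclass
class VmRecord:
    name: str
    cluster: str
    policy: StoragePolicy

def managed_policy(host_count):
    """The FTM/FTT combination the FAQ recommends for a cluster of this size.
    The FAQ gives no recommendation for 2-host clusters, so those return None."""
    if host_count >= 6:
        return StoragePolicy("RAID-6", 2)
    if host_count >= 4:
        return StoragePolicy("RAID-5", 1)
    if host_count == 3:
        return StoragePolicy("RAID-1", 1)
    return None

def is_compliant(policy, managed):
    # Simplification for this example (assumption, not the SLA wording): a policy is
    # compliant when it tolerates at least as many failures as the managed policy.
    return policy.ftt >= managed.ftt

def scan(clusters, vms, already_notified):
    """Daily scan. clusters: {cluster_name: host_count}.
    Returns (non_compliant, to_notify): every non-compliant VM with its current and
    managed policy, and the subset that has not been e-mailed about before."""
    non_compliant = {}
    for vm in vms:
        managed = managed_policy(clusters[vm.cluster])
        if managed is None or is_compliant(vm.policy, managed):
            continue
        non_compliant[vm.name] = (vm.policy, managed)
    to_notify = sorted(set(non_compliant) - set(already_notified))
    return non_compliant, to_notify

def remediate(clusters, vms, selected=None):
    """Move the selected VMs (or the whole inventory when selected is None)
    to their cluster's managed policy. Returns the names that were changed."""
    changed = []
    for vm in vms:
        if selected is not None and vm.name not in selected:
            continue
        managed = managed_policy(clusters[vm.cluster])
        if managed is not None and not is_compliant(vm.policy, managed):
            vm.policy = managed
            changed.append(vm.name)
    return changed

def sample_inventory():
    """Constructed inventory: a 3-host Cluster-0 and a 6-host Cluster-1."""
    clusters = {"Cluster-0": 3, "Cluster-1": 6}
    vms = [
        VmRecord("a", "Cluster-0", StoragePolicy("RAID-1", 1)),  # compliant
        VmRecord("b", "Cluster-0", StoragePolicy("None", 0)),    # no redundancy at all
        VmRecord("c", "Cluster-1", StoragePolicy("RAID-5", 1)),  # never raised after growing to 6 hosts
        VmRecord("d", "Cluster-1", StoragePolicy("RAID-6", 2)),  # compliant
        VmRecord("e", "Cluster-1", StoragePolicy("RAID-1", 2)),  # tolerates 2 failures, compliant
    ]
    return clusters, vms

if __name__ == "__main__":
    clusters, vms = sample_inventory()
    non_compliant, to_notify = scan(clusters, vms, already_notified={"b"})
    for name, (current, managed) in non_compliant.items():
        print(f"{name}: {current} -> managed policy {managed}")
    print("e-mail only about:", to_notify)
    print("remediated:", remediate(clusters, vms, selected={"c"}))
```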

What does SLA compliant/non-compliant policies mean?

SLA compliance is required to ensure that your workloads are protected and that you are eligible for credits should a failure occur (Click here to learn more about the VMware Cloud on AWS SLA). SLA compliant policies are policies which follow the VMware Cloud on AWS SLA guidance and non-compliant policies are policies which are different from what is stated in the VMware Cloud on AWS SLA document.

How will I be notified about SLA non-compliant policies?

You will be notified via email about which VMs have non-compliant policies. The email will include a link which re-directs you to the VMware Cloud console where you can view the entire list of VMs and objects with SLA non-compliant policies for your ORG.

How frequently is the scan performed and how often will I be notified?

The scan is performed daily and if there are new non-compliant policies, you will only be notified about these policies. Previously notified non-compliant policies will not be included in an email but they will be listed in the inventory view if they haven't been remediated.

Do I have to remediate all the VMs?

No. In the VMware Cloud console inventory view, you will have the option to select which VMs you want to change to a compliant policy. You will have the option to either select specific VMs you want to remediate or remediate the entire inventory. VMs that have not been moved to an SLA compliant policy will remain in the inventory.

Can I mute the notifications?

Yes. You can use NGW to mute the email notifications. There will be tiles within each cluster window to indicate which clusters have non-compliant policies.

How does Deduplication & Compression work in VMware Cloud on AWS?

Deduplication removes redundant data blocks, whereas compression removes additional redundant data within each data block. These techniques work together to reduce the amount of physical storage required to store the data. VMware vSAN applies deduplication followed by compression as it moves data from the cache tier to the capacity tier.

Deduplication occurs inline when data is destaged from the cache tier to the capacity tier. The deduplication algorithm utilizes a 4K-fixed block size to provide a good balance of efficiency and performance and is performed within each disk group. Redundant copies of a block within the same disk group are reduced to one copy, but redundant blocks across multiple disk groups are not deduplicated.

The compression algorithm is applied after deduplication has occurred, but before the data is written to the capacity tier. To avoid the inefficient use of compute resources for the allocation map overhead of compression, vSAN only stores compressed data if a unique 4K block can be reduced to 2K or less. Otherwise, the block is written uncompressed.
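The three rules just described (4K fixed blocks, deduplication scoped to a single disk group, compression applied afterwards and kept only when a block shrinks to 2K or less) are easy to reproduce on sample data. This is an added simulation, not vSAN's code: the workload bytes are constructed, a compressed block is counted at its compressed size, and the real on-disk layout is not modelled.

```python
import hashlib
import random
import zlib

BLOCK = 4096            # vSAN deduplicates on a fixed 4K block size
COMPRESS_LIMIT = 2048   # a unique block is stored compressed only if it shrinks to 2K or less

def destage(disk_groups):
    """Simulate destaging data from the cache tier to the capacity tier.
    disk_groups: {disk_group_id: bytes}. Returns (logical_bytes, physical_bytes, stats)."""
    logical = physical = 0
    stats = {"deduplicated": 0, "compressed": 0, "stored_raw": 0}
    for data in disk_groups.values():
        seen = set()   # dedup scope is one disk group; other groups keep their own copy
        for off in range(0, len(data), BLOCK):
            block = data[off:off + BLOCK].ljust(BLOCK, b"\0")   # pad a short tail block
            logical += BLOCK
            digest = hashlib.sha256(block).digest()
            if digest in seen:                # redundant copy within this disk group
                stats["deduplicated"] += 1
                continue
            seen.add(digest)
            packed = zlib.compress(block)     # compression runs after deduplication
            if len(packed) <= COMPRESS_LIMIT:
                physical += len(packed)       # counted at its compressed size
                stats["compressed"] += 1
            else:
                physical += BLOCK             # gain too small: written uncompressed
                stats["stored_raw"] += 1
    return logical, physical, stats

def savings_ratio(logical, physical):
    return logical / physical if physical else float("inf")

def sample_workload():
    """Constructed data: an OS-like text block duplicated within two disk groups
    (OS/VDI files dedupe well) plus a few random blocks (video-like, incompressible)."""
    os_block = (b"ESXi boot bank file " * 205)[:BLOCK]
    rng = random.Random(7)
    video = b"".join(bytes(rng.getrandbits(8) for _ in range(BLOCK)) for _ in range(4))
    return {"dg1": os_block * 8 + video, "dg2": os_block * 8}

if __name__ == "__main__":
    logical, physical, stats = destage(sample_workload())
    print(stats, f"logical={logical} physical={physical} "
                 f"savings={savings_ratio(logical, physical):.1f}x")
```

The eight OS copies in each disk group collapse to one compressed block per group (they are not deduplicated across groups), while the four random blocks are stored raw, so the overall ratio lands near the 2x-7x range quoted below rather than at the per-file extreme.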

How much storage is saved with the Deduplication & Compression feature in VMware Cloud on AWS?

Storage savings resulting from Deduplication & Compression is highly dependent on the workload data. For example:

  • Operating system files across multiple virtual machines benefit greatly from deduplication.
  • VDI workloads obtain good Deduplication savings.
  • Video files do not compress well.

Although some customers using vSAN on-premises report savings of up to 7x for VDI workloads, current deployments show storage savings averaging about 2x.

Can I apply Deduplication & Compression selectively for each volume?

No. Deduplication and compression cannot be enabled individually; it is a cluster-wide setting. All vSAN datastores in VMware Cloud on AWS have this feature enabled automatically without any user configuration, and it cannot be turned off.

Is there a performance impact due to Deduplication & Compression?

Although vSAN Deduplication & Compression are very efficient, users may experience some impact. For most workloads the impact is minimal.

Does Deduplication & Compression work with vSAN Encryption?

Yes. vSAN encrypts all data at rest both in the caching and capacity tiers, while preserving the storage efficiencies from deduplication and compression.

How does data encryption at rest work on VMware Cloud on AWS?

Customer data at rest is natively encrypted by vSAN. vSAN uses the AWS Key Management Service to generate the Customer Master Key (CMK). While the CMK is acquired from AWS, two additional keys are generated by vSAN: an intermediate key, referred to as the Key Encryption Key (KEK), and the Disk Encryption Key (DEK).

The Customer Master Key (CMK) wraps the Key Encryption Key (KEK), and the KEK in turn wraps the Disk Encryption Key (DEK). The CMK never leaves AWS control; encryption and decryption of the Key Encryption Key (KEK) is offered via a standard AWS API call.

One Customer Master Key (CMK) and Key Encryption Key (KEK) is required per cluster and one Disk Encryption Key (DEK) for every disk in the cluster.

Can I turn on or turn off vSAN Encryption selectively?

vSAN Data-at-Rest Encryption is on by default for all SDDCs and cannot be deactivated.

How does data-at-rest encryption work in VMware Cloud on AWS?

All customer data at rest is natively encrypted by vSAN. vSAN uses the AWS Key Management Service to generate the Customer Master Key (CMK). While the CMK is acquired from AWS, two additional keys are generated by vSAN: an intermediate key, referred to as the Key Encryption Key (KEK), and the Disk Encryption Key (DEK). The Customer Master Key (CMK) wraps the Key Encryption Key (KEK), and the Key Encryption Key (KEK) in turn wraps the Disk Encryption Key (DEK). The CMK never leaves AWS control. Encryption and decryption of the Key Encryption Key (KEK) is offered via a standard AWS API call. One Customer Master Key (CMK) and one Key Encryption Key (KEK) are required per cluster, and one Disk Encryption Key (DEK) is required for every disk in the cluster.

Is there any performance impact because of encryption?

There is always overhead from use of encryption, but the effect on workloads tends to be minimal for environments adequately sized for CPU and I/O. vSAN encryption uses an efficient AES-XTS-256 cipher and leverages CPU-based AES-NI cryptographic instructions for performance.

What provisions are available to rotate the keys used for data at rest encryption in VMware Cloud on AWS?

Customers have the option to change the KEK (Key Encryption Key) either through vSAN API or through the vSphere UI. This process is called shallow rekey. Note, shallow rekey doesn’t change the Disk Encryption Key (DEK) or the Customer Master Key (CMK). Changing the Disk Encryption Key (DEK) and Customer Master Key (CMK) is not supported. In rare situations, if there is a need to change the DEK or CMK, users have the option to set up a new cluster with new CMK and storage vMotion the data from the existing cluster.
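The key hierarchy described in the two data-at-rest answers above and the shallow rekey described here fit together as an envelope-encryption scheme. The following is an added model written for this page, not vSAN or AWS KMS code: `FakeKms` is a hypothetical stand-in for the KMS service (the CMK stays inside it and only wrap/unwrap calls are exposed), and an HMAC-SHA256 counter keystream stands in for AES so the block needs only the standard library. The point it demonstrates is that a shallow rekey changes the KEK and re-wraps every DEK, while the DEKs themselves, and therefore the data on disk, are untouched.

```python
"""CMK -> KEK -> DEK envelope hierarchy with shallow rekey (illustrative model
for this page; not vSAN or AWS KMS code).  AES is replaced by an HMAC-based
keystream so the example runs with the standard library only."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """PRF-counter stream cipher used as an AES stand-in for this illustration."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def wrap(wrapping_key: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC wrap of a key under wrapping_key: nonce || ct || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(wrapping_key, nonce, secret)
    tag = hmac.new(wrapping_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(wrapping_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a tampered blob raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(wrapping_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return _keystream_xor(wrapping_key, nonce, ct)


class FakeKms:
    """Hypothetical stand-in for AWS KMS: the CMK never leaves this object;
    callers only get encrypt/decrypt (wrap/unwrap) operations."""

    def __init__(self):
        self._cmk = os.urandom(32)

    def encrypt(self, plaintext: bytes) -> bytes:
        return wrap(self._cmk, plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        return unwrap(self._cmk, blob)


class ClusterKeyHierarchy:
    """One KEK per cluster, wrapped by the CMK; one DEK per disk, wrapped by the KEK."""

    def __init__(self, kms: FakeKms, disk_count: int):
        self.kms = kms
        kek = os.urandom(32)
        self.wrapped_kek = kms.encrypt(kek)
        self.wrapped_deks = [wrap(kek, os.urandom(32)) for _ in range(disk_count)]

    def disk_keys(self) -> list:
        """Unwrap chain at host start: KMS unwraps the KEK, the KEK unwraps each DEK."""
        kek = self.kms.decrypt(self.wrapped_kek)
        return [unwrap(kek, w) for w in self.wrapped_deks]

    def shallow_rekey(self) -> None:
        """Replace only the KEK: DEKs are re-wrapped, never regenerated, so no data is rewritten."""
        deks = self.disk_keys()
        new_kek = os.urandom(32)
        self.wrapped_kek = self.kms.encrypt(new_kek)
        self.wrapped_deks = [wrap(new_kek, d) for d in deks]


def encrypt_sector(dek: bytes, lba: int, data: bytes) -> bytes:
    """Sector encryption keyed by the DEK; the LBA plays the role of the tweak."""
    return _keystream_xor(dek, lba.to_bytes(16, "big"), data)


def rekey_demo() -> dict:
    """Show what a shallow rekey does and does not change (constructed data)."""
    kms = FakeKms()
    cluster = ClusterKeyHierarchy(kms, disk_count=3)
    deks_before = cluster.disk_keys()
    old_wrapped_kek = cluster.wrapped_kek
    sector = encrypt_sector(deks_before[0], 42, b"customer data at rest")
    cluster.shallow_rekey()
    deks_after = cluster.disk_keys()
    tampered = bytearray(cluster.wrapped_kek)
    tampered[NONCE_LEN + 3] ^= 0x01          # flip one ciphertext bit
    try:
        kms.decrypt(bytes(tampered))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {
        "deks_unchanged": deks_after == deks_before,
        "kek_changed": cluster.wrapped_kek != old_wrapped_kek,
        "data_still_readable": encrypt_sector(deks_after[0], 42, sector) == b"customer data at rest",
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    print(rekey_demo())
```

Because the DEKs never change, a shallow rekey is cheap and does not touch stored data, which is exactly why the FAQ notes that replacing the DEK or CMK instead requires a new cluster and a storage vMotion of the data.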

Are there any other options for customers to bring their own keys for data at rest encryption?

The Customer Master Key (CMK) is only sourced from the AWS Key Management Service.

Why does vSAN require “slack space?”

Like any storage system, vSAN uses unused, or “slack,” space to maintain the health of the system. This space is used for rebalancing capacity, deduplication, and for recovering from hardware failures.

How are slack space requirements enforced if I turn on EDRS?

EDRS is aware of vSAN and VMware ESXi capacity requirements and will automatically add or remove hosts to be certain that your SDDC remains healthy. EDRS is the best way to ensure that your SDDC is always sized correctly.

Are data compression and deduplication capabilities available on I3en.metal instances?

Compression is available on I3en bare metal instances. Deduplication will not be supported in I3en instances.

What are the policy settings which will be set by Automatic adjustment of vSAN policy for improved data availability?

For Standard Cluster:

  • 5 hosts or fewer: Failures to tolerate 1, RAID-1
  • 6 hosts or more: Failures to tolerate 2, RAID-6

For Stretched Cluster:

  • Dual Site Mirroring, Failures to tolerate 1, RAID-1

What is TRIM/UNMAP?

TRIM/UNMAP is a vSAN feature that allows the guest OS to issue TRIM/UNMAP commands so that vSAN can remove unused blocks inside virtual machines. This benefits thin-provisioned VMDKs as unused blocks can be reclaimed automatically and delivers much better storage capacity utilization.

How does the TRIM/UNMAP feature work?

The guest OS issues the TRIM/UNMAP commands, and reclamation continues to run in the background until all the unused blocks have been reclaimed.

What benefit do I get from enabling the TRIM/UNMAP feature?

The primary benefit is freeing up storage space, but the process also has secondary benefits:

  • Faster repair - Blocks that have been reclaimed do not need to be rebalanced, or re-mirrored in the event of a device failure.
  • Removal of dirty cache pages - Read Cache can be freed up in the DRAM client Cache

How is the TRIM/UNMAP feature enabled for my SDDC?

As this feature is being released as a preview, we will enable the feature on a per cluster basis, based on your preference. Please contact your account team to have this feature enabled for your cluster.

What is the performance impact of TRIM/UNMAP feature?

This process does carry some performance impact. It is recommended that TRIM/UNMAP processes be triggered periodically inside the guest OS, versus running continuously.

TRIM/UNMAP operations will be throttled in the SDDC if they consume more than a predefined amount of storage bandwidth capacity.

What is Cloud Native Storage?

Cloud Native Storage (CNS) is a VMware Cloud on AWS and Kubernetes (K8s) feature that makes K8s aware of how to provision storage on VMware Cloud on-demand in a fully automated, scalable fashion as well as providing visibility for the administrator into container volumes through the CNS UI within VMware vCenter Server. Cloud Native Storage on VMware Cloud is supported with TKG and TKG Plus.

How does Cloud Native Storage work?

Cloud Native Storage (CNS) comprises two parts: a Container Storage Interface (CSI) plugin for K8s and the CNS Control Plane within VMware vCenter Server. There is nothing to install or configure within the service to get this integration working. Simply deploy Kubernetes with the vSphere CSI.

Are data compression and deduplication capabilities available on I4i.metal instances?

Compression is available on I4i bare metal instances. Deduplication is not supported in I4i instances.

How much vSAN storage comes with VMware Cloud on AWS with different host types?

With the I3.metal host instance, each VMware ESXi host comes with NVMe SSD storage. A 3-host VMware ESXi cluster running vSAN provides approximately 15 TiB of usable storage and a 4-host cluster provides approximately 21 TiB of usable storage, with all virtual machines protected against a single host failure (FTT=1). With the I3en.metal host instance, each VMware ESXi host also comes with NVMe SSD storage; a 3-host VMware ESXi cluster running vSAN provides approximately 60 TiB of usable storage. The newly launched I4i.metal instance provides approximately 30 TiB of raw local NVMe flash storage across a 3-node cluster (2x compared to I3.metal). Please note that exact usable storage will vary depending on the effective storage policy, cluster size, and site tolerance. All virtual machines are protected against a single host failure (FTT=1). In addition, you can use external NFS datastores with your VMware Cloud on AWS deployment on all host types to extend your storage capacity for more storage-intensive workloads without provisioning additional hosts.

How much external storage can I have on an SDDC?

When you are using an external NFS datastore, you can configure the volume size up to the configuration limit of the NFS server. Please consult the VMware Cloud Flex Storage FAQs and the Amazon FSx for NetApp ONTAP FAQs for more details.

Can I still use vSAN storage in an SDDC that has external NFS datastores?

Yes. The VMware Cloud on AWS vSAN local storage is still available when external storage is attached.

What are the use cases that are suitable for external storage access from a VMware Cloud on AWS based guest operating system?

In addition to mounting an external NFS datastore to a vSphere cluster in your SDDC, you can also directly add external storage to a virtual machine running on VMware Cloud on AWS. Storage provided from an EC2-based virtual storage array to a VMware Cloud on AWS guest OS is ideal for a variety of use cases, including test and development, elasticity for big data workloads, and user/home directories. Both block and file protocols are supported.

What external virtual storage arrays are supported on VMware Cloud on AWS?

VMware Cloud on AWS now supports external NFS datastores, either the VMware-managed VMware Cloud Flex Storage or the AWS-managed Amazon FSx for NetApp ONTAP, to extend storage capacity without adding hosts. VMware Cloud on AWS can also support a variety of AWS EC2-based virtual storage arrays and general-purpose operating systems that export storage volumes or LUNs. Our storage partners independently test and provide documentation for their respective solutions.

Which Managed Service Providers (MSPs) offer external storage with VMware Cloud on AWS?

Faction and Rackspace are currently supported Managed Service Providers (MSPs) that offer external storage for VMware Cloud on AWS.

Are there any functional differences or caveats I should be aware of when using external storage through the Managed Service Provider (MSP)?

Please check the VMware Cloud on AWS release notes for a list of caveats and limitations related to the usage of external storage through the Managed Service Provider (MSP). Also, please check with the Managed Service Provider (MSP) for additional details.

Can I storage vMotion workloads between NFS Datastore and the VMware Cloud vSAN datastore?

Yes. Storage vMotion is supported.

How many external datastores can I attach to a single cluster in my SDDC?

Each cluster can have up to four datastores attached. The size of the datastore depends on the storage target.

What is the minimum software version of VMware Cloud on AWS SDDC to support the external NFS datastore feature?

Your SDDC must be version 1.20 or above to use the external NFS datastore feature.

Where can I find more information about the external NFS datastore support?

For further technical information about VMware Cloud on AWS integration with Amazon FSx for NetApp ONTAP please visit the page: https://vmc.techzone.vmware.com/fsx-ontap and check FAQ: https://vmc.techzone.vmware.com/fsx-ontap-faq.

Storage – Cloud Flex Storage

What is VMware Cloud Flex Storage?

Our vision for VMware Cloud Flex Storage is to deliver enterprise-class storage and data management as a service for the multi-cloud. We plan to support a broad range of workloads by enabling multi-dimensional scaling of compute, storage performance, and storage capacity, while delivering a seamless and consistent data management experience across clouds.

VMware Cloud Flex Storage is built on a mature, enterprise-class filesystem that has been developed and production-hardened over many years, dating back to Datrium's DHCI storage product, which VMware acquired in July 2020. It is the same filesystem that has been backing the VMware Cloud Disaster Recovery service. The filesystem has a two-tier design that allows for independent scaling of storage performance and capacity, using a Log-Structured Filesystem (LFS) design. The combination of LFS with a two-tier design, along with efficient snapshots and immutability, makes this a multi-purpose filesystem that unlocks many use cases, such as backup, disaster recovery, ransomware protection, and recovery. With VMware Cloud Flex Storage, we are extending this proven technology to primary storage and making it available in the public cloud, where it delivers exceptional storage performance, scalability, and cost efficiency for traditional and modern workloads.

In the initial release, we are delivering a new approach to help VMware Cloud on AWS customers better align their cloud resources with the needs of their applications and data. Customers will be able to purchase a disaggregated cloud storage and data management service that is fully managed by VMware. It is scalable, elastic, and natively integrated into VMware Cloud on AWS. With just a few clicks in the VMware Cloud Console, customers can scale their storage environment without adding hosts, and elastically adjust their storage capacity up or down as needed for every application. Customers also benefit from a simple pay-as-you-go consumption model. We are offering VMware Cloud Flex Storage as supplemental storage to vSAN. Together with vSAN, VMware Cloud Flex Storage offers more flexibility and customer value in terms of resilience, performance, scale, and cost in the cloud.

What is the underlying technology for VMware Cloud Flex Storage?

VMware Cloud Flex Storage is built on a mature, enterprise-class filesystem that has been developed and production-hardened over many years, dating back to Datrium's DHCI storage product, which VMware acquired in July 2020. It is the same filesystem that has been backing the VMware Cloud Disaster Recovery service. The filesystem has a two-tier design that allows for independent scaling of storage performance and capacity, using a Log-Structured Filesystem (LFS) design. You can read more about the filesystem architecture in the blog by Sazzala Reddy (Chief Technologist and a founder of Datrium). The combination of LFS with a two-tier design, along with efficient snapshots and immutability, makes this a multi-purpose filesystem that unlocks many use cases, such as backup, disaster recovery, ransomware protection, and recovery. With VMware Cloud Flex Storage, we are extending this proven technology to primary storage and making it available in the public cloud, where it delivers exceptional storage performance, scalability, and cost efficiency for traditional and modern workloads.

Is VMware Cloud Flex Storage managed by VMware?

Yes, the service is fully managed by VMware.

In which AWS regions is VMware Cloud Flex Storage available?

At launch, VMware Cloud Flex Storage will be available in AMER, EMEA and LATAM. APAC support is expected in a subsequent release. VMware Cloud Flex Storage will be available in all AWS regions that support VMware Cloud and VMware Cloud DR.

What are the key use cases of VMware Cloud Flex Storage?

Here are the key use cases of VMware Cloud Flex Storage:

  • Seamless and cost-effective cloud migration: For customers who are looking to use VMware Cloud on AWS for a seamless and cost-effective cloud migration, VMware Cloud Flex Storage delivers true enterprise-class storage. It reduces complexity and time-to-value by supporting the lift and shift of virtual machines without a need to rework the data layer or re-architect the storage design. Customers can also simplify their operations with a storage solution that is natively built into the VMware Cloud on AWS service and readily available without manual configurations.
  • Elastic data center extension: Customers who are looking to use VMware Cloud on AWS for data center extension can use VMware Cloud Flex Storage for easy access to additional storage capacity with dynamic scaling of resources. Common scenarios include high-performance burst capacity, on-demand scaling for data analytics, or cost-effective long-term storage of data repositories in the cloud. This gives customers the choice of keeping their data where it best serves their consumption needs, across their data centers and the public cloud. As a result, customers benefit from a VMware-consistent, enterprise-grade hybrid cloud environment with single-pane-of-glass management through the VMware vCenter Server console.
  • Scaling of storage-intensive workloads: For customers who are running certain workloads on VMware Cloud on AWS using local instance storage with VMware vSAN, but have other workloads that are storage bound, VMware Cloud Flex Storage offers a disaggregated storage service that allows them to independently, seamlessly, and optimally scale their performance and storage capacity to fit every workload individually. VMware Cloud Flex Storage is an ideal solution for scaling large volumes of data in an agile, flexible, and cost-effective way.

How can I learn more about VMware Cloud Flex Storage?

For more information on this service, please visit the VMware Cloud Flex Storage page at https://www.vmware.com/products/cloud-flex-storage.html, or contact your sales representative or partner to learn how VMware Cloud Flex Storage can help your business.

Networking

How do I connect to the VMware vCenter Server in my SDDC on VMware Cloud on AWS?

By default, there is no external access to the VMware vCenter Server system in your SDDC on VMware Cloud on AWS. Open access to your VMware vCenter Server system by configuring a firewall rule on the Management Gateway Firewall to allow access to the VMware vCenter Server system.

Is there connectivity from the AWS VPC to VMware vCenter Server and ESX host?

Yes, you can configure connectivity from an EC2 instance deployed in the Connected AWS VPC to VMware vCenter Server.

What are the management and compute gateways?

When you deploy an SDDC in VMware Cloud on AWS, it is configured with two networks: a management network and a compute network. The management network handles network traffic for the SDDC hosts, VMware vCenter Server, VMware NSX Manager, and other management functions. The compute network handles network traffic for your workload VMs. The gateways allow users to access these networks from the Internet, on-premises, and the connected AWS VPC. The VMware NSX edge acts as the gateway.

How many traffic types exist in VMware Cloud on AWS SDDC?

There are three traffic groups in VMware Cloud on AWS:

  • VMkernel Traffic (ESX Management, vMotion)
  • Management Appliance Traffic (VMware vCenter Server, SRM, vSphere Replication Appliance, VMware NSX Manager)
  • Workload VM Traffic

How does connectivity between the overlay network and the VMware NSX management appliances work with VMware NSX?

By default, the Compute Gateway and Management Gateways are connected through a logical segment. You can control communication through the firewall policy on the Management Gateway.

What is the change in default logical network?

When you deploy an SDDC with 3 or more hosts, a default logical network is not created. It is the responsibility of the user to create a network with an appropriate CIDR before deploying virtual machines.

What is the reason for not creating default logical network for 3+ nodes SDDC?

There were many incidents where default logical network CIDR (192.168.1.0/24) overlapped with on-premises networks and caused connectivity issues. These issues are very difficult to troubleshoot.

Will default logical network be created for one node SDDC?

Yes. A default logical network is created in a one-node SDDC. Customers must make sure that there is no overlap with the CIDR 192.168.1.0/24.

What is IPFIX and is it available with VMware Cloud on AWS?

IPFIX is a standard that allows virtual or physical switches to export flow information going through the switch to collector tools. Customers may decide to monitor all flows on a particular logical switch or set of logical switches. IPFIX is available with VMware Cloud on AWS.

Where can I find additional information about IPFIX?

You can find more information about IPFIX in VMware Cloud on AWS product documentation.

What is Port Mirroring?

Port Mirroring is a networking feature on virtual or physical switches that allows users to capture all packets from a port and send them to a destination device. In VMware Cloud on AWS, port mirroring is configurable on virtual switches only.

What type of port mirroring is supported in VMware Cloud on AWS?

VMware Cloud on AWS supports Encapsulated Remote SPAN.

Can only one vNIC of a virtual machine be selected as part of the port mirror session?

Yes, a single vNIC can be configured in a port mirroring source group.

What are DNS Zones?

DNS Zones allow users to specify different DNS servers for different domains (FQDNs).

How many DNS Zones are supported?

Five zones are supported.

How would I forward requests to DNS servers deployed in VMware Cloud on AWS as well as on-premises DNS servers?

You can configure up to 5 DNS zones. One of them should carry the on-premises domain (FQDN) and point to the on-premises DNS server, and another should carry the AWS domain (FQDN) and point to the DNS server in AWS.
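The zone-based forwarding described above is a conditional forwarder: a query is sent to the servers of the most specific zone whose domain is a suffix of the query name, and to the default forwarder otherwise. The following added example, written for this page and not the NSX implementation, shows the selection logic, including the two details that commonly go wrong in such code: matching only on whole label boundaries (so `example.com` does not match `notexample.com`) and preferring the longest zone. All domain names and server addresses are constructed.

```python
"""Conditional DNS forwarder selection modelled on the FAQ's DNS Zones feature
(illustrative code for this page, not VMware's implementation)."""
MAX_ZONES = 5   # limit stated in the FAQ


def _labels(name: str) -> list:
    """Normalise an FQDN to lower-case labels with no trailing dot or empty labels."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


class DnsZoneForwarder:
    def __init__(self, default_servers: list):
        self.default_servers = list(default_servers)
        self.zones = {}   # normalised zone domain -> list of forwarder servers

    def add_zone(self, domain: str, servers: list) -> None:
        key = ".".join(_labels(domain))
        if not key:
            raise ValueError("zone domain must not be empty")
        if key not in self.zones and len(self.zones) >= MAX_ZONES:
            raise ValueError(f"at most {MAX_ZONES} DNS zones are supported")
        self.zones[key] = list(servers)

    def forwarders_for(self, qname: str) -> tuple:
        """Return (matched_zone or None, servers) using the longest label-boundary suffix match."""
        q = _labels(qname)
        best = None
        for zone in self.zones:
            z = _labels(zone)
            # Compare whole labels only: 'corp.example.com' must not match 'notcorp.example.com'.
            if len(z) <= len(q) and q[len(q) - len(z):] == z:
                if best is None or len(z) > len(_labels(best)):
                    best = zone
        if best is None:
            return None, self.default_servers
        return best, self.zones[best]


def can_add_zone(forwarder: DnsZoneForwarder, domain: str, servers: list) -> bool:
    """True if the zone was accepted, False if the zone limit rejected it."""
    try:
        forwarder.add_zone(domain, servers)
        return True
    except ValueError:
        return False


def sample_forwarder() -> DnsZoneForwarder:
    """Constructed setup: one on-premises zone, one AWS zone, a public default forwarder."""
    fwd = DnsZoneForwarder(["192.0.2.53"])            # TEST-NET address as the default
    fwd.add_zone("corp.example.com", ["10.1.0.53"])    # on-premises DNS server
    fwd.add_zone("aws.example.com", ["172.16.0.53"])   # DNS server in the AWS VPC
    return fwd


if __name__ == "__main__":
    fwd = sample_forwarder()
    for name in ("db01.corp.example.com", "app.aws.example.com", "notcorp.example.com"):
        print(name, "->", fwd.forwarders_for(name))
```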

Does VMware Cloud on AWS provide DHCP Relay functionality?

Yes, VMware Cloud on AWS provides both native DHCP capabilities and DHCP Relay.

How can I configure DHCP Relay?

This can be configured under Networking & Security tab under System→DHCP.

Can I use both DHCP Server for some Logical segments and DHCP Relay for other Logical segments?

No, either native DHCP capabilities can be used or DHCP Relay. Users will not be able to use DHCP Relay if there are any network segments using native DHCP capabilities; the respective network segments will have to be deleted first.

Are all VMware NSX APIs in VMware Cloud on AWS available under Developer Center?

Yes, you can find all available VMware NSX APIs for VMware Cloud on AWS in API Explorer.

What is the difference between "VMware NSX VMware Cloud Policy" API and "VMware NSX VMware Cloud AWS Integration" API?

VMware NSX VMware Cloud Policy API includes all the VMware NSX Networking and Security APIs for the VMware NSX capabilities within the SDDC. VMware NSX VMware Cloud AWS Integration API includes APIs that are specific to AWS like Direct Connect.

What is the benefit of using API Explorer for VMware NSX APIs?

VMware NSX APIs can easily be found and used within the VMware Cloud on AWS SDDC's API Explorer. Furthermore, customers can search on keywords. Customers can easily look up and test VMware NSX APIs directly from API Explorer before including them in larger scripts or applications.

How can I use API Explorer with VMware NSX APIs?

Go to API Explorer, which can be found under the Developer Center. From API Explorer, select your Organization and SDDC, and you will see both "VMware NSX VMware Cloud Policy" API and "VMware NSX VMware Cloud AWS Integration" API. Click on the one you would like to use. You will see a list of relevant VMware NSX APIs. You can put in the requested information and click the Execute button to execute the API.

How can I request approval for penetration testing applications and systems in my SDDC?

VMware has a comprehensive vulnerability management program that includes third-party vulnerability scanning and penetration testing. VMware conducts regular security assessments to maintain VMware Cloud on AWS compliance programs and continuously improve cloud platform security controls and processes. While the requirements to conduct penetration testing vary by industry compliance regulations, customer environments benefit greatly from penetration testing to measure the security effectiveness of their virtual infrastructure (SDDCs) and applications. To notify VMware that you plan to conduct penetration testing, please use the Request Form to provide us relevant information about your test plans. VMware will respond with an approval by email. Penetration testing must be conducted in accordance with our Penetration Testing Rules of Engagement.

How can I utilize Jumbo Frames on Direct Connect Network?

VMware Cloud on AWS supports Jumbo Frames for networking traffic on Direct Connect. To fully benefit from Jumbo Frames and avoid fragmentation, you must ensure that the Direct Connect interface MTU is set equal to the end-to-end path MTU from your SDDC to your data center over Direct Connect. On the AWS account, the Direct Connect private VIF must be created with this MTU size. On the SDDC, the Intranet uplink MTU must be set to 8900.

Can I use Jumbo Frames over VPN?

No, only traffic over Direct Connect, VMware Transit Connect, or across the Connected VPC can leverage Jumbo Frames.

What is the maximum value for the Jumbo frame with VMware Cloud on AWS SDDC?

See the VMware Cloud on AWS configuration maximums page for details.

VMware SD-WAN Integration

What is the integration between VMware Cloud on AWS and VMware SD-WAN about?

The integrated solution is about providing Policy-Based IPsec VPN connectivity between SD-WAN enabled branches and application workloads that reside in VMware Cloud on AWS. The solution leverages the VMware SD-WAN Gateways, as an on-ramp mechanism to VMware SDDC deployed on AWS. The SD-WAN Gateway is the peer end of the tunnel that is set up on the VMware SDDC T0 Gateway. The SD-WAN solution has a feature called “Non-VeloCloud-Site,” which allows SD-WAN Gateways to set up IPsec tunnels to non-SD-WAN locations.

What is VMware SD-WAN by VeloCloud?

VMware SD-WAN by VeloCloud is a global service that delivers high-performance, reliable branch access to cloud services, private data centers, and SaaS-based enterprise applications. SD-WAN increases bandwidth economically by aggregating WAN circuits of any type, providing faster response even for single application flows. Data plane function and orchestration are delivered in the cloud to provide direct and optimized access to cloud as well as on-premises resources. You can deploy a branch in minutes with VMware SD-WAN Edge activation from the cloud. Automatic WAN circuit discovery and monitoring eliminate link-by-link and branch-by-branch configuration.

Why does VMware SD-WAN solution matter to me?

VMware provides hybrid and multi-cloud capacity while VMware SD-WAN provides the fabric between clouds. As customers leverage more of VMware Cloud on AWS, SD-WAN will offer optimal connectivity to VMware Cloud on AWS.

Does VMware SD-WAN support data center migration?

VMware SD-WAN focuses on WAN connection between branches and VMware Cloud on AWS for workload or application access. See the section on Workload Migration.

Does VMware SD-WAN currently work with VMware Cloud on AWS GovCloud (US)?

VMware SD-WAN currently does not support VMware Cloud on AWS GovCloud (US).

What do I need to get started with VMware SD-WAN?

To get started with VMware SD-WAN, customers will need to have an SD-WAN subscription with the Premium license (which provides access to SD-WAN Gateways, and Non-VeloCloud-Site capabilities) or Enterprise License (which needs Non-VeloCloud-Site capability via Gateway add-on option). Customers should also have access to the VMware SD-WAN Orchestrator to have the capability to create a Non-VeloCloud Site Network Service. Customers will also need to have at least a single-host VMware Cloud on AWS environment with access to manage Networking and Security.

How do I set up VMware SD-WAN?

If you have access to both the VMware SD-WAN Orchestrator and your VMware Cloud Console, please follow the deployment guide on the VMware SD-WAN Documentation site.

Are there any special considerations when setting up VMware SD-WAN?

Yes, you must call into VMware GSS and mention this KB article. This KB article discusses that the SD-WAN Gateway private IP must be obtained for the configuration of the VMware Cloud on AWS side, and this information can only be gained from Support. Additionally, while this integration with VMware SD-WAN will provide the capability for branches to communicate with VMware Cloud on AWS workloads, this integration is not recommended to be used for migration of workloads from the data center to cloud using IPsec VPN.

Are there any limitations of VMware SD-WAN?

At this time, there is only a singular non-redundant tunnel that is instantiated. This limitation will be addressed in future releases of VMware Cloud on AWS and SD-WAN integration.

Where can I go to get support for VMware SD-WAN?

When encountering issues with the integration of VMware SD-WAN with VMware Cloud on AWS, please contact VMware Global Support Services (GSS), and they will work with you to reach a resolution and engage the appropriate resources.

Networking - Advanced

What is Multi Compute Gateways (Multi CGW)?

Multi-CGW enables customers to create additional CGWs (T1s) and manage the lifecycle for those CGWs.

Which use cases are enabled by the Multi-CGW?

Multi-CGW will enable the following use cases:

  • Multi-tenancy within an SDDC
  • Overlapping IPv4 address space across CGWs
  • Support for static routes on customer-managed CGWs
  • Deployment of isolated test segments for Disaster Recovery (DR) testing or "sandbox" environments

What are the different types of Multi-CGWs (MCGW) supported?

Three types of MCGWs are supported:

  • Routed – Segments behind a routed CGW are part of the SDDC's routing table.
  • NATted – Segments behind a NATted CGW are reachable only via NAT configuration and are not part of the SDDC's routing table.
  • Isolated – Segments behind an Isolated CGW are not available to the rest of the SDDC.

Can the Multi-CGW type be changed after creation?

Yes, Multi-CGW configuration can be changed to meet customer network requirements.

Does each Multi-CGW have a gateway firewall?

Yes. Each Multi-CGW has its own gateway firewall.

Which NAT options does the Multi-CGW feature support?

Multi-CGW supports multiple NAT options:

  • Source NAT (SNAT) – Changes Source IP
  • Destination NAT (DNAT) – Changes Destination IP
  • Reflexive NAT – Stateless NAT
  • No SNAT
  • No DNAT

Can VPNs be terminated directly on the Multi-CGWs?

Yes. IPsec policy and route-based VPNs as well as L2 VPN are supported on the Multi-CGWs.

Is Route Aggregation necessary for Multi-CGW feature?

For any Multi-CGW connected segment to communicate with Direct Connect, VMware Transit Connect, or the VMware ESXi management network, Route Aggregation must be configured. Route aggregation is not required for Internet via the SDDC’s Internet Gateway.

Which route types are supported on the Multi-CGWs?

Static routes can be configured on the Multi-CGWs. Non-default static routes can be configured on any type of Multi-CGW (Routed, NATted, or Isolated). The default route (0.0.0.0/0) can only be configured on Isolated Multi-CGWs.

How do I configure default drop firewall rule in the Multi-CGW gateway firewall?

In SDDC version 1.18, you cannot change the default firewall from Allow to Drop or Reject. You can add a rule to drop all traffic before the default rule of Allow.
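The workaround above relies on first-match rule ordering: a drop-all rule placed ahead of the fixed default Allow gives default-deny behaviour, and any rule placed after that catch-all is dead. The following added example, written for this page and not the NSX gateway firewall implementation, is a small first-match evaluator that shows the effect of the catch-all and flags rules shadowed by it. The rule names, prefixes and ports are constructed.

```python
"""First-match gateway firewall evaluation with a fixed default Allow
(illustrative model for this page, not the NSX implementation)."""
import ipaddress

ANY = "any"


def _cidr_match(address: str, rule_cidr: str) -> bool:
    return rule_cidr == ANY or ipaddress.ip_address(address) in ipaddress.ip_network(rule_cidr)


def _port_match(port: int, rule_port) -> bool:
    return rule_port == ANY or port == rule_port


def evaluate(rules: list, src: str, dst: str, dport: int, default_action: str = "ALLOW") -> str:
    """Rules are (name, src_cidr, dst_cidr, dst_port, action), evaluated top-down.

    The first matching rule wins; if nothing matches, the gateway's default
    rule applies, which the FAQ says is Allow and cannot be changed in 1.18.
    Returns "ACTION:rule-name" so callers can see which rule decided.
    """
    for name, rsrc, rdst, rport, action in rules:
        if _cidr_match(src, rsrc) and _cidr_match(dst, rdst) and _port_match(dport, rport):
            return f"{action}:{name}"
    return f"{default_action}:default"


def shadowed_rules(rules: list) -> list:
    """Names of rules that can never match because a catch-all precedes them."""
    for idx, (name, rsrc, rdst, rport, _action) in enumerate(rules):
        if rsrc == ANY and rdst == ANY and rport == ANY:
            return [r[0] for r in rules[idx + 1:]]
    return []


def rules_without_catch_all() -> list:
    """Constructed policy: one explicit allow, then the implicit default Allow."""
    return [("allow-web", "10.50.0.0/16", "10.60.10.0/24", 443, "ALLOW")]


def rules_with_catch_all() -> list:
    """Same policy with the explicit drop-all the FAQ recommends, placed last."""
    return rules_without_catch_all() + [("deny-all", ANY, ANY, ANY, "DROP")]


def rules_misordered() -> list:
    """Common mistake: the catch-all placed first, shadowing every later rule."""
    return [("deny-all", ANY, ANY, ANY, "DROP")] + rules_without_catch_all()


if __name__ == "__main__":
    flow = ("192.168.77.5", "10.60.10.8", 22)
    print("no catch-all :", evaluate(rules_without_catch_all(), *flow))
    print("with catch-all:", evaluate(rules_with_catch_all(), *flow))
    print("shadowed      :", shadowed_rules(rules_misordered()))
```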

What version of SDDC do I need to use the Multi-CGW feature?

The minimum SDDC version required to use the Multi-CGW feature is 1.18.

Are additional licenses required to use the Multi-CGW feature?

No additional licenses are required to use the Multi-CGW feature.

How many CGWs are supported with the Multi-CGW feature?

Please refer to ConfigMax for current scale information.

What is the Route Aggregation feature and why do we need it?

Route Aggregation summarizes individual CIDRs into a smaller number of advertisements. This is useful to address scale issues caused by the default underlay constraints in the cloud. Route Aggregation can also help improve convergence as fewer API calls are needed to program tables during network changes.

Route Aggregation is also required for Multi-CGW: a segment connected to a Multi-CGW needs it to communicate with Direct Connect, VMware Transit Connect, the Connected VPC or the VMware ESXi management network.

Is the AWS Managed Prefix List Mode required for the Route Aggregation feature?

Route Aggregation for Connected VPC can’t be used without enabling AWS Managed Prefix List Mode.

What does enabling AWS Managed Prefix List Mode do?

When AWS Managed Prefix List Mode is enabled, a VMware managed prefix list is created and maintained by the SDDC and shared to the Connected VPC’s AWS account. This simplifies customer routing configuration and improves network convergence. Additionally, it enables the ability for customers to use the prefix list to support multiple route tables and prefix list based AWS Security Groups in the Connected VPC.

Is an aggregate route suppressed when there are no member routes?

No. The aggregate route is advertised even if there are no member routes.

Will the prefix for a segment be advertised if there is no aggregate route that covers that segment?

For any segment behind a Multi-CGW, there must be an aggregate route that covers that segment; otherwise, that segment will not be reachable. For any segment behind the default CGW, if there is no aggregate route that covers that segment, that individual prefix will be advertised.

Is the management CIDR suppressed if an aggregate route covers the management CIDR?

If an aggregate route includes the management CIDR, the management CIDR will still be advertised as a discrete CIDR.

What happens if an inaccurate CIDR is configured?

When an incorrect CIDR is configured due to a typo or incorrect subnetting, the system normalizes the inaccurate CIDR before applying the aggregate prefix. Check that the applied configuration matches your expectation.

What are the additional considerations when using the Route Aggregation feature?

Here are a few additional things to remember when using the Route Aggregation feature:

  • Incorrect aggregation can impact reachability to networks on-premises or in other SDDCs
  • NAT CIDRs need to be included in the aggregation if you want them to be reachable
  • Creation of multiple aggregations is possible for non-contiguous networks
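The advertisement rules stated in the Route Aggregation answers above (aggregates always advertised, management CIDR kept discrete, uncovered default-CGW segments advertised individually, uncovered Multi-CGW segments unreachable, inaccurate CIDRs normalized) can be checked offline before a plan is applied. The following Python is an added example, not VMware code; the CIDRs are constructed, and treating normalization as clearing host bits is an assumption.

```python
"""Model of what an SDDC advertises once Route Aggregation is configured.

Added example (not VMware code): it encodes the rules the FAQ states so that
an aggregation plan can be sanity-checked offline before it is applied.
All CIDRs used in the demo are constructed.
"""
from ipaddress import IPv4Network, ip_network
from typing import Iterable, List, Optional, Tuple


def normalize_cidr(cidr: str) -> IPv4Network:
    """Return the CIDR with its host bits cleared, e.g. 10.1.5.7/16 -> 10.1.0.0/16.

    The FAQ says an inaccurate CIDR is normalized before the aggregate prefix is
    applied; clearing the host bits is our assumption of what that normalization is.
    """
    return ip_network(cidr, strict=False)


def covering_aggregate(prefix: IPv4Network,
                       aggregates: Iterable[IPv4Network]) -> Optional[IPv4Network]:
    """Return the first aggregate that contains prefix, or None if nothing covers it."""
    for agg in aggregates:
        if prefix.subnet_of(agg):
            return agg
    return None


def plan_advertisements(aggregates: Iterable[str],
                        segments: Iterable[Tuple[str, str]],
                        management_cidr: str) -> Tuple[List[IPv4Network], List[IPv4Network]]:
    """Compute (advertised prefixes, unreachable segments) for an aggregation plan.

    segments holds (cidr, gateway) pairs, gateway being "default" for the default
    CGW or "multi" for a Multi-CGW.  Rules, as the FAQ states them:
      * every aggregate is advertised, even when it has no member routes;
      * the management CIDR is always advertised as a discrete CIDR;
      * a default-CGW segment not covered by an aggregate is advertised on its own;
      * a Multi-CGW segment not covered by an aggregate is not reachable at all.
    """
    aggs = [normalize_cidr(a) for a in aggregates]
    mgmt = normalize_cidr(management_cidr)
    advertised = set(aggs) | {mgmt}
    unreachable: List[IPv4Network] = []
    for cidr, gateway in segments:
        seg = normalize_cidr(cidr)
        if covering_aggregate(seg, aggs) is not None:
            continue  # summarized by the aggregate, no discrete advertisement
        if gateway == "default":
            advertised.add(seg)
        elif gateway == "multi":
            unreachable.append(seg)
        else:
            raise ValueError(f"unknown gateway type {gateway!r}")
    return sorted(advertised), sorted(unreachable)


def overlapping_aggregates(aggregates: Iterable[str],
                           remote_prefixes: Iterable[str]) -> List[Tuple[IPv4Network, IPv4Network]]:
    """Flag aggregates that overlap networks living on-premises or in other SDDCs.

    This is the "incorrect aggregation can impact reachability" consideration:
    an aggregate covering a remote network draws that traffic into this SDDC.
    """
    remotes = [normalize_cidr(r) for r in remote_prefixes]
    return [(agg, rem)
            for agg in (normalize_cidr(a) for a in aggregates)
            for rem in remotes if agg.overlaps(rem)]


if __name__ == "__main__":
    adv, gone = plan_advertisements(
        aggregates=["10.10.0.0/16", "10.20.0.0/16"],
        segments=[("10.10.1.0/24", "default"), ("10.10.2.0/24", "multi"),
                  ("10.30.1.0/24", "default"), ("10.40.1.0/24", "multi")],
        management_cidr="10.2.0.0/20")
    print("advertised:", [str(n) for n in adv])
    print("unreachable Multi-CGW segments:", [str(n) for n in gone])
    print("aggregate/on-prem overlaps:",
          overlapping_aggregates(["10.0.0.0/8"], ["10.200.0.0/16", "192.168.0.0/16"]))
```

Note that 10.20.0.0/16 is advertised although no segment sits behind it, and 10.40.1.0/24 is silently unreachable because no aggregate covers a Multi-CGW segment.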

What version of SDDC do I need to use the Route Aggregation feature?

The minimum SDDC version required to use the Route Aggregation feature is 1.18.

Are additional licenses required to use the Route Aggregation feature?

No additional licenses are required to use the Route Aggregation feature.

Networking - Firewall

Will my security policy and services migrate when the VM is migrated to the VMware Cloud on AWS SDDC?

No. You are responsible for moving the security policy and services.

What is Distributed Firewall?

The VMware NSX Distributed Firewall enables micro-segmentation (granular control over East-West traffic) for application workloads running in the VMware Cloud on AWS SDDC.

What is the default Distributed Firewall policy?

The default distributed firewall security policy is allow all. Users can create deny policies as part of the different sections created by default.

How many default sections are created in the DFW?

There are 5 default sections: Ethernet, Emergency, Infrastructure, Environment, and Application.

What is Inventory and why is it used with DFW policies?

Inventory provides the list of VMs deployed in VMware vCenter Server. It allows users to create security policies using VM context instead of IP addresses; such policies are easier to configure and manage.

What is Grouping?

The Grouping construct enables users to create identifiable groups of objects and build security policies from those objects. For example, you can create groups of VMs named "web", "app" and "db" and then use those objects to create firewall policy between the Web and App layers and between the App and DB layers.

What is Tagging?

Tagging allows users to assign tags to virtual machines. These tagged virtual machines can be automatically made part of a group that is used for firewall policies.

What is Firewall Logging?

Firewall Logging enables customers to log packets for specific firewall rules. The captured packet logs help in troubleshooting or security monitoring activities.

Where do the Packet Logs forward?

Packet Logs are forwarded to the Log Intelligence service.

Do I have to purchase the vRealize Log Insight Cloud service to see the packet logs?

Yes. Customers get a free 60-day trial for checking packet logs, after which they have to purchase the service to continue to have access to the packet logs.

Can I enable FW logging for Compute Gateway, Management Gateway, and Distributed Firewall?

Yes. You can enable logging for Compute and Management gateway, and DFW rules.

What information is available on firewall statistics?

Administrators can access firewall statistics directly from the Networking and Security console. Clicking the graph icon on the right-hand side of a rule shows:

  • Hit Count
  • Packet Count
  • Session Count
  • Byte Count
  • Popularity Index
  • Max Popularity Index
  • Max Session Count
  • Total Session Count

Can the default Distributed Firewall policy be changed?

Users can change the default DFW behavior from its default permit model (allowing all the traffic through and denying specific traffic with the security rules) to drop model (only allowing specific traffic through the security rules and dropping everything else).

Can I limit the scope of a Firewall rule?

The Firewall or Distributed Firewall scope can now be made more specific with the "Applied-To" feature. Users can apply a security rule to a specific group instead of across all the workloads.

What is the DFW Exclusion List?

The DFW Exclusion List holds virtual machines that are excluded from Distributed Firewall enforcement. This ensures administrators don't block access to key management platforms by applying a strict security policy. By default, VMware vCenter Server, VMware NSX Manager, and VMware NSX Controllers are on the Exclusion List, and this option adds the ability to add more VMs to it.

How can I use Groups?

Inventory Groups make it easier to create and apply security policies. Users can create Groups using virtual machine name, tag, OS name, logical segment and IP set as membership criteria. This is particularly useful for customers that need to dynamically micro-segment virtual machines based on these criteria. Nesting of Groups is supported: users can create groups inside other groups (also called 'nested groups'), which makes it possible to apply broad security policies to the wider group alongside more granular rules, so that security policies align closely with business and compliance policies. Refer to the VMware Cloud on AWS ConfigMax page for specific scale attributes.

Do I need to modify firewall policy to allow SDDCs that are a member of a SDDC Group to communicate?

Yes, firewall policy must be updated to allow SDDCs that are in a group to communicate. The SDDC Grouping construct enables network connectivity but does not dictate security policy. The SDDC group does automatically create groups that can be used to simplify the definition of security policy.

Networking - Direct Connect

What is AWS Direct Connect?

AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect (Direct Connect), you can establish private connectivity between AWS and your data center, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput and provide a more consistent network experience than Internet-based connections.

What is required while establishing an AWS Direct Connect connection?

You must create an AWS virtual interface (VIF) to begin using your AWS Direct Connect connection. There are two types of virtual interfaces. You can create a Private Virtual Interface to connect to a VPC, or you can create a Public Virtual Interface to connect to AWS public services. The Public Virtual Interface also allows VPN traffic to travel over your Direct Connect.

What are the pre-requisites for connecting to your VMware Cloud on AWS SDDCs with AWS Direct Connect using a private VIF?

You must have an established AWS Direct Connect link from your on-premises data center to an AWS region. Then create a private VIF and assign its ownership to your VMware Cloud on AWS SDDC. Accept the attachment to the private VIF through the VMware Cloud on AWS Console.

What are the pre-requisites for connecting to your VMware Cloud on AWS SDDCs with AWS Direct Connect using a public VIF?

You must have an established AWS Direct Connect link from an on-premises data center to an AWS region. You need to create a public VIF and establish an IPsec VPN tunnel to the SDDC over the public VIF. No configuration is required on the VMware Cloud on AWS Console. You need to ensure that you can route your IPsec VPN gateway traffic over the public VIF.

How are the traffic charges handled when a Private VIF is connected to VMware Cloud on AWS SDDC?

AWS Direct Connect traffic charges will be applied to the VMware Cloud on AWS account. You will see those charges on your VMware Cloud on AWS bill.

Can I attach multiple private VIFs to a VMware Cloud on AWS SDDC?

Yes. You can attach multiple private VIFs to provide redundancy and higher throughput.

How does Direct Connect integrate with the VMware NSX SDDC?

Direct connect integration with VMware NSX allows all traffic from VMware Cloud on AWS to on-premises over the Private VIF.

Does Direct Connect support management and workload traffic?

Yes. With VMware NSX, SDDC management appliance and workload traffic is carried over the Direct Connect Private VIF. Management appliance and workload network routes are published to on-premises over the existing BGP sessions. As long as the BGP configuration on the on-premises router accepts these new routes, you will have connectivity for these traffic types.

What routes are advertised from the SDDC over Direct Connect Private VIF?

The management appliance CIDR, the ESXi CIDR and the logical segment CIDRs. Refer to the VMware Cloud on AWS ConfigMax page for specific scale attributes.

Do you support Private or Public ASN with Direct Connect Private VIF?

By default, public ASN is used. However, if you need to utilize private ASN, you can work with the support team for that configuration.

What is BGP ASN (Autonomous System Number) and do I need one to use AWS Direct Connect?

Autonomous System numbers are used to identify networks that present a clearly defined external routing policy to the Internet. AWS Direct Connect requires an ASN to create a public or private virtual interface.

Which ASN can be used for Private VIF connection to VMware Cloud on AWS SDDC?

You can pick any private ASN in the 64512 to 65535 range.

Is the ASN common to all Private VIF attached to VMware Cloud on AWS SDDC?

Yes, the ASN is common to all the Private VIFs attached to the SDDC.

Can I change the ASN after the Private VIFs are attached to SDDC?

You have to delete all connected Private VIFs before you can change the ASN.

What BGP Local ASN Configuration do I need with AWS Direct Connect Private VIF?

Direct Connect connection to SDDC now uses BGP Local ASN as 64512. This BGP local ASN is editable and any private ASN from the range 64512 – 65534 can be used.

Can I use Public ASN with a new Direct Connect Private VIF connection?

No, you cannot use a Public ASN value when configuring the BGP Local ASN on a VMware Cloud on AWS SDDC.

Will you continue to support existing Direct Connect Private VIF configuration that uses Public ASN?

Yes. We will continue to support existing Direct Connect configurations.

What do I need to do if I want to change an existing Direct Connect Private VIF configuration from Public to Private ASN?

You have to first delete the Direct Connect Private VIF connection with public ASN. Then you can choose a Private ASN number from the range 64512-65534 and enter it in the BGP Local ASN field in VMware Cloud on AWS. After that, take the configured Private ASN number and AWS account ID and go to AWS account to create a new Hosted Private VIF with these values.

Networking - VPN

What is VMware NSX L2 VPN?

VMware NSX L2 VPN is a tunnel that enables extending layer 2 networks across geographic sites. Extended layer 2 networks enable virtual machines to move across sites (vMotion) while keeping their IP addresses the same. L2 VPN allows enterprises to seamlessly migrate workloads backed by VLAN or VXLAN between on-premises and VMware Cloud on AWS.

Do I need VMware NSX on-premises to use VMware NSX L2 VPN between on-premises and VMware Cloud on AWS?

No. You do not need VMware NSX on-premises to use L2 VPN. There are two components of L2 VPN, a client side component and a server side component, with the server side running in VMware Cloud on AWS. In order to configure an L2 VPN between on-premises and VMware Cloud on AWS, you must configure the client side component on-premises. If you do not have VMware NSX on-premises, you can download a standalone VMware NSX edge and configure the client side of L2 VPN.

Will VMware NSX L2 VPN layer 2 network extension work with any other vendor device?

No. You need a VMware NSX standalone edge, which you can download separately, or VMware NSX on-premises.

What are the key use cases VMware NSX L2 VPN enables?

  • One-time migration of applications from on-premises to VMware Cloud on AWS
  • Workload migration between on-premises and VMware Cloud on AWS
  • Keeping the IP address the same during Disaster Recovery

How many networks can you extend over one VMware NSX L2 VPN tunnel?

Refer to the VMware Cloud on AWS ConfigMax page for specific scale attributes.

What are the bandwidth considerations across the VMware NSX L2 VPN tunnel?

The maximum bandwidth supported across a VMware NSX L2 VPN tunnel is 750 Mbps.

You can download the IPsec VPN configuration for VMware Cloud on AWS. The downloaded file captures all the key parameters that need to be configured on the Peer IPsec VPN device. This is a generic parameter file that will expedite the configuration on the remote side by providing all the key parameters in a single file.

How do you achieve resilience for the L2 VPN Client?

Users can choose to deploy two standalone edge devices and configure them as active and standby for resilience.

What failure scenarios does an Active-Standby client deployment protect against?

This protects from the edge failure scenario. If the active edge fails, the standby will take over the tunnel traffic.

How many L2 VPN tunnels can you create through the VMware Cloud on AWS console?

You can create only one L2 VPN tunnel.

Does vMotion traffic flow over L2 VPN tunnel?

No. vMotion traffic doesn't flow through the L2 VPN tunnel. This tunnel is for the VMware Cloud on AWS VMs to communicate with on-premises resources. vMotion traffic flows through the AWS Direct Connect (Private VIF).

What is Tunnel Status Monitor?

The tunnel status monitor lets you see granular information about the traffic through the tunnel, including any errors. This information is useful when troubleshooting or monitoring IPsec and L2 VPN tunnels.

What information is available on the tunnel statistics?

You will be able to see packets in/out and bytes in/out per tunnel as well as error counts per tunnel.

How do I find IPsec and VPN tunnel configuration errors when I use the tunnel status monitor?

The tunnel status color (green, yellow, red) indicates the health of the tunnel, and clicking on it shows a pop-up with the details.

What is route-based VPN?

Route Based VPN provides the ability to dynamically publish networks across the VPN tunnel using the BGP protocol. It simplifies the deployment for customers compared to the manual and static policy-based VPN.

What protocol is supported for Route Based VPN?

Standard eBGP protocol is supported.

What routes are advertised from the VMware Cloud on AWS SDDC?

Management Infrastructure and Logical segment CIDRs are advertised to the on-premises BGP Peer.

With VMware NSX, do I only have to establish one VPN tunnel for management and workload traffic?

Yes. With VMware NSX, users need to establish just one tunnel.

If two tunnels are established, can traffic flow through both tunnels?

Yes, if multiple tunnels are configured between the SDDC and the same remote VPN endpoint, Equal Cost Multipath (ECMP) routing will be used.

Does VMware NSX support redundant tunnels?

Yes. There is support for redundant tunnels. Users can establish these tunnels across different endpoint devices on-premises.

How many VPN tunnels are supported?

Refer to the VMware Cloud on AWS ConfigMax page for specific scale attributes.

How is traffic flow controlled over the tunnel?

Traffic flow is controlled through the BGP parameters on the remote endpoint devices. Examples of such BGP parameters include AS Path, BGP weights and MED.

Does VMware Cloud on AWS support two different endpoints in the SDDC?

No. Support is only available for one endpoint in active-standby mode.

For Policy based VPN, can I create just one tunnel to carry all traffic?

Yes, you may create one tunnel for all traffic. All management and workload subnets must be advertised.

Does VMware NSX support IKEv2?

Yes, it supports both IKEv1 and IKEv2.

Will I be able to see the BGP routes advertised from on-premises over VPN?

Yes. In the Route based VPN tab, users can click on "View Routes" to see the networks advertised from on-premises. Users also have the option to "download routes."

What is Source NAT public IP in the Networking Security Topology view?

Any internet facing communication from the SDDC requires a public IP. By default, a public IP is provisioned and Source NAT configuration is done for such communication. Topology view now shows that public IP. This will be useful during any troubleshooting exercise.

Can IPsec VPN be used as backup to Direct Connect Private VIF?

Yes, this is supported with Route Based IPsec VPN.

How do I enable Route Based IPsec VPN as back-up to Direct Connect?

This can be enabled under Networking & Security tab under System→Direct Connect by enabling the option "Use VPN as backup to Direct Connect."

What happens if "Use VPN as backup to Direct Connect" is enabled but no VPN is configured?

The traffic will go over Direct Connect as usual. There will not be any VPN backup to Direct Connect until a route-based IPsec VPN is configured.

Does Route Based IPsec VPN support ECMP?

Yes, Route Based IPsec VPN supports both Active/Standby and ECMP.

How do I configure ECMP with IPsec VPN?

There is no ECMP setting to enable. If there are multiple VPN tunnels, all VPN tunnels will be used. Whether a tunnel is active or standby for a given route is controlled via the BGP metrics advertised from on-premises (the remote side).

Networking - VMware Transit Connect

What is VMware Transit Connect?

VMware Transit Connect is a high bandwidth, low latency connectivity feature for SDDC Groups. It provides network-level connectivity among SDDC Group members by leveraging an AWS Transit Gateway (TGW) in the AWS region. It also enables network connectivity to AWS VPCs and on-premises/colo data centers (via a Direct Connect Gateway).

Can I utilize AWS Transit Gateway in VMware Cloud on AWS?

VMware Transit Connect establishes network connectivity among SDDCs by leveraging an AWS Transit Gateway. It creates a VMware Managed Transit Gateway (VTGW) for SDDC Group Communication.

What connectivity models are supported with Transit Connect?

VMware Transit Connect supports SDDC to SDDC communications within the same region and across regions, SDDC to Native customer-owned AWS VPC communications within the same region, and SDDC to on-premises networks using an AWS Direct Connect Gateway.

Can my Connected VPC that is part of my SDDC also connect to the VTGW?

Yes, Connected VPC can utilize VTGW for communication. The Connected VPC will use the VPC attachment for communications to the SDDC it is associated to. The Connected VPC would use the VTGW attachment to communicate with other SDDCs in the SDDC Group.

I have connected my native AWS VPC to a VTGW. Do I need to make any changes to enable communication?

Yes, you must add routes in the AWS VPC, through the AWS console, that point the SDDC CIDRs at the VTGW.

Can I connect a VPN to the VTGW instead of a Direct Connect Gateway for my on-premises environment?

No, you cannot use a VPN to connect to the VTGW.

I am using VPNs for SDDC-to-SDDC connectivity today. Can I use Transit Connect to interconnect them?

Yes, you can use Transit Connect to replace your VPN connection and get higher performance connectivity.

What is an SDDC Group?

An SDDC Group is a set of SDDCs organized together for a common purpose. It is a logical grouping meant to simplify SDDC operations at scale: as customers deploy multiple SDDCs within VMware Cloud on AWS, an SDDC Group lets them organize and manage those SDDCs as a single logical entity.

Do the automatically created groups get updated as networks are added or removed from my SDDCs?

Yes, the automatically created groups reflect the current state of networks.

Networking - Multi Edge SDDC

What is Multi Edge SDDC?

Multi Edge SDDC is a feature that enhances the overall network capacity of the SDDC by provisioning additional edge resources in the SDDC. Users can utilize this feature by configuring Traffic Groups and mapping specific network traffic to utilize additional resources assigned to the group.

What are the primary use cases for Multi Edge SDDC?

The primary use cases for Multi Edge SDDC are for traffic flows between the SDDC and destinations connected to a VMware Transit Connect network such as another SDDC, native AWS VPCs and on-premises. Additionally, services in the Connected VPC can take advantage of Multi Edge SDDC’s increased capacity.

What type of traffic should be considered a good use case for Multi Edge SDDC?

While Multi Edge SDDC works with many different types of traffic, we’ve found that services like data backup, database synchronization and file storage are well suited for mapping into a Traffic Group and taking advantage of the increased network capacity.

What do I need to do to enable Multi Edge SDDC?

Multi Edge SDDC requires large-sized SDDC appliances.

Does Multi Edge SDDC require additional compute resources?

Yes, each Traffic Group configured will require 2 additional hosts in the VMware Cloud Management cluster to dedicate to the networking services.

How do I configure my SDDC’s traffic to use Multi Edge SDDC?

Multi Edge SDDC uses Source Based Routing to steer network traffic flows. To identify traffic, configure a prefix-list of subnets or IP addresses that should use the Traffic Group and then associate the prefix-list with the Traffic Group.

Does Multi Edge SDDC work with all of my SDDC’s traffic?

While Multi Edge SDDC works with all types of IP traffic from workloads, some specific flows cannot take advantage of it: flows that use Network Address Translation (NAT), including S3, VPN traffic and traffic over an AWS Direct Connect. Management VMs and VMware ESXi hosts are also not able to take advantage of Multi Edge SDDC. All of these flows continue to traverse the default edge.

Can I use Multi Edge SDDC with a 2-Host SDDC?

Due to the host requirements for Multi Edge SDDC, 2-host SDDCs cannot support Multi Edge SDDC and, in most cases, don’t generate enough traffic to need it.

What is a Traffic Group?

A Traffic Group is a new VMware Cloud construct that creates additional network capacity resources in the form of VMware NSX Edge routers.

What is an IP Prefix List?

An IP Prefix List is how customers define the source IP addresses of traffic that will utilize the new network capacity created by the Traffic Group.

What is an Association Map?

An Association Map is the construct used to bind an IP Prefix List to a Traffic Group.

How many Traffic Groups can I have in my SDDC?

Refer to the VMware Cloud on AWS ConfigMax page for specific scale attributes.

Can I reconfigure the Traffic Group/Prefix List/Association Map?

Reconfiguration of the prefix list being used by an association map is not possible. We recommend customers either create a new prefix list with the changes required and apply it in place of the current one, or remove the association map, update the prefix list and re-apply the association map.
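The Multi Edge answers above describe three constructs (Traffic Group, IP Prefix List, Association Map), the flows that always stay on the default edge, and the rule that a bound prefix list cannot be edited in place. The Python below is an added example, not VMware code: it models those rules so a planned configuration can be reasoned about; the longest-prefix tie-break between overlapping lists is an assumption, and all names and subnets are constructed.

```python
"""Model of Multi Edge SDDC traffic steering (added example, not VMware code).

The FAQ's constructs: a Traffic Group owns extra edge capacity, an IP Prefix
List names the source subnets, and an Association Map binds a list to a group.
Flow kinds the FAQ says stay on the default edge are excluded up front.  The
longest-prefix tie-break between overlapping lists is our assumption; group
names, subnets and flows are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List

DEFAULT_EDGE = "default-edge"
# Flows the FAQ lists as unable to use Multi Edge: NAT-based flows (S3, VPN,
# Direct Connect) plus management VM and ESXi host traffic.
DEFAULT_EDGE_ONLY = {"s3", "vpn", "direct_connect", "management", "esxi"}


class MultiEdgeConfig:
    def __init__(self) -> None:
        self.prefix_lists: Dict[str, List] = {}
        self.association_maps: Dict[str, str] = {}  # prefix list name -> traffic group

    def create_prefix_list(self, name: str, cidrs: List[str]) -> None:
        if name in self.prefix_lists:
            raise ValueError(f"prefix list {name!r} already exists")
        self.prefix_lists[name] = [ip_network(c, strict=False) for c in cidrs]

    def update_prefix_list(self, name: str, cidrs: List[str]) -> None:
        """Per the FAQ, a list bound by an association map cannot be reconfigured in place."""
        if name in self.association_maps:
            raise PermissionError(
                f"{name!r} is bound to {self.association_maps[name]!r}; "
                "create a replacement list or remove the association map first")
        self.prefix_lists[name] = [ip_network(c, strict=False) for c in cidrs]

    def associate(self, prefix_list: str, traffic_group: str) -> None:
        """Create the Association Map binding a prefix list to a traffic group."""
        if prefix_list not in self.prefix_lists:
            raise KeyError(prefix_list)
        self.association_maps[prefix_list] = traffic_group

    def disassociate(self, prefix_list: str) -> None:
        self.association_maps.pop(prefix_list, None)

    def replace_prefix_list(self, old: str, new: str, cidrs: List[str]) -> None:
        """The FAQ's recommended change procedure: new list, swap it in, retire the old one."""
        group = self.association_maps[old]
        self.create_prefix_list(new, cidrs)
        self.associate(new, group)
        self.disassociate(old)

    def select_edge(self, src_ip: str, kind: str = "workload") -> str:
        """Source-based routing: the traffic group whose bound prefix list best matches wins."""
        if kind in DEFAULT_EDGE_ONLY:
            return DEFAULT_EDGE
        ip = ip_address(src_ip)
        best_len, best_group = -1, DEFAULT_EDGE
        for pl_name, group in self.association_maps.items():
            for net in self.prefix_lists[pl_name]:
                if ip in net and net.prefixlen > best_len:
                    best_len, best_group = net.prefixlen, group
        return best_group


if __name__ == "__main__":
    cfg = MultiEdgeConfig()
    cfg.create_prefix_list("backup-sources", ["10.50.0.0/16"])
    cfg.associate("backup-sources", "tg-backup")
    print(cfg.select_edge("10.50.3.9"), cfg.select_edge("10.50.3.9", kind="vpn"))
```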

Networking - Advanced Firewall

What is the Advanced Firewall Add-On?

The Advanced Firewall Add-On is a new set of capabilities enhancing the security offerings for VMware Cloud on AWS. It features Layer 7 Distributed Firewalling, Fully Qualified Domain Name (FQDN) Filter List, Distributed Intrusion Detection/Prevention Services (D-IDS/IPS), and Active Directory Based Identity Firewalling.

Is the Advanced Firewall Add-On part of the base VMware Cloud on AWS offering?

The Advanced Firewall Add-On is an additional service that needs to be enabled per SDDC to begin using the additional features. Pricing and billing information can be found on the VMware Cloud on AWS pricing page.

Does the Advanced Firewall Add-On protect East-West and North-South traffic?

Yes, the Advanced Firewall Add-On protects both East-West and North-South traffic based on the user configured policy.

Are the Advanced Firewall Add-On features available for PCI-compliant SDDCs?

No, the Advanced Firewall Add-On features are not available in PCI-compliant SDDCs.

Does the Advanced Firewall Add-On protect against malware?

Yes, the Distributed IDS/IPS feature can protect against malware that matches the curated signatures configured.

In which AWS regions is the Advanced Firewall Add-On available?

The Advanced Firewall Add-On is available in all AWS commercial regions where VMware Cloud is available.

What are the scale attributes for the Advanced Firewall Add-On features?

Please refer to VMware Cloud ConfigMax for current scale attributes.

What level of feature enablement is available for the Distributed IDS/IPS?

The Distributed IDS/IPS is enabled or disabled on a per VMware vCenter Server cluster basis.

Where do I download signatures for Distributed IDS/IPS?

Updated signatures for the Distributed IDS/IPS are obtained from the VMware NSX Threat Intelligence Cloud (NTIC) service. This can be configured for automatic updates to streamline administration and ensure the most current signatures are in place.

What is the VMware NSX Threat Intelligence Cloud service?

The VMware NSX Threat Intelligence Cloud service is a VMware managed repository of IDS/IPS signatures. It is a cloud-based offering hosted in multiple regions across the globe.

Does the ability to perform an offline update of the Distributed IDS/IPS signatures exist?

For customers with isolated SDDCs that cannot automatically update through NTIC, an offline download and upload option exists using APIs.

Where are Distributed IDS/IPS signatures stored?

The signatures for Distributed IDS/IPS are initially downloaded to VMware NSX Manager inside the SDDC, and then automatically placed on each host in a cluster that is configured to use Distributed IDS/IPS.

Can I run the Distributed IDS/IPS in detect only mode?

Yes, when a policy is configured for the Distributed IDS/IPS it can be configured for detect only (IDS) or detect and prevent (IPS) actions.

What is the use case for Identity Firewall (IDFW)?

The primary use case for IDFW is granular, per-user, session-based firewall policy in Virtual Desktop Infrastructure (VDI) environments.

Does Identity Firewall (IDFW) support Remote Desktop Session Host (RDSH)?

The IDFW supports both VDI and RDSH methods for remote access.

What level of feature enablement is available for the Identity Firewall (IDFW)?

The IDFW is enabled or disabled on a per VMware vCenter Server cluster basis.

Is Guest Introspection required to use the Identity Firewall (IDFW) feature?

Guest Introspection is used by the IDFW feature.

Does Guest Introspection require a dedicated VM to operate?

VMware Cloud on AWS uses a kernel-based Guest Introspection engine that does not require a dedicated VM to operate.

Is VMTools required for Identity Firewall (IDFW)?

The IDFW feature requires VMTools 11.x or higher to be installed on the guest VMs.

What are the use cases for Layer 7 Firewalling?

The common use case for Layer 7 Firewalling is to allow granular inspection of traffic inside a given port or protocol. This is frequently used to detect and prevent unauthorized traffic from using commonly allowed ports and protocols. It is also used to ensure specific encryption protocols are used for secure traffic.

Does the Layer 7 Firewalling feature have pre-configured application definitions?

The Layer 7 Firewalling feature has more than 70 pre-configured application definitions based on commonly used enterprise applications, enabling fast deployment of the feature.

Is it possible to define a custom application in the Layer 7 Firewall?

The Layer 7 Firewall uses Context Profiles to define applications. The ability to add custom profiles is available.

What are the use cases for Fully Qualified Domain Name (FQDN) filtering?

The common use cases for FQDN filtering include restricting access to unauthorized URLs or conversely restricting access to specific authorized URLs.

Does the Fully Qualified Domain Name (FQDN) filtering feature require DNS Snooping?

The FQDN Filtering feature uses DNS Snooping on the Distributed Firewall (DFW) to observe and track the DNS requests from guests.
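The answer above explains that FQDN filtering rests on DNS snooping. The following Python is an added example, not VMware code, that models why: the firewall sees only destination IPs, so it learns name-to-IP bindings from the DNS answers a guest receives and classifies later connections against them, which is also why a connection to a raw IP that was never resolved, or a binding whose TTL has lapsed, can only receive the default action. The DNS answers, names, IPs and TTLs are constructed.

```python
"""DNS-snooping model behind FQDN filtering (added example, not VMware code).

A distributed firewall sees only IP packets, so to enforce a rule written in
terms of a name it snoops the DNS answers returned to the guest, remembers
which IPs each name resolved to, and classifies later connections by their
destination IP.  The DNS answers, names, IPs and TTLs below are constructed.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class FqdnRule:
    pattern: str  # shell-style pattern, e.g. "*.example.com"; "*" matches any name
    action: str   # "allow" or "drop"


@dataclass
class DnsSnooper:
    """IP -> (fqdn, expiry) bindings learned from answers the guest received."""
    table: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def observe_answer(self, qname: str, addresses: List[str], ttl: int, now: float) -> None:
        """Record the A records of one DNS response; a later answer overrides an older one."""
        name = qname.rstrip(".").lower()
        for ip in addresses:
            self.table[ip] = (name, now + ttl)

    def fqdn_for(self, ip: str, now: float) -> Optional[str]:
        """Name the guest resolved to this IP, or None if unknown or the TTL has expired."""
        entry = self.table.get(ip)
        if entry is None:
            return None
        name, expiry = entry
        if now > expiry:
            del self.table[ip]  # stale: the name may point elsewhere by now
            return None
        return name


class FqdnFilter:
    def __init__(self, rules: List[FqdnRule], snooper: DnsSnooper,
                 default_action: str = "drop") -> None:
        self.rules = rules
        self.snooper = snooper
        self.default_action = default_action

    def decide(self, dst_ip: str, now: float) -> Tuple[str, Optional[str]]:
        """Return (action, matched_fqdn) for a new connection to dst_ip.

        A destination never seen in a snooped DNS answer (a raw IP, or a lookup
        the firewall could not observe) cannot match any FQDN rule and receives
        the default action.
        """
        fqdn = self.snooper.fqdn_for(dst_ip, now)
        if fqdn is None:
            return self.default_action, None
        for rule in self.rules:  # first match wins, as with ordered firewall rules
            if fnmatch.fnmatchcase(fqdn, rule.pattern):
                return rule.action, fqdn
        return self.default_action, fqdn


def run_demo() -> List[Tuple[str, Optional[str]]]:
    """Walk through allow-list style filtering with constructed DNS traffic."""
    snooper = DnsSnooper()
    fw = FqdnFilter([FqdnRule("*.example.com", "allow"), FqdnRule("*", "drop")], snooper)
    snooper.observe_answer("updates.example.com.", ["203.0.113.10"], ttl=300, now=0)
    snooper.observe_answer("tracker.example.net.", ["198.51.100.7"], ttl=60, now=0)
    return [
        fw.decide("203.0.113.10", now=10),   # resolved via an allowed name
        fw.decide("198.51.100.7", now=10),   # resolved via a name only "*" matches
        fw.decide("192.0.2.50", now=10),     # never resolved: default action
        fw.decide("203.0.113.10", now=400),  # binding expired with the TTL
    ]


if __name__ == "__main__":
    for action, name in run_demo():
        print(action, name)
```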

Is it possible to deactivate the Advanced Firewall Add-On?

The Advanced Firewall Add-On can be enabled or disabled by the user at any time.

What happens if I disable the Advanced Firewall Add-On?

If the Advanced Firewall Add-On is disabled, additional policy for Distributed IDS/IPS, FQDN Filtering, IDFW or Layer 7 firewalling cannot be added, and existing policy cannot be edited. Previously configured policy will still be enforced and is retained until deleted by the administrator.

What happens if I re-enable the Advanced Firewall Add-On?

If the Advanced Firewall Add-On is re-enabled, existing policy will become configurable.

Networking - SDDC Group Connectivity to Transit VPC

What is SDDC Group Connectivity to Transit VPC?

SDDC Group Connectivity to Transit VPC designs enable customers to take advantage of additional flexibility in VMware Cloud on AWS network topologies by providing the ability to configure static routes to control network traffic to external destinations.

What are the use cases for connecting a SDDC Group to a Transit VPC design?

Some common use cases for a Transit VPC design include:

  • Security VPC where all traffic must be inspected before being routed to the Internet or on-premises
  • Interconnecting different SDDC groups in the same region in either the same VMware Cloud Organization or different ones
  • A temporary workaround for intra-region Transit Connect to AWS TGW peering

What are the requirements to use SDDC Group Connectivity to a Transit VPC?

The requirements to use SDDC Group Connectivity to a Transit VPC are:

  • SDDC version 1.12(M12) or higher
  • VMware Transit Connect

Are additional licenses required to use SDDC Group Connectivity to a Transit VPC?

No additional licenses are required.

Are there charges or fees to use SDDC Group Connectivity to a Transit VPC?

The normal VMware Transit Connect fee structure still applies, but there is no incremental cost to use SDDC Group Connectivity to a Transit VPC. Pricing information can be found on the VMware Cloud on AWS pricing page here.

How do I configure SDDC Group Connectivity to a Transit VPC?

The configuration for SDDC Group Connectivity to a Transit VPC is performed at the SDDC Group level on a per-VPC attachment basis through a static route.

How many static routes can be configured on a VPC attachment?

100 static routes can be configured per VPC attachment. Please refer to VMware Cloud ConfigMax for current scale attributes here.

Is it possible to configure a default route (0.0.0.0/0) as the static route?

Yes, a default route can be configured but should be done with a complete understanding of the connectivity to and from the SDDC as all traffic, including VMware ESXi host traffic, will follow the default route unless a more specific route exists.
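As an added illustration of the caveat above (this is example code written for this FAQ, not VMware's own tooling), the snippet below simulates longest-prefix routing over a constructed static-route table for a Transit VPC attachment and lists which required destinations, including ESXi host traffic, would fall through to the 0.0.0.0/0 route because no more specific route exists. All prefixes, labels and destination addresses are placeholders, not values from any real SDDC.

```python
import ipaddress

# Constructed sample static-route table for a Transit VPC attachment in an SDDC
# Group. Every prefix and label here is illustrative, not from a real deployment.
# Entries are (destination prefix, where the SDDC Group sends matching traffic).
STATIC_ROUTES = [
    ("0.0.0.0/0", "security-vpc"),        # default route: everything not matched below
    ("10.100.0.0/16", "on-prem-dxgw"),    # hypothetical on-premises range
    ("172.16.0.0/16", "sddc-group-b"),    # hypothetical peer SDDC Group range
]

# Constructed destinations that the SDDC (including its ESXi hosts) must reach.
# The addresses are placeholders standing in for an operator's real inventory.
REQUIRED_DESTINATIONS = [
    ("on-prem-vcenter", "10.100.5.10"),
    ("peer-sddc-workload", "172.16.20.4"),
    ("esxi-host-update-endpoint", "198.51.100.20"),
    ("corporate-ntp", "203.0.113.7"),
]


def select_route(dst, routes):
    """Longest-prefix match, as a router would do it.

    Returns (network, next_hop) for the most specific prefix containing dst,
    or None when nothing matches (i.e. no default route is configured).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, hop)
    return best


def captured_by_default_route(destinations, routes):
    """Return the names of destinations that would follow the 0.0.0.0/0 route.

    These are the flows the FAQ warns about: once a default route exists, any
    destination without a more specific static route is steered to the default
    next hop, ESXi host traffic included. Reviewing this list before committing
    a default route shows what would be rerouted through the inspection VPC.
    """
    captured = []
    for name, ip in destinations:
        match = select_route(ip, routes)
        if match is not None and match[0].prefixlen == 0:
            captured.append(name)
    return captured


if __name__ == "__main__":
    for name, ip in REQUIRED_DESTINATIONS:
        net, hop = select_route(ip, STATIC_ROUTES)
        print(f"{name:28} {ip:16} -> {hop} (via {net})")
    print("following the default route:",
          captured_by_default_route(REQUIRED_DESTINATIONS, STATIC_ROUTES))
```

Dropping the first entry of STATIC_ROUTES shows the contrast: without a default route the same destinations simply have no route at all rather than being silently sent to the security VPC.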

Networking - Transit Connect Inter-Region

What is Transit Connect Inter-Region Support?

Transit Connect Inter-Region support enables customers to simply make VMware Cloud on AWS SDDCs in different regions members of an SDDC Group. This provides a consistent and simplified network topology while broadening the high speed, resilient interconnectivity between regions.

What are the use cases for Transit Connect Inter-Region?

Some common use cases for Transit Connect Inter-Region include:

  • Inter-Region disaster recovery

Are additional licenses required to use Transit Connect Inter-Region?

No additional licenses are required to use the Transit Connect Inter-Region feature.

Are there charges or fees to use Transit Connect Inter-Region?

The normal VMware Transit Connect fee structure still applies, but there is no incremental cost to use Transit Connect Inter-Region. Pricing information can be found on the VMware Cloud on AWS pricing page here.

Is Transit Connect Inter-Region available in all commercial regions?

Yes, Transit Connect Inter-Region is available in all AWS commercial regions where VMware Cloud is available.

Can I connect my customer-managed AWS Transit Gateway to the SDDC Group?

It is not possible to connect a customer-managed AWS Transit Gateway to the SDDC Group at this time.

Do all SDDCs that are members of the group need to be in the same VMware Cloud Organization?

Yes, all SDDCs that are members of the group need to be in the same VMware Cloud Organization.

How many regions are supported in a single SDDC group?

Transit Connect Inter-Region supports groups with members of up to three regions. Please refer to VMware Cloud ConfigMax for current scale attributes.

Can all resources connected to the SDDC Group communicate?

SDDCs connected to the SDDC Group can communicate regardless of region. On-premises connections via Direct Connect Gateway and/or External VPC connections can only communicate with SDDCs in their same region.

How many routes can be advertised from a SDDC to the SDDC Group?

The number of routes advertised from a SDDC to the SDDC Group is 250. Please refer to VMware Cloud ConfigMax for current scale attributes here.

Hybrid Linked Mode

What is VMware vCenter Server Hybrid Linked Mode?

VMware vCenter Server Hybrid Linked Mode (HLM) allows you to link the Cloud VMware vCenter Server (VMware Cloud on AWS) to your on-premises VMware vCenter Server to provide a Hybrid management interface across Cloud and on-premises resources. With HLM, you can view and manage the on-premises and Cloud VMware vCenter Servers from a single pane of glass and perform hybrid operations such as workload mobility across the two environments. For more details, please refer to the VMware Cloud on AWS Getting Started Guide here.

What on-premises VMware vCenter Server versions and topologies are supported in VMware vCenter Server HLM?

HLM supports on-premises VMware vCenter Server running 6.0 U3c and later with embedded or external PSC (both Windows and vCSA). On-premises VMware vCenter Servers with external PSCs linked in Enhanced Linked Mode are also supported, up to the documented vSphere scale limits.

What is the VMware vCenter Server Cloud Gateway?

The VMware vCenter Server Cloud Gateway is an on-premises appliance that allows you to configure VMware vCenter Server Hybrid Linked Mode to link your on-premises VMware vCenter Server(s) to the VMware Cloud on AWS SDDC VMware vCenter Server, and to manage both resources from a single pane of glass (vSphere Client) running in your data center.

How does the VMware vCenter Server Cloud Gateway get updated?

The VMware vCenter Server Cloud Gateway gets automatically updated following the VMware Cloud on AWS SDDC updates. It periodically checks against the cloud version and auto-updates when a new version is available.

Do I get a separate maintenance notification for the VMware vCenter Server Cloud Gateway updates?

No, you get a notification for the Cloud SDDC maintenance window, which also serves as notification for the Cloud Gateway update.

During the installation of the VMware vCenter Server Cloud Gateway, you configure it to join your on-premises SSO domain. The next step in the installation process is to link to the cloud SDDC by configuring VMware vCenter Server Hybrid Linked Mode (HLM).

How many on-premises VMware vCenter Servers can be linked to the cloud SDDC using the VMware vCenter Server Cloud Gateway?

The VMware vCenter Server Cloud Gateway allows you to link a single on-premises SSO domain to the cloud SDDC. All VMware vCenter Servers in the same on-premises SSO domain (Enhanced Linked Mode) are automatically linked to the cloud SDDC when you configure HLM.

The Cloud Gateway currently allows you to link your on-premises SSO domain to a single cloud SDDC.

Can I configure HLM from both VMware Cloud on AWS and from on-premises using the gateway?

Yes, but not at the same time. HLM can be configured either from VMware Cloud on AWS or from on-premises using the Cloud Gateway.

Do I need to add AD over LDAP to the cloud VMware vCenter Server to configure HLM with the Cloud Gateway?

No, the Cloud Gateway allows you to map on-premises AD groups to the Cloud SDDC. The on-premises AD groups will be assigned the CloudAdmin role in the cloud SDDC. Note that this does not allow users from those AD groups to authenticate directly to the cloud SDDC, but it does enable them to manage the cloud SDDC resources from the Cloud Gateway.

What is the maximum latency supported between on-premises VMware vCenter Server and VMware Cloud on AWS VMware vCenter Server for Hybrid Linked Mode?

100 ms round trip latency.

What is the max latency supported between the VMware vCenter Server Cloud Gateway and the on-premises VMware vCenter Servers/PSC?

The VMware vCenter Server Cloud Gateway should be co-located with the on-premises PSC it is connected to (as part of the SSO join configuration). Latencies between the Cloud Gateway and the on-premises PSC could impact the overall UI performance.

What is the on-premises VMware vCenter Server version supported with the VMware vCenter Server Cloud Gateway?

The VMware vCenter Server Cloud Gateway supports on-premises VMware vCenter Server version 6.5 or later. If using on-premises VMware vCenter Server versions < 6.5 U2, you will be prompted to enter the Cloud Admin user credentials when performing VM clone/migration to the cloud SDDC.

Are SDDC Groups needed to be able to manage VMware vCenter Servers from multiple SDDCs together?

Yes, SDDC Grouping is a pre-requisite for the VMware vCenter Server linking feature to work across multiple VMware Cloud on AWS VMware vCenter Servers. This feature allows customers to manage resources from multiple SDDCs in a single vSphere Client interface.

Do the SDDCs within a group have to be at a certain version for linking to work within an SDDC Group?

All the SDDCs within a group should be at version 1.12 or later for VMware vCenter Server linking to work. The feature will not be enabled on the group if any SDDC is older than 1.12.

Are there any firewall rules configured as part of the VMware vCenter Server linking feature within SDDC Groups?

Firewall rules are automatically created between each of the SDDCs to enable the required connectivity to VMware vCenter Server on port 443 and ESX on port 902.

Can a Cloud Gateway be used with linking enabled within an SDDC Group?

You can continue to use the Cloud Gateway to manage a single Cloud VMware vCenter Server with your on-premises infrastructure, but you cannot manage the entire group from the Cloud Gateway.

Can HLM from the Cloud be used along with linking within an SDDC Group?

No, you cannot enable the VMware vCenter Server linking feature within an SDDC Group if any SDDC has HLM from the Cloud configured.

Can VMs be migrated using vMotion across VMware vCenter Servers in a linked SDDC?

vMotion (Hot migration) of a VM across linked VMware vCenter Servers in the SDDC group will not work because VMware Transit Connect only creates L3 connectivity between the group members.

What happens when SDDCs are added to or removed from an SDDC group with linking enabled?

If an SDDC is added to a group when linking is enabled, the VMware vCenter Server of the added SDDC is automatically linked to those of the other group members. If an SDDC is removed from a group with linking enabled, its VMware vCenter Server is unlinked from the remaining members.

Microsoft Workloads

What was announced by Microsoft in Aug 2019 regarding its product licenses on dedicated hosted cloud services including VMware Cloud on AWS?

Microsoft announced that on October 1, 2019, the licensing terms for its products deployed on dedicated hosted cloud services will change. This change in Microsoft licensing affects customers planning to move and/or deploy Windows Server and Microsoft SQL Server workloads to non-Azure clouds including VMware Cloud on AWS. Details here.

What products does VMware support under the SPLA license?

Currently, Windows Server and SQL Server are offered by VMware.

Does VMware support other products under the SPLA license beyond Windows Server and SQL Server?

Various Microsoft products have either License Mobility rights (from on-premises licenses) or can be purchased via a set of SPLA partners.

What are my options to buy Windows Server and SQL Server Licenses from VMware?

Licenses are offered on a per-host basis. A Windows Server License allows a customer to deploy an unlimited number of Windows Server Datacenter edition VMs on a VMware Cloud on AWS host. A SQL Server License allows a customer to deploy an unlimited number of SQL Server instances on a VMware Cloud on AWS host. A customer must license all hosts in a cluster. Licenses are billed on a calendar month basis according to the maximum number of hosts that were deployed in that month.

What is the licensing model?

We provide a “per VMware Cloud on AWS host” based Microsoft licensing model to VMware Cloud on AWS customers, and all hosts in a cluster must be licensed. You should consider creating separate clusters for Microsoft software, if possible, to limit your licensing costs.

Can I split my Windows Server SPLA License across multiple hosts?

No. Windows Server Licenses provided by Microsoft are only provided on a per-host basis. Each license can only be assigned to a single physical VMware Cloud on AWS host and all hosts in the cluster must be licensed.

Do VMware-supplied licenses provide the unlimited virtualization benefit?

Yes, VMware-supplied licenses include the unlimited virtualization benefit for both Windows Server and SQL Server. You can run an unlimited number of VMs (up to the technical maximum) with Windows Server and/or SQL Server on a fully licensed cluster of VMware ESXi hosts.

What are my options for acquiring the Windows and SQL Server software binaries from VMware?

A customer has three options: a VMware-supplied Windows Server VM (with or without SQL Server) packaged as an OVF, Microsoft ISO binaries that allow the customer to build their own VMs, or migration of a customer-supplied VM image for use on VMware Cloud on AWS.

Can you tell me more about the VMware-supplied VM?

The VMs are packaged as an OVF (Open Virtualization Format) which can be included in the customer's Content Library. As part of the initial deployment, the VM is activated and is then ready for customer use.

  • VMware will provide current binaries but it’s the customer's responsibility to install and maintain Microsoft patches and updates;
  • A customer can customize the VM as they require by configuring services or adding custom agents and software.

Can I supply my own Windows Server and SQL Server Binary?

Yes. You can transfer your Windows Server and SQL Server binaries as a VM, VM Template, or OVF. VMware will provide the customer with a script to activate the VM.

What Editions of Microsoft Software will VMware provide to me?

For Windows Server, we provide the Datacenter edition; for SQL Server, we provide the Enterprise edition:

  • Windows Server 2019 Datacenter
  • Windows Server 2016 Datacenter
  • Windows Server Datacenter
  • SQL Server 2019 Enterprise on Windows Server 2019 Datacenter

I only need Windows Standard Edition. How can I get that?

An end-user can supply their own Windows Standard edition. However, that does not change the licensing cost: VMware provides only a Windows Server Datacenter edition license.

Can I bring Windows Server versions from before 2019 to VMware Cloud on AWS?

Yes. You can bring Windows Server licenses from before 2019 (e.g. 2016, 2012, 2008) that you have acquired previously, prior to Oct 1, 2019, to VMware Cloud on AWS under the BYOL license terms.

Can I upgrade or downgrade the Microsoft licenses purchased from VMware on the VMware Cloud on AWS?

Yes. There are two ways to "upgrade/downgrade": by edition and by version. Customers can upgrade to the latest version, as the SPLA covers VMware for the latest version. For example, a customer can upgrade from SQL Server Enterprise 2017 to SQL Server Enterprise 2019 as it becomes available. The customer can also "downgrade" editions on the SPLA licenses VMware provides. For example, an end-user can "downgrade" from Windows Server 2019 Datacenter Edition to Windows Server 2019 Standard Edition, as downgrade rights are included. However, VMware is only allowed to sell the higher-priced "Datacenter" edition at this time.

Is Microsoft software supported on VMware Cloud on AWS?

VMware will provide commercially reasonable assistance with installation, configuration, and troubleshooting. In some cases, when Support does not have dedicated skilled experts, they may refer you to Microsoft for more assistance. Microsoft Support is not included.

Why do customers need to add a vTPM device to virtual machines running Windows 11 desktop?

Microsoft has introduced additional hardware requirements with the release of Microsoft Windows 11 Desktop, which also apply to virtual machines; see Windows 11 requirements - What's new in Windows | Microsoft Docs. Additionally, workloads can take advantage of Trusted Platform Modules as part of security and compliance efforts, enabling guest OS security features such as Microsoft Device Guard and Virtualization-Based Security.

What is a TPM and why do I need it?

See: Trusted Platform Module (TPM) version 2.0. Microsoft's new Windows 11 hardware requirement for a TPM can be fulfilled by adding a vTPM in virtualized environments such as vSphere.

When will customers be able to add the vTPM device to their virtual machines in VMware Cloud on AWS?

vTPM is available in SDDC versions 1.19 and later. The VMware Cloud on AWS vTPM feature includes the automated installation of the vSphere Native Key Provider in VMware vCenter Server when the SDDC is created.

Note on odd-numbered VMware Cloud on AWS releases:  Beginning with the SDDC version 1.11 release, odd-numbered releases of the SDDC software are optional and available for new SDDC deployments only. If you want to deploy an SDDC with an odd-numbered release version, contact your VMware TAM, sales, or customer success representative to make the request.

How do customers add the vTPM device to their virtual machines in VMware Cloud on AWS?

On an SDDC that is version 1.19 or newer, simply add a Trusted Platform Module from the Edit VM Configuration screen.

What guest operating systems can use a vTPM?

Customers can add a vTPM device to virtual machines running Windows Server 2008 and later, Windows desktop 7 and later, and major Linux distributions.

Can VMware Cloud on AWS customers configure Microsoft BitLocker with vTPM on VMware Cloud on AWS?

vTPM is a full TPM 2.0 implementation, and all in-guest activities will work as expected. This includes Microsoft BitLocker, Device Guard, and Credential Guard.

Please read the KB article - BitLocker support in a virtual machine (2036142)

https://kb.vmware.com/s/article/2036142

All encryption features have a performance impact, varying based on the specific workload’s I/O patterns. In-guest encryption also impacts the effectiveness of vSAN space-efficiency technologies, such as deduplication and compression. Care should be taken to assess these impacts in production environments.

How can customers create a Windows VM that complies with the DISA STIG on VMware Cloud on AWS?

By adding a vTPM, customers who are obligated to comply with US Department of Defense STIGs can meet the STIG requirements directly. Please refer to the specific STIG for your version of Microsoft Windows.

What instance types are supported by Microsoft to run Windows 11 desktop OS?

i3en.metal and i4i.metal instance types support the Windows 11 CPU hardware requirements set by Microsoft.

Can customers clone a virtual machine that has a vTPM device?

Yes, within an SDDC. SDDCs at version 1.18 or earlier will create an exact replica of the source VM, including the vTPM and its contents. SDDCs at version 1.19 and newer offer a choice to create an exact replica or replace the vTPM with a blank one. Please ensure that cloning workflows are correct for your use case and needs.

Can virtual machines that have vTPM devices be migrated to VMware Cloud on AWS or from VMware Cloud on AWS to another SDDC?

vTPM functionality depends on VM Encryption to protect the secrets held by the vTPM. Migrations of encrypted virtual machines are not directly available in VMware Cloud on AWS 1.19. However, the vTPM may be removed from the virtual machine enabling it to be migrated. Removing the vTPM will destroy any data held in it; please ensure that you have recovery keys and methods for the guest OS and workload data in the vTPM. Use a cloned copy of the VM in order to test recovery processes.

Improved mobility of workloads with an attached vTPM device is planned for a future release.

Can Windows 11 Virtual Machines be migrated from VMware Cloud on AWS using VMware HCX?

Future releases of VMware HCX will support the migration of virtual machines that have a vTPM device.

When will the vSphere Native Key Provider (NKP) be included in the SDDC default configuration?

NKP is configured by default on all SDDCs deployed at version 1.19, and on SDDCs upgraded to version 1.20. The Native Key Provider is not configurable by users.

Can customers configure/use a different Key Provider in VMware Cloud on AWS?

Not currently. VMware Cloud on AWS preinstalls the vSphere Native Key Provider when the SDDC is provisioned to support customers who need to add vTPM devices to their Virtual Machines. Customers do not have privileges to manage Key Providers in VMware Cloud on AWS.

Can customers import their on-premises vSphere Native Key Provider backup to VMware Cloud on AWS?

Not currently. Import and export of the vSphere Native Key Provider backup to or from the VMware Cloud on AWS SDDC is on the roadmap. VMware Cloud on AWS supports only a single vSphere Native Key Provider and cannot back up or restore vSphere Native Key Provider keys to or from another instance of Native Key Provider.

How is the vSphere Native Key Provider backed up?

The VMware Cloud on AWS service automatically backs up and stores the backup for the vSphere Native Key Provider with VMware vCenter Server when the SDDC is first provisioned. VMware Cloud on AWS support can restore the vSphere Native Key Provider in the original SDDC if necessary.

Can customers use their third-party backup tools to back up and restore their vTPM-enabled VMs?

vTPM support has been present in vSphere since vSphere 6.7, and most backup solutions are able to handle virtual machines with those virtual devices. Please consult your backup vendor for specifics of their support.

Can a virtual machine with a vTPM be backed up/restored from VMware Cloud on AWS to another SDDC or from another SDDC to VMware Cloud on AWS?

Please consult your backup vendor for specifics of their support.

Service Operations

Who is responsible for supporting customers when they have issues?

VMware will provide VMware Global Support Services (GSS) and Customer Success team support for customers. You will be able to contact GSS via phone or the chat feature in the service portal. VMware's service operations team will handle escalations.

What does VMware manage and operate vs. what is the responsibility for customers?

VMware is responsible for the SDDC software components and the IaaS infrastructure resources. Customers are responsible for their applications and workloads running on the service.

Can you describe the operations and support models for VMware Cloud on AWS?

VMware provides a 24x7 command center that supports the service along with site reliability teams and engineering teams that are on-call supporting the service. Service operational readiness and live service operations and support are key activities for the service teams. VMware will actively monitor and maintain the SDDC components and IaaS infrastructure to ensure customers receive a high-quality service experience. In addition, fleet SDDC lifecycle management will enable efficient and reliable operations at scale.

How do I install a patch for VMware Cloud on AWS & VMware Cloud on AWS GovCloud (US) SDDC components?

VMware handles all patching, updates, and maintenance for VMware Cloud on AWS & VMware Cloud on AWS GovCloud (US) SDDC components.

Who is responsible for conducting maintenance updates on my SDDC software running in VMware Cloud on AWS & VMware Cloud on AWS GovCloud (US)?

VMware handles all patching, updates, and maintenance for VMware Cloud on AWS & VMware Cloud on AWS GovCloud (US) SDDC components.

What happens during a maintenance update for the SDDC software running on VMware Cloud on AWS & VMware Cloud on AWS GovCloud (US)?

Prior to a maintenance update, you will receive an email notification telling you the date and time when the update is going to occur. When the update process is initiated, you will receive another email notification. The process occurs in two main phases: a control plane update and a data plane update.

During the control plane update, customers are temporarily prevented from accessing VMware vCenter Server. Direct access to VMs will still be available during this phase. A backup of VMware vCenter Server and VMware NSX Manager is taken prior to installing the update. The update is then installed. Once the installation is completed, access to VMware vCenter Server is restored and the control plane phase is completed. An email is sent to you once the control plane phase is completed.

In the data plane update phase, an extra VMware ESXi host is temporarily added to each cluster to ensure sufficient capacity to complete the update process. The data plane update is conducted on a rolling basis, with the hosts being updated one at a time. Each VMware ESXi host is placed into maintenance mode and its VMs are migrated to another host in the cluster. The VMware ESXi host is then updated in place. Once all of the hosts are updated, one host is removed from the cluster to restore the host count to the original number before the update process completes. An email is sent to customers once the data plane update is completed.

Is there any planned downtime during maintenance updates for SDDC software running on VMware Cloud on AWS & VMware Cloud on AWS GovCloud (US)?

Yes, during the control plane phase of the SDDC maintenance update, access to VMware vCenter Server will be removed. Once the control plane phase is finished, access will be restored.

Is my SDDC software backed up before the SDDC maintenance updates?

VMware will back up VMware vCenter Server and VMware NSX Manager prior to installing control plane updates. VMware will be able to restore from these backups as needed. VMware does not back up virtual machines and user data, as these are the customer's responsibility.

How often will VMware perform maintenance on my SDDC on VMware Cloud on AWS & VMware Cloud on AWS GovCloud (US)?

Due to the nature of software updates, this will be done on an as-needed basis. For planning purposes, VMware anticipates monthly updates to infrastructure during the initial rollout and expects to transition to quarterly updates as the service matures.

How does VMware notify me about planned or unplanned SDDC Maintenance?

VMware is responsible for managed delivery of Software Defined Data Center updates and emergency patches. This involves maintaining consistent software versions across the SDDC fleet with continuous delivery of features and bug fixes. Detailed information about the SDDC upgrade and maintenance process is available on the SDDC Upgrades and Maintenance page. Typical updates are scheduled by SDDC region, outside business hours, and are not workload impacting. Major updates occur approximately once a quarter with patch bundles in between. Updates may include new functionality, bug fixes and operational enhancements; patches include bug fixes and security patches. VMware attempts to provide update notifications several weeks in advance but at a minimum will provide 24 hours of notice.

VMware Cloud on AWS has multiple notification mechanisms used to contact customers regarding maintenance and uses all of them to ensure customers are informed about any activity that may affect their use of the service:

  1. Within the VMware Cloud on AWS Console is a multi-channel notification service that is used to notify customers of important events. Customers can subscribe to the notification webhook for these events.
  2. Maintenance activities are published on the VMware Cloud on AWS status page, https://status.vmware-services.io/. Customers can subscribe to updates on this page, and email notifications will be sent by noreply@vmware-services.io.
  3. Maintenance communications are sent from the email ID vmc-services-notices@vmware.com to the email addresses of all organization members and organization owners.

Additional information about the contents of an update can be found on the Release Notes page: https://docs.vmware.com/vmc/releasenote

Can I change any cluster settings, such as DRS or HA?

DRS and HA settings are fixed to values that provide the best performance and availability for both management components as well as virtual machines you deploy.

Can I rename the hosts in my SDDC on VMware Cloud on AWS?

The names for the hosts are generated automatically and cannot be changed. In addition, if a host is replaced, there is no guarantee that the host name will be the same. You should modify any scripts and other tools so that they do not rely upon fixed hostnames.

Can I add my own VIBs to my SDDC hosts on VMware Cloud on AWS?

You are not able to add any software to the base VMware ESXi image installed on your hosts. Patching and updates will be handled for you by the VMware Cloud service.

What happens when I delete an SDDC on VMware Cloud on AWS?

When you delete an SDDC, your VMs and data are deleted and the hosts and other resources allocated to the SDDC are released for use in other SDDCs.

What Network Time Protocol Server (NTP) is used by VMware Cloud on AWS?

VMware Cloud on AWS uses the Amazon Time Sync Service to keep all logs globally synchronized.

Which version of VMware Tools is available for my VMs?

VMware will provide installers for a designated release of VMware Tools for all supported guest operating systems and will update those from time to time. You have the option of using a different version of VMware Tools than the one shipped with VMware Cloud on AWS to ensure there is a standardized version between your on-premises and VMware Cloud on AWS environment. You can either upload the desired VMware Tools ISO to vSphere Datastore or you can use Guest Operating System tools to deploy the desired VMware Tools version using Microsoft Windows SCCM, Linux apt-get, etc.

If an AWS region goes down or loses connectivity, will I still be able to access the VMware Cloud on AWS Console, APIs and VMware vCenter Server?

The VMware Cloud on AWS Service, Console and APIs are all located in the AWS US West (Oregon) Region. Only a complete failure of this region would result in a service disruption to the VMware Cloud on AWS Service, Console and APIs. If the region that your SDDCs are deployed in goes down, then you will not have access to VMware vCenter Server and the ability to perform actions on the impacted SDDCs.

Do I need to access region-specific endpoints to access my SDDCs?

No, you use the same endpoints to access the VMware Cloud on AWS API and VMware Cloud on AWS Console regardless of the region your SDDCs are in.

Will VMware ever add hosts to my cluster without my permission?

Yes. As part of our responsibility for maintaining your working SDDC, we may add additional hosts to your SDDC if the health of this SDDC is in danger. Generally, this only occurs when your datastore fills up to an unsafe level. As per our SLA, we require 25% "slack space" in order to support your SDDC.

Will VMware bill me for hosts added automatically?

Yes. You are billed for all hosts in your environment per running host hour.

How do I prevent VMware from adding hosts to my SDDC?

Generally, we advise customers to monitor their capacity and take action when the system passes 70% capacity. At that point, some customer action should be taken. If you take corrective action at 70%, automated remediation by VMware will not occur.

How are my subscriptions affected by an automated scale up event?

We do not automatically add subscriptions to your account. Because scale up events may represent temporary spikes, we do not recommend that you automatically buy a new subscription every time a scale up event causes a host to be added to your SDDC. For most customers, it is more cost effective to buy additional host subscriptions after you have established that baseline capacity. Normally, you want to review your capacity requirements by looking backwards 30 to 60 days and then buy subscriptions based on your minimum capacity requirement for that period. This ensures that you are only buying subscriptions you actually need.

If VMware scales up my cluster due to health concerns, will they then scale it back down?

The best way to ensure that we automatically scale your cluster up or down is to enable EDRS. If EDRS is not enabled, we will only add hosts in an emergency and we will not remove those hosts if usage later drops. So, the only way to ensure that VMware is monitoring your cluster size is to enable EDRS.

API Automation

How can I find the API for VMware Cloud on AWS?

From within the VMware Cloud on AWS Console you can access the RESTful APIs through the Developer Center tab and its API Explorer. From within this area you can browse the publicly available APIs and try them out against your own resources.

What is the Developer Center?

Developer Center for VMware Cloud on AWS gives automation experts, DevOps engineers and developers a central portal for getting access to detailed API information, software development kits, code samples and command line interfaces.

  • Integrated into the VMware Cloud on AWS Service Console.
  • Easily learn and execute the VMware Cloud on AWS Service RESTful APIs with the Interactive API Explorer.
  • Quickly integrate your workflows and partner solutions with VMware and community code samples for common development languages.
  • Obtain open source software development kits (SDKs) and links to getting started guides and documentation that provide a better developer experience for VMware Cloud on AWS features.
  • Automation experts and DevOps engineers can seamlessly tie their business workflows into VMware Cloud with a selection of command line interfaces.

Learn about the latest updates to the Developer Center by reading this blog post.

Which APIs are currently in preview?

The /networks resources and any APIs under this resource are currently marked as preview and may change in the future.

What is simple mode VMware NSX API?

In VMware Cloud on AWS, VMware NSX provides simplified consumption of the networking and security functionality - the set of VMware NSX APIs related to this is referred to as simple mode VMware NSX APIs. With these APIs, you can automate:

  • Networking and security functions exposed in the VMware Cloud on AWS Console
  • Day 0 tasks, such as establishing an IPsec VPN tunnel and configuring firewall policies to allow VMware vCenter Server access
  • Day 2 tasks, such as creating a new logical switch, configuring firewall policies to allow access to the Internet, and configuring DNS and NAT

For automation, customers can choose either the VMware Cloud on AWS endpoint over the public internet or the VMware NSX Manager endpoint over a private connection.

Where can I find Software Development Kits (SDKs) and code samples for using the VMware Cloud on AWS Service APIs?

From within the VMware Cloud on AWS Console you can access code samples and SDKs through the Developer Center tab, which links to the supported SDKs and to code samples made available by VMware and the community.

Third-Party Technology Solutions

What are the terms of service for third party software and how is third party software supported on VMware Cloud on AWS?

Third party ISV software is handled on third party terms. The current certified list is located here.

What additional VMware tools are available in VMware Cloud on AWS?

VMware makes the following optional downloadable tools available at no charge: DCLI and Content Onboarding Assistant. These tools are VMware Software that is governed by our standard EULA.

How can I access third party content?

Access third party content through the VMware Solutions Exchange, but please note that not all solutions are directly integrated with VMware Cloud on AWS.

Can I bring my own third-party software?

Yes. We don’t restrict what you can install, but third-party software may not always be directly integrated with VMware Cloud on AWS.

Can I use my Windows Server Licenses in VMware Cloud on AWS?

Yes, you can bring your own licenses. Please consult your Microsoft Product Terms for more details and any restrictions.

From where can I acquire ISV licenses?

VMware Cloud on AWS operates on a Bring Your Own License (BYOL) model. You can procure your licenses through the channels you normally use or desire and utilize those licenses on dedicated VMware Cloud on AWS hosts.

What is the hardware configuration?

The VMware Cloud on AWS base cluster configuration contains three hosts. Refer to the Compute section for available host models and specifications.

What are dedicated hosts?

The hardware in your cluster is dedicated for your use. The hardware is only replaced when necessitated by hardware failure or host retirement.

How are host failures handled?

VMware Cloud on AWS is able to quickly react to a hardware failure by inserting a new server into your cluster when a fault is detected. Because VMware Cloud on AWS is running vSAN, the VMs are protected and vSphere HA will automatically restart any VMs which were running on the failed server.

How is host retirement handled?

AWS may schedule servers for retirement in cases where there is an unrecoverable issue with the underlying hardware. When VMware receives a retirement request from AWS, VMware handles the server failure in the same manner as it does any other host failure by removing the failed host from your cluster and inserting a new server in its place. Because VMware Cloud on AWS is running vSAN, the VMs are protected.

How is maintenance handled?

Please refer to our question in the Service Operation section about SDDC maintenance.

I am a Technology Partner. What are my options for obtaining a VMware Cloud on AWS SDDC?

You can begin the subscription process by contacting VMware at vmcisv@vmware.com. You can choose to pay by credit card or use your existing SPP/HPP credit fund.

What are my options for certifying or validating my solution on VMware Cloud on AWS?

Technology Partners can begin the process by contacting VMware (vmcisv@vmware.com). Once validated, a solution is registered on the VMware Solution Exchange.

How can I get access to VMware Cloud on AWS for development or testing?

With the latest release, VMware Cloud on AWS is available in 3 host and single host configurations. The single host configuration is ideal for partners that want a low-cost environment for developing/testing their own solution or for customer POCs. Single host configurations have some limitations.

What type of SDDCs can I deploy for solution validation and development?

As a partner, you can deploy either a 3-host or 4-host SDDC or participate in the Single Host SDDC program. Technology Partners are given access to the VMware Cloud on AWS service at a discount for development and validation purposes only.

As a TAP Partner, what are my restrictions for the Single Host SDDC Offer?

Please review the Single Host SDDC offer details for the general terms and conditions. There are a few changes for Technology Partners:

  • Partners can deploy a total of one (1) 3-host SDDC, one (1) 4-host SDDC and up to two (2) Single Host SDDCs.
  • The partner discount applies to a Single Host SDDC, 3-host SDDC or 4-host SDDC.
  • 3-host, 4-host or Single Host SDDCs are for development of joint VMware and Partner solutions or Partner validation of their product on VMware Cloud on AWS only. Discounted instances are not available for POCs or production.

Is there special pricing for partners selling the single-host SDDC configuration?

Yes, VMware is offering special, limited time pricing to partners for the single host SDDC configuration. This low-cost offering is ideal for partners to develop their own solutions or for customer POCs. This offering is not designed to be resold to customers for production use. The single host SDDC configuration has a 60-day timeout window. Please log in here if you are a TAP partner, or here if you are an RTM partner, for more details on pricing.

How do I get support when validating my solution on VMware Cloud on AWS?

Partners have been given access to the DCPN (Developer Center Partner Network) and can communicate with the VMware team by submitting DCPN cases in the DCPN projects below:

  • For technical issues, submit a DCPN case in the DCPN project priv--cloud-permissions-partner_TR.
  • For program issues, submit a DCPN case in the DCPN project priv--cloud-permissions-partner_PR.
  • Use your myvmware.com account/password to log into VMware{code} and the DC Partner Network.

How do I get support for onboarding to VMware Cloud on AWS?

Technical support is provided through the chat widget in the lower right corner of the console after you create an Organization and provision an SDDC.

How can I get support for Red Hat Enterprise Linux on VMware Cloud on AWS?

VMware Cloud on AWS is a Red Hat Certified Cloud Service Provider that allows customers to bring their existing Red Hat Enterprise Linux licenses to VMware Cloud on AWS. Please follow the guidance from Red Hat on how to enable this here.

How can I get support for Red Hat OpenShift Container Platform on VMware Cloud on AWS?

VMware Cloud on AWS is a Red Hat Certified Cloud Service Provider that allows customers to bring their existing Red Hat OpenShift Container Platform licenses to VMware Cloud on AWS. Please follow the guidance from Red Hat on how to enable this here.

VMware Cloud Director Service

What is VMware Cloud Director service?

VMware Cloud Director service is a SaaS service running on top of VMware Cloud on AWS, hosted and managed by VMware for cloud providers. VMware Cloud Director service enables cloud providers to build a custom branded, multi-tenant, self-service cloud management platform.

What are the main use cases for VMware Cloud Director service?

It unlocks new business opportunities for cloud providers by enabling them to sell VMware Cloud on AWS to their SMB customers. It lowers the entry point for customers to use VMware Cloud on AWS by providing flexible smaller footprints suitable for most SMB customers, which is the primary target market for VMware cloud providers.

It helps providers manage customer expansion to different regions by rapidly expanding their cloud footprint to new regions or availability zones, and supports new customer segments in an asset-light pay-as-you-grow model.

It delivers a hybrid cloud model for VMware cloud providers who have built their cloud management stack on Cloud Director. By bringing VMware Cloud on AWS under the management umbrella of VMware Cloud Director service, cloud providers have the same management model and tooling as used on-premises.

How does VMware Cloud Director service enable multi-tenancy on VMware Cloud on AWS?

VMware’s flagship cloud services platform, Cloud Director, delivers multi-tenant resource pooling: Cloud Director helps create virtual datacenters from common or distributed infrastructure to cater to heterogeneous enterprise customer needs. With Cloud Director service, a cloud provider can host and serve multiple customers from a single VMware Cloud on AWS SDDC.

In which regions is VMware Cloud Director service available?

For initial availability, VMware Cloud Director service is only available in the US West (Oregon) region. Although the Cloud Director Instances are deployed in the US West (Oregon) region, they can connect to VMware Cloud on AWS SDDCs that are within 150 ms of latency. For example, SDDCs in the VMware Cloud on AWS US East and US West datacenters can be associated with a VMware Cloud Director Instance for a customer, allowing them to rapidly expand resources into a new region or availability zone. In the future, VMware Cloud Director service will be available in the EU and APJ Regions.

How is VMware Cloud Director service billed?

VMware Cloud Director service is billed based on the number of VMware ESXi host cores under management. It can be purchased on-demand or in a subscription.

Do I need to buy VMware Cloud on AWS separately as well?

Yes, you need to buy a VMware Cloud on AWS Service as normal, through a commit contract in the MSP program and delivered by Cloud Provider Hub. Additionally, you also need to buy VMware Cloud Director service under the MSP program.

What is the minimum VMware Cloud on AWS SDDC size supported by VMware Cloud Director service?

Currently the minimum supported SDDC deployment for production use is 3 hosts. Cloud Providers are able to use 1-host and 2-host SDDCs for test/dev purposes.

Can I use VMware Site Recovery with VMware Cloud Director service?

VMware Site Recovery is not supported for use with VMware Cloud Director service.

How can I learn more about VMware Cloud Director service?

For more information on VMware Cloud Director service, please visit our website here. For further inquiries, please reach out to cloudproviders@vmware.com.

VMware Tanzu

What is included in TKG?

TKG includes the core binaries to install a TKG cluster on VMware Cloud on AWS plus Customer Reliability Engineering support & services to assist customers in successfully planning, deploying and maintaining their Kubernetes environment. You can find a detailed list of technologies & services supported in TKG in KB 78173. Some relevant callouts are:

  • Patching of critical issues prior to upstream releases
  • vSAN Container Storage Interface (CSI)
  • VMware NSX Container Plugin (NCP)
  • Calico 2.6 and above
  • RHEL 7.4 for Node OS
  • Ubuntu LTS 16.04 for Node OS
  • Contour for ingress

Who is responsible for deploying and managing Tanzu services on VMware Cloud on AWS?

The first offering is a self-service model where Customers are responsible for deploying and managing all aspects of Tanzu on VMware Cloud on AWS. The workflows for deploying and managing TKG infrastructure are the same as those for on-premises. VMware is responsible for the management of SDDC software components and the IaaS infrastructure resources. A minimum of 2 VMware ESXi hosts per cluster is required to use this model of Tanzu. Consult the latest Tanzu Kubernetes Grid Product documentation for more details.

The second offering is a fully managed and integrated model where Customers are responsible for providing and maintaining a basic collection of networks, which are used for deploying both Tanzu infrastructure and workloads. VMware is responsible for the management of the Tanzu infrastructure in addition to SDDC software components and the IaaS infrastructure resources. As part of this managed service, VMware also provides tighter integrations in the VMware Cloud Console as well as Tanzu Mission Control Essentials. As of VMware Cloud on AWS's 1.16 release, a minimum of 3 VMware ESXi hosts per cluster is required to use this model of Tanzu. Consult Using VMware Tanzu™ Kubernetes Grid™ Service with VMware Cloud on AWS in the VMware Cloud Operations Guide for more details.

What are the supported Operating Systems for Kubernetes nodes?

With VMware Tanzu, there are a number of supported operating systems that can be leveraged. Check out the Target Operating Systems section of the Tanzu documentation for the latest options.

Can customers use existing Enterprise PKS or PKS Essentials licenses for TKG on VMware Cloud on AWS deployment?

Existing Enterprise PKS or PKS Essentials licenses do not entitle customers to run TKG on VMware Cloud on AWS. Customers will be required to purchase a TKG subscription license.

Where can I find more information about pricing for TKG on VMware Cloud on AWS?

All VMware Cloud on AWS customers are entitled to Tanzu services (i.e. Tanzu Kubernetes Grid and Tanzu Mission Control Essentials). For pricing on other tiers of Tanzu, please contact your VMware representative.

How can customers get support for Tanzu on VMware Cloud on AWS?

Customers can get support for Tanzu Kubernetes Grid on VMware Cloud on AWS through a combination of VMware Cloud on AWS Support and Tanzu Support with a valid support contract for the product. For more details, please consult the "How Do I Get Support" section from the VMware Cloud Services Product Documentation.

How can I purchase Tanzu Application Service for VMware Cloud on AWS?

Tanzu Application Service is a separate purchase from your VMware Cloud on AWS subscription. Please contact your VMware Sales representative for more information on purchasing Tanzu Application Service licenses for VMware Cloud on AWS.

I am currently using Tanzu Application Service in my on-premises datacenter, do I need a separate Tanzu Application Service license for VMware Cloud on AWS?

For deploying Tanzu Application Service on VMware Cloud on AWS you can use the existing license that you are using on-premises.

Are there any prerequisites for running Tanzu Application Service on VMware Cloud on AWS?

There are no prerequisites for running Tanzu Application Service on VMware Cloud on AWS. The same technology foundation stack is supported on VMware Cloud on AWS.

Do I need VMware NSX on-premises to use Tanzu Application Service on VMware Cloud on AWS?

No, VMware NSX deployment is not a prerequisite for using Tanzu Application Service on VMware Cloud on AWS.

In which regions is Tanzu Application Service on VMware Cloud on AWS supported?

Tanzu Application Service is supported in all VMware Cloud on AWS regions.

How can I get support for Tanzu Application Service deployment on VMware Cloud on AWS?

You can continue to follow the existing Tanzu Application Service support model. On VMware Cloud on AWS, you can also use the chat support available through the VMware Cloud Console to open support tickets with VMware Global Support Services.

Who is responsible for deploying and operating Tanzu Application Service on VMware Cloud on AWS?

As a VMware Cloud on AWS customer, you are responsible for deploying, operating and managing the lifecycle of Tanzu Application Service instances on VMware Cloud on AWS.

Is there a sizing guideline between running TAS on-premises vs TAS on VMware Cloud on AWS?

You can continue to use the existing on-premises sizing guidelines for Tanzu Application Service on VMware Cloud on AWS.

Can VMware HCX be used for migration of Tanzu Application Service instances to VMware Cloud on AWS?

VMware HCX live migrations are not supported for TAS migrations to VMware Cloud on AWS.

What is VMware Tanzu Mission Control?

VMware Tanzu Mission Control is a centralized Kubernetes management platform for operators to consistently, efficiently and securely manage Kubernetes clusters and applications across teams and clouds, while enabling developers with self-service access to information and resources needed for speedy application development and delivery.

It offers a rich set of capabilities, such as cluster lifecycle management, identity and access management, centralized policy management, centralized visibility across clusters, security and conformance inspection and data protection, to help increase operational efficiency and security while improving developer productivity.

How does Tanzu Mission Control work with VMware Cloud on AWS?

Tanzu Mission Control helps VMware Cloud on AWS customers to centrally operate and manage Kubernetes clusters running on VMware Cloud on AWS. 

Any conformant Kubernetes clusters running on VMware Cloud on AWS can be attached and managed by Tanzu Mission Control, so that the Kubernetes operators can use the capabilities provided by the platform to gain the consistency, efficiency and security needed for managing the Kubernetes on VMware Cloud on AWS at scale.

If customers use Tanzu Kubernetes Grid clusters in VMware Cloud on AWS, Tanzu Mission Control integrates with Tanzu Kubernetes Grid to also enable centralized lifecycle management of the Tanzu Kubernetes Grid clusters in the VMware Cloud on AWS environment, including cluster provisioning, upgrading, scaling and deleting via the Tanzu Mission Control UI, API and CLI (note: this capability is not available to non-Tanzu Kubernetes Grid clusters).

What benefits does Tanzu Mission Control offer for VMware Cloud on AWS customers?

With Tanzu Mission Control, customers are able to significantly increase the operational efficiency of managing multiple Kubernetes clusters running in the VMware Cloud on AWS environment, and also enhance the security and compliance of their Kubernetes infrastructure on top of VMware Cloud on AWS. In addition, Tanzu Mission Control gives developers much easier self-service access to Kubernetes resources, enhancing developer productivity and shortening time-to-market.

Do I need to purchase Tanzu Mission Control separately when using it with VMware Cloud on AWS?

Yes, Tanzu Mission Control is sold separately.

Does VMware Tanzu Mission Control include Tanzu Kubernetes Grid?

No, Tanzu Mission Control does not include Tanzu Kubernetes Grid. However, VMware offers multiple Tanzu editions via which you can purchase Tanzu Mission Control and Tanzu Kubernetes Grid together. Check here for information about Tanzu editions.

How is VMware Tanzu Mission Control priced?

Tanzu Mission Control has two versions: Tanzu Mission Control Standard and Tanzu Mission Control Advanced. Tanzu Mission Control Standard can only be purchased via purchasing the Tanzu Standard edition. Tanzu Mission Control Advanced can be purchased either Standalone or via purchasing Tanzu for Kubernetes Operations. This feature comparison chart shows which features are included. For pricing details, please contact your VMware account team.

Where can I learn more about Tanzu Mission Control?

To learn more about Tanzu Mission Control, please go to the Tanzu Mission Control website.

What is the difference between the Tanzu Standard and Tanzu services?

Tanzu Standard is a self-service model where Customers are responsible for deploying and managing all aspects of Tanzu on VMware Cloud on AWS. VMware remains responsible for managing the SDDC software components and the IaaS infrastructure resources.

Tanzu Services is a fully managed and integrated model where Customers are responsible for providing and maintaining a basic collection of networks for Tanzu Workloads, while VMware is responsible for the management of the Tanzu infrastructure in addition to SDDC software components and the IaaS infrastructure resources.

For more information, see “Who is responsible for deploying and managing Tanzu services on VMware Cloud on AWS?” in this FAQ, as well as the Tech Zone article.

What is included in Tanzu Kubernetes Grid?

Tanzu Kubernetes Grid includes the core binaries to enable and install Tanzu Services on a cluster in VMware Cloud on AWS as well as Tanzu support & services to assist customers in providing break-fix support for their Kubernetes environment. You can find a detailed list of technologies & services supported in the Tanzu Kubernetes Grid documentation.

VMware Horizon on VMware Cloud on AWS

What is Horizon on VMware Cloud on AWS?

VMware Horizon on VMware Cloud on AWS delivers a seamlessly integrated hybrid cloud for virtual desktops and applications. It combines the enterprise capabilities of VMware’s Software-Defined Data Center, delivered as a service on AWS, with the market leading capabilities of VMware Horizon - for a simple, secure and scalable solution.

Where can I find more information on Horizon on VMware Cloud on AWS?

You can find overview information on our Horizon website.

Which version of Horizon will support VMware Cloud on AWS?

Full Clone desktop pool and manual RDSH farms will be supported starting with Horizon 7.5 and onwards. We are working towards additional support options.

Will Horizon on VMware Cloud on AWS be at feature parity with Horizon on-premises?

The Horizon architecture is exactly the same whether it’s running on-premises or on VMware Cloud. However, there are certain Horizon features we do not plan to support on VMware Cloud on AWS:

  • View Composer / Linked Clones
    o This applies to both Linked Clone VDI pools and Linked Clone RDSH farms. Customers using Linked Clones on-premises will be asked to use Instant Clones on VMware Cloud. Mixing and matching two CPA Pods where the on-premises Pod has Linked Clones and the VMware Cloud Pod has Instant Clones will be supported.
  • Content-Based Read Cache (CBRC)
    o Given the profile of the storage used in VMware Cloud on AWS hardware, CBRC does not add much benefit.
  • Security Server
    o Use UAG instead.
  • Unmanaged desktops
  • Manual desktop pools
    o Note: Manual RDSH farms will be supported.
  • Persona Management
  • ThinApp
  • Mirage
  • Fusion
  • Workstation

When deploying Horizon across both on-premises and VMware Cloud on AWS in CPA configuration, does the Horizon version on-premises have to match the Horizon version on VMware Cloud on AWS?

No, that is not necessary. As long as the version of Horizon running on-premises is v7.0 or above, it can be put into the same CPA configuration as Horizon running on VMware Cloud on AWS.

Who is responsible for deploying and managing Horizon infrastructure on VMware Cloud on AWS?

You are responsible. The workflows for deploying and managing Horizon infrastructure are the same as on-premises. SDDC infrastructure and hardware management is the responsibility of VMware.

Is Horizon part of VMware Cloud on AWS?

No. Horizon is software that you can deploy on the VMware Cloud on AWS IaaS (Infrastructure-as-a-Service). Ultimately you are responsible for your Horizon infrastructure, even though your SDDC infrastructure is managed by VMware.

In what regions is Horizon on VMware Cloud on AWS available?

Horizon on VMware Cloud on AWS is available in all the same regions that VMware Cloud on AWS is available.

What is the difference between Horizon on VMware Cloud on AWS and Horizon Cloud?

The biggest difference is the management model. Horizon on VMware Cloud on AWS is an IaaS model where only the cloud platform/SDDC is fully managed, and you must manage your own Horizon infrastructure as well as RDSH farms and desktop pools. For Horizon Cloud, you only have to manage RDSH farms and desktop pools. Horizon Cloud infrastructure as well as the cloud platform/SDDC are fully managed. A significant advantage of Horizon on VMware Cloud on AWS is that it is the same architecture as the Horizon on-premises deployment, and the two can be linked by CPA. For existing on-premises customers who want to build a hybrid VDI cloud, extending Horizon to VMware Cloud on AWS is very easy. Horizon is more customizable than Horizon Cloud. A good example is the desktop model, for example, vCPU and vRAM per VM. With Horizon, you can have any configurations of the vCPU and vRAM. On Horizon Cloud, it is standardized on a limited number of configurations. If you require extensive customized options, you may want to start with Horizon on VMware Cloud on AWS.

Can Horizon also be deployed on VMware Cloud on AWS stand-alone? What are the other ways I can deploy this solution?

Yes. There are two ways you can deploy:

  • Deploy one or more Horizon pods on VMware Cloud on AWS. You can choose to link them together using CPA (or not).
  • Deploy one or more Horizon pods on VMware Cloud on AWS and deploy one or more Horizon pods on-premises. You can choose to link them together using CPA (or not).

What is the licensing requirement for Horizon on VMware Cloud on AWS?

There are two main cost components to a Horizon on VMware Cloud on AWS deployment. The first component is the cost of the VMware Cloud on AWS infrastructure service. List prices are posted online. The second component is the Horizon license, which is a separate charge from VMware Cloud on AWS. Given that this is a cloud deployment, customers are required to use subscription licenses. There are currently two available options for purchasing Horizon subscription licenses.

1) Workspace ONE Enterprise Subscription License: Customers looking for a full digital workspace solution, including Horizon, can purchase Workspace ONE Enterprise or Workspace ONE Enterprise for VDI. Workspace ONE Enterprise entitles customers to Workspace ONE Advanced, Workspace ONE Intelligence, and Horizon Apps. For Horizon customers, this unlocks the RDSH use case. Workspace ONE Enterprise for VDI adds the VDI use case on top of Workspace ONE Enterprise. In order to use these licenses, the customer would have to connect to cloud vIDM (VMware Identity Manager).

2) Horizon Subscription License: Horizon subscription licenses are also available for customers who only want to deploy and pay for Horizon.

All subscription licenses can be used for both cloud deployments and on-premises deployments.

Can I use existing Horizon perpetual licenses for a Horizon on VMware Cloud on AWS deployment?

Horizon perpetual licenses do not entitle you to run Horizon on VMware Cloud on AWS. You will be required to purchase a Horizon subscription license or Workspace ONE Enterprise subscription license in order to run Horizon on VMware Cloud on AWS.

How do I install Horizon on VMware on AWS?

The installation of Horizon on VMware on AWS is like installing Horizon on-premises. More details will be provided in the Horizon 7.5 product documentation.

What are my options for integrating with my enterprise’s AD?

We recommend that you deploy an Active Directory server in your VMware Cloud on AWS environment, and link it with your on-premises Active Directory. While you can certainly extend your on-premises Active Directory to your Horizon on VMware Cloud on AWS deployment, the latency may be unacceptable.

How many desktops can I run on a VMware Cloud on AWS host?

Each host has 2 CPUs, 36 cores, 512GB RAM, NVMe attached flash storage (3.6 TB cache plus 10.7 TB raw capacity tier). How many VMs you can run on the host will depend on the configuration of each VM. For detailed sizing, please refer to the VMware Cloud on AWS Sizer.

What is Horizon Smart Provisioning for VMware Cloud on AWS?

Instant Clones has been enhanced to support Smart Provisioning. Smart Provisioning is the ability for Horizon to choose the best way to provision an instant clone, depending on the environment. In certain cases, instant clones are provisioned to optimize for the speed of clone creation by creating and leveraging parent VMs on each host. In other cases, when speed is not paramount, they can be provisioned in a way that does not require parent VMs, thus freeing up more host memory for desktop workloads. Horizon can seamlessly choose one method or another without the administrator’s involvement, sometimes even in the same pool. This capability makes resource usage even more efficient on VMware Cloud on AWS.

VMware vRealize Automation Cloud

What are the vRealize Automation Cloud services?

The vRealize Automation Cloud services are a bundle of three individual services:

  • Cloud Assembly – Orchestrates and expedites infrastructure and application delivery in line with DevOps principles.
  • Code Stream – Speeds software delivery and streamlines troubleshooting with release pipelines and analytics.
  • Service Broker – Aggregates native content from multiple clouds and platforms into a single catalog with role-based policies.

In which regions is VMware vRealize Automation Cloud available?

vRealize Automation Cloud is available in US West (Oregon), Asia Pacific (Sydney), Asia Pacific (Singapore), Europe (Frankfurt) and Canada (Central).

What security and compliance certifications have the vRealize Automation Cloud achieved?

CSA Self-Assessment and GDPR are supported.

How is usage determined for the vRealize Automation Cloud bundle?

Usage is on a per node per month metric. A node is defined as a cloud instance (AWS EC2 and virtual machine).

Can native AWS services be used with vRealize Automation Cloud?

Yes, vRealize Automation Cloud has the ability to incorporate or use native AWS services, such as AWS CFTs, RDS, Lambda, etc.

What is vRealize Automation (vRA) Add-on for VMware Cloud on AWS?

The new vRealize Automation Cloud Add-on tile on the VMware Cloud on AWS console streamlines vRealize Automation Cloud on-boarding for VMware Cloud on AWS customers. It enables automated workload provisioning by setting up a self-service infrastructure for developers and managing it with governance policies for better insight and control. This console integration:

  • Activates a 60-day trial of vRealize Automation Cloud.
  • Sets up and configures vRealize Automation Cloud with VMware Cloud on AWS.
  • Enables discovery and connection of VMware Cloud on AWS SDDCs to vRealize Automation Cloud.

What features are available in the vRealize Cloud Add-on trial period?

The trial enables full access to vRealize Automation Cloud services – Cloud Assembly, Service Broker and Code Stream. Customers will be able to use all capabilities in the three services including Kubernetes configuration and Terraform integration.

What happens to a customer when the vRA trial period offered by the vRA Add-on expires?

Upon trial period expiration, the customer will no longer have access to vRealize Automation Cloud. All users will be removed from the organization, including the organization admin.

How do I continue accessing vRealize Automation Cloud after the trial period offered by vRA Add-on is over?

Before the trial period is over and data is lost, the customer should contact their VMware account team to become a paid subscriber. There are on-demand and 1- or 3-year subscriptions available.

How do I get this vRA Add-on if I am a VMware Cloud on AWS user?

Each VMware Cloud on AWS SDDC is eligible for vRealize Cloud trial activation. You will be able to see the vRealize Cloud Activation tile on your VMware Cloud on AWS console. If you don’t see the tile, you may have to contact your org’s admin.

Where can I find more information about vRA Add-on?

The VMware Documentation site has detailed documentation on activating and exploring quick cloud setup for VMware Cloud on AWS.

Are there any prerequisites to activating the vRealize Automation trial using the Add-on?

Yes, there are a few prerequisites. It is important to note that if your organization already has a vRealize Automation Cloud subscription, trial activation is not available. An existing subscription appears as a vRealize Automation Cloud card in your VMware Cloud services interface. The specific prerequisites are:

  • Have the username and password credentials for your source VMware Cloud on AWS SDDC VMware vCenter Server for a user with the Cloud Administrator role. The source SDDC is the one you’ll use to initiate the trial activation and automatically create starter objects in vRealize Automation Cloud.
  • Be logged in to VMware Cloud on AWS as a user with the Organization Owner role in the organization that owns the source SDDC.
  • Have an API token for a user with administrator access to the source SDDC.

The detailed procedure is described in the documentation.

What happens during the vRealize Automation Cloud trial activation process?

The trial activation process takes about 20-30 minutes to complete. During this time, your organization is created in vRealize Automation Cloud and a cloud proxy in your VMware Cloud on AWS SDDC is set up. The activation also configures a cloud account, a network profile, a default lease policy and a catalog item in vRealize Automation Cloud to get you started.

If a user accidentally deletes the cloud proxy created during activation process, can it be redeployed without impacting any state?

Yes, the cloud proxy can be deployed again by following the instructions in the VMware Documentation for vRealize Automation Cloud.

How do I get technical support for vRealize Automation Cloud?

VMware Cloud on AWS users can use all VMware support channels if they run into any issue. If the Level 1 triage deems the issue to be related to vRealize Automation Cloud, the case will be internally routed to vRealize technical support.

VMware vRealize Operations Cloud

What is VMware vRealize Operations Cloud?

vRealize Operations Cloud is a cloud management platform that delivers self-driving operations from applications to infrastructure. Powered by AI, vRealize Operations Cloud delivers continuous performance optimization, efficient capacity and cost management, intelligent remediation, and integrated compliance as a VMware Cloud service, beginning with the v8.1 release.

In which regions is VMware vRealize Operations Cloud available?

vRealize Operations Cloud is available in US West (Oregon), Asia Pacific (Sydney), Frankfurt (Germany), Canada (Central) and Asia Pacific (Singapore).

How can I try out vRealize Operations Cloud?

Please visit vRealize Operations Cloud here for a 60-day trial to experience the full technical capabilities or reach out to your VMware account team.

How much does vRealize Operations Cloud cost?

You can view the different pricing models and terms on the vRealize Operations Cloud pricing page, along with other subscription upgrade programs currently available.

What AWS services are supported on vRealize Operations Cloud on VMware Cloud on AWS?

As a native solution to vRealize Operations Cloud, the management pack for AWS uses AWS Cloudwatch to collect operations data for AWS services including EC2, EBS, ASG, EMG and others to provide pre-configured dashboards, alerts, and reports.

Does vRealize Operations Cloud support vSphere on-premises as well?

Yes, it supports VMware vSphere on-premises as well.

How are Management Packs licensed on vRealize Operation Cloud for VMware Cloud on AWS?

Native Management Packs will be available out of the box. For third-party Management Packs, customers will need to bring their own license (BYOL) and a vRealize Operations Cloud SRE will install them.

What is the security and encryption of data in transit?

vRealize Operations Cloud uses TLS encryption for data in transit.

How does vRealize Operations Cloud protect VMware Cloud on AWS customer data?

To learn more about how vRealize Operations Cloud protects customer data, download the VMware Cloud Management Services self-assessment.

Can you monitor VMware Cloud on AWS objects in near real-time with vRealize Operations Cloud?

Yes, with a simple one-click, vRealize Operations Cloud enables near real-time monitoring. 20 second granularity captures alerts with metrics and events and allows observation of data through dashboards and metric charts.

vRealize Log Insight Cloud

What are the benefits of using vRealize Log Insight Cloud?

  • Increased Security – Monitor VMware Cloud on AWS deployments for potential security breaches or internal misuses of infrastructure.
  • Demonstrate Compliance – Comply with regulations and federal laws for auditing requirements.
  • Detailed Insight – Gain visibility into activities in your VMware Cloud deployment, including which users performed what actions and when.

How do I activate vRealize Log Insight Cloud?

In the VMware Cloud Console select Open from the vRealize Log Insight Cloud panel. You will be asked to accept the activation. Once you have accepted the activation you will receive a 60-day free trial of vRealize Log Insight Cloud.

How much does vRealize Log Insight Cloud cost?

You can see pricing for vRealize Log Insight Cloud from the vRealize Log Insight Cloud Services home page.

Are my audit and security logs already in vRealize Log Insight Cloud?

No, we will not start forwarding the audit and security logs into vRealize Log Insight Cloud until you have activated your vRealize Log Insight Cloud instance.

Do I need to install a Data Collector to get audit and security logs into vRealize Log Insight Cloud?

No, audit and security logs are automatically forwarded from VMware Cloud on AWS to your instance of vRealize Log Insight Cloud without the need of a Cloud Data Collector.

How do I access the Audit and Security Logs?

From the VMware Cloud Console simply click open on the vRealize Log Insight Cloud panel. The security and audit logs for your VMware Cloud on AWS instance will be available for query.

How do I get application logs in addition to security logs from VMware Cloud on AWS?

Currently, in order to get additional logs, such as application logs, you must deploy a Cloud Data Collector into your VMware Cloud on AWS instance and point your applications to the data collector for ingestion into vRealize Log Insight Cloud. The data collector is a lightweight OVA which can be installed following the normal OVA VMware vCenter Server deployment process. Instructions to download and deploy the data collector are available in vRealize Log Insight Cloud under the Data Collector information page.

What are examples of audit logs?

  • Virtual Machine Created
  • Virtual Machine Deleted
  • Virtual Machine Modified
  • Firewall Rule Created
  • Firewall Rule Deleted
  • Firewall Rule Modified
  • NAT Rule Created
  • NAT Rule Deleted
  • IPsec VPN Created
  • IPsec VPN Deleted
  • IPsec VPN Modified
  • Number of Failed Logins
  • Virtual Machine Power On Failures
  • Logical Networks Created
  • Logical Networks Deleted
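The audit event types listed above are the raw material for simple monitoring rules: a burst of failed logins for one account, or a change to a firewall, NAT or IPsec VPN rule that should be reviewed. The following is an added example, not code from VMware or from the vRealize Log Insight Cloud service; the key=value log line format and the sample events are constructed for illustration and do not reflect the service's actual schema. It parses a handful of constructed lines, groups them into the categories the FAQ lists, flags failed-login bursts (three or more failures for one user within 60 seconds, a threshold chosen here as an assumption) and lists network-security changes for review.

```python
"""Triage of VMware Cloud on AWS style audit events.

Added example, not code from VMware or the vRealize Log Insight Cloud service.
The "timestamp key=value ..." line format below is a constructed assumption;
the real service exposes these events through its own query interface.
"""
import shlex
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real service output).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z event="Virtual Machine Created" user=alice object=web-01
2024-03-01T10:00:05Z event="Firewall Rule Modified" user=bob object=allow-any-in
2024-03-01T10:00:07Z event="Failed Login" user=svc-backup src=10.0.1.20
2024-03-01T10:00:09Z event="Failed Login" user=svc-backup src=10.0.1.20
2024-03-01T10:00:11Z event="Failed Login" user=svc-backup src=10.0.1.20
2024-03-01T10:00:14Z event="Failed Login" user=svc-backup src=10.0.1.20
2024-03-01T10:00:20Z event="NAT Rule Created" user=bob object=dnat-3389
2024-03-01T10:01:00Z event="IPsec VPN Deleted" user=carol object=vpn-to-dc1
2024-03-01T10:02:00Z event="Virtual Machine Power On Failure" user=alice object=web-02
2024-03-01T10:03:00Z event="Logical Networks Created" user=alice object=seg-app
2024-03-01T10:10:00Z event="Failed Login" user=alice src=10.0.1.30
"""

# Event-name prefixes mapped to the categories the FAQ's audit log list covers.
CATEGORY_PREFIXES = [
    ("Virtual Machine", "vm"),
    ("Firewall Rule", "firewall"),
    ("NAT Rule", "nat"),
    ("IPsec VPN", "vpn"),
    ("Failed Login", "auth"),
    ("Logical Networks", "network"),
]
REVIEW_CATEGORIES = {"firewall", "nat", "vpn"}  # changes worth a human look


def parse_line(line):
    """Parse one constructed line into a dict with a datetime under 'ts'."""
    ts_text, _, rest = line.strip().partition(" ")
    record = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for token in shlex.split(rest):  # shlex handles the quoted event name
        key, _, value = token.partition("=")
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def categorize(event_name):
    for prefix, category in CATEGORY_PREFIXES:
        if event_name.startswith(prefix):
            return category
    return "other"


def summarize(records):
    """Count events per category, e.g. Counter({'auth': 5, 'vm': 2, ...})."""
    return Counter(categorize(r["event"]) for r in records)


def detect_failed_login_bursts(records, threshold=3, window=timedelta(seconds=60)):
    """Flag users with >= threshold failed logins inside any sliding window."""
    per_user = defaultdict(list)
    for r in records:
        if categorize(r["event"]) == "auth":
            per_user[r.get("user", "?")].append(r["ts"])
    alerts = []
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"user": user, "count": best,
                           "first": times[0], "last": times[-1]})
    return alerts


def list_security_changes(records):
    """Return firewall, NAT and IPsec VPN changes with who did them and to what."""
    return [{"ts": r["ts"], "event": r["event"], "user": r.get("user"),
             "object": r.get("object")}
            for r in records if categorize(r["event"]) in REVIEW_CATEGORIES]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per category:", dict(summarize(recs)))
    for a in detect_failed_login_bursts(recs):
        print("failed-login burst:", a)
    for c in list_security_changes(recs):
        print("review:", c)
```

The sliding window is the part worth keeping: counting failures per user over the whole log would also flag an account that fails once a day, while the window version only fires when the failures cluster. On the constructed sample, `svc-backup` trips the rule with four failures in thirteen seconds, `alice` does not, and the three rule changes by `bob` and `carol` land on the review list.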

Are audit logs part of the VMware Cloud on AWS core service?

Yes, VMware Cloud on AWS Customers can access VMware Cloud on AWS audit logs through vRealize Log Insight Cloud for faster monitoring and troubleshooting as a core service.

Will customers have access to VMware Cloud on AWS Firewall packet logs?

Yes, packet logs are forwarded to the vRealize Log Insight Cloud service.

What are the benefits for the customers when they get access to the packet logs?

You get the ability to analyze and troubleshoot application flows through visibility into packets matching specific VMware NSX firewall rules.

Will customers be able to disable the feature of forwarding packet logs to vRealize Log Insight Cloud service?

Yes, you can enable or disable the ingestion of packet logs in the vRealize Log Insight Cloud UI.

Is the ability to ingest firewall packet logs into vRealize Log Insight Cloud a paid feature or a free feature?

The ability to ingest firewall packet logs into vRealize Log Insight Cloud is a paid feature.

vRealize Network Insight Cloud

What is VMware vRealize Network Insight Cloud?

VMware vRealize Network Insight Cloud helps customers build an optimized, highly available and secure network infrastructure across multi-cloud environments. It accelerates micro-segmentation deployment, minimizes business risk during application migration and enables customers to confidently manage and troubleshoot application networking and security across their on-premises and VMware Cloud on AWS environments. vRealize Network Insight Cloud is available in the following two form factors, both with the same scale and features:

  1. VMware vRealize Network Insight – A perpetual on-premises form factor. It is available in two editions – Advanced and Enterprise. VMware Cloud on AWS monitoring is supported in the Enterprise edition.
  2. Network Insight VMware Cloud Service – A subscription-based SaaS form factor.

For more information on vRealize Network Insight, click here. For more information on Network Insight VMware Cloud Service, click here.

How do I get access to vRealize Network Insight?

You can download the vRealize Network Insight platform and collector OVA under the All Downloads section of your My VMware account. For an evaluation license, go to the My Evaluation section of your My VMware account. For a vRealize Network Insight perpetual license, reach out to your VMware account team.

How do I sign up for Network Insight VMware Cloud Service?

You can sign up for the vRealize Network Insight Cloud service here.

  • You will be offered a 60-day free trial initially. After the trial period is over, you will be charged as per your chosen subscription plan.
  • You sign up for the vRealize Network Insight Cloud service with your My VMware ID. If you do not have a My VMware account, please create one before signing up by going to this link.

Alternatively, you can ask your VMware account team to submit a vRealize Network Insight Cloud access referral on your behalf.

How are vRealize Network Insight and vRealize Network Insight Cloud service sold for VMware Cloud on AWS monitoring?

vRealize Network Insight and vRealize Network Insight Cloud SaaS are licensed on a per processor basis. Each VMware Cloud on AWS host has two processors, so two per processor licenses of vRealize Network Insight/vRealize Network Insight Cloud SaaS are required to monitor each VMware Cloud on AWS host. The Enterprise edition of vRealize Network Insight supports monitoring for VMware Cloud on AWS.

What happens after vRealize Network Insight Cloud service sign up?

After you sign up for vRealize Network Insight Cloud SaaS, or after the VMware sales person submits a referral on your behalf, you will receive a Thank You email immediately. Following the Thank You email, you will receive an invitation email with the NIaaS activation link within 1-2 business days. Note: If you do not see the invitation email with the activation link in your inbox, please check your spam folder.

How do I activate vRealize Network Insight Cloud service?

Here is the procedure:

  1. Click the activation link in your invitation mail.
  2. Sign up for VMware Cloud.
     a. If you have a VMware ID, follow the steps to sign up to VMware Cloud with your VMware ID credentials.
     b. If you do not have a VMware ID, follow the steps to create your My VMware account, and sign up to VMware Cloud.
  3. Log in to VMware Cloud with your VMware ID. If you are not redirected to the VMware Cloud Service Portal (CSP) page, go to this link. Click the vRealize Network Insight Cloud tile on the CSP page.
  4. Log in to the Network Insight service using your My VMware credentials.

How do I get vRealize Network Insight Cloud service support?

After you have activated the vRealize Network Insight Cloud service and are logged in to the service console, use In-Service chat support by clicking on the Chat Button at the bottom right corner of the screen.

What are the pre-requisites to onboard a data source in vRealize Network Insight Cloud?

Before you onboard a data source with NIaaS, you need to download the data collector OVA file from the NIaaS service and deploy the OVA in your SDDC through the SDDC VMware vCenter Server. Also, have certain information about your public and private cloud accounts available. Use this checklist to help you get set up before your onboarding call with the VMware Cloud services team. More information is available here.

What roles/permissions are required for the user to be added in VMware Cloud on AWS data sources?

  1. VMware Cloud on AWS VMware vCenter Server – CloudAdmin
  2. VMware Cloud on AWS VMware NSX Policy Manager – VMware NSXCloudAdmin or VMware NSXCloudAuditor (read-only user).

  • The user needs to have the VMware NSXCloudAdmin role in order to enable DFW IPFIX on the VMware Cloud on AWS VMware NSX Policy Manager.
  • A user with the Cloud Auditor role has read-only privileges and would not be able to perform tasks like enabling or disabling DFW IPFIX.

How do I get data if there is a wrong or mismatched configuration of VMware NSX Manager and VMware vCenter Server?

If an incorrect VMware Cloud on AWS VMware NSX Manager is configured with a VMware Cloud on AWS VMware vCenter Server, then critical data required for Flows and Topology to function correctly would be missing. In such cases, the remediation would be to delete the incorrectly added VMware Cloud on AWS VMware NSX Manager data source and add a new VMware Cloud on AWS VMware NSX Manager data source using the correct VMware Cloud on AWS VMware vCenter Server and VMware NSX Manager.

How to enable DFW IPFIX?

Please refer to this link to learn more about how to enable DFW IPFIX.

How do I obtain a CSP refresh token for VMware NSX Manager?

Please refer to this link to learn more about how to obtain a CSP refresh token for VMware NSX Manager.

How do I obtain credentials for VMware vCenter Server?

Please refer to this link to understand how to obtain credentials for VMware vCenter Server.

What would be the impact on vRealize Network Insight or vRealize Network Insight Cloud service if the VMware vCenter Server or VMware NSX Manager is not available temporarily for any reason?

The relevant data from VMware vCenter Server and VMware NSX Manager would not be available for that duration. There won’t be any other impact on vRealize Network Insight or the vRealize Network Insight Cloud service due to this scenario. vRealize Network Insight or the vRealize Network Insight Cloud service will start showing a relevant error message against the unavailable VMware vCenter Server and VMware NSX Manager for that duration. Note: vRealize Network Insight and the vRealize Network Insight Cloud service have no impact on VMware Cloud on AWS lifecycle events such as upgrades.

Can the collector OVA be deployed on an extended segment in VMware Cloud on AWS?

The Collector OVA can be deployed only on native VMware Cloud on AWS segments. Note: Deploying the collector on extended L2 segments is not supported.

Will the vRealize Network Insight Cloud collector automatically restart after a service outage (let's say upgrade)?

Yes.

What if connectivity between the SDDC and the vRealize Network Insight Cloud Service is interrupted for an extended (> 4 hours) period of time? Will the data still be stored locally and be transferred when service is restored?

The vRealize Network Insight Cloud service collector stores data on-premises and transmits this data to the cloud service when the connection is re-established. The amount and duration of data stored depends on factors such as the number of data sources and the volume of flows. 5GB of total collected data is kept in the collector if the platform is not available, and this data is pushed to the platform when it becomes accessible.

What firewall rules should be created in the VMware Cloud on AWS SDDC customer environment for vRealize Network Insight or vRealize Network Insight Cloud service?

Please refer to this link to learn more about the firewall rules that need to be created.

CloudHealth Hybrid

What is CloudHealth Hybrid by VMware?

CloudHealth Hybrid by VMware is a relaunch and rebranding of CloudHealth Data Center module with new capabilities that enable customers and partners to optimize and govern hybrid clouds. CloudHealth Hybrid brings together the functionality of CloudHealth Data Center and vRealize Business for Cloud (vRBC) into a single standalone SaaS offering.

What are the key features of CloudHealth Hybrid?

  • Cost benchmarks and drivers: CloudHealth Hybrid reports on all data center costs, including power and cooling, based on a customer’s specific cost drivers and industry benchmarks. Customers can compare their costs to industry benchmarks and have the flexibility to override benchmark pricing for all cost drivers and customize for their specific environment. This provides a complete and accurate view of their hybrid cloud costs.
  • VMware Cloud on AWS support: CloudHealth Hybrid added support VMware Cloud on AWS in addition to current support for