VMware Cloud on AWS Frequently Asked Questions
What is VMware Cloud on AWS?
VMware Cloud™ on AWS brings VMware’s enterprise-class Software-Defined Data Center products to the AWS Cloud with optimized access to AWS services. VMware Cloud on AWS integrates our compute, storage, and network virtualization products (VMware vSphere, vSAN™ and VMware NSX) along with VMware vCenter Server management, optimized to run on dedicated, elastic, bare-metal AWS infrastructure.
Where is VMware Cloud on AWS available today?
Where is VMware Cloud on AWS GovCloud (US) available?
VMware Cloud on AWS GovCloud (US) is available in the AWS GovCloud (US West) and AWS GovCloud (US East) regions.
What are the features included in VMware Cloud on AWS?
What do you mean by “SDDC?”
SDDC stands for Software-Defined Data Center. A deployment of vSphere, vSAN, NSX, and more inside VMware Cloud on AWS is encapsulated into a unit we refer to as an SDDC, which is roughly equivalent to a vSphere cluster in the on-premises world.
Can workloads running in a VMware Cloud on AWS SDDC integrate with AWS services?
Yes. VMware Cloud on AWS SDDC is running directly on AWS elastic bare metal infrastructure, which provides high bandwidth and low latency connectivity to AWS services. Virtual machine workloads can access public API endpoints for AWS services such as AWS Lambda, Amazon Simple Queue Service (SQS), Amazon S3 and Elastic Load Balancing, as well as private resources in the customer's Amazon VPC, such as Amazon EC2, and data and analytics services such as Amazon RDS, Amazon DynamoDB, Amazon Kinesis and Amazon Redshift. You can also now enjoy Amazon Elastic File System (EFS) for fully managed file service to scale the file-based storage automatically to petabyte scale with high availability and durability across multiple availability zones and the newest generation of VPC Endpoints designed to access AWS services while keeping all the traffic within the AWS network.
How do I sign up for VMware Cloud on AWS?
How does VMware protect customer data in VMware Cloud on AWS?
VMware Cloud on AWS is designed with multiple layers of protection. The service inherits all the physical and network protections of the AWS infrastructure and adds dedicated compute and storage along with the security capabilities built into vSphere, vSAN and VMware NSX. All data transmitted between your customer site and the service can be encrypted via VPN. All management communications between the VMware Cloud on AWS service and your SDDCs are encrypted. Data at rest inside the SDDC is encrypted. The VMware Cloud on AWS infrastructure is monitored, regularly tested for security vulnerabilities, and hardened to enhance security.
What VMware SDDC products do I need to have on-premises for VMware Cloud on AWS?
Is there localized language support for the international regions?
VMware Cloud on AWS supports language and regional format settings in French, Spanish, Korean, Simplified Chinese, Traditional Chinese, German, Japanese, and English. These languages are supported in the VMware Cloud on AWS Console and in Cloud Service Platform features such as Identity & Access Management, Billing & Subscriptions, and some areas of the Support Center. You can change your display language before you log in to the VMware Cloud on AWS console or in your account settings. See for more information.
How is VMware Cloud on AWS deployed?
VMware Cloud on AWS infrastructure runs on dedicated, single tenant hosts provided by AWS in a single account, provisioned through the VMware Cloud Console. There are different host instance types, such as I3.metal, I3en.metal, and I4i.metal, to choose from based on your sizing requirements. Sizing and differences between the instance types can be found in .
Each host can run many virtual machines (tens to hundreds depending on their compute, memory, and storage requirements). Clusters can range from a minimum of two (2) hosts up to a maximum of sixteen (16) hosts per cluster. A single VMware vCenter Server is deployed per SDDC.
While VMware Cloud on AWS customers need to have an AWS account associated with their deployments, customers do not need to provision hardware directly with AWS. Provisioning and configuration are done automatically through the VMware Cloud Console.
Pricing, TCO, and Subscriptions
How can I purchase VMware Cloud on AWS services?
Please contact your VMware account team. You can purchase either Subscription Purchasing Program (SPP) credits or Hybrid Purchasing Program (HPP) credits and redeem those credits on the service. Please refer to the and/or . You can also use your credit card or pay by invoice for the service.
What currencies are supported for purchasing VMware Cloud on AWS?
USD, GBP, EURO, JPY, AUD, and CNY are supported by VMware Cloud on AWS.
How will I be charged for VMware Cloud on AWS services?
This service is delivered, sold, and supported through VMware, VMware Partners, AWS, and VMware Managed Service Providers. You will get a single bill that includes the total charges for using this service, including the VMware SDDC software and the underlying AWS resources that were provisioned for VMware Cloud on AWS SDDCs.
One of the strengths of VMware Cloud on AWS is the proximity to native AWS services. However, any additional services that are provisioned by customers using the AWS Console, AWS APIs, or other orchestration tools outside of VMware Cloud on AWS will be billed by AWS directly.
How is VMware Cloud on AWS priced?
When do charges for VMware Cloud on AWS service start?
Charges begin when you provision an SDDC.
When do charges for VMware Cloud on AWS service stop?
Charges end when all SDDCs have been deleted.
How is the Single Host SDDC starter configuration priced?
Can I change the region or host type for a subscription?
Flexible Subscriptions can be changed (see below). Other types of subscriptions are limited to the configuration set when the purchase was made. Please ensure that the host types, counts, and regions covered by the purchase agreements are what you intend.
What is Flexible Subscription?
The “Flexible Subscription” for VMware Cloud on AWS allows customers to exchange their VMware Cloud on AWS Flexible Subscription for any new VMware Cloud on AWS term subscription. Customers can terminate an existing flexible term subscription (1- or 3-year commitment) early and transfer the remaining value to a new 1- or 3-year subscription.
How can I purchase a Flexible Subscription?
Flexible Subscription can be purchased through the VMware Cloud console. Please work with your account team to determine if Flexible Subscription is right for you. Flexible Subscriptions are available via all purchasing paths except Managed Service Providers.
Which instance types are available as Flexible Subscriptions?
All instance types are available as Flexible Subscriptions in the regions where those instance types are offered.
How do I request an exchange for Flexible Subscription?
You start the exchange via the VMware Cloud Console and a support team member will follow up.
Can I exchange partial hosts in my Flexible Subscription?
You must exchange all the hosts on your Flexible Subscription.
Can I exchange my standard Subscription for a Flexible Subscription?
Only Flexible Subscriptions can be exchanged.
Can I receive a refund for an exchange of my Flexible Subscription?
The credit you receive can only be used toward purchasing a new VMware Cloud on AWS subscription.
What will happen to my workloads when I exchange a Flexible Subscription?
The exchange only affects your financial commitments; there is no direct impact on workloads. However, you may be charged an on-demand rate if you have workloads running that are not covered by your new subscription.
What will happen to my Flexible Subscription when I exchange it?
Your original Flexible Subscription will end.
The leftover value on my Flexible Subscription is higher than the value of the new VMware Cloud on AWS subscription that I am planning to purchase. Will I get credits back?
No, all leftover value will be applied towards your new subscription purchase. We cannot refund credits.
Can I change the host count or type for a purchased subscription?
You cannot change any parameters in a standard subscription after purchase. Before purchasing, please confirm that you select the correct host instance type, count, and regions. You can always purchase additional subscriptions to increase host count.
What are the payment options for 1- and 3-year subscriptions?
1- and 3-year subscriptions are paid either up front in full or in monthly installments; in both cases the commitment is for the full 1- or 3-year term.
How do I create a subscription for 1- and 3-year subscription options?
After you land on the VMware Cloud on AWS Console, you can click on the “subscription” tab in the navigation bar to create a subscription. Once the subscription is created, you can start enjoying the discounted rate for the number of hosts that you purchase. Please note that the subscription is charged upfront or monthly to your payment method.
How long does it take for a 1- or 3-year subscription to activate? How will I know the subscription is active?
It takes up to 30 minutes for a subscription to activate, and the activation will be reflected in the Subscription Status.
Do 1- and 3-year subscriptions auto-renew at the end of the term?
No, subscriptions do not auto-renew. Customers can purchase additional subscriptions at any time.
Can customers cancel a 1- or 3-year subscription?
Subscriptions cannot be cancelled before the subscription term expires.
Do any resources get provisioned once I purchase a 1- and 3-year subscription?
Provisioning is independent of purchasing a subscription. A subscription is simply a financial commitment.
Do I get a refund for unused capacity under my 1- or 3-year subscription?
No, we cannot refund unused credits.
Can I purchase additional 1- and 3-year subscriptions? Will additional subscriptions align their start and end dates (co-term)?
You may always purchase additional subscriptions. Each subscription will have its own start and end date (no co-termination).
Can I provision an SDDC with more hosts than the number of hosts in my 1- or 3-year subscription?
Yes. This is considered overage usage and all hosts over the subscription limit will be billed with an on-demand rate.
How is overage calculated? What is the overage rate? When will I be billed for overages?
VMware takes the number of hosts used in your organization per hour in each region and subtracts the total committed hosts in all your subscriptions for each specific region. The remainder is the overage. Overage usage is billed at on-demand rates per VMware Cloud on AWS pricing. Overages are billed in arrears and will be reflected in your invoice, which you receive after your billing date.
What are my financing options for subscriptions?
You can either pay upfront and in full or monthly. In both financing options, the commitment is for either 1- or 3-year terms.
Can I cancel a monthly billed subscription?
Subscriptions are not cancellable; you are liable for either 1- or 3-year full term payments.
I bought a 3-year monthly billed subscription, but my CPP credit fund will expire after 1 year, what should I do?
Please reach out to your VMware Account Team or Customer Success representative to ensure you have enough credits for the appropriate 1 or 3-year commitment duration.
How is the $2000 Prepaid Credit determined and how will I know if I am exempt from the charge?
The implementation of the upfront $2000 Prepaid Credit is part of our fraud-prevention policy. Any charge incurred by the user is then applied to the hourly on-demand rate for the service or an annual subscription. This Prepaid Credit is waived at VMware's discretion based on the user's current level of engagement with VMware. Users will be notified of any waiver affecting their requirement to have a Prepaid Credit when they are about to deploy their first SDDC.
I have a Flexible Subscription with I3.metal/I3en.metal instance types. Can I use my leftover term to replace those hosts with the new I4i.metal type?
You can exchange an existing Flexible Subscription for a new standard subscription with I4i hosts.
I have a standard subscription with I3.metal/I3en.metal instance types, but I'd like to use the new I4i instance types? What are my options?
The terms of a standard subscription cannot be changed, so you cannot exchange the host types. However, you can purchase new subscriptions with the instance types and regions you desire.
Credit Card Payment
I used a credit card to sign up for the service. What is the $2000 USD charge used for?
$2000 USD is used as credit for your future use.
I used a credit card to sign up for the service. When will I be charged $2000 USD?
You will be charged $2000 USD once you deploy your first SDDC. You will not be charged for any subsequent SDDC deployment.
I used a credit card to sign up for the service. What currency will I be charged in?
You will be charged in the currency that corresponds to your billing address in your My VMware account profile.
I used a credit card to sign up for the service and was charged $2000 USD. What can I use this credit for?
You can use this credit only towards VMware Cloud on AWS usage; the credit expires after 60 days and is only redeemable through VMware Cloud on AWS.
I used my credit card to sign up for the service and was charged $2000 USD, can I get a refund?
The charge is non-refundable, and the credit is valid for 60 days.
I’m a credit card customer and I transitioned to Subscription Purchase Program (SPP) credits, what do I need to do?
You can change your payment method in the CSP portal as described here. Please note that you will be charged on the payment method that was the default when the bill was generated.
I signed up last year using a credit card. Will I be charged when I deploy an SDDC?
Yes, you will be charged when you deploy your first SDDC.
I want to change my payment method to credit card from SPP funds. Will I be charged?
You will only be charged if your payment type is credit card and this is your first SDDC deployment.
Can the 60-day timeframe be extended since I was unable to utilize the $2000 USD charge?
VMware cannot extend the 60 day period.
I have not received the invoice for the $2000 USD charge, whom do I engage to get the invoice?
Which credit/debit cards can I use to purchase Single Host?
You can use your personal or corporate Mastercard, Visa, American Express, Discover, JCB or Diners Club credit cards. Please note, however, that Discover, JCB and Diners Club are only supported in certain countries. You may also use a debit card if it is Mastercard, Visa, or American Express.
How do I add a credit card as a payment method?
You can add a credit card during the initial onboarding or add it via the Cloud Console.
Will my card be charged any amount when adding the card as a payment method?
No. We verify to ensure your credit card is valid, but the validation is done with a zero-dollar value authorization.
Can I use a credit card with non-U.S. billing address?
Yes, you can.
What is the largest amount I can pay by credit card?
Your credit card limit and your payment processor determine the size of your transactions. The maximum amount you can spend in a single transaction is $25,000. Please contact your issuing bank for more information about your credit limit. More information .
Can I purchase 1- or 3-year subscriptions using my credit card?
1- or 3-year subscriptions cannot be purchased with credit cards. For exceptions please contact your VMware Account Team or VMware Support.
What is a Seller?
A Seller is the billing account for an org: in simpler terms, the company that sends the bill to the customer. It indicates which legal entity or person is identified as the Seller of Record for a specific product to the end consumer. The Seller of Record also often assumes the responsibility for accounting for transaction tax on that particular transaction. Sellers have their own set of commerce attributes that may or may not be unique to that seller, such as Payment Method, Terms of Service, Offer catalog, Pricing, Regions, Currencies accepted, and Billing engines with different invoice templates and billing business rules.
What aspects does the seller concept apply to?
An organization can have two sellers today: AWS and/or VMware. They can choose the seller while creating new subscriptions and SDDCs.
Would customers need a multi-org setup after enabling two sellers?
More than one org is not needed to support multiple Sellers of Record and it is not encouraged to have more than one org with VMware Cloud on AWS SDDCs.
How do I know a product offering is supported by a seller?
Is the 'Multiple Sellers in one org' feature available for all customers?
It is available for any VMware Cloud on AWS commercial customer that has two sellers established. Please consult with your account team prior to setting up and using multiple sellers and have them contact product management resources as necessary.
Can the customers move their subscriptions from one seller to another?
No. This is not possible.
Can a customer convert VMware SPP Funds to EDP Credits and vice versa?
No. This is not possible.
Is creating a fund equivalent to creating a subscription?
No, adding a fund and creating a subscription are two separate, disjoint activities. Customers should not assume that adding new funds translates into subscriptions; they still need to create subscriptions in the VMware Cloud Console.
Can one seller's subscription cover other sellers too?
No, a subscription can only cover hosts within that seller. Example: you have 2 SDDCs with 4 hosts each, one with VMware as the seller and one with AWS as the seller, and a three-year term subscription for four hosts with VMware as the seller. In that case, the 4-host SDDC with AWS as the seller is charged on demand.
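The overage rule (hosts used per hour and region minus committed hosts, billed at on-demand rates) and the per-seller rule above combine into a small computation. The following is an added example, not VMware's billing engine: it keys committed hosts by seller, region and host type (matching on host type is an assumption, since subscriptions are purchased per instance type), and all usage rows, subscriptions and the on-demand rate are constructed sample data reproducing the two-SDDC scenario above.

```python
"""Overage host-hours per hour, region and seller (added example).

Follows two FAQ statements: overage is hosts used per hour per region minus
the hosts committed by all subscriptions for that region, billed at the
on-demand rate; and a subscription only covers hosts whose SDDC has the same
seller. Matching on host type as well is an assumption. All usage rows,
subscriptions and rates below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Subscription:
    seller: str      # "VMware" or "AWS"
    region: str
    host_type: str
    hosts: int


@dataclass(frozen=True)
class HostHour:
    """One host running for one metered hour."""
    hour: str        # timestamp truncated to the hour
    seller: str
    region: str
    host_type: str
    sddc: str


def committed_hosts(subs):
    """Total committed hosts per (seller, region, host_type) across all subscriptions."""
    total = defaultdict(int)
    for s in subs:
        total[(s.seller, s.region, s.host_type)] += s.hosts
    return total


def overage_by_hour(usage, subs):
    """Map (hour, seller, region, host_type) -> hosts above the committed count."""
    used = defaultdict(int)
    for u in usage:
        used[(u.hour, u.seller, u.region, u.host_type)] += 1
    committed = committed_hosts(subs)
    over = {}
    for (hour, seller, region, htype), n in used.items():
        extra = n - committed.get((seller, region, htype), 0)
        if extra > 0:          # unused committed hosts are never credited back
            over[(hour, seller, region, htype)] = extra
    return over


def overage_charge(usage, subs, on_demand_rate):
    """Bill every overage host-hour at the on-demand rate for its region and type."""
    total = 0.0
    for (_hour, _seller, region, htype), extra in overage_by_hour(usage, subs).items():
        total += extra * on_demand_rate[(region, htype)]
    return round(total, 2)


def _constructed_usage():
    """The FAQ scenario: one 4-host SDDC sold by VMware and one sold by AWS in
    the same region; in the second hour the VMware SDDC grows to 5 hosts."""
    rows = []
    for hour, vmware_hosts in (("2024-03-01T00", 4), ("2024-03-01T01", 5)):
        rows += [HostHour(hour, "VMware", "us-west-2", "i3.metal", "sddc-vmware")] * vmware_hosts
        rows += [HostHour(hour, "AWS", "us-west-2", "i3.metal", "sddc-aws")] * 4
    return rows


SAMPLE_USAGE = _constructed_usage()
SAMPLE_SUBS = [Subscription("VMware", "us-west-2", "i3.metal", 4)]  # 3-year, 4 hosts
SAMPLE_RATES = {("us-west-2", "i3.metal"): 8.0}  # constructed $/host-hour, not a real price


if __name__ == "__main__":
    for key, extra in sorted(overage_by_hour(SAMPLE_USAGE, SAMPLE_SUBS).items()):
        print(key, extra)
    print("overage charge:", overage_charge(SAMPLE_USAGE, SAMPLE_SUBS, SAMPLE_RATES))
```

Running it shows the AWS-seller SDDC's four hosts as overage in every hour, plus one extra VMware-seller host in the second hour; the VMware subscription never offsets the AWS SDDC because the seller keys differ.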
Can a single SDDC have 2 Sellers?
No. An org can have 2 sellers, but each SDDC under the org has exactly 1 seller.
How do distributors purchase VMware Cloud on AWS hosts by SKU?
Please engage with your VMware account team, select the appropriate VMware Cloud on AWS subscription from the Partner Pricebook, and then initiate your order through the account team once your reseller agrees to the terms you define. Your end customer decides when they are ready to consume the service and create a Software-Defined Data Center (SDDC).
As a distributor, do I need SPP Credits or a contract to purchase these SKUs?
No. You can pay for the SKUs directly for a designated reseller and end customer. The end customer’s email address will be used to provision the service, and an email invitation will be sent to onboard and start the service.
Why would a distributor buy VMware Cloud on AWS hosts through this SKU-based transactional motion?
This suits you if you want to start your cloud journey but are not ready to sign a contract, purchase a large volume, or make a significant commitment of time and funds upfront. In that case, you can start small (with a 2-Host 1-year subscription) purchased by SKU and scale as needed later.
Like purchasing vSphere+, you can now buy VMware Cloud on AWS by SKU without signing a contract.
When does the subscription start if I purchase VMware Cloud on AWS hosts through SKU?
The subscription starts once the onboarding email invitation is sent to the distributor’s designated end customer’s email address.
As an end customer, what if I start my service two months after the distributor purchases a 1-year subscription for me?
In that case, as an end customer, you start the service with only ten months left on your 1-year subscription. The subscription always starts on the day the onboarding email invitation is sent.
How does the billing work for SKU-based transactional motion?
Subscriptions entitle the end-user to a certain number of host hours. They are billed within the first 30 days of the purchase. Host hour usage over the purchased subscription and non-host charges such as data transfer, elastic IP, EBS, vSAN, or custom networking configuration charges are billed using a 30-day billing cycle in arrears.
Who gets billed when VMware Cloud on AWS hosts are purchased through SKU-based transactional motion?
The distributor is the one who will be billed for the subscription they purchased for the designated reseller and end-user pair. The distributor receives the data to bill the reseller, who uses the report to enable billing to the end customer.
How do distributors purchase VMware Cloud or VMware Cloud Universal through this new commerce motion?
The distributor would need to engage with the VMware account team to sign a Commitment Based Contract (CBC) with VMware. The distributor would need to provide the following details: Type of CBC (VMware Cloud Standalone or VMware Cloud Universal), Reseller & customer details, required product offerings, and CBC term. All the discounts are negotiated upfront between VMware and the distributor and are applicable during the Commitment Based Contract (CBC) tenure. For this new commerce motion, the distributor would need to mention the payment type as “PurchasePay” to the account team.
Does the distributor need to purchase SPP Credits to leverage this new commerce motion?
No, SPP credits do not need to be purchased to take part in this new commerce motion.
How much does the distributor need to pay VMware on the day the Commitment Based Contract (CBC) is signed?
No amount is due on the day the CBC is signed.
Why would a distributor buy VMware Cloud or VMware Cloud Universal this way?
Distributors will receive the opportunity to enable a significant volume discount for a specific reseller/end customer combination. The distributor would commit to a budget while allowing the customer the flexibility in consuming what they need when they need it without any renegotiation.
With this new Commerce motion, the distributor is not required to park the money upfront and the distributor needs to pay monthly only for the VMware Cloud offerings purchased by the end customer.
Can the distributor sign multiple Commitment Based Contracts (CBC) with VMware?
A Commitment Based Contract (CBC) has a 1:1:1 relationship between the distributor, reseller, and end customer. VMware does not support a wholesale model, i.e. a distributor cannot sign a single Commitment Based Contract (CBC) and use it across a pool of resellers and end customers. For each new end customer, the distributor must sign a new CBC with VMware for the associated reseller. For “n” distinct end customers, the distributor must sign “n” CBCs with VMware.
A distributor had onboarded the customer using the VMware on AWS SKU-based transactional commerce motion. Can the distributor transition the customer to Commitment Based Contracts (CBC)? Will there be any impact on the customer's workloads?
We support seamless migration from SKU-based transactional commerce motion to Commitment Based Contracts (CBC). There would neither be any system downtime nor any impact on the customer’s workloads during the migration.
How does the customer purchase the VMware Cloud offerings via this new commerce motion?
The customer self-serves all purchases directly from the console. The customer is the owner of the environment/org and can create SDDCs, add/remove hosts, and oversee Identity & Access Management (IAM).
How does billing work?
The customer receives an onboarding email when the Commitment Based Contract (CBC) is signed. The billing starts only when the customer purchases subscriptions or deploys SDDC. The distributor will be charged monthly by VMware based on the associated customer's consumption of VMware Cloud offerings.
What happens when the distributor signs the Commitment Based Contract (CBC) with VMware but the customer does not use the onboarding link for three months? Will the distributor get any bill from VMware for these three months?
No, since the customer has not onboarded, the distributor will not be billed. However, the Commitment Based Contract (CBC) would still be active and the tenure of the CBC would be reduced by 3 months.
Who gets billed?
The distributor will be billed on the 10th of every month using the proforma process by VMware based on the associated customer's consumption of VMware Cloud offerings. The distributor receives data to then bill the reseller, who in turn uses the report to enable billing of the end customer. Distributors and resellers can set up their own prices downstream to get the desired margins. VMware has no visibility into the margins of the distributor or reseller.
What is the VMware Cloud on AWS Sizing and Assessment Tool?
You can use the to size your workloads for VMware Cloud on AWS. The tool's logic takes into account factors including storage, compute, memory and IOPS to provide you with the most optimized server and SDDC recommendation for VMware Cloud on AWS. Once you have completed sizing your workloads, you can calculate your total cost of ownership (TCO) for these workloads and compare it with an on-premises virtual environment. The tool calculates the number of hosts and clusters required to run your workload on a VMware Cloud on AWS SDDC.
How do I access the VMware Cloud on AWS Sizing and Assessment Tool?
How many workload profiles can I create and customize in the Sizing and Assessment Tool?
You can create between 1 and 10 workload profiles to simulate a mixed workload environment. We have included workflows for some common workloads such as VDI, databases and general-purpose workloads to simplify this process.
What factors do you consider for sizing VMware Cloud on AWS?
In addition to the inputs available in the tool, the factors that we consider are:
- CPU – CPU headroom in steady state and in failure
- IOPS – IOPS per disk group, IO profile, IO amplification
- Capacity – Slack space, swap space, deduplication, compression, disk formatting, base 10 to 2
- Others – FTT, N+1, RAID1, RAID5, RAID6
What server profiles does the Sizing and Assessment Tool recommend?
Currently, the tool recommends "Fixed Server" profile based on the I3, I3en and I4i instance types. In the future, as VMware Cloud on AWS supports more instance and profile types, the recommendation will account for this and recommend the most optimized profile and instance type for your environment.
How does the resource utilization plan impact my sizing exercise?
In a real-world deployment, not all VMs run at the same utilization. The resource utilization plan (RUP) accounts for this by letting you assign different utilization percentages to groups of VMs running your applications. Using the RUP, you can modify the overcommit in the Advanced Settings tab, located in the Additional Information section of the workload profile. Adjust the values to reflect your expected consolidated state more closely; for example, setting the % VMs value to 100% and "run at" to 80% means you anticipate a net cluster-wide utilization of 80%.
How do I select I/O profiles which are not listed on the Sizing and Assessment Tool?
The IO profiles are tied to underlying VMware Cloud on AWS performance data. To get the most optimized performance, select the ratio closest to the ratio that you require.
What are the different settings available in the Sizing and Assessment Tool?
- CPU headroom: cores reserved for spikes in workload activity so that they do not cause latency. This option lets you reserve cores both in steady state and under host failure.
- Host failure scenario: the equivalent of an N+1 design, where the logic accounts for one additional host for redundancy.
Advanced Settings:
- Resource utilization plan (RUP): refer to the question above on the resource utilization plan and how it affects your sizing exercise.
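To make the sizing factors listed above concrete (CPU headroom in steady state and failure, the resource utilization plan's "% VMs × run at" net utilization, FTT/RAID space overhead, slack space, base-10 to base-2 conversion, and an N+1 host), here is an added example of a simplified host-count estimate. It is not the VMware Cloud on AWS Sizing and Assessment Tool or its logic; the host profile, vCPU:core ratio, headroom and slack percentages and the sample workload are constructed assumptions, and only the RAID/FTT multipliers are the standard vSAN storage-policy factors.

```python
"""Simplified SDDC host-count estimate (added example).

Mirrors only the factors the FAQ lists; it is not VMware's sizing tool.
Host specs, vCPU:core ratio, headroom, slack and the sample workload are
constructed assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class HostProfile:
    name: str
    physical_cores: int
    memory_gib: float
    raw_storage_tb: float  # vendor figure in base-10 terabytes


@dataclass(frozen=True)
class WorkloadProfile:
    vm_count: int
    vcpus_per_vm: int
    memory_gib_per_vm: float
    storage_gib_per_vm: float
    pct_vms: float = 1.0  # RUP: share of VMs counted as active
    run_at: float = 0.8   # RUP: how hard those VMs run


# Space amplification of vSAN storage policies (usable = raw / factor):
# RAID1 keeps FTT+1 full copies; RAID5/RAID6 erasure coding adds parity.
RAID_OVERHEAD = {
    ("RAID1", 1): 2.0,
    ("RAID1", 2): 3.0,
    ("RAID5", 1): 4 / 3,
    ("RAID6", 2): 1.5,
}

CLUSTER_MIN_HOSTS, CLUSTER_MAX_HOSTS = 2, 16  # cluster limits stated in the FAQ


def tb_base10_to_gib(tb: float) -> float:
    """Vendors quote 10^12-byte TB; the hypervisor reports 2^30-byte GiB."""
    return tb * 1e12 / 2**30


def effective_demand(workloads):
    """Aggregate demand with the RUP applied to CPU and memory
    (100% of VMs at 80% => net utilization 0.8). Storage is allocated
    capacity, so the RUP does not reduce it."""
    vcpu = mem = storage = 0.0
    for w in workloads:
        net = w.pct_vms * w.run_at
        vcpu += w.vm_count * w.vcpus_per_vm * net
        mem += w.vm_count * w.memory_gib_per_vm * net
        storage += w.vm_count * w.storage_gib_per_vm
    return vcpu, mem, storage


def hosts_required(workloads, host, *, vcpu_per_core=4.0, cpu_headroom=0.15,
                   raid="RAID5", ftt=1, slack=0.25, host_failures=1):
    vcpu, mem, storage = effective_demand(workloads)
    # CPU: hold back headroom cores so activity spikes do not become latency.
    cores_usable = host.physical_cores * (1 - cpu_headroom)
    cpu_hosts = vcpu / (cores_usable * vcpu_per_core)
    mem_hosts = mem / host.memory_gib
    # Storage: convert units, keep slack space free, divide by policy overhead.
    usable_gib = (tb_base10_to_gib(host.raw_storage_tb) * (1 - slack)
                  / RAID_OVERHEAD[(raid, ftt)])
    storage_hosts = storage / usable_gib
    by_resource = {"cpu": cpu_hosts, "memory": mem_hosts, "storage": storage_hosts}
    limiting = max(by_resource, key=by_resource.get)
    # N+1: one extra host per tolerated host failure, then the cluster minimum.
    hosts = max(math.ceil(by_resource[limiting]) + host_failures, CLUSTER_MIN_HOSTS)
    return {
        "limiting_resource": limiting,
        "hosts": hosts,
        # Rough split only; each real cluster would carry its own N+1 host.
        "clusters": math.ceil(hosts / CLUSTER_MAX_HOSTS),
        "breakdown": {k: round(v, 2) for k, v in by_resource.items()},
    }


# Constructed sample: a generic 36-core host with 512 GiB RAM and 10 TB raw
# vSAN capacity, and 200 general-purpose VMs (4 vCPU, 16 GiB, 100 GiB each).
SAMPLE_HOST = HostProfile("example-host", 36, 512, 10.0)
SAMPLE_WORKLOADS = [WorkloadProfile(200, 4, 16, 100, pct_vms=1.0, run_at=0.8)]


if __name__ == "__main__":
    print(hosts_required(SAMPLE_WORKLOADS, SAMPLE_HOST))
```

With the sample data CPU is the limiting resource (about 5.2 hosts of demand), so the estimate is 6 hosts plus one for N+1. Switching the storage policy to RAID1 with FTT=2 triples the raw capacity needed and storage becomes limiting instead, which is the kind of sensitivity the tool's FTT/RAID inputs exist to expose.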
Industry & Regulatory Compliance
What compliance certifications has VMware Cloud on AWS achieved?
VMware Cloud on AWS has been independently verified to comply with many leading compliance programs, including but not limited to ISO 27001, ISO 27017, ISO 27018, SOC 2, HIPAA, PCI-DSS, OSPAR, IRAP. Check the for more information (Please filter for ‘VMware Cloud on AWS’ and ‘VMware Cloud on AWS GovCloud’ in Services).
Are VMware Cloud on AWS SDDCs compliant with PCI-DSS (PCI)?
The VMware Cloud on AWS cloud platform has successfully been assessed to meet PCI compliance as a level 1 service provider.
What regions are available to run PCI-compliant workloads on VMware Cloud on AWS?
If a customer migrates their VMs into a PCI-compliant SDDC, does that mean that their VMs, applications, and workloads are automatically also PCI-compliant?
No. The whitepaper “” illustrates how the Shared Responsibility Model relates to PCI compliance. The responsibilities are shared between VMware and Customers. VMware handles PCI compliance of the VMware Cloud on AWS cloud service and cloud platform. Similarly, customer workloads running in VMware Cloud on AWS must pass an entirely separate PCI assessment solely managed by the customer. Customers must hire a Qualified Security Assessor (QSA) to assess and verify their PCI SDDC configuration and must verify that the workloads are PCI-compliant.
Can a standard SDDC be upgraded to a PCI SDDC?
Yes, a standard SDDC can be retrofitted with PCI compliance hardening through the SDDC settings.
What is the difference between a standard SDDC and a PCI SDDC?
PCI SDDCs will have the following major differences from a standard SDDC to prevent non-compliant services from impacting their PCI compliance status:
- SDDC components (VMware vCenter Server, vSAN, VMware ESXi) are “hardened” based on VMware security standards incorporated from GovCloud. VMware NSX appliances are security hardened using VMware NSX Hardening guidelines.
- PCI Customers must use the local VMware NSX Manager to manage SDDC networking and security. This is accomplished by disabling the Networking & Security Tab in the VMware Cloud Console.
- Although customers can use non-compliant VMware Cloud on AWS Add-ons during the setup of their SDDC, our PCI auditors determined that customers must disable VMware HCX and Site Recovery Add-ons (These Add-ons are not currently PCI-compliant and must be disabled by the customer administrator in the VMware Cloud Console).
- The vRealize Automation Cloud Add-on service is also not PCI-compliant and will not work on PCI SDDCs.
Can I use VMware HCX and/or vRealize Automation Cloud in a PCI-compliant SDDC?
VMware Cloud implementations of VMware HCX and vRealize Automation Cloud are not PCI-compliant.
Can I use VMware Site Recovery (VSR) in a PCI-compliant SDDC?
Yes. Information about the VMware Site Recovery PCI compliance is available in the VMware Cloud Trust Center.
Can a PCI-compliant SDDC be deployed on any host type?
Yes. All PCI configurations are done at the SDDC layer and are independent of the underlying physical hosts.
Which auditor is VMware using for the PCI Audit?
Crowe is the VMware Cloud on AWS PCI QSA.
Will customers need to buy additional VMware Cloud on AWS licenses to deploy a PCI-compliant SDDC?
No, the published pricing for bare metal VMware Cloud on AWS hosts is all that is required from a cost perspective. There are no additional charges for PCI-DSS SDDCs.
How many SDDCs will customers need for Development, Production, and PCI workloads?
System sizing and design is ultimately a customer-driven activity, though VMware can help. Many organizations choose to limit the scope of compliance and compliance audits by deploying separate SDDCs for PCI-DSS workloads.
Will PCI-compliant SDDCs be upgraded like standard SDDCs?
Yes, patching and upgrading will be automatically handled by the VMware Operations team via standard lifecycle processes.
Can APIs and/or automation like PowerCLI or Terraform be used to configure a PCI SDDC?
Yes. Terraform and APIs can be used to configure a PCI SDDC.
If business requirements change can an SDDC be reverted to the non-compliant configuration?
Yes, but not through the VMware Cloud console. Please contact VMware Support.
How does a customer log into the local VMware NSX Manager to create network segments, manage DFW micro-segmentation rules, etc.?
Customers can use the VMware NSX Manager URL and local VMware NSX account credentials. That information is found in the SDDC Settings tab.
What connectivity differences are there in a PCI-compliant SDDC?
All the same connectivity options are available to a PCI-compliant SDDC as with a standard SDDC.
What are the steps to provision a PCI-compliant SDDC from the VMware Cloud console?
A customer needs to perform the following steps:
- Identify the Organization where a PCI SDDC will be created.
- Create a ticket with VMware Support to request enabling PCI for the Organization.
- Confirm that the change has been implemented by VMware.
- Deploy a new SDDC.
- Prepare SDDC to host PCI workloads. Configure a network connection to on-premises.
- Create firewall rules on the Management Gateway Firewall to enable access to the local VMware NSX Manager and validate access was setup correctly.
- Disable Networking & Security Tab using the Components Control section of the VMware Cloud console.
- Deactivate HCX components and add-ons if they were configured.
- Deactivate vRealize Automation Cloud components if they were configured.
- Complete successful customer PCI audit with a QSA.
- The customer QSA will confirm when customers can start running PCI-compliant VMs, applications and production cardholder data.
How can I request approval for penetration testing applications and systems in my SDDC?
VMware has a comprehensive vulnerability management program that includes third-party vulnerability scanning and penetration testing. VMware conducts regular security assessments to maintain and continuously improve cloud platform security controls and processes. While the requirements to conduct penetration testing vary by industry compliance regulation, customer environments benefit greatly from penetration testing that measures the effectiveness of the security controls within their virtual infrastructure (SDDCs) and applications. To notify VMware that you plan to conduct penetration testing, please use to provide us relevant information about your test plans. VMware will respond with an approval by email. Penetration testing must be conducted in accordance with our Penetration Testing Rules of Engagement.
Where can I take advantage of the chat support feature?
In-service chat support is available for all features of VMware Cloud on AWS, including hybrid solutions such as VMware vCenter Server Hybrid Linked Mode and VMware vCenter Server Cloud Gateway. Chat support is available 24x5 in English across all global regions but is not currently available for on-premises-only solutions.
Can I set my own notification preferences in VMware Cloud Console?
Yes, please navigate to the left menu in the VMware Cloud Console and click “Notification Preferences” to pick and choose which notifications you’d like to receive. Ensure you click “Save Changes” when satisfied with your selections.
Who can control my notification preferences?
For now, notification preferences are set at the user level: each user is responsible for setting their own preferences, and only you control yours. Changes you make in your own VMware Cloud Console do not affect other users.
What roles do I need to be able to set my notification preferences?
To access the Notification Preferences, you must be a part of the associated Organization as either an Organization Owner or Organization User. You must also be assigned one of the following Service Roles:
- VMware Cloud Admin
- VMware NSX Cloud Admin
- VMware NSX Cloud Auditor
Single Host SDDC
What is the Single Host SDDC offering?
With the new time-bound Single Host SDDC starter configuration, you can now purchase a single host VMware Cloud on AWS environment with the ability to seamlessly scale the number of hosts up within that period, while still retaining your data. The service life of the Single Host SDDC starter configuration is limited to 60-day intervals. This single host offering applies to customers who want a lower-cost entry point for proving the value of VMware Cloud on AWS in their environments.
How is Single Host SDDC priced?
Where is the Single Host SDDC available today?
The Single Host SDDC is available across all supported regions.
What are the features included in the Single Host SDDC?
Features that do not require more than one host are included in the Single Host SDDC offering, including hybrid operations between on-premises and VMware Cloud on AWS. However, any operation or capability that requires more than one host will not work; examples are vSphere High Availability (HA) and stretched clusters across two AWS Availability Zones. Because there is only one host, vSAN runs with FTT=0 (failures to tolerate = 0), meaning that if the host fails, your data is lost. VMware does not currently offer patching or upgrades for a Single Host SDDC.
Single Host SDDC highlights:
- Accelerated onboarding
- Migration capabilities between on-premises and VMware Cloud on AWS, using VMware HCX for large-scale rapid migration, VMware vMotion for live migration and lastly cold migration.
- Seamless high-bandwidth, low latency access to native AWS services
- Disaster Recovery: Evaluate VMware Site Recovery, the cloud-based DR service optimized for VMware Cloud on AWS. VMware Site Recovery is purchased separately as an add-on service on a per-VM basis.
- Expert support: Single Host SDDC receives the same unlimited 24/7 VMware Global Support Services as well as 24/5 live chat support
- Hybrid Linked Mode support: Single logical view of on-premises and VMware Cloud on AWS resources
- All-Flash vSAN storage: All Flash vSAN configuration, using flash for both caching and capacity, delivers maximum storage performance.
I am a partner of VMware. Can I use Single Host SDDC as well?
How many Single Host SDDCs can I provision?
You may provision no more than one Single Host SDDC at a time. For selected partners, you can have up to two SDDCs at a time.
Can I run a Single Host SDDC indefinitely?
A Single Host SDDC will be deleted after 60 days. All data on the SDDC will be lost. You can scale up a Single Host SDDC into a 2-Host SDDC and retain all your data. A 2-Host SDDC is not time-bound.
Can I extend the lifetime of my Single Host SDDC beyond 60 days?
No, but you may create a new Single Host SDDC if you are under your Single Host SDDC limit, and use migration techniques such as Cross-vCenter vMotion to move workloads.
Can I add hosts to a Single Host SDDC?
Yes, a Single Host SDDC can be non-disruptively scaled up to a 2-Host SDDC at any point.
Can I upgrade from Single Host to a production SDDC?
How do I scale up to a production SDDC?
You can simply click on the "Scale Up" button to scale up to the standard production SDDC service. Your data will be retained. If you want to contact our account team, please reach out to us via the chat service.
Do I have to connect my Single Host SDDC to an AWS account?
It is possible to defer account linking for Single Host SDDCs for up to 14 days, but it is not possible to scale your Single Host SDDC to a production configuration without connecting to an AWS account.
Can I convert my standard 2-Host SDDC into a Single Host SDDC?
No, a Single Host SDDC must be created as a single host. You cannot scale down from a 2-Host to Single Host SDDC.
What support is available for the Single Host SDDC?
Single Host SDDC receives the same unlimited 24/7 VMware Global Support Services as well as 24/5 live chat support via the VMware Cloud on AWS Console and via vSphere Client.
What service level agreement (SLA) do you offer for a Single Host SDDC?
We offer no SLA for the Single Host SDDC. In case of a component or host failure, you may lose your data.
How can I purchase the Single Host SDDC Offering?
There are three payment methods available for the service. You can choose to pay for the service via credit card, by invoice, or you can purchase Subscription Purchasing Program (SPP) credits or Hybrid Purchasing Program (HPP) credits and redeem those credits on the service.
2-Host SDDC Cluster
What is the 2-Host cluster capability?
The 2-Host cluster capability enables a customer to provision a persistent production cluster with just 2-Hosts in VMware Cloud on AWS. This offering is a great place to start for customers who do not need the full 3-host Production cluster due to smaller size workloads or wish to prove the value of VMware Cloud on AWS for a longer duration than the Single Host SDDC can offer today.
How is the 2-Host cluster priced?
The cost per host is the same as the 3+ host pricing. For a cluster, this means that the 2-Host cluster results in a 33% lower cost of entry with a persistent, full production environment.
Does the 2-Host cluster support Custom Core Counts?
Yes, secondary 2-Host clusters within existing SDDCs can use custom core counts.
In which regions is the 2-Host cluster available today?
The 2-Host cluster is available in all regions where VMware Cloud on AWS is available today.
What are the features included in the 2-Host cluster?
Features included in the 2-Host cluster are the same as a 3+ host Production SDDC, except for Optimized Elastic DRS policies (optimize for cost, optimize for performance and rapid scale-out).
How many 2-Host clusters can I provision?
You may provision as many 2-Host clusters as you wish. You can mix an SDDC with a 2-Host cluster and 3+ host clusters.
Can I run a 2-Host cluster beyond 60 days (unlike the Single Host offering?)
Yes, there is no limitation to the lifetime of a 2-Host cluster.
What support is available for 2-Host Clusters?
The 2-Host cluster has the same level of support as all other production SDDCs.
What (service level agreement) SLA do you offer for the 2-Host cluster?
Can I scale up from two hosts to three hosts?
Yes. Not only does the 2-Host cluster offer the Default Elastic DRS Policy, but manual scale-up is also available.
Can I scale down from 3+ hosts back to 2-Hosts?
Yes. 3-host Production SDDCs can be scaled down to a 2-Host cluster.
What Add-ons are compatible with 2-Host Clusters?
All add-ons supported for production SDDCs are compatible with 2-Host clusters.
Can I use VMware Horizon VDI workloads with the 2-Host cluster?
Can I use Stretched Clusters with the 2-Host cluster?
Yes, stretched deployments are available for the 2-Host cluster, in a 1-1 configuration, with 99.9% SLA.
Can I use all the Optimized EDRS policies with the 2-Host cluster?
No. Only the Elastic DRS (EDRS) Baseline policy is currently available.
How can I purchase the 2-Host cluster?
The 2-Host cluster can be purchased and provisioned in the same manner as any other SDDC. Once provisioned, it can be scaled up in a matter of minutes to a 3-host SDDC.
Can I use a credit card to pay for a 2-Host cluster?
Yes, you can. Credit card users cannot create more than one SDDC or add an additional 2-Host cluster or a 3-host cluster SDDC. For more details on credit card payments, please look at the “Credit Card Payment” section of this FAQ.
I wish to work with a Managed Service Provider (MSP) to use the 2-Host Cluster offering. Can they provide me with a 2-Host Cluster?
Yes, Managed Service Providers (MSPs) can deploy the 2-Host cluster. The SLA for any organization managed by an MSP is subject to the specific terms between the MSP and the tenant and is not bound by the VMware SLA.
How many VMs can I run on a 2-node Cluster?
While a 2-host cluster supports the same number of VMs per host as any other configuration, vSphere HA admission control limits a 2-host i3.metal cluster to no more than 35 powered-on workload VMs at a time. This ensures that vSphere HA can restart every running workload on the surviving host after a failure. You can find .
VMware Cloud Disaster Recovery
Where can I find information about VMware Cloud Disaster Recovery?
VMware Site Recovery
Where can I find more information about VMware Site Recovery?
Workload Migration - vMotion
What is vSphere vMotion between on-premises and VMware Cloud on AWS and what does it require?
VMware vSphere vMotion enables live migration of powered on VMs between hosts and environments. This includes on-premises hosts to VMware Cloud on AWS SDDCs, and offers zero downtime for the application, continuous service availability, and complete transaction integrity.
By enabling certain advanced configurations, vMotion can be used across different vSphere Distributed Switch versions. Requirements include:
- Connectivity between on-premises data centers and VMware Cloud on AWS using AWS Direct Connect (over Private VIF) and/or VMware NSX Layer 2 VPN
- On-premises vSphere version must be 6.0U3d or above.
- Sustained bandwidth of 250 Mbps or more is required for optimal performance.
- No greater than 150ms of round-trip (RTT) latency.
To help ensure success it is recommended that source environments be running the latest updates to that major vSphere version.
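The connectivity and version requirements above can be checked before a migration is attempted. The following Python script is an added example written for this FAQ, not VMware tooling; it assumes Linux-style `ping` summary output and a sustained-bandwidth figure measured separately (for instance with an iperf run), and the hostname, addresses and timings in the sample output are constructed.

```python
import re

# Cross-site vMotion requirements as stated in this FAQ.
MIN_BANDWIDTH_MBPS = 250
MAX_RTT_MS = 150
MIN_VSPHERE_VERSION = "6.0U3d"

# Constructed sample in the format of Linux `ping -c 3 <host>`; not a real capture.
SAMPLE_PING_OUTPUT = """\
PING vmk-vmotion.example.internal (10.0.0.25) 56(84) bytes of data.
64 bytes from 10.0.0.25: icmp_seq=1 ttl=60 time=84.2 ms
64 bytes from 10.0.0.25: icmp_seq=2 ttl=60 time=85.9 ms
64 bytes from 10.0.0.25: icmp_seq=3 ttl=60 time=83.7 ms

--- vmk-vmotion.example.internal ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 83.700/84.600/85.900/0.900 ms
"""

# Version strings look like "6.0U3d", "6.5U2" or "7.0": major.minor, an optional
# update number and an optional patch letter.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:U(\d+)([a-z])?)?$")
_RTT_RE = re.compile(r"rtt min/avg/max/mdev = [\d.]+/([\d.]+)/[\d.]+/[\d.]+ ms")


def parse_vsphere_version(text):
    """Map a vSphere version string to a comparable tuple
    (major, minor, update, patch-letter index): '6.0U3d' -> (6, 0, 3, 4), '6.7' -> (6, 7, 0, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised vSphere version: %r" % text)
    major, minor, update, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(update or 0), patch)


def average_rtt_ms(ping_output):
    """Pull the average round-trip time out of the ping summary line."""
    m = _RTT_RE.search(ping_output)
    if not m:
        raise ValueError("no rtt summary line found in ping output")
    return float(m.group(1))


def check_vmotion_prereqs(ping_output, sustained_mbps, source_vsphere_version):
    """Evaluate the FAQ's vMotion requirements.

    Returns (ok, findings): ok is True only when every check passes; findings holds
    one message per failed check so the operator sees every blocker at once."""
    findings = []
    rtt = average_rtt_ms(ping_output)
    if rtt > MAX_RTT_MS:
        findings.append("average RTT %.1f ms exceeds the %d ms maximum" % (rtt, MAX_RTT_MS))
    if sustained_mbps < MIN_BANDWIDTH_MBPS:
        findings.append("sustained bandwidth %.0f Mbps is below the %d Mbps minimum"
                        % (sustained_mbps, MIN_BANDWIDTH_MBPS))
    if parse_vsphere_version(source_vsphere_version) < parse_vsphere_version(MIN_VSPHERE_VERSION):
        findings.append("source vSphere %s is older than the required %s"
                        % (source_vsphere_version, MIN_VSPHERE_VERSION))
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_vmotion_prereqs(SAMPLE_PING_OUTPUT, sustained_mbps=1000,
                                         source_vsphere_version="6.7")
    print("ready for vMotion" if ok else "blocked:\n  " + "\n  ".join(findings))
```

The version comparison is deliberately tuple-based so that "6.0U3" (no patch letter) sorts below the required "6.0U3d" rather than being treated as equal.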
What are the different ways to orchestrate vMotion between on-premises and VMware Cloud on AWS?
Single VM vMotion:
- UI: Hybrid Linked Mode needs to be set up for orchestrating vMotion via the HTML5 client.
- PowerCLI: Supported via the API directly with PowerCLI.
Bulk migration:
- UI: Hybrid Cloud Extension (HCX) can enable bulk migration through its UI.
- PowerCLI: Sample scripts are available to support bulk migration scenarios.
Is encrypted vMotion supported from on-premises to VMware Cloud on AWS?
Yes, encrypted vMotion is supported. No additional setup is required beyond the base vMotion requirements.
Can I vMotion from VMware Cloud on AWS back to on-premises?
Yes, you can vMotion from VMware Cloud on AWS back to on-premises if the on-premises hosts are compatible. Cluster-level Enhanced vMotion Compatibility (EVC) does not carry across clusters, and while a VM is in VMware Cloud on AWS it may go through a power cycle and begin running with a newer CPU feature set and hardware version. In that case the on-premises host might be on an older version and live migration back will not be supported.
Is Enhanced vMotion Compatibility (EVC) setting available for VMware Cloud on AWS?
EVC is disabled in VMware Cloud on AWS. All hosts in a deployed VMware Cloud on AWS SDDC are homogeneous and hence a compatibility check is not required.
How is per-VM EVC different from cluster EVC?
As the name suggests, per-VM EVC abstracts this setting from a cluster to a VM level. By doing so, the EVC mode now can persist through a power cycle of the VM.
What are the requirements for per-VM EVC to work?
Per-VM EVC requires VM hardware version 14 or later. Per-VM EVC requires the VM to be powered off to enable the settings.
Can EVC settings be changed via UI, or it is an API only feature?
Settings can be altered with both methods. There is an edit setting attribute at a per-VM level that can be changed to set the specific EVC mode. But it can also be automated and set for a batch of VMs via a script that uses the API.
How does per-VM EVC interact with cluster EVC while they co-exist?
Cluster EVC is not enabled in VMware Cloud on AWS. Only Per-VM EVC can be set.
Are all hosts in VMware Cloud on AWS homogeneous? How does per-VM EVC mode help there?
Yes, all hosts in VMware Cloud on AWS are homogeneous. The per-VM EVC setting comes into play when migrating back from VMware Cloud on AWS to on-premises, to ensure there are no compatibility issues.
Workload Migration - HCX
What is VMware HCX?
VMware HCX (formerly known as Hybrid Cloud Extension and VMware NSX Hybrid Connect) is a SaaS offering that provides application mobility and infrastructure hybridity across different vSphere versions, on-premises and in the cloud.
What does VMware HCX offer?
The VMware HCX service offers bi-directional application landscape mobility and data center extension capabilities between any vSphere version. VMware HCX includes vMotion, bulk migration, high throughput network extension, WAN optimization, traffic engineering, load balancing, automated VPN with strong encryption (Suite B) and secured data center interconnectivity with built-in hybrid abstraction and hybrid interconnects. VMware HCX enables cloud onboarding without retrofitting source infrastructure, supporting migration from vSphere 5.0+ to VMware Cloud on AWS without introducing application risk and complex migration assessments.
What is Infrastructure Hybridity?
VMware HCX abstracts vSphere-based on-premises and cloud resources and presents them to the applications as one continuous resource, creating infrastructure hybridity. At the core of this hybridity is a secure, encrypted, high throughput, WAN-optimized, load balanced and traffic engineered interconnect that provides network extension. This allows support for hybrid services, such as app mobility, on top of it. Apps are made oblivious to where they reside over this infrastructure hybridity, making them independent of the hardware and software underneath.
What are usage scenarios for VMware HCX?
Here are few examples:
- Extend on-premises data centers to cloud
- Enable SDDC transformation
- Live and bulk VM migration
- Use ongoing hybridity for application landscape transparency and distributed app components.
Does VMware HCX support multisite interconnect? What are good usage scenarios of it?
Yes. VMware HCX supports multisite interconnect. Here are few use cases:
- Consolidate small DCs to VMware Cloud on AWS
- Extend to multiple VMware Cloud on AWS with separate geo-locations.
Does VMware HCX support VMware NSX SDDCs?
VMware HCX supports all capabilities in VMware NSX SDDCs. VMware NSX SDDCs also support the ability to leverage the Direct Connect Private VIF option for the VMware HCX interconnects. If you are leveraging the Internet and would like to shift your HCX interconnects to the Private VIF option, please reach out to VMware via support to get assistance in switching the interconnect configuration.
Does VMware HCX require VMware NSX on-premises?
It is not required if the destination environment is an HCX-enabled public cloud. VMware NSX is needed if the destination vSphere environment is also private/on-premises. Optionally, VMware NSX can be installed in the source environment to access the VMware NSX Logical Switch Network Extension feature.
Where can I find pricing for VMware HCX for VMware Cloud on AWS?
VMware HCX is included with all VMware Cloud on AWS SDDCs.
How do I sign up for VMware HCX?
VMware HCX is included with your VMware Cloud on AWS subscription. To activate it, log in to and enable HCX for your VMware Cloud on AWS SDDCs. VMware HCX is integrated with the vSphere Client, so you can use the same management environment for day-to-day operations.
What is Cloud Motion with vSphere Replication?
Cloud Motion with vSphere Replication is a new way to enable mass migration of workloads from on-premises to VMware Cloud on AWS. With Cloud Motion with vSphere Replication, you can migrate VMs at large scale with minimal or no downtime.
How is Cloud Motion with vSphere Replication different than existing HCX migration options?
Previously, there were two ways to migrate with HCX:
- vMotion-based: vMotion-based migration is live (no downtime) but serial in nature. Due to vSphere concurrency and cross-cloud limitations, only a handful of VMs could be vMotioned at the same time. While vMotion is a live migration option, it did not support large-scale mobility.
- Warm migration: Warm migration moves VMs at scale, but the migration requires a VM reboot.
Cloud Motion with vSphere Replication combines the best of both worlds. VMs are replicated to the destination using replication technology, and once the VMs are replicated, the final migration is done via vMotion. This enables large scale migration without the need for reboot. This feature lets you move applications at scale live, without any reboot or reload.
How can Cloud Motion with vSphere Replication help with cloud migrations?
Cloud Motion with vSphere Replication simplifies migration planning and operations in three ways:
- Traditionally, you would have to plan for a maintenance window in which applications would be rebooted. Maintenance windows are tedious to manage, and there is additional complexity when dealing with application reloads/reboots. With Cloud Motion, migrations can be done at scale from the source to VMware Cloud on AWS without scheduling any maintenance windows.
- Cloud Motion eliminates detailed analysis, dependency mappings and elongated migration planning projects.
- Cloud Motion lets you schedule the failover, which makes it predictable when the application will migrate. With vMotion alone there is no such predictability, since the VMs move as soon as the vMotion-related activities are done.
The combination of live migrations at scale with a predictable schedule brings a paradigm shift in migration process planning and operations.
What on-premises versions of vSphere are supported with Cloud Motion with vSphere Replication?
This feature requires vSphere version 5.5 or higher.
How do I get more information about VMware HCX?
When should I change my VMware HCX FQDN resolution to private?
Private IP address resolution is useful when users connect to HCX Manager over a VPN or over AWS Direct Connect rather than over the Internet.
How do I change my HCX FQDN resolution?
Does VMware Cloud on AWS use nested virtualization?
No, VMware ESXi is running directly on bare-metal AWS infrastructure. There is no nested virtualization.
How can I onboard virtual machines to my SDDC on VMware Cloud on AWS?
There are numerous ways to bring VMs and templates into a VMware Cloud on AWS SDDC, including:
- Build new templates and redeploy
- Publish vSphere Content Libraries with Templates/OVF/OVA/ISOs, subscribe the SDDC
- Import templates and VMs as OVF/OVA
- Cold vMotion (powered off VM)
- Cross-vCenter vMotion
- VMware HCX (cloud migration and related methods)
Tools such as PowerCLI can help automate creation and deployment of workloads wherever you wish to run them.
How can VM template support in VMware Cloud on AWS Content Library help me?
VM templates enable consistency and ease of VM content management. You can add a VM template to Content Library, delete it, rename it, update notes, or create a new VM from it.
What can I not do with a VM template in Content Library?
You can't add a VM template into a published library, because the synchronization (data distribution) between Published and Subscribed libraries for VM templates is not supported yet. Also, you can't convert a VM template into a VM via Content Libraries; however, the same template with all capabilities is available for you in VMware vCenter Server Inventory/Folders.
How many VMware ESXi hosts do I need (minimum) in VMware Cloud on AWS?
The minimum size SDDC that you can create in VMware Cloud on AWS is one host with the Single Host SDDC. However, one host SDDCs have a limited SLA, limited lifespan (60 days), and are not intended for production use. For more details, refer to the Single Host SDDC FAQ section.
2-Host Clusters are the smallest production SDDC configurations that are fully supported.
Is there any functional difference between a three host and a four host SDDC?
Yes. Because you only have three hosts, you cannot implement a "RAID 5" SPBM policy. That requires a minimum of four hosts. The only storage redundancy you can choose is RAID 1.
Can I add a cluster to an existing SDDC?
What is the maximum supported cluster size in VMware Cloud on AWS?
The maximum cluster size is 16 hosts.
Can I increase or decrease the size of my cluster after I provision an SDDC on VMware Cloud on AWS?
Yes. You can add additional hosts on-demand. You can also remove hosts on-demand. Scaling down depends on multiple factors including storage availability policies and storage consumption below 80%.
What is the maximum number of clusters supported?
VMware Cloud on AWS supports a hard maximum limit of 20 clusters per SDDC. Your organization may have lower "soft" limits set. If you wish to have your limits raised, please contact your customer success team.
With multi-cluster support, how do I move VMs to the new cluster?
Once the new cluster is provisioned, you can cold migrate or vMotion VMs to this cluster via VMware vCenter Server the same way you would move VMs on premises.
With multi-cluster support, can I remove the original cluster created when the SDDC was created?
No. Only additional clusters can be removed. You must have one cluster in your SDDC and this cluster must be the original cluster deployed when the SDDC was created.
Can a customer create multiple SDDCs?
In VMware Cloud on AWS, you can provision multiple SDDCs and can connect to multiple AWS accounts.
Can the SDDCs reside in different regions?
Yes, the SDDCs can reside in any region where VMware Cloud on AWS is available.
Do I have to connect all my SDDCs to an AWS account?
A VMware Cloud on AWS SDDC must be connected to an AWS account. It is possible to defer account linking for Single Host SDDCs for up to 14 days, but it is not possible to scale-up your Single Host SDDC without connecting to an AWS account.
What are the benefits of connecting to an AWS account?
Establishing a connection to an AWS account creates a unique high-bandwidth, low-latency connection between your SDDC and your AWS resources and allows consuming AWS services with no cross-Availability Zone charges. If you delay account linking, you will not be able to choose which Availability Zone your SDDC is deployed in.
How do I connect my SDDC to a different AWS account?
When creating your SDDC, select Connect to a New AWS Account from the Choose an AWS Account drop down in step number one of creating an SDDC.
Can I connect SDDCs from different Organizations to the same AWS account?
This is not supported.
How do I provision an SDDC in a newly available region?
Select the newly available region when creating your SDDC. You provision an SDDC in a newly available region in the same way as in any other available region; the region selector simply has another option for the new region. The SDDCs you create in the new region appear on your dashboard along with your other SDDCs, and a single organization can contain SDDCs from different regions.
How can I pay for the new region?
You can use a fund with SPP or HPP credits or a credit card.
Do I need to access region specific endpoints to access my SDDCs?
No, you use the same endpoints to access the VMware Cloud on AWS API and VMware Cloud on AWS Console regardless of the region your SDDCs are in.
Which version of VMware ESXi is available on VMware Cloud on AWS?
The version of VMware ESXi running on VMware Cloud on AWS is optimized for cloud operations and is compatible with the standard vSphere releases. The version of ESXi will vary based on the version of the SDDC that is deployed. VMware ESXi running on VMware Cloud on AWS may have a more frequent update cadence so that you can take advantage of regular service enhancements.
Can I choose the version of VMware ESXi running in my VMware Cloud on AWS SDDC?
Not directly. Versions of ESXi follow the SDDC versions your organization is configured to deploy. You can view the SDDC version in the Support information for that SDDC.
Can I run nested VMware ESXi VMs on VMware Cloud on AWS for testing and training purposes?
VMware does not support nested VMware ESXi VMs running on VMware Cloud on AWS.
Can I use the VMware vCenter Server in my SDDC to manage my on-premises VMware ESXi hosts?
Through Hybrid Linked Mode, you can connect your VMware vCenter Server running in VMware Cloud on AWS to your on-premises VMware vCenter Server to get a single inventory view of both your cloud and on-premises resources.
The SDDC vCenter Server cannot be used to directly manage non-SDDC hosts.
What is Compute Policy?
Compute Policy is a new framework to allow you the flexibility, control, and policy-based automation required to keep up with the demands of your business. You can configure simple VM-Host affinity and anti-affinity, as well as disable DRS vMotion.
How does Compute Policy differ from DRS rules?
Given the granular cluster level at which DRS operates, it becomes difficult to manage, replicate and update the static rules (laid down in the beginning) as the underlying infrastructure grows (number of VMs, hosts, applications). Similarly, the intent (the why and what) for which the rules were created is lost over time. To get around this, Compute Policy provides a higher level of abstraction to capture the customer intent at a SDDC level rather than at a cluster level at which DRS operates. As a result, a single policy can apply to multiple clusters within the SDDC at the same time. It aims to provide a framework to not only allow placement and load balancing decisions for VMs, but also to handle entire workloads.
What is the difference between a mandatory or preferential policy?
Mandatory policies are equivalent to the DRS “must” rules, while preferential policies are like the DRS “should” rules. Preferential policies cannot block a host from entering maintenance mode. However, a policy cannot be violated for fixing cluster imbalance or host over-utilization.
Is VM-Host Affinity a mandatory or preferential policy?
Mandatory policies are not available in a VMware Cloud on AWS environment. As a result, VM-Host affinity is a preferential policy.
What if I delete tags?
If tags associated with a policy are deleted, the policy is no longer in effect, and is deleted.
How many policies can I create?
Compute Policy can support a total of 20 policies per SDDC.
Are some policies preferred over others?
No. All defined policies (except Disable DRS vMotion) are treated the same, and no one policy is preferred over the other. As a result, one policy cannot be violated to remediate another.
How are the interactions between the various policies handled?
In the current implementation there is no conflict detection. This means that if a user configures two policies that conflict with each other, no user error or warning will be generated. DRS will enforce all the policies in the best manner it can, as described below.
Can I choose the Availability Zone in which my VMs run with VM-Host Affinity?
Yes. When defining a VM-Host affinity policy, you can select hosts tagged with the required Availability Zone.
Can I use the VM-Host affinity policy to address my software licensing needs?
Possibly. VM-Host affinity is a preferential policy. Please discuss with your ISV vendor whether preferential policies are acceptable as per the terms of your licensing agreements.
Are there any scenarios where a VM may not run on a designated host?
In VMware Cloud on AWS, VM Power ON, maintenance and availability have a higher priority over policy enforcement. However, policy enforcement has a higher priority over host utilization. As a result, there are scenarios where a VM may not run on a designated host. For example, if a host goes down due to a failure, and if HA is enabled, the recovering VM may be repowered on any available host in the cluster.
Similarly, if reservations are used and no compliant host can satisfy a VM's reservations, the VM will be repowered on any available (non-compliant) host that can satisfy the reservation.
If there is no compliant host (i.e., no host carries the host tag specified by the policy), the VM will be repowered on an available host.
If the user configures multiple VM-Host affinity policies that conflict for a VM, the policies are ignored and the VM is powered on a suitable host chosen by DRS.
In all cases, Compute Policy will keep trying to move the VMs back to the compliant hosts.
How does the VM-VM Anti-Affinity policy work?
Enforcing a VM-VM anti-affinity policy implies that DRS will try to ensure that it keeps each VM (that has the policy's VM tag) on different hosts. This anti-affinity relation between the VMs will be considered by DRS during VM power-on, host maintenance mode and load balancing. If a VM is involved in a VM-VM anti-affinity policy, then DRS will always prefer those candidate hosts which do not have any powered-on VM that has the policy's VM tag.
Are there any scenarios in which the VM-VM Anti-Affinity policy may not be enforced?
One scenario is a provisioning operation whose API call specifies a destination host; such an operation is allowed to violate a policy. However, DRS will try to move the VM in a subsequent remediation cycle. If it is not possible to place a VM as per its VM-VM anti-affinity policies, then the policy is dropped and the operation (power-on or host enter maintenance mode) continues. This means that DRS first tries to place the VM such that the policy can be satisfied, but if that is not possible then DRS will continue to find the best host per other factors, even if it violates the policy. Other scenarios where VMs may not be placed as per the policy include:
- Every host in the cluster has at least one VM with the tag specified by the VM-VM anti-affinity policy.
- None of the policy-preferred hosts can satisfy the VM's CPU/memory/vNIC reservation requirements.
What is the behavior if there are more VMs than available hosts in an anti-affinity rule?
DRS will first try to place as many VMs on different hosts as possible, which in this case will be equal to the number of hosts available in the cluster. After that, the policy shall not be enforced, i.e. the remaining VMs will be placed based on the other factors DRS considers, which may result in multiple VMs on the same host. To remedy this violation, additional hosts can be added to the cluster. Once the hosts are added, DRS will move the VMs that are violating the policy to the newly added hosts.
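The VM-VM anti-affinity placement behaviour described in the last three answers (prefer hosts with no tagged VM, drop the policy when no such host can satisfy the reservation, power-on fails only when no host fits at all), as an added simulation that is not VMware's DRS code. Host and VM shapes, the "least loaded host" tie-break and the inventory are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VM:
    name: str
    tags: Set[str]
    cpu_res_mhz: int = 0   # CPU reservation a host must be able to satisfy
    mem_res_mb: int = 0    # memory reservation a host must be able to satisfy


@dataclass
class Host:
    name: str
    free_cpu_mhz: int
    free_mem_mb: int
    vms: List[VM] = field(default_factory=list)   # powered-on VMs on this host

    def fits(self, vm: VM) -> bool:
        """Reservation check: power-on is impossible on a host that cannot satisfy it."""
        return self.free_cpu_mhz >= vm.cpu_res_mhz and self.free_mem_mb >= vm.mem_res_mb

    def has_tagged_vm(self, tags: Set[str]) -> bool:
        """True if any powered-on VM here carries one of the policy's tags."""
        return any(vm.tags & tags for vm in self.vms)


def place_vm(vm: VM, hosts: List[Host], policy_tags: Set[str]) -> Tuple[Optional[Host], bool]:
    """Choose a host for vm and power it on there.

    Returns (host, policy_satisfied). host is None when no host can satisfy the
    reservation at all. policy_satisfied is False when the anti-affinity policy
    had to be dropped because every feasible host already runs a tagged VM.
    """
    candidates = [h for h in hosts if h.fits(vm)]
    if not candidates:
        return None, False
    my_tags = vm.tags & policy_tags
    satisfied = True
    if my_tags:
        preferred = [h for h in candidates if not h.has_tagged_vm(my_tags)]
        if preferred:
            candidates = preferred
        else:
            satisfied = False   # policy dropped; placement proceeds on other factors
    # "Other factors" modelled (assumption) as the least loaded host: most free CPU, then memory.
    chosen = max(candidates, key=lambda h: (h.free_cpu_mhz, h.free_mem_mb))
    chosen.vms.append(vm)
    chosen.free_cpu_mhz -= vm.cpu_res_mhz
    chosen.free_mem_mb -= vm.mem_res_mb
    return chosen, satisfied


def place_all(vms: List[VM], hosts: List[Host], policy_tags: Set[str]) -> Dict[str, Tuple[Optional[str], bool]]:
    """Power on VMs in order; map each VM name to (host name or None, policy_satisfied)."""
    result: Dict[str, Tuple[Optional[str], bool]] = {}
    for vm in vms:
        host, ok = place_vm(vm, hosts, policy_tags)
        result[vm.name] = (host.name if host else None, ok)
    return result


def build_demo() -> Tuple[List[VM], List[Host], Set[str]]:
    """Constructed inventory: three hosts, four VMs tagged 'db-node' (more VMs than hosts), one untagged VM."""
    hosts = [Host("esx-01", 8000, 32768), Host("esx-02", 8000, 32768), Host("esx-03", 4000, 16384)]
    vms = [VM(f"db-0{i}", {"db-node"}, 2000, 8192) for i in range(1, 5)]
    vms.append(VM("web-01", {"web"}, 1000, 2048))
    return vms, hosts, {"db-node"}


if __name__ == "__main__":
    demo_vms, demo_hosts, demo_tags = build_demo()
    for name, (host, ok) in place_all(demo_vms, demo_hosts, demo_tags).items():
        print(f"{name:7s} -> {host}  policy {'satisfied' if ok else 'VIOLATED'}")
```

With three hosts and four tagged VMs, the fourth VM lands on an already-tagged host with the policy flagged as violated, which is the state the remediation cycle later tries to fix once a host is added.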
How does the VM-VM Affinity policy work?
Enforcing a VM-VM affinity policy means that DRS will try to ensure that it keeps each VM that has the policy's VM tag on the same host. This affinity relation between the VMs will be considered by DRS during VM power-on, host maintenance mode and load balancing.
How does the Disable DRS vMotion policy work?
This policy indicates that DRS will not migrate or load balance a virtual machine away from the host on which it was powered on, except when the host is being put into maintenance mode. This policy can be useful for applications that may be sensitive to vMotion, such as large transactional databases. The VMs subject to this policy are identified using vSphere tags, and the policy is not applicable to a power-on operation. However, once a VM is powered on and is subject to this policy, it will not be moved to remediate a VM-Host affinity or VM-VM anti-affinity policy.
Can I create my own custom roles in the VMware vCenter Server running in VMware Cloud on AWS?
Yes, you can create custom roles in addition to the CloudAdmin role that is provided out of the box. Users that have the Authorization.ModifyRoles privilege can create/update/delete roles. Users with the Authorization.ModifyPermissions privilege can assign roles to users/groups. You may be able to create roles that have privileges greater than CloudAdmin but you will not be able to assign the role to any users or groups.
Are users able to modify other VMware vCenter Server roles as well, or only roles that they've created?
Users will only be able to modify or delete roles whose privileges are equal to or fewer than those of their current role.
Can I view management objects?
Yes, you can view management objects, such as the vCenter Server appliance. You can assign the read only role to the management objects for other users and groups as well.
With this added flexibility, do I now have access to the entire inventory tree?
Yes, you now have access to the entire inventory tree. However, to limit contention across the VMs that you create, we strongly recommend that you continue to use the Compute Resource Pool as the location to create your VMs.
What are the different host instance types available?
Can a customer create I3en Single Host or 2-Host SDDC?
Single-host SDDCs are not supported with the I3en.metal instances.
What is a Partition Placement Group?
This is an instance placement strategy that helps reduce the likelihood of correlated host failures due to hardware failures. Partition Placement groups increase availability of applications by placing hosts in different logical partitions that do not share the same underlying hardware. Partition placement groups follow a “best effort” algorithm to automatically deploy hosts across as many different partitions as are available within an AZ. Each partition within a placement group has its own set of racks, and each rack has its own network and power source. No two partitions within a placement group share the same racks, which allows for isolating host failures within an SDDC cluster. VMware Cloud on AWS automatically enables Partition Placement groups for new SDDC, cluster and host provisioning operations. This is enabled for i3.metal and i3en.metal instance types in AWS Regions where these instance types are available for VMware Cloud on AWS.
When is partition placement activated?
VMware Cloud on AWS automatically enables partition placement groups during new SDDC, cluster, and host provisioning operations.
With partition placement groups automatically enabled, what happens when a host is removed or replaced?
When a host is removed, the preference is to remove a host that is not inside a partition; new hosts are added into partitions whenever possible. In this way, SDDCs will benefit from more partitions over time.
What happens if partition placement fails?
Partition placement is a best-effort operation. Placement may fail if there are insufficient physical racks or insufficient capacity. If partition placement fails, a host is added outside of a partition. This means the host is still added, but it is added to a rack that may already have a host from the same cluster. No further action is required when partition placement is sub-optimal.
How can I view partitions for my SDDC?
Partition placement is not configurable or viewable by customers.
Can I retrofit my current SDDC to use partition placement?
No. Existing SDDCs will benefit from partition placement over time, as hosts are added and removed.
In which regions and availability zones will the I4i.metal instances be available?
The I4i.metal instances are available in the following regions and respective availability zones:
- Paris (CDG/eu-west-3): euw3-az1, euw3-az2, euw3-az3
- Ohio (CMH/us-east-2): use2-az1, use2-az2, use2-az3
- Ireland (DUB/eu-west-1): euw1-az1, euw1-az2, euw1-az3
- Frankfurt (FRA/eu-central-1): euc1-az1, euc1-az2, euc1-az3
- N. Virginia (IAD/us-east-1): use1-az1, use1-az2, use1-az4, use1-az5, use1-az6
- London (LHR/eu-west-2): euw2-az1, euw2-az2, euw2-az3
- Tokyo (NRT/ap-northeast-1): apne1-az1, apne1-az2, apne1-az4
- Oregon (PDX/us-west-2): usw2-az1, usw2-az2, usw2-az3, usw2-az4
- N. California (SFO/us-west-1): usw1-az1, usw1-az3
- Singapore (SIN/ap-southeast-1): apse1-az1, apse1-az2, apse1-az3
- Sydney (SYD/ap-southeast-2): apse2-az1, apse2-az2, apse2-az3
- Canada-Central (YUL/ca-central-1): cac1-az1, cac1-az2
Will there be in-cluster conversion from existing I3/I3en cluster to I4i?
Custom Core Count
Does VMware Cloud on AWS support Custom core counts?
Yes. The following Custom CPU Core values are supported for each host type:
- I3 host 2-Host clusters: 16, 36 custom physical CPU cores per host.
- I3 host 3+ host clusters: 8, 16, 36 custom physical CPU cores per host.
- I3en host type: 8, 16, 24, 30, 36, 48 custom physical CPU cores per host.
- I4i host type: 8, 16, 24, 30, 36, 48, 64 custom physical CPU cores per host.
Can I use custom core counts in the primary cluster (Cluster-0)?
No, custom core counts are not supported in the primary cluster due to the need for cores to run management VMs. Cluster 0 must have all cores enabled.
Can I use custom core counts in the secondary (workload) cluster?
Yes. However, the custom core counts supported in a secondary cluster depend on the size of that cluster. For a 2-host secondary cluster, custom core counts of 16 and above are supported. For a secondary cluster of 3 or more hosts, the custom core counts listed above are supported.
How do I use Custom CPU Core Count feature?
Go to the VMware Cloud on AWS Console, click on your SDDC, and select Add Cluster. Under the section “Cluster to Be Added” you will see that you can specify the Number of CPU Cores Per Host. Select the value that works best for your workloads and finish the action.
What are the current limitations of Custom CPU Core Count capability?
Cluster-0 must have all cores enabled, and the core count is chosen only at "Add Cluster" deployment time. It cannot be changed after deployment except by deleting and redeploying the SDDC. All hosts in the cluster must have the same number of CPU cores, including hosts added or removed through Add/Remove Host operations.
Do I get a price discount on the hosts with lower CPU core count?
No, changing the number of cores does not affect the price of the host.
How do I control my licensing, while leveraging Custom CPU Core Count capability?
To preserve the number of licensed CPU cores, it is highly recommended that you leverage VMware Cloud on AWS Compute Policies (Simple VM-Host Affinity) to tag all applicable VMs and all the original hosts in the cluster, so that the compute policy can keep these VMs on those hosts. During regular VMware Cloud on AWS patch and upgrade operations, an additional host is added to a cluster. Therefore, you may need to include the license for this additional host in your initial licensing contract, making it N+1 since day one.
When I specify the lower number of CPU cores, does it impact the performance?
Reducing core count affects the compute capacity of the hosts, which may affect overall performance for both workloads and internal vSphere, NSX, and vSAN processes that execute on the hosts.
Where can I find more information about Custom Core Count?
What are Stretched Clusters for VMware Cloud on AWS?
Stretched clusters facilitate zero RPO infrastructure availability for applications. This enables you to fail over workloads within clusters spanning two AWS Availability Zones. It also enables developers to focus on core application requirements and capabilities, instead of infrastructure availability. With this feature, you can deploy a single SDDC across two Availability Zones. The vSAN Stretched Cluster feature guarantees synchronous writes across the two Availability Zones in a single SDDC cluster. This feature also extends workload logical networks to support vMotion between Availability Zones. In the case of an Availability Zone failure, vSphere HA will attempt to restart your VMs in the surviving Availability Zone.
How many Availability Zones can I stretch my cluster across?
Two. When you provision your SDDC, select your Availability Zone just the way you do now. The only change is that you then select a second Availability Zone. Using this information, we automatically deploy your SDDC and stretch your clusters across these two Availability Zones.
Can I have more than one stretched cluster?
You can create multiple stretched clusters in an SDDC.
Can I create stretched clusters and non-stretched clusters in the same SDDC?
No. Cluster types cannot be mixed. An SDDC can only have stretched clusters or non-stretched clusters.
Can I convert a non-stretched cluster to a stretched cluster?
No. The decision to deploy a stretched or a non-stretched cluster is made when the SDDC is created and cannot be changed afterwards.
Is it possible to configure custom CPU cores with multiple stretched clusters?
Yes. Custom CPU cores can be configured in an SDDC that has two or more stretched clusters. However, custom CPU cores cannot be configured in the first stretched cluster. See the “Custom Core Count” FAQ section.
What is the smallest stretched cluster I can make?
The smallest supported stretched cluster is two hosts and provides a 99.9% availability guarantee. At six hosts the service increases the availability guarantee to 99.99%.
Can I add hosts to a stretched cluster?
Yes. Just like a regular cluster, you can add and remove hosts at any time. However, in a stretched cluster these hosts must be added and removed in pairs. You must always have the same number of hosts on each side. Thus, you can grow a cluster from 6 to 8, 10, 12, etc.
What is the largest stretched cluster that would be supported?
We support cluster sizes of up to 16 hosts.
What about the witness?
In addition to the hosts you request, we always provision one additional VMware ESXi host in the case of stretched cluster to act as a witness node. This is to prevent issues such as split brain in the case of a network partition. You will see this host in the UI, but it will not be a member of the cluster and you cannot run guest VMs on that host. This host is a special version of VMware ESXi that runs as a guest. This allows us to save customers money since the witness VMware ESXi does not consume an entire physical host.
Are stretched clusters a good way to implement Disaster Recovery?
No. Stretched clusters improve availability but are not intended for DR. AWS Availability Zones in an AWS region are in the same geographical area. A disaster affecting a geographical area could take out all Availability Zones in an AWS region.
Do you support VMware ESXi as a guest now?
No. The witness host VM is a special case and does not run guest workloads.
Can I downgrade a stretched cluster SDDC to a single Availability Zone SDDC?
No. Enabling stretched cluster is a deployment time decision. You cannot downgrade a stretched cluster to a non-stretched cluster. You can deploy a new cluster and use vMotion or other migration techniques to move to it.
Can I migrate workloads from a single Availability Zone cluster to a stretched cluster?
Yes, using your preferred workload migration method.
Can I choose the Availability Zone in which my VMs run?
Yes. When deploying a VM you can choose a VMware ESXi host in the desired Availability Zone. In case of failure, the VM will stay in its original Availability Zone if possible. You can also enforce the VM placement using Compute Policies.
Can a stretched cluster span across AWS regions?
No. A stretched cluster spans across 2 Availability Zones within the same region. If you wish to protect against a regional failure, please use a DR tool such as our Site Recovery service.
Is there a performance impact when running VMs in a stretched cluster?
Yes. As with any stretched cluster or synchronous mirroring deployment, writes across two Availability Zones will incur additional latency overhead.
How many failures can be tolerated in an Availability Zone?
This depends on your vSAN Storage SPBM settings. By default, VMs are configured to survive the failure of all the hosts in a single Availability Zone without data loss.
What happens when an Availability Zone fails and when it comes back after a failure?
We will resynchronize the vSAN datastore. This resync time will depend on how much data you have stored and how long the systems have been segmented. This operation is automatic and monitored by our operations team.
How much does it cost to run Stretched Clusters?
There are no additional charges to use the Stretched Clusters feature. Stretched Clusters Cross-Availability Zone charges are also waived for up to 10 petabytes of Cross-Availability Zone traffic per month. Usage will be monitored and for instances where a customer’s usage exceeds this limit, VMware reserves the right to inform the customer of the issue and charge the full amount.
What instance types are supported with the ability to create multiple stretched clusters?
All instance types support stretched clusters.
Can I mix stretched clusters using different host instance types in the same SDDC?
Can I have a mix of different instance types within the same Stretched Cluster?
No, a single Stretched Cluster can only consist of hosts of the same instance type.
What is Elastic DRS (EDRS)?
Elastic DRS (EDRS) is a feature that uses the resource management features of vSphere to analyze the load running in your SDDC to scale your clusters up or down. Using this feature, you can enable VMware Cloud on AWS to manage your cluster sizes without manual intervention.
When will EDRS scale up?
EDRS will automatically scale up when your cluster reaches a configured capacity threshold.
What is the baseline policy in Elastic DRS?
Elastic DRS Baseline Policy is now configured for every cluster deployed within your SDDC. Previously, you were simply advised to maintain at least 20% slack space in your SDDCs, but this is now being enforced. The maximum usable capacity of your vSAN datastore is 80%; when you reach that threshold, EDRS will automatically start the process of adding a host to your cluster and expanding your vSAN datastore. Please note that even if you free up enough storage to fall below the threshold, the cluster will not scale-down automatically. You will need to manually remove host(s) from the cluster.
How quickly does EDRS scale my cluster?
It takes about 10-15 minutes to add a host to an existing cluster. EDRS will make a scaling recommendation approximately every five minutes.
Will EDRS scale my clusters down also?
Yes. When your cluster is lightly loaded, EDRS will also scale down automatically.
How do I control my budget with EDRS?
When configuring EDRS, you configure the minimum and maximum allowed cluster size. EDRS will only scale within the limits you set.
Will EDRS just keep adding hosts? Are there any limits to that?
No, EDRS will not add hosts sequentially. EDRS is throttled to prevent runaway cluster scaling. The system is also monitored by our operations team to ensure that scale operations are conducted correctly.
What happens if I have an SPBM policy of RAID 6 set and EDRS tries to scale down to four hosts?
If you have an SPBM policy that requires a minimum number of hosts (such as RAID 6), EDRS will not scale down below that minimum number. To allow scale-down, reconfigure SPBM to use a policy without that restriction such as RAID 1.
How does EDRS affect my bill?
You are billed per host per hour on VMware Cloud on AWS. EDRS simply changes the number of hosts you have running in your SDDC. It is the same as if you manually added hosts to your SDDC.
Do my workloads get automatically re-balanced onto the new host?
Yes. DRS will automatically re-balance your workloads.
How long does a scale-down operation take?
This depends on how heavily loaded your host is. A lightly loaded host will take only a few minutes to remove from the cluster. A very heavily loaded host could take many hours. In the case of EDRS, we only remove hosts which are lightly loaded so we expect this operation to be on the lower end of this spectrum. However, your actual evacuation time largely depends on how many VMs are running and how much data must be evacuated from the host so your times will vary.
If I know that I am about to bring up many workloads suddenly, as in the case of a DR event, should I rely on EDRS?
No. Because EDRS is throttled, it's not designed for very sudden load spikes such as caused by a DR event. In this case, you should script the host addition process as part of your DR runbook. After the DR workload is started, you can rely on EDRS to maintain the correct number of hosts in your cluster.
Is EDRS turned on by default?
Elastic DRS (EDRS) is enabled by default and cannot be disabled in VMware Cloud on AWS. VMware has pre-configured Elastic DRS thresholds across all available policies to ensure SDDC availability. One of the Elastic DRS policies listed in Select Elastic DRS Policy is always active.
What is the scope of EDRS?
EDRS is enabled on a per-cluster basis.
Would I get notified when hosts are added to my SDDC automatically?
Yes, you will get notified via email and in-console notification once any cluster is within 5% of any storage scale-out event. You will also be notified immediately after any hosts are added.
What is EDRS Rapid Scale Out?
EDRS Rapid Scale-Out causes EDRS to react faster and to add hosts in parallel to allow a cluster to scale out more quickly during a DR event for VDI or other workloads.
How do I enable EDRS Rapid Scale Out?
EDRS Rapid Scale-Out is enabled through the UI as a new EDRS policy type or via the EDRS policy API.
What thresholds are used with EDRS Rapid Scale Out?
EDRS Rapid Scale Out maximum thresholds are the same as the thresholds for the EDRS performance policy. The minimum thresholds are 0%; this means scale-in must be performed manually.
How many hosts could be selected for EDRS scale out per cluster?
You can select 4, 8 or 12 hosts to be deployed in parallel.
What EDRS policies are supported with Stretched Clusters?
All EDRS policies - Cost, Performance and Rapid Scale Out - are supported with Stretched Clusters, in addition to the Storage-only default policy.
How does EDRS decide to scale out when capacity (Storage/CPU/Memory) exceeds a threshold in only one of the Availability Zones?
EDRS monitors utilization in each Availability Zone. A scale-out event is triggered when a threshold is exceeded in either Availability Zone. Scale-in, on the other hand, occurs only when utilization goes below the threshold in both Availability Zones.
What type of storage can I use with my SDDC on VMware Cloud on AWS?
VMware Cloud on AWS SDDC uses VMware vSAN as a primary datastore. A single cluster-wide vSAN datastore is automatically configured for you when you deploy each cluster in your SDDC. In your first cluster, all management virtual machines are hosted on the vSAN datastore and cannot be moved. You can extend the storage capacity of a cluster by adding hosts or by .
Can I use any hybrid vSAN storage (Flash + Spinning Disk)?
We currently do not offer a hybrid storage solution. All hosts are equipped with NVMe SSD Storage.
Can I expand my storage without adding additional hosts?
Yes. VMware Cloud on AWS now offers support for external NFS datastores. Customers can use a VMware managed solution – , or an AWS managed solution – as their external NFS datastore to extend storage capacity without adding additional hosts.
What vSAN policies can be configured?
The following subset of vSAN policies can be configured by the user:
- Failures-To-Tolerate (FTT): Configured on a per vSAN Object basis.
- Customers have a choice of Fault Tolerance Methods (FTM) and Failures-To-Tolerate configurations for their VMs. To optimize for cost, performance and availability, it is recommended to use FTM = RAID 1 and FTT = 1 for 3-node clusters, FTM = RAID 5 (Erasure Coding) and FTT = 1 for clusters of 4 or 5 nodes, and FTM = RAID 6 and FTT = 2 for clusters of 6 nodes and higher.
- IOPS Limits: Limit IOPS consumption per VM to better manage performance SLAs for different workloads. Eliminates noisy neighbor issues.
- Checksum: Enabled by default.
- Disk stripes: The number of disk stripes per object can be up to a maximum of 12, but may be limited by certain cluster configurations (FTT, FTM choices, number of nodes, etc.).
- Force provisioning: Enable provisioning of VMs even when the storage policy cannot be fully satisfied.
What is a storage policy and why is it important? How is “Managed Storage Policy” different?
Storage policies define levels of protection or performance for your VMs or VMDKs. Typically, a user manually sets a policy for one or more VMs and these are then managed by VMware vCenter Server. With Managed Storage Policy for improved data availability, we will automatically set the policy for you based on the number of nodes in your VMware Cloud on AWS cluster.
How does Managed Storage Policy benefit me?
VMware Cloud on AWS provides a 99.9% availability commitment as per the SLA for a standard SDDC. If an SLA event occurs, i.e., a service component is unavailable, you will be eligible for SLA credits, provided that your cluster meets certain protection requirements that are set by storage policies. By allowing VMware Cloud on AWS to automatically set these policies for you, the criteria required to be eligible for these credits are already taken care of, while ensuring that your clusters have the optimal level of protection.
If I add more hosts to a cluster and this increases the number of hosts beyond 5, will my policy change automatically with Automatic adjustment of vSAN policy feature?
Yes, we will automatically change the policy for your cluster.
Can I manually override the function of Automatic adjustment of vSAN policy and set my own policy?
Yes, you can override this function of Automatic adjustment of vSAN policy and set your own policies.
What does the monitoring and alerting enhancement for managed storage policy do?
This feature scans a customer's environment for VMs and objects which have SLA non-compliant policies and notifies the VMware Cloud on AWS customer about them. VMware Cloud on AWS customers will receive an email notification which contains details of all the non-compliant policies and which VMs/objects they are mapped to for their VMware Cloud on AWS ORG. Customers will also be able to view the entire list of VMs with non-compliant policies within the VMware Cloud console and will be able to move to a managed storage policy with the click of a single button.
What does SLA compliant/non-compliant policies mean?
SLA compliance is required to ensure that your workloads are protected and that you are eligible for credits should a failure occur. SLA compliant policies are policies which follow the VMware Cloud on AWS SLA guidance, and non-compliant policies are policies which are different from what is stated in the VMware Cloud on AWS SLA document.
How will I be notified about SLA non-compliant policies?
You will be notified via email about which VMs have non-compliant policies. The email will include a link which re-directs you to the VMware Cloud console where you can view the entire list of VMs and objects with SLA non-compliant policies for your ORG.
How frequently is the scan performed and how often will I be notified?
The scan is performed daily and if there are new non-compliant policies, you will only be notified about these policies. Previously notified non-compliant policies will not be included in an email but they will be listed in the inventory view if they haven't been remediated.
Do I have to remediate all the VMs?
No. In the VMware Cloud console inventory view, you will have the option to select which VMs you want to change to a compliant policy. You will have the option to either select specific VMs you want to remediate or remediate the entire inventory. VMs that have not been moved to a SLA compliant policy will remain in the inventory.
Can I mute the notifications?
Yes. You can use NGW to mute the email notifications. There will be tiles within each cluster window to indicate which clusters have non-compliant policies.
How does Deduplication & Compression work in VMware Cloud on AWS?
Deduplication removes redundant data blocks, whereas compression removes additional redundant data within each data block. These techniques work together to reduce the amount of physical storage required to store the data. VMware vSAN applies deduplication followed by compression as it moves data from the cache tier to the capacity tier.
Deduplication occurs inline when data is destaged from the cache tier to the capacity tier. The deduplication algorithm utilizes a 4K-fixed block size to provide a good balance of efficiency and performance and is performed within each disk group. Redundant copies of a block within the same disk group are reduced to one copy, but redundant blocks across multiple disk groups are not deduplicated.
The compression algorithm is applied after deduplication has occurred, but before the data is written to the capacity tier. To avoid the inefficient use of compute resources for the allocation map overhead of compression, vSAN only stores compressed data if a unique 4K block can be reduced to 2K or less. Otherwise, the block is written uncompressed.
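The destage pipeline described above (4K fixed-block deduplication within a disk group, no deduplication across disk groups, then per-block compression kept only if the block shrinks to 2K or less), as an added simulation that is not vSAN code. The fingerprint (SHA-256), the compressor (zlib) and the sample disk-group contents are constructed assumptions; the rules it enforces are the ones stated in the text.

```python
import hashlib
import zlib
from typing import Dict, List

BLOCK = 4096            # vSAN dedup block size named in the text
COMPRESS_LIMIT = 2048   # store compressed only if the 4K block shrinks to 2K or less


def _split_blocks(data: bytes) -> List[bytes]:
    """Cut data into 4K blocks, zero-padding the last one."""
    return [data[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(data), BLOCK)]


def destage_disk_group(data: bytes) -> Dict[str, int]:
    """Simulate destaging one disk group's data from cache tier to capacity tier."""
    seen: Dict[bytes, int] = {}   # fingerprint -> bytes stored for that unique block
    compressed_blocks = 0
    blocks = _split_blocks(data)
    for block in blocks:
        fp = hashlib.sha256(block).digest()
        if fp in seen:
            continue              # redundant copy inside this disk group: deduplicated
        packed = zlib.compress(block, 6)
        if len(packed) <= COMPRESS_LIMIT:
            seen[fp] = len(packed)
            compressed_blocks += 1
        else:
            seen[fp] = BLOCK      # does not reach 2K: written uncompressed
    return {
        "logical_bytes": len(blocks) * BLOCK,
        "unique_blocks": len(seen),
        "compressed_blocks": compressed_blocks,
        "stored_bytes": sum(seen.values()),
    }


def destage_cluster(disk_groups: Dict[str, bytes]) -> Dict[str, Dict[str, int]]:
    """Run destage per disk group; totals add up per group because dedup never crosses groups."""
    report = {name: destage_disk_group(data) for name, data in disk_groups.items()}
    totals = {k: sum(r[k] for r in report.values()) for k in next(iter(report.values()))}
    report["totals"] = totals
    return report


def _pseudo_random_bytes(n: int, seed: str) -> bytes:
    """Deterministic incompressible bytes (SHA-256 chain) standing in for video data."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:n])


def build_sample_disk_groups() -> Dict[str, bytes]:
    """Constructed data: four VMs sharing one OS block in dg1 plus video, and the same OS block again in dg2."""
    pattern = b"guest-os-binary-page-"
    os_block = (pattern * (BLOCK // len(pattern) + 1))[:BLOCK]
    os_image = os_block * 4                         # same block on four VMs in the same disk group
    video = _pseudo_random_bytes(4 * BLOCK, "video")
    return {"dg1": os_image + video, "dg2": os_image}


if __name__ == "__main__":
    for name, r in destage_cluster(build_sample_disk_groups()).items():
        ratio = r["logical_bytes"] / r["stored_bytes"]
        print(f"{name}: {r['unique_blocks']} unique of {r['logical_bytes'] // BLOCK} blocks, "
              f"{r['compressed_blocks']} compressed, {r['stored_bytes']} B stored, {ratio:.1f}x")
```

The report shows why the OS block is stored once per disk group (twice across the cluster) while the incompressible "video" blocks are written at full 4K.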
How much storage is saved with the Deduplication & Compression feature in VMware Cloud on AWS?
Storage savings resulting from Deduplication & Compression is highly dependent on the workload data. For example:
- Operating system files across multiple virtual machines experience great benefit from Deduplication
- VDI workloads obtain good Deduplication savings.
- Video files do not compress well.
Although some customers using vSAN on-premises report savings up to 7x for VDI workloads, we generally see storage savings on the average of 2x based on the current deployments.
Can I apply Deduplication & Compression selectively for each volume?
No, deduplication or compression cannot be enabled individually, it is a cluster-wide setting. Also, all the vSAN datastores in VMware Cloud on AWS are automatically enabled for this feature without any user configuration and cannot be turned off.
Is there a performance impact due to Deduplication & Compression?
Although vSAN Deduplication & Compression are very efficient, users may experience some impact. For most workloads the impact is minimal.
Does Deduplication & Compression work with vSAN Encryption?
Yes. vSAN encrypts all data at rest both in the caching and capacity tiers, while preserving the storage efficiencies from deduplication and compression.
How does data encryption at rest work on VMware Cloud on AWS?
Customer data at rest is natively encrypted by vSAN. vSAN uses the AWS Key Management Service to generate the Customer Master Key (CMK). While the CMK is acquired from AWS, two additional keys are generated by vSAN: an intermediate key, referred to as the Key Encryption Key (KEK), and the Disk Encryption Key (DEK).
The CMK wraps the KEK, and the KEK in turn wraps the DEK. The CMK never leaves AWS control; encryption and decryption of the KEK is offered via a standard AWS API call.
One CMK and one KEK are required per cluster, and one DEK for every disk in the cluster.
Can I turn on or turn off vSAN Encryption selectively?
vSAN Data-at-Rest Encryption is on by default for all SDDCs and cannot be deactivated.
Is there any performance impact because of encryption?
There is always overhead from use of encryption, but the effect on workloads tends to be minimal for environments adequately sized for CPU and I/O. vSAN encryption uses an efficient AES-XTS-256 cipher and leverages CPU-based AES-NI cryptographic instructions for performance.
What provisions are available to rotate the keys used for data at rest encryption in VMware Cloud on AWS?
Customers have the option to change the KEK (Key Encryption Key) either through the vSAN API or through the vSphere UI. This process is called a shallow rekey. Note that a shallow rekey does not change the Disk Encryption Key (DEK) or the Customer Master Key (CMK). Changing the DEK or the CMK is not supported. In the rare situation where the DEK or CMK must be changed, users have the option to set up a new cluster with a new CMK and Storage vMotion the data from the existing cluster.
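The key hierarchy and the shallow rekey described above, as an added example (not VMware's code): a stand-in KMS that never releases the CMK, one KEK per cluster, one DEK per disk, and a rekey that replaces only the KEK. The wrap/unwrap primitive is a standard-library encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) used as a placeholder for AES key wrap and AES-XTS; the `FakeKms` and `Cluster` classes are assumptions of this example.

```python
import hmac
import secrets
from hashlib import sha256

WRAP_NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for a key-wrap / disk cipher: nonce || ct || tag."""
    nonce = secrets.token_bytes(WRAP_NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag under `key`, then decrypt; a wrong key raises ValueError."""
    nonce, ct, tag = blob[:WRAP_NONCE_LEN], blob[WRAP_NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class FakeKms:
    """Stand-in for AWS KMS (assumption): the CMK stays inside and only wraps/unwraps the KEK."""

    def __init__(self) -> None:
        self._cmk = secrets.token_bytes(32)  # never leaves this object

    def encrypt(self, kek: bytes) -> bytes:
        return wrap(self._cmk, kek)

    def decrypt(self, wrapped_kek: bytes) -> bytes:
        return unwrap(self._cmk, wrapped_kek)


class Cluster:
    """One KEK per cluster, one DEK per disk; only wrapped keys are stored at rest."""

    def __init__(self, kms: FakeKms, disk_count: int) -> None:
        self.kms = kms
        kek = secrets.token_bytes(32)
        self.wrapped_kek = kms.encrypt(kek)
        self.wrapped_deks = [wrap(kek, secrets.token_bytes(32)) for _ in range(disk_count)]
        self.disks = [b""] * disk_count

    def kek(self) -> bytes:
        return self.kms.decrypt(self.wrapped_kek)  # the KMS API call the FAQ mentions

    def dek(self, disk: int) -> bytes:
        return unwrap(self.kek(), self.wrapped_deks[disk])

    def write(self, disk: int, data: bytes) -> None:
        self.disks[disk] = wrap(self.dek(disk), data)

    def read(self, disk: int) -> bytes:
        return unwrap(self.dek(disk), self.disks[disk])

    def shallow_rekey(self) -> None:
        """Replace the KEK and re-wrap every DEK under it; DEKs and CMK are untouched."""
        deks = [self.dek(i) for i in range(len(self.wrapped_deks))]
        new_kek = secrets.token_bytes(32)
        self.wrapped_kek = self.kms.encrypt(new_kek)
        self.wrapped_deks = [wrap(new_kek, d) for d in deks]


def shallow_rekey_demo() -> dict:
    """Show what a shallow rekey does and does not change."""
    cluster = Cluster(FakeKms(), disk_count=2)
    cluster.write(0, b"customer data")  # constructed sample payload
    kek_before = cluster.kek()
    deks_before = [cluster.dek(i) for i in range(2)]
    cluster.shallow_rekey()
    return {
        "kek_changed": cluster.kek() != kek_before,
        "deks_unchanged": [cluster.dek(i) for i in range(2)] == deks_before,
        "data_readable": cluster.read(0) == b"customer data",
    }


if __name__ == "__main__":
    print(shallow_rekey_demo())
```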
Are there any other options for customers to bring their own keys for data at rest encryption?
The Customer Master Key (CMK) is only sourced from the AWS Key Management Service.
Why does vSAN require “slack space?”
Like any storage system, vSAN uses unused, or “slack,” space to maintain the health of the system. This space is used for rebalancing capacity, deduplication, and for recovering from hardware failures.
How are slack space requirements enforced if I turn on EDRS?
EDRS is aware of vSAN and VMware ESXi capacity requirements and will automatically add or remove hosts to be certain that your SDDC remains healthy. EDRS is the best way to ensure that your SDDC is always sized correctly.
Are data compression and deduplication capabilities available on I3en.metal instances?
Compression is available on I3en bare metal instances. Deduplication is not supported on I3en instances.
What policy settings are applied by Automatic adjustment of vSAN policy for improved data availability?
For a Standard Cluster:
- 5 hosts or fewer: Failures to tolerate 1, RAID-1
- 6 hosts or more: Failures to tolerate 2, RAID-6
For a Stretched Cluster:
- Dual Site Mirroring, Failures to tolerate 1, RAID-1
What is TRIM/UNMAP?
TRIM/UNMAP is a vSAN feature that allows the guest OS to issue TRIM/UNMAP commands so that vSAN can remove unused blocks inside virtual machines. This benefits thin-provisioned VMDKs as unused blocks can be reclaimed automatically and delivers much better storage capacity utilization.
How does the TRIM/UNMAP feature work?
The guest OS issues the TRIM/UNMAP commands, and vSAN reclaims the referenced blocks in the background until all of the unused blocks have been reclaimed.
What benefit do I get from enabling the TRIM/UNMAP feature?
This process frees up storage space, and it also has secondary benefits:
- Faster repair: blocks that have been reclaimed do not need to be rebalanced or re-mirrored in the event of a device failure.
- Removal of dirty cache pages: read cache can be freed up in the DRAM client cache.
How is the TRIM/UNMAP feature enabled for my SDDC?
As this feature is being released as a preview, we will enable the feature on a per cluster basis, based on your preference. Please contact your account team to have this feature enabled for your cluster.
What is the performance impact of TRIM/UNMAP feature?
This process does carry some performance impact. It is recommended that TRIM/UNMAP processes be triggered periodically inside the guest OS, versus running continuously.
TRIM/UNMAP operations will be throttled in the SDDC if they consume more than a predefined amount of storage bandwidth capacity.
What is Cloud Native Storage?
Cloud Native Storage (CNS) is a VMware Cloud on AWS and Kubernetes (K8s) feature that makes K8s aware of how to provision storage on VMware Cloud on-demand in a fully automated, scalable fashion as well as providing visibility for the administrator into container volumes through the CNS UI within VMware vCenter Server. Cloud Native Storage on VMware Cloud is supported with TKG and TKG Plus.
How does Cloud Native Storage work?
Cloud Native Storage (CNS) comprises two parts: a Container Storage Interface (CSI) plugin for K8s and the CNS Control Plane within VMware vCenter Server. There is nothing to install or configure within the service to get this integration working. Simply deploy Kubernetes with the vSphere CSI.
Are data compression and deduplication capabilities available on I4i.metal instances?
Compression is available on I4i bare metal instances. Deduplication is not supported on I4i instances.
How much vSAN storage comes with VMware Cloud on AWS with different host types?
With the I3.metal host instance, each VMware ESXi host comes with NVMe SSD storage. A 3-host VMware ESXi cluster running vSAN provides approximately 15 TiB of usable storage and a 4-host cluster provides approximately 21 TiB of usable storage, with all virtual machines protected against a single host failure (FTT=1). With the I3en.metal host instance, each VMware ESXi host also comes with NVMe SSD storage. A 3-host VMware ESXi cluster running vSAN provides approximately 60 TiB of usable storage. provides approximately 30 TiB of raw local NVMe flash storage across a 3-node cluster (2x compared to I3.metal). Please note that the exact usable storage will vary depending on the effective storage policy, cluster size, and site tolerance. All virtual machines are protected against a single host failure (FTT=1). In addition, with all host types you can attach external storage to your VMware Cloud on AWS deployment to extend your storage capacity for more storage-intensive workloads without provisioning additional hosts.
How much external storage can I have on an SDDC?
When you are using an external NFS datastore, you can configure the volume size up to the configuration limit of the NFS server. Please consult the VMware Flex Storage FAQs and the Amazon FSx for NetApp ONTAP FAQs for more details.
Can I still use vSAN storage in an SDDC that has external NFS datastores?
Yes. The VMware Cloud on AWS vSAN local storage is still available when external storage is attached.
What are the use cases that are suitable for external storage access from a VMware Cloud on AWS based guest operating system?
In addition to mounting an external NFS datastore to a vSphere cluster in your SDDC, you can also directly attach external storage to a virtual machine running on VMware Cloud on AWS. Storage provided from an EC2-based virtual storage array to a VMware Cloud on AWS guest OS is ideal for a variety of use cases, including test and development, elasticity for big data workloads, and user/home directories. Both block and file protocols are supported.
What external virtual storage arrays are supported on VMware Cloud on AWS?
VMware Cloud on AWS now supports external NFS datastores such as the VMware-managed – , or an AWS managed solution – to extend storage capacity without adding additional hosts. VMware Cloud on AWS can also support a variety of AWS EC2 based virtual storage arrays and general-purpose operating systems that export storage volumes or LUNs. Our storage partners will independently test and provide documentation for their respective solutions.
Which Managed Service Providers (MSPs) offer external storage with VMware Cloud on AWS?
Faction and Rackspace are currently supported Managed Service Providers (MSPs) that offer external storage for VMware Cloud on AWS.
Are there any functional differences or caveats I should be aware of when using external storage through the Managed Service Provider (MSP)?
Please check the VMware Cloud on AWS release notes for a list of caveats and limitations related to the usage of external storage through the Managed Service Provider (MSP). Also, please check with the Managed Service Provider (MSP) for additional details.
Can I storage vMotion workloads between NFS Datastore and the VMware Cloud vSAN datastore?
Yes. Storage vMotion is supported.
How many external datastores can I attach to a single cluster in my SDDC?
Each cluster can have up to four datastores attached. The size of the datastore depends on the storage target.
What is the minimum software version of VMware Cloud on AWS SDDC to support the external NFS datastore feature?
Your SDDC must be version 1.20 or above to use the external NFS datastore feature.
Where can I find more information about the external NFS datastore support?
For further technical information about VMware Cloud on AWS integration with Amazon FSx for NetApp ONTAP please visit the page: https://vmc.techzone.vmware.com/fsx-ontap and check FAQ: https://vmc.techzone.vmware.com/fsx-ontap-faq.
Storage – Cloud Flex Storage
What is VMware Cloud Flex Storage?
Our vision for VMware Cloud Flex Storage is to deliver enterprise-class storage and data management as a service for the multi-cloud. We plan to support a broad range of workloads by enabling multi-dimensional scaling of compute, storage performance, and storage capacity, while delivering a seamless and consistent data management experience across clouds.
In the initial release, we are delivering a new approach to help VMware Cloud on AWS customers better align their cloud resources with the needs of their applications and data. Customers will be able to purchase a disaggregated cloud storage and data management service that is fully managed by VMware. It is scalable, elastic, and natively integrated into VMware Cloud on AWS. With just a few clicks in the VMware Cloud Console, customers can scale their storage environment without adding hosts, and elastically adjust their storage capacity up or down as needed for every application. Customers also benefit from a simple pay-as-you-go consumption model. We are offering VMware Cloud Flex Storage as supplemental storage to vSAN. Together with vSAN, VMware Cloud Flex Storage offers more flexibility and customer value in terms of resilience, performance, scale, and cost in the cloud.
What is the underlying technology for VMware Cloud Flex Storage?
VMware Cloud Flex Storage is built on a mature, enterprise-class filesystem that has been developed and production-hardened over many years, dating back to Datrium's DHCI storage product, which VMware acquired in July 2020. It is the same filesystem that has been backing the VMware Cloud Disaster Recovery service. The filesystem has a two-tier design that allows for independent scaling of storage performance and capacity, using a Log-Structured Filesystem (LFS) design. You can read more about the filesystem architecture in Sazzala Reddy's (Chief Technologist and a founder of Datrium) blog here. The combination of LFS with a two-tier design, along with efficient snapshots and immutability, makes this a multi-purpose filesystem that unlocks many use cases, such as backup, disaster recovery, ransomware protection, and recovery. With VMware Cloud Flex Storage, we are extending this proven technology to primary storage and making it available in the public cloud, where it delivers exceptional storage performance, scalability, and cost efficiency for traditional and modern workloads.
Is VMware Cloud Flex Storage managed by VMware?
Yes, the service is fully managed by VMware.
In which AWS regions is VMware Cloud Flex Storage available?
At launch, VMware Cloud Flex Storage will be available in AMER, EMEA, and LATAM. APAC support is expected in a subsequent release. VMware Cloud Flex Storage will be available in all AWS regions that support VMware Cloud and VMware Cloud DR.
What are the key use cases of VMware Cloud Flex Storage?
Here are the key use cases of VMware Cloud Flex Storage:
- Seamless and cost-effective cloud migration: For customers who are looking to use VMware Cloud on AWS for a seamless and cost-effective cloud migration, VMware Cloud Flex Storage delivers true enterprise-class storage. It reduces complexity and time-to-value by supporting the lift and shift of virtual machines without a need to rework the data layer or re-architect the storage design. Customers can also simplify their operations with a storage solution that is natively built into the VMware Cloud on AWS service and readily available without manual configurations.
- Elastic data center extension: Customers who are looking to use VMware Cloud on AWS for data center extension can use VMware Cloud Flex Storage for easy access to additional storage capacity with dynamic scaling of resources. Common scenarios include high performance burst capacity, on-demand scaling for data analytics, or cost-effective long-term storage of data repositories in the cloud. This gives customers the choice of keeping their data where it best serves their consumption needs, across their data centers and the public cloud. As a result, customers benefit from a VMware-consistent, enterprise-grade hybrid cloud environment with single-pane-of-glass management through the VMware vCenter Server console.
- Scaling of storage-intensive workloads: For customers who are running certain workloads on VMware Cloud on AWS using local instance storage with VMware vSAN, but have other workloads that are storage bound, VMware Cloud Flex Storage offers a disaggregated storage service that allows them to independently, seamlessly, and optimally scale their performance and storage capacity to fit every workload individually. VMware Cloud Flex Storage is an ideal solution for scaling large volumes of data in an agile, flexible, and cost-effective way.
How can I learn more about VMware Cloud Flex Storage?
For more information on this service, please visit the VMware Cloud Flex Storage page, or contact your sales representative or partner to learn how VMware Cloud Flex Storage can help your business.
How do I connect to the VMware vCenter Server in my SDDC on VMware Cloud on AWS?
By default, there is no external access to the VMware vCenter Server system in your SDDC on VMware Cloud on AWS. To open access, configure a firewall rule on the Management Gateway firewall that allows the required sources to reach the VMware vCenter Server system.
Is there connectivity from the AWS VPC to VMware vCenter Server and ESX host?
Yes, you can configure connectivity from an EC2 instance deployed in the Connected AWS VPC to VMware vCenter Server.
What are the management and compute gateways?
When you deploy an SDDC in VMware Cloud on AWS, it is configured with two networks: a management network and a compute network. The management network handles network traffic for the SDDC hosts, VMware vCenter Server, VMware NSX Manager, and other management functions. The compute network handles network traffic for your workload VMs. The gateways allow users to access these networks from the Internet, on-premises, and the connected AWS VPC. The VMware NSX Edge acts as the gateway.
How many traffic types exist in VMware Cloud on AWS SDDC?
There are three traffic groups in VMware Cloud on AWS:
- VMkernel Traffic (ESX Management, vMotion)
- Management Appliance Traffic (VMware vCenter Server, SRM, vSphere Replication Appliance, VMware NSX Manager)
- Workload VM Traffic
How does connectivity between the overlay network and the VMware NSX management appliances work with VMware NSX?
By default, the Compute Gateway and Management Gateways are connected through a logical segment. You can control communication through the firewall policy on the Management Gateway.
What is the change in default logical network?
When you deploy an SDDC with 3 or more hosts, a default logical network is not created. It is the responsibility of the user to create a network with an appropriate CIDR before deploying virtual machines.
What is the reason for not creating default logical network for 3+ nodes SDDC?
There were many incidents where the default logical network CIDR (192.168.1.0/24) overlapped with on-premises networks and caused connectivity issues. These issues are very difficult to troubleshoot.
Will default logical network be created for one node SDDC?
Yes. A default logical network is created in a one-node SDDC. Customers must make sure that there is no overlap with the CIDR 192.168.1.0/24.
What is IPFIX and is it available with VMware Cloud on AWS?
IPFIX is a standard that allows virtual or physical switches to export flow information going through the switch to collector tools. Customers may decide to monitor all flows on a particular logical switch or set of logical switches. IPFIX is available with VMware Cloud on AWS.
Where can I find additional information about IPFIX?
You can find more information about IPFIX in VMware Cloud on AWS product documentation.
What is Port Mirroring?
Port Mirroring is a networking feature on virtual or physical switches that allows users to capture all packets from a port and send them to a destination device. In VMware Cloud on AWS, port mirroring is configurable on virtual switches only.
What type of port mirroring is supported in VMware Cloud on AWS?
VMware Cloud on AWS supports Encapsulated Remote SPAN.
Can only one vNIC of a virtual machine be selected as part of the port mirror session?
Yes, a single vNIC can be configured in a port mirroring source group.
What are DNS Zones?
DNS Zones allow users to specify different DNS servers for different domains (FQDNs).
How many DNS Zones are supported?
5 zones are supported.
How would I forward requests to DNS servers deployed in VMware Cloud on AWS as well as on-premises DNS servers?
You can configure up to 5 DNS zones. One of those should use the on-premises domain (FQDN) and point to the on-premises DNS server, and another should use the AWS domain (FQDN) and point to the DNS server in AWS.
Does VMware Cloud on AWS provide DHCP Relay functionality?
Yes, VMware Cloud on AWS provides both native DHCP capabilities and DHCP Relay.
How can I configure DHCP Relay?
This can be configured under Networking & Security tab under System→DHCP.
Can I use both DHCP Server for some Logical segments and DHCP Relay for other Logical segments?
No, either native DHCP capabilities can be used or DHCP Relay. Users will not be able to use DHCP Relay if there are any network segments using native DHCP capabilities; the respective network segments will have to be deleted first.
Are all VMware NSX APIs in VMware Cloud on AWS available under Developer Center?
Yes, you can find all available VMware NSX APIs for VMware Cloud on AWS in API Explorer.
What is the difference between "VMware NSX VMware Cloud Policy" API and "VMware NSX VMware Cloud AWS Integration" API?
VMware NSX VMware Cloud Policy API includes all the VMware NSX Networking and Security APIs for the VMware NSX capabilities within the SDDC. VMware NSX VMware Cloud AWS Integration API includes APIs that are specific to AWS like Direct Connect.
What is the benefit of using API Explorer for VMware NSX APIs?
VMware NSX APIs can easily be found and used within the VMware Cloud on AWS SDDC's API Explorer. Furthermore, customers can search on keywords. Customers can easily look up and test VMware NSX APIs directly from API Explorer before including them in larger scripts or applications.
How can I use API Explorer with VMware NSX APIs?
Go to API Explorer, which can be found under the Developer Center. From API Explorer, select your Organization and SDDC, and you will see both "VMware NSX VMware Cloud Policy" API and "VMware NSX VMware Cloud AWS Integration" API. Click on the one you would like to use. You will see a list of relevant VMware NSX APIs. You can put in the requested information and click the Execute button to execute the API.
How can I request approval for penetration testing applications and systems in my SDDC?
VMware has a comprehensive vulnerability management program that includes third-party vulnerability scanning and penetration testing. VMware conducts regular security assessments to maintain VMware Cloud on AWS compliance programs and continuously improve cloud platform security controls and processes. While the requirements to conduct penetration testing vary by industry compliance regulations, customer environments benefit greatly from penetration testing to measure the security effectiveness within their virtual infrastructure (SDDCs) and applications. To notify VMware that you plan to conduct penetration testing, please use this Request Form to provide us with relevant information about your test plans. VMware will respond with an approval by email. Penetration testing must be conducted in accordance with our Penetration Testing Rules of Engagement.
How can I utilize Jumbo Frames on Direct Connect Network?
VMware Cloud on AWS supports Jumbo Frames for networking traffic on Direct Connect. To fully benefit from Jumbo Frames and avoid fragmentation, you must ensure that the Direct Connect interface MTU is set equal to the end to end path MTU from your SDDC to your Data Center over Direct Connect. On the AWS Account, the Direct Connect private VIF must be created with this MTU size. On the SDDC, the Intranet uplink MTU must be set to 8900.
Can I use Jumbo Frames over VPN?
No, only traffic over Direct Connect, VMware Transit Connect, or across the Connected VPC can leverage Jumbo Frames.
What is the maximum value for the Jumbo frame with VMware Cloud on AWS SDDC?
See the VMware Cloud on AWS configuration maximums page for details.
VMware SD-WAN Integration
What is the integration between VMware Cloud on AWS and VMware SD-WAN about?
The integrated solution is about providing Policy-Based IPsec VPN connectivity between SD-WAN enabled branches and application workloads that reside in VMware Cloud on AWS. The solution leverages the VMware SD-WAN Gateways, as an on-ramp mechanism to VMware SDDC deployed on AWS. The SD-WAN Gateway is the peer end of the tunnel that is set up on the VMware SDDC T0 Gateway. The SD-WAN solution has a feature called “Non-VeloCloud-Site,” which allows SD-WAN Gateways to set up IPsec tunnels to non-SD-WAN locations.
What is VMware SD-WAN by VeloCloud?
VMware SD-WAN by VeloCloud is a global service that delivers high-performance, reliable branch access to cloud services, private data centers, and SaaS-based enterprise applications. SD-WAN increases bandwidth economically by aggregating WAN circuits of any type, providing faster response even for single application flows. Data plane function and orchestration are delivered in the cloud to provide direct and optimized access to cloud as well as on-premises resources. You can deploy a branch in minutes with VMware SD-WAN Edge activation from the cloud. Automatic WAN circuit discovery and monitoring eliminate link-by-link and branch-by-branch configuration.
Why does VMware SD-WAN solution matter to me?
VMware provides hybrid and multi-cloud capacity, while VMware SD-WAN provides the fabric between clouds. As customers leverage more of VMware Cloud on AWS, SD-WAN will offer optimal connectivity to VMware Cloud on AWS.
Does VMware SD-WAN support data center migration?
VMware SD-WAN focuses on WAN connection between branches and VMware Cloud on AWS for workload or application access. See the section on Workload Migration.
Does VMware SD-WAN currently work with VMware Cloud on AWS GovCloud (US)?
VMware SD-WAN currently does not support VMware Cloud on AWS GovCloud (US).
What do I need to get started with VMware SD-WAN?
To get started with VMware SD-WAN, customers will need to have an SD-WAN subscription with the Premium license (which provides access to SD-WAN Gateways, and Non-VeloCloud-Site capabilities) or Enterprise License (which needs Non-VeloCloud-Site capability via Gateway add-on option). Customers should also have access to the VMware SD-WAN Orchestrator to have the capability to create a Non-VeloCloud Site Network Service. Customers will also need to have at least a single-host VMware Cloud on AWS environment with access to manage Networking and Security.
How do I set up VMware SD-WAN?
Are there any special considerations when setting up VMware SD-WAN?
Yes, you must call into VMware GSS and mention this KB article. This KB article discusses that the SD-WAN Gateway private IP must be obtained for the configuration of the VMware Cloud on AWS side, and this information can only be gained from Support. Additionally, while this integration with VMware SD-WAN will provide the capability for branches to communicate with VMware Cloud on AWS workloads, this integration is not recommended to be used for migration of workloads from the data center to cloud using IPsec VPN.
Are there any limitations of VMware SD-WAN?
At this time, only a single non-redundant tunnel is instantiated. This limitation will be addressed in future releases of the VMware Cloud on AWS and SD-WAN integration.
Where can I go to get support for VMware SD-WAN?
When encountering issues with the integration of VMware SD-WAN with VMware Cloud on AWS, please contact VMware Global Support Services (GSS), and they will work with you to reach a resolution and engage the appropriate resources.
Networking - Advanced
What are Multiple Compute Gateways (Multi-CGW)?
Multi-CGW enables customers to create additional CGWs (T1s) and manage the lifecycle for those CGWs.
Which use cases are enabled by the Multi-CGW?
Multi-CGW will enable the following use cases:
· Multi-tenancy within an SDDC
· Overlapping IPv4 address space across CGWs
· Support for static routes on customer managed CGW
· Deployment of isolated test segments for Disaster Recovery (DR) testing or "sandbox" environments.
What are the different types of Multi-CGWs (MCGW) supported?
Three types of MCGWs are supported:
· Routed – Segments behind a routed CGW are part of the SDDC’s routing table
· NATted – Segments behind a NATted CGW are reachable only via NAT configuration and are not part of the SDDC’s routing table.
· Isolated – Segments behind an Isolated CGW are not available to the rest of the SDDC.
Can the Multi-CGW type be changed after creation?
Yes, Multi-CGW configuration can be changed to meet customer network requirements.
Does each Multi-CGW have a gateway firewall?
Yes. Each Multi-CGW has its own gateway firewall.
Which NAT options does the Multi-CGW feature support?
Multi-CGW supports multiple NAT options:
- Source NAT (SNAT) – Changes Source IP
- Destination NAT (DNAT) – Changes Destination IP
- Reflexive NAT – Stateless NAT
- No SNAT
- No DNAT
Can VPNs be terminated directly on the Multi-CGWs?
Yes. IPsec policy and route-based VPNs as well as L2 VPN are supported on the Multi-CGWs.
Is Route Aggregation necessary for Multi-CGW feature?
For any Multi-CGW connected segment to communicate with Direct Connect, VMware Transit Connect, or the VMware ESXi management network, Route Aggregation must be configured. Route aggregation is not required for Internet via the SDDC’s Internet Gateway.
Which route types are supported on the Multi-CGWs?
Static routes can be configured on the Multi-CGWs. Non-default static routes can be configured on any type of Multi-CGW (Routed, NATted, or Isolated). The default route (0.0.0.0/0) can only be configured on Isolated Multi-CGWs.
How do I configure a default drop firewall rule in the Multi-CGW gateway firewall?
In SDDC version 1.18, you cannot change the default firewall from Allow to Drop or Reject. You can add a rule to drop all traffic before the default rule of Allow.
What version of SDDC do I need to use Multi-CGW feature?
The minimum SDDC version required to use Multi-CGW feature is 1.18.
Are additional licenses required to use Multi-CGW feature?
No additional licenses are required to use the Multi-CGW feature.
How many CGWs are supported in Multi-CGW feature?
What is Route Aggregation feature and why do we need it?
Route Aggregation summarizes individual CIDRs into a smaller number of advertisements. This is useful to address scale issues caused by the default underlay constraints in the cloud. Route Aggregation can also help improve convergence as fewer API calls are needed to program tables during network changes.
Route Aggregation is also required for Multi-CGW: for any Multi-CGW-connected segment to communicate with Direct Connect, VMware Transit Connect, the Connected VPC, or the VMware ESXi management network, an aggregate route must be configured.
Is the AWS Managed Prefix List Mode required for the Route Aggregation feature?
Route Aggregation for Connected VPC can’t be used without enabling AWS Managed Prefix List Mode.
What does enabling AWS Managed Prefix List Mode do?
When AWS Managed Prefix List Mode is enabled, a VMware managed prefix list is created and maintained by the SDDC and shared to the Connected VPC’s AWS account. This simplifies customer routing configuration and improves network convergence. Additionally, it enables the ability for customers to use the prefix list to support multiple route tables and prefix list based AWS Security Groups in the Connected VPC.
Is an aggregate route suppressed when there are no member routes?
No. The aggregate route will be advertised even if there are no member routes.
Will the prefix for a segment be advertised if there is no aggregate route that covers that segment?
For any segment behind a Multi-CGW, there must be an aggregate route that covers that segment; otherwise, that segment will not be reachable. For any segment behind the default CGW, if there is no aggregate route that covers that segment, that individual prefix will be advertised.
Is the management CIDR suppressed if an aggregate route covers the management CIDR?
If an aggregate route includes the management CIDR, the management CIDR will still be advertised as a discrete CIDR.
What happens if an inaccurate CIDR is configured?
When an incorrect CIDR is configured due to a typo or incorrect subnetting, the system normalizes the CIDR before applying the aggregate prefix. Please check that the applied configuration meets your expectation.
What are the additional considerations when using the Route Aggregation feature?
Here are a few additional things to remember when using the Route Aggregation feature:
- Incorrect aggregation can impact reachability to networks on-premises or in other SDDCs.
- NAT CIDRs need to be included in the aggregation if you want them to be reachable.
- Multiple aggregations can be created for non-contiguous networks.
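The advertisement rules stated in this Route Aggregation section, as an added example (not VMware's implementation; the semantics below are an assumption drawn from the FAQ answers): mis-subnetted aggregates are normalized, an aggregate is advertised even with no member routes, an uncovered default-CGW segment is advertised as its own prefix, an uncovered Multi-CGW segment or NAT CIDR is unreachable, the management CIDR is always advertised discretely, and aggregates that overlap on-premises prefixes are flagged.

```python
from ipaddress import IPv4Network, ip_network
from typing import Iterable, List, Tuple


def normalize_cidr(cidr: str) -> IPv4Network:
    """Mimic the normalization of a mis-subnetted CIDR: host bits are cleared,
    so "10.1.5.0/16" becomes 10.1.0.0/16. Check the result matches your intent."""
    return ip_network(cidr, strict=False)


def advertised_routes(
    aggregates: Iterable[str],
    default_cgw_segments: Iterable[str],
    multi_cgw_segments: Iterable[str],
    mgmt_cidr: str,
    nat_cidrs: Iterable[str] = (),
) -> Tuple[List[str], List[str]]:
    """Return (advertised prefixes, unreachable prefixes) under the FAQ's rules."""
    aggs = [normalize_cidr(a) for a in aggregates]
    advertised = set(aggs)  # an aggregate is advertised even with no member routes
    unreachable = set()

    def covered(net: IPv4Network) -> bool:
        return any(net.subnet_of(a) for a in aggs)

    for seg in map(ip_network, default_cgw_segments):
        if not covered(seg):
            advertised.add(seg)  # default-CGW fallback: advertise the discrete prefix
    for seg in map(ip_network, multi_cgw_segments):
        if not covered(seg):
            unreachable.add(seg)  # Multi-CGW segments need a covering aggregate
    for nat in map(ip_network, nat_cidrs):
        if not covered(nat):
            unreachable.add(nat)  # NAT CIDRs must be included in the aggregation
    advertised.add(ip_network(mgmt_cidr))  # management CIDR is always discrete
    return [str(n) for n in sorted(advertised)], [str(n) for n in sorted(unreachable)]


def conflicting_aggregates(
    aggregates: Iterable[str], remote_prefixes: Iterable[str]
) -> List[Tuple[str, str]]:
    """Flag aggregates that overlap on-premises or other-SDDC prefixes; such an
    aggregate can hide those destinations behind the SDDC's own advertisement."""
    conflicts = []
    for agg in map(normalize_cidr, aggregates):
        for remote in map(ip_network, remote_prefixes):
            if agg.overlaps(remote):
                conflicts.append((str(agg), str(remote)))
    return conflicts


if __name__ == "__main__":
    # Constructed sample configuration (documentation ranges, not a real SDDC)
    adv, unr = advertised_routes(
        aggregates=["10.3.0.0/8"],  # typo: normalizes to 10.0.0.0/8
        default_cgw_segments=["10.10.1.0/24", "172.16.0.0/24"],
        multi_cgw_segments=["10.20.1.0/24", "192.168.50.0/24"],
        mgmt_cidr="10.2.0.0/20",
        nat_cidrs=["203.0.113.0/28"],
    )
    print("advertised:", adv)
    print("unreachable:", unr)
    print("conflicts:", conflicting_aggregates(["10.3.0.0/8"], ["10.50.0.0/16"]))
```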
What version of SDDC do I need to use Route Aggregation feature?
The minimum SDDC version required to use Route Aggregation feature is 1.18.
Are additional licenses required to use Route Aggregation feature?
No additional licenses are required to use the Route Aggregation feature.
Networking - Firewall
Will my security policy and services migrate when the VM is migrated to the VMware Cloud on AWS SDDC?
No. You are responsible for moving the security policy and services.
What is Distributed Firewall?
The VMware NSX Distributed Firewall enables micro-segmentation (granular control over East-West traffic) for application workloads running in the VMware Cloud on AWS SDDC.
What is the default Distributed Firewall policy?
The default distributed firewall security policy is allow all. Users can create deny policies as part of the different sections created by default.
How many default sections are created in the DFW?
There are 5 default sections: Ethernet, Emergency, Infrastructure, Environment, and Application.
What is Inventory and why is it used with DFW policies?
Inventory provides the list of VMs deployed in VMware vCenter Server. It allows users to create security policies using VM context instead of IP addresses, and these policies are easy to configure and manage.
What is Grouping?
The Grouping construct lets users create identifiable groups of objects and write security policies that reference those groups. For example, you can create groups of VMs named "web", "app" and "db" and then use them to create firewall rules between the Web and App tiers and between the App and DB tiers.
What is Tagging?
Tagging allows users to assign tags to virtual machines. Tagged virtual machines can automatically become members of a group that is referenced in firewall policies.
What is Firewall Logging?
Firewall Logging enables customers to log packets that match specific firewall rules. The captured packet logs support troubleshooting and security monitoring.
Where do the Packet Logs forward?
Packet logs are forwarded to the vRealize Log Insight Cloud service (formerly named Log Intelligence).
Do I have to purchase the vRealize Log Insight Cloud service to see the packet logs?
Yes. Customers get a free 60-day trial for viewing packet logs, after which they must purchase the service to keep access to the packet logs.
Can I enable FW logging for Compute Gateway, Management Gateway, and Distributed Firewall?
Yes. You can enable logging for Compute and Management gateway, and DFW rules.
What information is available on firewall statistics?
Administrators can access firewall statistics directly from the Networking and Security console. Clicking the graph icon on the right-hand side of a rule shows:
- Hit Count
- Packet Count
- Session Count
- Byte Count
- Popularity Index
- Max Popularity Index
- Max Session Count
- Total Session Count
Can the default Distributed Firewall policy be changed?
Yes. Users can change the DFW from its default permit model (all traffic is allowed and specific traffic is denied with security rules) to a drop model (only traffic explicitly allowed by security rules is permitted and everything else is dropped). Before switching to the drop model, make sure rules allowing the infrastructure traffic your workloads depend on are already in place.
Can I limit the scope of a Firewall rule?
Yes. The scope of a gateway firewall or Distributed Firewall rule can be narrowed with the "Applied-To" field. Users can apply a security rule to a specific group instead of to all workloads.
What is the DFW Exclusion List?
The DFW Exclusion List holds virtual machines that are excluded from Distributed Firewall enforcement. It ensures administrators do not cut off access to key management platforms by applying a strict security policy. By default, VMware vCenter Server, VMware NSX Manager and the VMware NSX Controllers are on the Exclusion List; this option adds the ability to add more VMs to it. Keep in mind that excluded VMs receive no DFW protection at all, so keep the list short.
How can I use Groups?
Inventory Groups make it easier to create and apply security policies. Users can create Groups using virtual machine name, tag, OS name, logical segment and IP set as membership criteria. This is particularly useful for customers that need to dynamically micro-segment virtual machines based on these criteria. Nesting of Groups is supported: users can create groups inside other groups (nested groups), which lets them apply broad security policies to a wider group while keeping more granular rules for its members. This lets administrators write security policies that map closely to business and compliance policies. Refer to the VMware Cloud on AWS ConfigMax page for specific scale attributes.
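The following is an added, simplified model of how a Distributed Firewall policy built from these constructs is evaluated: tag-based group membership, a nested group, section ordering, the "Applied-To" scope, the Exclusion List and the default allow versus drop model. It is written for this FAQ section and is not VMware's code; it calls no NSX API, and the VM names, tags, groups and rules are constructed samples. The Applied-To handling is an approximation (a rule is considered only when one endpoint of the flow is in its scope), since the real DFW enforces rules on the vNICs of the scoped VMs.

```python
"""Simplified DFW evaluation model (added example, not VMware code)."""
from dataclasses import dataclass

# Constructed inventory: VM name -> set of tags.
INVENTORY = {
    "web-01": {"web", "prod"},
    "app-01": {"app", "prod"},
    "db-01": {"db", "prod"},
    "jump-01": {"mgmt"},
    "vcenter": {"mgmt"},
}

# Constructed groups: membership by tag, or by nesting other groups.
GROUPS = {
    "web": {"tags": {"web"}},
    "app": {"tags": {"app"}},
    "db": {"tags": {"db"}},
    "three-tier": {"nested": {"web", "app", "db"}},   # nested group
    "mgmt": {"tags": {"mgmt"}},
    "any": {"any": True},
}

EXCLUSION_LIST = {"vcenter"}   # VMs never subject to DFW rules

# Sections are evaluated in this fixed order; rules keep their order within a section.
SECTION_ORDER = ["Ethernet", "Emergency", "Infrastructure", "Environment", "Application"]


@dataclass
class Rule:
    name: str
    section: str
    src: str            # group name
    dst: str            # group name
    service: str        # "any" or e.g. "tcp/3306"
    action: str         # "allow" or "drop"
    applied_to: str = "any"


@dataclass
class Flow:
    src_vm: str
    dst_vm: str
    service: str


# Constructed sample policy.
RULES = [
    Rule("web-to-app", "Application", "web", "app", "tcp/8443", "allow", applied_to="three-tier"),
    Rule("app-to-db", "Application", "app", "db", "tcp/3306", "allow", applied_to="three-tier"),
    Rule("block-web-to-db", "Application", "web", "db", "any", "drop", applied_to="three-tier"),
    Rule("no-ssh-to-db-tier", "Environment", "any", "any", "tcp/22", "drop", applied_to="db"),
    Rule("mgmt-ssh", "Infrastructure", "mgmt", "any", "tcp/22", "allow"),
]


def members(group):
    """Resolve a group (tags and nested groups) to the set of VM names."""
    spec = GROUPS[group]
    if spec.get("any"):
        return set(INVENTORY)
    vms = {vm for vm, tags in INVENTORY.items() if tags & spec.get("tags", set())}
    for child in spec.get("nested", set()):
        vms |= members(child)
    return vms


def evaluate(rules, flow, default_action="allow"):
    """Return (action, rule_name) for a flow; the first matching rule wins."""
    # Exclusion-list VMs bypass the DFW entirely, whatever the default model.
    if flow.src_vm in EXCLUSION_LIST or flow.dst_vm in EXCLUSION_LIST:
        return "allow", "excluded"
    ordered = sorted(rules, key=lambda r: SECTION_ORDER.index(r.section))  # stable sort
    for r in ordered:
        scope = members(r.applied_to)
        if flow.src_vm not in scope and flow.dst_vm not in scope:
            continue   # rule is not applied to either endpoint
        if flow.src_vm not in members(r.src) or flow.dst_vm not in members(r.dst):
            continue
        if r.service != "any" and r.service != flow.service:
            continue
        return r.action, r.name
    return default_action, "default"   # allow (permit model) or drop (drop model)


if __name__ == "__main__":
    for model in ("allow", "drop"):
        print(model, evaluate(RULES, Flow("web-01", "app-01", "tcp/22"), default_action=model))
```

The same unmatched flow (web-01 to app-01 on tcp/22) is allowed under the default permit model and dropped under the drop model, while the jump host's SSH to the database tier is still allowed because the Infrastructure section is evaluated before the Environment rule that blocks SSH to the db group.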
Do I need to modify firewall policy to allow SDDCs that are a member of a SDDC Group to communicate?
Yes, firewall policy must be updated to allow SDDCs that are in a group to communicate. The SDDC Grouping construct enables network connectivity but does not dictate security policy. The SDDC group does automatically create groups that can be used to simplify the definition of security policy.
Networking - Direct Connect
What is AWS Direct Connect?
AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect (Direct Connect), you can establish private connectivity between AWS and your data center, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput and provide a more consistent network experience than Internet-based connections.
What is required while establishing an AWS Direct Connect connection?
You must create an AWS virtual interface (VIF) to begin using your AWS Direct Connect connection. There are two types of virtual interfaces. You can create a Private Virtual Interface to connect to a VPC, or you can create a Public Virtual Interface to connect to AWS public services. The Public Virtual Interface also allows VPN traffic to travel over your Direct Connect.
What are the pre-requisites for connecting to your VMware Cloud on AWS SDDCs with AWS Direct Connect using a private VIF?
You must have an established AWS Direct Connect link from your on-premises data center to an AWS region. Then create a private VIF and assign its ownership to the AWS account of your VMware Cloud on AWS SDDC. Finally, accept the attachment of the private VIF in the VMware Cloud on AWS Console.
What are the pre-requisites for connecting to your VMware Cloud on AWS SDDCs with AWS Direct Connect using a public VIF?
You must have an established AWS Direct Connect link from an on-premises data center to an AWS region. Create a public VIF and establish an IPsec VPN tunnel to the SDDC over that public VIF. No Direct Connect-specific configuration is required in the VMware Cloud on AWS Console; you need to ensure that traffic to your IPsec VPN gateway is routed over the public VIF.
How are the traffic charges handled when a Private VIF is connected to VMware Cloud on AWS SDDC?
AWS Direct Connect traffic charges will be applied to the VMware Cloud on AWS account. You will see those charges on your VMware Cloud on AWS bill.
Can I attach multiple private VIFs to a VMware Cloud on AWS SDDC?
Yes. You can attach multiple private VIFs to provide redundancy and higher throughput.
How does Direct Connect integrate with VMware NSX in the SDDC?
Direct Connect integration with VMware NSX carries all traffic between VMware Cloud on AWS and on-premises over the Private VIF.
Does Direct Connect support management and workload traffic?
Yes. With VMware NSX, both SDDC management appliance traffic and workload traffic are carried over the Direct Connect Private VIF. The management appliance and workload network routes are published to on-premises over the existing BGP sessions. As long as the BGP configuration on the on-premises router accepts these routes, you have connectivity for both traffic types.
What routes are advertised from the SDDC over Direct Connect Private VIF?
The Management Appliance CIDR, the ESXi host CIDR and the logical segment CIDRs. Refer to the VMware Cloud on AWS ConfigMax page for specific scale attributes.
Do you support Private or Public ASN with Direct Connect Private VIF?
Earlier Direct Connect Private VIF attachments to the SDDC used a public ASN. New Private VIF connections use a private BGP Local ASN (64512 by default, editable within 64512 to 65534), and existing public-ASN configurations continue to be supported. Work with the support team if your environment requires a different arrangement.
What is BGP ASN (Autonomous System Number) and do I need one to use AWS Direct Connect?
Autonomous System numbers are used to identify networks that present a clearly defined external routing policy to the Internet. AWS Direct Connect requires an ASN to create a public or private virtual interface.
Which ASN can be used for Private VIF connection to VMware Cloud on AWS SDDC?
You can pick any private ASN in the range 64512 to 65534 (65535 is reserved and cannot be used).
Is the ASN common to all Private VIF attached to VMware Cloud on AWS SDDC?
Yes, the ASN is common to all the Private VIFs attached to the SDDC.
Can I change the ASN after the Private VIFs are attached to SDDC?
You have to delete all connected Private VIFs before you can change the ASN.
What BGP Local ASN Configuration do I need with AWS Direct Connect Private VIF?
A Direct Connect connection to the SDDC now uses 64512 as the BGP Local ASN by default. This BGP Local ASN is editable, and any private ASN in the range 64512 to 65534 can be used.
Can I use Public ASN with a new Direct Connect Private VIF connection?
No, you cannot use Public ASN value while configuring the BGP Local ASN on VMware Cloud on AWS SDDC.
Will you continue to support existing Direct Connect Private VIF configuration that uses Public ASN?
Yes. We will continue to support existing Direct Connect configurations.
What do I need to do if I want to change existing Direct Connect Private VIF configuration from Public to Private ASN ?
You first have to delete the Direct Connect Private VIF connection that uses the public ASN. Then choose a private ASN from the range 64512 to 65534 and enter it in the BGP Local ASN field in VMware Cloud on AWS. After that, take the configured private ASN and the AWS account ID and create a new Hosted Private VIF in your AWS account with those values.
Networking - VPN
What is VMware NSX L2 VPN?
VMware NSX L2 VPN is a tunnel that extends layer 2 networks across geographic sites. Extended layer 2 networks let virtual machines move across sites (vMotion) while keeping their IP addresses. L2 VPN allows enterprises to migrate workloads backed by VLAN or VXLAN between on-premises and VMware Cloud on AWS without re-addressing them.
Do I need VMware NSX on-premises to use VMware NSX L2 VPN between on-premises and VMware Cloud on AWS?
No. You do not need VMware NSX on-premises to use L2 VPN. L2 VPN has two components, a client side and a server side, with the server side running in VMware Cloud on AWS. To configure an L2 VPN between on-premises and VMware Cloud on AWS, you must configure the client side component on-premises. If you do not have VMware NSX on-premises, you can download a standalone VMware NSX Edge and configure the client side of the L2 VPN on it.
Will VMware NSX L2 VPN layer 2 network extension work with any other vendor device?
No. You need a standalone VMware NSX Edge, which you can download separately, or VMware NSX on-premises.
What are the key use cases VMware NSX L2 VPN enables?
- One-time migration of applications from on-premises to VMware Cloud on AWS
- Workload migration between on-premises and VMware Cloud on AWS
- Keeping the same IP address during Disaster Recovery
How many networks can you extend over one VMware NSX L2 VPN tunnel?
Refer to the VMware Cloud on AWS ConfigMax page for specific scale attributes.
What are the bandwidth considerations across the VMware NSX L2 VPN tunnel?
The maximum bandwidth supported across a VMware NSX L2 VPN tunnel is 750 Mbps.
What is the download config link in Layer 3 IPsec VPN set up?
You can download the IPsec VPN configuration for VMware Cloud on AWS. The downloaded file captures all the key parameters that need to be configured on the peer IPsec VPN device. It is a generic parameter file that speeds up configuration on the remote side by providing all the key parameters in a single file. Treat the downloaded file as sensitive, since it contains everything needed to bring up the tunnel.
How do you achieve resilience for the L2 VPN Client?
Users can choose to deploy two standalone edge devices and configure them as active and standby for resilience.
What failure scenarios does an Active-Standby client deployment protect against?
It protects against failure of the edge itself. If the active edge fails, the standby takes over the tunnel traffic.
How many L2 VPN tunnels can you create through the VMware Cloud on AWS console?
You can create only one L2 VPN tunnel.
Does vMotion traffic flow over L2 VPN tunnel?
No. vMotion traffic does not flow through the L2 VPN tunnel; the tunnel carries traffic between VMs in VMware Cloud on AWS and on-premises resources. vMotion traffic flows over AWS Direct Connect (Private VIF).
What is Tunnel Status Monitor?
The tunnel status monitor shows granular information about the traffic through a tunnel, including any errors. This information is useful when troubleshooting or monitoring IPsec and L2 VPN tunnels.
What information is available on the tunnel statistics?
You will be able to see packets in/out and bytes in/out per tunnel as well as error counts per tunnel.
How do I find IPsec and VPN tunnel configuration errors when I use the tunnel status monitor?
The tunnel status color (green, yellow, red) indicates the health of the tunnel; clicking the status opens a pop-up with the details.
What is route-based VPN?
Route-based VPN dynamically exchanges networks across the VPN tunnel using BGP. It simplifies deployment compared to the manual, static policy-based VPN.
What protocol is supported for Route Based VPN?
Standard eBGP is supported.
What routes are advertised from the VMware Cloud on AWS SDDC?
The management infrastructure and logical segment CIDRs are advertised to the on-premises BGP peer.
With VMware NSX, do I only have to establish one VPN tunnel for management and workload traffic?
Yes. With VMware NSX, the user needs to establish just one tunnel for both management and workload traffic.
If two tunnels are established, can traffic flow through both tunnels?
Yes, if multiple tunnels are configured between the SDDC and the same remote VPN endpoint, Equal Cost Multipath (ECMP) routing will be used.
Does VMware NSX support redundant tunnels?
Yes. Redundant tunnels are supported, and users can terminate them on different endpoint devices on-premises.
How many VPN tunnels are supported?
Refer to the VMware Cloud on AWS ConfigMax page for specific scale attributes.
How is traffic flow controlled over the tunnel?
Traffic flow is controlled through the BGP parameters configured on the remote (on-premises) endpoint devices. Examples of such parameters include AS Path, BGP weights and MED.
Does VMware Cloud on AWS support two different endpoints in the SDDC?
No. The SDDC presents a single VPN endpoint, backed by an edge running in active-standby mode.
For Policy based VPN, can I create just one tunnel to carry all traffic?
Yes, you may create one tunnel for all traffic, but all management and workload subnets must be included in the tunnel definition.
Does VMware NSX support IKEv2?
Yes, both IKEv1 and IKEv2 are supported. Use IKEv2 wherever the peer device supports it.
Will I be able to see the BGP routes advertised from on-premises over VPN?
Yes. In the Route Based VPN tab, users can click "View Routes" to see the networks advertised from on-premises, and can also choose "Download Routes."
What is Source NAT public IP in the Networking Security Topology view?
Any Internet-facing communication from the SDDC requires a public IP. By default, a public IP is provisioned and Source NAT is configured for that communication. The topology view now shows that public IP, which is useful when troubleshooting.
Can IPsec VPN be used as backup to Direct Connect Private VIF?
Yes, this is supported with Route Based IPsec VPN.
How do I enable Route Based IPsec VPN as back-up to Direct Connect?
This can be enabled under Networking & Security tab under System→Direct Connect by enabling the option "Use VPN as backup to Direct Connect."
What happens if "Use VPN as backup to Direct Connect" is enabled but no VPN is configured?
Traffic goes over Direct Connect as usual. There is no VPN backup to Direct Connect until a route-based IPsec VPN is configured.
Does Route Based IPsec VPN support ECMP?
Yes, route-based IPsec VPN supports both Active/Standby and ECMP.
How do I configure ECMP with IPsec VPN?
There is no ECMP setting to enable. If multiple VPN tunnels exist to the same remote endpoint, all of them are used. Whether a tunnel is active or standby for a given route is controlled by the BGP attributes advertised from on-premises (the remote side).
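The following is an added illustration of how the BGP attributes set on the on-premises side decide, per prefix, whether redundant route-based IPsec tunnels end up in ECMP or in active/standby. It is written for this FAQ section and is not the NSX routing code: it implements only the standard best-path tie-breakers the remote peer can influence from this direction (shorter AS_PATH wins, then lower MED, with remaining ties treated as ECMP candidates). Local preference and weight, which the on-premises router applies to routes it receives, are not modelled. Tunnel names, prefixes and ASNs are constructed samples.

```python
"""Best-path selection over redundant VPN tunnels (added example, not NSX code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advertisement:
    tunnel: str
    prefix: str
    as_path: tuple   # e.g. (65010,) or prepended (65010, 65010, 65010)
    med: int = 0     # lower is preferred, compared among paths from the same AS


# Constructed sample advertisements received by the SDDC over two tunnels
# that both terminate on on-premises AS 65010 (assumption for this example).
SAMPLE_ADS = [
    Advertisement("tunnel-a", "192.168.10.0/24", (65010,)),
    Advertisement("tunnel-b", "192.168.10.0/24", (65010,)),                 # equal: ECMP
    Advertisement("tunnel-a", "192.168.20.0/24", (65010,)),
    Advertisement("tunnel-b", "192.168.20.0/24", (65010, 65010, 65010)),   # prepended: standby
    Advertisement("tunnel-a", "192.168.30.0/24", (65010,), med=100),
    Advertisement("tunnel-b", "192.168.30.0/24", (65010,), med=50),        # lower MED wins
]


def select_paths(ads):
    """Return {prefix: [tunnels]} after AS_PATH length, then MED, tie-breaking.
    Several tunnels for one prefix means ECMP; one means the rest are standby."""
    by_prefix = {}
    for ad in ads:
        by_prefix.setdefault(ad.prefix, []).append(ad)
    chosen = {}
    for prefix, cands in by_prefix.items():
        shortest = min(len(c.as_path) for c in cands)
        cands = [c for c in cands if len(c.as_path) == shortest]
        lowest_med = min(c.med for c in cands)
        cands = [c for c in cands if c.med == lowest_med]
        chosen[prefix] = sorted(c.tunnel for c in cands)
    return chosen


def tunnel_roles(ads):
    """Summarize, per prefix, whether the tunnels are in ECMP or active/standby."""
    all_tunnels = sorted({ad.tunnel for ad in ads})
    roles = {}
    for prefix, active in select_paths(ads).items():
        standby = [t for t in all_tunnels if t not in active]
        roles[prefix] = {
            "mode": "ecmp" if len(active) > 1 else "active-standby",
            "active": active,
            "standby": standby,
        }
    return roles


if __name__ == "__main__":
    for prefix, role in tunnel_roles(SAMPLE_ADS).items():
        print(prefix, role)
```

To force active/standby for a prefix, prepend the on-premises ASN on the advertisement sent over the tunnel that should be standby (or advertise it with a higher MED); advertise identical attributes over both tunnels to get ECMP.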
Networking - VMware Transit Connect
What is VMware Transit Connect?
VMware Transit Connect is a high bandwidth, low latency connectivity feature for SDDC Groups. It provides network-level connectivity among SDDC Group members by leveraging an AWS Transit Gateway (TGW) in the AWS region. It also enables network connectivity to AWS VPCs and on-premises/colo data centers (via a Direct Connect Gateway).
Can I utilize AWS Transit Gateway in VMware Cloud on AWS?
Through VMware Transit Connect, which establishes network connectivity among SDDCs by leveraging an AWS Transit Gateway: it creates a VMware Managed Transit Gateway (VTGW) for SDDC Group communication.
What connectivity models are supported with Transit Connect?
VMware Transit Connect supports SDDC to SDDC communications within the same region and across regions, SDDC to Native customer-owned AWS VPC communications within the same region, and SDDC to on-premises networks using an AWS Direct Connect Gateway.
Can my Connected VPC that is part of my SDDC also connect to the VTGW?
Yes, Connected VPC can utilize VTGW for communication. The Connected VPC will use the VPC attachment for communications to the SDDC it is associated to. The Connected VPC would use the VTGW attachment to communicate with other SDDCs in the SDDC Group.
I have connected my native AWS VPC to a VTGW. Do I need to make any changes to enable communication?
Yes. In the AWS console, you must add routes in the VPC's route tables for the SDDC CIDR(s), pointing to the VTGW attachment.
Can I connect a VPN to the VTGW instead of a Direct Connect Gateway for my on-premises environment?
No, you cannot use a VPN to connect to the VTGW.
I am using VPNs for SDDC-to-SDDC connectivity today. Can I use Transit Connect to interconnect them?
Yes, you can use Transit Connect to replace your VPN connection and get higher performance connectivity.
What is an SDDC Group?
An SDDC Group is a set of SDDCs organized together for a common purpose. It is a logical grouping that lets customers manage multiple SDDCs as a single entity, simplifying operations at scale as they deploy more SDDCs in VMware Cloud on AWS.
Do the automatically created groups get updated as networks are added or removed from my SDDCs?
Yes, the automatically created groups reflect the current state of networks.
Networking - Multi Edge SDDC
What is Multi Edge SDDC?
Multi Edge SDDC is a feature that enhances the overall network capacity of the SDDC by provisioning additional edge resources in the SDDC. Users can utilize this feature by configuring Traffic Groups and mapping specific network traffic to utilize additional resources assigned to the group.
What are the primary use cases for Multi Edge SDDC?
The primary use cases for Multi Edge SDDC are for traffic flows between the SDDC and destinations connected to a VMware Transit Connect network such as another SDDC, native AWS VPCs and on-premises. Additionally, services in the Connected VPC can take advantage of Multi Edge SDDC’s increased capacity.
What type of traffic should be considered a good use case for Multi Edge SDDC?
While Multi Edge SDDC works with many different types of traffic, we’ve found that services like data backup, database synchronization and file storage are well suited for mapping into a Traffic Group and taking advantage of the increased network capacity.
What do I need to do to enable Multi Edge SDDC?
Multi Edge SDDC requires large-sized SDDC appliances.
Does Multi Edge SDDC require additional compute resources?
Yes, each Traffic Group configured will require 2 additional hosts in the VMware Cloud Management cluster to dedicate to the networking services.
How do I configure my SDDC’s traffic to use Multi Edge SDDC?
Multi Edge SDDC uses source-based routing to steer network traffic flows. To identify the traffic, configure a prefix list of subnets or IP addresses that should use the Traffic Group, then associate the prefix list with the Traffic Group.
Does Multi Edge SDDC work with all of my SDDC’s traffic?
While Multi Edge SDDC works with all types of IP traffic from workloads, some flows cannot take advantage of it: flows that use Network Address Translation (NAT), including traffic to Amazon S3, VPN traffic and traffic using AWS Direct Connect. Management VMs and VMware ESXi hosts also cannot use Multi Edge SDDC. All of these flows continue to traverse the default edge.
Can I use Multi Edge SDDC with a 2-Host SDDC?
Because of the host requirements for Multi Edge SDDC, 2-host SDDCs cannot support it, and in most cases they do not generate enough traffic to need it.
What is a Traffic Group?
A Traffic Group is a new VMware Cloud construct that creates additional network capacity resources in the form of VMware NSX Edge routers.
What is an IP Prefix List?
An IP Prefix List is how customers define the source IP addresses of traffic that will utilize the new network capacity created by the Traffic Group.
What is an Association Map?
An Association Map is the construct used to bind an IP Prefix List to a Traffic Group.
How many Traffic Groups can I have in my SDDC?
Refer to the VMware Cloud on AWS ConfigMax page for specific scale attributes.
Can I reconfigure the Traffic Group/Prefix List/Association Map?
Reconfiguration of the prefix list being used by an association map is not possible. We recommend customers either create a new prefix list with the changes required and apply it in place of the current one, or remove the association map, update the prefix list and re-apply the association map.
Networking - Advanced Firewall
What is the Advanced Firewall Add-On?
The Advanced Firewall Add-On is a new set of capabilities enhancing the security offerings for VMware Cloud on AWS. It features Layer 7 Distributed Firewalling, Fully Qualified Domain Name (FQDN) Filter List, Distributed Intrusion Detection/Prevention Services (D-IDS/IPS), and Active Directory Based Identity Firewalling.
Is the Advanced Firewall Add-On part of the base VMware Cloud on AWS offering?
The Advanced Firewall Add-On is an additional service that needs to be enabled per SDDC before the additional features can be used. Pricing and billing information can be found on the VMware Cloud on AWS pricing page.
Does the Advanced Firewall Add-On protect East-West and North-South traffic?
Yes, the Advanced Firewall Add-On protects both East-West and North-South traffic based on the user configured policy.
Are the Advanced Firewall Add-On features available for PCI-compliant SDDCs?
No, the Advanced Firewall Add-On features are not available in PCI-compliant SDDCs.
Does the Advanced Firewall Add-On protect against malware?
Yes. The Distributed IDS/IPS feature can detect, and in prevent mode block, malware traffic that matches the curated signatures configured.
In which AWS regions are the Advanced Firewall Add-On available?
The Advanced Firewall Add-On is available in all AWS commercial regions where VMware Cloud is available.
What are the scale attributes for the Advanced Firewall Add-On features?
Please refer to VMware Cloud ConfigMax for current scale attributes.
What level of feature enablement is available for the Distributed IDS/IPS?
The Distributed IDS/IPS is enabled or disabled on a per VMware vCenter Server cluster basis.
Where do I download signatures for Distributed IDS/IPS?
Updated signatures for the Distributed IDS/IPS are obtained from the VMware NSX Threat Intelligence Cloud (NTIC) service. This can be configured for automatic updates to streamline administration and ensure the most current signatures are in place.
What is VMware NSX Threat Intelligence Cloud services?
VMware NSX Threat Intelligence Cloud service is a VMware managed repository of IDS/IPS signatures. It is a cloud based offering hosted in multiple regions across the globe.
Does the ability to perform an offline update of the Distributed IDS/IPS signatures exist?
For customers with isolated SDDCs that cannot automatically update through NTIC, an offline download and upload option exists using APIs.
Where are Distributed IDS/IPS signatures stored?
The signatures for Distributed IDS/IPS are initially downloaded to VMware NSX Manager inside the SDDC, and then automatically placed on each host in a cluster that is configured to use Distributed IDS/IPS.
Can I run the Distributed IDS/IPS in detect only mode?
Yes, when a policy is configured for the Distributed IDS/IPS it can be configured for detect only (IDS) or detect and prevent (IPS) actions.
What is the use case for Identity Firewall (IDFW)?
The primary use case for IDFW is for granular, per user session based firewall policy in Virtual Desktop Infrastructure (VDI) environments.
Does Identity Firewall (IDFW) support Remote Desktop Session Host (RDSH)?
The IDFW supports both VDI and RDSH methods for remote access.
What level of feature enablement is available for the Identity Firewall (IDFW)?
The IDFW is enabled or disabled on a per VMware vCenter Server cluster basis.
Is Guest Introspection required to use the Identity Firewall (IDFW) feature?
Guest Introspection is used by the IDFW feature.
Does Guest Introspection require a dedicated VM to operate?
VMware Cloud on AWS uses a kernel-based Guest Introspection engine that does not require a dedicated VM to operate.
Is VMTools required for Identity Firewall (IDFW)?
The IDFW feature requires VMware Tools 11.x or higher to be installed on the guest VMs.
What are the use cases for Layer 7 Firewalling?
The common use case for Layer 7 Firewalling is to allow granular inspection of traffic inside a given port or protocol. This is frequently used to detect and prevent unauthorized traffic from using commonly allowed ports and protocols. It is also used to ensure specific encryption protocols are used for secure traffic.
Does the Layer 7 Firewalling feature have pre-configured application definitions?
The Layer 7 Firewalling feature has more than 70 pre-configured application definitions based on commonly used enterprise applications, enabling fast deployment of the feature.
Is it possible to define a custom application in the Layer 7 Firewall?
The Layer 7 Firewall uses Context Profiles to define applications. The ability to add custom profiles is available.
What are the use cases for Fully Qualified Domain Name (FQDN) filtering?
The common use cases for FQDN filtering include restricting access to unauthorized URLs or conversely restricting access to specific authorized URLs.
Does the Fully Qualified Domain Name (FQDN) filtering feature require DNS Snooping?
Yes. The FQDN Filtering feature uses DNS snooping on the Distributed Firewall (DFW) to observe and track the DNS lookups made by guests and map each name to the addresses returned. Only lookups the DFW can observe can be matched, so guests must resolve names through DNS traffic visible to the DFW; a guest that connects directly by IP address, or resolves names over encrypted DNS the DFW cannot inspect, will not match an FQDN rule.
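The following is an added, stand-alone model of the DNS-snooping mechanism behind FQDN filtering, written for this FAQ section; it is not VMware's implementation. It shows how observed DNS answers turn an FQDN allow list into per-client, per-IP decisions, how answers expire with their TTL, and the fail-closed behaviour when no snooped answer exists for a destination (a client connecting by raw IP, or one that resolved the name somewhere the firewall could not see). The FQDNs, addresses and answers are constructed samples, and CNAME chains are not modelled.

```python
"""DNS-snooping model for FQDN allow-list filtering (added example, not VMware code)."""
from collections import defaultdict

# Constructed allow list: only these names may be reached from the protected guests.
ALLOWED_FQDNS = {"updates.example.com", "repo.example.com"}


class DnsSnooper:
    """Tracks A-record answers each client received and enforces an FQDN allow list."""

    def __init__(self):
        # client -> {ip: (fqdn, expires_at)}; kept per client so one guest's
        # resolution never authorizes a different guest.
        self.cache = defaultdict(dict)

    def observe(self, client, fqdn, answers, ttl, now):
        """Record the A-record answers seen in a DNS response delivered to `client`."""
        for ip in answers:
            self.cache[client][ip] = (fqdn, now + ttl)

    def decide(self, client, dst_ip, now):
        """Allow a new connection only if dst_ip was learned from an unexpired DNS
        answer for an allowed FQDN that this client actually received."""
        entry = self.cache[client].get(dst_ip)
        if entry is None:
            return "drop", "no snooped DNS answer for destination"   # fail closed
        fqdn, expires_at = entry
        if now > expires_at:
            return "drop", f"{fqdn} answer expired"
        if fqdn not in ALLOWED_FQDNS:
            return "drop", f"{fqdn} not in allow list"
        return "allow", fqdn


# Constructed sample DNS responses (client, name, answers, ttl, time observed).
SAMPLE_RESPONSES = [
    ("web-01", "updates.example.com", ["203.0.113.10"], 60, 0),
    ("web-01", "cdn.example.net", ["198.51.100.5"], 300, 20),
]

# Constructed sample connection attempts (client, destination, time).
SAMPLE_FLOWS = [
    ("web-01", "203.0.113.10", 10),    # allowed name, answer still fresh
    ("web-01", "203.0.113.10", 100),   # same destination after the 60 s TTL expired
    ("app-01", "203.0.113.10", 10),    # never resolved the name: direct-by-IP
    ("web-01", "198.51.100.5", 30),    # resolved, but name is not on the allow list
]


def run_sample():
    """Replay the constructed responses and flows; returns one decision per flow."""
    snooper = DnsSnooper()
    for client, fqdn, answers, ttl, seen_at in SAMPLE_RESPONSES:
        snooper.observe(client, fqdn, answers, ttl, seen_at)
    return [snooper.decide(client, dst, now) for client, dst, now in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, decision in zip(SAMPLE_FLOWS, run_sample()):
        print(flow, "->", decision)
```

The third flow is the practitioner's caveat in action: a guest that never sent a DNS query the firewall could see gets no allow decision even though the address belongs to an allowed name, so any client that hard-codes IPs or resolves over an encrypted channel the DFW cannot inspect must be handled by an ordinary IP-based rule.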
Is it possible to deactivate the Advanced Firewall Add-On?
The Advanced Firewall Add-On can be enabled or disabled by the user at any time.
What happens if I disable the Advanced Firewall Add-On?
If the Advanced Firewall Add-On is disabled, additional policy for Distributed IDS/IPS, FQDN Filtering, IDFW or Layer 7 firewalling cannot be added, and existing policy cannot be edited. Previously configured policy will still be enforced and is retained until deleted by the administrator.
What happens if I re-enable the Advanced Firewall Add-On?
If the Advanced Firewall Add-On is re-enabled, existing policy will become configurable.
Networking - SDDC Group Connectivity to Transit VPC
What is SDDC Group Connectivity to Transit VPC?
SDDC Group Connectivity to Transit VPC designs enable customers to take advantage of additional flexibility in VMware Cloud on AWS network topologies by providing the ability to configure static routes to control network traffic to external destinations.
What are the use cases for connecting a SDDC Group to a Transit VPC design?
Some common use cases for a Transit VPC design include:
- Security VPC where all traffic must be inspected before being routed to the Internet or on-premises
- Interconnecting different SDDC groups in the same region in either the same VMware Cloud Organization or different ones
- A temporary workaround for intra-region Transit Connect to AWS TGW peering
What are the requirements to use SDDC Group Connectivity to a Transit VPC?
The requirements to use SDDC Group Connectivity to a Transit VPC are:
- SDDC version 1.12(M12) or higher
- VMware Transit Connect
Are additional licenses required to use SDDC Group Connectivity to a Transit VPC?
No additional licenses are required.
Are there charges or fees to use SDDC Group Connectivity to a Transit VPC?
The normal VMware Transit Connect fee structure still applies, but there is no incremental cost to use SDDC Group Connectivity to a Transit VPC. Pricing information can be found on the VMware Cloud on AWS pricing page.
How do I configure SDDC Group Connectivity to a Transit VPC?
The configuration for SDDC Group Connectivity to a Transit VPC is performed at the SDDC Group level on a per-VPC attachment basis through a static route.
How many static routes can be configured on a VPC attachment?
100 static routes can be configured per VPC attachment. Please refer to VMware Cloud ConfigMax for current scale attributes.
Is it possible to configure a default route (0.0.0.0/0) as the static route?
Yes, a default route can be configured but should be done with a complete understanding of the connectivity to and from the SDDC as all traffic, including VMware ESXi host traffic, will follow the default route unless a more specific route exists.
Networking - Transit Connect Inter-Region
What is Transit Connect Inter-Region Support?
Transit Connect Inter-Region support enables customers to simply make VMware Cloud on AWS SDDCs in different regions members of an SDDC Group. This provides a consistent and simplified network topology while broadening the high speed, resilient interconnectivity between regions.
What are the use cases for Transit Connect Inter-Region?
Some common use cases for Transit Connect Inter-Region include:
• Inter-Region disaster recovery
Are additional licenses required to use Transit Connect Inter-Region?
No additional licenses are required to use the Transit Connect Inter-Region feature.
Are there charges or fees to use Transit Connect Inter-Region?
The normal VMware Transit Connect fee structure still applies, but there is no incremental cost to use Transit Connect Inter-Region. Pricing information can be found on the VMware Cloud on AWS pricing page.
Is Transit Connect Inter-Region available in all commercial regions?
Yes, Transit Connect Inter-Region is available in all AWS commercial regions where VMware Cloud is available.
Can I connect my customer-managed AWS Transit Gateway to the SDDC Group?
It is not possible to connect a customer-managed AWS Transit Gateway to the SDDC Group at this time.
Do all SDDCs that are members of the group need to be in the same VMware Cloud Organization?
Yes, all SDDCs that are members of the group need to be in the same VMware Cloud Organization.