Transit Connect – Understanding Networking and Security Configurations
VMware Transit Connect is a VMware Managed Transit Gateway (vTGW), which enables complex network topologies, including inter- and intra-Region SDDC connectivity, AWS VPC connections, and much more.
You deploy vTGW from the SDDC console through the SDDC groups feature, which lets customers manage multiple SDDCs and external AWS connectivity from one logical entity. SDDC groups are required to enable VMware Transit Connect. You can add just a single SDDC to a group – this action will trigger the creation of a vTGW.
To configure SDDC groups in the SDDC console, click on CREATE GROUP, as seen in the following screenshot:

Figure 6.47 – Creating a new SDDC group
Customers can select the SDDCs that need to be a part of the SDDC group in the wizard. In our example, we’ll provide the group with a descriptive name, add Enterprise-Customer-A and Enterprise-Customer-B SDDCs into the group, acknowledge the additional attachment and data transfer costs, and click on CREATE GROUP to continue with the group creation, as seen in the following screenshot:

Figure 6.48 – New SDDC group configuration
Information
All SDDCs must have non-overlapping management subnets to form an SDDC group. SDDCs can be located in different regions or in the same region when leveraging SDDC groups. For further details on data transfer costs and attachment costs, see https://aws.amazon.com/transit-gateway/pricing/.
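The non-overlapping management subnet requirement is easy to verify before creating a group. The following is an added example, not code from the book or from VMware: it takes a set of proposed SDDC management CIDRs (constructed sample values) and reports every pair that overlaps, which is exactly the condition that would stop the group from forming.

```python
import ipaddress
from itertools import combinations

# Constructed sample input: management subnets of SDDCs proposed for one group.
# These CIDRs are illustrative placeholders, not values from a real deployment.
SDDC_MGMT_SUBNETS = {
    "Enterprise-Customer-A": "10.2.0.0/16",
    "Enterprise-Customer-B": "10.3.0.0/16",
    "Enterprise-Customer-C": "10.2.128.0/20",   # sits inside A's /16, so it overlaps
}


def find_overlaps(subnets):
    """Return a list of (name1, name2) pairs whose management subnets overlap.

    strict=True makes ipaddress reject a CIDR whose host bits are set
    (for example 10.2.0.1/16), which catches typos early.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in subnets.items()}
    overlaps = []
    # Compare every unordered pair exactly once, in a deterministic order.
    for (name_a, net_a), (name_b, net_b) in combinations(sorted(nets.items()), 2):
        if net_a.overlaps(net_b):
            overlaps.append((name_a, name_b))
    return overlaps


def can_form_group(subnets):
    """True only when no two SDDCs share address space in their management subnets."""
    return not find_overlaps(subnets)


if __name__ == "__main__":
    for pair in find_overlaps(SDDC_MGMT_SUBNETS):
        print(f"overlap: {pair[0]} <-> {pair[1]}")
    print("group can be formed:", can_form_group(SDDC_MGMT_SUBNETS))
```

Run it against the real management CIDRs of the SDDCs you intend to group; an empty overlap list is the precondition the wizard expects.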
After the provisioning process is completed, Connectivity Status will show CONNECTED, as seen in the following screenshot:

Figure 6.49 – SDDC group configuration
Now the two SDDCs can route to one another through vTGW. You can view the routing table, including advertised and learned routes, in the Transit Connect section of the Networking tab:

Figure 6.50 – Transit Connect routing table
After the configuration has been done, routes between the SDDC subnets propagate automatically through vTGW. A route alone does not make the traffic flow, though: the gateway firewall of each SDDC still blocks it until firewall rules are explicitly added to allow the communication.
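The distinction between a route being present and a flow being permitted is worth seeing side by side. The following is an added example, not code from the book or from VMware or NSX: it models a learned route table and a simplified, first-match gateway firewall with an assumed implicit default deny, and shows that a flow between two SDDC workload segments fails with a route in place until an allow rule exists. All CIDRs, rule names and the rule representation are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One ordered gateway firewall rule (simplified: IPv4 source/destination only)."""
    name: str
    sources: tuple        # CIDR strings, or ("any",)
    destinations: tuple   # CIDR strings, or ("any",)
    action: str           # "ALLOW" or "DROP"


def _matches(ip, cidrs):
    return any(c == "any" or ip in ipaddress.ip_network(c) for c in cidrs)


def has_route(dst_ip, routes):
    """True if the destination falls inside any learned or advertised prefix."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(r) for r in routes)


def firewall_verdict(src_ip, dst_ip, rules):
    """First matching rule wins; if nothing matches, an implicit DROP applies.

    The implicit final deny is an assumption of this model, chosen to mirror a
    default-deny gateway policy.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _matches(src, rule.sources) and _matches(dst, rule.destinations):
            return rule.action, rule.name
    return "DROP", "implicit-default-deny"


def flow_status(src_ip, dst_ip, routes, rules):
    """Combine both checks: a flow works only when it is routed AND allowed."""
    if not has_route(dst_ip, routes):
        return "NO_ROUTE"
    action, _ = firewall_verdict(src_ip, dst_ip, rules)
    return "ALLOWED" if action == "ALLOW" else "BLOCKED_BY_FIREWALL"


# Constructed sample data (placeholders, not from a real SDDC):
# prefixes that SDDC A learns from SDDC B through vTGW.
LEARNED_ROUTES_SDDC_A = ["192.168.20.0/24", "10.3.0.0/16"]

# Before: the group exists and routes are learned, but no rule was added yet.
RULES_BEFORE = []

# After: one rule allowing A's workload segment to reach B's workload segment.
RULES_AFTER = [
    Rule("allow-A-to-B-workloads", ("192.168.10.0/24",), ("192.168.20.0/24",), "ALLOW"),
]

if __name__ == "__main__":
    for label, rules in (("before rule", RULES_BEFORE), ("after rule", RULES_AFTER)):
        print(label, flow_status("192.168.10.25", "192.168.20.40",
                                 LEARNED_ROUTES_SDDC_A, rules))
    print("no route  ", flow_status("192.168.10.25", "172.16.5.1",
                                    LEARNED_ROUTES_SDDC_A, RULES_AFTER))
```

The same reasoning applies when troubleshooting a real group: confirm the prefix in the Transit Connect routing table first, then check the CGW rules on both SDDCs, since each gateway evaluates its own policy.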
VMware Transit Connect has additional capabilities, such as connectivity to AWS VPC, TGW, and Direct Connect attachments; however, they are beyond the scope of this chapter.
Information
You can find further technical information on the VMware Cloud Tech Zone at https://vmc.techzone.vmware.com/resource/introduction-vmware-transit-gateway-vmware-cloud-aws#sddc-to-on-premises-alternate-design.
NSX security basic configuration
The NSX Edge firewall, also known as the Gateway Firewall in VMware Cloud on AWS, provides security for North/South traffic. There are two default Edge firewalls: the MGW firewall, and the CGW firewall. In addition, as we have seen in this chapter, each Tier-1 gateway manages its own firewall rules.