VMware Cloud Director service - Managed Service Provider
This reference architecture details how a Managed Service Provider can deploy VMware Cloud Director service with VMware Cloud on AWS to host multi-tenant workloads. All of the networking information depicted is provided as generic examples and can be customized for the provider’s need.
Provider connectivity is touched on but will be covered more extensively in the asset heavy reference architecture. While provider use of IPsec VPN (preferably route-based) is shown, Amazon Direct Connect can also be used between Provider on-prem datacenter and VMC on AWS. When using policy-based VPN, subnets must be declared on both sides during the setup.
One tunnel is created per subnet. It is recommended to use large subnets. When using route-based VPN, subnets are automatically advertised through BGP. BGP configuration is mandatory, no static route can be configured on VMC side.
Tenant connectivity for workload access takes a bit more setup since the NSX-T environment used in VMware Cloud on AWS does not include an SSL VPN feature like NSX-V did. A provider will need to deploy a VPN server in the tenant Org and configure it for tenant access by assigning a public IP in VMC. Otherwise, the tenant access to workloads will be limited to the tenant portal VM console.
Internet connectivity for workload and tenant access is enabled when the provider creates allow rules on the Compute Gateway to allow inbound and outbound traffic from Tier-1 Gateways. Once that is open, the Tier-1 Gateway firewall rules will govern access to tenant workloads. NAT Rules for required for inbound workload and tenant access. The provider will allocate public IPs in VMC console and NAT to the external network IP of the tenant. The Tier-1 Gateway will then provide NAT of the external IP to the internal IP of the tenant segment.
The VPC connectivity feature of VMware Cloud on AWS allows the provider to expose services leveraging Amazon Native Services (EC2 & RDS Instances, S3 Buckets, EFS, etc.) to tenants. The provider allows access to and from VPC subnets and External Network segments in the Compute Gateway and through Security Groups in the connected VPC. An example is provided where Tenant A’s web service can access a provider hosted RDS instance.
Any infrastructure VMs that the provider needs to host in the VMware Cloud on AWS SDDC instance are deployed behind the Compute Gateway which allows the provider to control access to the services provided. Deploying infrastructure VMs inside VMC is recommended to provide reliability and performance to application workloads.
Usual infrastructure services include Active Directory, DNS and Backup.
Speaking of DNS services, tenant workloads should be configured to use the Tier-1 Gateway DNS. A provider can configure Tier-1 Gateway DNS forwarder to use a custom DNS server.