VMware Cloud on AWS
Networking and Security
08 January 2023
SDDC Version 1.20
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2017-2023 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
About VMware Cloud on AWS Networking and Security
1 NSX Networking Concepts
Features Supported with NSX
2 Configuring VMware Cloud on AWS Networking and Security Using NSX
Assign NSX Service Roles to Organization Members
SDDC Network Administration with NSX Manager
Open NSX Manager
Configure AWS Direct Connect Between Your SDDC and On-Premises Data Center
Set Up an AWS Direct Connect Connection
Configure Direct Connect to a Private Virtual Interface for SDDC Management and Compute Network Traffic
Configure Direct Connect to a Public Virtual Interface for Access to AWS Services
Specify the Direct Connect MTU
Configure a VPN Connection Between Your SDDC and On-Premises Data Center
Create a Route-Based VPN
Create a Policy-Based VPN
Configure a Layer 2 VPN and Extended Network Segment
View VPN Tunnel Status and Statistics
IPsec VPN Settings Reference
Configure Management Gateway Networking and Security
Set vCenter Server FQDN Resolution Address
Set HCX FQDN Resolution Address
Add or Modify Management Gateway Firewall Rules
Configure Compute Gateway Networking and Security
Create or Modify a Network Segment
Add or Modify Compute Gateway Firewall Rules
Add or Modify Distributed Firewall Rules
Configure DNS Services
View Routes Learned and Advertised over VMware Transit Connect
View Statistics and Manage Settings for Uplinks
Add a Tier-1 Gateway
Connect a VPN to a Tier-1 Gateway
Configure a Multi-Edge SDDC With Traffic Groups
Enable AWS Managed Prefix List Mode for the Connected Amazon VPC
Working With Inventory Groups
Add a Management Group
Add or Modify a Compute Group
Add a Custom Service
View Virtual Machine Inventory
About Context Profiles
Managing Workload Connections
Attach a VM to or Detach a Workload VM from a Compute Network Segment
Request or Release a Public IP Address
Create or Modify NAT Rules
Creating Firewall Rules to Manage Traffic Between the Compute and Management Networks
3 Configure Monitoring and Troubleshooting Features
Configure IPFIX
Configure Port Mirroring
View Connected VPC Information and Troubleshoot Problems With the Connected VPC
4 About NSX Advanced Firewall Features
About VMware Cloud on AWS Networking and Security
The VMware Cloud on AWS Networking and Security guide provides information about
configuring NSX networking and security for VMware Cloud on AWS.
Intended Audience
This information is intended for anyone who wants to use VMware Cloud on AWS to create an
SDDC that has the networking and security infrastructure necessary to migrate workloads off
premises and run them securely in the cloud. It was written for readers who have used vSphere in
an on-premises environment and are familiar with the fundamentals of IP networking using NSX
or another networking solution. In-depth knowledge of vSphere or Amazon Web Services is not
required.
1 NSX Networking Concepts
VMware Cloud on AWS uses NSX to create and manage SDDC networks. NSX provides an agile
software-defined infrastructure to build cloud-native application environments.
The VMware Cloud on AWS Networking and Security guide explains how to use the VMware Cloud
Console Networking & Security tab to manage your SDDC networks. Beginning with SDDC
version 1.16, you can also use the NSX Manager Web UI to manage these networks. NSX Manager
supports a superset of the features found o
This document was uploaded and shared by SC on 2023-03-04 11:18:05.