VMware Cloud On AWS - Fundamentals


MODULE 1 - SET UP THE SDDC

To begin, we will create a new VPC via the AWS console:

Create your native AWS VPC

1. Click on the AWS bookmark
2. Click the IAM user name field
3. Type [email protected]
4. Click the Password field
5. Type VMware1!
6. Click Sign In
7. Click the Find Services search box
8. Type vpc
9. Click VPC
10. Click the VPCs link
11. Click Create VPC in the top menu bar
12. Click the Name tag field
13. Type VSLAB-VPC
14. Click the IPv4 CIDR block field
15. Type 172.20.0.0/16
16. Click Create
17. Click Close

After the VPC is created, we need to create one or more subnets in order to provide a range of IP addresses that will be assigned to the VPC. We navigate to the Subnets section of AWS to do this.

We will be creating 3 separate subnets that will be assigned to three Availability Zones (AZs) in the US-West-2 AWS Region.

Notice that the subnets are a subset of the VPC CIDR block.

Create Subnets

1. Click Subnets on the left-hand menu
2. Click Create subnet on the top menu bar
3. Click the Name tag field
4. Type 172.20.1.0-US-WEST-2A
5. Click the VPC dropdown listbox
6. Click the VSLAB-VPC entry
7. Click the Availability Zone dropdown listbox
8. Click us-west-2a
9. Click the IPv4 CIDR block field
10. Type 172.20.1.0/24
11. Click Create
12. Click Close
13. Click Create subnet
14. Click the Name tag field
15. Type 172.20.2.0-US-WEST-2B
16. Click the VPC dropdown listbox
17. Click the VSLAB-VPC entry
18. Click the Availability Zone dropdown listbox
19. Click us-west-2b
20. Click the IPv4 CIDR block field
21. Type 172.20.2.0/24
22. Click Create
23. Click Close
24. Click Create subnet
25. Click the Name tag field
26. Type 172.20.3.0-US-WEST-2C
27. Click the VPC dropdown listbox
28. Click the VSLAB-VPC entry
29. Click the Availability Zone dropdown listbox
30. Click us-west-2c
31. Click the IPv4 CIDR block field
32. Type 172.20.3.0/24
33. Click Create
34. Click Close

The next step is to create an Internet Gateway. This VPC component allows communication between instances in your VPC and the internet.

It provides a target in the VPC route tables for internet-routable traffic, and it also performs network address translation (NAT) for virtual machines that don't have a public IP address assigned.

After its creation, we will attach it to the VPC.

Create Internet Gateway

1. Click Internet Gateways on the left-hand menu
2. Click Create Internet gateway on the top menu bar
3. Click the Name tag field
4. Type VSLAB-IGW
5. Click Create
6. Click Close
7. Click the Actions dropdown
8. Click Attach to VPC
9. Click  the VPC dropdown listbox
10. Click the VSLAB-VPC entry
11. Click Attach

Endpoints - A VPC Endpoint enables us to privately and securely connect the VPC to AWS services without going over the internet.

Create Endpoint

1. Click Endpoints on the left-hand menu
2. Click Create Endpoint on the top menu bar
3. Click the scrollbar
4. Click the radio button next to com.amazonaws.us-west-2.s3
5. Click the scrollbar
6. Click the VPC dropdown listbox
7. Click the VSLAB-VPC entry
8. Click the scrollbar
9. Click the checkbox next to rtb.08836df7e3546a692
10. Click the scrollbar
11. Click Create endpoint
12. Click Close

Next, we will associate the three Subnets previously created with the VPC's Main Route Table. The Route Table contains a set of rules, called routes, that are used to determine where network traffic is directed.

We will also add a custom route with a destination of 0.0.0.0/0 and set its target to the Internet Gateway created in a prior step. This effectively makes these subnets public.

Associate Subnets to Route Table

1. Click Route Tables on the left-hand menu
2. Click on the right-most icon on the Route Table summary
3. Click the Subnet Associations tab
4. Click Edit subnet associations
5. Click the topmost checkbox to select all three subnets
6. Click Save
7. Click Add route
8. Click the Destination field
9. Type 0.0.0.0/0
10. Click on the Target dropdown listbox
11. Click Internet Gateway
12. Click the VSLAB-IGW entry
13. Click Save routes
14. Click Close
15. Click Your VPCs on the left-hand menu

Now that the AWS VPC and all other required components and configurations are finished, we will sign in to the VMware Cloud Services console to deploy our SDDC.

Steps 19 through 24 below will take us back to the AWS Console to make the required permissions changes.

Create an SDDC on VMware Cloud on AWS

1. Click the + to open a new browser tab
2. Click the VMware Cloud Services | Discovery bookmark
3. Click the X to close the VPC Management Console
4. Click the Email address field
5. Type [email protected]
6. Click NEXT
7. Click the Password field
8. Type VMware1!
9. Click SIGN IN
10. Click on the X to close the chat window
11. Click VMware Cloud on AWS
12. Click on the X to close the chat window
13. Click CREATE SDDC
14. Click the AWS radio button
15. Click the AWS Region dropdown
16. Click US West (Oregon)
17. Click the Multi-Host radio button
18. Click the SDDC Name field
19. Type VSLAB-SDDC
20. Click the Number of Hosts dropdown listbox
21. Click 3
22. Click NEXT
23. Click OPEN AWS CONSOLE WITH CLOUDFORMATION TEMPLATE
24. Click the scrollbar
25. Click the checkbox next to I acknowledge that AWS CloudFormation might create IAM resources
26. Click the scrollbar
27. Click Create
28. Click the X to close the tab after the status changes to CREATE_COMPLETE
29. Click the scrollbar
29. Click the scrollbar
30. Click NEXT
31. Click NEXT
32. Click the Choose a VPC dropdown listbox
33. Click vpc-088b7b1ae219fe46b (172.20.0.0/16)
34. Click the Choose a subnet dropdown listbox
35. Click 172.20.1.0-US-WEST-2A (172.20.1.0/24, us-west-2a)
36. Click NEXT
37. Click the Management Subnet field
38. Type 10.2.0.0/16
39. Click NEXT
40. Click the checkbox to acknowledge when charges begin
41. Click the checkbox to acknowledge the per-host pricing
42. Click DEPLOY SDDC

At this point, we have our first 3-Node SDDC in the US-West-2 Region.

We will now proceed to add a couple of users to the environment and assign them permissions.

Add Users

1. Click the icon in the top right corner
2. Click Identity & Access Management
3. Click ADD USERS
4. Click the entry field under Email Addresses
5. Type [email protected], and jim_gutierezz@vmware.com
6. Click the scrollbar
7. Click the Assign Organization Roles dropdown listbox
8. Click Organization Owner
9. Click the scrollbar
10. Click Add Service Access
11. Click the with roles dropdown listbox
12. Click the checkbox next to Administrator (Delete Restricted)
13. Click the checkbox next to Administrator to deselect it
14. Select the checkbox next to NSX Cloud Admin
15. Select the checkbox next to NSX Cloud Auditor
16. Click DONE (3)
17. Click ADD

Lastly, we will add a host to our existing SDDC to increase capacity. 

Add a Host to the SDDC

1. Click Services
2. Click VMware Cloud on AWS 
3. Click VSLAB-SDDC
4. Click ADD HOST
5. Click the Number of Hosts to Add dropdown listbox
6. Click 1
7. Click the scrollbar
8. Click ADD HOSTS
9. Click the browser refresh button and note the Successfully added host(s) message in the top right

To return to the lab, click the link in the top right corner or close this browser tab.

MODULE 2 - CONFIGURE SDDC NETWORKING AND SECURITY

The orange boxes show where to click, and the left and right arrow keys can also be used to move through the simulation in either direction.

Create Network Segments for the SDDC

Network segments are logical networks for use by workload VMs in the SDDC.

VMware Cloud on AWS supports three types of logical network segments: routed, extended and disconnected.

- A routed network segment (the default type) has connectivity to other logical networks in the SDDC and, through the SDDC firewall, to external networks.
- An extended network segment extends an existing L2VPN tunnel, providing a single IP address space that spans the SDDC and an on-premises network.
- A disconnected network segment has no uplink and provides an isolated network accessible only to VMs connected to it.

We will create three routed network segments for our Web Tier, App Tier, and Database Tier.

1. Click on VSLAB-SDDC to view the details for the SDDC.
2. Click Networking & Security
3. Click Segments
4. Click ADD SEGMENTS
5. Click the Name field
6. Type WEB-172-18-200
7. Click the Gateway/Prefix Length field
8. Type 172.18.200.1/24
9. Click SAVE
10. Click ADD SEGMENTS
11. Click the Name field
12. Type APP-172-18-201
13. Click the Gateway/Prefix Length field
14. Type 172.18.201.1/24
15. Click SAVE
16. Click ADD SEGMENTS
17. Click the Name field
18. Type DB-172-18-202
19. Click the Gateway/Prefix Length field
20. Type 172.18.202.1/24
21. Click SAVE
22. Click Overview in the left-hand menu
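
As an added check that is not part of the lab, the following Python validates the address plan built so far: the Module 1 VPC 172.20.0.0/16 with its three per-AZ /24 subnets, the SDDC management CIDR 10.2.0.0/16 entered at deployment, the three routed segments created above, and the on-premises range 172.16.0.0/16 that the later VPN and management-group steps use. It confirms each subnet sits inside the VPC CIDR, that the subnets use distinct Availability Zones, and that none of the ranges overlap; all ranges and names are copied from the lab steps.

```python
import ipaddress
from itertools import combinations

# Address plan taken from the lab steps: the Module 1 VPC and its per-AZ subnets,
# the SDDC management CIDR entered during deployment, the three routed segments
# created above, and the on-premises range used by the later VPN and group steps.
VPC_CIDR = "172.20.0.0/16"
VPC_SUBNETS = {
    "172.20.1.0-US-WEST-2A": ("172.20.1.0/24", "us-west-2a"),
    "172.20.2.0-US-WEST-2B": ("172.20.2.0/24", "us-west-2b"),
    "172.20.3.0-US-WEST-2C": ("172.20.3.0/24", "us-west-2c"),
}
OTHER_RANGES = {
    "SDDC management subnet": "10.2.0.0/16",
    "On-Prem": "172.16.0.0/16",
    "WEB-172-18-200": "172.18.200.0/24",
    "APP-172-18-201": "172.18.201.0/24",
    "DB-172-18-202": "172.18.202.0/24",
}


def validate_plan(vpc_cidr, vpc_subnets, other_ranges):
    """Return a list of problems found; an empty list means the plan is clean."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = {n: (ipaddress.ip_network(c), az) for n, (c, az) in vpc_subnets.items()}
    others = {n: ipaddress.ip_network(c) for n, c in other_ranges.items()}

    # 1. Each VPC subnet must be carved out of the VPC CIDR (the lab's
    #    "subnets are a subset of the VPC CIDR block" remark).
    for name, (net, _) in subnets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is not inside VPC {vpc}")

    # 2. The lab spreads the subnets over three Availability Zones; flag reuse.
    azs = [az for _, az in subnets.values()]
    for az in sorted(set(azs)):
        if azs.count(az) > 1:
            problems.append(f"availability zone {az} is used by more than one subnet")

    # 3. VPC subnets must not overlap each other.
    for (a_name, (a, _)), (b_name, (b, _)) in combinations(subnets.items(), 2):
        if a.overlaps(b):
            problems.append(f"{a_name} ({a}) overlaps {b_name} ({b})")

    # 4. The VPC as a whole, the management CIDR, the segments and the on-prem
    #    range must all be disjoint, otherwise routing between them is ambiguous.
    named = [(f"VPC {vpc}", vpc)] + list(others.items())
    for (a_name, a), (b_name, b) in combinations(named, 2):
        if a.overlaps(b):
            problems.append(f"{a_name} ({a}) overlaps {b_name} ({b})")
    return problems


if __name__ == "__main__":
    for line in validate_plan(VPC_CIDR, VPC_SUBNETS, OTHER_RANGES) or ["plan is clean"]:
        print(line)
```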

Create a Policy Based IPsec VPN

A policy-based VPN creates an IPsec tunnel and a policy that specifies how traffic uses it. When you use a policy-based VPN, you must update the routing tables on both ends of the network when new routes are added.

A route-based VPN creates an IPsec tunnel interface and routes traffic through it as dictated by the SDDC routing table. A route-based VPN provides resilient, secure access to multiple subnets. When you use a route-based VPN, new routes are added automatically when new networks are created.

1. Click the arrow next to VPN in the left-hand menu
2. Click Policy Based
3. Click ADD VPN
4. Click the Name field
5. Type VSLAB-VPN
6. Click the Remote Public IP field
7. Type 66.170.110.67
8. Click the Remote Private IP field
9. Type 66.170.110.67
10. Click the Remote Networks field
11. Type 172.16.0.0/16
12. Click the Local Networks field 
13. Click the scroll bar
14. Click the Infrastructure Subnet
15. Click the outer vertical scroll bar 
16. Click the Tunnel Digest Algorithm dropdown listbox
17. Click SHA 1
18. Click the IKE Digest Algorithm dropdown listbox
19. Click SHA 1
20. Click the IKE Type dropdown listbox
21. Click IKE V1
22. Click the Preshared Key field
23. Type 4P6zKzoDRon
24. Click the horizontal scroll bar
25. Click the inner vertical scroll bar
26. Click SAVE
27. Click the Refresh icon to see the Status change to Up
28. Click the horizontal scroll bar
29. Click Overview in the left-hand menu and note the newly created VPN

Configure Direct Connect

If traffic between your on-premises network and your SDDC requires higher speeds and lower latency than you can achieve with a connection over the public Internet, you can configure VMware Cloud on AWS to use AWS Direct Connect.

AWS Direct Connect (DX) provides a dedicated network connection between your on-premises network infrastructure and a virtual interface (VIF) in your AWS VPC. DX supports two kinds of virtual interfaces:

A private VIF enables access to your AWS Virtual Private Cloud (VPC).

A public VIF enables access to services such as Amazon EC2 and S3.

Configure DX over a private VIF to carry workload and management traffic, including VPN and vMotion, between your on-premises data center and your connected VPC. Configure DX over a public VIF if you need to connect to AWS public endpoints such as EC2 and S3. You can route VPN traffic over either kind of VIF to provide additional data security.

Private and Public VIFs

A DX connection over a private VIF can be used for all traffic between your on-premises data center and your SDDC. It terminates in your connected Amazon VPC, provides a private IP address space, and uses BGP to advertise routes in your SDDC and learn routes in your on-premises data center.

A DX connection over a public VIF is typically used only for traffic between
your on-premises data center and public AWS services, which you cannot
access over a private VIF. It terminates at the AWS region level in the region
occupied by your connected Amazon VPC, and uses BGP to advertise AWS
global routes.

1. Click the vertical scroll bar in the left-hand menu tree
2. Click Direct Connect
3. Click the inner vertical scroll bar
4. Click the horizontal scroll bar
5. Click ATTACH next to the VSLAB-SDDC-VIF01 Virtual Interface
6. Click the checkbox next to the data transfer charges acknowledgment
7. Click SAVE
8. Click ATTACH next to the VSLAB-SDDC-VIF02 Virtual Interface
9. Click the checkbox next to the data transfer charges acknowledgment
10. Click SAVE
11. Click the horizontal scroll bar
12. Click the vertical scroll bar in the left-hand menu tree and note that
the Overview shows that 1 VPN and 2 Direct Connect VIFs have been
configured

Disable the IPsec VPN

Because we have configured Direct Connect, we can disable the IPsec VPN that we created earlier, since we will use DX for all traffic.

1. Click the arrow next to VPN in the left-hand menu
2. Click Policy Based
3. Click the vertical ellipsis next to VSLAB-VPN
4. Click Disable VPN and note the Status changes to Disabled

Create Management Gateway Firewall Rule for vCenter

By default, all communication into the VMware Cloud on AWS SDDC is blocked. We will create a firewall rule to allow access to the vCenter for the SDDC.

1. Click Gateway Firewall
2. Click ADD NEW RULE to add a Management Gateway firewall rule
3. Click the Name field
4. Type vCenter Inbound Rule
5. Click Set Source
6. Click SAVE to accept the default of Any
7. Click Set Destination
8. Click the radio button next to vCenter
9. Click the vertical scroll bar
10. Click SAVE
11. Click the Services field
12. Click HTTPS
13. Click SSO
14. Click ICMP
15. Click PUBLISH

Create a Management Group

Inventory groups categorize VMs based on VM names, IP addresses, and matching criteria of VM name and tag. You use inventory groups to specify sources and destinations when you create firewall rules, and to simplify managing workload VMs that require similar configurations.

VMC Networking & Security inventory groups, like AWS Security Groups, give you a way to create named groups of management or workload VMs that you can reference in firewall rules.

Management groups contain VMs on the Management Network. Workload groups contain VMs on the Compute network. We will create a management group for our on-prem VMs.

1. Click Groups
2. Click Management Groups
3. Click ADD GROUP
4. Click the Name field
5. Type On-Prem
6. Click the Members field
7. Type 172.16.0.0/16
8. Click SAVE

Create Management Gateway Firewall Rules

By default, the management gateway blocks traffic to all destinations from all sources. Management Gateway firewall rules must be created to allow traffic.

We will create management gateway firewall rules to allow traffic from on-
prem to the SDDC's ESXi management, NSX-T, and vCenter Server.

1. Click Gateway Firewall
2. Click ADD NEW RULE to add a Management Gateway firewall rule
3. Click the Name field
4. Type Prem-to-NSX
5. Click Set Source
6. Click the radio button next to User Defined Groups
7. Click the check box next to On-Prem
8. Click the scroll bar
9. Click SAVE
10. Click Set Destination
11. Click the radio button next to NSX Manager
12. Click the outer vertical scroll bar
13. Click SAVE
14. Click the Services field
15. Click HTTPS
16. Click ADD NEW RULE
17. Click the Name field
18. Type Prem-to-ESXi
19. Click Set Source
20. Click the radio button next to User Defined Groups
21. Click the check box next to On-Prem
22. Click the scroll bar
23. Click SAVE
24. Click Set Destination
25. Click the radio button next to ESXi
26. Click the outer scroll bar
27. Click SAVE
28. Click the Services field
29. Click Provisioning and Remote Console
30. Click vMotion
31. Click HTTPS
32. Click ICMP
33. Click ADD NEW RULE
34. Click the Name field
35. Type Prem-to-vCenter
36. Click Set Source
37. Click the radio button next to User Defined Groups
38. Click the check box next to On-Prem
39. Click the scroll bar
40. Click SAVE
41. Click Set Destination
42. Click the radio button next to vCenter
43. Click the outer scroll bar
44. Click SAVE
45. Click the Services field
46. Click HTTPS
47. Click SSO
48. Click ICMP
49. Click PUBLISH
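
As an added illustration, not part of the lab, the following Python models the management gateway's default-deny behaviour using the rules from this module: the earlier vCenter Inbound Rule (source Any) beside the three On-Prem-restricted rules created above, evaluated against a few constructed flows. Rule names, groups and services are taken from the lab steps; the sample source addresses and the SSH flow are constructed for the comparison.

```python
import ipaddress

# Inventory groups from the lab: the user-defined "On-Prem" management group and
# the gateway's "Any" source. Destinations are the predefined system groups
# (vCenter, ESXi, NSX Manager) that the management gateway offers.
GROUPS = {
    "On-Prem": ["172.16.0.0/16"],
    "Any": ["0.0.0.0/0"],
}

# The first rule created in this module: vCenter reachable from any source.
VCENTER_ANY_RULE = [
    {"name": "vCenter Inbound Rule", "source": "Any", "destination": "vCenter",
     "services": {"HTTPS", "SSO", "ICMP"}},
]

# The three rules created above, all restricted to the On-Prem group.
ON_PREM_RULES = [
    {"name": "Prem-to-NSX", "source": "On-Prem", "destination": "NSX Manager",
     "services": {"HTTPS"}},
    {"name": "Prem-to-ESXi", "source": "On-Prem", "destination": "ESXi",
     "services": {"Provisioning and Remote Console", "vMotion", "HTTPS", "ICMP"}},
    {"name": "Prem-to-vCenter", "source": "On-Prem", "destination": "vCenter",
     "services": {"HTTPS", "SSO", "ICMP"}},
]


def in_group(ip, group):
    """True if the address falls in any CIDR of the named inventory group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in GROUPS[group])


def evaluate(rules, src_ip, destination, service):
    """Return the name of the first rule that allows the flow, or None.

    None models the management gateway's default: with no matching rule the
    traffic is blocked.
    """
    for rule in rules:
        if (rule["destination"] == destination
                and service in rule["services"]
                and in_group(src_ip, rule["source"])):
            return rule["name"]
    return None


# Constructed sample flows: an on-premises host and an internet host
# (203.0.113.7 is a documentation address, not a real peer).
SAMPLE_FLOWS = [
    ("172.16.10.5", "vCenter", "HTTPS"),
    ("172.16.10.5", "NSX Manager", "HTTPS"),
    ("172.16.10.5", "ESXi", "vMotion"),
    ("172.16.10.5", "ESXi", "SSH"),
    ("203.0.113.7", "vCenter", "HTTPS"),
]


def compare(flows):
    """Map each flow to the rule hit under the Any-source rule vs the On-Prem rules."""
    return {
        flow: (evaluate(VCENTER_ANY_RULE, *flow), evaluate(ON_PREM_RULES, *flow))
        for flow in flows
    }


if __name__ == "__main__":
    for flow, (any_hit, prem_hit) in compare(SAMPLE_FLOWS).items():
        print(f"{flow}: Any-source rule -> {any_hit or 'blocked'}; "
              f"On-Prem rules -> {prem_hit or 'blocked'}")
```

The internet-side flow to vCenter is the one the two rule sets disagree on, which is why scoping the source to the On-Prem group is the tighter configuration.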

Create Compute Gateway Firewall Rules

By default, the compute gateway blocks traffic to all uplinks. Compute Gateway firewall rules must be created to allow traffic. Compute Gateway firewall rules require named inventory groups for Source and Destination values.

We will create a compute gateway firewall rule to allow traffic over AWS Direct
Connect (private VIF).

1. Click Compute Gateway
2. Click ADD NEW RULE
3. Click the Name field
4. Type DX-to-Compute
5. Click Set Source
6. Click the scroll bar
7. Click the checkbox next to DirectConnect Prefixes
8. Click the scroll bar
9. Click SAVE
10. Click Set Destination
11. Click the checkbox next to Any
12. Click the scroll bar
13. Click SAVE
14. Click the Set Service field
15. Click the checkbox next to Any
16. Click the outer scroll bar
17. Click SAVE
18. Click PUBLISH

L2VPN Setup and Configuration

A VMware Cloud on AWS extended network uses a layer 2 Virtual Private Network (L2VPN) to extend an on-premises network to multiple VLAN based networks that can be extended with different tunnel IDs on the same L2VPN tunnel. This extended network is a single subnet with a single broadcast domain, so you can migrate VMs to and from your cloud SDDC without having to change their IP addresses.

An L2VPN on the Compute Gateway can extend up to 100 of your on-premises networks. VMware Cloud on AWS uses NSX-T to provide the L2VPN server in your cloud SDDC. L2VPN client functions can be provided by a standalone NSX Edge that you download and deploy into your on-premises data center.

The VMware Cloud on AWS L2VPN feature supports extending VLAN networks. The L2VPN connection to the NSX-T server uses an IPsec tunnel. The L2VPN extended network is used to extend Virtual Machine networks and carries only workload traffic. It is independent of the VMkernel networks used for migration traffic (ESXi management or vMotion), which use either a separate IPsec VPN or a Direct Connect connection.

Configure vDS Port Groups

We will add a distributed uplink port group to the vSphere Distributed Switch and add a distributed trunk port group to the vSphere Distributed Switch.

For detailed instructions see: Download and Configure the Standalone NSX Edge

1. Click to continue
2. Click the network icon
3. Click vDS-Mgmt
4. Click ACTIONS
5. Click Distributed Port Group
6. Click New Distributed Port Group
7. Click the Name field 
8. Hit Enter to paste VSLAB-L2VPN-PublicPG 
9. Click NEXT
10. Click the VLAN type dropdown listbox
11. Click VLAN
12. Click the VLAN ID field
13. Type 1631
14. Click NEXT
15. Click FINISH
16. Click ACTIONS
17. Click Distributed Port Group
18. Click New Distributed Port Group
19. Click the Name field
20. Hit Enter to paste VSLAB-L2VPN-TrunkPG
21. Click NEXT
22. Click the VLAN type dropdown listbox
23. Click VLAN trunking
24. Click the VLAN trunk range field
25. Type 1606
26. Click the checkbox next to Customize default policies configuration
27. Click NEXT
28. Click the Forged transmits dropdown listbox
29. Click Accept
30. Click NEXT
31. Click NEXT
32. Click NEXT
33. Click NEXT
34. Click NEXT
35. Click NEXT
36. Click FINISH
37. Click the scroll bar
38. Click the scroll bar to expand it
39. Click VSLAB-L2VPN-TrunkPG01
40. Click the scroll bar on the Ports table
41. Click the ellipsis under Name to see the details about the port group

If a standalone edge trunk vNIC is connected to a vSphere Distributed Switch, either promiscuous mode or a sink port is required for L2 VPN function. Using promiscuous mode can cause duplicate pings and duplicate responses. For this reason, use sink port mode in the L2 VPN standalone NSX Edge configuration.

It is also required to configure a sink port in the distributed trunk port group you created above. This has already been completed. For detailed instructions see: Configure a Sink Port

Configure Layer 2 VPN to Extend On-Premises Networks


In addition to data center migration, you can use an extended L2VPN network for disaster recovery, or for dynamic access to cloud computing resources as needed (often referred to as "cloud bursting").

We will create a layer 2 VPN, add an extended segment and install and
configure the NSX standalone edge.

1. Click to continue
2. Click VIEW DETAILS
3. Click Networking & Security
4. Click the arrow next to VPN
5. Click Layer 2
6. Click ADD VPN TUNNEL
7. Click the Local IP Address dropdown listbox
8. Click Private IP1 (10.2.192.13)
9. Click the Remote Public IP field  
10. Hit Enter to paste 172.16.31.199
11. Click SAVE
12. Click standalone edge
13. Click Copy link address
14. Click OK
15. Click the inner scroll bar
16. Click ADD EXTENDED SEGMENT
17. Click the Segment Name field
18. Type VLAN-1606
19. Click the Tunnel ID field
20. Type 1606
21. Click SAVE
22. Click DOWNLOAD CONFIG
23. Click YES
24. Click the L2Vpn_L2VPN_config.txt downloaded file
25. Click Format
26. Click Word Wrap
27. Click the text to highlight all of the text that needs to be copied (this will be copied to the clipboard)
28. Click the minimize button
29. Click the + to open a new browser window
30. Click the address bar
31. Hit Enter
32. Click the scroll bar
33. Click Download Now to download the NSX Standalone Edge Client
34. Click the X to close the browser window
35. Click File Explorer on the taskbar
36. Click Downloads folder
37. Click nsx-l2vpn-client-ovf-13281489.tar.gz to copy the NSX standalone edge client to VMC folder
38. Click New Volume (E:)
39. Click VMC
40. Click to paste the nsx-l2vpn-client-ovf-13281489.tar.gz file
41. Click nsx-l2vpn-client-ovf-13281489.tar.gz to open the NSX standalone edge client we downloaded
42. Click 7-Zip
43. Click Open archive
44. Click nsx-l2vpn-client-ovf-13...
45. Click on the selected files
46. Click Extract
47. Click the Copy to: field 
48. Type L2VPN-Edge-Client
49. Click OK
50. Click the X to close 7-Zip
51. Click L2VPN-Edge-Client
52. Click the empty space to paste the files
53. Click New
54. Click Folder 
55. Type NSX-l2t-client-xlarge and hit Enter
56. Click on the selected files to copy them
57. Click NSX-l2t-client-xlarge
58. Click the empty space to paste the files
59. Click L2VPN-Edge-Client
60. Click the selected files
61. Click NSX-l2t-client-xlarge
62. Click the empty space to paste the files
63. Click the + to open a new browser window
64. Click the address bar 
65. Type sc2vc01
66. Click s2vc01.vslab.local
67. Click vSphere Client (HTML5) - partial functionality
68. Click the User name field
69. Type [email protected]
70. Click the Password field
71. Type VMware1!
72. Click Login
73. Click the double down arrows to close the Recent Tasks
74. Click the arrow next to SC2
75. Click the arrow next to Management
76. Click Management
77. Click ACTIONS
78. Click Deploy OVF Template...
79. Click the radio button next to Local file
80. Click Choose Files
81. Click NSX-l2t-client-xlarge
82. Click the selected files
83. Click Open
84. Click NEXT
85. Click the Virtual machine name field
86. Type VSLAB-SDDC-L2VPN-Client
87. Click NEXT
88. Click the arrow next to Management
89. Click NSX
90. Click NEXT
91. Click the scroll bar
92. Click NEXT
93. Click SC2MGMT03
94. Click NEXT
95. Click the Trunk dropdown listbox
96. Click VSLAB-L2VPN-TrunkPG
97. Click the Public dropdown listbox
98. Click VSLAB-L2VPN-PublicPG
99. Click NEXT
100. Click the CLI "admin" User Password field
101. Hit Enter to paste the password
102. Click the CLI "admin" User Confirm Password field
103. Hit Enter to paste the password
104. Click the CLI "enable" User Password field
105. Hit Enter to paste the password
106. Click the CLI "enable" User Confirm Password field
107. Hit Enter to paste the password
108. Click the CLI "root" User Password field
109. Hit Enter to paste the password
110. Click the CLI "root" User Confirm Password field
111. Hit Enter to paste the password
112. Click the scroll bar
113. Click the IP Address field
114. Type 172.16.31.199
115. Click the Prefix Length field
116. Type 24
117. Click the Default Gateway field
118. Type 172.16.31.1
119. Click the scroll bar
120. Click the DNS IP Address field
121. Type 172.16.31.6
122. Click the scroll bar
123. Click the Egress Optimized IP Address field
124. Type 172.16.6.1
125. Click the Peer Address field
126. Hit Enter to paste 10.2.192.13
127. Click the Peer Code field
128. Click the Notepad on the taskbar
129. Click the selected text
130. Click Copy
131. Click the minimize button
132. Click the Peer Code field
133. Hit Enter to paste the text
134. Click the scroll bar
135. Click the Sub Interfaces VLAN (Tunnel ID) field
136. Type 1606(1606)
137. Click the scroll bar
138. Click the HA Index dropdown listbox
139. Click 0
140. Click the scroll bar
141. Click NEXT
142. Click FINISH
143. Click the double up arrows to open the Recent Tasks
144. Click the double down arrows to close the Recent Tasks
145. Click the arrow next to NSX
146. Click VSLAB-SDDC...
147. Click Power
148. Click Power On
149. Click the VMware Cloud on AWS SDDC browser tab
150. Click the Refresh button to see the Status change to Up
151. Click the Information button
152. Click the vSphere - VSLAB-SDDC-L2VPN browser tab
153. Click Launch Web Console
154. Click the login field 
155. Type admin and hit enter
156. Hit enter again
157. Type in command prompt show service l2vpn and hit enter
158. Type in command prompt enable and hit enter
159. Hit enter again
160. Type in command prompt conf t and hit enter 
161. Type in command prompt l2vpn and hit enter 
162. Type in command prompt show sub-interface and hit enter 
163. Type in command prompt show configuration l2vpn and hit enter
164. Type in command prompt quit and hit enter
165. Type in command prompt quit and hit enter
166.  Hit enter
167. Click the VMware Cloud on AWS SDDC browser tab
168. Click VIEW STATISTICS to view traffic statistics for the L2 VPN
169. Click the X to close the window

To return to the lab, click the link in the top right corner or close this browser tab.

MODULE 3 - DEPLOY A PRODUCTION VM

The orange boxes show where to click, and the left and right arrow keys can
also be used to move through the simulation in either direction.

Log In to the SDDC vCenter

1. Click Settings
2. Click Default vCenter User Account
3. Click the icon to copy the cloudadmin password
4. Click vSphere Client (HTML5)
5. Click the URL for the SDDC vCenter
6. Click the User ID field
7. Type [email protected]
8. Click the Password field
9. Hit Enter to paste the password you copied
10. Click LOGIN
11. Click the double down arrows to close the Recent Tasks window

Deploy a VM from a Template

Management and compute workloads use the resources of the SDDC. These workloads are separated into two different resource pools. All compute workload VMs must be created in the Compute Resource Pool and on the Workload Datastore.

1. Click SDDC-Datacenter
2. Click Cluster-1
3. Click Compute-ResourcePool
4. Click Deploy OVF Template
5. Click the radio button next to Local file
6. Click Choose Files
7. Click This PC
8. Click the scroll bar
9. Click the Data drive under Network locations
10. Click the VMs folder
11. Click the FIN-WEB-01 folder
12. Click to select all four files
13. Click Open
14. Click NEXT
15. Click NEXT to create the VM in the Workloads folder
16. Click NEXT to create the VM in the Compute-ResourcePool
17. Click NEXT
18. Click the Select virtual disk format dropdown listbox
19. Click Thin Provision
20. Click WorkloadDatastore
21. Click NEXT
22. Click the Destination Network field
23. Click WEB-172-18-200
24. Click NEXT
25. Click FINISH
26. Click Compute-ResourcePool
27. Click the double up arrows to open the Recent Tasks window and
note the Deploy OVF Template task executing

Create a vSAN Storage Policy

vSAN storage policies define storage requirements for your virtual machines. These policies guarantee the required level of service for your VMs because they determine how storage is allocated to the VM.

VMware Cloud on AWS includes two vSAN datastores, one for the management VMs (vsanDatastore) and one for the workload VMs (WorkloadDatastore). Both datastores share the same underlying storage devices and consume from the same pool of free space.

Each virtual machine deployed to a vSAN datastore is assigned at least one virtual machine storage policy. You can assign storage policies when you create or edit virtual machines. For further documentation about storage policies in VMware Cloud on AWS, see vSAN Policies.

We will create a RAID 5 storage policy for our database VMs.

1. Click to continue
2. Click Menu
3. Click Policies and Profiles
4. Click VM Storage Policies
5. Click Create VM Storage Policy
6. Click the Name field
7. Type Compute - DB - RAID 5
8. Click NEXT
9. Click the checkbox next to Enable rules for "vSAN" storage
10. Click NEXT
11. Click the dropdown list box for Failures to tolerate
12. Click 1 failure - RAID-5 (Erasure Coding)
13. Click Advanced Policy Rules
14. Click the dropdown list box for Number of disk stripes per object
15. Click 2
16. Click NEXT
17. Click NEXT
18. Click FINISH

Assign a Storage Policy to a VM

We will assign the storage policy we created to our two database VMs.

1. Click vSphere Client
2. Click Hosts and Clusters
3. Click FIN-DB-01
4. Click VM Policies
5. Click Edit VM Storage Policies
6. Click the dropdown list box for VM storage policy
7. Click Compute - DB - RAID 5
8. Click OK
9. Click SHAREPOINT-DB-01
10. Click VM Policies
11. Click Edit VM Storage Policies
12. Click the dropdown list box for VM storage policy
13. Click Compute - DB - RAID 5
14. Click OK

Create Categories and Tags

Tags and attributes allow you to attach metadata to objects in the vSphere inventory to make it easier to sort and search for these objects. A tag is a label that you can apply to objects in the vSphere inventory. When you create a tag, you assign that tag to a category. Categories allow you to group related tags together.

For vSphere Tags and Attributes, VMware Cloud on AWS supports the same set of tasks as an on-premises SDDC. Tags and categories can span multiple vCenter Server instances. When you use Hybrid Linked Mode, tags and tag categories are maintained across your linked domain. That means the on-premises SDDC and the VMware Cloud on AWS SDDC share tags and tag attributes.

We will create two categories and tags for each category. The categories will be used for assigning affinity and anti-affinity compute policies.

1. Click Menu
2. Click Tags & Custom Attributes
3. Click CATEGORIES
4. Click NEW
5. Click the Category Name field
6. Type Affinity
7. Click the check box next to All objects
8. Click the check box next to Virtual Machine
9. Click OK
10. Click NEW
11. Click the Category Name field
12. Type AntiAffinity
13. Click the check box next to All objects
14. Click the check box next to Virtual Machine
15. Click OK
16. Click TAGS
17. Click NEW
18. Click the Name field
19. Type Finance - note the Category field is set to Affinity
20. Click OK
21. Click NEW
22. Click the Name field
23. Type Sharepoint - note the Category field is set to Affinity
24. Click OK
25. Click NEW
26. Click the Name field
27. Type Database
28. Click the dropdown list box for Category
29. Click AntiAffinity
30. Click OK
31. Click NEW
32. Click the Name field
33. Type Sharepoint-Web
34. Click the dropdown list box for Category
35. Click AntiAffinity
36. Click OK

Assign Tags to VMs

After you have created tags, you can apply or remove them as metadata to
objects in the vCenter Server inventory. We will assign the tags we created to
our Finance and Sharepoint VMs.

1. Click Menu
2. Click Hosts and Clusters
3. Click FIN-APP-01
4. Click Tags & Custom Attributes
5. Click Assign Tag
6. Click the check box next to the Finance Affinity tag
7. Click ASSIGN
8. Click FIN-DB-01
9. Click Tags & Custom Attributes
10. Click Assign Tag
11. Click the check box next to the Finance Affinity tag
12. Click ASSIGN
13. Click SHAREPOINT-APP-01
14. Click Tags & Custom Attributes
15. Click Assign Tag
16. Click the check box next to the Sharepoint Affinity tag
17. Click ASSIGN
18. Click SHAREPOINT-DB-01
19. Click Tags & Custom Attributes
20. Click Assign Tag
21. Click the check box next to the Sharepoint Affinity tag
22. Click ASSIGN
23. Click SHAREPOINT-WEB-01A
24. Click Tags & Custom Attributes
25. Click Assign Tag
26. Click the check box next to the Sharepoint-Web AntiAffinity tag
27. Click ASSIGN
28. Click SHAREPOINT-WEB-01B
29. Click Tags & Custom Attributes
30. Click Assign Tag
31. Click the check box next to the Sharepoint-Web AntiAffinity tag
32. Click ASSIGN
33. Click FIN-DB-01
34. Click Tags & Custom Attributes
35. Click Assign Tag
36. Click the check box next to the Database AntiAffinity tag
37. Click ASSIGN
38. Click SHAREPOINT-DB-01
39. Click Tags & Custom Attributes
40. Click Assign Tag
41. Click the check box next to the Database AntiAffinity tag
42. Click ASSIGN

Create Compute Policies

A CloudAdmin user can establish policies and profiles in the SDDC that
govern the placement of workload VMs.

Affinity policies in your VMware Cloud on AWS SDDC are not the same as
the vSphere DRS affinity rules you can create on premises. They can be used
in many of the same ways, but have significant operational differences. A
compute policy applies to all hosts in an SDDC, and cannot typically be
enforced in the same way that a DRS "must" policy is enforced. The policy
create/delete pages have more information about operational details for each
policy type.

We will create compute policies for the categories and tags we created to
either enforce that VMs run on the same hosts (affinity) or on different hosts
(anti-affinity).

1. Click Menu
2. Click Policies and Profiles
3. Click Compute Policies
4. Click ADD
5. Click the dropdown list box for Policy type
6. Click VM - VM affinity
7. Click the Name field
8. Type Finance-App-DB
9. Click the dropdown list box for Category
10. Click Affinity
11. Click CREATE
12. Click ADD
13. Click the dropdown list box for Policy type
14. Click VM - VM affinity
15. Click the Name field and
16. Type SHAREPOINT-APP-DB
17. Click the dropdown list box for Category
18. Click Affinity
19. Click the dropdown list box for Tag
20. Click Sharepoint
21. Click CREATE
22. Click ADD
23. Click the dropdown list box for Policy type
24. Click VM - VM anti affinity
25. Click the Name field and
26. Type DB-Separation
27. Click the dropdown list box for Category
28. Click AntiAffinity
29. Click CREATE
30. Click VIEW AS TABLE
31. Click ADD
32. Click the dropdown list box for Policy type
33. Click VM - VM anti affinity
34. Click the Name field
35. Type Sharepoint-Web-Servers
36. Click the dropdown list box for Category
37. Click AntiAffinity
38. Click the dropdown list box for Tag
39. Click Sharepoint-Web
40. Click CREATE
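
The four policies above express placement intent, and because a compute policy is not enforced like a DRS "must" rule, a CloudAdmin should check where the tagged VMs actually ended up. The following Python audit is an added example, not part of the lab or of VMware's tooling; the host names and placements are constructed, and it assumes that the two policies created without choosing a tag (Finance-App-DB and DB-Separation) kept the first tag in their category, Finance and Database.

```python
"""Audit host placement against the lab's tag-based compute policies.

Added example, not part of the lab guide or of VMware's tooling. Tags and
policies are the ones created in the preceding procedures; host names and
placements are constructed for illustration.
"""
from collections import defaultdict
from itertools import product

# Tags assigned in "Assign Tags to VMs", as (category, tag) pairs.
VM_TAGS = {
    "FIN-APP-01": {("Affinity", "Finance")},
    "FIN-DB-01": {("Affinity", "Finance"), ("AntiAffinity", "Database")},
    "SHAREPOINT-APP-01": {("Affinity", "Sharepoint")},
    "SHAREPOINT-DB-01": {("Affinity", "Sharepoint"), ("AntiAffinity", "Database")},
    "SHAREPOINT-WEB-01A": {("AntiAffinity", "Sharepoint-Web")},
    "SHAREPOINT-WEB-01B": {("AntiAffinity", "Sharepoint-Web")},
}

# Compute policies from "Create Compute Policies": (name, kind, category, tag).
# Finance-App-DB and DB-Separation are created without choosing a tag; this
# example assumes the console kept the first tag of the category (assumption).
POLICIES = [
    ("Finance-App-DB", "affinity", "Affinity", "Finance"),
    ("SHAREPOINT-APP-DB", "affinity", "Affinity", "Sharepoint"),
    ("DB-Separation", "anti-affinity", "AntiAffinity", "Database"),
    ("Sharepoint-Web-Servers", "anti-affinity", "AntiAffinity", "Sharepoint-Web"),
]


def tagged_vms(category, tag):
    """VMs carrying the given tag, in a stable order."""
    return sorted(vm for vm, tags in VM_TAGS.items() if (category, tag) in tags)


def audit_placement(placement):
    """Return violation messages for a {vm: host} placement (empty if compliant).

    VM-VM affinity: every tagged VM must sit on the same host.
    VM-VM anti-affinity: no two tagged VMs may share a host.
    """
    violations = []
    for name, kind, category, tag in POLICIES:
        members = tagged_vms(category, tag)
        by_host = defaultdict(list)
        for vm in members:
            by_host[placement[vm]].append(vm)
        if kind == "affinity" and len(by_host) > 1:
            violations.append(f"{name}: {members} spread over {sorted(by_host)}")
        if kind == "anti-affinity":
            for host, vms in sorted(by_host.items()):
                if len(vms) > 1:
                    violations.append(f"{name}: {vms} share host {host}")
    return violations


def compliant_placements(hosts):
    """Brute-force every assignment of the tagged VMs to hosts; yield the compliant ones."""
    vms = sorted(VM_TAGS)
    for assignment in product(hosts, repeat=len(vms)):
        placement = dict(zip(vms, assignment))
        if not audit_placement(placement):
            yield placement


# Constructed two-host placements: one honours all four policies, the other
# stacks every VM on a single host.
COMPLIANT = {
    "FIN-APP-01": "esx-01", "FIN-DB-01": "esx-01", "SHAREPOINT-WEB-01A": "esx-01",
    "SHAREPOINT-APP-01": "esx-02", "SHAREPOINT-DB-01": "esx-02", "SHAREPOINT-WEB-01B": "esx-02",
}
ALL_ON_ONE_HOST = {vm: "esx-01" for vm in VM_TAGS}

if __name__ == "__main__":
    print("compliant placement violations:", audit_placement(COMPLIANT))
    for violation in audit_placement(ALL_ON_ONE_HOST):
        print("violation:", violation)
    print("compliant placements on 2 hosts:",
          len(list(compliant_placements(["esx-01", "esx-02"]))))
```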

Create Workload Groups

Inventory groups categorize VMs based on VM names, IP addresses, and
matching criteria of VM name and tag. You use inventory groups to specify
sources and destinations when you create firewall rules and to simplify
managing workload VMs that require similar configurations.

We will create several workload groups for our workload VMs to be used with
a distributed firewall.

1. Click the open VMware Cloud on AWS SDDC tab in the browser
2. Click Groups
3. Click ADD GROUP
4. Click the Name field and
5. Type Web Servers
6. Click Set VMs
7. Click the Select VMs field and
8. Type web and hit ENTER
9. Click the check box next to FIN-WEB-01
10. Click the check box next to SHAREPOINT-WEB-01A (the first
SHAREPOINT-WEB entry)
11. Click the check box next to SHAREPOINT-WEB-01B (the second
SHAREPOINT-WEB entry)
12. Click the scroll bar
13. Click SAVE
14. Click SAVE
15. Click ADD GROUP
16. Click the Name field
17. Type Fin-Web-Server
18. Click Set VMs
19. Click the check box next to FIN-WEB-01
20. Click the scroll bar
21. Click SAVE
22. Click SAVE
23. Click ADD GROUP
24. Click the Name field
25. Type Fin-App-Server
26. Click Set VMs
27. Click the check box next to FIN-APP-01
28. Click the scroll bar
29. Click SAVE
30. Click SAVE
31. Click ADD GROUP
32. Click the Name field
33. Type Fin-DB-Server
34. Click Set VMs
35. Click the check box next to FIN-DB-01
36. Click the scroll bar
37. Click SAVE
38. Click SAVE
39. Click ADD GROUP
40. Click the Name field
41. Type Sharepoint-Web-Servers
42. Click Set VMs
43. Click the scroll bar
44. Click the check box next to SHAREPOINT-WEB-01A (the first
SHAREPOINT-WEB entry)
45. Click the check box next to SHAREPOINT-WEB-01B (the second
SHAREPOINT-WEB entry)
46. Click the scroll bar
47. Click SAVE
48. Click SAVE
49. Click ADD GROUP
50. Click the Name field
51. Type Sharepoint-App-Server
52. Click Set VMs
53. Click the check box next to SHAREPOINT-APP-...
54. Click the scroll bar
55. Click SAVE
56. Click SAVE
57. Click ADD GROUP
58. Click the Name field
59. Type Sharepoint-DB-Server
60. Click Set VMs
61. Click the check box next to SHAREPOINT-DB-0...
62. Click the scroll bar
63. Click SAVE
64. Click SAVE

Create Distributed Firewall Rules to Drop All Traffic

We will create distributed firewall rules that will drop all traffic to any of the
Finance or Sharepoint workload VMs.

1. Click the open vSphere Client tab in the browser
2. Click the console for the FIN-WEB-01 VM
3. Click OK to launch the Web Console
4. Click the open vSphere Client tab in the browser
5. Click FIN-APP-01 and note the IP address
6. Click the FIN-WEB-01 tab
7. Click in the console window and
8. Type ping 172.18.201.10 and hit ENTER
9. Click the open vSphere Client tab in the browser
10. Click SHAREPOINT-WEB-01A
11. Click the FIN-WEB-01 tab and note the IP address
12. Type ping 172.18.200.20 and hit ENTER
13. Click the open VMware Cloud on AWS SDDC tab in the browser
14. Click Distributed Firewall
15. Click ADD NEW SECTION
16. Click the Name field
17. Type Finance
18. Click ADD NEW SECTION
19. Click the Name field
20. Type Sharepoint
21. Click PUBLISH
22. Click ADD NEW RULE
23. Click the Name field
24. Type Drop All
25. Click Any under Destinations
26. Click the scroll bar
27. Click the check box next to Sharepoint-All
28. Click the scroll bar
29. Click SAVE
30. Click the dropdown list box under Action
31. Click Drop
32. Click ADD NEW RULE
33. Click the Name field
34. Type Drop All
35. Click Any under Destinations
36. Click the scroll bar
37. Click the check box next to Fin-All
38. Click the scroll bar
39. Click SAVE
40. Click the dropdown list box under Action
41. Click Drop
42. Click PUBLISH
43. Click the FIN-WEB-01 tab
44. Hit the UP arrow to rerun the last command and hit ENTER and note
that the ping fails
45. Hit the UP arrow twice and hit ENTER, and note that the ping fails

Create Distributed Firewall Rules to Allow Traffic

We will create distributed firewall rules to allow traffic between specific VMs
for the Finance application.

1. Click the open VMware Cloud on AWS SDDC tab in the browser
2. Click ADD NEW RULE to create a rule under the Finance section
3. Click the Name field
4. Type Fin-Web-Inbound
5. Click Any under Destinations
6. Click the scroll bar
7. Click the check box next to Fin-Web-Server
8. Click the scroll bar
9. Click SAVE
10. Click Any under Services
11. Click the Select Services field
12. Type http 
13. Click the outer scroll bar
14. Click the inner scroll bar
15. Click the check box next to HTTPS
16. Click the inner scroll bar
17. Click the check box next to HTTP
18. Click SAVE
19. Click ADD NEW RULE to create a rule under the Finance section
20. Click the Name field
21. Type Fin-Web-To-App
22. Click Any under Sources
23. Click the inner scroll bar
24. Click the check box next to Fin-Web-Server
25. Click the outer scroll bar
26. Click SAVE
27. Click Any under Destinations
28. Click the inner scroll bar
29. Click the check box next to Fin-App-Server
30. Click the outer scroll bar
31. Click SAVE
32. Click Any under Services
33. Click the Select Services field
34. Type fin and hit ENTER
35. Click the check box next to Finance App
36. Click the Select Services field
37. Type icmp and hit ENTER
38. Click the check box next to ICMPv4-ALL
39. Click SAVE
40. Click ADD NEW RULE to create a rule under the Finance section
41. Click the Name field
42. Type Fin-App-To-DB
43. Click Any under Sources
44. Click the inner scroll bar
45. Click the check box next to Fin-App-Server
46. Click SAVE
47. Click Any under Destinations
48. Click the inner scroll bar
49. Click the check box next to Fin-DB-Server
50. Click SAVE
51. Click Any under Services
52. Click the Select Services field
53. Type MyS
54. Click the check box next to MySQL
55. Click the scroll bar
56. Click SAVE
57. Click PUBLISH
58. Click the FIN-WEB-01 tab
59. Hit the UP arrow to rerun last command and hit ENTER

We will create distributed firewall rules to allow traffic between specific VMs
for the Sharepoint application.

1. Click the open VMware Cloud on AWS SDDC tab in the browser
2. Click ADD NEW RULE to create a rule under the Sharepoint section
3. Click the Name field
4. Type Sharepoint-Web-Inbound
5. Click Any under Destinations
6. Click the inner scroll bar
7. Click the check box next to Sharepoint-Web-Servers
8. Click the outer scroll bar
9. Click SAVE
10. Click Any under Services
11. Click the Select Services field
12. Type http
13. Click the outer scroll bar
14. Click the inner scroll bar
15. Click the check box next to HTTPS
16. Click the inner scroll bar
17. Click the check box next to HTTP
18. Click SAVE
19. Click ADD NEW RULE to create a rule under the Sharepoint section
20. Click the Name field
21. Type Sharepoint-Web-To-App
22. Click Any under Sources
23. Click the inner scroll bar
24. Click the check box next to Sharepoint-Web-Servers
25. Click the outer scroll bar
26. Click SAVE
27. Click Any under Destinations
28. Click the inner scroll bar
29. Click the check box next to Sharepoint-App-Server
30. Click the outer scroll bar
31. Click SAVE
32. Click Any under Services
33. Click the Select Services field
34. Type Sharep
35. Click the check box next to SharePoint 2010
36. Click the outer scroll bar
37. Click SAVE
38. Click ADD NEW RULE to create a rule under the Sharepoint section
39. Click the Name field
40. Type Sharepoint-App-To-DB
41. Click Any under Sources
42. Click the inner scroll bar
43. Click the check box next to Sharepoint-App-Server
44. Click the outer scroll bar
45. Click SAVE
46. Click Any under Destinations
47. Click the inner scroll bar
48. Click the check box next to Sharepoint-DB-Server
49. Click the outer scroll bar
50. Click SAVE
51. Click Any under Services
52. Click the Select Services field
53. Type SQL
54. Click the check box next to Microsoft SQL Server
55. Click the outer scroll bar
56. Click SAVE
57. Click the horizontal scroll bar
58. Click PUBLISH
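
The following Python model of the resulting rule table is an added example, not the lab's or VMware's code; it shows why the explicit Drop All rules are needed and how rule order and group scope decide each flow. It assumes that Fin-All and Sharepoint-All, created earlier in the lab, contain every FIN-* and SHAREPOINT-* VM, that each section's allow rules sit above its Drop All, and that traffic matching no rule hits the default rule, which allows it; OTHER-01 is a constructed VM outside every group.

```python
"""Model the lab's distributed firewall: groups, Drop All and the allow rules.

Added example, not the lab's or VMware's code. Group membership follows the
"Create Workload Groups" procedure; the rules follow the two firewall
procedures. Assumed (not on the page): Fin-All and Sharepoint-All hold every
FIN-* / SHAREPOINT-* VM, each section's allow rules sit above its Drop All,
and traffic matching no rule hits the DFW default rule, which allows it.
"""

ANY = "Any"
VMS = ["FIN-WEB-01", "FIN-APP-01", "FIN-DB-01", "SHAREPOINT-WEB-01A",
       "SHAREPOINT-WEB-01B", "SHAREPOINT-APP-01", "SHAREPOINT-DB-01"]

GROUPS = {
    "Web Servers": {"FIN-WEB-01", "SHAREPOINT-WEB-01A", "SHAREPOINT-WEB-01B"},
    "Fin-Web-Server": {"FIN-WEB-01"},
    "Fin-App-Server": {"FIN-APP-01"},
    "Fin-DB-Server": {"FIN-DB-01"},
    "Sharepoint-Web-Servers": {"SHAREPOINT-WEB-01A", "SHAREPOINT-WEB-01B"},
    "Sharepoint-App-Server": {"SHAREPOINT-APP-01"},
    "Sharepoint-DB-Server": {"SHAREPOINT-DB-01"},
    # Used by the Drop All rules but created earlier in the lab: membership assumed.
    "Fin-All": {vm for vm in VMS if vm.startswith("FIN-")},
    "Sharepoint-All": {vm for vm in VMS if vm.startswith("SHAREPOINT-")},
}

# Rule table top-down: (section, name, source, destination, services, action).
# Services are the NSX service names picked in the console, not port numbers.
RULES = [
    ("Finance", "Fin-App-To-DB", "Fin-App-Server", "Fin-DB-Server", {"MySQL"}, "ALLOW"),
    ("Finance", "Fin-Web-To-App", "Fin-Web-Server", "Fin-App-Server",
     {"Finance App", "ICMPv4-ALL"}, "ALLOW"),
    ("Finance", "Fin-Web-Inbound", ANY, "Fin-Web-Server", {"HTTP", "HTTPS"}, "ALLOW"),
    ("Finance", "Drop All", ANY, "Fin-All", ANY, "DROP"),
    ("Sharepoint", "Sharepoint-App-To-DB", "Sharepoint-App-Server",
     "Sharepoint-DB-Server", {"Microsoft SQL Server"}, "ALLOW"),
    ("Sharepoint", "Sharepoint-Web-To-App", "Sharepoint-Web-Servers",
     "Sharepoint-App-Server", {"SharePoint 2010"}, "ALLOW"),
    ("Sharepoint", "Sharepoint-Web-Inbound", ANY, "Sharepoint-Web-Servers",
     {"HTTP", "HTTPS"}, "ALLOW"),
    ("Sharepoint", "Drop All", ANY, "Sharepoint-All", ANY, "DROP"),
]

# Addresses the lab reveals while testing with ping and in the NAT rule.
KNOWN_IPS = {"172.18.200.10": "FIN-WEB-01", "172.18.201.10": "FIN-APP-01",
             "172.18.200.20": "SHAREPOINT-WEB-01A"}


def in_scope(vm, target):
    """A VM matches 'Any' or a group it belongs to."""
    return target == ANY or vm in GROUPS[target]


def evaluate(src, dst, service, rules=RULES):
    """Walk the table top-down; the first matching rule decides.

    Returns (action, 'section/rule name'). A VM outside every group never
    matches a Drop All rule and is therefore allowed by the default rule.
    """
    for section, name, source, dest, services, action in rules:
        if (in_scope(src, source) and in_scope(dst, dest)
                and (services == ANY or service in services)):
            return action, f"{section}/{name}"
    return "ALLOW", "default rule"


def ping_test(src_vm, dst_ip):
    """Reproduce the lab's console pings; returns 'ALLOW' or 'DROP'."""
    return evaluate(src_vm, KNOWN_IPS[dst_ip], "ICMPv4-ALL")[0]


# The same table with each Drop All hoisted above its section's allow rules,
# which is what an allow rule placed below the Drop All would look like.
DROP_FIRST = sorted(RULES, key=lambda rule: rule[5] != "DROP")

if __name__ == "__main__":
    for ip in ("172.18.201.10", "172.18.200.20"):
        print(f"ping {ip} from FIN-WEB-01:", ping_test("FIN-WEB-01", ip))
    print("web tier straight to DB:", evaluate("FIN-WEB-01", "FIN-DB-01", "MySQL"))
    print("ungrouped VM:", evaluate("FIN-WEB-01", "OTHER-01", "HTTP"))
```

Evaluating FIN-WEB-01's two pings reproduces the lab's result: 172.18.200.20 stays dropped by the Sharepoint section while 172.18.201.10 is allowed by Fin-Web-To-App; with the Drop All rules hoisted to the top (DROP_FIRST), both pings fail.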

Request a Public IP for the Web Server

You can request public IP addresses to assign to workload VMs to allow
access to these VMs from the internet. VMware Cloud on AWS provisions
the IP address from AWS.

Inbound Network Address Translation (NAT) allows you to map internet traffic
arriving at a public-facing IP address and port to a private IP address and port
inside your SDDC's compute network.

We will request a public IP for the Finance web server and create a NAT rule and
a compute gateway firewall rule to allow traffic to the web server.

1. Click the vertical scroll bar by the left-hand navigation menu
2. Click Public IPs
3. Click REQUEST NEW IP
4. Click the Notes field
5. Type FIN-WEB-01
6. Click SAVE
7. Click the vertical scroll bar by the left-hand navigation menu
8. Click NAT
9. Click ADD RULE
10. Click the Name field
11. Type FIN-WEB-01-NAT
12. Click All Traffic in the Service field to remove
13. Type http
14. Click the scroll bar
15. Click HTTP
16. Click the Internal IP field
17. Type 172.18.200.10
18. Click SAVE
19. Click Gateway Firewall
20. Click Compute Gateway
21. Click ADD NEW RULE
22. Click the Name field
23. Type Web-Servers-Inbound
24. Click Set Source
25. Click the check box next to Any
26. Click the outer scroll bar
27. Click SAVE
28. Click Set Destination
29. Click the inner scroll bar
30. Click the check box next to Web Servers
31. Click the outer scroll bar
32. Click SAVE
33. Click Set Service
34. Click the Select Services field
35. Type http
36. Click the outer scroll bar
37. Click the check box next to HTTP
38. Click the outer scroll bar
39. Click SAVE
40. Click PUBLISH
41. Click the vertical scroll bar by the left-hand navigation menu
42. Click Public IPs
43. Click 52.38.151.137 to copy it to the clipboard
44. Click + to open a new tab
45. Click the browser to enter the Public IP 
46. Click the Public IP 52.38.151.137

Log Intelligence

The VMware Log Intelligence Service enables you to collect and analyze logs
generated in your SDDC.

A trial version of the VMware Log Intelligence Service is enabled by default in
a new SDDC. The trial period begins when a user in your organization
accesses the Log Intelligence add-on and expires in thirty days. After the trial
period, you can choose to subscribe to this service or continue to use a
subset of service features at no additional cost.

For more information about using VMware Log Intelligence, see the VMware
Log Intelligence Documentation.

1. Click to continue
2. Click VMware Log Intelligence
3. Click the double arrows on the left-hand navigation menu
4. Click Log Management
5. Click NSXT
6. Click the switch next to Enable NSX-T firewall logs
7. Click SAVE
8. Click Home
9. Click Explore Logs
10. Click Home

To return to the lab, click the link in the top right corner or close this browser
tab.

MODULE 4 - SET UP THE HYBRID CLOUD WITH HYBRID LINKED MODE

The orange boxes show where to click, and the left and right arrow keys can
also be used to move through the simulation in either direction.

Configure DNS

Domain Name System (DNS) planning is critical for any cloud environment,
and it is important for management and compute workloads in VMware Cloud
on AWS to function properly. Google DNS servers are set up initially when
the SDDC is first deployed.

DNS servers configured under Management Gateway (MGW) will be used by
the management components such as vCenter to resolve the on-prem
FQDNs. Without setting this up, features such as HLM or Site Recovery may
not work as the management VMs cannot resolve the on-prem resources.

1. Click DNS in the left-hand navigation menu
2. Click the vertical ellipsis next to DNS Server 1
3. Click Edit
4. Click in the DNS Server 1 field and
5. Type 172.16.31.6
6. Click in the DNS Server 2 field and enter 172.16.31.7
7. Click SAVE
8. Click Troubleshooting
9. Click the scroll bar
10. Click in the On-prem Primary DNS Server field
11. Type 172.16.31.6
12. Click in the On-prem Secondary DNS Server field
13. Type 172.16.31.7
14. Click in the On-prem vCenter field
15. Type sc2vc03.vslab.local
16. Click to copy
17. Click in the On-prem PSC FQDN field to paste
18. Click in the On-prem Active Directory field
19. Type 172.16.31.6
20. Click in the On-prem ESX field
21. Type sc2esx28.vslab.local
22. Click RUN ALL TESTS
23. Click the arrow next to the On-prem Primary DNS Server
24. Click the arrow next to the On-prem Secondary DNS Server
25. Click the scroll bar
26. Click the arrow next to the On-prem vCenter
27. Click the arrow next to the On-prem PSC FQDN
28. Click the arrow next to the On-prem Secondary Active Directory
29. Click the arrow next to the On-prem ESX
30. Click Summary

Subscribe to an Existing Content Library

Content libraries are container objects for VM and vApp templates and other
types of files, such as ISO images, text files, and so on. You can use the
templates in the library to deploy virtual machines and vApps in the vSphere
inventory. You can also use content libraries to share content across vCenter
Server instances in the same or different locations. Sharing templates and
files results in consistency, compliance, efficiency, and automation in deploying
workloads at scale.

We will subscribe to a published content library.

1. Click the open vSphere browser tab
2. Click Menu
3. Click Content Libraries
4. Click the + sign
5. Click in the Name field
6. Type Subscribed-CL
7. Click NEXT
8. Click the radio button next to Subscribed content library
9. Click in the Subscription URL field to paste the URL
10. Click NEXT
11. Click YES
12. Click Workload Datastore
13. Click NEXT
14. Click FINISH
15. Click Subscribed-CL
16. Click Templates
17. Click vSphere Client

Deploy vCenter Cloud Gateway On-Prem

Hybrid Linked Mode allows you to link your VMware Cloud on AWS vCenter
Server instance with an on-premises vCenter Single Sign-On domain. If you
link your cloud vCenter Server to a domain that contains multiple vCenter
Server instances linked using Enhanced Linked Mode, all of those instances
are linked to your cloud SDDC.

Using Hybrid Linked Mode, you can:

- View and manage the inventories of both your on-premises and
VMware Cloud on AWS data centers from a single vSphere Client
interface, accessed using your on-premises credentials.
- Migrate workloads between your on-premises data center and cloud
SDDC.
- Share tags and tag categories from your vCenter Server instance to
your cloud SDDC.

We will install the vCenter Cloud Gateway Appliance and use it to link from
the on-premises data center to the cloud SDDC. In this case, Active Directory
groups are mapped from the on-premises environment to the cloud, and it is
not required to add Active Directory as an identity source in your cloud
vCenter Server.

1. Click to continue
2. Click ui-installer
3. Click win32
4. Click the scroll bar
5. Click installer.exe
6. Click GET STARTED
7. Click START
8. Click the check box next to I accept the terms of the license
agreement
9. Click NEXT
10. Click in the Password field
11. Type VMware1!
12. Click NEXT
13. Click YES
14. Click the arrow next to SC2
15. Click John-Taylor
16. Click the down arrow next to sc2vc03.vslab.local
17. Click NEXT
18. Click BCA2
19. Click NEXT
20. Click in the VM name field
21. Type vslab-addc-gw01
22. Click in the Set root password field
23. Type VMware1!
24. Click in the Confirm root password field
25. Type VMware1!
26. Click NEXT
27. Click the scroll bar
28. Click NEXT
29. Click the scroll bar
30. Click in the Network field
31. Select vDS-1631
32. Click NEXT
33. Click NEXT
34. Click in the Single Sign-On password field
35. Type VMware1!
36. Click NEXT
37. Click YES
38. Click FINISH

Configure Hybrid Linked Mode

1. Click START
2. Click NEXT
3. Click the Google Chrome icon in the task bar
4. Click Settings
5. Click Default vCenter User Account
6. Click the icon to copy the password
7. Click the vCenter Cloud Gateway Appliance installer icon in
the task bar
8. Click in the Password field to paste the cloudadmin password
9. Click the dropdown list box next to Identity Source
10. Click vslab.local
11. Click the scroll bar
12. Click FINISH
13. Click YES
14. Click LAUNCH VSPHERE CLIENT
15. Click in the User Name field
16. Type [email protected]
17. Click in the Password field
18. Type VMware1!
19. Click LOGIN
20. Click sc2vc03.vslab.local
21. Click SC2
22. Click BCA2
23. Click the scroll bar
24. Click vcenter-sddc-34.210-230-88.v..
25. Click SDDC-Datacenter
26. Click Cluster-1
27. Click Compute-ResourcePool
28. Click the scroll bar
29. Click vcenter-sddc-34.210-230-88.v..
30. Click the scroll bar
31. Click BCA2
32. Click SC2
33. Click sc2vc03.vslab.local

Cold Migrate VM to VMware Cloud on AWS

Cold migration is moving a powered-off virtual machine from one host and/or
datastore to another. Cold migration is a good option when you can tolerate
some virtual machine downtime during the migration process.

For additional information about the types of supported migrations,
see Migrating Virtual Machines.

We will cold migrate a powered off virtual machine to VMware Cloud on AWS
and power it on there.

1. Click the arrow next to sc2vc03.vslab.local
2. Click the scroll bar
3. Click JT_UBUNTU_01
4. Click Migrate...
5. Click the radio button next to Change both compute resource and
storage
6. Click NEXT
7. Click vcenter-sddc-34-210-230-88.vmwarevmc.com
8. Click the arrow next to SDDC-Datacenter
9. Click the arrow next to Cluster-1
10. Click Compute-ResourcePool
11. Click the scroll bar
12. Click NEXT
13. Click WorkloadDatastore
14. Click NEXT
15. Click Workloads
16. Click NEXT
17. Click the dropdown list box under Destination Network
18. Click VLAN-1606
19. Click NEXT
20. Click FINISH
21. Click in the Search in all environments field
22. Type JT_
23. Click JT_UBUNTU_01
24. Click the scroll bar
25. Click Summary
26. Click JT_UBUNTU_01
27. Click Power
28. Click Power On
29. Click the scroll bar

Live vMotion a VM to VMware Cloud on AWS

Migration with vMotion allows moving a powered on virtual machine from one
host and/or datastore to another. Migration with vMotion is also referred to as
"hot migration" or "live migration". Migration with vMotion is the best option for
migrating small workloads without any downtime during migration.

We will live vMotion a powered on VM to VMware Cloud on AWS.

1. Click JT_WEB_01
2. Click Migrate...
3. Click the radio button next to Change both compute resource and
storage
4. Click NEXT
5. Click the arrow next to vcenter-sddc-34-210-230-
88.vmwarevmc.com
6. Click the arrow next to SDDC-Datacenter
7. Click the arrow next to Cluster-1
8. Click Compute-ResourcePool
9. Click NEXT
10. Click WorkloadDatastore
11. Click NEXT
12. Click Workloads
13. Click NEXT
14. Click the dropdown list box under Destination Network
15. Click VLAN-1606
16. Click NEXT
17. Click NEXT
18. Click FINISH
19. Click the scroll bar

Edit Elastic DRS Settings

Elastic DRS allows you to scale your cluster in response to demand, or lack of
demand, by adding or removing hosts automatically based on specific policies
that are configured. The eDRS algorithm runs every 5 minutes and looks at
predefined resource thresholds for CPU, memory, and storage. The
thresholds cannot be changed by the user and differ based on the policy
configured. While the algorithm runs every 5 minutes, the scaling decisions
also take into account trends that are tracked over time. If ANY of the
resources consistently remain above the defined threshold, a scale-up
recommendation alert is generated, and a host is added to the cluster.
Conversely, a scale-down recommendation alert is only generated
when ALL resources are consistently below the threshold, triggering the
removal of a host.

We will modify one of the settings for Elastic DRS in our VMware Cloud on
AWS SDDC.

1. Click the VMware Cloud on AWS SDDC browser tab
2. Click EDIT EDRS SETTINGS
3. Click Optimize for Best Performance
4. Click the dropdown list box next to Maximum cluster size
5. Click 5
6. Click SAVE
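
The scale-up/scale-down logic described above, as an added example in Python (not VMware's algorithm): the thresholds and sample windows are constructed placeholders, since the real thresholds are fixed per policy and not shown here, and the maximum cluster size of 5 matches the value set in the procedure.

```python
"""Model the Elastic DRS scale decision described in the text.

Added example, not VMware's algorithm or code. It encodes the two rules the
text gives: scale up when ANY resource stays above its threshold for the whole
evaluation window, scale down only when ALL resources stay below theirs, and
never leave the configured cluster-size range. Threshold values are constructed
placeholders; the real ones are fixed per policy and not shown on the page.
"""

RESOURCES = ("cpu", "memory", "storage")
# Percent utilisation. Constructed values, not the real eDRS thresholds.
SCALE_UP_ABOVE = {"cpu": 90.0, "memory": 80.0, "storage": 70.0}
SCALE_DOWN_BELOW = {"cpu": 50.0, "memory": 50.0, "storage": 20.0}


def consistently_above(samples, threshold):
    """Every reading in the window exceeds the threshold; a single spike does not count."""
    return bool(samples) and all(s > threshold for s in samples)


def consistently_below(samples, threshold):
    """Every reading in the window is under the threshold."""
    return bool(samples) and all(s < threshold for s in samples)


def edrs_recommendation(window, hosts, min_hosts=3, max_hosts=5):
    """Return 'scale-up', 'scale-down' or 'none' for one evaluation run.

    window maps each resource to its recent readings; hosts is the current
    cluster size. min_hosts is a constructed default; max_hosts=5 is the value
    chosen in the procedure above.
    """
    scale_up = any(consistently_above(window[r], SCALE_UP_ABOVE[r]) for r in RESOURCES)
    scale_down = all(consistently_below(window[r], SCALE_DOWN_BELOW[r]) for r in RESOURCES)
    if scale_up and hosts < max_hosts:
        return "scale-up"      # one hot resource is enough to add a host
    if scale_down and hosts > min_hosts:
        return "scale-down"    # every resource must be idle before removing one
    return "none"


# Constructed sample windows: three consecutive readings per resource.
HOT_CPU = {"cpu": [92.0, 95.0, 93.0], "memory": [40.0, 42.0, 41.0], "storage": [30.0, 31.0, 30.0]}
CPU_SPIKE = {"cpu": [92.0, 60.0, 93.0], "memory": [40.0, 42.0, 41.0], "storage": [30.0, 31.0, 30.0]}
ALL_IDLE = {"cpu": [20.0, 22.0, 21.0], "memory": [30.0, 31.0, 30.0], "storage": [10.0, 10.0, 11.0]}
MOSTLY_IDLE = {"cpu": [20.0, 22.0, 21.0], "memory": [30.0, 31.0, 30.0], "storage": [35.0, 35.0, 36.0]}

if __name__ == "__main__":
    for label, window in [("HOT_CPU", HOT_CPU), ("CPU_SPIKE", CPU_SPIKE),
                          ("ALL_IDLE", ALL_IDLE), ("MOSTLY_IDLE", MOSTLY_IDLE)]:
        print(f"{label} on a 4-host cluster: {edrs_recommendation(window, hosts=4)}")
```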

To return to the lab, click the link in the top right corner or close this browser
tab.
