Similar to an on-premises vSphere deployment, VMware Cloud on AWS follows good security practices by isolating and preventing access to the SDDC Management Network, including from Virtual Machines running in the Compute Network. With that said, the SDDC can be configured to enable access to the SDDC Management Network for either all or a subset of workloads running in the Compute Network.
I have seen this request come up a few times, usually around proof of concepts, lack of on-premises infrastructure or wanting to run completely isolated within VMC for Dev/Test purposes. Below are the step-by-step instructions on setting this up for both an NSX-V and NSX-T based SDDC. Once enabled, customers can access the vCenter vSphere UI from within the specified Virtual Machine(s), including using tools like OVFTool or PowerCLI for importing new or existing workloads.
Note: Please refer to this blog post here to determine if you are running an NSX-V or NSX-T based SDDC.
In the example below, I have both an NSX-V and NSX-T based SDDC deployed with a Windows 10 Virtual Machine running in Compute Workload Network (sddc-cgw-network-1). I then want to be able to use OVFTool from within the VM to import an OVA directly into my SDDC.
NSX-V SDDC
In an NSX-V based SDDC, an IPsec VPN must be configured between the Management Gateway (MGW) and Compute Gateway (CGW) before network communication can be enabled.
Step 1 - Start off by setting up the VPN for the Management Gateway by clicking on the "Add VPN" button and entering the required information (Remote Gateway Public IP, Remote Networks and Pre-shared keys) which should be referencing the Compute Gateway configuration, the rest of the settings can be left as default. Next, setup the VPN for the Compute Gateway by performing the exact same steps by now providing the Management Gateway configuration. Once both VPN settings have been saved, the Status field may show up as "Partially Connected". Simply right click on Actions text and select Edit and save the settings once more on both gateways and the Status field should show Connected before moving on to the next step.
Step 2 - We now need to configure the Compute Gateway Firewall to allow Outbound connectivity to the SDDC Management Network on Port 443 for our specific VM(s) as that is the only port required for vSphere UI and OVFTool/PowerCLI access. In this environment, my Windows VM has an IP Address of 192.168.1.4 and we want to allow it to communicate to 10.2.0.0/16 network on port 443 as shown in the screenshot below.
Step 3 - Next, we need to configure the Management Gateway Firewall to allow Inbound connectivity to both vCenter Server and ESXi hosts on Port 443 from our specific VM(s) network. Again, our Windows VM has an IP Address of 192.168.1.4 and we need to create two inbound rules to allow it to communicate to vCenter Server and ESXi on Port 443 as shown in the screenshot below.
Step 4 - At this point, we can now login to the Windows VM and use OVFTool to import and/or export a VM to our SDDC. For more details on using OVFTool and VMC, please refer to this blog post here.
NSX-T SDDC
In an NSX-T based SDDC, a VPN is NOT required as the routing functionality is provided by the T0 Router and both the Management and Compute Networks are connected to the T0. However, an additional pre-requisite step is still required to open the appropriate firewall rules. In NSX-T, Inventory Groups are used to allow customers to easily group a set of VM(s) and/or IP Address/Network(s) which can then be referenced when creating new Firewall Policies.
Step 1 - We need to create two Inventory Groups for our Compute Group, one for our VM and one to represent the VMC SDDC Management Network. To do so, navigate to Groups on the left hand side and select "Workload Groups" and create the following two groups:
- Windows10 with a Member Type of Virtual Machine and specify the VM in your vSphere Inventory
- VMC Management Network with a Member Type of IP Address and specify the network range of 10.2.0.0/16
Step 2 - Next, we need to create one Inventory Group for our Management Group to represent the VM we want to enable access. To do so, navigate to Groups on the left hand side and select "Management Groups" and create the following group:
- Windows10 Private IP with a Member Type of IP Address and specify the private IP Address of the VM, which in my example is 192.168.1.2
Note: Make sure to click on the Publish button to create and save the Firewall rule
Step 3 - Now, we need to create a Firewall rule in the Compute Gateway to allow Outbound connectivity to the SDDC Management Network on Port 443 for our specific VM(s) as that is the only port required for vSphere UI and OVFTool/PowerCLI access. Navigate to Gateway Firewall on the left hand side and select "Compute Gateway" and create a new firewall rule which references both the Windows10 group as our Source and VMC Management Network group Destination and HTTPS as the service.
Note: Make sure to click on the Publish button to create and save the Firewall rule
Step 4 - Lastly, we need to create Firewall rules in the Management Gateway to allow Inbound connectivity to both vCenter Server and ESXi hosts on Port 443 from our specific VM(s) network. Navigate to Gateway Firewall on the left hand side and select "Management Gateway" and create a new firewall rule which references both the Windows10 group as our Source and the default vCenter and ESXi group Destination and HTTPS as the service.
Step 5 - At this point, we can now login to the Windows VM and use OVFTool to import and/or export a VM to our SDDC. For more details on using OVFTool and VMC, please refer to this blog post here.
If everything was configured correctly, you should now be able to access both the vCenter Server's vSphere UI via the browser as well as using OVFTool to import a VM into the SDDC as shown in the screenshot below.
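The final step of both the NSX-V and NSX-T procedures above is to confirm from inside the Windows VM that the firewall rules do exactly what was intended: port 443 to vCenter Server and ESXi is reachable, and nothing else on the Management Network is. The following PowerShell script is an added example written for this post, not code from the original article or from VMware; the vCenter/ESXi FQDNs and the OVA path are placeholders, and the VMC default names used in the OVFTool locator (cloudadmin@vmc.local, SDDC-Datacenter, Cluster-1, Compute-ResourcePool, WorkloadDatastore) are assumptions that should be checked against your own SDDC inventory.

```powershell
# Added example (not part of the original post): verify the MGW/CGW firewall rules
# from the Windows VM, then import an OVA with OVFTool using the same 443-only path.

# --- Placeholders: replace with values from your own SDDC ---
$VCenterFqdn = "vcenter.sddc-REPLACE-ME.vmwarevmc.com"   # hypothetical vCenter FQDN
$EsxiFqdn    = "esxi-REPLACE-ME.vmwarevmc.com"           # hypothetical ESXi host FQDN
$OvaPath     = "C:\Temp\example.ova"                     # hypothetical OVA to import
$OvfTool     = "C:\Program Files\VMware\VMware OVF Tool\ovftool.exe"  # default install path

# Ports the rules were NOT supposed to open; they should remain unreachable.
# 902 is used by the vSphere client for VM console/file transfer, 22 for SSH.
$ClosedPorts = @(902, 22)

function Test-SddcMgmtAccess {
    param(
        [Parameter(Mandatory)] [string] $VCenter,
        [Parameter(Mandatory)] [string] $Esxi,
        [int[]] $MustBeClosed = @()
    )
    $results = @()

    # Positive checks: only HTTPS (443) should be allowed by the CGW outbound
    # and MGW inbound rules created in the steps above.
    foreach ($target in @($VCenter, $Esxi)) {
        $ok = (Test-NetConnection -ComputerName $target -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
        $results += [pscustomobject]@{ Target = $target; Port = 443; Expected = "open"; Ok = $ok }
    }

    # Negative checks: confirm the rule is scoped to 443 and nothing broader slipped in
    # (for example a rule that used "Any" as the service instead of HTTPS).
    foreach ($port in $MustBeClosed) {
        $reachable = (Test-NetConnection -ComputerName $VCenter -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        $results += [pscustomobject]@{ Target = $VCenter; Port = $port; Expected = "closed"; Ok = (-not $reachable) }
    }
    return $results
}

function Import-OvaToSddc {
    param(
        [Parameter(Mandatory)] [string] $Ova,
        [Parameter(Mandatory)] [string] $VCenter,
        [Parameter(Mandatory)] [string] $VmName
    )
    # vi:// locator: user@vCenter/Datacenter/host/Cluster/Resources/ResourcePool.
    # OVFTool prompts for the password interactively, so it never lands in the history.
    # Assumed VMC defaults: SDDC-Datacenter, Cluster-1, Compute-ResourcePool, WorkloadDatastore.
    $target = "vi://cloudadmin@vmc.local@$VCenter/SDDC-Datacenter/host/Cluster-1/Resources/Compute-ResourcePool"
    & $OvfTool --acceptAllEulas `
               --datastore=WorkloadDatastore `
               --network=sddc-cgw-network-1 `
               --name=$VmName `
               $Ova $target
    return $LASTEXITCODE
}

# --- Run the checks before touching the SDDC ---
$checks = Test-SddcMgmtAccess -VCenter $VCenterFqdn -Esxi $EsxiFqdn -MustBeClosed $ClosedPorts
$checks | Format-Table -AutoSize

if ($checks.Ok -contains $false) {
    Write-Error "Firewall rules do not match the intended 443-only policy; review the MGW/CGW rules before importing."
    return
}

$exit = Import-OvaToSddc -Ova $OvaPath -VCenter $VCenterFqdn -VmName "Imported-Example-VM"
if ($exit -ne 0) { Write-Error "ovftool exited with code $exit" }
```

The negative checks are the part worth keeping around: the instructions only ever open HTTPS, so a reachable 902 or 22 from the Compute Network VM means a rule was published with a wider service than intended and should be corrected before the VM is used for anything beyond the import.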