Tuesday 27 April 2021

HCX Service Mesh and Route Based VPN with default route advertised

I've been asked a few times whether HCX can be used when the customer has a route-based VPN into VMware Cloud on AWS and is advertising the default route into the SDDC. The short answer is yes, this is supported and works.

The long answer as to why this question comes up is that when we advertise the default route into the SDDC, all traffic leaving the SDDC flows via on-premises, including traffic destined for the internet. Some customers prefer this so that all outbound internet traffic passes through their perimeter firewall, where their security and logging policies are applied. The confusion is around HCX. Since HCX is unable to use an existing IPsec VPN tunnel to send traffic from on-premises into the SDDC, as per the KB article, it needs to establish its own. The HCX-IX Interconnect and HCX Network Extension appliances both establish an IPsec VPN tunnel from on-premises to their peer appliances in the SDDC using UDP/4500. So the question is: if we are advertising the default route into the SDDC so that all traffic traverses the IPsec VPN tunnel back to on-premises, how can the HCX-IX Interconnect and HCX Network Extension appliances communicate?
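To make the routing premise behind the question concrete, here is an added example (not code from the original post) of how a router resolves a destination when a default route is present. The route table and IP addresses are constructed for illustration; the extra /32 entry in the second lookup only demonstrates the general longest-prefix-match rule and is not a statement of how VMware Cloud on AWS resolves the HCX case, which is outside this excerpt.

```python
import ipaddress

# Constructed route table for an SDDC that learns a default route over a
# route-based VPN from on-premises. Prefixes and next hops are illustrative.
SDDC_ROUTES = [
    ("0.0.0.0/0", "vpn-to-onprem"),   # default route advertised by on-premises
    ("10.72.0.0/16", "sddc-local"),   # constructed SDDC compute segment
]

# Constructed flows leaving the SDDC. The last one models the HCX appliance
# in the SDDC talking UDP/4500 to its on-premises peer's public address.
FLOWS = [
    ("internet-web", "203.0.113.10", "tcp/443"),
    ("onprem-ad", "192.168.10.5", "tcp/389"),
    ("sddc-vm", "10.72.3.4", "tcp/22"),
    ("hcx-onprem-peer", "198.51.100.20", "udp/4500"),
]


def longest_prefix_match(routes, dst):
    """Return the next hop for dst from routes [(prefix, next_hop), ...].

    Standard longest-prefix-match: among all prefixes containing dst, the one
    with the longest mask wins. Returns None when nothing matches (no default).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, next_hop)
    return best[1] if best else None


def egress_paths(routes, flows):
    """Map each flow label to the next hop the route table would select."""
    return {label: longest_prefix_match(routes, dst) for label, dst, _ in flows}


if __name__ == "__main__":
    # With only 0.0.0.0/0 learned from on-premises, every non-local destination,
    # including the HCX UDP/4500 peer, is sent down the VPN tunnel.
    for label, hop in egress_paths(SDDC_ROUTES, FLOWS).items():
        print(f"{label:18} -> {hop}")

    # A more specific prefix always beats the default route, whatever its source.
    with_specific = SDDC_ROUTES + [("198.51.100.20/32", "direct")]
    print("hcx-onprem-peer with /32 present ->",
          longest_prefix_match(with_specific, "198.51.100.20"))
```

The first lookup shows why the question arises: the default route captures the HCX tunnel traffic along with everything else. The second lookup shows the general rule that decides such cases, a longer prefix overriding the /0, without claiming what the SDDC actually installs.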

Monday 22 February 2021

HCX Mobility Optimized Networking Policy Routes

With the R145 release of HCX on 30th October 2020, VMware Cloud on AWS customers were treated to some great new functionality at no additional cost: Replication Assisted vMotion, Application Path Resiliency, TCP Flow Conditioning, Mobility Groups and, my personal favourite, Mobility Optimized Networking. I'm not going to go into too much detail around Mobility Optimized Networking (MON) since Patrick Kremer (Blog | Twitter) has covered it extensively here.

On an internal slack channel the following question was asked:

When we migrate a VM from on-premises into VMC that resides on a stretched layer 2 network without enabling MON, any traffic that needs to egress that network either destined to VMs on-premises, within VMC or out to the internet

Tuesday 19 January 2021

Migrating back from Amazon FSx to on-premises file servers

In a previous article, I showed how AWS DataSync could be used to copy data from an on-premises file server (either physical or virtual) into an Amazon FSx for Windows File Server. Amazon FSx is a fully managed, highly reliable and scalable file storage service that is accessible over the industry-standard Server Message Block (SMB) protocol. This is ideal for customers who are looking to migrate workloads to VMware Cloud on AWS and start taking advantage of native cloud services to improve resiliency and cost. Things get a little trickier for customers who want to use VMware Cloud Disaster Recovery to fail over their environment into VMware Cloud on AWS and then fail back to on-premises once the on-premises environment has been recovered. AWS DataSync does not support copying data back from AWS (FSx, EFS or S3) to on-premises, so this has to be performed manually. This post will show the steps required to copy the data back from Amazon FSx to on-premises, which can be incorporated into your failback process to ensure that there is no data loss.

We first need to change the existing AWS DataSync task to run manually, or delete it completely, so that stale on-premises data (if any is still available) is not copied back into FSx and introduces inconsistencies. Navigate to the AWS DataSync service and either delete the task:

Or change the task schedule to Not Scheduled, which means it will only run when you start it manually:

Typically I would recommend stopping the share to 100% confirm

Monday 18 January 2021

AWS DataSync via VPC Endpoints instead of Public Endpoints

In my previous article, I walked through the steps of replicating an on-premises file server into Amazon FSx using the AWS DataSync service. Since I didn't have a VPN between my on-premises environment and the VPC where the FSx file system was deployed, I had to use the public endpoint, whereby all communication from the DataSync agent to AWS occurs over the public internet. In this article, I'm just going to quickly show the process of setting this up using VPC endpoints so that communication goes over a VPN or Direct Connect directly into the VPC. This also allows for reverse replication, which will be the topic of a future article.

I currently have the AWS DataSync agent deployed with a routable static IP address on-premises and a VPN established into my VPC. I first need to create a VPC endpoint in my VPC for the AWS DataSync service. Ensure you are in the correct region and navigate to the VPC service. From within there, you will see the option to add Endpoints:

Search for the AWS DataSync service and ensure you select the correct VPC it needs to be created in. I've left the default options to

Friday 15 January 2021

Utilising AWS DataSync and AWS Cloud Native Storage to migrate file servers to support workloads running in VMware Cloud on AWS

Whilst working with customers on the technical aspects of migrating their applications from on-premises into VMware Cloud on AWS, the topic of file servers comes up more often than not. If the customer currently has their file servers running as virtual machines on top of ESXi then it's very straightforward: they can use HCX to migrate the workload. Depending on the size of the file server, the customer may not want to do this because it could increase the host count of the cluster, and instead use native AWS storage services such as FSx, EFS or even S3. Another scenario I have come across is customers with physical file servers running on storage arrays such as NetApp.

During my investigation, I came across AWS DataSync, which automates and accelerates the movement of data from on-premises into AWS storage services as well as between AWS storage services.

As of writing this article, the following services/protocols are supported:
  • Amazon EFS file system (Source and Target)
  • Amazon FSx for Windows File Server (Source and Target)
  • Amazon S3 (Source and Target)
  • Network File System (NFS) (Source Only)
  • Object storage (Source Only)
  • Server Message Block (SMB) (Source Only)
As an example, DataSync can be used to move data from an on-premises Windows file server into Amazon FSx for Windows File Server or from Amazon EFS into...

Thursday 7 January 2021

VMware Cloud on AWS Online vExperience Days

Are you interested in some free technical on-demand VMware Cloud on AWS training videos? If so, the EMEA Solution Architects team have produced nine videos, ranging from an introduction to the service all the way through to automation and cloud economics:

1. Introduction to VMware Cloud on AWS and Use Cases
2. Deploy Your First VMware Cloud on AWS SDDC
3. Accelerate Your Cloud Application Migration with VMware HCX
4. Protect Your Data, Minimize Downtime and Reduce Costs with Optimized Disaster Recovery
5. Create Hybrid Applications with VMware Cloud on AWS and Native AWS Services
6. Day-2 Operations: Managing Your VMware Cloud on AWS Platform
7. Deploy and Configure Your Entire VMware Cloud on AWS with Automation
8. Application Modernization with VMware Cloud on AWS and Kubernetes
9. Cloud Economics: What is it and How it Can Help You to Accelerate Your Journey to the Cloud

Click on the link below to register and get started.

Feel free to provide any feedback or if there is any additional content you would like to see.