AWS Integration
Understanding Integrations with AWS Services
As the above diagram illustrates, the VMware stack not only sits next to the AWS services, but is tightly integrated with these services. This introduces a new way of thinking about how to design and leverage AWS services with your VMware SDDC. Some integrations our customers are using include:
- VMware front-end and RDS backend
- VMware back-end and EC2 front-end
- AWS Application Load Balancer (ELBv2) with VMware front-end (pointing to private IPs)
- Lambda, Simple Queueing Service (SQS), Simple Notification Service (SNS), S3, Route53, and Cognito
- AWS Lex, and Alexa with the VMware Cloud APIs
These are only a few of the integrations we’ve seen. There are many different services that can be integrated into your environment. In this exercise we’ll be exploring integrations with both AWS Simple Storage Service (S3) and AWS Relational Database Service (RDS).
Note: This lab requires that you have completed the steps in the Working with your SDDC lab concerning Content Library creation, Network creation, and Firewall Rule creation.
How these integrations are possible
In addition to sitting within the AWS infrastructure, there is an Elastic Network Interface (ENI) connecting VMware Cloud on AWS and the customer’s Virtual Private Cloud (VPC), providing a high-bandwidth, low-latency connection between the VPC and the SDDC. This is where traffic flows between the two technologies (VMware and AWS). There are no egress charges across the ENI within the same Availability Zone, and there are firewalls on both ends of this connection for security purposes.
How is traffic secured across the ENI?
From the VMware side (see image below), the ENI comes into the SDDC at the Compute Gateway (NSX Edge). This means that on this end we allow and disallow traffic from the ENI with NSX Firewall rules. By default, no ENI traffic can enter the SDDC. Think of this as a security gate blocking traffic to and from AWS services on the ENI until the rules are modified.
On the AWS services side (see image below), Security Groups are used. For those who are not familiar with Security Groups, they act as a virtual firewall for different services (VPCs, databases, EC2 instances, etc.). These should be configured to deny traffic to and from the VMware SDDC unless explicitly allowed.
In this exercise, everything has been configured on the AWS side for you. You will, however, walk through how to allow traffic between AWS and your VMware Cloud on AWS SDDC.
Compute Gateway Firewall Rules for Native AWS Services
- In the VMware Cloud on AWS portal click the Networking & Security tab
- Click Groups in the left pane
- Click ADD GROUP
Name Workload Group
- Type PhotoAppVM for the Name
- Leave Virtual Machine selected for Member Type
- Click Set VMs under Members
Select VMs - Workload Group
- Click to select Webserver01
- Click SAVE
Save Group - Workload Group
- Click SAVE
Firewall Rules
- Click Networking & Security tab in your VMware Cloud on AWS Portal
- Click Gateway Firewall in the left pane
- Click and select Compute Gateway
- Click ADD NEW RULE
Add New Rule - AWS Inbound
- Name your new rule AWS Inbound
- Click on Set Source
Select Source - AWS Inbound
- Click to select Connected VPC Prefixes
- Click SAVE
Set Destination - AWS Inbound
- Click on Set Destination
Select Destination - AWS Inbound (Continued)
- Click to select PhotoAppVM
- Click SAVE
Set Service - AWS Inbound
- Click on Set Service
Set Service - AWS Inbound (Continued)
- Click to select Any
- Click SAVE
Publish - AWS Inbound
- Click on PUBLISH
Note: Make sure to leave All Uplinks in the Applied To section.
Add New Rule - AWS Outbound
- Click ADD NEW RULE
- Name your new rule AWS Outbound
- Click on Set Source
Select Source - AWS Outbound
- Click to Select PhotoAppVM
- Click SAVE
Set Destination - AWS Outbound
- Click on Set Destination
Select Destination - AWS Outbound
- Click to select Connected VPC Prefixes
- Click SAVE
Set Service - AWS Outbound
- Click on Set Service
Set Service - AWS Outbound (Continued)
- Under Select Services type 3306
- Select MySQL checkbox
- Click SAVE
Publish - AWS Outbound
- Click PUBLISH
Note: Make sure to leave All Uplinks in the Applied To section.
Add New Rule - Public In
- Click on ADD NEW RULE
Add New Rule - Public In (Continued)
- Type Public In for Name
- Click on Set Source
Select Source - Public In
- Click to select Any
- Click SAVE
Set Destination - Public In
- Click on Set Destination
Select Destination - Public In
- Click to select PhotoAppVM
- Click SAVE
Set Service - Public In
- Click Set Service
Set Service - Public In (Continued)
- Type HTTP 80 under Select Services
- Click to Select HTTP
- Click SAVE
Publish - Public In
- Click PUBLISH
Note: Make sure to leave All Uplinks in the Applied To section.
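The three Compute Gateway rules above are easier to reason about when written down as a policy and evaluated against the flows the lab depends on. The Python below is an added example, not part of the lab or of any VMware tooling: it models the rules in the order they were created, with first-match semantics and the gateway's default drop, and then classifies a few constructed flows. The address ranges standing in for the Connected VPC Prefixes and the PhotoAppVM group are assumptions, as is the single-rule-table model (stateful reply traffic is not modelled). The `broad_rules` check flags allow rules whose service is Any, which is the case for the AWS Inbound rule built in the lab.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address ranges standing in for the lab's groups (assumptions, not
# values taken from any real SDDC or VPC).
VPC_PREFIXES = [ip_network("172.16.0.0/16")]     # "Connected VPC Prefixes"
PHOTOAPP_VM = [ip_network("192.168.1.10/32")]    # "PhotoAppVM" group = Webserver01
ANY = [ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    name: str
    sources: list
    destinations: list
    protocol: Optional[str]   # None models the "Any" service
    port: Optional[int]
    action: str = "ALLOW"


# The three Compute Gateway rules built in the lab, in the order the gateway
# evaluates them (first match wins; the built-in default is to drop).
LAB_RULES = [
    Rule("AWS Inbound", VPC_PREFIXES, PHOTOAPP_VM, None, None),
    Rule("AWS Outbound", PHOTOAPP_VM, VPC_PREFIXES, "tcp", 3306),
    Rule("Public In", ANY, PHOTOAPP_VM, "tcp", 80),
]


def _member(addr: str, nets) -> bool:
    ip = ip_address(addr)
    return any(ip in n for n in nets)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (action, rule name) for a new flow; unmatched flows hit the default drop.
    Only the initiating packet is classified; stateful reply handling is not modelled."""
    for r in rules:
        if not (_member(src, r.sources) and _member(dst, r.destinations)):
            continue
        if r.protocol is not None and (r.protocol != proto or r.port != port):
            continue
        return r.action, r.name
    return "DROP", "default"


def broad_rules(rules: List[Rule]) -> List[str]:
    """Names of allow rules whose service is Any; they admit every port from
    their source group and deserve a second look under least privilege."""
    return [r.name for r in rules if r.action == "ALLOW" and r.protocol is None]


if __name__ == "__main__":
    checks = [
        ("192.168.1.10", "172.16.8.187", "tcp", 3306),  # web server -> RDS (MySQL)
        ("192.168.1.10", "172.16.8.187", "tcp", 22),    # web server -> VPC host, SSH
        ("203.0.113.5", "192.168.1.10", "tcp", 80),     # Internet -> Lychee
        ("203.0.113.5", "192.168.1.10", "tcp", 22),     # Internet -> SSH
    ]
    for c in checks:
        print(c, "->", evaluate(LAB_RULES, *c))
    print("rules allowing any service:", broad_rules(LAB_RULES))
```

The classification shows what the lab's rule set actually permits: the web server can reach the VPC only on MySQL, the Internet can reach the web server only on HTTP, but any host in the connected VPC can reach the web server on any port because of the AWS Inbound rule's Any service.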
AWS Relational Database Service (RDS) Integration
Amazon RDS makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.
In this exercise, you will integrate a VMware Cloud on AWS virtual machine with a relational database running in Amazon Web Services (AWS) that has been previously set up on your behalf.
Make Note of Webserver01 IP Address
You will be using the VM created in the previous module in order to complete this exercise.
- In your vCenter interface for VMware Cloud on AWS, find your Webserver01 VM you deployed, and ensure it has been assigned an IP address as shown in the graphic.
Assign Public IP
- Go back to your VMware Cloud on AWS portal and click on the Networking & Security tab in order to request a Public IP address
- Click Public IPs in the left pane
- Click on REQUEST NEW IP
- In the notes area type PhotoAppIP
- Click SAVE
Note New Public IP
Take note of your newly created Public IP.
Create a NAT Rule
- Click NAT in the left pane
- Click ADD NAT RULE
- Type PhotoApp NAT for Name
- Ensure the Public IP you requested in the previous step appears under Public IP
- Leave All Traffic (no change)
- Type the IP address of your Webserver01 VM you noted at the beginning of this exercise
- Click SAVE
AWS Relational Database Service (RDS) Integration Exercise
On your browser, open a new tab and go to: https://vmcworkshop.signin.aws.amazon.com/console
- Account ID or alias - Please refer to the information on the card provided to you for Account ID information
- IAM user name - Student# (where # is the number assigned to you)
- Password - VMCworkshop1211
- Click Sign In
Please note that you might get either of the two sign-on screens above. If you get the one on the right, enter the Account ID and click Next.
RDS Information
- You are now signed in to the AWS console. Make sure the region selected is Oregon
- Click on the RDS service (You may need to expand All services)
RDS Instance
- In the left pane click on Databases
- Click on the RDS instance that corresponds to your designated number
Note: Be aware that you may need to look on Page 2 of this view to find your DB.
Navigate to Security Groups
- Scroll down to the Details area and under Connectivity & security notice that the RDS instance is not publicly accessible, meaning this instance can only be accessed from within AWS
- Click the blue hyperlink under Security groups
Security Groups
- Choose the Student##-RDS-Inbound RDS Security group corresponding to you (may not match your student number)
- After highlighting the appropriate security group click on the Inbound tab below
Note: VMware Cloud on AWS establishes routing in the default VPC Security Group; only RDS can leverage this or create its own.
Outbound Traffic
- Click Outbound tab
- You can see All traffic (internal to AWS) allowed, this includes your VMware Cloud on AWS SDDC logical networks.
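The two properties checked by eye in the steps above, that the RDS instance is not publicly accessible and that its security group only admits MySQL traffic from the SDDC side, are worth automating. The Python below is an added example, not part of the lab or of AWS tooling: `audit_rds` takes dictionaries in the shape that boto3's `describe_db_instances` and `describe_security_groups` calls return and reports anything that departs from the intended posture. The instance, security group and CIDR values are constructed placeholders (the `Student06-RDS-Inbound` name follows the lab's `Student##-RDS-Inbound` pattern but is not a real group), and the `allowed_sources` argument, the set of SDDC networks permitted to reach the database, is an assumption supplied by the caller. A second, deliberately weak security group is included beside the intended one so the difference in findings is visible.

```python
from ipaddress import ip_network
from typing import Dict, List

# Constructed sample shaped like boto3 rds.describe_db_instances()["DBInstances"][0];
# values are placeholders, not taken from the lab account.
DB_INSTANCE = {
    "DBInstanceIdentifier": "student06-rds",
    "Engine": "mysql",
    "Endpoint": {"Port": 3306},
    "PubliclyAccessible": False,
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123456789abcdef0", "Status": "active"}],
}

# Same instance with the weak setting, for comparison.
PUBLIC_DB_INSTANCE = {**DB_INSTANCE, "PubliclyAccessible": True}

# Constructed sample shaped like ec2.describe_security_groups()["SecurityGroups"],
# keyed by group id. Inbound MySQL only from a constructed SDDC logical network.
SECURITY_GROUPS: Dict[str, dict] = {
    "sg-0123456789abcdef0": {
        "GroupName": "Student06-RDS-Inbound",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "192.168.1.0/24", "Description": "SDDC logical network"}]},
        ],
        # Outbound: all traffic, as the lab observes on the Outbound tab.
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    }
}

# The weak variant: MySQL open to the world as well as to the SDDC network.
SECURITY_GROUPS_OPEN: Dict[str, dict] = {
    "sg-0123456789abcdef0": {
        "GroupName": "Student06-RDS-Inbound",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "192.168.1.0/24"}, {"CidrIp": "0.0.0.0/0"}]},
        ],
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    }
}


def audit_rds(db: dict, groups: Dict[str, dict], allowed_sources: List[str]) -> List[str]:
    """Return findings; an empty list means the instance matches the intended posture:
    not publicly accessible, and its port reachable only from allowed_sources."""
    findings: List[str] = []
    if db.get("PubliclyAccessible"):
        findings.append("instance is publicly accessible")
    port = db["Endpoint"]["Port"]
    allowed = [ip_network(c) for c in allowed_sources]
    for ref in db["VpcSecurityGroups"]:
        sg = groups[ref["VpcSecurityGroupId"]]
        for perm in sg["IpPermissions"]:
            proto = perm["IpProtocol"]
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            # "-1" is the all-protocols rule and carries no port range.
            covers_db_port = proto == "-1" or (proto == "tcp" and lo <= port <= hi)
            if not covers_db_port:
                continue
            for rng in perm.get("IpRanges", []):
                net = ip_network(rng["CidrIp"])
                if not any(net.subnet_of(a) for a in allowed):
                    findings.append(f"{sg['GroupName']}: {rng['CidrIp']} may reach port {port}")
    return findings


if __name__ == "__main__":
    sddc_networks = ["192.168.0.0/16"]   # assumption: the SDDC's logical network range
    print("intended:", audit_rds(DB_INSTANCE, SECURITY_GROUPS, sddc_networks))
    print("open SG: ", audit_rds(DB_INSTANCE, SECURITY_GROUPS_OPEN, sddc_networks))
    print("public:  ", audit_rds(PUBLIC_DB_INSTANCE, SECURITY_GROUPS, sddc_networks))
```

Against a live account the same function would be fed the results of the two boto3 describe calls; the check is intentionally limited to CIDR sources, so a group that references another security group as its source would need an additional branch.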
Elastic Network Interface (ENI)
AWS Relational Database Service (RDS) also creates its own Elastic Network Interface (ENI) for access, which is separate from the ENI created by VMware Cloud on AWS.
- Click on Services to go back to the Main Console
- Click on EC2
ENI (Continued)
- In the EC2 Dashboard click Network Interfaces in the left panel
- All student environments belong to the same AWS account, so hundreds of ENIs may exist. To narrow the view, type RDS in the search area and press Enter to add a filter
Highlight your Student##-RDS-Inbound security group corresponding to your student number, based on the second octet of the CIDR block in the last column.
In this example the CIDR block is 172.6.8.187, which corresponds to student 6.
Make note of the Primary private IPv4 IP address for the next step
Photo App
- On your smartphone, tablet or personal computer, open a browser and type the public IP address you requested in the VMware Cloud on AWS portal in the address bar, followed by /Lychee (case sensitive), e.g. 1.2.3.4/Lychee
Enter the database connection information below (case sensitive), using the IP address you noted in the previous step from the RDS ENI:
- Database Host: x.x.x.x:3306
- Database Username: student# (where # is the number assigned to you)
- Database Password: VMware1!
Click Connect
Enter Login Information
- Type student# (where # is the number assigned to you) for user name and VMware1! for password.
- Click Sign In
Photo Albums
Congratulations, you have successfully logged in to the photo app!
OPTIONAL: Feel free to take a picture of the room with your smart phone and upload it to the Public folder.
In summary, the front end (web server) is running in VMware Cloud on AWS as a VM, and the back end, a MySQL database, is running in AWS Relational Database Service (RDS); the two communicate through the Elastic Network Interface (ENI) that is established when the SDDC is created.
You have completed the AWS Integration Lab.