
VMware Explore 2022 and The Latest Networking and Security for VMware Cloud on AWS

VMware Explore 2022 is in the books! You can still catch up on the major announcements and recordings from the VMware Explore Video Library. View the customer success stories for Advanced Networking and Security for VMware Cloud on AWS (NETB2287US) and Secure your vSphere workloads in VMware Cloud (SECB2377US).

The key announcements from the NSX team for VMware Cloud on AWS were around Networking and Security capabilities being delivered in SDDC version 1.20.

VMware Cloud on AWS SDDC version 1.20 is now available, and it is packed with more Networking and Security features. For most customers, 1.20 is the next essential release after 1.18, combining the optional 1.19 and 1.20 into a single SDDC upgrade.

In this latest release, we added:

  1. Advanced Routing: Route Filtering for CGW segments communicating over Transit Connect/ Direct Connect/ Connected VPC.

This feature allows customers to filter their default CGW routes from advertisement for external communication. Since SDDC Version 1.18, customers have the capability to advertise aggregated route prefixes over Transit Connect/ Direct Connect/ Connected VPC.

Customers can configure route filtering on Transit Connect/ Direct Connect (Intranet endpoint) or Connected VPC (Services endpoint) separately. Together these features enable customers to optimize their route advertisements and scale their networks beyond some limits imposed by AWS. For a deeper look into advanced routing, please refer to this Techzone article.

Figure 1 Route Filtering for the CGW

  2. Transit Connect: Shared Prefix Lists for SDDC Groups to customer AWS accounts.

This simplifies configuration for customers with Transit Connect external attachments to AWS Transit Gateway and VPCs. Customers can now create a prefix list populated with SDDC Group routes per region, and share it with their AWS accounts. This enables SDDC route changes to be automatically updated on attached TGW/ VPC Route Tables/ Security Groups, ensuring smoother communication across the customers’ VMware Cloud on AWS environment and AWS VPC. This feature is immediately available to all VMware Cloud on AWS SDDCs. For a deep dive, please take a look at Techzone.

Figure 2 SDDC Groups Shared Prefix List to AWS
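As an added example (not from this post or from VMware's documentation), the Terraform fragment below shows how a customer AWS account consumes the shared SDDC Group prefix list so that its route table entry and security group rule track SDDC route changes without further edits. The RAM share ARN, prefix list ID, route table, Transit Gateway and security group IDs are placeholders, and the explicit share acceptance assumes the accounts are not in one AWS Organization with RAM sharing enabled.

```hcl
# Added example, not VMware's code. All IDs/ARNs are placeholders.

# 1. Accept the AWS RAM share through which the SDDC Group prefix list is
#    offered to this account (skip if your Organization auto-accepts shares).
resource "aws_ram_resource_share_accepter" "sddc_group_prefixes" {
  share_arn = "arn:aws:ram:us-west-2:111111111111:resource-share/PLACEHOLDER"
}

# 2. Reference the shared managed prefix list by its ID (placeholder).
data "aws_ec2_managed_prefix_list" "sddc_group" {
  id         = "pl-PLACEHOLDER"
  depends_on = [aws_ram_resource_share_accepter.sddc_group_prefixes]
}

# 3. Route traffic for every SDDC Group prefix to the Transit Gateway.
#    Because the destination is the prefix list rather than a fixed CIDR,
#    new or removed SDDC routes take effect without touching this resource.
resource "aws_route" "to_sddc_group" {
  route_table_id             = "rtb-PLACEHOLDER"
  destination_prefix_list_id = data.aws_ec2_managed_prefix_list.sddc_group.id
  transit_gateway_id         = "tgw-PLACEHOLDER"
}

# 4. Least-privilege ingress: allow only HTTPS from SDDC prefixes into the
#    VPC workload security group. The rule scope follows the prefix list,
#    so it never drifts from what the SDDC actually advertises.
resource "aws_vpc_security_group_ingress_rule" "https_from_sddc" {
  security_group_id = "sg-PLACEHOLDER"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_id    = data.aws_ec2_managed_prefix_list.sddc_group.id
  description       = "HTTPS from VMware Cloud on AWS SDDC Group prefixes"
}
```

After `terraform apply`, a change to the SDDC Group routes updates the prefix list entries on the VMware side, and both the route and the security group rule pick it up on the next AWS evaluation without a plan/apply cycle.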

VMware Cloud on AWS SDDC version 1.19 introduced NSX 4.0.

In this release we added significant new capabilities to the NSX Advanced Firewall:

  1. The NSX Distributed IDS/IPS signature set incorporates a refreshed ruleset curated by VMware. The ruleset combines Trustwave signatures with VMware-developed signatures optimized to minimize false positives on NSX IDS/IPS.
  2. We have added 700+ new Application IDs for common enterprise application protocols to the Layer 7 Distributed Firewall.
  3. The NSX Identity Firewall now supports selective sync with Active Directory (AD). Customers can now choose to sync specific Organizational Units (OUs) rather than the entire AD database and thus avoid running into AD sync limits.

Figure 3 VMware Curated Signatures for the NSX Distributed IDS/ IPS

The VMware VPN Crypto Module 2.0 ships with VMware Cloud on AWS 1.19 and above. This version, which is available for VMware NSX 3.2 and higher versions, is validated to the FIPS 140-2 standard and is listed on the NIST CMVP.

Live Traffic Analysis

In 1.16, VMware Cloud on AWS introduced NSX Traceflow, a tool for network visibility and self-service troubleshooting. Traceflow empowers customers to view the path of traffic from source to destination in the SDDC by creating a synthetic packet.

To complement this tool, we have introduced Live Traffic Analysis (LTA), a self-service tool to monitor traffic from source to destination in the SDDC. LTA enables packet capture, which can help with debugging traffic issues.

Figure 4 NSX Live Traffic Analysis for Troubleshooting

IPv6 Early Access

At VMware Explore, we also announced Early Access for IPv6 for VMware Cloud on AWS workloads. Customers can begin validating IPv6-addressed workloads inside the SDDC on version 1.20. To do this, customers can start by creating additional Tier-1 Gateways with dual-stack IPv4/IPv6 enabled. NSX provides distributed routing for IPv6 inside the SDDC, enabling IPv6 VM-to-VM communication on the same or different subnets in the SDDC.

Figure 5 IPv6 inside the SDDC

The Early Access program gives select customers an opportunity to beta test new features during development, prior to general release. To participate, please reach out to your account team.

NSX Manager UI

Finally, a reminder to our users to take advantage of the NSX Manager UI for these features. The NSX Manager UI, which has been available since version 1.16, provides a streamlined user interface with an expanded feature set. Users can access this UI directly from their on-prem environments (over Direct Connect/ Transit Connect) or over the Internet. This is particularly helpful for users in different geographies, who can avoid long round-trip times by connecting directly. New features are available only in the NSX Manager UI.

Please note: The current VMware Cloud Networking & Security tab view is slated to be deprecated in one year.

VMware Explore Europe

VMware Explore Europe is around the corner: November 7-10, 2022 in Barcelona. We are looking forward to meeting our EMEA customers in person. And we will present the latest on Networking and Security for VMware Cloud at the Secure Your vSphere Workloads in VMware Cloud (CEIB1446EUR) session on November 10, 2022.