VMware Cloud on AWS

Introducing VPC Peering for External Storage 

It’s been a year since External Storage for VMware Cloud on AWS was introduced. In that time, we’ve seen strong adoption as customers work to right-size their storage-bound SDDCs. While we continue to see strong demand, a common complaint has been the requirement to use SDDC Groups to connect an FSx for NetApp ONTAP Datastore. To resolve this tension and help further reduce costs for customers, we’re adding support for VPC Peering. 

What is VPC Peering? 

VPC Peering is an AWS technology that allows customers to route traffic directly between two Virtual Private Clouds (VPCs). While it is not the right fit for most traffic types within the SDDC, VPC Peering is the ideal solution to connect external storage to any Single-AZ SDDC, because the two VPCs exchange traffic directly without traversing a routed hop such as Transit Gateway. Since the NFS Datastore connection bypasses Transit Connect and runs only between the ESXi hosts and the NFS storage, this direct path is exactly what our customers have been asking for.

How does it work? 

To configure a VPC Peering connection, customers contact their VMware Customer Success or Account representative and ask VMware to initiate a VPC Peering request. Once the customer has accepted the request and the peering connection exists, the customer informs VMware, and VMware programs the SDDC to route NFS traffic over the new peered VPC. The customer must also configure a corresponding return route in their own VPC that points the SDDC CIDR at the VPC Peering connection. Once routes have been programmed on both sides, NFS traffic automatically prefers the VPC Peering connection.

What is required?  

To configure a VPC Peering connection, the SDDC must be running SDDC v1.20 or newer and must be a Single-AZ SDDC. The CIDR of the VPC peered with the SDDC must not overlap the existing SDDC CIDR, and the VPC must be in the same Region as the SDDC.

What can I use this connection for?  

VPC Peering is being introduced exclusively for the use of NFS Datastore traffic. Any other traffic has been explicitly blocked and is not supported.   

Does VPC peering expose my SDDC? 

Peering is configured between the peered VPC and the SDDC, but traffic is restricted to the management subnet, and only NFS traffic is allowed. Traffic between the SDDC and the storage service will use instance-to-instance encryption when available on the instance.   
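The checks above (Single-AZ SDDC, v1.20 or newer, same Region, non-overlapping CIDRs), the customer-side return route, and the NFS-only restriction can be captured in a small pre-flight script. This is an added example, not VMware's or AWS's own tooling; the input dictionaries, the `pcx-EXAMPLE` peering id and the CIDRs are constructed sample values, and the route and ingress dictionaries only mirror the shape of the EC2 `create-route` and `IpPermissions` parameters.

```python
import ipaddress

MIN_SDDC_VERSION = (1, 20)  # "SDDC v1.20 or newer", per the post
NFS_PORT = 2049             # NFS datastore traffic is the only traffic the peering carries


def parse_version(version):
    """'1.20' -> (1, 20): compare numerically so '1.9' does not sort above '1.20'."""
    return tuple(int(part) for part in version.split("."))


def preflight(sddc, vpc):
    """Check a proposed SDDC/VPC pairing against the post's requirements.
    Returns (errors, warnings); an empty error list means the request can proceed."""
    errors, warnings = [], []
    if parse_version(sddc["version"]) < MIN_SDDC_VERSION:
        errors.append("SDDC must be running v1.20 or newer")
    if sddc["multi_az"]:
        errors.append("VPC Peering is only supported on Single-AZ SDDCs")
    if sddc["region"] != vpc["region"]:
        errors.append("peered VPC must be in the same Region as the SDDC")
    sddc_net = ipaddress.ip_network(sddc["cidr"], strict=False)
    vpc_net = ipaddress.ip_network(vpc["cidr"], strict=False)
    if sddc_net.overlaps(vpc_net):
        errors.append(f"peered VPC {vpc_net} overlaps the SDDC CIDR {sddc_net}")
    if sddc["az"] != vpc["az"]:  # allowed, but the post notes cross-AZ transfer charges
        warnings.append("storage is in a different AZ: cross-AZ data transfer charges apply")
    return errors, warnings


def return_route(sddc_cidr, peering_id):
    """Customer-side return route: SDDC CIDR -> peering connection (create-route shape)."""
    return {"DestinationCidrBlock": sddc_cidr, "VpcPeeringConnectionId": peering_id}


def nfs_only_ingress(sddc_mgmt_cidr, ports=(NFS_PORT,)):
    """Storage-side security-group ingress: listed TCP ports from the SDDC management
    subnet only (IpPermissions shape). Add the RPC helper ports from the FSx for ONTAP
    documentation via 'ports' if the datastore uses NFSv3 (assumption, not from the post)."""
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "IpRanges": [{"CidrIp": sddc_mgmt_cidr}]} for p in ports]


if __name__ == "__main__":
    # Constructed sample inputs, not real deployment values.
    sddc = {"version": "1.22", "region": "us-west-2", "az": "us-west-2a",
            "multi_az": False, "cidr": "10.2.0.0/16"}
    storage_vpc = {"region": "us-west-2", "az": "us-west-2a", "cidr": "10.50.0.0/16"}
    errors, warnings = preflight(sddc, storage_vpc)
    print("errors:", errors, "warnings:", warnings)
    if not errors:
        print(return_route(sddc["cidr"], "pcx-EXAMPLE"))
        print(nfs_only_ingress("10.2.0.0/24"))  # assumed management subnet inside the SDDC CIDR
```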

What kind of performance can I expect over a peered connection? 

VPC Peering creates a line-rate connection between VPCs. This allows direct ENI-to-ENI communication with sub-millisecond latency between the peered VPCs.

What is the cost of VPC Peering? 

As long as the storage is deployed in the same AZ as the SDDC, there are no charges associated with VPC Peering. Cross-AZ data transfer charges apply if the storage is deployed in a different AZ.  

Can I use VPC peering with VMware Cloud Flex Storage? 

VMware Cloud Flex Storage already uses an ENI connection into the SDDC. VPC Peering is not needed in this use case. However, you can configure VPC Peering on an SDDC using VMware Cloud Flex Storage. 

Can I migrate from SDDC Groups to VPC Peering?  

An in-place migration can be performed to transition from SDDC Groups to VPC Peering without tearing down the datastore connection.  

Can I use VPC Peering with a Multi-AZ FSx for NetApp filesystem?  

No, Multi-AZ FSx for NetApp deployments require Transit Gateway and must continue to use SDDC Groups to connect to the SDDC.  

I have a Stretched Cluster deployment. Can I deploy an NFS datastore across multiple AZs and use VPC Peering?

No, External Datastores are not supported on Stretched Clusters. Amazon FSx for NetApp ONTAP does support Multi-AZ deployments, but they are not supported with a Stretched SDDC. Support for External Datastores on Stretched Clusters is targeted for a future date.

Summary 

With the release of VPC Peering support later this year, customers can take full advantage of FSx for NetApp ONTAP without incurring the additional cost of Transit Gateway data processing fees. This will allow customers to reduce costs further and increase capabilities when operating within VMware Cloud on AWS.