Creating SDDC in VMware Cloud on AWS

Deploying an SDDC to host your workloads in the cloud provides a simple Control Plane for IT.  You can manage, govern and secure applications running in private and public clouds. VMware Cloud on AWS centralizes management, provides comprehensive visibility to your SDDC, and enterprise-class security.

When you deploy an SDDC on VMware Cloud on AWS, it is created within an AWS VPC dedicated to your organization. VMware creates and manages this VPC, and you have no direct access to it.

Deploying a Software-Defined Data Center (SDDC) is the first step in making use of the VMware Cloud on AWS service. After you deploy the SDDC, you can view information about it and perform management tasks.

When you deploy an SDDC on VMware Cloud on AWS, it is created within an AWS account and VPC dedicated to your organization and managed by VMware. You must also connect the SDDC to an AWS account belonging to you, referred to as the customer AWS account. This connection allows your SDDC to access AWS services belonging to your customer account.


Once you click CREATE SDDC, you would be asked to enter the AWS region where you want to create your SDDC , provide a name for your SDDC and number of hosts you want to deploy.

The next step is to enter the network details like CIDR range for your management network. The address may denote a single, distinct interface address or the beginning address of an entire network. The maximum size of the network is given by the number of addresses that are possible with the remaining, least-significant bits below the prefix. The aggregation of these bits is often called the host identifier.



Few things to remember for entering CIDR Block :

  • You can’t change the values specified for the management network after the SDDC has been created.
  • If you plan to connect your SDDC to an on-premises data center, the IP addresses you choose must be different from the ones in your on-premises data center, to avoid IP address conflict.
  • The maximum number of hosts your SDDC can contain depends on the size of the CIDR block you specify. In order to accommodate more than four hosts, you must specify a /16 or /20 CIDR block.

One the details are entered, click DEPLOY SDDC and within few minutes the SDDC is ready for you showing number of hosts, CPU, Memory and strorage.


  1. Summary – this is the default management page for your SDDC.  View CPU, Memory and Storage metrics, Network configuration, Connection Info and Support as well as Actions that control your SDDC.  You can also directly open your vCenters from your VMware Cloud on AWS console for ease of management, VM Migrations, Content migration and much more!
  2. Network – Provides a full diagram of the Management and Compute Gateways.  This is where you can view which VPNs are configured and Firewall Rules.  We will cover this in more detail later.
  3. Connection Info – gives you access to your vSphere Web Client, vCenter Server, vCenter Server API and reviews your Authentication information.
  4. Support – you can contact Support with your SDDC ID, Org ID, vCenter Private and Public IPs and the date of your SDDC Deployment.
  5. Actions Menu – This will contain any actions available for your SDDC including deletion of the environment.
  6. Open vCenter – you can directly access your Private SDDC through this option.  Before you can login to your vCenter, you must open network access to vCenter through the management gateway. Choose an option for opening network access by creating a Firewall Rule and setting up your VPN access.

Switching to the dark theme now !!!

The next steps is to configure your network details for your management network. By default, the firewall for the management gateway is set to deny all inbound and outbound traffic. You may add additional firewall rules to allow traffic as needed. So here we are creating FW rules to allow vCenter access throught the port 443.


Creating a management VPN allows you to securely access the vCenter Server system and Content Library deployed in your SDDC. Configure an IPsec VPN between your on-premises data center and cloud SDDC to allow easier and more secure communication. You don’t have to set up a VPN connection, but transferring virtual machine templates and disk images into your SDDC in the cloud is easier and more secure if the connectivity is complete.

So the next step is to configure a VPN to your on-premises cloud and here are the simple steps you need to following :

Configuring a management VPN requires the following steps:

  • An on-premises router or firewall capable of terminating an IPsec VPN, such as Cisco ISR, Cisco ASA, CheckPoint Firewall, Juniper SRX, NSX Edge, or any other device capable of IPsec tunneling.
  • The router or firewall should be configured with cryptography settings as described in Recommended Cryptography Settings in the VMware Cloud on AWS documentation.

If your on-premises gateway is behind another firewall, allow IPsec VPN traffic to pass through the firewall to reach your device by doing the following:

  • Open UDP port 500 to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through the firewall.
  • Set UDP port 4500 for Internet Key Exchange (IKE) (required only if NAT is used) to the list of firewall ports
  • Set IP protocol ID 50 to allow IPsec Encapsulating Security Protocol (ESP) traffic to be forwarded through the firewall.
  • Set IP protocol ID 51 to allow Authentication Header (AH) traffic to be forwarded through the firewall.


When the VPN tunnel is configured in the private cloud, you should be able to verify connectivity in both the VMware Cloud on AWS Console and by accessing the vCenter Server deployed in your environment with a Web browser. After you have saved the configuration, the VPN should now show as connected in the console diagram and the VPN settings.

The below steps would now connect to the on-premises by adding DNS from your SDDC . In the image below, I did not have a connection maintained hence you see a yellow warning , else it would be green,

In my next blog I will be writing how to setup a compute network in SDDC and what will happen once you have a VM deployed in your SDDC.


You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *