{"id":174,"date":"2026-04-13T02:09:01","date_gmt":"2026-04-13T02:09:01","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/aws-vmware-cloud-on-aws-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-compute\/"},"modified":"2026-04-13T02:09:01","modified_gmt":"2026-04-13T02:09:01","slug":"aws-vmware-cloud-on-aws-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-compute","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/aws-vmware-cloud-on-aws-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-compute\/","title":{"rendered":"AWS VMware Cloud on AWS Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Compute"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Compute<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What this service is<\/h3>\n\n\n\n<p>VMware Cloud on AWS is a jointly delivered, managed VMware Software-Defined Data Center (SDDC) service that runs VMware\u2019s enterprise virtualization stack on dedicated AWS infrastructure. It lets you run vSphere-based workloads on AWS with familiar VMware tools while gaining proximity to native AWS services.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">One-paragraph simple explanation<\/h3>\n\n\n\n<p>If you already run VMware on-premises and want to move or extend those workloads into AWS without rewriting them, VMware Cloud on AWS provides a managed VMware environment (vSphere, vSAN, and NSX) hosted on AWS. 
You can lift-and-shift many virtual machines (VMs), keep operational processes similar to what your team already knows, and connect the environment to AWS networking and services.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">One-paragraph technical explanation<\/h3>\n\n\n\n<p>Technically, VMware Cloud on AWS provisions a dedicated VMware SDDC (vCenter Server, ESXi hosts, vSAN storage, NSX networking\/security) on AWS bare-metal infrastructure and manages much of the underlying lifecycle (hardware operations and core SDDC management plane). You administer workloads using VMware tooling (vSphere Client, NSX policies, VMware HCX for migrations), while integrating with AWS constructs such as VPC networking (via connected VPC\/ENI-based connectivity), IAM for account linking, and optional consumption of AWS services in the same region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What problem it solves<\/h3>\n\n\n\n<p>VMware Cloud on AWS solves the \u201cVMware-to-cloud\u201d problem: how to migrate or burst VMware workloads to AWS quickly while minimizing refactoring, preserving VMware operational models, and enabling hybrid architectures (on-prem + cloud) with controlled networking, security, and governance.<\/p>\n\n\n\n<blockquote>\n<p>Service name note: The official service name is <strong>VMware Cloud on AWS<\/strong>. VMware and AWS occasionally update console experiences and feature names; verify the latest UI labels and requirements in official documentation.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
What is VMware Cloud on AWS?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>VMware Cloud on AWS is designed to run VMware\u2019s SDDC stack on AWS infrastructure as a managed service, enabling:\n&#8211; Migration and modernization paths for VMware workloads\n&#8211; Hybrid cloud operation (on-premises VMware + cloud VMware)\n&#8211; Disaster recovery and elastic capacity on AWS\n&#8211; Data-center extension into AWS with VMware-grade networking and security controls<\/p>\n\n\n\n<p>Official AWS product page: https:\/\/aws.amazon.com\/vmware\/<br\/>\nOfficial VMware documentation landing page (verify latest): https:\/\/docs.vmware.com\/en\/VMware-Cloud-on-AWS\/<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Run vSphere workloads on AWS<\/strong> without converting VMs to cloud-native instances.<\/li>\n<li><strong>Managed SDDC<\/strong> operations for core components while you manage guest OS and applications.<\/li>\n<li><strong>VMware networking and security (NSX)<\/strong> for microsegmentation, routing, and firewalling.<\/li>\n<li><strong>vSAN-backed storage<\/strong> for VM datastores with policy-based management.<\/li>\n<li><strong>Hybrid migration tooling (VMware HCX)<\/strong> for bulk migration and network extension (availability depends on edition\/entitlements\u2014verify).<\/li>\n<li><strong>Connectivity to AWS<\/strong> for adjacent consumption of AWS services and networking integration.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components<\/h3>\n\n\n\n<p>While exact packaging can vary by offering\/subscription, the typical VMware Cloud on AWS SDDC includes:\n&#8211; <strong>vCenter Server<\/strong> (management plane for vSphere)\n&#8211; <strong>ESXi hosts<\/strong> on dedicated AWS bare-metal infrastructure\n&#8211; <strong>vSAN datastore<\/strong> for shared storage\n&#8211; <strong>NSX<\/strong> (commonly NSX-T-based architecture) for 
logical networking and distributed firewalling\n&#8211; <strong>NSX Edge<\/strong> services for north-south routing, NAT, VPN, and gateways (exact features depend on configuration)\n&#8211; <strong>VMware Cloud Console<\/strong> for org\/subscription\/SDDC lifecycle, account linking, and operational views<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed service<\/strong> jointly delivered by VMware and AWS.<\/li>\n<li>You typically consume it via a <strong>VMware Cloud organization<\/strong> with SDDCs deployed into an AWS region.<\/li>\n<li>Underlying physical infrastructure is dedicated to your SDDC cluster(s), but the management and provisioning are handled through VMware\u2019s service.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope: regional \/ account-scoped \/ subscription-scoped<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Regional<\/strong>: SDDCs are deployed into a specific <strong>AWS region<\/strong>. Many integrations (latency-sensitive connectivity, access to AWS services, and connected VPC patterns) are region-aligned.<\/li>\n<li><strong>Subscription\/Organization scoped<\/strong>: Access and administration are organized under a <strong>VMware Cloud Organization<\/strong> (org) with roles and permissions.<\/li>\n<li><strong>AWS account integration<\/strong>: You can link one or more <strong>AWS accounts<\/strong> to enable connectivity and some integrations (the service uses a cross-account IAM role you create in your AWS account; details are guided by the console).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the AWS ecosystem (Compute context)<\/h3>\n\n\n\n<p>From an AWS \u201cCompute\u201d perspective, VMware Cloud on AWS is an alternative compute substrate: instead of running workloads on EC2 instances directly, you run them as VMware VMs on ESXi hosts deployed on AWS bare metal. 
You still use AWS networking, security, and services around it:\n&#8211; <strong>VPC connectivity<\/strong> to integrate with AWS-native applications\/services\n&#8211; <strong>Direct Connect \/ VPN<\/strong> patterns for hybrid connectivity (verify current supported options and architectures)\n&#8211; <strong>CloudWatch and AWS-native observability<\/strong> for the AWS side (VPC Flow Logs, Transit Gateway metrics, etc.)\n&#8211; <strong>AWS services consumption<\/strong> (S3, RDS, DynamoDB, etc.) by applications running inside VMware VMs, usually within the same region to minimize latency and data transfer complexity<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use VMware Cloud on AWS?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster cloud adoption for VMware estates<\/strong>: Move workloads without rewriting.<\/li>\n<li><strong>Data center exit<\/strong>: Replace colocation\/on-prem refresh cycles with a managed cloud SDDC.<\/li>\n<li><strong>M&amp;A \/ divestitures<\/strong>: Rapidly consolidate or separate VMware environments with predictable operational tooling.<\/li>\n<li><strong>Time-to-value<\/strong>: Provision capacity faster than procuring physical hardware.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VM compatibility<\/strong>: Runs common VMware workloads with minimal conversion.<\/li>\n<li><strong>Hybrid architectures<\/strong>: Extend existing vSphere operational patterns to AWS.<\/li>\n<li><strong>Network control<\/strong>: NSX-based segmentation and gateway controls help enforce policies similar to on-prem SDDCs.<\/li>\n<li><strong>Low-latency adjacency to AWS services<\/strong>: Apps in VMs can call AWS services over private routing patterns (depending on connectivity configuration).<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Familiar tooling<\/strong>: vSphere Client, VMware operational processes, and skills remain relevant.<\/li>\n<li><strong>Managed infrastructure layer<\/strong>: Hardware lifecycle, host provisioning workflow, and core platform availability are handled by the provider (exact division of responsibilities varies\u2014verify your shared responsibility model in official docs).<\/li>\n<li><strong>Standardization<\/strong>: Central org-based governance across multiple SDDCs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Segmentation and microsegmentation<\/strong> via NSX policies.<\/li>\n<li><strong>Strong boundary controls<\/strong> between management components and workload networks (management gateway vs compute\/workload gateway concepts).<\/li>\n<li><strong>Auditability<\/strong>: Combine VMware logs\/events with AWS-native audit trails (e.g., CloudTrail for AWS account actions).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Add capacity by scaling hosts\/clusters<\/strong>: Expand compute and storage by adding hosts and\/or additional clusters (subject to minimums and host type availability).<\/li>\n<li><strong>Performance predictability<\/strong>: Dedicated bare metal hosts avoid noisy-neighbor issues typical of shared virtualization.<\/li>\n<li><strong>Burst and elasticity<\/strong>: Some offerings support automation\/elastic scaling features (verify current capabilities such as Elastic DRS availability and prerequisites).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Choose VMware Cloud on AWS when:\n&#8211; You have a <strong>large VMware estate<\/strong> and want AWS benefits without immediate refactoring.\n&#8211; You need 
<strong>hybrid connectivity<\/strong> and consistent operational tooling.\n&#8211; You need <strong>disaster recovery<\/strong> or <strong>temporary capacity<\/strong> (seasonal peaks, migrations, DC exit).\n&#8211; You need to run software that is <strong>tightly coupled to vSphere<\/strong> (appliance-based tools, legacy OS, complex networking).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">When they should not choose it<\/h3>\n\n\n\n<p>Consider alternatives when:\n&#8211; You are building <strong>net-new cloud-native<\/strong> applications that fit well on EC2\/EKS\/Lambda.\n&#8211; Your main goal is <strong>minimum cost<\/strong> for generic compute; VMware Cloud on AWS is typically premium-priced due to dedicated hosts and managed SDDC components.\n&#8211; You need <strong>fine-grained control<\/strong> of the hypervisor or physical layer (you don\u2019t get that in a managed service).\n&#8211; You can\u2019t meet <strong>network\/addressing requirements<\/strong> (e.g., non-overlapping CIDRs) or operational prerequisites.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is VMware Cloud on AWS used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<p>Commonly adopted in:\n&#8211; Financial services (regulated workloads, strong segmentation needs)\n&#8211; Healthcare (legacy apps, compliance, migration timelines)\n&#8211; Retail (seasonal scaling, distributed operations)\n&#8211; Manufacturing (OT\/IT integration, legacy Windows stacks)\n&#8211; SaaS and enterprise software companies (support matrices that prefer VMware, partner ecosystems)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Infrastructure\/platform engineering teams running vSphere<\/li>\n<li>Cloud Center of Excellence (CCoE) managing migration waves<\/li>\n<li>SRE\/operations teams needing reliable patterns and observability<\/li>\n<li>Security teams enforcing segmentation and policy controls<\/li>\n<li>DevOps teams modernizing CI\/CD while keeping legacy runtime stable<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enterprise Windows and Linux VMs<\/li>\n<li>Commercial off-the-shelf (COTS) apps validated on VMware<\/li>\n<li>Multi-tier apps where a quick replatform is needed<\/li>\n<li>VDI or specialized workloads (availability and fit depend on sizing and licensing\u2014verify)<\/li>\n<li>DR targets for on-prem VMware environments<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hybrid hub-and-spoke: on-prem SDDC connected to VMware Cloud on AWS SDDC<\/li>\n<li>Migration staging: move apps in phases and modernize later<\/li>\n<li>Split-stack: app servers in VMware Cloud on AWS, data services in AWS managed databases<\/li>\n<li>Active\/standby DR: on-prem active, cloud standby with periodic replication<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production<\/strong>: 
steady-state workloads with compliance controls, HA patterns, and operational SLAs<\/li>\n<li><strong>Dev\/Test<\/strong>: ephemeral SDDCs (where supported) or small clusters for integration testing and pre-production staging<\/li>\n<li><strong>Migration factories<\/strong>: temporary capacity used heavily during a migration program, then scaled down<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where VMware Cloud on AWS is commonly chosen. For each, the \u201cwhy it fits\u201d is about reducing time\/risk compared to refactoring.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Lift-and-shift data center workloads to AWS<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: On-prem hardware refresh or colocation exit deadline.<\/li>\n<li><strong>Why this service fits<\/strong>: Move VMs with minimal changes; maintain vSphere operations.<\/li>\n<li><strong>Example<\/strong>: A company migrates 500 Windows Server VMs to VMware Cloud on AWS to meet a lease expiration, then modernizes app-by-app.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Disaster recovery (DR) for on-prem VMware<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Secondary data center is costly and underutilized.<\/li>\n<li><strong>Why this service fits<\/strong>: Cloud SDDC can serve as DR target with VMware tooling\/ecosystem.<\/li>\n<li><strong>Example<\/strong>: Critical apps replicate to VMware Cloud on AWS; failover drills are executed quarterly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Data center extension for low-latency AWS service consumption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Apps must remain on VMware, but need AWS-native services.<\/li>\n<li><strong>Why this service fits<\/strong>: Keep compute on VMware; integrate with AWS services 
in-region.<\/li>\n<li><strong>Example<\/strong>: A Java app stays as VMs but uses Amazon S3 for object storage and Amazon SQS for messaging.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) M&amp;A rapid consolidation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Two companies must merge IT quickly with minimal disruption.<\/li>\n<li><strong>Why this service fits<\/strong>: Creates a common VMware landing zone on AWS.<\/li>\n<li><strong>Example<\/strong>: Both firms migrate into a shared VMware Cloud on AWS org and connect networks via controlled gateways.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Temporary capacity during migration (\u201cmigration factory\u201d)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Need short-term capacity for parallel run and testing.<\/li>\n<li><strong>Why this service fits<\/strong>: Provision hosts\/clusters for the migration window; decommission later.<\/li>\n<li><strong>Example<\/strong>: A 6-month migration uses extra SDDC clusters for performance testing and rollback safety.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Running COTS appliances that require VMware<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Vendor only supports VMware deployments.<\/li>\n<li><strong>Why this service fits<\/strong>: Retain supported hypervisor while moving infrastructure to AWS.<\/li>\n<li><strong>Example<\/strong>: Security appliances and management tools validated on vSphere are deployed in VMware Cloud on AWS.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Consistent segmentation and security policy with NSX<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Need microsegmentation beyond typical cloud security groups.<\/li>\n<li><strong>Why this service fits<\/strong>: NSX distributed firewall and segmentation patterns apply at VM level.<\/li>\n<li><strong>Example<\/strong>: A PCI environment separates 
app tiers with microsegmentation and tight egress controls.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Legacy OS \/ application preservation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Older OS\/app versions are hard to replatform and need more time.<\/li>\n<li><strong>Why this service fits<\/strong>: Supports \u201ckeep it running\u201d while planning modernization.<\/li>\n<li><strong>Example<\/strong>: An ERP system on legacy Windows stays on VMware while the database tier is upgraded separately.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) High-performance predictable compute on dedicated hosts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Workloads need steady performance and isolation.<\/li>\n<li><strong>Why this service fits<\/strong>: Dedicated bare metal hosts reduce variability.<\/li>\n<li><strong>Example<\/strong>: Licensing or performance-sensitive workloads run with stable CPU\/memory characteristics.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Hybrid operations with centralized vCenter-based management<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Tooling and staff are VMware-centric; cloud skills ramp-up is in progress.<\/li>\n<li><strong>Why this service fits<\/strong>: Familiar management reduces operational change.<\/li>\n<li><strong>Example<\/strong>: The ops team uses vSphere alarms and runbooks while learning AWS over time.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Regional expansion without building a new data center<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Need workloads closer to a new geography quickly.<\/li>\n<li><strong>Why this service fits<\/strong>: Deploy SDDC in an AWS region and extend connectivity.<\/li>\n<li><strong>Example<\/strong>: A company expands into a new region and deploys customer-facing services there.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) 
Security boundary for regulated data with controlled AWS integration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Need strong segmentation controls and careful AWS service use.<\/li>\n<li><strong>Why this service fits<\/strong>: Combine NSX policies with AWS account governance.<\/li>\n<li><strong>Example<\/strong>: Sensitive workloads run inside SDDC segments; only specific AWS endpoints are allowed.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Feature availability can vary by region, host type, subscription, and release train. For any production design, verify in the latest official VMware Cloud on AWS documentation and release notes.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">1) Managed VMware SDDC on AWS bare metal<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Deploys a full VMware SDDC stack on dedicated AWS infrastructure.<\/li>\n<li><strong>Why it matters<\/strong>: You get VMware capabilities without operating the physical layer.<\/li>\n<li><strong>Practical benefit<\/strong>: Faster provisioning, less hardware ops burden.<\/li>\n<li><strong>Caveats<\/strong>: You don\u2019t manage underlying hardware; maintenance windows and provider-managed upgrades can affect operations (plan change management).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) vSphere \/ vCenter Server administration for workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Provides vCenter for VM lifecycle (create, clone, snapshot policies, resource pools, vMotion within the cluster, etc.).<\/li>\n<li><strong>Why it matters<\/strong>: Familiar admin plane for VMware teams.<\/li>\n<li><strong>Practical benefit<\/strong>: Reuse runbooks, monitoring patterns, and skills.<\/li>\n<li><strong>Caveats<\/strong>: Administrative access is controlled; some settings are 
provider-managed or restricted to protect the service.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) vSAN-based shared datastore with policy-based storage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Uses vSAN to provide shared storage for VMs, typically with storage policies.<\/li>\n<li><strong>Why it matters<\/strong>: Simplifies storage management and supports HA patterns.<\/li>\n<li><strong>Practical benefit<\/strong>: Scale storage with hosts and policies rather than external SAN management.<\/li>\n<li><strong>Caveats<\/strong>: Storage performance and capacity depend on host type and cluster sizing. Verify max datastore limits and available storage options.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) NSX networking and security (segments, gateways, firewalls)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Provides logical networking, routing, NAT, VPN options, and distributed firewall\/microsegmentation.<\/li>\n<li><strong>Why it matters<\/strong>: Enables strong segmentation and consistent controls across VM workloads.<\/li>\n<li><strong>Practical benefit<\/strong>: Microsegmentation for compliance and reduced blast radius.<\/li>\n<li><strong>Caveats<\/strong>: Requires networking expertise; misconfigurations can cause outages. 
Plan IP addressing carefully to avoid overlaps.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Management plane vs workload plane separation (gateway model)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Separates management components (vCenter, NSX managers) from workload networks with distinct gateways\/firewall policies.<\/li>\n<li><strong>Why it matters<\/strong>: Reduces risk of exposing management interfaces.<\/li>\n<li><strong>Practical benefit<\/strong>: More secure administrative access patterns.<\/li>\n<li><strong>Caveats<\/strong>: You must explicitly open needed management access (least privilege), and understand routing\/firewall boundaries.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Connected VPC integration (private connectivity into your AWS account)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Connects the SDDC to a VPC in your AWS account for private routing between EC2 and VMware workloads (implementation uses AWS networking constructs; the service guides setup).<\/li>\n<li><strong>Why it matters<\/strong>: Enables hybrid application patterns (VMs \u2194 AWS services\/instances).<\/li>\n<li><strong>Practical benefit<\/strong>: Private IP connectivity, lower latency than internet paths.<\/li>\n<li><strong>Caveats<\/strong>: Requires non-overlapping IP ranges and careful route table and security group planning.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) AWS account linking via IAM cross-account role<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Lets VMware Cloud on AWS assume a role in your AWS account to configure required connectivity components.<\/li>\n<li><strong>Why it matters<\/strong>: Enables automation and guided setup while keeping least-privilege in mind.<\/li>\n<li><strong>Practical benefit<\/strong>: Faster setup; repeatable connectivity workflows.<\/li>\n<li><strong>Caveats<\/strong>: Role trust and 
external ID must match what the console provides; don\u2019t \u201chand-craft\u201d policies without verifying the generated requirements.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Migration tooling (commonly VMware HCX)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Facilitates workload migration from on-prem VMware to cloud SDDC (bulk migration, live migration options, network extension depending on configuration).<\/li>\n<li><strong>Why it matters<\/strong>: Reduces migration downtime and complexity.<\/li>\n<li><strong>Practical benefit<\/strong>: Structured migration waves and rollback options.<\/li>\n<li><strong>Caveats<\/strong>: Licensing\/entitlements and supported versions vary. Verify supported source vSphere versions and network extension constraints.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Scaling by adding hosts\/clusters (and automation options)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Adds capacity by scaling hosts and deploying additional clusters; some environments support automated elasticity features (verify).<\/li>\n<li><strong>Why it matters<\/strong>: Aligns capacity with demand.<\/li>\n<li><strong>Practical benefit<\/strong>: Avoids overprovisioning.<\/li>\n<li><strong>Caveats<\/strong>: Minimum host counts, host type availability, and provisioning time can impact agility.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Operational visibility and integration points<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Exposes health, events, and logs through VMware interfaces; integrates with AWS-side telemetry for networking.<\/li>\n<li><strong>Why it matters<\/strong>: Day-2 operations require clear signals and audit trails.<\/li>\n<li><strong>Practical benefit<\/strong>: Faster troubleshooting across hybrid boundaries.<\/li>\n<li><strong>Caveats<\/strong>: Observability is split: VMware layers vs AWS layers. 
Ensure you cover both with runbooks.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Service architecture at a high level<\/h3>\n\n\n\n<p>A VMware Cloud on AWS deployment typically looks like:\n&#8211; A <strong>VMware Cloud Organization<\/strong> (identity, subscriptions, governance)\n&#8211; One or more <strong>SDDCs<\/strong>, each deployed into a chosen AWS region\n&#8211; Each SDDC contains:\n  &#8211; <strong>Management components<\/strong> (vCenter Server, NSX management components)\n  &#8211; A <strong>cluster<\/strong> of ESXi hosts on AWS bare-metal infrastructure\n  &#8211; <strong>vSAN datastore<\/strong>\n  &#8211; <strong>NSX logical networks<\/strong> (segments) and gateway\/firewall services<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Request \/ data \/ control flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane (admin actions)<\/strong>:<ul>\n<li>Admins authenticate to the <strong>VMware Cloud Console<\/strong> (org-level access).<\/li>\n<li>Admins access <strong>vCenter<\/strong> and NSX management UIs to manage VMs, networks, and policies.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Data plane (application traffic)<\/strong>:<ul>\n<li>Workload VMs communicate east-west within segments using NSX logical switching and distributed firewall policies.<\/li>\n<li>North-south traffic exits via NSX Edge\/gateway constructs, subject to gateway firewall\/NAT policies.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Hybrid connectivity<\/strong>: the SDDC can connect to:<ul>\n<li>Your <strong>AWS VPC<\/strong> (connected VPC pattern)<\/li>\n<li>On-prem networks via VPN\/Direct Connect patterns (verify supported architectures and requirements)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AWS VPC<\/strong>: private routing between VMs 
and EC2\/other resources.<\/li>\n<li><strong>AWS Transit Gateway<\/strong> (optional): hub-and-spoke connectivity across multiple VPCs (supported patterns vary\u2014verify).<\/li>\n<li><strong>AWS Direct Connect<\/strong> (optional): dedicated connectivity from on-prem to AWS and\/or to the SDDC depending on design.<\/li>\n<li><strong>AWS services<\/strong>: apps running in VMs can consume AWS managed services (S3, RDS, etc.) over private routing or endpoints, depending on your VPC design.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VMware Cloud services backend (org\/identity, provisioning systems)<\/li>\n<li>AWS region infrastructure (physical hosts, networking)<\/li>\n<li>Your AWS account constructs (VPC, subnets, routing, security groups) for integrations<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VMware Cloud Console<\/strong>: org-level identity and roles (SSO).<\/li>\n<li><strong>vCenter\/NSX<\/strong>: workload administration via accounts\/roles provided by the service (often a default admin user for vCenter is provided; naming and access flows can change\u2014verify in docs).<\/li>\n<li><strong>AWS IAM<\/strong>: cross-account role for AWS account linking and automation.<\/li>\n<li><strong>Network security<\/strong>: NSX distributed firewall, gateway firewalls, AWS security groups\/NACLs on the AWS side.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<p>Key concepts you will encounter:\n&#8211; <strong>Management network<\/strong>: hosts vCenter\/NSX management and requires tightly controlled access.\n&#8211; <strong>Workload networks (segments)<\/strong>: where your VMs live.\n&#8211; <strong>Gateways<\/strong>:\n  &#8211; A <strong>management gateway<\/strong> concept for managing access to management components.\n  &#8211; A <strong>compute\/workload 
gateway<\/strong> concept for workload ingress\/egress policies.\n&#8211; <strong>Connected VPC<\/strong>: connectivity into your AWS VPC for private routing between environments.\n&#8211; <strong>CIDR planning<\/strong>: avoid overlaps among on-prem, SDDC management, SDDC workload segments, and AWS VPCs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor at two layers:<ol>\n<li><strong>VMware layer<\/strong>: vCenter alarms, VM performance, vSAN health, NSX events.<\/li>\n<li><strong>AWS layer<\/strong>: VPC route tables, security groups, VPC Flow Logs, Direct Connect metrics, Transit Gateway metrics.<\/li>\n<\/ol>\n<\/li>\n<li>Governance:<ul>\n<li>Standardize naming for SDDCs, clusters, segments, firewall policies.<\/li>\n<li>Control who can create segments\/firewall rules; enforce change review.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (conceptual)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  Admin[Admin \/ Ops Team] --&gt;|SSO| VMC[VMware Cloud Console]\n  Admin --&gt;|vSphere Client| VC[vCenter Server]\n  subgraph AWS_Region[AWS Region]\n    subgraph SDDC[VMware Cloud on AWS SDDC]\n      VC\n      NSX[NSX Manager \/ Policies]\n      ESXi[ESXi Hosts]\n      vSAN[vSAN Datastore]\n      Seg[Workload Segments]\n      ESXi --&gt; vSAN\n      Seg --&gt; ESXi\n      NSX --&gt; Seg\n    end\n    VPC[Customer AWS VPC]\n    EC2[EC2 Instances]\n    VPC --&gt; EC2\n  end\n  SDDC &lt;--&gt;|&quot;Private connectivity (Connected VPC pattern)&quot;| VPC\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (hybrid + segmentation)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph OnPrem[On-Premises Data Center]\n    OPvC[vCenter \/ vSphere Cluster]\n    AppsOnPrem[VM Workloads]\n    OPvC --&gt; AppsOnPrem\n  end\n\n  subgraph AWS[AWS Region]\n    subgraph VMCSDDC[VMware Cloud on AWS SDDC]\n   
   Mgmt[&quot;Management Network (vCenter\/NSX Mgmt)&quot;]\n      CGW[&quot;Compute\/Workload Gateway (FW\/NAT\/Routing)&quot;]\n      SegA[Segment: App Tier]\n      SegB[Segment: DB Tier]\n      DFW[NSX Distributed Firewall]\n      Hosts[ESXi Hosts + vSAN]\n\n      Mgmt --- CGW\n      CGW --&gt; SegA\n      CGW --&gt; SegB\n      DFW --- SegA\n      DFW --- SegB\n      SegA --&gt; Hosts\n      SegB --&gt; Hosts\n    end\n\n    subgraph CustVPC[Customer AWS VPC]\n      TGW[&quot;Transit Gateway (optional)&quot;]\n      AppVPC[Shared Services VPC]\n      EC2Bastion[EC2 Bastion \/ Tools]\n      VPCEndpoints[&quot;VPC Endpoints (optional)&quot;]\n      AppVPC --&gt; EC2Bastion\n      AppVPC --&gt; VPCEndpoints\n      TGW --- AppVPC\n    end\n  end\n\n  OnPrem &lt;--&gt;|&quot;DX\/VPN (verify supported patterns)&quot;| TGW\n  CustVPC &lt;--&gt;|Connected VPC private routing| CGW\n  AppsOnPrem --&gt;|&quot;HCX \/ Migration (verify)&quot;| VMCSDDC\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account\/subscription\/tenancy requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VMware Cloud Organization<\/strong> with entitlement\/subscription for <strong>VMware Cloud on AWS<\/strong>.<\/li>\n<li>Ability to create an <strong>SDDC<\/strong> in your chosen AWS region.<\/li>\n<li>A <strong>customer-managed AWS account<\/strong> to link (for connected VPC and related integrations).<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>If you don\u2019t have a subscription, check options on the AWS VMware page and VMware sales\/trials. 
Trial availability changes\u2014verify in official sources.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>You typically need:\n&#8211; <strong>VMware Cloud Console<\/strong> role that allows SDDC creation and configuration (org admin or equivalent).\n&#8211; <strong>AWS IAM permissions<\/strong> to:\n  &#8211; Create an IAM role with a trust policy for VMware Cloud on AWS (cross-account).\n  &#8211; Create\/modify VPC route tables, security groups, and possibly ENIs\/resources used for connectivity (exact required permissions are provided by the VMware Cloud console workflow).<\/p>\n\n\n\n<p>A practical approach:\n&#8211; Use a dedicated AWS IAM admin role for initial setup.\n&#8211; After setup, narrow privileges and separate duties (network vs security vs virtualization admins).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A payment method\/subscription arrangement for VMware Cloud on AWS.<\/li>\n<li>Possibly AWS Marketplace-based procurement depending on your org\u2019s purchase path (this varies\u2014verify your commercial model).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">CLI\/SDK\/tools needed<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Web browser for:<\/li>\n<li>VMware Cloud Console<\/li>\n<li>AWS Management Console<\/li>\n<li>Optional (recommended) tools:<\/li>\n<li><strong>AWS CLI v2<\/strong> for verifying routes, instances, and security groups<\/li>\n<li>SSH client for Linux instances (OpenSSH)<\/li>\n<li>vSphere Client access (browser-based via vCenter URL)<\/li>\n<li>Optional network tools:<\/li>\n<li><code>traceroute<\/code>, <code>mtr<\/code>, <code>dig\/nslookup<\/code>, <code>tcpdump<\/code> (inside VMs\/instances)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VMware Cloud on AWS is available in specific AWS regions and has region-dependent host 
types and features.<\/li>\n<li>Verify region availability and host options in official documentation and ordering pages before design.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<p>Common constraint categories:\n&#8211; Minimum\/maximum hosts per cluster\n&#8211; Maximum number of clusters per SDDC (or per org)\n&#8211; Network segment limits, firewall rule limits\n&#8211; Connected VPC limits (number of connections)<br\/>\nThese can change\u2014verify current limits in official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<p>For the hands-on lab in this article:\n&#8211; An existing <strong>AWS VPC<\/strong> with at least one subnet for an EC2 test instance\n&#8211; A <strong>VMware Cloud on AWS SDDC<\/strong> (either pre-existing or created during the lab)\n&#8211; Non-overlapping CIDR blocks between:\n  &#8211; AWS VPC CIDR\n  &#8211; VMware SDDC management CIDR(s)\n  &#8211; VMware workload segments CIDR(s)\n  &#8211; On-prem networks (if connected)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<blockquote>\n<p>Do not treat this section as a quote. VMware Cloud on AWS pricing varies by region, host type, term\/commitment, and commercial agreement. 
Always confirm with the official pricing page and, if applicable, your VMware\/AWS account team.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Current pricing model (high level)<\/h3>\n\n\n\n<p>VMware Cloud on AWS pricing is primarily driven by <strong>SDDC host consumption<\/strong>:\n&#8211; Hosts are billed based on:\n  &#8211; <strong>Host type<\/strong> (varies by region and generation)\n  &#8211; <strong>Number of hosts<\/strong>\n  &#8211; <strong>Term<\/strong> (on-demand vs 1-year\/3-year commitments or other offerings)\n&#8211; Some features\/add-ons may have additional costs depending on your contract (verify in official docs\/commercial terms).<\/p>\n\n\n\n<p>Official AWS pricing page: https:\/\/aws.amazon.com\/vmware\/pricing\/<br\/>\n(Also check VMware\u2019s VMware Cloud on AWS pricing pages within VMware\u2019s site for your commercial path.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions to understand<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Compute hosts<\/strong>: The main line item (dedicated bare-metal ESXi hosts).<\/li>\n<li><strong>Storage<\/strong>: vSAN capacity is tied to host type and host count; additional storage options may exist (verify).<\/li>\n<li><strong>Networking<\/strong>:\n   &#8211; Data transfer between VMware Cloud on AWS and AWS services (in-region vs cross-region)\n   &#8211; Internet egress from workloads\n   &#8211; Direct Connect costs (if used) are separate AWS charges<\/li>\n<li><strong>Support<\/strong>: Support level may be included or priced depending on plan (verify).<\/li>\n<li><strong>Add-ons\/integrations<\/strong>: DR products, advanced networking, or management packs may be separate (verify).<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<p>There is <strong>no typical AWS Free Tier<\/strong> for VMware Cloud on AWS because it uses dedicated hosts and managed SDDC resources. 
If a trial exists, it\u2019s time-limited and offer-dependent\u2014verify.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cost drivers (direct and indirect)<\/h3>\n\n\n\n<p><strong>Direct cost drivers<\/strong>\n&#8211; Number of hosts and chosen host type\n&#8211; Commitment term and payment model\n&#8211; Number of SDDCs and clusters<\/p>\n\n\n\n<p><strong>Indirect\/hidden cost drivers<\/strong>\n&#8211; <strong>Data egress<\/strong> to the internet (often a major recurring cost)\n&#8211; <strong>Cross-AZ\/cross-region<\/strong> data transfer (depends on architecture)\n&#8211; <strong>Direct Connect<\/strong> port-hours and data transfer (AWS pricing)\n&#8211; <strong>Operational tooling<\/strong>: third-party monitoring, backup, SIEM ingestion\n&#8211; <strong>VM licensing<\/strong>: OS\/app licensing may change when moving to cloud; confirm vendor licensing terms\n&#8211; <strong>Backups<\/strong>: if using backup software, storage targets (S3, backup appliances) add cost<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Traffic between the SDDC and AWS services inside the same region may be cheaper and lower latency than cross-region patterns, but charges depend on the network path and AWS pricing rules.<\/li>\n<li>Internet egress from VMs is charged similarly to other AWS-hosted workloads once traffic leaves AWS.<\/li>\n<li>Connectivity designs (Transit Gateway, Direct Connect, NAT, load balancers) have their own AWS charges.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost (practical strategies)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Right-size the cluster: avoid overprovisioning hosts.<\/li>\n<li>Use commitment terms for steady-state production (if your procurement model supports it).<\/li>\n<li>Keep high-traffic dependencies in the same region.<\/li>\n<li>Reduce egress:<\/li>\n<li>Use CloudFront where applicable<\/li>\n<li>Use VPC endpoints\/private 
access for AWS services (where supported by your design)<\/li>\n<li>Establish lifecycle policies: scale down or delete temporary SDDCs after migration phases.<\/li>\n<li>Use tagging and cost allocation for AWS-side resources; track VMware-side consumption via org reports.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (conceptual, not a quote)<\/h3>\n\n\n\n<p>A \u201cstarter\u201d environment is usually constrained by minimum host requirements and the fact that this is dedicated infrastructure. Even a small SDDC can be a significant monthly expense. To estimate:\n1. Pick region and host type on the official pricing page.\n2. Choose the minimum supported host count for your use case (dev\/test vs production).\n3. Add AWS-side costs:\n   &#8211; EC2 bastion or test instances\n   &#8211; NAT Gateway (if used)\n   &#8211; Data transfer and logging<\/p>\n\n\n\n<p>Because host hourly rates and minimums change, <strong>use the official pricing calculator and pricing page<\/strong> rather than copying numbers from blogs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>For production, consider:\n&#8211; Multiple clusters and growth buffer\n&#8211; DR strategy costs (standby capacity, replication tooling)\n&#8211; Direct Connect for predictable connectivity\n&#8211; Enterprise backup and security tooling\n&#8211; Staffing\/operations: even managed services require day-2 expertise<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab focuses on a common first milestone: <strong>connect an AWS VPC to a VMware Cloud on AWS SDDC<\/strong> and validate private IP connectivity between an EC2 instance and a VM network segment.<\/p>\n\n\n\n<p>Because VMware Cloud on AWS is a paid managed service, this lab is \u201clow-risk\u201d but not necessarily \u201clow-cost\u201d if you create a new SDDC. 
Where possible, reuse an existing SDDC provided by your organization. If you don\u2019t have one, consider VMware Hands-on Labs for concept practice (free) and then apply the steps in a paid environment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Link an AWS account to VMware Cloud on AWS<\/li>\n<li>Create a <strong>Connected VPC<\/strong> to your SDDC<\/li>\n<li>Create\/verify routing and firewall rules<\/li>\n<li>Validate connectivity: <strong>EC2 \u2192 VM in SDDC segment<\/strong> (ICMP\/SSH)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:\n1. Confirm IP plan and prerequisites\n2. (Optional) Create or select an existing SDDC\n3. Link your AWS account in VMware Cloud Console (IAM cross-account role)\n4. Attach a connected VPC to the SDDC\n5. Create a workload segment and a test VM (or use an existing VM)\n6. Launch an EC2 instance in the connected VPC\n7. Validate connectivity and troubleshoot if needed\n8. Clean up resources<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Plan IP addressing (avoid overlaps)<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Ensure AWS VPC CIDR does not overlap with SDDC management\/workload networks.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p>In AWS, note your VPC CIDR:\n   &#8211; AWS Console \u2192 <strong>VPC<\/strong> \u2192 <strong>Your VPCs<\/strong> \u2192 select VPC \u2192 note IPv4 CIDR (e.g., <code>10.20.0.0\/16<\/code>)<\/p>\n<\/li>\n<li>\n<p>In VMware Cloud on AWS, note:\n   &#8211; SDDC management CIDR(s) (as displayed in SDDC networking settings)\n   &#8211; Existing workload segment CIDRs (if any)<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; You can confirm there is <strong>no overlapping CIDR<\/strong> between AWS VPC and VMware SDDC networks.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; If there is overlap, stop and choose a different VPC or redesign CIDRs. 
Overlaps are a common cause of failed connectivity.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Select (or create) an SDDC in VMware Cloud on AWS<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Have an SDDC ready to connect to your AWS VPC.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open the <strong>VMware Cloud Console<\/strong>.<\/li>\n<li>Navigate to <strong>VMware Cloud on AWS<\/strong> \u2192 <strong>SDDCs<\/strong>.<\/li>\n<li>Either:\n   &#8211; Select an existing SDDC for your lab, or\n   &#8211; Create a new SDDC (this is the expensive step):<ul>\n<li>Choose AWS region<\/li>\n<li>Choose host type and host count (minimum depends on offering\u2014verify in console)<\/li>\n<li>Provide SDDC name<\/li>\n<li>Complete provisioning<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; SDDC shows status <strong>READY\/ACTIVE<\/strong> (wording varies) and you can view networking settings.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; From the SDDC summary page, confirm you can open:\n  &#8211; <strong>vCenter URL<\/strong> (administrative access requires correct firewall rules)\n  &#8211; Networking and gateway settings<\/p>\n\n\n\n<p><strong>Common error<\/strong>\n&#8211; Provisioning fails due to capacity constraints in a region\/host type. 
Try a different host type\/region (if allowed) or request capacity\u2014verify guidance in official docs.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Link your AWS account (create IAM cross-account role)<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Allow VMware Cloud on AWS to configure required AWS-side connectivity components in your AWS account.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p>In VMware Cloud Console:\n   &#8211; Go to <strong>Account linking \/ AWS accounts<\/strong> (label varies)\n   &#8211; Choose <strong>Add \/ Link AWS Account<\/strong>\n   &#8211; The console typically provides:<\/p>\n<ul>\n<li>A <strong>Role name<\/strong> recommendation<\/li>\n<li>A <strong>Trust policy<\/strong> with VMware\u2019s account principal<\/li>\n<li>An <strong>External ID<\/strong> (important for secure cross-account access)<\/li>\n<li>A required <strong>permissions policy<\/strong> (or a managed policy reference)<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>In AWS Console:\n   &#8211; Go to <strong>IAM<\/strong> \u2192 <strong>Roles<\/strong> \u2192 <strong>Create role<\/strong>\n   &#8211; Select <strong>Another AWS account<\/strong>\n   &#8211; Enter the AWS Account ID provided by VMware Cloud on AWS (from console instructions)\n   &#8211; Require external ID and paste the <strong>External ID<\/strong> from the VMware console\n   &#8211; Attach the required permissions policy as instructed by the VMware console workflow\n   &#8211; Create the role<\/p>\n<\/li>\n<li>\n<p>Back in VMware Cloud Console:\n   &#8211; Provide the <strong>Role ARN<\/strong> and confirm account linking<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; AWS account shows as <strong>Linked<\/strong> in VMware Cloud Console.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; In VMware Cloud Console, the AWS account status is healthy\/linked.\n&#8211; In AWS IAM, the role exists with the trust relationship including the 
correct external ID.<\/p>\n\n\n\n<p><strong>Common error and fix<\/strong>\n&#8211; <strong>Access denied \/ role assumption failed<\/strong>:\n  &#8211; Ensure the external ID matches exactly.\n  &#8211; Ensure you used the correct VMware-provided AWS account principal in the trust policy.\n  &#8211; Ensure the attached permissions policy matches VMware console requirements (don\u2019t substitute without verifying).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create a Connected VPC to the SDDC<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Establish private routing between AWS VPC and SDDC networks.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In VMware Cloud Console \u2192 your SDDC \u2192 <strong>Networking<\/strong> \u2192 <strong>Connected VPC<\/strong> (label varies)<\/li>\n<li>Choose:\n   &#8211; Linked AWS account\n   &#8211; Target AWS VPC\n   &#8211; Subnet(s) for connectivity (the console may require specific subnet characteristics)<\/li>\n<li>Complete the workflow and wait for status <strong>CONNECTED \/ AVAILABLE<\/strong>.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Connected VPC becomes available and routes are established between AWS VPC and SDDC gateway.<\/p>\n\n\n\n<p><strong>Verification (AWS route tables)<\/strong>\nUse AWS CLI to inspect route tables associated with the selected subnet(s):<\/p>\n\n\n\n<pre><code class=\"language-bash\">aws ec2 describe-route-tables \\\n  --filters \"Name=vpc-id,Values=vpc-xxxxxxxx\" \\\n  --query \"RouteTables[*].Routes[*].[DestinationCidrBlock,GatewayId,TransitGatewayId,VpcPeeringConnectionId,NetworkInterfaceId]\" \\\n  --output table\n<\/code><\/pre>\n\n\n\n<p>Look for routes pointing to VMware Cloud on AWS connectivity (the exact target may appear as an ENI, TGW attachment, or other construct depending on the implementation and chosen design). 
<strong>Do not hardcode expectations<\/strong>\u2014confirm based on what the console created.<\/p>\n\n\n\n<p><strong>Common error and fix<\/strong>\n&#8211; <strong>Connected VPC stuck in \u201cpending\u201d<\/strong>:\n  &#8211; Verify VPC\/subnet meets requirements (available IPs, route table association, no CIDR overlaps).\n  &#8211; Confirm AWS IAM role permissions are correct.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Configure gateway firewall rules for test traffic<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Allow test traffic from AWS VPC to a workload segment (and optionally return traffic).<\/p>\n\n\n\n<p>You generally need to configure rules on:\n&#8211; Workload\/compute gateway firewall (for workload segment traffic)\n&#8211; Distributed firewall (if you use microsegmentation rules that would block traffic)<\/p>\n\n\n\n<p><strong>Recommended test traffic<\/strong>\n&#8211; ICMP (ping) and SSH (TCP\/22) to a Linux VM\n&#8211; Or TCP\/443 to a simple web server if you prefer application-level validation<\/p>\n\n\n\n<p><strong>Actions (high-level)<\/strong>\n1. In VMware Cloud Console \/ NSX networking:\n   &#8211; Identify the <strong>Compute\/Workload Gateway<\/strong>\n   &#8211; Add a firewall rule:\n     &#8211; <strong>Source<\/strong>: AWS VPC CIDR (e.g., <code>10.20.0.0\/16<\/code>) or a smaller test subnet\n     &#8211; <strong>Destination<\/strong>: your workload segment CIDR or the test VM IP\n     &#8211; <strong>Services<\/strong>: ICMP + SSH\n     &#8211; <strong>Action<\/strong>: Allow\n2. 
Ensure return traffic is permitted (stateful rules usually handle this, but verify gateway behavior in your environment).<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Firewall rules show as published\/applied.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; No rule conflicts; rule order is correct (deny rules above allow rules can break connectivity).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Create a workload segment and a test VM (or use an existing VM)<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Have a VM with an IP in a segment reachable from AWS VPC.<\/p>\n\n\n\n<p><strong>Option A (preferred): Use an existing VM<\/strong>\n&#8211; If your org already has a VM in a known segment, use it.<\/p>\n\n\n\n<p><strong>Option B: Create a simple Linux VM<\/strong>\n1. Open <strong>vCenter<\/strong> (from SDDC page, use vCenter URL).\n2. Create or confirm a <strong>network segment<\/strong> exists for workloads.\n3. Create a VM:\n   &#8211; Provide name: <code>vmc-test-vm<\/code>\n   &#8211; Choose compute\/resource pool\n   &#8211; Choose datastore (vSAN)\n   &#8211; Connect NIC to the workload segment\n4. Install a lightweight OS (Ubuntu\/Photon\/etc.) using an ISO you upload to the datastore.\n5. 
Assign a static IP or use DHCP depending on your network services configuration (many environments use DHCP via NSX or a DHCP service; availability\/config varies\u2014verify).<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; VM is powered on and has an IP address (e.g., <code>192.168.10.10<\/code> in a workload segment CIDR).<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; In vCenter, confirm VM IP is visible (VMware Tools helps) or log into console and run:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ip addr\nip route\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Launch an EC2 instance in the connected VPC for testing<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Generate test traffic from AWS VPC to the VM.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>AWS Console \u2192 <strong>EC2<\/strong> \u2192 <strong>Launch instance<\/strong><\/li>\n<li>Choose a small Linux instance type (e.g., t3.micro) for testing.<\/li>\n<li>Place it in:\n   &#8211; The VPC that is connected\n   &#8211; A subnet associated with the connectivity route table<\/li>\n<li>Security group:\n   &#8211; Allow outbound to the VM CIDR (default outbound allow is common)\n   &#8211; Inbound SSH from your admin IP if you need to access the EC2 instance<\/li>\n<li>Launch and connect via SSH.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; EC2 is running, you can SSH into it.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\nFrom your laptop:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh -i \/path\/key.pem ec2-user@EC2_PUBLIC_IP\n<\/code><\/pre>\n\n\n\n<p>(Use the correct username for your AMI.)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Test connectivity (EC2 \u2192 VM)<\/h3>\n\n\n\n<p><strong>Goal<\/strong>: Validate routing and firewall rules.<\/p>\n\n\n\n<p>From the EC2 instance:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ping -c 3 
192.168.10.10\n<\/code><\/pre>\n\n\n\n<p>Then SSH:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh user@192.168.10.10\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Ping receives replies.\n&#8211; SSH connects (assuming the VM allows SSH and credentials are correct).<\/p>\n\n\n\n<p><strong>Verification checklist if it fails<\/strong>\n&#8211; VM has correct IP\/gateway\/DNS\n&#8211; SDDC gateway firewall allows the traffic\n&#8211; Any distributed firewall rules allow the traffic\n&#8211; AWS route table has a route to the VM segment CIDR\n&#8211; AWS security groups\/NACLs allow return traffic (especially if you tightened them)\n&#8211; No overlapping CIDRs<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this quick matrix to confirm the lab is correct:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Check<\/th>\n<th>Where<\/th>\n<th>How<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>AWS account linked<\/td>\n<td>VMware Cloud Console<\/td>\n<td>AWS account shows linked\/healthy<\/td>\n<\/tr>\n<tr>\n<td>Connected VPC active<\/td>\n<td>VMware Cloud Console<\/td>\n<td>Status connected\/available<\/td>\n<\/tr>\n<tr>\n<td>Routes exist<\/td>\n<td>AWS VPC route tables<\/td>\n<td>Route to SDDC segment CIDR exists<\/td>\n<\/tr>\n<tr>\n<td>Firewall allows test<\/td>\n<td>VMware gateway firewall<\/td>\n<td>Allow rule above any deny rules<\/td>\n<\/tr>\n<tr>\n<td>VM reachable<\/td>\n<td>EC2 instance<\/td>\n<td>ping\/ssh succeed<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p><strong>Problem: Connected VPC won\u2019t attach<\/strong>\n&#8211; Causes:\n  &#8211; IAM role incorrect\/external ID mismatch\n  &#8211; VPC\/subnet constraints (no IPs available, misassociated route table)\n  &#8211; CIDR overlap\n&#8211; Fix:\n  &#8211; Recreate IAM role 
using console-provided instructions\n  &#8211; Choose a different subnet with sufficient IP space\n  &#8211; Redesign CIDRs (avoid overlap)<\/p>\n\n\n\n<p><strong>Problem: Routes exist but ping fails<\/strong>\n&#8211; Causes:\n  &#8211; Firewall rule missing or wrong order\n  &#8211; Distributed firewall blocks traffic\n  &#8211; VM OS firewall blocks ICMP\n&#8211; Fix:\n  &#8211; Add\/adjust NSX gateway firewall rules and verify rule order\n  &#8211; Temporarily allow ICMP\/SSH for the test VM only\n  &#8211; On VM, check <code>ufw status<\/code> \/ <code>iptables -S<\/code> and allow ICMP\/SSH<\/p>\n\n\n\n<p><strong>Problem: SSH fails but ping works<\/strong>\n&#8211; Causes:\n  &#8211; SSH service not running, wrong username\/key, OS firewall, security hardening\n&#8211; Fix:\n  &#8211; Confirm <code>sshd<\/code> is running\n  &#8211; Confirm correct user for the distribution\n  &#8211; Verify VM security policies<\/p>\n\n\n\n<p><strong>Problem: One-way traffic<\/strong>\n&#8211; Causes:\n  &#8211; Asymmetric routing or missing return route\n  &#8211; NACLs blocking ephemeral ports\n&#8211; Fix:\n  &#8211; Confirm return path and stateful firewall behavior\n  &#8211; Temporarily relax NACLs for testing (then re-tighten)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges and reduce attack surface:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Terminate EC2 instance<\/strong> (AWS Console \u2192 EC2 \u2192 Instances \u2192 Terminate).<\/li>\n<li><strong>Delete or revert firewall rules<\/strong> created for the lab (gateway and distributed firewall).<\/li>\n<li><strong>Disconnect the Connected VPC<\/strong> from the SDDC (VMware Cloud Console).<\/li>\n<li><strong>Delete IAM role<\/strong> created for AWS account linking if no longer needed (be careful\u2014only if not used by other SDDCs).<\/li>\n<li>If you created a new SDDC only for this lab, <strong>delete the 
SDDC<\/strong> (this can take time and is a major cost lever).<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Design IP addressing early<\/strong>: Plan for non-overlapping CIDRs across on-prem, SDDC mgmt, SDDC segments, and AWS VPCs.<\/li>\n<li><strong>Separate shared services<\/strong>: Put shared services (DNS, AD, logging) in dedicated segments or VPCs with controlled access.<\/li>\n<li><strong>Keep latency-sensitive dependencies close<\/strong>: Prefer same-region integrations for databases and messaging.<\/li>\n<li><strong>Use a hub network pattern carefully<\/strong>: If using Transit Gateway, standardize route propagation and isolation rules (verify supported patterns for VMware Cloud on AWS in your chosen design).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Least privilege IAM role<\/strong>: Use the exact permissions recommended by the VMware console; restrict who can modify the trust policy and external ID.<\/li>\n<li><strong>MFA and SSO<\/strong>: Enforce MFA for VMware Cloud Console and AWS privileged roles.<\/li>\n<li><strong>Separate duties<\/strong>: Different roles for network changes, security policy changes, and workload admin.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Avoid \u201calways-on\u201d migration SDDCs<\/strong>: Decommission temporary environments after a migration wave.<\/li>\n<li><strong>Commit only for steady state<\/strong>: Use longer-term commitments for stable production if financially justified.<\/li>\n<li><strong>Control egress<\/strong>: Track internet egress from VMs; use private access patterns where applicable.<\/li>\n<li><strong>Monitor host 
utilization<\/strong>: Right-size clusters and avoid \u201cCPU-ready\u201d or storage contention that forces unnecessary scaling.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use appropriate VM sizing<\/strong>: Over-allocating vCPU can reduce performance.<\/li>\n<li><strong>Storage policy alignment<\/strong>: Match vSAN policies to workload needs; don\u2019t use high redundancy where not required.<\/li>\n<li><strong>Network MTU consistency<\/strong>: Ensure MTU settings are compatible across hybrid links where jumbo frames are expected (verify supported MTU across your connectivity).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use cluster HA\/DRS appropriately<\/strong>: Keep admission control and HA policies aligned with failure domain assumptions.<\/li>\n<li><strong>Backup and restore strategy<\/strong>: Define VM-level backups and application-consistent backups; validate restores.<\/li>\n<li><strong>Test failover<\/strong>: If used for DR, run scheduled failover drills and measure RTO\/RPO.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Standardize change management<\/strong>: Treat gateway firewall and route changes as production network changes (peer review + rollback).<\/li>\n<li><strong>Centralize logging<\/strong>: Forward logs to a SIEM; include AWS VPC Flow Logs and VMware events.<\/li>\n<li><strong>Runbooks for common outages<\/strong>: Connectivity loss, DNS failures, certificate expiration, role\/permission issues.<\/li>\n<li><strong>Tagging\/naming<\/strong>: Use naming standards for segments, firewall rules, SDDCs, and AWS resources.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use names that 
encode:<\/li>\n<li>Environment (<code>prod<\/code>, <code>stage<\/code>, <code>dev<\/code>)<\/li>\n<li>Region<\/li>\n<li>App\/service<\/li>\n<li>Owner\/team<\/li>\n<li>Maintain an inventory:<\/li>\n<li>Connected VPCs and routes<\/li>\n<li>Segment CIDRs<\/li>\n<li>Firewall rule intents and approvals<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VMware Cloud Console<\/strong>:<\/li>\n<li>Controls org-level access and SDDC lifecycle operations.<\/li>\n<li>Use SSO\/IdP integration if available in your org (verify supported identity integrations).<\/li>\n<li><strong>vCenter\/NSX administration<\/strong>:<\/li>\n<li>Controls VM\/network policy operations.<\/li>\n<li>Restrict access to a small admin group; provide read-only roles to auditors\/operations as needed.<\/li>\n<li><strong>AWS IAM<\/strong>:<\/li>\n<li>Cross-account role is sensitive\u2014guard it as privileged infrastructure access.<\/li>\n<li>Use CloudTrail to audit changes to IAM roles, policies, VPC routes, security groups.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>In transit<\/strong>: Use TLS for management access (vCenter\/console). 
Use VPN\/DX encryption options as appropriate.<\/li>\n<li><strong>At rest<\/strong>: vSAN encryption capabilities exist in VMware ecosystems but may depend on configuration\/entitlement in the managed environment\u2014verify official docs for VMware Cloud on AWS specifics.<\/li>\n<li><strong>Backups<\/strong>: Ensure backup targets encrypt data at rest (e.g., S3 SSE-KMS) and in transit.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid exposing management interfaces to the internet.<\/li>\n<li>Use controlled admin access paths:\n<ul>\n<li>Bastion hosts, VPN, or zero-trust access brokers (depending on your enterprise standard)<\/li>\n<\/ul>\n<\/li>\n<li>Minimize inbound rules; prefer \u201cinside-out\u201d management where possible.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do not store credentials in VM templates or user-data scripts.<\/li>\n<li>Use AWS Secrets Manager \/ Parameter Store for apps running in VMs (where appropriate).<\/li>\n<li>Rotate credentials and integrate with enterprise password vaults.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>On AWS side: enable <strong>CloudTrail<\/strong>, VPC Flow Logs, Config (if used), and centralize logs.<\/li>\n<li>On VMware side: collect vCenter events\/alarms and NSX firewall logs if required for compliance.<\/li>\n<li>Retention and immutability: align to regulatory requirements.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Shared responsibility: clarify what VMware\/AWS manages vs. what you manage (guest OS hardening, app security, IAM, firewall policies).<\/li>\n<li>Data residency: choose region carefully; ensure backups and replication comply with residency rules.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security 
mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Overly permissive gateway firewall rules (\u201callow any any\u201d for troubleshooting that never gets removed).<\/li>\n<li>CIDR overlap causing engineers to use unsafe workarounds (e.g., NAT everywhere) without review.<\/li>\n<li>Leaving linked IAM role unused but active with broad permissions.<\/li>\n<li>No centralized logging for NSX\/firewall events.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use least privilege and segmented admin access.<\/li>\n<li>Treat network\/security policy as code where possible (or at minimum, version-controlled change records).<\/li>\n<li>Implement continuous compliance checks on AWS-side resources and periodic audits on VMware-side roles and firewall rules.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<blockquote>\n<p>These are common real-world constraints. 
Exact numbers\/limits and feature availability change; verify in official docs for your region and offering.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations \/ constraints categories<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Regional availability<\/strong>: Not all AWS regions support VMware Cloud on AWS, and host types vary.<\/li>\n<li><strong>Minimum host counts<\/strong>: You may be required to run a minimum number of hosts per cluster\/SDDC.<\/li>\n<li><strong>Host type constraints<\/strong>: Storage and performance characteristics are tied to host type; you cannot arbitrarily mix without supported patterns.<\/li>\n<li><strong>Operational restrictions<\/strong>: Some vCenter\/NSX settings are restricted in managed environments.<\/li>\n<li><strong>Networking complexity<\/strong>: Multiple gateways, firewall layers, and route tables can be difficult for teams new to NSX.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Limits on:\n<ul>\n<li>Connected VPCs per SDDC\/org<\/li>\n<li>Number of segments and firewall rules<\/li>\n<li>VPN sessions and NAT rules<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Verify current limits in the latest VMware Cloud on AWS documentation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Regional constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Feature availability (e.g., stretched clusters, specific connectivity patterns, or certain host types) can be region-dependent.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Paying for more capacity than expected due to:\n<ul>\n<li>Minimum host requirements<\/li>\n<li>Keeping migration\/test SDDCs running<\/li>\n<li>Underestimating internet egress costs<\/li>\n<\/ul>\n<\/li>\n<li>AWS-side costs:\n<ul>\n<li>NAT Gateway hours and data processing<\/li>\n<li>Transit Gateway attachments and data processing<\/li>\n<li>VPC Flow Logs ingestion into logging 
systems<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Legacy OS and apps might move easily, but:\n<ul>\n<li>Licensing rules may change in the cloud<\/li>\n<li>Time sync, MTU, and network dependencies can cause issues<\/li>\n<\/ul>\n<\/li>\n<li>Migration tooling version compatibility (source vSphere version, network extension constraints) must be validated.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Firewall rule ordering issues cause outages.<\/li>\n<li>DNS misconfiguration across hybrid networks leads to \u201cit pings but the app doesn\u2019t work.\u201d<\/li>\n<li>Overlapping RFC1918 space is common and painful\u2014plan renumbering or isolation early.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Large-scale migrations require:\n<ul>\n<li>Wave planning<\/li>\n<li>Dependency mapping<\/li>\n<li>Rollback strategies<\/li>\n<li>Performance baselines<\/li>\n<\/ul>\n<\/li>\n<li>Storage-heavy workloads may need special handling due to transfer time and replication windows.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Vendor-specific nuances<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VMware Cloud on AWS has a managed service boundary:\n<ul>\n<li>Some troubleshooting requires VMware support engagement.<\/li>\n<li>Maintenance\/upgrade windows should be communicated and tested in non-prod first.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. 
Comparison with Alternatives<\/h2>\n\n\n\n<p>The \u201cright\u201d platform depends on whether you prioritize speed of migration, cost, cloud-native features, or operational familiarity.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>VMware Cloud on AWS<\/strong><\/td>\n<td>Fast migration\/extension of VMware workloads to AWS<\/td>\n<td>VMware operational continuity; managed SDDC; strong segmentation; adjacency to AWS services<\/td>\n<td>Premium cost; managed restrictions; networking complexity<\/td>\n<td>Large VMware estate, DC exit, hybrid operations, DR, minimal refactor<\/td>\n<\/tr>\n<tr>\n<td><strong>Amazon EC2 (rehost\/replatform)<\/strong><\/td>\n<td>Apps that can run on cloud VMs without VMware dependencies<\/td>\n<td>Broad instance choice; mature AWS ecosystem; often lower cost at scale<\/td>\n<td>Requires migration conversion; ops model changes<\/td>\n<td>When you can move to EC2\/ASG\/ALB patterns and want AWS-native operations<\/td>\n<\/tr>\n<tr>\n<td><strong>Amazon EKS (containers)<\/strong><\/td>\n<td>Modernized apps and platform engineering<\/td>\n<td>Kubernetes ecosystem; scaling; DevOps automation<\/td>\n<td>Requires containerization and new operating model<\/td>\n<td>When app teams are ready to refactor and standardize on containers<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS Outposts<\/strong><\/td>\n<td>On-prem AWS infrastructure for low-latency local needs<\/td>\n<td>AWS services on-prem; consistent AWS APIs<\/td>\n<td>Not a VMware stack; capacity planning needed<\/td>\n<td>When you want AWS on-prem for latency\/regulatory constraints, not VMware continuity<\/td>\n<\/tr>\n<tr>\n<td><strong>VMware on-prem (self-managed)<\/strong><\/td>\n<td>Stable environments with existing hardware and processes<\/td>\n<td>Full 
control; existing investments<\/td>\n<td>Hardware lifecycle burden; limited cloud elasticity<\/td>\n<td>When cloud migration is not needed yet or constraints block cloud adoption<\/td>\n<\/tr>\n<tr>\n<td><strong>VMware Cloud on Azure \/ Google Cloud VMware Engine<\/strong><\/td>\n<td>VMware workloads on other hyperscalers<\/td>\n<td>Similar VMware-managed patterns<\/td>\n<td>Different cloud ecosystem; different pricing and integrations<\/td>\n<td>When your enterprise is standardized on Azure\/GCP or has data gravity there<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed VMware on AWS EC2 (not typical\/limited)<\/strong><\/td>\n<td>Special cases only<\/td>\n<td>Control (if achievable)<\/td>\n<td>Generally not the standard supported path; licensing\/architecture complexity<\/td>\n<td>Usually <strong>not<\/strong> recommended; use managed VMware Cloud on AWS instead unless a vendor-supported exception exists<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. 
Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: Financial services data center exit with compliance controls<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong><\/li>\n<li>A bank needs to exit two aging data centers within 12 months.<\/li>\n<li>Many apps are VMware-based, with strict segmentation and audit requirements.<\/li>\n<li><strong>Proposed architecture<\/strong><\/li>\n<li>Deploy VMware Cloud on AWS SDDCs in a chosen AWS region.<\/li>\n<li>Connect on-prem to AWS via dedicated connectivity (Direct Connect) and\/or VPN (verify exact supported\/desired design).<\/li>\n<li>Use Connected VPC to integrate shared services (AD\/DNS, logging, patching) hosted on AWS.<\/li>\n<li>Implement NSX microsegmentation for PCI and sensitive workloads.<\/li>\n<li>Centralize logs into SIEM (CloudTrail + VPC Flow Logs + VMware logs).<\/li>\n<li><strong>Why VMware Cloud on AWS was chosen<\/strong><\/li>\n<li>Migration timeline is tight; refactoring hundreds of apps is not feasible.<\/li>\n<li>VMware skillsets and operational processes are mature and audited.<\/li>\n<li>Need controlled segmentation and hybrid connectivity during multi-wave migration.<\/li>\n<li><strong>Expected outcomes<\/strong><\/li>\n<li>Meet data center exit deadline with reduced migration risk.<\/li>\n<li>Improve agility by provisioning capacity faster than buying hardware.<\/li>\n<li>Establish a modernization runway: apps can later move to EC2\/EKS service-by-service.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: SaaS vendor with a VMware-only dependency<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong><\/li>\n<li>A small SaaS vendor runs a proprietary appliance certified only on vSphere.<\/li>\n<li>They want AWS presence for proximity to customers and AWS services.<\/li>\n<li><strong>Proposed architecture<\/strong><\/li>\n<li>Small VMware Cloud on AWS SDDC for the appliance and a few supporting 
VMs.<\/li>\n<li>Connected VPC for integration with AWS services (S3 for artifacts, RDS for managed DB, CloudWatch for AWS-side metrics).<\/li>\n<li>Tight gateway firewall policies; minimal exposed surface.<\/li>\n<li><strong>Why VMware Cloud on AWS was chosen<\/strong><\/li>\n<li>Avoids re-certifying the appliance on a different hypervisor or refactoring the product.<\/li>\n<li>Allows the startup to use AWS services without abandoning the VMware dependency.<\/li>\n<li><strong>Expected outcomes<\/strong><\/li>\n<li>Faster entry into an AWS region while preserving vendor support constraints.<\/li>\n<li>Hybrid architecture flexibility as the product evolves.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Is VMware Cloud on AWS an AWS service or a VMware service?<\/strong><br\/>\n   It\u2019s a jointly delivered managed service: VMware operates the VMware SDDC layer on AWS infrastructure, with integration into AWS networking and services.<\/p>\n<\/li>\n<li>\n<p><strong>Do I still use vCenter in VMware Cloud on AWS?<\/strong><br\/>\n   Yes. You typically manage VMs and many virtualization tasks via vCenter, with some restrictions appropriate to a managed environment.<\/p>\n<\/li>\n<li>\n<p><strong>Can I use AWS native services from VMs running in VMware Cloud on AWS?<\/strong><br\/>\n   Yes, commonly by connecting to AWS services through private networking patterns (Connected VPC, endpoints) and standard AWS SDK\/API usage from inside the VM.<\/p>\n<\/li>\n<li>\n<p><strong>Is VMware Cloud on AWS suitable for net-new cloud-native apps?<\/strong><br\/>\n   Usually not as the primary target. For net-new apps, EC2\/EKS\/Lambda typically provide better cost and cloud-native capabilities. VMware Cloud on AWS is best for VMware workload continuity and migration.<\/p>\n<\/li>\n<li>\n<p><strong>Does VMware Cloud on AWS replace EC2?<\/strong><br\/>\n   Not exactly. 
It provides VMware-based compute on AWS, while EC2 is AWS-native VM compute. Many organizations use both.<\/p>\n<\/li>\n<li>\n<p><strong>What\u2019s the biggest design requirement to get right?<\/strong><br\/>\n   IP addressing and routing. Avoid overlapping CIDRs and plan segments, gateway policies, and connectivity patterns early.<\/p>\n<\/li>\n<li>\n<p><strong>How do I connect my AWS VPC to the SDDC?<\/strong><br\/>\n   Commonly through a \u201cConnected VPC\u201d workflow that links your AWS account and establishes private routing. The exact implementation details are guided by the console.<\/p>\n<\/li>\n<li>\n<p><strong>How do I connect on-premises to VMware Cloud on AWS?<\/strong><br\/>\n   Typically through VPN and\/or Direct Connect patterns, sometimes with Transit Gateway designs. Verify the currently supported reference architectures in official documentation.<\/p>\n<\/li>\n<li>\n<p><strong>Who patches ESXi and the underlying hosts?<\/strong><br\/>\n   In a managed service model, the provider handles much of the platform lifecycle. You still patch guest operating systems and applications.<\/p>\n<\/li>\n<li>\n<p><strong>Can I microsegment traffic between VMs?<\/strong><br\/>\n   Yes, using NSX distributed firewall policies and segmentation constructs (capabilities depend on your configuration).<\/p>\n<\/li>\n<li>\n<p><strong>Can I use my existing VMware tools (backup, monitoring, automation)?<\/strong><br\/>\n   Often yes, but confirm compatibility and supported access in VMware Cloud on AWS. Some tools require specific vCenter privileges or network access.<\/p>\n<\/li>\n<li>\n<p><strong>How long does it take to create an SDDC?<\/strong><br\/>\n   It varies by region, capacity, and host count. 
Plan for provisioning time and potential capacity constraints.<\/p>\n<\/li>\n<li>\n<p><strong>What are the most common causes of connectivity failures?<\/strong><br\/>\n   CIDR overlap, missing routes, firewall rule order, distributed firewall blocks, OS firewalls, and DNS issues.<\/p>\n<\/li>\n<li>\n<p><strong>Is there a free tier or cheap sandbox?<\/strong><br\/>\n   There\u2019s usually no free tier. For no-cost practice, use VMware Hands-on Labs (concept training). For real deployments, use official pricing tools and commitments.<\/p>\n<\/li>\n<li>\n<p><strong>How do I estimate cost accurately?<\/strong><br\/>\n   Use the official pricing page (and any official calculators\/quotes), select region\/host type\/term, and add AWS-side networking and data transfer costs.<\/p>\n<\/li>\n<li>\n<p><strong>Can I scale up and down easily?<\/strong><br\/>\n   You can scale by adding\/removing hosts or adding clusters, but minimums, lead times, and contractual terms apply. Verify elasticity options and constraints in your offering.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn VMware Cloud on AWS<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official product page<\/td>\n<td>AWS VMware Cloud on AWS<\/td>\n<td>Overview, positioning, and entry points to docs and pricing: https:\/\/aws.amazon.com\/vmware\/<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>VMware Cloud on AWS Documentation<\/td>\n<td>Primary source for networking, operations, and configuration (verify latest): https:\/\/docs.vmware.com\/en\/VMware-Cloud-on-AWS\/<\/td>\n<\/tr>\n<tr>\n<td>Official pricing page<\/td>\n<td>VMware Cloud on AWS Pricing (AWS)<\/td>\n<td>Official pricing model and region\/term guidance: https:\/\/aws.amazon.com\/vmware\/pricing\/<\/td>\n<\/tr>\n<tr>\n<td>Getting started<\/td>\n<td>VMware Cloud on AWS Getting Started (Docs)<\/td>\n<td>Step-by-step onboarding and first SDDC guidance (navigate from docs landing page): https:\/\/docs.vmware.com\/en\/VMware-Cloud-on-AWS\/<\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>AWS Architecture Center<\/td>\n<td>Reference patterns for AWS networking, hybrid connectivity, and security: https:\/\/aws.amazon.com\/architecture\/<\/td>\n<\/tr>\n<tr>\n<td>Networking docs<\/td>\n<td>VMware Cloud on AWS Networking (Docs section)<\/td>\n<td>Connected VPC, gateways, firewall rules, routing (find within official docs): https:\/\/docs.vmware.com\/en\/VMware-Cloud-on-AWS\/<\/td>\n<\/tr>\n<tr>\n<td>Migration docs<\/td>\n<td>VMware HCX Documentation<\/td>\n<td>Migration and network extension concepts (verify entitlements): https:\/\/docs.vmware.com\/en\/VMware-HCX\/<\/td>\n<\/tr>\n<tr>\n<td>Official videos<\/td>\n<td>AWS YouTube Channel \/ VMware YouTube<\/td>\n<td>Recorded sessions, webinars, architecture talks (search official channels): https:\/\/www.youtube.com\/@amazonwebservices and 
https:\/\/www.youtube.com\/@vmware<\/td>\n<\/tr>\n<tr>\n<td>Hands-on practice<\/td>\n<td>VMware Hands-on Labs<\/td>\n<td>Free guided labs (conceptual practice even without a paid SDDC): https:\/\/hol.vmware.com\/<\/td>\n<\/tr>\n<tr>\n<td>Community learning<\/td>\n<td>AWS re:Post<\/td>\n<td>Q&amp;A and operational tips; validate against docs: https:\/\/repost.aws\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, cloud engineers, platform teams<\/td>\n<td>DevOps + cloud operations fundamentals, tooling, and applied practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>SCM\/DevOps foundations, automation, and delivery pipelines<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud operations and support teams<\/td>\n<td>CloudOps practices, monitoring, reliability, operational readiness<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, operations, reliability engineers<\/td>\n<td>SRE principles, incident response, reliability patterns<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams adopting AIOps<\/td>\n<td>Observability, automation, AIOps concepts and practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 
class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>Cloud\/DevOps training content (verify current offerings)<\/td>\n<td>Beginners to intermediate practitioners<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps tooling and hands-on guidance (verify scope)<\/td>\n<td>DevOps engineers and students<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps services\/training resources (verify scope)<\/td>\n<td>Small teams needing practical help<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and enablement resources (verify scope)<\/td>\n<td>Ops\/DevOps teams<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify exact portfolio)<\/td>\n<td>Architecture, migration planning, CI\/CD, operations<\/td>\n<td>VMware-to-AWS migration planning; hybrid connectivity runbooks; cost governance<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps and cloud consulting\/training<\/td>\n<td>Enablement, workshops, implementation support<\/td>\n<td>Landing zone setup; operational best practices; automation for deployments<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting services (verify offerings)<\/td>\n<td>Assessments, implementation, and support<\/td>\n<td>Observability setup; security reviews; build\/deploy automation<\/td>\n<td>https:\/\/devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before VMware Cloud on AWS<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VMware fundamentals<\/strong><\/li>\n<li>vSphere concepts: clusters, resource pools, datastores, HA\/DRS<\/li>\n<li>Basic ESXi and vCenter administration<\/li>\n<li><strong>Networking<\/strong><\/li>\n<li>IP subnetting, routing, NAT, VPN concepts<\/li>\n<li>Firewall policy design and troubleshooting<\/li>\n<li><strong>AWS fundamentals<\/strong><\/li>\n<li>VPC, subnets, route tables, security groups, NACLs<\/li>\n<li>IAM roles and trust policies<\/li>\n<li>CloudTrail basics and least privilege patterns<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after VMware Cloud on AWS<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Hybrid networking at scale<\/strong><\/li>\n<li>Transit Gateway design patterns<\/li>\n<li>Direct Connect architectures and routing (BGP)<\/li>\n<li><strong>Modernization paths<\/strong><\/li>\n<li>Replatform from VMs to containers (EKS) where appropriate<\/li>\n<li>Use managed databases and messaging systems<\/li>\n<li><strong>Operations excellence<\/strong><\/li>\n<li>SRE practices, incident management, capacity planning<\/li>\n<li>Security posture management and continuous compliance<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Architect (hybrid\/migration)<\/li>\n<li>VMware Administrator \/ Virtualization Engineer<\/li>\n<li>Cloud Network Engineer<\/li>\n<li>DevOps \/ Platform Engineer (hybrid platforms)<\/li>\n<li>Security Engineer (segmentation and governance)<\/li>\n<li>Migration Lead \/ Program Engineer<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VMware certifications (vSphere, NSX) are commonly relevant.<\/li>\n<li>AWS certifications (Solutions Architect, Advanced Networking) help 
for AWS-side integration.<\/li>\n<li>Exact certification mappings change; verify current VMware and AWS certification catalogs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Design a hybrid IP plan for on-prem + VMware Cloud on AWS + AWS multi-VPC<\/li>\n<li>Build a connectivity lab: Connected VPC + EC2 bastion + VM segment + firewall policies<\/li>\n<li>Create a migration runbook: prerequisites, wave planning, rollback steps, validation scripts<\/li>\n<li>Implement observability: VPC Flow Logs + centralized log store + VMware event forwarding<\/li>\n<li>Cost governance exercise: identify egress hot spots and propose mitigations<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>SDDC (Software-Defined Data Center)<\/strong>: A virtualized data center stack including compute, storage, networking, and management software.<\/li>\n<li><strong>vSphere<\/strong>: VMware\u2019s virtualization platform.<\/li>\n<li><strong>vCenter Server<\/strong>: Central management for vSphere environments.<\/li>\n<li><strong>ESXi<\/strong>: VMware hypervisor installed on physical hosts.<\/li>\n<li><strong>vSAN<\/strong>: VMware\u2019s software-defined storage aggregating host-local storage into a shared datastore.<\/li>\n<li><strong>NSX<\/strong>: VMware\u2019s software-defined networking and security platform (segments, distributed firewall, gateways).<\/li>\n<li><strong>Segment<\/strong>: A logical Layer 2 network for VMs in NSX.<\/li>\n<li><strong>Distributed Firewall (DFW)<\/strong>: Firewall enforced at the VM vNIC level (microsegmentation).<\/li>\n<li><strong>Gateway Firewall<\/strong>: North-south firewall at the gateway\/edge.<\/li>\n<li><strong>Connected VPC<\/strong>: A private connectivity pattern between VMware Cloud on AWS SDDC and a VPC in your AWS 
account.<\/li>\n<li><strong>CIDR<\/strong>: IP range notation (e.g., <code>10.0.0.0\/16<\/code>) used for network planning.<\/li>\n<li><strong>IAM Role (cross-account)<\/strong>: AWS identity object that a different account\/service can assume to perform actions, governed by a trust policy and permissions policy.<\/li>\n<li><strong>Direct Connect<\/strong>: AWS dedicated private connectivity service from on-prem to AWS.<\/li>\n<li><strong>Transit Gateway (TGW)<\/strong>: AWS hub for connecting multiple VPCs and on-prem networks.<\/li>\n<li><strong>Egress<\/strong>: Outbound traffic from your environment to the internet or other networks, often a cost driver.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>VMware Cloud on AWS is a managed VMware SDDC running on AWS infrastructure that helps organizations extend or migrate VMware workloads into AWS with minimal refactoring. It fits the <strong>Compute<\/strong> category as an alternative compute platform: you run VMs on VMware (vSphere\/ESXi) while integrating with AWS networking and services.<\/p>\n\n\n\n<p>Key takeaways:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use it when you need <strong>speed, VMware operational continuity, and hybrid architectures<\/strong>, especially for migrations, DR, and data center exit.<\/li>\n<li>Plan carefully for <strong>networking (CIDR\/routing\/firewalls)<\/strong> and define clear operational ownership across VMware and AWS layers.<\/li>\n<li>Cost is primarily driven by <strong>dedicated host consumption<\/strong>, plus AWS-side networking and data transfer\u2014use official pricing sources and avoid assumptions.<\/li>\n<li>Security success depends on <strong>least privilege IAM<\/strong>, strong segmentation, controlled management access, and centralized auditing\/logging.<\/li>\n<\/ul>\n\n\n\n<p>Next step: follow the hands-on lab to build a Connected VPC and validate EC2-to-VM connectivity, then expand into production patterns (Transit Gateway, 
Direct Connect, microsegmentation, backup\/DR, and operational monitoring) using the official documentation and reference architectures.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Compute<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,26],"tags":[],"class_list":["post-174","post","type-post","status-publish","format-standard","hentry","category-aws","category-compute"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=174"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/174\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}