So, as of HCX 4.2, running HCX over an SD-WAN is now supported. The exact requirements are listed here:
I managed to catch up with my buddy @gabe_rosas, who is the TPM for HCX, as I had a couple of customers that were curious about this new addition. Based on my discussion with him I thought I'd make a blog post about it!
Previously there was a blanket lack of support for running HCX over a VPN underlay, as an SD-WAN is essentially a VPN and HCX then creates its own VPN tunnels on top of it. Now it is supported, but you must be careful that you are on the correct version and meet all the underlay requirements.
So, the fact that it is supported brings more options on getting your networks and VMs into the cloud.
One of the key requirements when using an SD-WAN with VMC on AWS as the destination is this limitation:
HCX does not support VPN configurations where the NSX Tier-0 router provides the VPN termination AND connectivity to the HCX uplinks via NSX Service Insertion.
So, I thought I would run through some examples of what will and will not work:
So, as we can see in this diagram, the SD-WAN appliance has created a highly resilient mesh between the on-prem appliances and the ones deployed into native AWS. These are then connected to a native AWS TGW.
So, the question now becomes, how do we get it to connect to the VMC on AWS SDDC?
So, you might be thinking that a VPN from the TGW to VMC on AWS would work? Well, yes, that is a supported way of doing it in general, but if you have HCX Service Meshes going over the SD-WAN, then I'm afraid you are out of luck, as the VPN terminates at the T0, as shown below:
Now you are probably wondering what you can do to get HCX to work with the SD-WAN when used in conjunction with VMC on AWS. Well, there are ways, as described below:
This way is documented by my work colleague Gilles; here is the full link on how it works. What you need to do is add the VMC on AWS SDDC to an SDDC group, which gives you a VMware-managed TGW (vTGW), and then create another VPC (the Peering VPC):
https://www.gilles.cloud/2021/06/connect-vmware-managed-tgw-to-your-aws.html
There was no reason for me to diagram it out again when his diagram shows exactly what needs to be done! As you can see in the diagram, the vTGW has a VPC peering connection with the Peering VPC, and the Customer TGW has a peering connection with the Peering VPC.
So that is the way you would do it if you really wanted HCX Service Meshes to be able to use the SD-WAN.
If you weren't bothered about the Service Meshes using the SD-WAN, you could do it like you normally do:
Now, if you have Direct Connect there is another option as well, just to make things more exciting:
Adding SDWAN as an option for HCX is interesting, but as with everything you need to fully understand it and make the correct design choices based on your requirements!