Connectivity over private network

VMware Cloud Foundation for VPC can be both a target and a source for a site peering and service mesh over private network though Transit Gateway and Direct Link. HCX appliance uplinks use IBM Cloud VPC routing capabilities to access on-premises, other IBM Cloud VPC VMware or Classic VMware deployments.

The following diagram introduces the high-level steps to configure and deploy this connectivity type.

This architecture pattern deployment is summarized as follows:

1. Provision a new or use an existing Transit Gateway or Direct Link to connect to the HCX replication partner network.
2. Validate that the management subnet in Virtual Private Cloud (VPC) and the other VMware® deployment's HCX management and uplink networks are routed and can communicate properly.
3. With Classic Infrastructure VMware and HCX deployments, ensure that you attached the Classic network as a Transit Gateway connection and routing toward the VPC prefixes or subnets is configured in the HCX appliances to point toward the IBM Cloud private network's backend customer router (BCR). In addition, ensure that you have a new private portable subnet for private uplinks in the Classic Infrastructure, if you use that as the source or destination side HCX.
4. Create an HCX service mesh by using the compute profile created during the HCX deployment.
5. Use management subnet for HCX management and uplink traffic and vMotion subnets for vMotion traffic in VPC.
6. Create L2 extensions by using network extensions for the NSX overlay segments, if required.

Connectivity over the internet

Currently, VMware Cloud Foundation for VPC supports to be a source only when you create site peering and service mesh over a public network. Though HCX is used as a source, migration is possible both ways. In this model, HCX appliances use IBM Cloud VPC public gateway for the egress traffic.

The following diagram introduces the high-level steps to configure and deploy this connectivity type.

This architecture pattern deployment is summarized as follows:

1. Establish site peering between on-premises and the VMware Cloud Foundation instance in IBM Cloud VPC. The connection must be established from the VMware Cloud Foundation instance.
2. Egress connectivity to the internet is established through the public gateway that is attached to the management subnet. Here, the traffic is in principle just source NATed by using the floating IP address that is assigned to the public gateway as the new source IP address. You can use this floating IP address in your firewall rules, if needed.
3. Create a service mesh by using the compute profile created during the deployment.
4. Use management subnet for HCX management and uplink network interfaces in the network profiles. Use the vMotion subnet for vMotion traffic.
5. Create L2 extensions by using Network Extensions for the NSX overlay segments, if required.

HCX as Cloud target does not support NAT and floating IP addresses cannot be used to be as a direct target for HCX in this connectivity pattern.

Considerations for HCX site peering and service mesh in IBM Cloud

When you design or deploy this architecture pattern, consider the following information:

• For detailed HCX network flows, see Networks diagrams for VMware HCX.
• Create a network profile that matches the required HCX network flows.
• Ensure your MTUs match end to end.
• Ensure that the networks are properly routed and possible firewall rules allow the required traffic at both the source and destination sites and between the HCX appliance uplinks.

Related links

• Architecture pattern for HCX - consolidated architecture
• VPC network design
• VMware HCX documentation