VMware Cloud Foundation for EC2 Overview

Secure by Design:  The VCF Framework 

VCF is intended to provide one consistent set of data center management services across vSphere and non-vShpere environments.  For the EC2 environment, a mechanism must be in place to transparently insert these services into the workloads running on EC2.  In the private cloud environment, users may be familiar with VMware’s VM Tools.  This is a collection of host-resident probes, drivers and agents that allow the vSphere system to optimize and manage workloads running on VMWare’s ESXi hypervisor.  VMware has extended this concept to EC2 based workloads.  VM Tools for EC2 creates a bundle of host-resident probes, drivers and agents, and provides a framework to transparently insert, manage and protect these host components as they run on EC2 environments, either in Amazon’s EC2 public cloud or on premise on Amazon’s Outposts hybrid cloud solution.

Networking Services 

The first set of services enabled in VMware Cloud Foundation for EC2 is NSX Networking and Security.  A key feature of the NSX offering for EC2 is service insertion and packet capture.  With this capability, the rich partner ecosystem of NSX that exists on VMware private clouds can now be extended into native EC2 environments.  Partners can utilize the same NSX APIs for service insertion and packet capture on premise in vSphere environments and in EC2 environments.  This is extremely useful for using NSX and the VMware Cloud Foundation as the platform to deliver consistent services across the hybrid cloud. 

Another very popular feature of NSX for EC2 is layer two network stretching.  This allows workloads running in any EC2 environment, whether on AWS Outposts on premises or in the public cloud to share a common L2 IP space even across multiple VPCs.  This greatly simplifies workload migration and DR scenarios as workloads do not to be re-addressed or modified to take advantage of the flexibility and elasticity of the hybrid cloud.

Security Services 

NSX is known for its built-in security services.  One of the most powerful is the firewall built for Internal (East-West) traffic flows.  This firewall understands the application topology and can visualize and map flows between the web tier, app tiers, and persistence tiers.  Firewall policies can then be automatically deployed and dynamically updated if there are changes to application topology.  This use case has been widely deployed and there are now thousands of enterprise customers using NSX to internally segment server to server traffic in the data center.  With VMware Cloud Foundation for EC2, this same capability can be extended to EC2 based workloads, either on the public cloud or running on AWS Outposts in the customer data center.  From a single policy console, IT can now ensure that foundational security policies are consistently enforced for workloads running on premise or in the public cloud, on vShpere or on EC2 environments.  In the future, this same architecture will allow VMware advanced security offerings such as App Defense to be extended onto native EC2 environments.

Management 

In addition to the data plane services of NSX, VMware has a collection of control plane services that support both vSphere and native EC2 workloads.  vRealize Network Insights provides a single pane of glass that allows customers to visualize their flows for workloads running in a vSphere environment and/or in EC2.  This is extremely helpful for troubleshooting hybrid cloud workloads, and also for formulating security policies. Additionally, VMware’s Cloud Health provides industry leading cost management for EC2 environments. 

The Foundation for all workloads 

VMware Cloud Foundation for EC2 creates a common set of data center services that spans the hybrid cloud. These services support all types of workloads from traditional VM based enterprise applications to modern container-based workloads utilizing platforms like PKS or Red Hat OpenShift.