Migration & Modernization
Accelerate Your VMware Migration to AWS: Leveraging Amazon Elastic VMware Service and VMware HCX
Introduction
Migrating VMware workloads to the cloud presents numerous challenges for organizations. From maintaining application dependencies and preserving IP addresses to managing downtime windows and ensuring consistent performance, the complexity of these migrations can often slow down cloud adoption initiatives. Network reconfigurations, application testing, and maintaining business continuity throughout the migration process add additional layers of complexity that IT teams must carefully navigate.
Amazon Elastic VMware Service (EVS) offers a compelling solution for organizations looking to leverage AWS while preserving their VMware investments and expertise. EVS runs VMware Cloud Foundation (VCF) directly within your Amazon Virtual Private Cloud (Amazon VPC), providing a familiar operational experience while giving you access to AWS’ extensive infrastructure and services.
Solution Overview
One of the key advantages of EVS is its integration with VMware Cloud Foundation Operations HCX (HCX), a powerful migration toolkit from VMware by Broadcom. HCX reduces migration complexity by enabling seamless workload mobility between on-premises and cloud environments while preserving IP addresses and configurations. This helps organizations overcome many common migration hurdles and accelerates their path to cloud adoption.
In this blog post, we’ll walk you through the connectivity options, design considerations, and best practices when migrating your workloads into AWS using EVS and HCX.
The choice between utilizing private or public connectivity for workload migration is a one-time decision made during the initial EVS deployment. Understanding these options is critical before beginning your implementation.
Prerequisites
- The EVS prerequisite checklist has been reviewed and completed.
- On-premises vSphere version 8.0 or higher. See the Broadcom product interoperability matrix for a detailed list.
- On-premises HCX version 4.11.3.
- EVS HCX version 4.11.3.
- Sufficient VCF licenses for an EVS deployment (Minimum 256 cores and 110 TiB vSAN for 4 x i4i.metal EC2 instances).
Private network connectivity
Private networks create secure, isolated connections that enable authorized users and devices to exchange data without direct public internet exposure.
AWS offers two connectivity options for customers looking to migrate their VMware workloads from their on-premises vSphere environments into EVS across a private connection:
- AWS Site-to-Site VPN (Site-to-Site VPN) via Transit Gateway (TGW) VPN attachment
- AWS Direct Connect utilizing Transit virtual interface (Transit VIF), Direct Connect Gateway (DXGW) and Transit Gateway (TGW).
Option 1: Direct Connect
Figure 1. High-level architecture diagram of an on-premises data center connected to two EVS deployments across different AWS regions. The solution utilizes two separate Direct Connect transit VIFs connected to a single Direct Connect Gateway, which is associated with two Transit Gateways in different regions for high availability. Each Transit Gateway has a VPC attachment to a VPC containing an EVS environment. Both EVS environments can communicate with each other over the Transit Gateway peering connection. On-premises HCX appliances pair to EVS HCX appliances using private IP addresses.
Direct Connect provides a dedicated physical network connection from a customer’s on-premises environment to AWS. Think of it as a private link that creates a direct, high-speed highway between your data center and AWS, completely bypassing the public internet.
Customers can accelerate their VMware migrations to EVS by using Direct Connect, which offers flexible bandwidth options from 1 Gbps – 400 Gbps through AWS directly as a dedicated connection, or from 50 Mbps – 25 Gbps using AWS Direct Connect Partner hosted connections. While it can take longer to provision than using a Site-to-Site VPN, Direct Connect provides bandwidth flexibility, low latency, and more reliable throughput for large-scale workload migrations.
End-to-end Direct Connect connectivity from on-premises to Amazon EVS requires the following:
- Provision Direct Connect dedicated or hosted connections.
- Create a Transit VIF which attaches to a Direct Connect Gateway (DXGW). Private VIFs and Public VIFs are not supported at the time of writing.
- Associate the DXGW with a Transit Gateway (TGW) in the desired AWS Region.
- Attach the TGW to an EVS VPC using a VPC attachment.
- Configure any necessary BGP settings and routing within the on-premises router.
- Update any on-premises firewall rules, router network paths, TGW route tables, and VPC route tables for any on-premises VCF and EVS networks which need to communicate with each other to enable migration, such as ESX hosts, VCF management appliances and HCX appliances.
For production workloads, where connectivity to on-premises is always required, customers can implement redundancy through multiple Direct Connect connections at geographically diverse locations, or by configuring backup Site-to-Site VPN tunnels ensuring continuous connectivity during maintenance or circuit failures.
When planning VMware workload migrations to EVS over Direct Connect, it’s important to understand that while there are no data ingress charges for traffic from on-premises to AWS, you need to account for other costs including Transit Gateway data processing charges ($0.02 per GB), Direct Connect port fees, and any data egress charges for traffic leaving AWS. Additionally, your migration planning should factor in Direct Connect circuit procurement lead times, carefully assessed bandwidth requirements, and proper BGP routing configuration to ensure these technical aspects align with your migration timelines.
Customers can also consider utilizing Direct Connect Partners, who can quickly provision hosted transit VIFs, offering significant advantages for rapid VMware migrations to AWS.
These partners provide:
- Near-immediate provisioning, often within hours versus weeks or months for net-new dedicated connections
- Flexible bandwidth options from 50 Mbps – 25 Gbps
- Pay-as-you-go pricing
- Managed router infrastructure, eliminating the need for customers to procure and manage their own network equipment
Option 2: Site-to-Site VPN
Figure 2. High-level architecture diagram of an on-premises data center connected to two EVS deployments across different AWS regions. The solution utilizes two separate AWS Site-to-Site VPNs connected to separate Transit Gateways in different regions using VPN attachments for high availability. Each Transit Gateway has a VPC attachment to a VPC containing an EVS environment. Both EVS environments can communicate with each other over the Transit Gateway peering connection. On-premises HCX appliances pair to EVS HCX appliances using private IP addresses.
Site-to-Site VPNs provide customers with a private connection that securely extends their on-premises network to AWS across the public internet, enabling secure cross-network communication through authenticated and encrypted tunnels using IP Security (IPSec).
Customers connecting their on-premises sites to AWS typically choose a Site-to-Site VPN rather than Direct Connect when they need a quick, cost-effective connectivity solution with lower bandwidth requirements and can tolerate the variable performance of internet-based connections.
EVS requires Site-to-Site VPN connections to terminate directly onto a TGW using a TGW VPN attachment. The TGW attaches to a customer’s EVS VPC with a VPC attachment, providing end-to-end connectivity.
End-to-end connectivity to Amazon EVS using Site-to-Site VPN requires the following:
- On-premises hardware capable of creating IPSec VPN tunnels.
- Create and terminate on-premises Site-to-Site VPN connections on Transit Gateway via VPN attachment.
- Attach the Transit Gateway to an EVS VPC using a VPC attachment.
- Update any on-premises firewall rules, router network paths, TGW route tables, and VPC route tables with any on-premises VCF and EVS VCF networks which need to communicate with each other to enable migration, such as ESX hosts, VCF management appliances, and HCX appliances.
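Both checklists above (Direct Connect and Site-to-Site VPN) end with the same step: every route table and firewall on the path has to know about the on-premises VCF networks and the EVS networks that HCX needs, in both directions. The following is an added example, not code from the post or from AWS, that models those lookups (on-premises router, TGW route table, EVS VPC route table, on-premises firewall allow-list) and audits each required network pair before migration starts. All prefixes, attachment names (`aws-uplink`, `vpc-attach-evs`, `dx-attach`, `vpn-attach`, `tgw`) and network names are constructed sample values; the firewall is assumed to be stateful, so only the on-premises-initiated direction is checked against it.

```python
"""Pre-migration route and firewall audit for HCX traffic between on-premises
VCF networks and an EVS VPC. Added example with constructed sample data."""
import ipaddress


def lpm(routes, ip):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing covers ip.
    A broad /8 'LAN summary' route must not silently win over the /16 that points at AWS."""
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def first_host(cidr):
    """Representative address of a network, used for the lookups."""
    return next(ipaddress.ip_network(cidr).hosts())


def firewall_allows(rules, src, dst):
    """rules are (src_prefix, dst_prefix) allow entries on the on-premises firewall.
    Assumed stateful: only the on-premises-initiated direction is checked."""
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d) for s, d in rules)


def check_path(topo, onprem_cidr, evs_cidr):
    """Return a list of findings; an empty list means both directions are routable."""
    o, e = first_host(onprem_cidr), first_host(evs_cidr)
    findings = []
    # Forward: on-premises appliance -> EVS
    if lpm(topo["onprem_router"], e) != "aws-uplink":
        findings.append(f"on-prem router: no route for {evs_cidr} towards the Direct Connect / VPN uplink")
    if lpm(topo["tgw"], e) != "vpc-attach-evs":
        findings.append(f"TGW route table: {evs_cidr} is not sent to the EVS VPC attachment")
    if not firewall_allows(topo["onprem_firewall"], o, e):
        findings.append(f"on-prem firewall: {onprem_cidr} -> {evs_cidr} is not allowed")
    # Reverse: EVS appliance -> on-premises
    if lpm(topo["evs_vpc"], o) != "tgw":
        findings.append(f"EVS VPC route table: {onprem_cidr} is not sent to the TGW attachment")
    if lpm(topo["tgw"], o) not in ("dx-attach", "vpn-attach"):
        findings.append(f"TGW route table: no route for {onprem_cidr} back to on-premises")
    return findings


def audit(topo, networks, pairs):
    """Map each (on-prem network, EVS network) pair to its findings."""
    return {(a, b): check_path(topo, networks[a], networks[b]) for a, b in pairs}


# Constructed sample topology. The EVS VPC route table deliberately lacks a
# return route for the on-premises HCX network so the audit has something to find.
TOPOLOGY = {
    "onprem_router": [("10.0.0.0/8", "lan"), ("10.100.0.0/16", "aws-uplink")],
    "tgw": [("10.100.0.0/16", "vpc-attach-evs"), ("10.10.0.0/16", "dx-attach"), ("10.20.0.0/16", "dx-attach")],
    "evs_vpc": [("10.100.0.0/16", "local"), ("10.10.0.0/16", "tgw")],
    "onprem_firewall": [("10.10.0.0/16", "10.100.0.0/16"), ("10.20.0.0/16", "10.100.0.0/16")],
}
NETWORKS = {
    "onprem-esx-mgmt": "10.10.1.0/24",
    "onprem-hcx": "10.20.5.0/24",
    "evs-mgmt": "10.100.1.0/24",
    "evs-hcx": "10.100.4.0/24",
}
REQUIRED_PAIRS = [("onprem-esx-mgmt", "evs-mgmt"), ("onprem-hcx", "evs-hcx")]

if __name__ == "__main__":
    for pair, findings in audit(TOPOLOGY, NETWORKS, REQUIRED_PAIRS).items():
        print(pair, "OK" if not findings else findings)
```

Running the sample reports the management pair as clean and flags the HCX pair: the forward path works, but the EVS VPC route table has no entry sending 10.20.0.0/16 back to the TGW, which is exactly the kind of one-directional gap that makes HCX site pairing fail after the tunnels themselves come up. Replace the sample tables with exports of your real route tables to use it as a pre-flight check.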
Customers migrating to EVS choose Site-to-Site VPN over procuring Direct Connect when they have smaller data footprints, need to start migrations quickly, or want to avoid the upfront costs and longer procurement times of dedicated connections. Site-to-Site VPN offers a private, secure connection with customizable security controls, but Internet-based performance can impact migration speeds. For production workloads, where connectivity to on-premises is always required, customers can establish multiple Site-to-Site VPN connections across different internet service providers or deploy VPN endpoints in different on-premises locations, ensuring redundancy if one internet path experiences issues.
When planning migrations to EVS using Site-to-Site VPN, customers benefit from simpler configuration and faster deployment compared to Direct Connect, eliminating the complexity of BGP routing configuration and management. Each Site-to-Site VPN connection can be configured for either standard (1.25 Gbps per tunnel) or large (5 Gbps per tunnel) bandwidth. By leveraging Equal Cost Multi-Path (ECMP) routing, you can achieve maximum throughput of 20 Gbps utilizing multiple large bandwidth tunnels. Internet quality, available bandwidth from your data center, and encryption processing overhead will determine your actual VPN throughput performance.
For workload migrations using Site-to-Site VPN, it’s important to understand that while there are no data ingress charges for traffic from on-premises to AWS, customers should consider data egress costs for traffic leaving AWS (free for the first 100 GB per month, then $0.09 per GB), along with hourly VPN connection fees and Transit Gateway data processing charges ($0.02 per GB). Although Site-to-Site VPN doesn’t have specific bandwidth charges like Direct Connect, using multiple VPN connections to achieve higher throughput will increase your data processing costs while reducing overall migration time.
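To turn the tunnel sizes, ECMP ceiling and per-GB charges quoted above into a migration plan, here is an added example (not from the post or from AWS) that finds the smallest tunnel count able to finish a given data volume inside a transfer window and breaks down the Transit Gateway and egress charges. It uses the post's figures (1.25 Gbps standard and 5 Gbps large tunnels, 20 Gbps ECMP maximum, $0.02/GB TGW data processing, $0.09/GB egress after the first 100 GB); the post does not state the hourly VPN connection fee, so `VPN_HOURLY_USD` is a placeholder to replace with the current price for your Region, and the `efficiency` factor for IPsec overhead and internet variability is an assumption you should tune from a test transfer.

```python
"""Site-to-Site VPN sizing and cost estimate for an HCX migration.
Added example; prices other than VPN_HOURLY_USD are the ones quoted in the post."""
import math

TUNNEL_GBPS = {"standard": 1.25, "large": 5.0}
ECMP_MAX_GBPS = 20.0
TUNNELS_PER_CONNECTION = 2      # each AWS Site-to-Site VPN connection provides two tunnels
TGW_USD_PER_GB = 0.02
EGRESS_FREE_GB = 100.0
EGRESS_USD_PER_GB = 0.09
VPN_HOURLY_USD = 0.05           # PLACEHOLDER: not a figure from the post, check current pricing


def aggregate_gbps(tunnels, size):
    """ECMP aggregate for a tunnel count; above the 20 Gbps ceiling extra tunnels add nothing."""
    return min(tunnels * TUNNEL_GBPS[size], ECMP_MAX_GBPS)


def transfer_hours(data_gb, gbps, efficiency):
    """Hours to move data_gb at gbps after an efficiency factor for encryption
    overhead and internet jitter (1 GB = 8 Gb, decimal units)."""
    return data_gb * 8 / (gbps * efficiency * 3600)


def tunnels_needed(data_gb, window_hours, size, efficiency=0.6):
    """Smallest tunnel count that completes inside window_hours, or None when even
    the ECMP ceiling is too slow for that window (then the window or the path must change)."""
    max_tunnels = math.ceil(ECMP_MAX_GBPS / TUNNEL_GBPS[size])
    for n in range(1, max_tunnels + 1):
        if transfer_hours(data_gb, aggregate_gbps(n, size), efficiency) <= window_hours:
            return n
    return None


def estimate_cost(data_gb, tunnels, size, efficiency=0.6, egress_gb=0.0, vpn_hourly_usd=VPN_HOURLY_USD):
    """Cost breakdown for one migration wave: ingress is free, TGW processing is per GB,
    egress (HCX acknowledgements, any reverse sync) is charged after the free tier."""
    hours = transfer_hours(data_gb, aggregate_gbps(tunnels, size), efficiency)
    connections = math.ceil(tunnels / TUNNELS_PER_CONNECTION)
    return {
        "aggregate_gbps": aggregate_gbps(tunnels, size),
        "hours": round(hours, 2),
        "tgw_processing_usd": round(data_gb * TGW_USD_PER_GB, 2),
        "egress_usd": round(max(0.0, egress_gb - EGRESS_FREE_GB) * EGRESS_USD_PER_GB, 2),
        "vpn_connection_hours_usd": round(connections * math.ceil(hours) * vpn_hourly_usd, 2),
    }


if __name__ == "__main__":
    # Constructed scenario: 9 TB wave, 12-hour weekend window, large tunnels.
    n = tunnels_needed(9000, 12, "large")
    print("large tunnels needed:", n)
    print(estimate_cost(9000, n, "large", egress_gb=150))
```

Two things the numbers make visible: a fifth large tunnel (or a seventeenth standard one) buys no throughput because of the ECMP ceiling, and the TGW data processing charge is driven by the volume migrated, not by how many tunnels carry it.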
After reviewing the considerations above, customers can follow the EVS user guide to set up their environment and begin migration of workloads into AWS.
HCX appliances and components deployed into a customer’s EVS environment using the private connectivity option will establish secure connections with on-premises HCX appliances using private IP addresses, routable over Direct Connect or Site-to-Site VPN. When migrating workloads using HCX over an already-encrypted Site-to-Site IPSec VPN tunnel, it’s recommended to disable HCX’s default encryption within the service mesh options to avoid performance issues caused by double encapsulation, following the Broadcom documentation.
Public internet connectivity
Figure 3. High-level architecture diagram of on-premises HCX appliances connected to HCX across two EVS deployments within different AWS regions. The solution creates a point-to-point connection between on-premises HCX appliances and EVS HCX appliances using public IP addresses, allowing for minimal configuration
The public internet operates as a globally accessible network infrastructure utilizing shared protocols and public IP addressing.
Public networks enable customers to use direct internet-based connections for VMware workload migrations to EVS, offering flexibility when private connectivity options are challenging due to Direct Connect procurement delays, lack of VPN termination hardware, complex BGP routing requirements, or when rapid deployment is needed without extensive network configuration.
EVS now supports HCX migration of on-premises vSphere workloads over the public internet via direct public IP assignment to HCX appliances deployed within EVS. This provides straightforward internet-based connectivity through an Internet Gateway (IGW) associated with a customer’s EVS VPC.
When considering public internet connectivity for VMware migrations, careful evaluation of your Internet Service Provider (ISP) capabilities is crucial. Customers must assess their available internet bandwidth to ensure it can support two phases of data transfer within the project timeline: the initial seeding of virtual machine data and the subsequent delta changes before migration cutover. For example, a data center evacuation requiring the migration of multiple terabytes of data may be impractical over a connection with limited bandwidth or during business hours when bandwidth is shared with critical operations.
Additionally, customers should review their ISP service agreements for any data transfer caps or throttling policies that could impact the migration – some ISPs impose monthly data transfer limits or reduce speeds after certain thresholds, which could lead to unexpected delays or additional costs during large-scale migrations.
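The two transfer phases described above (initial seeding, then the deltas accumulated before cutover) only converge if the link can move changes faster than the workloads produce them, and a link shared with production during business hours may only deliver that off-peak. The following is an added example, not code from the post or from AWS, that simulates seed-then-delta syncing against an hourly bandwidth schedule and reports whether the final delta fits inside a cutover window. The business-hours range, the share of the link HCX may use during them, the data volume and the change rate are all constructed sample values; it models bandwidth only and ignores ISP data caps, which you should check separately against the ISP agreement.

```python
"""Seed-plus-delta feasibility check for an internet or VPN HCX migration.
Added example with constructed sample values."""
import math

BUSINESS_HOURS = range(8, 18)   # 08:00 to 17:59 local time, when production shares the link


def available_gbps(hour_of_day, link_gbps, business_share=0.2):
    """Bandwidth HCX may use in a given hour: the full link off-peak, only
    business_share of it during business hours."""
    return link_gbps * (business_share if hour_of_day % 24 in BUSINESS_HOURS else 1.0)


def transfer(data_gb, start_hour, link_gbps, business_share=0.2):
    """Move data_gb starting at start_hour (hours since project start), honouring the
    hourly schedule. Returns the finish time in hours (1 GB = 8 Gb, decimal units)."""
    remaining = data_gb * 8.0                       # gigabits still to send
    t = start_hour
    while True:
        if remaining <= 0:
            return t
        hour_end = math.floor(t) + 1
        gbps = available_gbps(math.floor(t), link_gbps, business_share)
        capacity = gbps * 3600 * (hour_end - t)     # gigabits movable before the hour boundary
        if capacity >= remaining and gbps > 0:
            return t + remaining / (gbps * 3600)
        remaining -= capacity
        t = float(hour_end)


def plan_cutover(data_gb, change_gb_per_hour, link_gbps, cutover_window_hours,
                 business_share=0.2, max_rounds=20):
    """Seed everything, then delta-sync repeatedly until the delta that would remain
    for cutover fits in cutover_window_hours. Returns (rounds, cutover_start_hour,
    final_delta_gb); rounds is None if the change rate outruns the link so the delta
    never shrinks enough within max_rounds."""
    t = transfer(data_gb, 0.0, link_gbps, business_share)   # seed phase
    delta = change_gb_per_hour * t                          # data changed while seeding
    for rounds in range(1, max_rounds + 1):
        t_end = transfer(delta, t, link_gbps, business_share)
        next_delta = change_gb_per_hour * (t_end - t)       # changed during this sync
        t = t_end
        if transfer(next_delta, t, link_gbps, business_share) - t <= cutover_window_hours:
            return rounds, t, next_delta
        delta = next_delta
    return None, t, delta


if __name__ == "__main__":
    # Constructed scenario: 4.5 TB of VMs, 45 GB/h of change, a 1 Gbps link that
    # production takes 80% of during business hours, and a 30-minute cutover window.
    print(plan_cutover(4500, 45, 1.0, 0.5, business_share=0.2))
    # Same change rate doubled past the link's capacity: the delta never converges.
    print(plan_cutover(4500, 900, 1.0, 0.5, business_share=1.0, max_rounds=5))
```

Feed it the measured change rate of the VMs in a wave and the off-peak share your ISP link really delivers; a `None` result means the wave must be split, the link upgraded, or the change rate reduced before a cutover date can be promised.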
Customers who want to migrate using the public internet should follow the EVS user guide to set up their environment and the configuring HCX public internet connectivity instructions to configure HCX.
HCX appliances and components deployed into a customer’s EVS environment using the public connectivity option will establish secure connections with on-premises HCX appliances directly over the public internet. Amazon provides customers with a contiguous /28 CIDR block of IPv4 public addresses, which can then be assigned directly to uplink interfaces on HCX appliances to perform workload migration.
Summary
Customers migrating VMware workloads to EVS using HCX have multiple connectivity options, each suited to different business needs and constraints.
Direct Connect offers the most reliable, high-performance solution ideal for large-scale migrations and ongoing hybrid operations, though it requires more planning and procurement time.
Site-to-Site VPN provides a quick-to-implement alternative with good security and moderate bandwidth, perfect for smaller migrations or when rapid deployment is essential.
The public internet connectivity option simplifies implementation by eliminating complex networking requirements, making it particularly valuable for organizations lacking specialized networking expertise or facing time constraints.
Regardless of the chosen path, success depends on carefully evaluating your migration requirements, including data volume, timeline, available bandwidth, and cost considerations. By understanding these options and their trade-offs, organizations can select the most appropriate connectivity strategy for their EVS journey.