Link VMware Cloud on AWS vCenter to AD in AWS
For a customer I was doing a POC where we had to link the vCenter from the VMware Cloud on AWS offering with an AD that we created in a VPC in AWS. At the time we were doing the POC there was no really good documentation besides Configuring Hybrid Linked Mode (HLM) for VMware Cloud on AWS. This helped me but was missing steps like setting up the VPN between a VPC and the VMware Cloud on AWS Management Gateway.
The following steps need to be executed.
VMware on AWS
VPC on AWS
AD in Amazon AWS
Step by step
Steps taken on Amazon AWS
Create accounts in AD
Before this can be done you need to create an EC2 instance with the AD management features activated to access the AD and create user accounts. A detailed step by step can be found here:
Create a VPN connection on AWS
This is done in 3 steps
On your VPC configuration page you can create a Customer Gateway.
During the creation of this Customer Gateway you have to specify the public IP address of the vCenter Management Gateway, which you can find in your VMware on AWS console.
Virtual Private Gateway
Here you create an entry that points to your VPC.
VPN Connection: here you link your Customer Gateway with your Virtual Private Gateway.
During the configuration of your VPN connection in AWS you need to specify the subnet of your vCenter. This can be found on the VMware on AWS console
Now you can download the configuration file. I used the Microsoft Windows format as that was for me the most readable
In this document you find the 2 public IP addresses of your AWS VPC side that can be used to create redundant VPN connections to your vCenter Management Gateway in your VMware on AWS console.
The passphrase (pre-shared key) needed to set up the VMware on AWS side can also be found in this configuration file.
Steps taken on VMware on AWS console
Create an IPsec VPN connection on the Management Gateway in the VMware on AWS console. Use the public AWS IP address and passphrase you find in the configuration file downloaded in the previous step.
If required, a second VPN can be set up with the second AWS IP address found in the configuration file for redundancy.
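The values the Management Gateway IPsec form needs (AWS-side tunnel IP, pre-shared key, and the IKE proposal that has to match on both ends) can be pulled out of the downloaded configuration programmatically. The following is an added example, not part of the original post: it parses the AWS "generic" format (XML) rather than the Windows text format used above, and the sample XML is constructed in that layout with placeholder addresses and keys.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the AWS generic VPN config download; IPs and keys are placeholders.
SAMPLE_CONFIG = """<vpn_connection id="vpn-0000000000example">
  <ipsec_tunnel>
    <customer_gateway><tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address></customer_gateway>
    <vpn_gateway><tunnel_outside_address><ip_address>198.51.100.1</ip_address></tunnel_outside_address></vpn_gateway>
    <ike>
      <authentication_protocol>sha1</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <pre_shared_key>EXAMPLE_PSK_TUNNEL_1</pre_shared_key>
    </ike>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway><tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address></customer_gateway>
    <vpn_gateway><tunnel_outside_address><ip_address>198.51.100.2</ip_address></tunnel_outside_address></vpn_gateway>
    <ike>
      <authentication_protocol>sha1</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <pre_shared_key>EXAMPLE_PSK_TUNNEL_2</pre_shared_key>
    </ike>
  </ipsec_tunnel>
</vpn_connection>
"""

def parse_vpn_config(xml_text):
    """One dict per tunnel with what the Management Gateway IPsec VPN form
    needs: AWS-side public IP, pre-shared key and the IKE proposal to match."""
    tunnels = []
    for t in ET.fromstring(xml_text).findall("ipsec_tunnel"):
        tunnels.append({
            "aws_public_ip": t.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
            "sddc_public_ip": t.findtext("customer_gateway/tunnel_outside_address/ip_address"),
            "psk": t.findtext("ike/pre_shared_key"),
            # encryption / integrity / DH group must be configured identically on the VMware side
            "ike": "/".join(t.findtext("ike/" + k) for k in
                            ("encryption_protocol", "authentication_protocol", "perfect_forward_secrecy")),
        })
    return tunnels

def redacted(tunnel):
    """Copy safe to paste into a ticket or runbook: the PSK is a shared secret."""
    return {k: ("<redacted>" if k == "psk" else v) for k, v in tunnel.items()}

if __name__ == "__main__":
    for n, t in enumerate(parse_vpn_config(SAMPLE_CONFIG), 1):
        print("tunnel", n, redacted(t))
```

Each tunnel's `aws_public_ip` and `psk` go into one IPsec VPN entry on the Management Gateway; the second tunnel gives the redundant connection.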
Steps taken on the vCenter console
Log in to the vCenter console.
Go to Administration
Go to Linked Domains
Before you can add an Identity Source you need to know the Distinguished Names (DN) for the groups and users. These can be found using the AD Users and Groups tool on the machine used to manage AD users and groups.
Now that you know the DNs, you can start linking the domain using an AD over LDAP connection.
The IP address of the DNS server can be found on the configuration page of your AD on AWS.
Now just an Administrator group from the AD needs to be selected, and you are up and running to grant permissions to the users or groups created in your AD.
Some screenshots are taken from Configuring Hybrid Linked Mode (HLM) for VMware Cloud on AWS.