Reduce the total cost of ownership of IT infrastructure for vSphere-based workloads even further with 20% off i3en.metal hosts across all VMware Cloud on AWS regions.
Hybrid Cloud Platform for US Public Sector
Secure Your Workloads
Run highly sensitive government workloads in FedRAMP High JAB and DoD IL5 compliant VMware Cloud on AWS GovCloud (US) environment.
Embrace the Hybrid Future
Leverage the hybrid cloud to facilitate the unique needs of government agencies.
Eliminate Rework Tax and Reduce Risk
Leverage consistent infrastructure and operations to integrate the public cloud with your existing investments.
Modernize Your Apps
Leverage cloud-scale infrastructure and services to extend the value of your enterprise apps.
Migrate Your Applications to the Cloud
Rapidly and seamlessly migrate enterprise applications and vSphere-based workloads to the cloud without complex conversions, in an operationally consistent way. Reduce the complexity, cost, and risk of cloud migration compared to alternatives by leveraging the same skills and toolsets you already use.
Extend Your Data Center to the Cloud
Extend your vSphere environments to the AWS GovCloud (US) and meet on-demand capacity needs in minutes, allowing for fast and cost-effective business growth.
Modernize Your Applications
Start delivering VMware SDDC-consistent dev/test environments that can integrate with modern frameworks and automation tools, enriching them with AWS PaaS services and automating the underlying infrastructure operations with DevOps tools.
Deliver Virtual Desktops from the Cloud
Extend your on-premises Horizon VDI environment for virtual desktops and published apps to a consistent, on-demand, agile VDI environment in AWS GovCloud (US). Manage on-premises and AWS GovCloud (US) VDI environments in an architecturally and operationally consistent way by reusing existing on-premises tools, processes, and governance in AWS GovCloud (US).
Recover from Disasters with Cloud Service
VMware Site Recovery delivers Disaster Recovery as a Service (DRaaS) for VMware Cloud on AWS GovCloud (US) for on-demand site disaster recovery (DR) protection with automated orchestration, failover and failback capabilities.
Designed to meet the requirements of larger environments.
- vSphere + vSAN + NSX
- High Availability, SLA, Multi-Cluster
- Starting at $10.03/hour/host. This pricing is applicable to AWS GovCloud (US West) and AWS GovCloud (US East) regions for the i3.metal instance type. Please check the i3en.metal pricing below
- Available on-demand or with a 1 year and 3 year subscription options
- Available in USD only
- Refer to the FAQs for more details
$10.03/host/hour (~$7,322 per month)
Discover Production Pricing
The VMware Cloud on AWS GovCloud (US) service provides simple yet flexible options to consume VMware's software capabilities and AWS's elastic, bare-metal infrastructure as a combined offering that can be purchased on-demand or as a 1-year or 3-year subscription. The minimum required configuration for a production environment is 2 hosts per cluster for both the i3.metal and i3en.metal host types. Above the minimum, hosts can be added or removed in increments of 1.
i3en.metal hosts are FedRAMP High compliant and must be selected when deploying new SDDCs that require FedRAMP High compliance.
Customers who purchase any number of on-demand, 1-year, or 3-year standard subscriptions of VMware Cloud on AWS GovCloud (US) i3en.metal hosts during the promotion period, which runs from October 4th, 2022 through October 4th, 2023, are eligible for a 20% discount on the purchase. The i3en.metal pricing below reflects the discounted pricing.
Pricing table columns (per host type): Cores / host; Memory / host (GiB); and, for each of the On-Demand, 1-year and 3-year terms, List Price / host and Savings vs. On-Demand. The per-host figures themselves are not reproduced on this page.
What is the difference between on-demand and subscription pricing?
On-Demand Pricing
On-Demand consumption lets you pay for physical hosts by the hour. There are no upfront costs and you have the flexibility to scale the number of hosts up or down without long-term commitments. You only pay for each hour that the host is active in your account.
Subscription Pricing
Longer-term subscription of hosts gives you up to 50% cost savings compared to On-Demand hosts consumed over an equivalent period. Host subscriptions are available in 1-year or 3-year terms. You pay upfront but maximize your savings.
Additional charges not included
Data Transfer charges:
Data transfer IN to VMware Cloud on AWS from internet: $0.00/GB
Data transfer IN to VMware Cloud on AWS from another region: $0.00/GB
Data transfer IN/OUT/BETWEEN same Availability Zone: $0.00/GB
Data transfer IN/OUT/BETWEEN different Availability Zones or using elastic IP or ELB: $0.01/GB
Data transfer OUT from VMware Cloud on AWS to internet: $0.065/GB
Data transfer OUT from VMware Cloud on AWS to another AWS region: $0.03/GB
IP address charges:
Elastic IP address associated with a running instance: $0.005/IP/hour
Elastic IP address not associated with a running instance: $0.005/IP/hour
Elastic IP address remap: $0.1/IP
For more information, please check here.
Use the production pricing calculator
How to understand our roadmap:
Available - Feature now available for use by applicable customers. May not be available in all AWS regions.
Preview - Feature released in preview to gather feedback. May not be available to all applicable customers or in all AWS regions.
Developing - Feature in active development and testing.
Planned - Feature under consideration or planned for future development.
The information on this website is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation that items in 'Preview', 'Developing', and 'Planned' will become 'Available'; their status is subject to change at VMware's sole discretion. The information on this website should not be relied upon in making purchasing decisions.
Stretched clusters now support a 2-host configuration across multiple AZs. A customer who wants a 2-host configuration can choose to deploy it across AZs.
Minimum cluster size is 2 hosts. Customers can add capacity up to 16 hosts per cluster. Dedicated single-tenant infrastructure delivered on AWS i3 EC2 elastic bare-metal infrastructure.
Customers can scale capacity by adding additional stretched clusters to a stretched cluster SDDC deployed on i3.metal instances. All clusters in the SDDC must be stretched clusters.
Ability to inhibit DRS-initiated vMotion for load-balancing purposes. Useful for vMotion-sensitive applications such as large transactional databases and real-time transaction processing applications.
Customers can now see all historical notification events in the Activity Log tab. Example notification events include maintenance notifications, EDRS add-host notifications, detailed SDDC upgrade notifications, and DRaaS notifications. This lets customers audit historical notification events in the UI.
Enables a smaller configuration purchase option at a low, predictable price for fast and flexible consumption: customers can purchase a three-host configuration of VMware Cloud on AWS. Dedicated single-tenant infrastructure delivered on AWS EC2 elastic bare-metal infrastructure.
VMware SDDCs can be deployed and resized hourly for on-demand granularity. Longer-term reservation of hosts gives you up to 50% cost saving compared to on-demand hosts consumed over equivalent period. Host Reservations are available in 1 or 3 year terms. You pay upfront, but maximize your savings.
US Federal customers can now take advantage of a smaller configuration purchase option at a low, predictable price for fast and flexible consumption in production environments. Organizations can purchase a two-host configuration of VMware Cloud on AWS GovCloud (US) and use dedicated single-tenant infrastructure delivered on AWS EC2 elastic bare-metal infrastructure.
Supports AWS Direct Connect for management appliance and workload traffic as well as ESXi management and vMotion, eliminating the need for separate VPN tunnels and simplifying connectivity.
Improves application availability and performance by live migrating virtual machines within a VMware Cloud on AWS SDDC cluster. Optimize workload distribution within a VMware Cloud on AWS cluster using vSphere DRS, High Availability and vMotion.
VMware SDDCs are deployed with dedicated, single-tenant i4i bare-metal hosts. Each host has 3rd generation Intel® Xeon® Ice Lake processors with up to 128 vCPUs and 1,024 GiB of memory, and up to 30 TB of local AWS Nitro SSD storage. It offers high I/O performance, low latency, minimal latency variability, and better security with always-on encryption.
Microsoft introduced new minimum virtual hardware requirements with the Windows 11 operating system. Microsoft requires a Virtual Trusted Platform Module (vTPM) device to be present during Windows 11 virtual machine installation and upgrades. SDDCs created using version 1.19 and later automatically include the provisioning of vSphere Native Key Provider in vCenter to support new vTPM devices.
Ability to support cloud-to-cloud DR topologies where both the Active and Failover sites are deployed as VMware Cloud on AWS GovCloud SDDCs in GovCloud (US-East) and GovCloud (US-West) regions or vice-versa with federated authentication enabled between vCenter and VMware Cloud Console.
Zero RPO high availability is now available for enterprise applications virtualized on vSphere across AWS Availability Zones (AZ), leveraging multi-AZ stretched clusters. This enables you to:
- Significantly improve your application's availability without needing to architect it into your application.
- Stretch an SDDC cluster across two AWS AZs within a region: if an AZ goes down, it is treated as a vSphere HA event and the virtual machine is restarted in the other AZ.
- Benefit from the 99.99% infrastructure availability provided by stretched clusters.
Extends the value of enterprise applications running in VMware Cloud on AWS by providing Enterprises with a simple and consistent way for their applications to access native AWS services. Get high-bandwidth, low-latency network connectivity from VMware Cloud on AWS to AWS services accessed via public endpoints such as AWS Lambda, Amazon Simple Queue Service (SQS), Amazon S3 and Elastic Load Balancing.
Extends the value of Enterprise applications running in VMware Cloud on AWS by providing Enterprises with a simple and consistent way for their applications to access native AWS services. Get high-bandwidth, low-latency network connectivity from VMware Cloud on AWS to private resources in the customer's Amazon VPC such as Amazon EC2, and data and analytics services such as Amazon RDS, Amazon DynamoDB, Amazon Kinesis and Amazon Redshift. Customers can also leverage the newest generation of VPC Endpoints designed to access AWS services while keeping all the traffic within the AWS network.
VMware Cloud on AWS SDDCs are deployed with a fully configured VMware vSAN running on NVMe Flash storage local to the cluster.
- Leverage zero-click enterprise-class shared storage that is natively integrated with vSphere, with consistent and predictable performance delivered on an all-flash (NVMe) architecture.
- Deliver self-healing and resilient storage.
- Manage storage SLAs on a per-application basis through Storage Policy-Based Management.
- Increase storage efficiency and performance with advanced data services, including QoS, snapshots, erasure coding and APIs for third-party data protection (vADP).
- Data-intensive workloads can take advantage of vSAN compression and deduplication to reduce TCO. Overall storage consumption is reduced by the space-efficiency features natively built into vSAN. For example, a customer with typical workloads can save 40% in TCO for a 150 TB VMware Cloud on AWS SDDC cluster over a 3-year period.
vMotion improves application availability and performance by live migrating virtual machines in a stretched cluster deployed across 2 AWS Availability Zones.
VMware Cloud on AWS offers support for Single Sign On and federation using VMware Identity Manager, Microsoft Active Directory Federation Services and directory services such as AWS Directory Service.
VMware Cloud on AWS offers the ability to encrypt data stores deployed in VMware SDDCs using vSAN encryption with keys stored in AWS Key Management Service (KMS). Customers can now take advantage of built-in vSAN encryption with AWS KMS. This enables encryption of data at rest with AWS's managed service for creating and controlling the encryption keys. All data in VMware Cloud on AWS is encrypted.
Provides flow level visibility across VMs on an overlay network. Flow data can be consumed by application performance monitoring tools, security analysis tools, and troubleshooting tools.
Provides packet level visibility across VMs on an overlay network. Packet data can be consumed by application performance monitoring tools, security analysis tools, and troubleshooting tools.
Support for firewall packet logging on the Edge firewall and DFW within VMware Cloud on AWS. Allows users to operationalize the firewall within the SDDC using the VMware vRealize Log Insight Cloud service.
Enables Internet connectivity for workloads running on private subnets within VMware Cloud on AWS by allocating public IP addresses and configuring 1:1 or 1:Many NAT on compute gateway.
Enables customers to run enterprise business-critical application workloads on VMware Cloud on AWS. Enterprise applications, including the most resource-intensive ones such as Oracle RAC, Microsoft SQL Server, Apache Spark and Hadoop, have been tested and run successfully on VMware Cloud on AWS.
L2 VPN configuration requires customers to deploy a standalone NSX edge if they don't have NSX on-premises. Deploy standalone edges in an active standby configuration to provide added resiliency. In the case of failure of the active standalone edge, the standby takes over and continues to provide connectivity.
Provides a simple topology with a single compute gateway (CGW) connected to a distributed layer 3 router, which in turn is connected to logical layer 2 networks created by the users. Workloads deployed in a VMware Cloud on AWS SDDC are connected to the logical layer 2 networks. The compute gateway (CGW) gives these workloads access to the external world (Internet and on-premises data center) and the connected AWS VPC.
VMware HCX is a SaaS service that provides application migration and infrastructure hybridity, enabling large-scale, seamless, bi-directional workload portability between on-premises and VMware Cloud on AWS. Migrations can be done live and in bulk (warm and cold) between various vSphere versions on-premises and VMware Cloud on AWS GovCloud (US).
VMware SDDCs are deployed with dedicated, single-tenant i3en bare-metal hosts. Each host has Intel® Xeon® Cascade Lake processors @ 2.5 GHz, 48 cores (96 logical cores with hyperthreading enabled), 768 GiB RAM, 8 x 7,500 GB NVMe SSDs and native NIC-level encryption for east-west traffic within SDDC boundaries. Checksum is enabled by default to provide better storage efficiency. Compression and deduplication are not available on i3en bare-metal hosts.
There is a new tab within the SDDC that now allows customers to test their network or other services. The first test released for the troubleshooting tab is for Hybrid Linked Mode (HLM). The HLM test checks your network connectivity to ensure that you are ready to enable the HLM feature.
VMware Site Recovery for VMware Cloud on AWS GovCloud (US) enables US Public Sector agencies to protect and migrate their workloads to the FedRAMP-compliant AWS GovCloud regions in the US. The service automates workload recovery in a DR event between on-premises data centers and VMware Cloud on AWS GovCloud (US), as well as between different instances of VMware Cloud on AWS. Built on top of enterprise-grade DR tools (VMware Site Recovery Manager, vSphere Replication), the service provides an end-to-end disaster recovery solution that is quick to deploy and leverages existing know-how.
Frequently Asked Questions
VMware Cloud on AWS GovCloud (US) is a jointly engineered secure, scalable cloud service that brings VMware’s rich Software-Defined Data Center software to the AWS GovCloud (US) Region. VMware Cloud on AWS GovCloud (US) integrates VMware's compute, storage and network virtualization products (VMware vSphere, VMware vSAN and VMware NSX) along with VMware vCenter Server management, optimized to run on dedicated, elastic, bare-metal AWS infrastructure. With the same architecture and operational experience on-premises and in the cloud, IT teams can now quickly derive instant business value from use of the AWS and VMware hybrid cloud experience.
VMware Cloud on AWS GovCloud (US) is designed to address the specific regulatory and compliance requirements of US government agencies at the federal, state, and local level, as well as contractors, educational institutions, and other U.S. customers that run sensitive workloads in the cloud. VMware Cloud on AWS GovCloud (US) customers and partners must obtain an AWS GovCloud account from AWS in order to use this instance of the VMware service.
The services are available in AWS GovCloud (US-West) and AWS GovCloud (US-East) regions.
The VMware Cloud on AWS GovCloud (US) Console can be accessed via web browser here.
Yes. VMware Cloud on AWS GovCloud (US) has achieved FedRAMP High JAB Authorization from the U.S. Federal Government. Our service is listed in the FedRAMP Marketplace where you can verify that we are authorized.
VMware Cloud on AWS GovCloud (US) is part of VMware Government Services listing on FedRAMP marketplace.
Federal, State and Local Agencies, healthcare providers, educational institutions, etc. can run production workloads on VMware Cloud on AWS GovCloud (US). They must each evaluate the risk of using the service and determine that VMware has sufficient security in place to support the security requirements of their workloads.
VMware plans to complete its Health Insurance Portability and Accountability Act (HIPAA) certification to ensure compliance and protect sensitive patient health information.
Yes, VMware Cloud on AWS GovCloud (US) is operated by VMware employees who are U.S. citizens on U.S. soil.
VMware provides a white-glove service to onboard customers. Each customer will be provided with a team consisting of members of our Solutions Engineering, Customer Success, Global Support and Product Management organizations to ensure the onboarding process goes smoothly. After onboarding, customers with U.S. Federal SaaS Production Support can call 1-877-869-2730 to obtain assistance 24x7x365.
VMware Cloud on AWS GovCloud (US) provides a consistent and interoperable infrastructure and services between VMware-based data centers and the AWS cloud, which minimizes the complexity and associated risks of managing diverse environments. VMware Cloud on AWS GovCloud (US) offers native access to AWS services and innovation that extends the value of enterprise applications over their lifecycle. With the same architecture and operational experience on-premises and in the cloud, IT teams can now quickly derive instant business value from use of the AWS and VMware hybrid cloud experience.
VMware Cloud on AWS GovCloud (US) enables customers to provision fully functional Software-Defined Data Centers (SDDCs) on demand. Additional details can be found in the VMware Cloud on AWS GovCloud (US) Service Description.
Yes. VMware Cloud on AWS GovCloud (US) SDDC is connected to your VPC using Elastic Network Interface (ENI) and therefore has access to AWS services. Virtual machine workloads can access public API endpoints for AWS services such as AWS Lambda, Amazon S3 and Elastic Load Balancing, as well as private resources in the customer's Amazon VPC such as Amazon EC2, and data and analytics services such as Amazon RDS, Amazon DynamoDB, Amazon Kinesis and Amazon Redshift.
Please contact your VMware account team or VMware partner for more information.
VMware Cloud on AWS GovCloud (US) is available through VMware and its many partners in the VMware Partner Network. You can get started here.
VMware Cloud on AWS GovCloud (US) is designed with multiple layers of protection. The service inherits the physical and network security controls from the AWS GovCloud infrastructure and adds dedicated compute and storage along with the security capabilities derived from vSphere, vSAN and NSX. The VMware Cloud on AWS GovCloud (US) infrastructure is monitored 24x7 and regularly tested for security vulnerabilities and hardened to enhance security.
All data in transit between the customer site and the service can be transmitted over a Direct Connect circuit and/or encrypted via IPsec VPN. Data at rest is encrypted by VMware vSAN encryption, which is FIPS 140-2 compliant and leverages the FIPS 140-2 compliant AWS KMS service. VMware vSAN stores customer data on local self-encrypting NVMe drives.
There are no requirements for running VMware software on-premises in order to deploy or use a VMware Cloud on AWS GovCloud (US) SDDC. That said, many customers deploy hybrid cloud environments by connecting their on-premises vSphere estates to their SDDCs using features like vCenter Hybrid Linked Mode.
VMware Cloud on AWS GovCloud (US) SDDCs run on dedicated, single-tenant host clusters within a dedicated AWS VPC associated with a single AWS account per customer. Each bare-metal host can run many VMware virtual machines (tens to hundreds depending on their compute, memory and storage requirements). Clusters can range from a minimum of 2 hosts (the minimum production configuration stated in the pricing section above) up to a maximum of 16 hosts per cluster. Stretched clusters with a minimum of 2 hosts can be deployed across AWS Availability Zones. A dedicated set of management VMs, including VMware vCenter Server and VMware NSX Manager, is deployed within each SDDC environment.
With vSphere 6.0 or later running in your on-premises environment, you can move workloads to and from VMware Cloud on AWS GovCloud (US) by doing cold migration of VMs. No conversion or modification is necessary.
A vCenter Server is deployed as part of every VMware Cloud on AWS GovCloud (US) SDDC. The VMware Cloud on AWS GovCloud (US) Console allows for common tasks such as create SDDC, add/remove hosts, configure firewall rules, IPsec VPN connections and other networking settings.
Yes. In order to do this, you will need vSphere version 6.5 and vCenter Server 6.5 or later running in your data center for single pane of glass management of resources on-premises and in the cloud. More information on this can be found in the VMware Cloud on AWS Documentation.
Yes. There are multiple ways to migrate existing vSphere VMs to VMware Cloud on AWS GovCloud (US) such as content library synchronization, and cold migration. You can also use VMware Site Recovery to migrate existing vSphere VMs to VMware Cloud on AWS GovCloud (US).
VMware Cloud on AWS GovCloud (US) is available on-demand or in 1-year and 3-year subscriptions. Please contact your VMware account team or VMware partners for more information or for pricing visit here.
This service is delivered, sold and supported by VMware, and you will receive a bill each month. You will get a single bill that includes the total charges for using the VMware Cloud on AWS GovCloud (US) SDDC, including the underlying AWS resources. Note that any AWS GovCloud (US) resources that you provision in your connected AWS VPC will be billed directly through your AWS account.
VMware Cloud on AWS GovCloud (US) pricing can be found here.
No, subscriptions do not auto-renew. You are free to purchase additional subscriptions at any time. Any workloads running at the end of the subscription term will be billed at an on-demand rate.
No, VMware Cloud on AWS GovCloud (US) is supported by VMware Federal Support Services. However, you can choose to purchase AWS support for additional AWS services you use in your connected account.
Yes, you will need an active AWS GovCloud (US) customer account that will be linked to the VMware Cloud on AWS GovCloud (US) service. If you don’t have an existing AWS GovCloud customer account, you will be asked to create one as part of the onboarding process.
EC2 i3.metal hosts have dual 2.3 GHz CPUs (custom-built Intel Xeon Processor E5-2686 v4 CPU package) with 18 cores per socket (36 cores total), 512 GiB RAM, and 15.2 TB raw NVMe storage. For your workloads to be covered by the FedRAMP High JAB authorization, you must deploy them on the i3en.metal host type. The EC2 i3en.metal instance has 96 vCPUs, 768 GiB memory and 8 x 7,500 GB NVMe SSD storage, and uses the Intel Xeon Cascade Lake processor @ 2.5 GHz. This instance provides network-level encryption for east-west traffic by default.
No. ESXi runs directly on bare metal without the use of nested virtualization, while still participating in Amazon VPC networking.
VMware Cloud on AWS GovCloud (US) infrastructure runs on dedicated, single-tenant bare metal infrastructure for each customer.
Yes, additional hosts can be added to a VMware Cloud on AWS GovCloud (US) cluster using the VMware Cloud on AWS GovCloud (US) console.
Yes, you can add and/or remove hosts on demand as long as the cluster stays at or above the minimum cluster size of two hosts (the production minimum stated in the pricing section above).
The maximum cluster size is 16 ESXi hosts.
Elastic DRS (eDRS) is a feature that uses the resource management features of vSphere to analyze the load running in your SDDC to scale your clusters up or down. Using this feature, you can enable VMware Cloud on AWS GovCloud (US) to manage your cluster sizes without manual intervention.
eDRS will automatically scale up when your cluster reaches a capacity threshold. The system automatically monitors your current capacity and your capacity trend to make a decision to add more capacity to your cluster.
It takes about 10-15 minutes to add a host to an existing cluster. eDRS will make a scaling recommendation approximately every five minutes.
Yes. When your cluster is lightly loaded, eDRS will also scale down automatically.
When configuring eDRS, you configure the minimum and maximum allowed cluster size. eDRS will only scale within the limits you set.
No, eDRS will not add hosts sequentially. eDRS is throttled to prevent runaway cluster scaling. The system is also monitored by our operations team to ensure that scale operations are conducted correctly.
If you have an SPBM policy that requires a minimum number of hosts (such as RAID 6), eDRS will not scale down below that minimum number. To allow scale-down, reconfigure SPBM to use a policy without that restriction such as RAID 1.
You are billed per host per hour on VMware Cloud on AWS GovCloud (US). eDRS simply changes the number of hosts you have running in your SDDC. It is the same as if you manually added hosts to your SDDC.
Yes. DRS will automatically re-balance your workloads across the available hosts in the SDDC.
This depends on how heavily loaded your host is. A lightly loaded host will take only a few minutes to remove from the cluster; a very heavily loaded host could take many hours. In the case of eDRS, we only remove hosts that are lightly loaded, so we expect this operation to be on the lower end of this spectrum. However, your actual evacuation time largely depends on how many VMs are running and how much data must be evacuated from the host, so your times will vary.
No. Because eDRS is throttled, it's not designed for very sudden load spikes such as caused by a DR event. In this case, you should script the host addition process as part of your DR runbook. After the DR workload is started, you can rely on eDRS to maintain the correct number of hosts in your cluster.
No. Because eDRS can increase your bill by adding hosts to your cluster, it is off by default. You can use the VMware Cloud UI or API to turn this feature on.
When you enable eDRS, you do so per cluster.
VMware Cloud on AWS GovCloud (US) includes VMware’s vSAN storage technology that provides a single namespace shared datastore (vSAN datastore) comprised of the storage residing in the host instance type that makes up the SDDC.
No. vSAN uses storage residing in the hosts to provide the datastore. You will have to add hosts to increase your storage capacity.
No, you cannot use EFS as vSphere datastore. However, you can mount EFS to VMs running inside the SDDC.
Yes. You have the flexibility to create specific policies catering to your application needs, including RAID levels, checksum, object space reservation, and IOPS limit. You can apply these policies at the individual vdisk level, or you can choose the default vSAN Datastore policy for simplicity.
Yes, data is encrypted at rest by vSAN Encryption and again on each self-encrypting NVMe flash device backing the vSAN datastore in each host.
Customer data at rest is natively encrypted by vSAN. vSAN uses AWS Key Management Service (KMS) to generate the Customer Master Key (CMK). While the CMK is acquired from AWS, two additional keys are generated by vSAN: an intermediate key, referred to as the Key Encryption Key (KEK), and the Disk Encryption Key (DEK). The CMK wraps the KEK, and the KEK in turn wraps the DEK. The CMK never leaves AWS control; encryption and decryption of the KEK are performed via standard AWS KMS API calls. One CMK and one KEK are required per cluster, and one DEK for every disk in the cluster.
You have the option to change the KEK (Key Encryption Key) either through the vSAN API or through the vSphere UI. This process is called a rekey. Note that a shallow rekey does not change the Disk Encryption Key (DEK) or the Customer Master Key (CMK); changing the DEK or CMK is not supported. In the rare situation where the DEK or CMK must be changed, you can set up a new cluster with a new CMK and Storage vMotion the data from the existing cluster.
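The key hierarchy in the two answers above (CMK wraps KEK, KEK wraps one DEK per disk, shallow rekey replaces only the KEK), as an added example in Go that is not VMware's or AWS's code. A stand-in `KMS` struct plays the role of AWS KMS, keeping the CMK private and exposing only Encrypt/Decrypt, and `ShallowRekey` re-wraps every DEK under a fresh KEK without changing the DEKs or the CMK. The use of AES-256-GCM as the wrapping primitive, the disk names, and the AAD scheme are assumptions of this example; the page does not describe vSAN's actual wrapping format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type wrappedKey []byte // nonce || AES-256-GCM ciphertext of a 32-byte key

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy means no safe way to continue
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are always 32 bytes, so this cannot fail
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // only errors for a non-standard block size
	return g
}

// wrap encrypts a key under a wrapping key; the AAD (a disk name, or "kek") binds the
// blob to its purpose so one wrapped blob cannot be substituted for another (assumed scheme).
func wrap(wrapping, plain []byte, aad string) wrappedKey {
	g := gcm(wrapping)
	nonce := randBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plain, []byte(aad))...)
}

func unwrap(wrapping []byte, w wrappedKey, aad string) ([]byte, error) {
	g := gcm(wrapping)
	if n := g.NonceSize(); len(w) >= n {
		return g.Open(nil, w[:n], w[n:], []byte(aad)) // fails on wrong key, wrong AAD or tampering
	}
	return nil, fmt.Errorf("wrapped key missing or too short")
}

// KMS stands in for AWS KMS (an assumption of this example, not the AWS API): the CMK
// is private to the struct and only Encrypt/Decrypt are exposed, so it never leaves KMS.
type KMS struct{ cmk []byte }

func NewKMS() *KMS                                  { return &KMS{cmk: randBytes(32)} }
func (k *KMS) Encrypt(plain []byte) wrappedKey      { return wrap(k.cmk, plain, "kek") }
func (k *KMS) Decrypt(w wrappedKey) ([]byte, error) { return unwrap(k.cmk, w, "kek") }

// Cluster holds one KEK (wrapped by the CMK) and one DEK per disk (wrapped by the KEK).
type Cluster struct {
	kms        *KMS
	wrappedKEK wrappedKey
	wrappedDEK map[string]wrappedKey
}

func NewCluster(kms *KMS, disks []string) *Cluster {
	kek := randBytes(32)
	c := &Cluster{kms: kms, wrappedKEK: kms.Encrypt(kek), wrappedDEK: map[string]wrappedKey{}}
	for _, d := range disks {
		c.wrappedDEK[d] = wrap(kek, randBytes(32), d) // one fresh DEK per disk
	}
	return c
}

// DiskKey walks the hierarchy: KMS unwraps the KEK, then the KEK unwraps the disk's DEK.
func (c *Cluster) DiskKey(disk string) ([]byte, error) {
	kek, err := c.kms.Decrypt(c.wrappedKEK)
	if err != nil {
		return nil, err
	}
	return unwrap(kek, c.wrappedDEK[disk], disk)
}

// WrappedKEK returns a copy of the KEK blob so a caller can observe that a rekey changed it.
func (c *Cluster) WrappedKEK() []byte { return append([]byte(nil), c.wrappedKEK...) }

// ShallowRekey replaces only the KEK: each DEK is unwrapped with the old KEK and re-wrapped
// under a fresh one. DEKs and CMK are untouched, so no disk data has to be re-encrypted.
func (c *Cluster) ShallowRekey() error {
	oldKEK, err := c.kms.Decrypt(c.wrappedKEK)
	if err != nil {
		return err
	}
	newKEK := randBytes(32)
	rewrapped := make(map[string]wrappedKey, len(c.wrappedDEK))
	for d, w := range c.wrappedDEK {
		dek, err := unwrap(oldKEK, w, d)
		if err != nil {
			return err // a corrupt blob aborts the rekey before any state is replaced
		}
		rewrapped[d] = wrap(newKEK, dek, d)
	}
	c.wrappedKEK, c.wrappedDEK = c.kms.Encrypt(newKEK), rewrapped
	return nil
}
```

Calling NewCluster, then DiskKey, ShallowRekey and DiskKey again shows the DEK for a disk is byte-for-byte identical before and after the rekey while WrappedKEK differs, which is exactly why a shallow rekey is cheap and a DEK or CMK change is not. The rekey builds the new map first and swaps it in only after every DEK unwrapped cleanly, so a single corrupt blob cannot leave the cluster half-rekeyed.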
Similar to D&C (Deduplication & Compression), vSAN encryption at rest cannot be turned on or off for individual clusters. It is a cluster-wide setting that is always on by default when a cluster is provisioned in the SDDC.
For vSAN encryption, the Customer Master Key (CMK) is sourced from AWS Key Management Service and this is the only option available. Customers may run any security or encryption software they choose within the guest operating systems and use their own keys and KMI to manage the in-guest software.
Two VMware NSX Edges serve as gateways for the SDDC. Traffic can be directed to your on-premises environment using an IPsec VPN connection, AWS Direct Connect, or directly over the Internet.
By default, there is no external access to the vCenter Server system in your SDDC on VMware Cloud on AWS GovCloud (US). Open access to your vCenter Server system either by configuring a firewall rule that allows access to the vCenter Server system or by configuring an IPsec VPN between your on-premises data center and your SDDC. If you use a firewall rule, scope it to the specific source addresses that need access rather than any source; exposing vCenter to the Internet at large is rarely appropriate.
Among other things, you can:
1. Create firewall rules
2. Configure IPsec VPN connections
3. Configure DNS settings
4. Configure inbound NAT
5. Allocate IP addresses
You must create an AWS virtual interface (VIF) to begin using your AWS Direct Connect connection. There are two types of virtual interfaces:
1. A Private Virtual Interface connects to a VPC.
2. A Public Virtual Interface connects to AWS public services. The Public Virtual Interface also allows VPN traffic to travel over your DX.
For more information, please click here.
What is AWS Direct Connect?
AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect (DX), you can establish private connectivity between AWS and your data center, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput and provide a more consistent network experience than internet-based connections.
No. You are not required to run NSX on-premises in order to interoperate with VMware Cloud on AWS GovCloud (US). VMware Virtual Machines can be cold migrated to VMware Cloud on AWS GovCloud (US) without any modifications.
NSX L2 VPN is a tunnel that enables extending layer 2 networks across geographic sites. Extended layer 2 networks enable virtual machines to move across sites (vMotion) while keeping their IP addresses the same. L2 VPN allows enterprises to seamlessly migrate workloads backed by VLAN or VXLAN between on-premises and VMware Cloud on AWS GovCloud (US).
No. You do not need NSX on-premises to use L2 VPN. L2 VPN has two components, a client-side component and a server-side component; the server side runs in VMware Cloud on AWS GovCloud (US). To configure an L2 VPN between on-premises and VMware Cloud on AWS GovCloud (US), you must configure the client-side component on-premises. If you do not have NSX on-premises, you can download a standalone NSX Edge and configure the client side of the L2 VPN on it.
You can extend up to 25 layer 2 networks.
An i3.metal host supports network throughput of up to 25 Gbps and an i3en.metal host up to 100 Gbps.
VMware will offer VMware Federal Global Support Services (GSS) and a Customer Success team support for select customers. Customers with active SaaS Production Support will be able to contact support via phone at 1-877-869-2730.
VMware is responsible for the SDDC software components and the IaaS infrastructure resources. Customers are responsible for their virtual machines and applications running on the service. More details can be found in the VMware Cloud on AWS GovCloud (US) Service Description.
VMware provides a 24x7 command center that supports the service along with site reliability teams and engineering teams that are on-call supporting the service. Service operational readiness and live service operations and support are key activities for the service teams. VMware will actively monitor and maintain the SDDC components and IaaS infrastructure to ensure customers receive a high-quality service experience. In addition, fleet SDDC lifecycle management will enable efficient and reliable operations at scale.
VMware handles all vSphere and NSX patching and updates for VMware Cloud on AWS GovCloud (US) SDDCs.
Maintenance for an SDDC running on VMware Cloud on AWS GovCloud (US) is performed by VMware.
Prior to a maintenance update, you will receive an email notification telling you the date and time at which the update is going to occur. When the update process is initiated, you will receive another email notification. The process occurs in 2 main phases, a control plane update and a data plane update. During the control plane update, customers are temporarily prevented from gaining access to vCenter. Direct access to VMs will still be available during this phase. A backup of vCenter and NSX Manager is taken prior to installing the update. The update is then installed. Once the installation is completed, access to vCenter is restored and the control plane phase is completed. An email is sent to you once the control plane phase is completed. In the data plane update phase, an extra ESXi host is temporarily added to each cluster to ensure sufficient capacity to complete the update process. The data plane update is conducted on a rolling basis, with the hosts being updated one at a time. Each ESXi host is placed into maintenance mode and its VMs are migrated to another host in the cluster. The ESXi host is then updated in place. Once all of the hosts are updated, one host is removed from the cluster to restore the host count to the number in place before the update began. An email is sent to customers once the data plane update is completed.
Yes, during the control plane phase of the SDDC maintenance update, access to vCenter will be removed. Once the control plane phase is finished, access will be restored.
VMware will back up vCenter and NSX Manager prior to installing control plane updates and can restore from these backups as needed. VMware does not back up your VMs; these are the responsibility of the customer.
Due to the nature of software updates, this can and will be done on an as-needed basis. For planning purposes, VMware anticipates monthly updates to infrastructure during the initial rollout and expects to transition to quarterly updates as the service matures.
DRS and HA settings are fixed to values that provide the best performance and availability for both management components as well as virtual machines you deploy.
The names for the hosts are generated automatically and cannot be changed. In addition, if a host is replaced, there is no guarantee that the hostname will be the same. You should modify any scripts and other tools so that they do not rely upon fixed hostnames.
No, you are not able to add any software to the base ESXi image installed on your hosts. Patching and updates will be handled for you by the VMware Cloud service.
When you delete an SDDC, your VMs and data are deleted and the hosts and other resources allocated to the SDDC are released for use in other SDDCs.
VMware provides installers for a designated release of VMware Tools for all supported guest operating systems and updates them from time to time. You may use a different version of VMware Tools than the one shipped with VMware Cloud on AWS GovCloud (US), for example to standardize on one version across your on-premises and VMware Cloud on AWS GovCloud (US) environments. You can either upload the desired VMware Tools ISO to a vSphere datastore or use guest operating system management tools (Microsoft Windows SCCM, Linux apt-get, and so on) to deploy the desired VMware Tools version.
The VMware Cloud on AWS GovCloud (US) Service, Console and APIs are all located in AWS GovCloud (US-West). Only a complete failure of this region would result in a service disruption to the VMware Cloud on AWS GovCloud (US) Service, Console and APIs. If the region that your SDDCs are deployed in goes down, then you will not have access to vCenter Server or the ability to perform actions on the impacted SDDCs.
No, you use the same endpoints to access the VMware Cloud on AWS GovCloud (US) API and VMware Cloud on AWS GovCloud (US) Console regardless of the region your SDDCs are in.
Yes. As part of our responsibility for maintaining your working SDDC, we may add additional hosts to your SDDC if the health of this SDDC is in danger. Generally, this only occurs when your datastore fills up to an unsafe level.
Yes. You are billed for all hosts in your environment per running host hour.
Generally, we advise customers to monitor their capacity and take action when the system passes 70% capacity. If you take corrective action at 70%, automated remediation by VMware will not occur.
We do not automatically add subscriptions to your account. Because scale up events may represent temporary spikes, we do not recommend that you automatically buy a new subscription every time a scale up event causes a host to be added to your SDDC. For most customers, it is more cost effective to buy additional host subscriptions after you have established that baseline capacity. Normally, you want to review your capacity requirements by looking backwards 30 to 60 days and then buy subscriptions based on your minimum capacity requirement for that period. This ensures that you are only buying subscriptions you actually need.
The best way to ensure that we automatically scale your cluster up or down is to enable Elastic DRS (eDRS). If eDRS is not enabled, we will only add hosts in an emergency and will not remove those hosts if usage later drops. So the only way to ensure that VMware is managing your cluster size is to enable eDRS.
The EC2 i3en.metal instance has 96 vCPUs, 768 GiB of memory, and 8 x 7,500 GB NVMe SSD storage. It uses Intel Xeon (Cascade Lake) processors at 2.5 GHz. This instance provides network-level encryption for east-west traffic by default. For your workloads to be covered by the FedRAMP High JAB authorization, you must deploy them on the i3en.metal host type.
For EC2 i3en.metal instances, the minimum production cluster size is 2 hosts and the maximum cluster size is 16 hosts.
The EC2 i3en.metal instance is available in the AWS GovCloud (US-West) and AWS GovCloud (US-East) regions today.
No, a single Stretched Cluster can only consist of hosts of the same instance type.
Yes. Because of host-to-host encryption requirements, the i3en.metal host type is required for FedRAMP compliance. The i3.metal host type is not compliant.
No, a single-host SDDC is not available in VMware Cloud on AWS GovCloud (US). A 2-host SDDC on i3en.metal can be deployed as a stretched cluster across availability zones within the region.
Yes, VMware Site Recovery is available on VMware Cloud on AWS GovCloud (US). VMware Site Recovery brings trusted replication, orchestration, and automation technologies to VMware Cloud on AWS GovCloud (US) to protect applications in the event of site failures. The service is built on an industry-leading recovery plan automation solution that includes VMware Site Recovery Manager™ and native hypervisor-based replication via VMware vSphere® Replication™. The service provides an end-to-end disaster recovery solution that can help reduce the requirements for a secondary recovery site, accelerate time-to-protection, and simplify disaster recovery operations.
Please see the technical documentation for VMware Site Recovery to learn how to create private DNS entries for VMware Site Recovery endpoints on VMware Cloud on AWS GovCloud (US) SDDC.
For VMware Cloud on AWS GovCloud (US) SDDCs created after January 8th, 2021, the AD users (or an AD group) who operate VMware Site Recovery must be added to the vCenter group "CloudAdminGroup" in the SDDC. Please contact our support team for assistance as this step cannot be performed by customers. For VMware Cloud on AWS GovCloud (US) SDDCs created before January 8th, 2021, please contact our support team to determine if VMware Site Recovery can be activated for your VMware Cloud on AWS GovCloud (US) SDDC.
VMware provides a white-glove service to onboard customers. Each customer will be provided with a team consisting of members of our Solutions Engineering, Customer Success, Global Support, and Product Management organizations to ensure the onboarding process goes smoothly. After onboarding, customers with U.S. Federal SaaS Production Support can call 1-877-869-2730 to obtain assistance 24x7x365.
The smallest supported stretched cluster is two hosts and provides a 99.9% availability guarantee. At six hosts the service increases the availability guarantee to 99.99%. This is because we require a quorum to survive in case of a full AZ failure. This implies you must have three nodes per AZ. Thus, six is the smallest stretched cluster to provide the 99.99% SLA.
VMware Cloud on AWS GovCloud (US) achieved a DoD Impact Level 5 (IL5) provisional authorization, allowing it to handle DoD controlled unclassified information (CUI) and mission-critical data, including unclassified National Security Systems data.
VMware Cloud on AWS GovCloud (US) achieved a StateRAMP (State Risk and Authorization Management Program) High authorization to meet the IT compliance requirements of state and local governments. VMware Cloud on AWS GovCloud (US) is listed on the StateRAMP Authorized Product List.
VMware Cloud on AWS GovCloud (US) supports International Traffic in Arms Regulations (ITAR) compliance, providing the security measures and controls needed to protect ITAR-controlled data stored or processed in the service.
VMware Cloud on AWS GovCloud (US) supports Criminal Justice Information Services (CJIS) Security Policy compliance for law enforcement agencies across the United States. CJIS data includes criminal records, fingerprints, and other sensitive information subject to strict security and privacy regulations.
There are several ways to migrate virtual machines to VMware Cloud on AWS GovCloud (US). You must first establish a connection between your on-premises data center and VMware Cloud on AWS GovCloud (US) using VPN or Direct Connect. Be sure to read the VMware HCX documentation for networking requirements.
1. VMware HCX vMotion: With HCX and vMotion technology, you can move running virtual machines between sites and physical hosts without downtime or disruption.
2. VMware HCX Bulk migration: This method allows you to migrate many virtual machines in a single operation. You can use the VMware HCX bulk migration feature to move virtual machines from your on-premises data center to VMware Cloud on AWS GovCloud (US) in a controlled and efficient manner.
3. VMware HCX Cold migration: This method allows you to migrate virtual machines powered off from your on-premises data center to VMware Cloud on AWS GovCloud (US).
4. VMware HCX Replication Assisted vMotion: VMware HCX RAV combines advantages from VMware HCX Bulk Migration with VMware HCX vMotion.