

# Setting up Amazon Elastic VMware Service
<a name="setting-up"></a>

To use Amazon EVS, you will need to configure other AWS services, as well as set up your environment to meet VMware Cloud Foundation (VCF) requirements. For a summary checklist of deployment prerequisites, see [Amazon EVS deployment prerequisite checklist](evs-deployment-prereq-checklist.md).

**Topics**
+ [Sign up for AWS](#setting-up-aws-sign-up)
+ [Create an IAM user](#setting-up-create-iam-user)
+ [Create an IAM role to delegate Amazon EVS permission to an IAM user](#setting-up-create-iam-role)
+ [Sign up for an AWS Business, AWS Enterprise On-Ramp, or AWS Enterprise Support plan](#setting-up-aws-business-support)
+ [Check quotas](#check-quotas)
+ [Plan VPC CIDR sizes](#vpc-planning)
+ [Create a VPC with subnets](#vpc-create)
+ [Configure the VPC main route table](#vpc-main-rt)
+ [Configure your VPC’s DHCP option set](#vpc-dhcp)
+ [Create and configure VPC Route Server infrastructure](#route-server)
+ [Create a transit gateway for on-premises connectivity](#transit-gateway)
+ [Create an Amazon EC2 Capacity Reservation](#ec2-future-capacity-reservation)
+ [Set up the AWS CLI](#set-up-cli)
+ [Create an Amazon EC2 key pair](#create-ec2-key-pair)
+ [Prepare your environment for VMware Cloud Foundation (VCF)](#setting-up-vcf)
+ [Acquire VCF license keys](#setting-up-vcf-licensing)
+ [VMware HCX prerequisites](#hcx-prereqs)
+ [Amazon EVS deployment prerequisite checklist](evs-deployment-prereq-checklist.md)

## Sign up for AWS
<a name="setting-up-aws-sign-up"></a>

If you don’t have an AWS account, complete the following steps to create one.

1. Open https://portal.aws.amazon.com/billing/signup.

1. Follow the online instructions.

## Create an IAM user
<a name="setting-up-create-iam-user"></a>

1. Sign in to the [IAM console](https://console.aws.amazon.com/iam/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.
**Note**  
We strongly recommend that you adhere to the best practice of using the `Administrator` IAM user below and securely lock away the root user credentials. Sign in as the root user only to perform a few [account and service management tasks](https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html).

1. In the navigation pane, choose **Users** and then choose **Create user**.

1. For **User name**, enter `Administrator`.

1. Select the check box next to **AWS Management Console access**. Then select **Custom password**, and then enter your new password in the text box.

1. (Optional) By default, AWS requires the new user to create a new password when first signing in. You can clear the check box next to **User must create a new password at next sign-in** to allow the new user to reset their password after they sign in.

1. Choose **Next: Permissions**.

1. Under **Set permissions**, choose **Add user to group**.

1. Choose **Create group**.

1. In the **Create group** dialog box, for **Group name** enter `Administrators`.

1. Choose **Filter policies**, and then select **AWS managed - job function** to filter the table contents.

1. In the policy list, select the check box for **AdministratorAccess**. Then choose **Create group**.
**Note**  
You must activate IAM user and role access to Billing before you can use the `AdministratorAccess` permissions to access the AWS Billing and Cost Management console. To do this, follow the instructions in [step 1 of the tutorial about delegating access to the billing console](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_billing.html).

1. Back in the list of groups, select the check box for your new group. Choose **Refresh** if necessary to see the group in the list.

1. Choose **Next: Tags**.

1. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see [Tagging IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

1. Choose **Next: Review** to see the list of group memberships to be added to the new user. When you are ready to proceed, choose **Create user**.

You can use this same process to create more groups and users and to give your users access to your AWS account resources. To learn about using policies that restrict user permissions to specific AWS resources, see [Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html) and [Example Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html).

## Create an IAM role to delegate Amazon EVS permission to an IAM user
<a name="setting-up-create-iam-role"></a>

You can use roles to delegate access to your AWS resources. With IAM roles, you can establish trust relationships between your trusting account and other AWS trusted accounts. The trusting account owns the resource to be accessed, and the trusted account contains the users who need access to the resource.

After you create the trust relationship, an IAM user or an application from the trusted account can use the AWS Security Token Service (AWS STS) `AssumeRole` API operation. This operation provides temporary security credentials that enable access to AWS resources in your account. For more information, see [Create a role to delegate permissions to an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *AWS Identity and Access Management User Guide*.

Follow these steps to create an IAM role with a permissions policy that allows access to Amazon EVS operations.

**Note**  
Amazon EVS does not support the use of an instance profile to pass an IAM role to an EC2 instance.

**Example**  

1. Go to the [IAM console](https://console.aws.amazon.com/iam).

1. On the left menu, choose **Policies**.

1. Choose **Create policy**.

1. In the policy editor, create a permissions policy that enables Amazon EVS operations. For an example policy, see [Create and manage an Amazon EVS environment](security-iam-id-based-policy-examples.md#security-iam-id-based-policy-examples-create-env). To view all available Amazon EVS actions, resources, and condition keys, see [Actions](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticvmwareservice.html) in the *Service Authorization Reference*.

1. Choose **Next**.

1. Under **Policy name**, enter a meaningful policy name to identify this policy.

1. Review the permissions defined in this policy.

1. (Optional) Add tags to help identify, organize, or search for this resource.

1. Choose **Create policy**.

1. On the left menu, choose **Roles**.

1. Choose **Create role**.

1. For **Trusted entity type**, choose AWS account.

1. Under **An AWS account**, specify the account that you want to perform Amazon EVS actions and choose **Next**.

1. On the **Add permissions** page, select the permissions policy that you previously created and choose **Next**.

1. Under **Role name**, enter a meaningful name to identify this role.

1. Review the trust policy and ensure that the correct AWS account is listed as the principal.

1. (Optional) Add tags to help identify, organize, or search for this resource.

1. Choose **Create role**.

1. Copy the following contents to a trust policy JSON file. For the principal ARN, replace the example AWS account ID and `service-user` name with your own AWS account ID and IAM user name.

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::123456789012:user/service-user"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

1. Create the role. Replace `evs-environment-role-trust-policy.json` with your trust policy file name.

   ```bash
   aws iam create-role \
     --role-name myAmazonEVSEnvironmentRole \
     --assume-role-policy-document file://evs-environment-role-trust-policy.json
   ```

1. Create a permissions policy that enables Amazon EVS operations and attach the policy to the role. Replace `myAmazonEVSEnvironmentRole` with your role name. For an example policy, see [Create and manage an Amazon EVS environment](security-iam-id-based-policy-examples.md#security-iam-id-based-policy-examples-create-env). To view all available Amazon EVS actions, resources, and condition keys, see [Actions](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticvmwareservice.html) in the *Service Authorization Reference*.

   ```bash
   aws iam attach-role-policy \
     --policy-arn arn:aws:iam::aws:policy/AmazonEVSEnvironmentPolicy \
     --role-name myAmazonEVSEnvironmentRole
   ```

## Sign up for an AWS Business, AWS Enterprise On-Ramp, or AWS Enterprise Support plan
<a name="setting-up-aws-business-support"></a>

Amazon EVS requires that customers are enrolled in an AWS Business, AWS Enterprise On-Ramp, or AWS Enterprise Support plan to receive continuous access to technical support and architectural guidance. AWS Business Support is the minimum AWS Support tier that meets Amazon EVS requirements. If you have business-critical workloads, we recommend enrolling in AWS Enterprise On-Ramp or AWS Enterprise Support plans. For more information, see [Compare AWS Support Plans](https://aws.amazon.com/premiumsupport/plans).

**Important**  
Amazon EVS environment creation fails if you do not sign up for an AWS Business, AWS Enterprise On-Ramp, or an AWS Enterprise Support plan.

## Check quotas
<a name="check-quotas"></a>

To enable Amazon EVS environment creation, ensure that your account has the required minimum account-level quotas. For more information, see [Amazon EVS service quotas](service-quotas-evs.md).

**Important**  
Amazon EVS environment creation fails if the host count per EVS environment quota value is not at least 4.

## Plan VPC CIDR sizes
<a name="vpc-planning"></a>

When you create an Amazon EVS environment, you are required to specify a VPC CIDR block. The VPC CIDR block cannot be changed after the environment is created, and will need to have enough space reserved to accommodate the required EVS subnets and hosts that Amazon EVS creates during environment deployment. As a result, it is critical to carefully plan out the CIDR block size, taking into account Amazon EVS requirements and your future scaling needs prior to deployment. Amazon EVS requires a VPC CIDR block with a minimum size of /22 netmask to allow sufficient space for the required EVS subnets and hosts. For more information, see [Amazon EVS networking considerations](architecture.md#evs-subnets).

**Important**  
Ensure that you have sufficient IP address space for both your VPC subnet and the VLAN subnets that Amazon EVS creates for VCF appliances. The VPC CIDR block must have a minimum size of /22 netmask to allow sufficient space for the required EVS subnets and hosts.

**Note**  
Amazon EVS does not support IPv6 at this time.

## Create a VPC with subnets
<a name="vpc-create"></a>

Amazon EVS deploys your environment into a VPC that you provide. This VPC must contain a subnet for Amazon EVS service access ([Service access subnet](concepts.md#concepts-service-access-subnet)). For steps to create a VPC with subnets for Amazon EVS, see [Create a VPC with subnets and route tables](getting-started.md#getting-started-create-vpc).

## Configure the VPC main route table
<a name="vpc-main-rt"></a>

Amazon EVS VLAN subnets are implicitly associated to the VPC main route table. To enable connectivity to dependent services such as DNS or on-premises systems for successful environment deployment, you must configure the main route table to allow traffic to these systems. For more information, see [Explicitly associate Amazon EVS VLAN subnets to a VPC route table](getting-started.md#getting-started-associate-vlans).

**Important**  
Amazon EVS supports the use of a custom route table only after the Amazon EVS environment is created. Custom route tables should not be used during Amazon EVS environment creation, as this may result in connectivity issues.

### Gateway route requirements
<a name="vpc-main-rt-reqs"></a>

Configure routes for these gateway types based on your connectivity requirements:
+  **NAT gateway (NGW)** 
  + Optional for outbound-only internet access.
  + Must be in a public subnet with internet gateway access.
  + Add routes from private subnets and EVS VLAN subnets to the NAT gateway.
  + For more information, see [Work with NAT gateways](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-working-with.html) in the *Amazon VPC User Guide*.
+  **Transit gateway (TGW)** 
  + Required for on-premises connectivity via both AWS Direct Connect and AWS Site-to-Site VPN.
  + Add routes for on-premises network ranges.
  + Configure route propagation if using BGP.
  + For more information, see [Transit gateways in Amazon VPC Transit Gateways](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html) in the *Amazon VPC User Guide*.

### Best practices
<a name="evs-env-rtb-best"></a>
+ Document all route table configurations.
+ Use consistent naming conventions.
+ Regularly audit your route tables.
+ Test connectivity after making changes.
+ Back up route table configurations.
+ Monitor route health and propagation.

For more information about working with route tables, see [Configure route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) in the *Amazon VPC User Guide*.

## Configure your VPC’s DHCP option set
<a name="vpc-dhcp"></a>

**Important**  
Your environment deployment fails if you don’t meet these Amazon EVS requirements:  
+ Include a primary DNS server IP address and a secondary DNS server IP address in the DHCP option set.
+ Include a DNS forward lookup zone with A records for each VCF management appliance and Amazon EVS host in your deployment.
+ Include a DNS reverse lookup zone with PTR records for each VCF management appliance and Amazon EVS host in your deployment.
+ Configure the VPC’s main route table to ensure that a route to your DNS servers exists.
+ Ensure that your domain name registration is valid and unexpired, and that no duplicate hostnames or IP addresses exist.
+ Configure your security groups and network access control lists (ACLs) to allow Amazon EVS to communicate with:
  + DNS servers over TCP/UDP port 53.
  + The host management VLAN subnet over HTTPS and SSH.
  + The management VLAN subnet over HTTPS and SSH.

For more information, see [Configure DNS and NTP servers using the VPC DHCP option set](getting-started.md#getting-started-config-dns-ntp-dhcp).
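The following Python script is an added example, not code from the AWS documentation: it checks a planned set of VCF appliance and EVS host records against the DNS and DHCP option set requirements above (two DNS servers, domain name, NTP server, matching A and PTR records, no duplicate hostnames or IP addresses, valid FQDN characters). The zone and option set data are constructed in-memory models; the hostnames are invented placeholders, while the domain and addresses follow the checklist examples.

```python
"""Offline consistency check of the DNS and DHCP prerequisites listed above.

Added example, not code from AWS documentation. The forward zone, reverse zone
and DHCP option set are constructed in-memory models, so nothing is queried.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed DHCP option set mirroring the checklist requirements.
EXAMPLE_DHCP_OPTIONS: Dict[str, List[str]] = {
    "domain-name": ["evs.local"],
    "domain-name-servers": ["10.1.1.10", "10.1.5.25"],
    "ntp-servers": ["169.254.169.123"],
}

# Planned VCF appliances and EVS hosts (hostnames are invented placeholders).
EXAMPLE_HOSTS: List[Tuple[str, str]] = [
    ("sddc-manager.evs.local", "10.1.6.10"),
    ("vcenter.evs.local", "10.1.6.11"),
    ("nsx-manager.evs.local", "10.1.6.12"),
    ("esx01.evs.local", "10.1.1.11"),
    ("esx02.evs.local", "10.1.1.12"),
]

# Forward zone (A records) and reverse zone (PTR records) as published.
EXAMPLE_A_RECORDS: Dict[str, str] = {fqdn: ip for fqdn, ip in EXAMPLE_HOSTS}
EXAMPLE_PTR_RECORDS: Dict[str, str] = {
    ipaddress.IPv4Address(ip).reverse_pointer: fqdn for fqdn, ip in EXAMPLE_HOSTS
}

# Checklist rule: alphanumerics, '-' and '.' as the label delimiter only.
FQDN_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")


def check_evs_dns(hosts: List[Tuple[str, str]], a_records: Dict[str, str],
                  ptr_records: Dict[str, str],
                  dhcp_options: Dict[str, List[str]]) -> List[str]:
    """Return findings; an empty list means every requirement is satisfied."""
    findings: List[str] = []

    # 1. DHCP option set: primary + secondary DNS, domain name, NTP server.
    if len(dhcp_options.get("domain-name-servers", [])) < 2:
        findings.append("DHCP option set needs a primary and a secondary DNS server")
    if not dhcp_options.get("domain-name"):
        findings.append("DHCP option set needs the DNS domain name")
    if not dhcp_options.get("ntp-servers"):
        findings.append("DHCP option set needs an NTP server")

    # 2. No duplicate hostnames or IP addresses anywhere in the plan.
    names = [h.lower() for h, _ in hosts]
    ips = [ip for _, ip in hosts]
    for n in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"hostname {n} is planned more than once")
    for ip in sorted({ip for ip in ips if ips.count(ip) > 1}):
        findings.append(f"IP {ip} is planned for more than one hostname")

    # 3. Every host needs an A record and a PTR record that agree with the plan.
    for fqdn, ip in hosts:
        if not FQDN_RE.fullmatch(fqdn):
            findings.append(f"{fqdn} contains characters other than alphanumerics, '-' and '.'")
        a = a_records.get(fqdn)
        if a is None:
            findings.append(f"missing A record for {fqdn}")
        elif a != ip:
            findings.append(f"A record for {fqdn} is {a}, expected {ip}")
        ptr = ptr_records.get(ipaddress.IPv4Address(ip).reverse_pointer)
        if ptr is None:
            findings.append(f"missing PTR record for {ip} ({fqdn})")
        elif ptr.rstrip(".").lower() != fqdn.lower():
            findings.append(f"PTR for {ip} is {ptr}, expected {fqdn}")
    return findings


if __name__ == "__main__":
    result = check_evs_dns(EXAMPLE_HOSTS, EXAMPLE_A_RECORDS,
                           EXAMPLE_PTR_RECORDS, EXAMPLE_DHCP_OPTIONS)
    print("findings:", result or "none")
```

Feed it the records you actually intend to publish (for example, exported from your DNS server) to catch a missing PTR or a reused address before the deployment does.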

## Create and configure VPC Route Server infrastructure
<a name="route-server"></a>

Amazon EVS uses Amazon VPC Route Server to enable BGP-based dynamic routing to your VPC underlay network. You must specify a route server that shares routes to at least two route server endpoints in the service access subnet. The peer ASN configured on the route server peers must match, and the peer IP addresses must be unique.

**Important**  
Your environment deployment fails if you don’t meet these Amazon EVS requirements for VPC Route Server configuration:  
+ You must configure at least two route server endpoints in the service access subnet.
+ When configuring Border Gateway Protocol (BGP) for the Tier-0 gateway, the VPC Route Server peer ASN value must match the NSX Edge peer ASN value.
+ When creating the two route server peers, you must use a unique IP address from the NSX uplink VLAN for each endpoint. These two IP addresses will be assigned to the NSX edges during Amazon EVS environment deployment.
+ When enabling Route Server propagation, you must ensure that all route tables being propagated have at least one explicit subnet association. BGP route advertisement fails if propagated route tables do not have an explicit subnet association.

**Note**  
For Route Server peer liveness detection, Amazon EVS only supports the default BGP keepalive mechanism. Amazon EVS does not support multi-hop Bidirectional Forwarding Detection (BFD).

### Prerequisites
<a name="evs-env-rs-prereq"></a>

Before you begin, you need:
+ A VPC subnet for your route server.
+ IAM permissions to manage VPC Route Server resources.
+ A BGP ASN value for route server (Amazon-side ASN). This value must be in the range of 1-4294967295.
+ A peer ASN to peer your route server with the NSX Tier-0 gateway. Peer ASN values entered in the route server and NSX Tier-0 gateway must match. The default ASN for an NSX Edge appliance is 65000.

### Steps
<a name="evs-env-rs-steps"></a>

For steps to set up VPC Route Server, see the [Route Server get started tutorial](https://docs.aws.amazon.com/vpc/latest/userguide/route-server-tutorial.html).

**Note**  
If you are using a NAT gateway or a transit gateway, ensure that your route server is configured correctly to propagate NSX routes to the VPC route table(s).

**Note**  
We recommend that you enable persistent routes for the route server instance with a persist duration between 1-5 minutes. If enabled, routes will be preserved in the route server’s routing database even if all BGP sessions end.

**Note**  
BGP connectivity status will be down until the Amazon EVS environment is deployed and operational.
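The following Python preflight check is an added example, not code from the AWS documentation or the AWS SDK: it applies the Route Server requirements and notes above (Amazon-side ASN range, two endpoints in the service access subnet, unique peer IPs taken from the NSX uplink VLAN, peer ASN matching the NSX Tier-0 ASN, BGP keepalive rather than BFD, explicit subnet associations on propagated route tables, a 1-5 minute persist duration) to a constructed description of the intended setup. The plan layout, field names and IDs are assumptions of this example, not AWS API shapes.

```python
"""Preflight check for the VPC Route Server requirements listed above.

Added example, not code from AWS documentation or the AWS SDK. The plan is a
constructed description of the intended setup (one peer per endpoint, the
route tables to propagate into); nothing is fetched from an AWS account.
"""
import ipaddress
from typing import Any, Dict, List

NSX_EDGE_DEFAULT_ASN = 65000              # default ASN of an NSX Edge appliance
AMAZON_ASN_MIN, AMAZON_ASN_MAX = 1, 4_294_967_295
PERSIST_MIN, PERSIST_MAX = 1, 5           # recommended persist duration, minutes

# Constructed plan; IDs are placeholders in the style of the checklist examples.
EXAMPLE_PLAN: Dict[str, Any] = {
    "amazon_side_asn": 64512,
    "nsx_tier0_asn": NSX_EDGE_DEFAULT_ASN,
    "service_access_subnet_id": "subnet-abcdef1234567890e",
    "nsx_uplink_vlan_cidr": "10.1.8.0/24",
    # Each endpoint carries one peer; peer IPs come from the NSX uplink VLAN.
    # "liveness" is this model's own field: "bgp-keepalive" or "bfd".
    "endpoints": [
        {"id": "rse-1EXAMPLE", "subnet_id": "subnet-abcdef1234567890e",
         "peer_ip": "10.1.8.10", "peer_asn": 65000, "liveness": "bgp-keepalive"},
        {"id": "rse-2EXAMPLE", "subnet_id": "subnet-abcdef1234567890e",
         "peer_ip": "10.1.8.11", "peer_asn": 65000, "liveness": "bgp-keepalive"},
    ],
    "propagated_route_tables": [
        {"id": "rtb-mainEXAMPLE",
         "explicit_subnet_associations": ["subnet-abcdef1234567890e"]},
    ],
    "persist_routes_minutes": 5,
}


def check_route_server_plan(plan: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the plan meets every requirement."""
    findings: List[str] = []
    asn = plan["amazon_side_asn"]
    if not AMAZON_ASN_MIN <= asn <= AMAZON_ASN_MAX:
        findings.append(f"Amazon-side ASN {asn} is outside 1-4294967295")

    endpoints = plan["endpoints"]
    in_service_access = [e for e in endpoints
                         if e["subnet_id"] == plan["service_access_subnet_id"]]
    if len(in_service_access) < 2:
        findings.append("fewer than two route server endpoints in the service access subnet")

    uplink = ipaddress.IPv4Network(plan["nsx_uplink_vlan_cidr"])
    peer_ips = [ipaddress.IPv4Address(e["peer_ip"]) for e in endpoints]
    if len(set(peer_ips)) != len(peer_ips):
        findings.append("route server peer IP addresses are not unique")
    for e, ip in zip(endpoints, peer_ips):
        # The peer address must be a usable host address inside the NSX uplink VLAN.
        if ip not in uplink or ip in (uplink.network_address, uplink.broadcast_address):
            findings.append(f"{e['id']}: peer IP {ip} is not a usable address in NSX uplink VLAN {uplink}")
        if e["peer_asn"] != plan["nsx_tier0_asn"]:
            findings.append(f"{e['id']}: peer ASN {e['peer_asn']} does not match NSX Tier-0 ASN {plan['nsx_tier0_asn']}")
        if e.get("liveness") != "bgp-keepalive":
            findings.append(f"{e['id']}: only default BGP keepalive liveness is supported, not multi-hop BFD")

    for rt in plan["propagated_route_tables"]:
        if not rt["explicit_subnet_associations"]:
            findings.append(f"{rt['id']}: propagated route table has no explicit subnet association")

    persist = plan.get("persist_routes_minutes")
    if persist is None or not PERSIST_MIN <= persist <= PERSIST_MAX:
        findings.append("recommended: enable persistent routes with a 1-5 minute persist duration")
    return findings


if __name__ == "__main__":
    print("findings:", check_route_server_plan(EXAMPLE_PLAN) or "none")
```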

## Create a transit gateway for on-premises connectivity
<a name="transit-gateway"></a>

You can configure connectivity for your on-premises data center to your AWS infrastructure using Direct Connect with an associated transit gateway, or using an AWS Site-to-Site VPN attachment to a transit gateway. For more information, see [Configure on-premises network connectivity (optional)](getting-started.md#getting-started-connect-on-prem).

## Create an Amazon EC2 Capacity Reservation
<a name="ec2-future-capacity-reservation"></a>

Amazon EVS launches Amazon EC2 i4i.metal instances that represent ESX hosts in your Amazon EVS environment. To ensure that you have sufficient i4i.metal instance capacity available when you need it, we recommend that you request an Amazon EC2 Capacity Reservation. You can create a Capacity Reservation at any time, and you can choose when it starts. You can request a Capacity Reservation for immediate use, or you can request a Capacity Reservation for a future date. For more information, see [Reserve compute capacity with EC2 On-Demand Capacity Reservations](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-capacity-reservations.html) in the *Amazon Elastic Compute Cloud User Guide*.

## Set up the AWS CLI
<a name="set-up-cli"></a>

The AWS CLI is a command line tool for working with AWS services, including Amazon EVS. It is also used to authenticate IAM users or roles for access to the Amazon EVS virtualization environment and other AWS resources from your local machine. To provision AWS resources from the command line, you need to obtain an AWS access key ID and secret key to use in the command line. Then you need to configure these credentials in the AWS CLI. For more information, see [Set up the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html) in the * AWS Command Line Interface User Guide for Version 2*.

## Create an Amazon EC2 key pair
<a name="create-ec2-key-pair"></a>

Amazon EVS uses an Amazon EC2 key pair that you provide during environment creation to connect to your hosts. To create a key pair, follow the steps on [Create a key pair for your Amazon EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html) in the *Amazon Elastic Compute Cloud User Guide*.

## Prepare your environment for VMware Cloud Foundation (VCF)
<a name="setting-up-vcf"></a>

Before you deploy your Amazon EVS environment, your environment must meet VMware Cloud Foundation (VCF) infrastructure requirements. For detailed VCF prerequisites, see the [Planning and Preparation Workbook](https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-5-2-and-earlier/5-2/planning-and-preparation-workbook-5-2.html) in the VMware Cloud Foundation product documentation.

You should also familiarize yourself with VCF 5.2.x requirements. See the [VCF 5.2.x release notes](https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-5-2-and-earlier/5-2/vcf-release-notes.html) for relevant release information.

**Note**  
For information about VCF versions provided by Amazon EVS, see [VCF versions and EC2 instance types provided by Amazon EVS](versions-provided.md).

## Acquire VCF license keys
<a name="setting-up-vcf-licensing"></a>

To use Amazon EVS, you need to provide a VCF solution key and a vSAN license key. The VCF solution key must have at least 256 cores. The vSAN license key must have at least 110 TiB of vSAN capacity. For more information about VCF licenses, see [Managing License Keys in VMware Cloud Foundation](https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-5-2-and-earlier/5-2/map-for-administering-vcf-5-2/license-management-admin.html) in the *VMware Cloud Foundation Administration Guide*.

**Important**  
Use the SDDC Manager user interface to manage VCF solution and vSAN license keys. Amazon EVS requires that you maintain valid VCF solution and vSAN license keys in SDDC Manager for the service to function properly.

**Note**  
Your VCF license will be available to Amazon EVS across all AWS Regions for license compliance. Amazon EVS does not validate license keys. To validate license keys, visit [Broadcom support](https://support.broadcom.com/web/ecx).

## VMware HCX prerequisites
<a name="hcx-prereqs"></a>

You can use VMware HCX to migrate your existing VMware-based workloads to Amazon EVS. Before you use VMware HCX with Amazon EVS, make sure that the following prerequisite tasks have been completed.

**Note**  
VMware HCX is not installed in the EVS environment by default.

+ Before you can use VMware HCX with Amazon EVS, minimum network underlay requirements must be met. For more information, see [Network Underlay Minimum Requirements](https://techdocs.broadcom.com/us/en/vmware-cis/hcx/vmware-hcx/4-11/vmware-hcx-user-guide-4-11/preparing-for-hcx-installations/network-underlay-minimum-requirements.html) in the *VMware HCX User Guide*.
+ Confirm that VMware NSX is installed and configured in the environment. For more information, see the [VMware NSX Installation Guide](https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/installation-guide.html).
+ Ensure that VMware HCX is activated and installed in the environment. For more information about activating and installing VMware HCX, see [About Getting Started with VMware HCX](https://techdocs.broadcom.com/us/en/vmware-cis/hcx/vmware-hcx/4-11/getting-started-with-vmware-hcx-4-11/about-getting-started-with-vmware-hcx.html) in the *Getting Started with VMware HCX Guide*.
+ If you need HCX internet connectivity, you must complete the following prerequisite tasks:
  + Ensure that your IPAM quota for Amazon-provided contiguous public IPv4 CIDR block netmask length is /28 or greater.
    **Important**  
    For HCX internet connectivity, Amazon EVS requires use of an IPv4 CIDR block from a public IPAM pool with a netmask length of /28 or greater. Use of any CIDR block with a netmask length smaller than /28 will result in HCX connectivity issues. For more information about increasing IPAM quotas, see [Quotas for your IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/quotas-ipam.html).
  + Create an IPAM and a public IPv4 IPAM pool with a CIDR that has a minimum netmask length of /28.
  + Allocate at least two Elastic IP addresses (EIPs) from the IPAM pool for the HCX Manager and HCX Interconnect (HCX-IX) appliances. Allocate an additional Elastic IP address for each HCX network appliance that you need to deploy.
  + Add the public IPv4 CIDR block as an additional CIDR to your VPC.

For more information about HCX setup, see [Choose your HCX connectivity option](getting-started.md#hcx-connectivity-choice) and [HCX connectivity options](migrate-evs-hcx.md#migrate-evs-hcx-connectivity).

# Amazon EVS deployment prerequisite checklist
<a name="evs-deployment-prereq-checklist"></a>

This section contains a list of prerequisites that must be completed to enable successful Amazon EVS environment deployment.


**VCF license key information**  

| Component | Description | Minimum requirements | Example value(s) | 
| --- | --- | --- | --- | 
|  Site ID  |  Site ID provided by Broadcom for access to the Broadcom support portal.  |  Must provide a Site ID from Broadcom in the EVS environment creation request.  |  01234567  | 
|  VCF solution key  |  A single VCF license key that unlocks features of the entire VCF stack, including vSphere, NSX, SDDC Manager, and vCenter Server.  |  Must provide a valid active VCF solution key in the EVS environment creation request. Key cannot already be in use by an existing EVS environment.  |  ABCDE-FGHIJ-KLMNO-PQRSTU-VWXYZ  | 
|  vSAN license key  |  A vSAN license key allows you to activate and use the vSAN software within a VCF environment.  |  Must provide a valid active vSAN license key in the EVS environment creation request. Key cannot already be in use by an existing EVS environment.  |  ABCDE-FGHIJ-KLMNO-PQRSTU-VWXYZ  | 


**AWS account and Region information**  

| Component | Description | Minimum requirements | Example value(s) | 
| --- | --- | --- | --- | 
|  AWS account ID number  |  The AWS account allows you to create and manage AWS resources and access AWS services.  |  Must have access to an AWS account.  |  999999999999  | 
|  AWS Region  |  A physical geographic area where AWS maintains multiple isolated data centers called Availability Zones.  |  Must specify an AWS Region for Amazon EVS to deploy into. For a list of Regions where Amazon EVS is currently available, see [Amazon Elastic VMware Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/evs.html) in the *AWS General Reference Guide*.  |  US West (Oregon)  | 


**AWS Transit Gateway for on-premises data center connectivity**  

| Component | Description | Minimum requirements | Example value(s) | 
| --- | --- | --- | --- | 
|  transit gateway ID  |  A transit gateway acts as a Regional virtual router for traffic flowing between your VPC and on-premises networks.  |  Must use a transit gateway to connect an Amazon EVS environment to your on-premises networks.  |  tgw-0262a0e521EXAMPLE  | 
|  Connectivity method  |  To connect your on-premises networks to an Amazon EVS environment, you must use a transit gateway with AWS Direct Connect or AWS Site-to-Site VPN.  |  Determine if you will use AWS Direct Connect, AWS Site-to-Site VPN, or a combination of both. For more information about using Site-to-Site VPN with Direct Connect, see [Private IP AWS Site-to-Site VPN with AWS Direct Connect](https://docs.aws.amazon.com/vpn/latest/s2svpn/private-ip-dx.html).  |   AWS Site-to-Site VPN with AWS Direct Connect  | 


**VPC for Amazon EVS environment**  

| Component | Description | Minimum requirements | Example value(s) | 
| --- | --- | --- | --- | 
|  VPC ID  |  A VPC is a virtual network that closely resembles a traditional network that you’d operate in your own data center.  |  Any Amazon VPC may be used for environment deployment.  |  vpc-0abcdef1234567890  | 
|  VPC CIDR block  |  In Amazon VPC, a CIDR block defines the range of IP addresses available within your VPC.  |  An RFC 1918 CIDR block with a minimum size of /22 netmask. The VPC CIDR block must be appropriately sized to accommodate all of the EVS subnets and hosts to be deployed in your VPC. This CIDR block should be unique across your environments.  |  10.1.0.0/20  | 


**VPC subnets for EVS environment**  

| Component | Description | Minimum requirements | Example value(s) | 
| --- | --- | --- | --- | 
|  service access subnet ID  |  A service access subnet is a standard VPC subnet that enables Amazon EVS service access. For more information, see [Service access subnet](concepts.md#concepts-service-access-subnet).  |  Any VPC subnet may be used, provided that the subnet is appropriately sized within the VPC. We suggest specifying a VPC subnet CIDR block with a netmask of /24.  |  subnet-abcdef1234567890e  | 
|  service access subnet CIDR  |  A VPC subnet CIDR block is a range of IP addresses, defined using CIDR notation, that is allocated to a specific subnet within a VPC.  |  The service access subnet must be appropriately sized to also accommodate the other EVS subnets and hosts to be deployed in your VPC. We suggest specifying a VPC subnet CIDR block with a netmask of /24.  |  10.1.0.0/24  | 
|  AWS Availability Zone ID within the Region  |  A distinct location within an AWS Region that is designed to be isolated from failures in other AZs and consists of one or more data centers.  |  You can specify the Availability Zone that VPC subnets deploy into during subnet creation. For more information, see [Create a subnet](https://docs.aws.amazon.com/vpc/latest/userguide/create-subnets.html) in the *Amazon VPC User Guide*.  |  us-west-2a  | 


**EVS VLAN subnets for EVS environment**  

| Component | Description | Minimum requirements | Example value(s) | 
| --- | --- | --- | --- | 
|  Host management VLAN CIDR  |  The CIDR block for the host management VLAN subnet. For more information, see [Host management VLAN subnet](concepts.md#concepts-evs-vmkernel-management-vlan).  |  Must have a minimum size of /28 netmask and a maximum size of /24 netmask. Must not overlap with any existing CIDR block that’s associated with the VPC.  |  10.1.1.0/24  | 
|  vMotion VLAN CIDR  |  The CIDR block for the vMotion VLAN subnet. For more information, see [vMotion VLAN subnet](concepts.md#concepts-evs-vmotion-vlan-subnet).  |  Must be the same size as the host management VLAN.  |  10.1.2.0/24  | 
|  vSAN VLAN CIDR  |  The CIDR block for the vSAN VLAN subnet. For more information, see [vSAN VLAN subnet](concepts.md#concepts-evs-vsan-vlan-subnet).  |  Must be the same size as the host management VLAN.  |  10.1.3.0/24  | 
|  VTEP VLAN CIDR  |  The CIDR block for the VTEP VLAN subnet. For more information, see [VTEP VLAN subnet](concepts.md#concepts-evs-vtep-vlan-subnet).  |  Must be the same size as the host management VLAN.  |  10.1.4.0/24  | 
|  Edge VTEP VLAN CIDR  |  The CIDR block for the edge VTEP VLAN subnet. For more information, see [Edge VTEP VLAN subnet](concepts.md#concepts-evs-edge-vtep-vlan-subnet).  |  Must have a minimum size of /28 netmask and a maximum size of /24 netmask. Must not overlap with any existing CIDR block that’s associated with the VPC.  |  10.1.5.0/24  | 
|  Management VM VLAN CIDR  |  The CIDR block for the Management VM VLAN subnet. For more information, see [Management VM VLAN subnet](concepts.md#concepts-evs-edge-vm-mgmt-vlan-subnet).  |  Must have a minimum size of /28 netmask and a maximum size of /24 netmask. Must not overlap with any existing CIDR block that’s associated with the VPC.  |  10.1.6.0/24  | 
|  HCX uplink VLAN CIDR  |  The CIDR block for the HCX uplink VLAN subnet. For more information, see [HCX uplink VLAN subnet](concepts.md#concepts-evs-hcx-uplink-vlan-subnet).  |  Must have a minimum size of /28 netmask and a maximum size of /24 netmask. Must not overlap with any existing CIDR block that’s associated with the VPC.  |  10.1.7.0/24  | 
|  NSX uplink VLAN CIDR  |  The CIDR block for the NSX uplink VLAN subnet. For more information, see [NSX uplink VLAN subnet](concepts.md#concepts-evs-nsx-uplink-vlan-subnet).  |  Must have a minimum size of /28 netmask and a maximum size of /24 netmask. Must not overlap with any existing CIDR block that’s associated with the VPC.  |  10.1.8.0/24  | 
|  Expansion VLAN 1 CIDR  |  CIDR block for the expansion VLAN subnet. For more information, see [Expansion VLAN subnet](concepts.md#concepts-evs-expansion-vlan-subnet).  |  Must have a minimum size of /28 netmask and a maximum size of /24 netmask. Must not overlap with any existing CIDR block that’s associated with the VPC.  |  10.1.9.0/24  | 
|  Expansion VLAN 2 CIDR  |  CIDR block for the expansion VLAN subnet. For more information, see [Expansion VLAN subnet](concepts.md#concepts-evs-expansion-vlan-subnet).  |  Must have a minimum size of /28 netmask and a maximum size of /24 netmask. Must not overlap with any existing CIDR block that’s associated with the VPC.  |  10.1.10.0/24  | 
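The size and overlap rules in the table above are easy to get wrong when a plan is assembled by hand. The following checker is an added example, not Amazon EVS or AWS code: it validates a VLAN CIDR plan against those rules with the standard `ipaddress` module. The existing VPC CIDR (`10.0.0.0/16`) and host management VLAN (`10.1.0.0/24`) are assumed sample values, since that row belongs to the preceding table, and the pairwise no-overlap check between VLAN subnets is an added sanity check beyond what the table states.

```python
import ipaddress
from itertools import combinations

# Rules from the VLAN CIDR table: vSAN and VTEP match the host management VLAN size,
# every other VLAN is a /28 to /24 and must not overlap an existing VPC CIDR.
SAME_SIZE_AS_HOST_MGMT = {"vSAN", "VTEP"}
SMALLEST, LARGEST = 28, 24  # smallest allowed netmask /28, largest allowed /24

def validate_vlan_plan(existing_vpc_cidrs, host_mgmt_cidr, vlan_cidrs):
    """vlan_cidrs: VLAN name -> CIDR string. Returns a list of rule violations (empty = plan passes)."""
    problems = []
    existing = [ipaddress.ip_network(c) for c in existing_vpc_cidrs]
    host_mgmt = ipaddress.ip_network(host_mgmt_cidr)
    nets = {}
    for name, cidr in vlan_cidrs.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: rejects host bits set, e.g. 10.1.5.1/24
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if net.version != 4:
            problems.append(f"{name}: {net} is not IPv4; Amazon EVS only supports IPv4")
            continue
        nets[name] = net
        if name in SAME_SIZE_AS_HOST_MGMT:
            if net.prefixlen != host_mgmt.prefixlen:
                problems.append(f"{name}: must be a /{host_mgmt.prefixlen} like the host "
                                f"management VLAN, got /{net.prefixlen}")
            continue
        if not LARGEST <= net.prefixlen <= SMALLEST:
            problems.append(f"{name}: /{net.prefixlen} is outside the allowed /24 to /28 range")
        for vpc_cidr in existing:
            if net.overlaps(vpc_cidr):
                problems.append(f"{name}: {net} overlaps existing VPC CIDR {vpc_cidr}")
    # Added sanity check beyond the table: no two VLAN subnets may overlap each other.
    for (a, na), (b, nb) in combinations(sorted(nets.items()), 2):
        if na.overlaps(nb):
            problems.append(f"{a} and {b} overlap: {na} / {nb}")
    return problems

# Constructed plan built from the example values in the table above.
EXAMPLE_PLAN = {
    "vSAN": "10.1.3.0/24", "VTEP": "10.1.4.0/24", "Edge VTEP": "10.1.5.0/24",
    "Management VM": "10.1.6.0/24", "HCX uplink": "10.1.7.0/24", "NSX uplink": "10.1.8.0/24",
    "Expansion 1": "10.1.9.0/24", "Expansion 2": "10.1.10.0/24",
}

if __name__ == "__main__":
    # Assumed values: existing VPC CIDR 10.0.0.0/16, host management VLAN 10.1.0.0/24.
    for problem in validate_vlan_plan(["10.0.0.0/16"], "10.1.0.0/24", EXAMPLE_PLAN):
        print(problem)
```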


**DNS and NTP infrastructure**  

| Component | Description | Minimum requirements | Example value(s) | 
| --- | --- | --- | --- | 
|  Primary DNS server IP address  |  The main domain name system (DNS) server used as the source of truth for all of the domain’s DNS records.  |  You can use any valid, unused IPv4 address within the usable host range.  |  10.1.1.10  | 
|  Secondary DNS server IP address  |  A backup DNS server for the domain’s DNS records.  |  You can use any valid, unused IPv4 address within the usable host range.  |  10.1.5.25  | 
|  NTP server IP address  |  A network time protocol (NTP) server is a device or application that synchronizes clocks within a network using the NTP standard.  |  You can use the default Amazon Time Sync Service with the local `169.254.169.123` IP address, or another NTP server IP address.  |  169.254.169.123 (Amazon Time Sync Service)  | 
|  FQDN for VCF deployment  |  A fully qualified domain name (FQDN) is the absolute name of a device on a network. An FQDN consists of a hostname and domain name.  |  An FQDN can only contain alphanumeric characters, the minus sign (-), and periods that are used as a delimiter between labels. Must be a unique FQDN that is valid and unexpired.  |  evs.local  | 


**VPC DHCP option set**  

| Component | Description | Minimum requirements | Example value(s) | 
| --- | --- | --- | --- | 
|  DHCP option set ID  |  A DHCP option set is a group of network settings used by resources in your VPC, such as EC2 instances, to communicate over your virtual network.  |  Must contain a minimum of 2 DNS servers. You can use Route 53 or custom DNS servers. Must also contain your DNS domain name and an NTP server.  |  dopt-0a1b2c3d  | 


**EC2 key pair**  

| Component | Description | Minimum requirements | Example value(s) | 
| --- | --- | --- | --- | 
|  EC2 key pair name  |  An EC2 key pair is a set of security credentials used to securely connect to an Amazon EC2 instance.  |  Key pair name must be unique.  |   `my-ec2-key-pair`   | 


**VPC route tables**  

| Component | Description | Minimum requirements | Example value(s) | 
| --- | --- | --- | --- | 
|  main route table ID  |  In Amazon VPC, the main route table is the default route table automatically created with the VPC, and governs traffic for any VPC subnets that aren’t explicitly associated with a different route table. EVS VLAN subnets are implicitly associated to your VPC’s main route table when Amazon EVS creates them.  |  Must be configured to enable connectivity to dependent services such as DNS or on-premises systems for environment deployment to be successful.  |  rtb-0123456789abcdef0  | 


**Network access control list (ACL)**  

| Component | Description | Minimum requirements | Example value(s) | 
| --- | --- | --- | --- | 
|  Network ACL ID  |  A network access control list (ACL) allows or denies inbound or outbound traffic at the subnet level.  |  Must allow Amazon EVS to communicate with: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/evs/latest/userguide/evs-deployment-prereq-checklist.html)  |  acl-0f62c640e793a38a3  | 


**DNS records for VCF components**  

| Component | Description | Minimum requirements | Example IP address | Example hostname | 
| --- | --- | --- | --- | --- | 
|  ESX host 1  |  IP address and hostname defined in the A record and PTR record for ESX host 1.  |  Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each ESX host in each EVS deployment.  |  10.1.0.10  |  esxi01  | 
|  ESX host 2  |  IP address and hostname defined in the A record and PTR record for ESX host 2.  |  Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each ESX host in each EVS deployment.  |  10.1.0.11  |  esxi02  | 
|  ESX host 3  |  IP address and hostname defined in the A record and PTR record for ESX host 3.  |  Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each ESX host in each EVS deployment.  |  10.1.0.12  |  esxi03  | 
|  ESX host 4  |  IP address and hostname defined in the A record and PTR record for ESX host 4.  |  Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each ESX host in each EVS deployment.  |  10.1.0.13  |  esxi04  | 
|  vCenter Server appliance  |  IP address and hostname defined in the A record and PTR record for the vCenter Server appliance.  |  Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.  |  10.1.5.10  |  vc01  | 
|  NSX Manager cluster  |  IP address and hostname defined in the A record and PTR record for the NSX Manager cluster.  |  Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.  |  10.1.5.11  |  nsx  | 
|  SDDC Manager appliance  |  IP address and hostname defined in the A record and PTR record for the SDDC Manager appliance.  |  Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.  |  10.1.5.12  |  sddcm01  | 
|  Cloud Builder appliance  |  IP address and hostname defined in the A record and PTR record for the Cloud Builder appliance.  |  Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.  |  10.1.5.13  |  cb01  | 
|  NSX Edge 1 appliance  |  IP address and hostname defined in the A record and PTR record for the NSX Edge 1 appliance.  |  Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.  |  10.1.5.14  |  edge01  | 
|  NSX Edge 2 appliance  |  IP address and hostname defined in the A record and PTR record for the NSX Edge 2 appliance.  |  Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.  |  10.1.5.15  |  edge02  | 
|  NSX Manager 1 appliance  |  IP address and hostname defined in the A record and PTR record for the NSX Manager 1 appliance.  |  Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.  |  10.1.5.16  |  nsx01  | 
|  NSX Manager 2 appliance  |  IP address and hostname defined in the A record and PTR record for the NSX Manager 2 appliance.  |  Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.  |  10.1.5.17  |  nsx02  | 
|  NSX Manager 3 appliance  |  IP address and hostname defined in the A record and PTR record for the NSX Manager 3 appliance.  |  Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.  |  10.1.5.18  |  nsx03  | 
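A deployment fails late if any of the A or PTR records above is missing or the two do not agree, so it pays to verify the zones before creating the environment. The following is an added example, not AWS or VMware code: it checks a forward zone and a reverse zone for every component in the table, using the example hostnames and addresses under the `evs.local` domain. The zone contents are constructed in-memory samples; in practice you would export them from your DNS server (Route 53 or custom).

```python
import ipaddress

# Constructed from the example IP addresses and hostnames in the DNS records table.
DOMAIN = "evs.local"
REQUIRED_HOSTS = {
    "esxi01": "10.1.0.10", "esxi02": "10.1.0.11", "esxi03": "10.1.0.12", "esxi04": "10.1.0.13",
    "vc01": "10.1.5.10", "nsx": "10.1.5.11", "sddcm01": "10.1.5.12", "cb01": "10.1.5.13",
    "edge01": "10.1.5.14", "edge02": "10.1.5.15",
    "nsx01": "10.1.5.16", "nsx02": "10.1.5.17", "nsx03": "10.1.5.18",
}

def check_dns_records(required, a_records, ptr_records, domain=DOMAIN):
    """required: hostname -> expected IP (from the checklist).
    a_records: FQDN -> IP as served by the forward lookup zone.
    ptr_records: reverse name (e.g. '10.0.1.10.in-addr.arpa') -> FQDN from the reverse zone.
    Returns a list of problems; an empty list means every component has a consistent A/PTR pair."""
    problems = []
    for host, expected_ip in required.items():
        fqdn = f"{host}.{domain}"
        ip = a_records.get(fqdn)
        if ip is None:
            problems.append(f"missing A record for {fqdn}")
            continue
        if ip != expected_ip:
            problems.append(f"A record {fqdn} -> {ip}, expected {expected_ip}")
        rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. 10.0.1.10.in-addr.arpa
        ptr_target = ptr_records.get(rev)
        if ptr_target is None:
            problems.append(f"missing PTR record {rev} for {fqdn}")
        elif ptr_target.rstrip(".").lower() != fqdn.lower():
            problems.append(f"PTR {rev} -> {ptr_target} does not map back to {fqdn}")
    return problems

def build_sample_zones(required, domain=DOMAIN, drop_ptr=()):
    """Build matching forward and reverse zones from the checklist values.
    drop_ptr lists hostnames whose PTR is deliberately left out to show a failing check."""
    a = {f"{h}.{domain}": ip for h, ip in required.items()}
    ptr = {ipaddress.ip_address(ip).reverse_pointer: f"{h}.{domain}."
           for h, ip in required.items() if h not in drop_ptr}
    return a, ptr

if __name__ == "__main__":
    a_zone, ptr_zone = build_sample_zones(REQUIRED_HOSTS, drop_ptr=("esxi03",))
    for problem in check_dns_records(REQUIRED_HOSTS, a_zone, ptr_zone):
        print(problem)
```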


**VPC Route Server infrastructure**  

| Component | Description | Minimum requirements | Example value(s) | 
| --- | --- | --- | --- | 
|  route server ID  |  Amazon EVS uses Amazon VPC Route Server to enable BGP-based dynamic routing to your VPC underlay network.  |  You must specify a route server that shares routes to at least two route server endpoints in the service access subnet. The peer ASN configured on the route server and NSX Edge peer must match, and the peer IP addresses must be unique.  |  rs-0a1b2c3d4e5f67890  | 
|  route server association  |  The connection between a route server and a VPC.  |  Your route server must be associated to your VPC.  |  <pre>{<br />    "RouteServerAssociation": {<br />        "RouteServerId": "rs-0a1b2c3d4e5f67890",<br />        "VpcId": "vpc-1",<br />        "State": "associating"<br />    }<br />}</pre>  | 
|  BGP ASN of the VPC Route Server side (Amazon-side ASN)  |  The Amazon-side ASN represents the AWS side of the BGP session between the VPC route server and the NSX Edge peer. You specify this BGP ASN when creating the route server. For more information, see [Create a route server](https://docs.aws.amazon.com/vpc/latest/userguide/route-server-tutorial-create.html) in the *Amazon VPC User Guide*.  |  This value must be unique, and in the range of 1-4294967295. AWS recommends using a private ASN in the 64512–65534 (16-bit ASN) or 4200000000–4294967294 (32-bit ASN) range.  |  65001  | 
|  route server endpoint 1 ID  |  A route server endpoint is an AWS-managed component inside a subnet that facilitates BGP (Border Gateway Protocol) connections between your route server and your BGP peers.  |  Must deploy the route server endpoint into the service access subnet.  |  rse-0123456789abcdef0  | 
|  route server peer 1 ID  |  The route server peer is a BGP peering session between a route server endpoint and the device deployed in AWS (NSX Edge).  |  The peer ASN value specified in the route server peer must match the peer ASN value used for the NSX Edge Tier-0 gateway.  |  rsp-0123456789abcdef0  | 
|  route server peer 1 IP address (EVS NSX Edge 1 side)  |  The IP address of the route server peer (`PeerAddress`).  |  Must use a unique unused IP address from the NSX uplink VLAN. Amazon EVS will apply this IP address to NSX Edge 1 as part of the deployment and peer with the route server endpoint peer.  |  10.1.7.10  | 
|  route server peer 1 endpoint ENI address  |  The endpoint ENI IP address of the route server peer (`EndpointEniAddress`).  |  Automatically generated by route server on peer creation.  |  10.1.7.11  | 
|  route server endpoint 2 ID  |  A route server endpoint is an AWS-managed component inside a subnet that facilitates BGP (Border Gateway Protocol) connections between your route server and your BGP peers.  |  Must deploy the route server endpoint into the service access subnet.  |  rse-fedcba9876543210f  | 
|  route server peer 2 ID (EVS NSX Edge 2 side)  |  The route server peer is a BGP peering session between a route server endpoint and the device deployed in AWS (NSX Edge).  |  The peer ASN value specified in the route server peer must match the peer ASN value used for the NSX Edge Tier-0 gateway.  |  rsp-fedcba9876543210f  | 
|  route server peer 2 IP address  |  The IP address of the route server peer (`PeerAddress`).  |  Must use a unique IP address from the NSX uplink VLAN. Amazon EVS will apply this IP address to NSX Edge 2 as part of the deployment and peer with the route server endpoint peer.  |  10.1.7.200  | 
|  route server peer 2 endpoint ENI address  |  The endpoint ENI IP address of the route server peer (`EndpointEniAddress`).  |  Automatically generated by route server on peer creation.  |  10.1.7.201  | 
|  route server propagation  |  Route server propagation installs the routes in the FIB on the route table you’ve specified.  |  Must specify the route table associated with your service access subnet. Amazon EVS only supports IPv4 networking at this time.  |  <pre>{<br />    "RouteServerEndpoint": {<br />        "RouteServerId": "rs-1",<br />        "RouteServerEndpointId": "rse-1",<br />        "VpcId": "vpc-1",<br />        "SubnetId": "subnet-1",<br />        "State": "pending"<br />    }<br />}</pre>  | 
|  BGP ASN of the NSX peer side  |  BGP ASN for the NSX side of the connection.  |  Using the NSX default ASN 65000 is suggested.  |  65000  | 


**HCX internet access resources (Optional)**  

| Component | Description | Minimum requirements | Example value(s) | 
| --- | --- | --- | --- | 
|  IPAM ID  |  Amazon VPC IP Address Manager (IPAM) used to manage IP addresses for HCX internet access.  |  Must be configured to provide public IPv4 addresses. Required only for HCX internet access configuration.  |  ipam-0123456789abcdef0  | 
|  IPAM pool ID  |  An Amazon-owned public IPv4 IPAM pool that provides addresses for HCX components.  |  Must be configured as a public IPv4 pool. Required only for HCX internet access configuration.  |  ipam-pool-0123456789abcdef0  | 
|  HCX public VLAN CIDR block  |  A secondary public IPv4 CIDR block allocated from the IPAM pool for the HCX public VLAN subnet.  |  Must have a /28 netmask and be allocated from the Amazon-owned IPAM public pool. Required only for HCX internet access configuration.  |  18.97.137.0/28  | 
|  Elastic IP addresses  |  Sequential Elastic IP addresses allocated from the IPAM pool for HCX components.  |  Minimum of 3 EIPs from the same IPAM pool for HCX Manager, HCX Interconnect Appliance (HCX-IX), and HCX Network Extension (HCX-NE). Required only for HCX internet access configuration.  |  eipalloc-0123456789abcdef0, eipalloc-0123456789abcdef1, eipalloc-0123456789abcdef2  | 