Amazon EVS deployment prerequisite checklist

This section contains a list of prerequisites that must be completed to enable successful Amazon EVS environment deployment.

VCF license key information
Component	Description	Minimum requirements	Example value(s)
Site ID	Site ID provided by Broadcom for access to the Broadcom support portal.	Must provide a Site ID from Broadcom in the EVS environment creation request.	01234567
VCF solution key	A single VCF license key that unlocks features of the entire VCF stack, including vSphere, NSX, SDDC Manager, and vCenter Server.	Must provide a valid active VCF solution key in the EVS environment creation request. Key cannot already be in use by an existing EVS environment.	ABCDE-FGHIJ-KLMNO-PQRSTU-VWXYZ
vSAN license key	A vSAN license key allows you to activate and use the vSAN software within a VCF environment.	Must provide a valid active vSAN license key in the EVS environment creation request. Key cannot already be in use by an existing EVS environment.	ABCDE-FGHIJ-KLMNO-PQRSTU-VWXYZ

AWS account and Region information
Component	Description	Minimum requirements	Example value(s)
AWS account ID number	The AWS account allows you to create and manage AWS resources and access AWS services.	Must must have access to an AWS account.	999999999999
AWS Region	A physical geographic area where AWS maintains multiple isolated data centers called Availability Zones.	Must specify an AWS Region for Amazon EVS to deploy into. For a list of Regions where Amazon EVS is currently available, see Amazon Elastic VMware Service endpoints and quotas in the AWS General Reference Guide.	US West (Oregon)

AWS Transit Gateway for on-premises data center connectivity
Component	Description	Minimum requirements	Example value(s)
transit gateway ID	A transit gateway acts as a Regional virtual router for traffic flowing between your VPC and on-premises networks.	Must use a transit gateway to connect an Amazon EVS environment to your on-premises networks.	tgw-0262a0e521EXAMPLE
Connectivity method	To connect your on-premises networks to an Amazon EVS environment, you must use a transit gateway with AWS Direct Connect or AWS Site-to-Site VPN.	Determine if you will use AWS Direct Connect, AWS Site-to-Site VPN, or a combination of both. For more information about using Site-to-Site VPN with Direct Connect, see Private IP AWS Site-to-Site VPN with AWS Direct Connect.	AWS Site-to-Site VPN with AWS Direct Connect

VPC for Amazon EVS environment
Component	Description	Minimum requirements	Example value(s)
VPC ID	A VPC is a virtual network that closely resembles a traditional network that you’d operate in your own data center.	Any Amazon VPC may be used for environment deployment.	vpc-0abcdef1234567890
VPC CIDR block	In Amazon VPC, a CIDR block defines the range of IP addresses available within your VPC.	An RFC 1918 CIDR block with a minimum size of /22 netmask. The VPC CIDR block must be appropriately sized to accommodate all of the EVS subnets and hosts to be deployed in your VPC. This CIDR block should be unique across your environments.	10.1.0.0/20

VPC subnets for EVS environment
Component	Description	Minimum requirements	Example value(s)
service access subnet ID	A service access subnet is a standard VPC subnet that enables Amazon EVS service access. For more information, see Service access subnet.	Any VPC subnet may be used, provided that the subnet is appropriate sized within the VPC. We suggest specifying a VPC subnet CIDR block with a netmask of /24.	subnet-abcdef1234567890e
service access subnet CIDR	a VPC subnet CIDR block is a range of IP addresses, defined using CIDR notation, that is allocated to a specific subnet within a VPC.	The service access subnet must be appropriately sized to also accommodate the other EVS subnets and hosts to be deployed in your VPC. We suggest specifying a VPC subnet CIDR block with a netmask of /24.	10.1.0.0/24
AWS Availability Zone ID within the Region	A distinct location within an AWS Region, designed to be isolated from failures in other AZs, and consists of one or more data centers.	You can specify the Availability Zone that VPC subnets deploy into during subnet creation. For more information, see Create a subnet in the Amazon VPC User Guide.	us-west-2a

EVS VLAN subnets for EVS environment
Component	Description	Minimum requirements	Example value(s)
Host management VLAN CIDR	The CIDR block for the host management VLAN subnet. For more information, see Host management VLAN subnet.	Must have a minimum size of /28 netmask and a maximum size of /24 netmask. Must not overlap with any existing CIDR block that’s associated with the VPC.	10.1.1.0/24
vMotion VLAN CIDR	The CIDR block for the vMotion VLAN subnet. For more information, see vMotion VLAN subnet.	Must be the same size as the host management VLAN.	10.1.2.0/24
vSAN VLAN CIDR	The CIDR block for the vSAN VLAN subnet. For more information, see vSAN VLAN subnet.	Must be the same size as the host management VLAN.	10.1.3.0/24
VTEP VLAN CIDR	The CIDR block for the VTEP VLAN subnet. For more information, see VTEP VLAN subnet.	Must be the same size as the host management VLAN.	10.1.4.0/24
Edge VTEP VLAN CIDR	The CIDR block for the edge VTEP VLAN subnet. For more information, see Edge VTEP VLAN subnet.	Must have a minimum size of /28 netmask and a maximum size of /24 netmask. Must not overlap with any existing CIDR block that’s associated with the VPC.	10.1.5.0/24
Management VM VLAN CIDR	The CIDR block for the Management VM VLAN subnet. For more information, see Management VM VLAN subnet.	Must have a minimum size of /28 netmask and a maximum size of /24 netmask. Must not overlap with any existing CIDR block that’s associated with the VPC.	10.1.6.0/24
HCX uplink VLAN CIDR	The CIDR block for the HCX uplink VLAN subnet. For more information, see HCX uplink VLAN subnet.	Must have a minimum size of /28 netmask and a maximum size of /24 netmask. Must not overlap with any existing CIDR block that’s associated with the VPC.	10.1.7.0/24
NSX uplink VLAN CIDR	The CIDR block for the NSX uplink VLAN subnet. For more information, see NSX uplink VLAN subnet.	Must have a minimum size of /28 netmask and a maximum size of /24 netmask. Must not overlap with any existing CIDR block that’s associated with the VPC.	10.1.8.0/24
Expansion VLAN 1 CIDR	CIDR block for the expansion VLAN subnet. For more information, see Expansion VLAN subnet.	Must have a minimum size of /28 netmask and a maximum size of /24 netmask. Must not overlap with any existing CIDR block that’s associated with the VPC.	10.1.9.0/24
Expansion VLAN 2 CIDR	CIDR block for the expansion VLAN subnet. For more information, see Expansion VLAN subnet.	Must have a minimum size of /28 netmask and a maximum size of /24 netmask. Must not overlap with any existing CIDR block that’s associated with the VPC.	10.1.10.0/24

DNS and NTP infrastructure
Component	Description	Minimum requirements	Example value(s)
Primary DNS server IP address	The main domain name system (DNS) server used as the source of truth for all of the domain’s DNS records.	You can use any valid, unused IPv4 address within the usable host range.	10.1.1.10
Secondary DNS server IP address	A backup DNS server for the domain’s DNS records.	You can use any valid, unused IPv4 address within the usable host range.	10.1.5.25
NTP server IP address	A network time protocol (NTP) server is a device or application that synchronizes clocks within a network using the NTP standard.	You can use the default Amazon Time Sync Service with the local `169.254.169.123` IP address, or another NTP server IP address.	169.254.169.123 (Amazon Time Sync Service)
FQDN for VCF deployment	A fully qualified domain name (FQDN) is the absolute name of a device on a network. A FQDN consists of a hostname and domain name.	A FQDN can only contain alphanumeric characters, the minus sign (-), and periods that are used as a delimiter between labels. Must be a unique FQDN that is valid and unexpired.	evs.local

VPC DHCP option set
Component	Description	Minimum requirements	Example value(s)
DHCP option set ID	A DHCP option set is a group of network settings used by resources in your VPC, such as EC2 instances, to communicate over your virtual network.	Must contain a minimum of 2 DNS servers. You can use Route 53 or custom DNS servers. Must also contain your DNS domain name and an NTP server.	dopt-0a1b2c3d

EC2 key pair
Component	Description	Minimum requirements	Example value(s)
EC2 key pair name	An EC2 key pair is a set of security credentials used to securely connect to an Amazon EC2 instance.	Key pair name must be unique.	`my-ec2-key-pair`

VPC route tables
Component	Description	Minimum requirements	Example value(s)
main route table ID	In Amazon VPC, the main route table is the default route table automatically created with the VPC, and governs traffic for any VPC subnets that aren’t explicitly associated with a different route table. EVS VLAN subnets are implicitly associated to your VPC’s main route table when Amazon EVS creates them.	Must be configured to enable connectivity to dependent services such as DNS or on-premises systems for environment deployment to be successful.	rtb-0123456789abcdef0

Network access control list (ACL)
Component	Description	Minimum requirements	Example value(s)
Network ACL ID	A network access control list (ACL) allows or denies inbound or outbound traffic at the subnet level.	Must allow Amazon EVS to communicate with: DNS servers over TCP/UDP port 53. Host management VLAN subnet over HTTPS and SSH. Management VM VLAN subnet over HTTPS and SSH.	acl-0f62c640e793a38a3

DNS records for VCF components
Component	Description	Minimum requirements	Example IP address	Example hostname
ESXi host 1	IP address and hostname defined in the A record and PTR record for ESXi host 1.	Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each ESXi host in each EVS deployment.	10.1.0.10	esxi01
ESXi host 2	IP address and hostname defined in the A record and PTR record for ESXi host 2.	Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each ESXi host in each EVS deployment.	10.1.0.11	esxi02
ESXi host 3	IP address and hostname defined in the A record and PTR record for ESXi host 3.	Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each ESXi host in each EVS deployment.	10.1.0.12	esxi03
ESXi host 4	IP address and hostname defined in the A record and PTR record for ESXi host 4.	Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each ESXi host in each EVS deployment.	10.1.0.13	esxi04
vCenter Server appliance	IP address and hostname defined in the A record and PTR record for the vCenter Server appliance.	Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.	10.1.5.10	vc01
NSX Manager cluster	IP address and hostname defined in the A record and PTR record for the NSX Manager cluster.	Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.	10.1.5.11	nsx
SDDC Manager appliance	IP address and hostname defined in the A record and PTR record for the SDDC Manager appliance.	Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.	10.1.5.12	sddcm01
Cloud Builder appliance	IP address and hostname defined in the A record and PTR record for the Cloud Builder appliance.	Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.	10.1.5.13	cb01
NSX Edge 1 appliance	IP address and hostname defined in the A record and PTR record for the NSX Edge 1 appliance.	Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.	10.1.5.14	edge01
NSX Edge 2 appliance	IP address and hostname defined in the A record and PTR record for the NSX Edge 2 appliance.	Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.	10.1.5.15	edge02
NSX Manager 1 appliance	IP address and hostname defined in the A record and PTR record for the NSX Manager 1 appliance.	Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.	10.1.5.16	nsx01
NSX Manager 2 appliance	IP address and hostname defined in the A record and PTR record for the NSX Manager 2 appliance.	Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.	10.1.5.17	nsx02
NSX Manager 3 appliance	IP address and hostname defined in the A record and PTR record for the NSX Manager 3 appliance.	Amazon EVS requires a DNS forward lookup zone with A records and a reverse lookup zone with PTR records created for each VCF management appliance in each EVS deployment.	10.1.5.18	nsx03

VPC Route Server infrastructure
Component	Description	Minimum requirements	Example value(s)
route server ID	Amazon EVS uses Amazon VPC Route Server to to enable BGP-based dynamic routing to your VPC underlay network.	You must specify a route server that shares routes to at least two route server endpoints in the service access subnet. The peer ASN configured on the route server and NSX Edge peer must match, and the peer IP addresses must be unique.	rs-0a1b2c3d4e5f67890
route server association	The connection between a route server and a VPC.	Your route server must be associated to your VPC.	`{ "RouteServerAssociation": { "RouteServerId": "rs-0a1b2c3d4e5f67890", "VpcId": "vpc-1", "State": "associating" } }`
BGP ASN of the VPC Route Server side (Amazon-side ASN)	The Amazon-side ASN represents the AWS side of the BGP session between the VPC route server and the NSX Edge peer. You specify this BGP ASN when creating the route server. For more information, see Create a route server in the Amazon VPC User Guide.	This value must be unique, and in the range of 1-4294967295. AWS recommends using a private ASN in the 64512–65534 (16-bit ASN) or 4200000000–4294967294 (32-bit ASN) range.	65001
route server endpoint 1 ID	A route server endpoint is an AWS-managed component inside a subnet that facilitates BGP (Border Gateway Protocol) connections between your route server and your BGP peers.	Must deploy the route server endpoint into the service access subnet.	rse-0123456789abcdef0
route server peer 1 ID	The route server peer is a BGP peering session between a route server endpoint and the the device deployed in AWS (NSX Edge).	The peer ASN value specified in the route server peer must match the peer ASN value used for NSX Edge Tier-0 gateway.	rsp-0123456789abcdef0
route server peer 1 IP address (EVS NSX Edge 1 side)	The IP address of the route server peer (`PeerAddress`).	Must use a unique unused IP address from the NSX uplink VLAN. Amazon EVS will apply this IP address to NSX Edge 1 as part of the deployment and peer with the route server endpoint peer.	10.1.7.10
route server peer 1 endpoint ENI address	The endpoint ENI IP address of the route server peer (`EndpointEniAddress`).	Automatically generated by route server on peer creation.	10.1.7.11
route server endpoint 2 ID	A route server endpoint is an AWS-managed component inside a subnet that facilitates BGP (Border Gateway Protocol) connections between your route server and your BGP peers.	Must deploy the route server endpoint into the service access subnet.	rse-fedcba9876543210f
route server peer 2 ID (EVS NSX Edge 2 side)	The route server peer is a BGP peering session between a route server endpoint and the the device deployed in AWS (NSX Edge).	The peer ASN value specified in the route server peer must match the peer ASN value used for NSX Edge Tier-0 gateway.	rsp-fedcba9876543210f
route server peer 2 IP address	The IP address of the route server peer (`PeerAddress`).	Must use a unique IP address from the NSX uplink VLAN. Amazon EVS will apply this IP address to NSX Edge 2 as part of the deployment and peer with the route server endpoint peer.	10.1.7.200
route server peer 2 endpoint ENI address	The endpoint ENI IP address of the route server peer (`EndpointEniAddress`).	Automatically generated by route server on peer creation.	10.1.7.201
route server propagation	Route server propagation installs the routes in the FIB on the route table you’ve specified.	Must specify the route table associated with your service access subnet. Amazon EVS only supports IPv4 networking at this time.	`{ "RouteServerEndpoint": { "RouteServerId": "rs-1", "RouteServerEndpointId": "rse-1", "VpcId": "vpc-1", "SubnetId": "subnet-1", "State": "pending" } }`
BGP ASN of the NSX peer side	BGP ASN for the NSX side of the connection.	Suggest using the NSX default ASN 65000	65000

HCX internet access resources (Optional)
Component	Description	Minimum requirements	Example value(s)
IPAM ID	Amazon VPC IP Address Manager (IPAM) used to manage IP addresses for HCX internet access.	Must be configured to provide public IPv4 addresses. Required only for HCX internet access configuration.	ipam-0123456789abcdef0
IPAM pool ID	An Amazon-owned public IPv4 IPAM pool that provides addresses for HCX components.	Must be configured as a public IPv4 pool. Required only for HCX internet access configuration.	ipam-pool-0123456789abcdef0
HCX public VLAN CIDR block	A secondary public IPv4 CIDR block allocated from the IPAM pool for the HCX public VLAN subnet.	Must have a /28 netmask and be allocated from the Amazon-owned IPAM public pool. Required only for HCX internet access configuration.	18.97.137.0/28
Elastic IP addresses	Sequential Elastic IP addresses allocated from the IPAM pool for HCX components.	Minimum of 3 EIPs from the same IPAM pool for HCX Manager, HCX Interconnect Appliance (HCX-IX), and HCX Network Extension (HCX-NE). Required only for HCX internet access configuration.	eipalloc-0123456789abcdef0, eipalloc-0123456789abcdef1, eipalloc-0123456789abcdef2

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Setting up Amazon Elastic VMware Service

Getting started