Datrium DR-as-a-Service Networking with VMware Cloud (VMC)

Originally posted on MyVirtualCloud.net.

During VMworld, Datrium launched a unique DRaaS solution completely integrated into VMware Cloud on AWS. At a high-level DRaaS if a complete DR solution offered as a subscription that leverages the VMware Cloud and native Datrium cloud-based backups to deliver a fully-orchestrated low cost, low RPO and lower RTO disaster recovery for VMware customers.

Datrium provides fully integrated purchasing, support, and billing for all components and services, including VMware Cloud on AWS and AWS itself. It’s delivered as a SaaS solution that eliminates all the complexity of packaged software.


All Datrium services are deployed as AMIs into a Datrium-created VPC and Subnet. VPC endpoints used to access all other external services required by Datrium components (ControlShift and Cloud DVX) are also created automatically. All components are monitored and restarted for high availability and resilience. All required state is replicated to ensure resilience.

However, some of the most asked questions relate to networking connectivity options to VMware Cloud on AWS when in DR more. Please note that this blog post is addressing user and site connectivity to applications running on VMware Cloud in DR mode, rather than Datrium replication between on-premises and Cloud DVX. The replication between on-premises DVX and Cloud DVX is done using native snapshots coupled with universal deduplication and compression, and transmitted over a HTTPS tunnel over the Internet.

At this point, if you are not yet familiar with Datrium DRaaS, I suggest you to stop reading and briefly read World’s 1st Just-in-Time Cloud DR (VMware Cloud)… Everything Techies Need to Know….

There are several options when it comes to connecting on-premises data centers to other on-premises data centers or to the public cloud. This blog post outlines the various options available.


Site Connectivity Options



The diagram above demonstrate some of the more popular connectivity options. Represented by a solid line, these solutions typically offer secure, private, one-to-one connections between sites. Represented by a dashed line, these solutions enable access to internal applications via the public internet.


On-Premises to On-Premises Connectivity

First things first, let’s discuss the connectivity necessary for using ControlShift between on-premises datacenters. ControlShift requires network connectivity between on-premises datacenters to failover or migrate workloads. This connectivity is primarily at the Datrium infrastructure level. Additional connectivity between sites may be needed for applications to communicate with each or for users to interact with the applications.

Connecting multiple on-premises data centers is a practice that has been around for many years. There are many ways to connect on-premises data centers. The connection method selected should be decided independently by the customer’s networking team.

Datrium will automatically establish connectivity (outbound) with a ControlShift SaaS instance running on AWS.

On-Premises to Cloud Connectivity

There are a few options when it comes to connecting on-premises datacenters to VMC on AWS. Below are the four most common options, but please note that the options below are addressing user connectivity to their applications, rather than Datrium replication between on-premises and Cloud DVX.

AWS Direct Connect (DX)



AWS Direct Connect (DX) is a service aimed at allowing enterprise customers easy access to their AWS environment. Enterprises can leverage the DX to establish secure, private connectivity to the AWS global network from their data centers, office locations or co-location environments.

  • This is the recommended approach from VMware, and some customers may already have DX in place if they heavily utilise AWS.
  • DX is a one-to-one connection between on-premises and cloud.
  • The process of purchasing a DX can take months between contract signing to installation, so some forward planning is required.
  • Direct Connect offers higher speeds and lower latency than you can achieve with a connection over the public Internet. Connections can either be 1Gbps or 10Gbps.
  • All data transferred over the dedicated connection is charged at the reduced AWS Direct Connect data transfer rate rather than Internet data transfer rates.
  • DX is a physical connection from the on-premises site to the cloud site – as such it could be affected by on-premises failure modes and needs to be accounted for in the design and operations appropriately.




A Layer 2 Virtual Private Network (L2VPN) can be used to extend an on-premises network which provides a secure communications tunnel between an on-premises network and a network segment in VMC on AWS SDDC.

  • The L2VPN extended network is a single subnet with a single broadcast domain so you can migrate VMs to and from your VMC SDDC without having to change their IP addresses.
  • VLANs (up to 100) can be used to create multiple private networks within the single subnet.
  • VMware Cloud on AWS uses NSX-T to provide the L2VPN server in your VMC SDDC. L2VPN client functions are provided by a standalone NSX Edge (for free) that is downloadable and deployable into an on-premises data center.
  • A one-to-one connection between on-premises and cloud (multiple L2VPN’s can be used).
  • Not typically used to access the Management workloads of VMC. See DX or IPSec VPN.




IPsec VPN is a feature of VMC on AWS which provides secure access to On-Premises management and workload connectivity via a secure IPsec VPN tunnel.

  • VMware NSX-T Edge provides the IPsec implementation within VMC. The On-Premises gateway can be provided with any IPsec compatible appliance, either physical or virtual.
  • A one-to-one connection between on-premises and cloud.

There are two types of IPsec VPN’s that can be used with VMC on AWS:

  • Route-based VPN (Dynamic Routing) – A route-based VPN provides resilient, secure access to multiple subnets. When a route-based VPN is used, new routes are added automatically when new networks are created. Route-based VPN uses BGP to dynamically share routes across the VPN tunnel.
  • Policy-based VPN (Static Routing) – A policy-based VPN creates an IPsec tunnel and a policy that specifies how traffic uses it. When you use a policy-based VPN, you must update the routing tables on both ends of the network when new routes are added.

3rd Party VPN



A 3rd party Virtual Private Network (VPN) solution can be used to extend an on-premises network to a public cloud SDDC. Many VPN solutions providers offer a virtual appliance deployment option. These vSphere compatible appliances can be deployed into VMC to offer another method of extending an on-premises network to or enabling individual users to access workloads running within VMC.

  • OpenVPN and Palo Alto Networks are example 3rd party VPN solutions.
  • Requires a vSphere compatible VPN appliance.
  • 3rd Party licensing applies.
  • Allows customers to utilise existing products and skill-sets.
  • Typically, a one-to-one connection between on-premises and cloud, but can also be used as a many-to-one VPN via the Internet.
  • Public IP required for connectivity.

Accessing VMC Workloads on the Internet

The connectivity options above enable secure, controlled access to workloads running within VMC. However, if a user is neither on-premises or using a secure VPN client, internal workloads will be inaccessible when in DR mode on VMware Cloud.

Datrium ControlShift DR plans are responsible for creating mapping rules between on-premises networks and VMware SSDC networks, if necessary, and as part of the DR plan ControlShift can also re-IP VMs accordingly. When it’s time to fallback, ControlShift will automatically reverse the IP addressing to the original ones, along with transferring only unique data back on-premises.


Occasionally workloads may need to be made available via the public internet. To enable direct internet access for workloads VMC offers Public IP addresses. Public IP addresses can be requested on-demand and mapped to workloads that need to be directly accessed via the internet. Some examples of servers that may require direct internet access would be:

  • Email servers
  • Web servers
  • VMware Horizon – Unified Access Gateways
  • 3rd Party VPN solutions

Thanks to Mike McLaughlin and Simon Long for crafting most of this information.