PCI configuration in VMC on AWS release 1.14 -

VMware Cloud on AWS is fully PCI compliant as of the 1.14 release. You must deploy a brand new 1.14 SDDC in order to turn it into a PCI compliant SDDC. You cannot take an existing SDDC and convert it to a PCI SDDC.

To enable PCI, you must first disable HCX and SRM – neither of those two services are currently PCI compliant. The Components Control section of the Settings tab gives you the options. Finally, you must disable access to the Networking & Security tab in the VMC CSP as it is not PCI compliant. In a PCI SDDC, you will manage networking and security settings directly via NSX manager.

A brand new SDDC will not have HCX or SRM deployed. But if you do use these tools to migrate VMs into your PCI environment, you must uninstall them before disabling them for PCI compliance.

Deactivate Site Recovery

Site Recovery is enabled in this environment. I find the Site Recovery tile and click Actions>Deactivate.

I check all the boxes and click Deactivate

The Site Recovery deactivation process begins.

Site Recovery is now deactivated.

Undeploy HCX

I click the Open HCX link in the VMware HCX tile

I click the Undeploy HCX link

I click Confirm

The HCX Undeployment process begins

HCX is undeployed.

Establish connectivity

You MUST have either a VPN or a Direct Connect link to get access to the NSX Manager private IP address. It is also possible to use an EC2 instance and manage NSX Manager across the ENI. You must set this connectivity up before disabling the N&S tab. For this lab exercise, I set up a policy-based IPSEC VPN to my homelab.

Open the MGW firewall

There is an MGW group named NSX Manager. Access to HTTPS must be granted before you enable direct NSX-T access. You would obviously not use source ‘Any ‘for a production PCI environment, but I use it here in my lab.