Getting started with Amazon Elastic VMware Service

Note

Amazon EVS is in public preview release and is subject to change.

Use this guide to get started with Amazon Elastic VMware Service (Amazon EVS). You’ll learn how to create an Amazon EVS environment with hosts within your own Amazon Virtual Private Cloud (VPC).

After you’re finished, you’ll have an Amazon EVS environment that you can use to migrate your VMware vSphere-based workloads to the AWS Cloud.

Important

To get started as simply and quickly as possible, this topic includes steps to create a VPC, and specifies minimum requirements for DNS server configuration and Amazon EVS environment creation. Before creating these resources, we recommend that you plan out your IP address space and DNS record setup that meets your requirements. You should also familiarize yourself with VCF 5.2.1 requirements. For more information, see the VCF 5.2.1 release notes.

Important

Amazon EVS only supports VCF version 5.2.1.x at this time.

Prerequisites

Before getting started, you must complete the Amazon EVS prerequisite tasks. For more information, see Setting up Amazon Elastic VMware Service.

Create a VPC with subnets and route tables

Note

The VPC, subnets, and Amazon EVS environment must all be created in the same account. Amazon EVS does not support cross-account sharing of VPC subnets or Amazon EVS environments.

  1. Open the Amazon VPC console.

  2. On the VPC dashboard, choose Create VPC.

  3. For Resources to create, choose VPC and more.

  4. Keep Name tag auto-generation selected to create Name tags for the VPC resources, or clear it to provide your own Name tags for the VPC resources.

  5. For IPv4 CIDR block, enter an IPv4 CIDR block. A VPC must have an IPv4 CIDR block. Ensure that you create a VPC that is adequately sized to accommodate the Amazon EVS subnets. For more information, see Amazon EVS networking considerations.

    Note

    Amazon EVS does not support IPv6 at this time.

  6. Keep Tenancy as Default. With this option selected, EC2 instances that are launched into this VPC will use the tenancy attribute specified when the instances are launched. Amazon EVS launches bare metal EC2 instances on your behalf.

  7. For Number of Availability Zones (AZs), choose 1.

    Note

    Amazon EVS only supports Single-AZ deployments at this time.

  8. Expand Customize AZs and choose the AZ for your subnets.

    Note

    You must deploy in an AWS Region where Amazon EVS is supported. For more information about Amazon EVS Region availability, see Amazon Elastic VMware Service endpoints and quotas.

  9. (Optional) If you need internet connectivity, for Number of public subnets, choose 1.

  10. For Number of private subnets, choose 1.

  11. To choose the IP address ranges for your subnets, expand Customize subnets CIDR blocks.

    Note

    Amazon EVS VLAN subnets will also need to be created from this VPC CIDR space. Ensure that you leave enough space in the VPC CIDR block for the VLAN subnets that the service requires. For more information, see Amazon EVS networking considerations.

  12. (Optional) To grant internet access over IPv4 to resources, for NAT gateways, choose In 1 AZ. Note that there is a cost associated with NAT gateways. For more information, see Pricing for NAT gateways.

    Note

    Amazon EVS requires the use of a NAT gateway to enable outbound internet connectivity.

  13. For VPC endpoints, choose None.

    Note

    Amazon EVS does not support gateway VPC endpoints for Amazon S3 at this time. To enable Amazon S3 connectivity, you must set up an interface VPC endpoint using AWS PrivateLink for Amazon S3. For more information, see AWS PrivateLink for Amazon S3 in the Amazon Simple Storage Service User Guide.

  14. For DNS options, keep the defaults selected. Amazon EVS requires your VPC to have DNS resolution capability for all VCF components.

  15. (Optional) To add a tag to your VPC, expand Additional tags, choose Add new tag, and enter a tag key and a tag value.

  16. Choose Create VPC.

    Note

    During VPC creation, Amazon VPC automatically creates a main route table and implicitly associates subnets to it by default.
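Because the VLAN subnets cannot be added or resized once the environment exists, it pays to validate the whole address plan before the VPC is even created. The following Python script is an added example; it is not part of this guide or of the Amazon EVS service, and it uses only the standard library. The VPC CIDR, the two VPC-wizard subnets and the ten VLAN CIDRs are constructed sample values (the VLAN key names are the ones `aws evs create-environment --initial-vlans` takes, as in the CLI sample later in this topic). It checks that every planned subnet is IPv4, lies inside the VPC CIDR and overlaps no other subnet, reports the space left over, and emits the `--initial-vlans` argument from the validated plan so what you submit is what you checked.

```python
"""Offline check of a VPC address plan for an Amazon EVS environment (added example)."""
import ipaddress
import json

# Constructed sample plan (not values from the page). The VPC must be at least
# a /22; a /20 is used here so that each VLAN subnet can be a /24.
VPC_CIDR = "10.10.0.0/20"

# VLAN subnets that Amazon EVS creates inside the VPC during environment creation.
# The keys are the names used by `aws evs create-environment --initial-vlans`.
INITIAL_VLANS = {
    "vmkManagement": "10.10.0.0/24",
    "vmManagement": "10.10.1.0/24",
    "vMotion": "10.10.2.0/24",
    "vSan": "10.10.3.0/24",
    "vTep": "10.10.4.0/24",
    "edgeVTep": "10.10.5.0/24",
    "nsxUplink": "10.10.6.0/24",
    "hcx": "10.10.7.0/24",
    "expansionVlan1": "10.10.8.0/24",
    "expansionVlan2": "10.10.9.0/24",
}

# Subnets you create yourself with the VPC wizard (labels only, not API keys).
VPC_SUBNETS = {
    "service access (private)": "10.10.10.0/24",
    "public (NAT gateway)": "10.10.11.0/24",
}

MIN_VPC_PREFIX = 22  # smallest VPC this guide accepts


def validate_plan(vpc_cidr, *subnet_groups):
    """Return a list of problems with the plan; an empty list means it is consistent.

    EC2 rejects overlapping subnets and Amazon EVS cannot add or resize VLAN
    subnets after the environment exists, so these checks belong before
    `create-environment`, not after a failed deployment.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    if vpc.version != 4:
        problems.append(f"{vpc_cidr}: Amazon EVS does not support IPv6")
        return problems
    if vpc.prefixlen > MIN_VPC_PREFIX:
        problems.append(f"{vpc_cidr}: VPC must be a /{MIN_VPC_PREFIX} or larger")
    nets = []
    for group in subnet_groups:
        for name, cidr in group.items():
            net = ipaddress.ip_network(cidr, strict=True)
            if net.version != 4:
                problems.append(f"{name} {cidr}: Amazon EVS does not support IPv6")
                continue
            if not net.subnet_of(vpc):
                problems.append(f"{name} {cidr} is not inside VPC {vpc_cidr}")
            nets.append((name, net))
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    return problems


def free_blocks(vpc_cidr, *subnet_groups):
    """Return the CIDR blocks of the VPC that no planned subnet consumes."""
    remaining = [ipaddress.ip_network(vpc_cidr)]
    for group in subnet_groups:
        for cidr in group.values():
            net = ipaddress.ip_network(cidr)
            carved = []
            for block in remaining:
                # address_exclude splits `block` into the pieces around `net`
                carved.extend(block.address_exclude(net) if net.subnet_of(block) else [block])
            remaining = carved
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def initial_vlans_argument(vlans=INITIAL_VLANS):
    """JSON for `--initial-vlans`, built from the validated plan rather than typed by hand."""
    return json.dumps({name: {"cidr": cidr} for name, cidr in vlans.items()})


if __name__ == "__main__":
    issues = validate_plan(VPC_CIDR, INITIAL_VLANS, VPC_SUBNETS)
    for issue in issues:
        print("PROBLEM:", issue)
    if not issues:
        print("plan is consistent; unused space:", free_blocks(VPC_CIDR, INITIAL_VLANS, VPC_SUBNETS))
        print("--initial-vlans", initial_vlans_argument())
```

Run it before choosing the IPv4 CIDR block in step 5; with the sample plan it reports 10.10.12.0/22 as unused, which is the room you have for more VPC subnets such as endpoints or jump hosts.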

Configure the VPC main route table

Amazon EVS subnets are implicitly associated to your VPC’s main route table when they are created. To enable connectivity to dependent services such as DNS or on-premises systems for successful environment deployment, you must configure the main route table to allow traffic to these systems. For more information about managing subnet route tables, see Manage subnet route tables in the Amazon VPC User Guide.

After the Amazon EVS environment deploys, you can configure explicit route table associations to enable connectivity through a custom route table. For more information, see Replace the main route table in the Amazon VPC User Guide.

Important

Amazon EVS supports the use of a custom route table only after the Amazon EVS environment is created. Custom route tables should not be used during Amazon EVS environment creation, as this may result in connectivity issues.

Configure DNS and NTP servers using the VPC DHCP option set

Amazon EVS uses your VPC’s DHCP option set to retrieve the following:

  • Domain Name System (DNS) servers that are used to resolve host IP addresses.

  • Network Time Protocol (NTP) servers that are used to avoid time synchronization issues in the SDDC.

You can create a DHCP option set using the Amazon VPC console or AWS CLI. For more information, see Create a DHCP option set in the Amazon VPC User Guide.

To enable DNS connectivity for successful environment deployment, you must first configure the VPC’s main route table to allow DNS traffic. For more information, see Configure the VPC main route table.

DNS server configuration

You can enter IPv4 addresses of up to four Domain Name System (DNS) servers. You can use Route 53 as your DNS server provider, or you can provide your own custom DNS servers. For more information about configuring Route 53 as your DNS service for an existing domain, see Making Route 53 the DNS service for a domain that’s in use.

Note

Using both Route 53 and a custom Domain Name System (DNS) server may cause unexpected behavior.

Note

Amazon EVS does not support IPv6 at this time.

To successfully deploy an environment, your VPC’s DHCP option set must have the following DNS settings:

  • A primary DNS server IP address and a secondary DNS server IP address in the DHCP option set.

  • A DNS forward lookup zone with A records for each VCF management appliance and Amazon EVS host in your deployment as detailed in Create an Amazon EVS environment.

  • A reverse lookup zone with PTR records for each VCF management appliance and Amazon EVS host in your deployment as detailed in Create an Amazon EVS environment.

For more information about configuring DNS servers in a DHCP option set, see Create a DHCP option set.

Note

If you use custom DNS domain names defined in a private hosted zone in Route 53, or use private DNS with interface VPC endpoints (AWS PrivateLink), you must set both the enableDnsHostnames and enableDnsSupport attributes to true. For more information, see DNS attributes for your VPC.
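Deployment fails if any appliance or host lacks its A record or its PTR record, so it is worth generating both zones from one inventory and checking them before you start. The following Python script is an added example, not part of this guide or of Amazon EVS. It assumes you host the zones in Route 53: it builds one change batch for the forward zone and one per /24 reverse zone in the shape that `aws route53 change-resource-record-sets --change-batch file://...` accepts, and it compares the `ResourceRecordSets` list that `aws route53 list-resource-record-sets` returns against the inventory to report anything missing. The hostnames follow the create-environment sample in this topic; the domain name and IP addresses are constructed.

```python
"""Forward and reverse DNS records for an Amazon EVS environment (added example)."""
import ipaddress
import json
import re

# Constructed inventory: appliance and host names as in the CLI sample of this
# topic; the domain and the addresses are invented and would come from your plan.
DOMAIN = "evs.example.internal"
INVENTORY = {
    "vcf-vc01": "10.10.1.10",
    "vcf-nsx": "10.10.1.20",
    "vcf-nsxm01": "10.10.1.21",
    "vcf-nsxm02": "10.10.1.22",
    "vcf-nsxm03": "10.10.1.23",
    "vcf-edge01": "10.10.1.30",
    "vcf-edge02": "10.10.1.31",
    "vcf-sddcm01": "10.10.1.40",
    "vcf-cb01": "10.10.1.41",
    "esx01": "10.10.0.11",
    "esx02": "10.10.0.12",
    "esx03": "10.10.0.13",
    "esx04": "10.10.0.14",
}

# One lowercase DNS label: letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def fqdn(host, domain=DOMAIN):
    return f"{host}.{domain}."


def ptr_name(ip):
    """Owner name of the PTR record for an IPv4 address, e.g. 10.1.10.10.in-addr.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("Amazon EVS does not support IPv6")
    return addr.reverse_pointer + "."


def reverse_zone(ip):
    """Name of the /24 reverse hosted zone that owns ip, e.g. 1.10.10.in-addr.arpa."""
    return ptr_name(ip).split(".", 1)[1]


def validate_inventory(inventory):
    """Catch bad labels and duplicate addresses before any record is written."""
    problems, seen = [], {}
    for host, ip in inventory.items():
        if not HOSTNAME_RE.match(host):
            problems.append(f"{host!r} is not a valid DNS label")
        if ip in seen:
            problems.append(f"{ip} is used by both {seen[ip]} and {host}")
        seen.setdefault(ip, host)
    return problems


def rrset(name, rtype, value, ttl=300):
    """A Route 53 UPSERT change for a single-value record set."""
    return {"Action": "UPSERT", "ResourceRecordSet": {
        "Name": name, "Type": rtype, "TTL": ttl, "ResourceRecords": [{"Value": value}]}}


def build_change_batches(inventory, domain=DOMAIN):
    """Return (forward_batch, {reverse_zone_name: batch}) for change-resource-record-sets."""
    problems = validate_inventory(inventory)
    if problems:
        raise ValueError("; ".join(problems))
    forward = {"Comment": "Amazon EVS forward records", "Changes": []}
    reverse = {}
    for host, ip in inventory.items():
        name = fqdn(host, domain)
        forward["Changes"].append(rrset(name, "A", ip))
        zone = reverse_zone(ip)
        reverse.setdefault(zone, {"Comment": f"Amazon EVS PTR records for {zone}", "Changes": []})
        reverse[zone]["Changes"].append(rrset(ptr_name(ip), "PTR", name))
    return forward, reverse


def missing_records(inventory, records, domain=DOMAIN):
    """Compare what list-resource-record-sets returned against what Amazon EVS requires."""
    have = {(r["Name"].lower(), r["Type"], v["Value"].lower())
            for r in records for v in r.get("ResourceRecords", [])}
    missing = []
    for host, ip in inventory.items():
        name = fqdn(host, domain)
        if (name, "A", ip) not in have:
            missing.append(f"A {name} -> {ip}")
        if (ptr_name(ip), "PTR", name) not in have:
            missing.append(f"PTR {ptr_name(ip)} -> {name}")
    return missing


if __name__ == "__main__":
    forward_batch, reverse_batches = build_change_batches(INVENTORY)
    print(json.dumps(forward_batch, indent=2))          # apply to the forward hosted zone
    for zone_name, batch in reverse_batches.items():    # one batch per reverse hosted zone
        print(zone_name, json.dumps(batch, indent=2))
```

Write each batch to a file and apply it with `aws route53 change-resource-record-sets --hosted-zone-id <zone ID> --change-batch file://<batch>.json`; the reverse batches need a reverse hosted zone (for example 1.10.10.in-addr.arpa) that exists and is associated with the VPC.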

NTP server configuration

NTP servers provide the time to your network. You can enter the IPv4 addresses of up to four Network Time Protocol (NTP) servers. For more information about configuring NTP servers in a DHCP option set, see Create a DHCP option set.

Note

Amazon EVS does not support IPv6 at this time.

You can specify the Amazon Time Sync Service at IPv4 address 169.254.169.123; this is also the NTP source that the Amazon EC2 instances deployed by Amazon EVS use by default.

For more information about NTP, see RFC 5905 (NTP version 4). For more information about the Amazon Time Sync Service, see Set the time for your instance in the Amazon EC2 User Guide.

(Optional) Configure on-premises network connectivity

You can connect your on-premises data center to your AWS infrastructure using AWS Direct Connect with an associated transit gateway, or using an AWS Site-to-Site VPN attachment to a transit gateway. AWS Site-to-Site VPN creates an IPsec VPN connection to the transit gateway over the internet. AWS Direct Connect reaches the transit gateway through a Direct Connect gateway over a private dedicated connection instead of the internet; Direct Connect itself does not encrypt traffic, so if you need encryption in transit on that path, run a Site-to-Site VPN over the Direct Connect connection or use MACsec where your connection supports it. After the Amazon EVS environment is created, you can use either option to connect your on-premises data center firewalls to the VMware NSX environment.

To enable connectivity to on-premises systems for successful environment deployment, you must configure the VPC’s main route table to allow traffic to these systems. For more information, see Configure the VPC main route table.

After the Amazon EVS environment is created, you must update the transit gateway route tables with the VPC CIDRs created within the Amazon EVS environment. For more information, see (Optional) Configure transit gateway route tables and Direct Connect prefixes for on-premises connectivity.

For more information about setting up an AWS Direct Connect connection, see AWS Direct Connect gateways and transit gateway associations. For more information about using AWS Site-to-Site VPN with AWS Transit Gateway, see AWS Site-to-Site VPN attachments in Amazon VPC Transit Gateways in the Amazon VPC Transit Gateway User Guide.

Note

Amazon EVS does not support connectivity via an AWS Direct Connect private virtual interface (VIF), or via an AWS Site-to-Site VPN connection that terminates directly into the underlay VPC.

Set up a VPC Route Server instance with endpoints and peers

Amazon EVS uses Amazon VPC Route Server to enable BGP-based dynamic routing into your VPC underlay network. You must specify a route server that shares routes with at least two route server endpoints in the service access subnet. The peer ASN configured on the route server peers must match, and the peer IP addresses must be unique.

Important

When enabling Route Server propagation, ensure that every route table you propagate to has at least one explicit subnet association. BGP route advertisement fails if the route table does not have an explicit subnet association.

For more information about setting up VPC Route Server, see the Route Server get started tutorial.

Note

For Route Server peer liveness detection, Amazon EVS only supports the default BGP keepalive mechanism. Amazon EVS does not support multi-hop Bidirectional Forwarding Detection (BFD).

Note

We recommend that you enable persistent routes for the route server instance with a persist duration between 1 and 5 minutes. If enabled, routes are preserved in the route server’s routing database even if all BGP sessions end. For more information, see Create a route server in the Amazon VPC User Guide.

Note

If you are using a NAT gateway or a transit gateway, ensure that your route server is configured correctly to propagate NSX routes to the VPC route table(s).
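The requirements above (two peers on two distinct endpoints of one route server, matching ASNs, unique peer addresses, endpoints in the service access subnet, BGP keepalive rather than BFD) can all be checked from the output of `aws ec2 describe-route-server-peers --output json` before you pass the peer IDs to `create-environment`. The following Python script is an added example, not part of this guide or of Amazon EVS. The sample document is constructed; its field names follow the EC2 RouteServerPeer data type as the author recalls it, which is an assumption you should compare against your own output. It also assumes the peer addresses are taken from the nsxUplink VLAN CIDR, since the NSX Edges peer with Route Server over that VLAN.

```python
"""Offline check of VPC Route Server peers against Amazon EVS requirements (added example)."""
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-route-server-peers` output.
# Assumption: field names follow the EC2 RouteServerPeer data type; verify this
# against real output. The IDs and addresses are invented.
SAMPLE_PEERS = {
    "RouteServerPeers": [
        {
            "RouteServerPeerId": "rsp-1234567890abcdef0",
            "RouteServerEndpointId": "rse-0a1b2c3d4e5f60718",
            "RouteServerId": "rs-0123456789abcdef0",
            "VpcId": "vpc-1234567890abcdef0",
            "SubnetId": "subnet-01234a1b2cde1234f",
            "State": "available",
            "PeerAddress": "10.10.6.10",
            "BgpOptions": {"PeerAsn": 65010, "PeerLivenessDetection": "bgp-keepalive"},
        },
        {
            "RouteServerPeerId": "rsp-abcdef01234567890",
            "RouteServerEndpointId": "rse-1b2c3d4e5f607182a",
            "RouteServerId": "rs-0123456789abcdef0",
            "VpcId": "vpc-1234567890abcdef0",
            "SubnetId": "subnet-01234a1b2cde1234f",
            "State": "available",
            "PeerAddress": "10.10.6.11",
            "BgpOptions": {"PeerAsn": 65010, "PeerLivenessDetection": "bgp-keepalive"},
        },
    ]
}


def check_peers(doc, service_access_subnet, nsx_uplink_cidr):
    """Return the list of requirements the peers violate; empty means they are usable."""
    peers = doc.get("RouteServerPeers", [])
    uplink = ipaddress.ip_network(nsx_uplink_cidr)
    problems = []
    if len(peers) < 2:
        problems.append(f"need 2 peers, found {len(peers)}")
    if len({p.get("RouteServerId") for p in peers}) > 1:
        problems.append("peers belong to different route servers")
    if len({p.get("RouteServerEndpointId") for p in peers}) < min(2, len(peers)):
        problems.append("peers must use two distinct route server endpoints")
    asns = {p.get("BgpOptions", {}).get("PeerAsn") for p in peers}
    if len(asns) > 1:
        problems.append(f"peer ASNs differ: {sorted(asns)}")
    addresses = [p.get("PeerAddress") for p in peers]
    for addr in sorted(set(addresses)):
        if addresses.count(addr) > 1:
            problems.append(f"peer address {addr} is not unique")
    for p in peers:
        pid = p.get("RouteServerPeerId")
        if p.get("SubnetId") != service_access_subnet:
            problems.append(f"{pid}: endpoint is in {p.get('SubnetId')}, not the service access subnet")
        if p.get("State") != "available":
            problems.append(f"{pid}: state is {p.get('State')}")
        if p.get("BgpOptions", {}).get("PeerLivenessDetection") != "bgp-keepalive":
            problems.append(f"{pid}: liveness detection must be BGP keepalive (BFD is not supported)")
        if ipaddress.ip_address(p["PeerAddress"]) not in uplink:
            problems.append(f"{pid}: peer address {p['PeerAddress']} is outside the NSX uplink VLAN {uplink}")
    return problems


def connectivity_info_argument(doc):
    """JSON for `--connectivity-info`, listing the peer IDs in the order returned."""
    ids = [p["RouteServerPeerId"] for p in doc.get("RouteServerPeers", [])]
    return json.dumps({"privateRouteServerPeerings": ids})


if __name__ == "__main__":
    for problem in check_peers(SAMPLE_PEERS, "subnet-01234a1b2cde1234f", "10.10.6.0/24"):
        print("PROBLEM:", problem)
    print("--connectivity-info", connectivity_info_argument(SAMPLE_PEERS))
```

Feed it the real output with `aws ec2 describe-route-server-peers --output json > peers.json` and `json.load` in place of `SAMPLE_PEERS`; the service access subnet ID and the nsxUplink CIDR are the values you will also pass to `create-environment`.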

Create an Amazon EVS environment

Important

To get started as simply and quickly as possible, this topic includes steps to create an Amazon EVS environment with default settings. Before creating an environment, we recommend that you familiarize yourself with all settings and deploy an environment with the settings that meet your requirements. Environments can only be configured during initial environment creation. Environments cannot be modified after you’ve created them. For an overview of all possible Amazon EVS environment settings, see the Amazon EVS API Reference Guide.

Note

Your environment ID will be available to Amazon EVS across all AWS Regions for VCF license compliance needs.

Note

Amazon EVS environments must be deployed into the same Region and Availability Zone as the VPC and VPC subnets.

Complete this step to create an Amazon EVS environment with hosts and VLAN subnets.

Amazon EVS console
  1. Go to the Amazon EVS console.

    Note

    Ensure that the AWS Region shown in the upper right of your console is the AWS Region that you want to create your environment in. If it’s not, choose the dropdown next to the AWS Region name and choose the AWS Region that you want to use.

    Note

    Amazon EVS operations triggered from the Amazon EVS console will not generate CloudTrail events.

  2. In the navigation pane, choose Environments.

  3. Choose Create environment.

  4. On the Validate Amazon EVS requirements page, do the following.

    1. Check that the AWS Support requirement and the service quota requirements are met. For more information about Amazon EVS support requirements, see Sign up for an AWS Business, AWS Enterprise On-Ramp, or AWS Enterprise Support plan. For more information about Amazon EVS quota requirements, see Service quotas.

    2. (Optional) For Name, enter an environment name.

    3. For Environment version, choose your VCF version. Amazon EVS currently only supports version 5.2.1.x.

    4. For Site ID, enter your Broadcom Site ID.

    5. For VCF Solution key, enter a VCF solution key. This license key cannot be in use by an existing environment.

      Note

      The VCF solution key must have at least 256 cores.

      Note

      Your VCF license will be available to Amazon EVS across all AWS Regions for license compliance. Amazon EVS does not validate license keys. To validate license keys, visit Broadcom support.

      Note

      Amazon EVS requires that you maintain a valid VCF solution key in SDDC Manager for the service to function properly. If you manage the VCF solution key using the vSphere Client post-deployment, you must ensure that the key also appears in the licensing screen of the SDDC Manager user interface.

    6. For vSAN license key, enter a vSAN license key. This license key cannot be in use by an existing environment.

      Note

      The vSAN license key must have at least 110 TiB of vSAN capacity.

      Note

      Your vSAN license key will be available to Amazon EVS across all AWS Regions for license compliance. Amazon EVS does not validate license keys. To validate license keys, visit Broadcom support.

      Note

      Amazon EVS requires that you maintain a valid vSAN license key in SDDC Manager for the service to function properly. If you manage the vSAN license key using the vSphere Client post-deployment, you must ensure that the key also appears in the licensing screen of the SDDC Manager user interface.

    7. For VCF license terms, check the box to confirm that you have purchased and will continue to maintain the required number of VCF software licenses to cover all physical processor cores in the Amazon EVS environment. Information about your VCF Software in Amazon EVS will be shared with Broadcom to verify license compliance.

    8. Choose Next.

  5. On the Specify host details page, complete the following steps 4 times to add 4 hosts to the environment. Amazon EVS environments require 4 hosts for initial deployment.

    1. Choose Add host details.

    2. For DNS hostname, enter the host name for the host.

    3. For instance type, choose the EC2 instance type.

      Important

      Do not stop or terminate EC2 instances that Amazon EVS deploys. This action results in data loss.

      Note

      Amazon EVS only supports i4i.metal EC2 instances at this time.

    4. For SSH key pair, choose an SSH key pair for SSH access into the host.

    5. Choose Add host.

  6. On the Configure networks and connectivity page, do the following.

    1. For VPC, choose the VPC that you previously created.

    2. For Service access subnet, choose the private subnet that was created when you created the VPC.

    3. For Security group (optional), you can choose up to 2 security groups that control communication between the Amazon EVS control plane and the VPC. Amazon EVS uses the default security group if no security group is chosen.

      Note

      Ensure that the security groups that you choose provide connectivity to your DNS servers and Amazon EVS VLAN subnets.

    4. Under Management connectivity, enter the CIDR blocks to be used for the Amazon EVS VLAN subnets.

      Important

      Amazon EVS VLAN subnets can only be created during Amazon EVS environment creation, and cannot be modified after the environment is created. You must ensure that the VLAN subnet CIDR blocks are properly sized before creating the environment. You will not be able to add VLAN subnets after the environment is deployed. For more information, see Amazon EVS networking considerations.

    5. Under Expansion VLANs, enter the CIDR blocks for additional Amazon EVS VLAN subnets that can be used to expand VCF capabilities within Amazon EVS, such as enabling NSX Federation.

      Note

      Ensure that the VLAN CIDR blocks that you provide are properly sized within the VPC. For more information, see Amazon EVS networking considerations.

    6. Under Workload/VCF connectivity, enter the CIDR block for the NSX uplink VLAN, and choose 2 VPC Route Server peer IDs that peer to Route Server endpoints over the NSX uplink.

      Note

      Amazon EVS requires a VPC Route Server instance that is associated with 2 Route Server endpoints and 2 Route Server peers. This configuration enables dynamic BGP-based routing over the NSX uplink. For more information, see Set up a VPC Route Server instance with endpoints and peers.

    7. Choose Next.

  7. On the Specify Management DNS hostnames page, do the following.

    1. Under Management appliance DNS hostnames, enter the DNS hostnames for the virtual machines to host VCF management appliances. If using Route 53 as your DNS provider, also choose the hosted zone that contains your DNS records.

    2. Under Credentials, choose whether you’d like to use the AWS managed KMS key for Secrets Manager or a customer managed KMS key that you provide. This key is used to encrypt the VCF credentials that are required to use SDDC Manager, NSX Manager, and vCenter appliances.

      Note

      There are usage costs associated with customer managed KMS keys. For more information, see the AWS KMS pricing page.

    3. Choose Next.

  8. (Optional) On the Add tags page, add any tags that you would like to be assigned to this environment and choose Next.

    Note

    Hosts created as part of this environment will receive the following tag: DoNotDelete-EVS-environmentid-hostname.

    Note

    Tags that are associated with the Amazon EVS environment do not propagate to underlying AWS resources such as EC2 instances. You can create tags on underlying AWS resources using the respective service console or the AWS CLI.

  9. On the Review and create page, review your configuration and choose Create environment.

    Important

    During environment deployment, Amazon EVS creates the EVS VLAN subnets and implicitly associates them with the main route table. After the deployment completes, you must explicitly associate the Amazon EVS VLAN subnets with a route table for NSX connectivity purposes. For more information, see Explicitly associate Amazon EVS VLAN subnets to a VPC route table.

    Note

    Amazon EVS deploys a recent bundled version of VMware Cloud Foundation which may not include individual product updates, known as async patches. Upon completion of this deployment, we strongly recommend that you review and update individual products using Broadcom’s Async Patch Tool (AP Tool) or SDDC Manager in-product LCM automation. NSX upgrades must be done outside of SDDC Manager.

    Note

    Environment creation can take several hours.

AWS CLI
  1. Open a terminal session.

  2. Create an Amazon EVS environment. Below is a sample aws evs create-environment request.

    Important

    Before running the aws evs create-environment command, check that all Amazon EVS prerequisites have been met. Environment deployment fails if prerequisites have not been met. For more information about Amazon EVS support requirements, see Sign up for an AWS Business, AWS Enterprise On-Ramp, or AWS Enterprise Support plan. For more information about Amazon EVS quota requirements, see Service quotas.

    Important

    During environment deployment, Amazon EVS creates the EVS VLAN subnets and implicitly associates them with the main route table. After the deployment completes, you must explicitly associate the Amazon EVS VLAN subnets with a route table for NSX connectivity purposes. For more information, see Explicitly associate Amazon EVS VLAN subnets to a VPC route table.

    Note

    Amazon EVS deploys a recent bundled version of VMware Cloud Foundation which may not include individual product updates, known as async patches. Upon completion of this deployment, we strongly recommend you review and update individual products using Broadcom’s Async Patch Tool (AP Tool) or SDDC Manager in-product LCM automation. NSX upgrades must be done outside of SDDC Manager.

    Note

    Environment deployment can take several hours.

    • For --vpc-id, specify the VPC that you previously created with a minimum IPv4 CIDR range of /22. Note that a /22 holds only four /24 subnets; the sample command below carves ten /24 VLAN subnets plus the service access subnet out of the VPC, which needs a VPC of at least /20.

    • For --service-access-subnet-id, specify the unique ID of the private subnet that was created when you created the VPC.

    • For --vcf-version, Amazon EVS currently only supports VCF 5.2.1.x.

    • With --terms-accepted, you confirm that you have purchased and will continue to maintain the required number of VCF software licenses to cover all physical processor cores in the Amazon EVS environment. Information about your VCF software in Amazon EVS will be shared with Broadcom to verify license compliance.

    • For --license-info, enter your VCF solution key and vSAN license key.

      Note

      The VCF solution key must have at least 256 cores. The vSAN license key must have at least 110 TiB of vSAN capacity.

      Note

      Amazon EVS requires that you maintain a valid VCF solution key and vSAN license key in SDDC Manager for the service to function properly. If you manage these license keys using the vSphere Client post-deployment, you must ensure that they also appear in the licensing screen of the SDDC Manager user interface.

      Note

      The VCF solution key and vSAN license key cannot be in use by an existing Amazon EVS environment.

    • For --initial-vlans specify the CIDR ranges for the Amazon EVS VLAN subnets that Amazon EVS creates on your behalf. These VLANs are used to deploy VCF management appliances.

      Important

      Amazon EVS VLAN subnets can only be created during Amazon EVS environment creation, and cannot be modified after the environment is created. You must ensure that the VLAN subnet CIDR blocks are properly sized before creating the environment. You will not be able to add VLAN subnets after the environment is deployed. For more information, see Amazon EVS networking considerations.

    • For --hosts, specify host details for the hosts that Amazon EVS requires for environment deployment. Include DNS hostname, EC2 SSH key name, and EC2 instance type for each host.

      Important

      Do not stop or terminate EC2 instances that Amazon EVS deploys. This action results in data loss.

      Note

      Amazon EVS only supports i4i.metal EC2 instances at this time.

    • For --connectivity-info, specify the 2 VPC Route Server peer IDs that you created in the previous step.

      Note

      Amazon EVS requires a VPC Route Server instance that is associated with 2 Route Server endpoints and 2 Route Server peers. This configuration enables dynamic BGP-based routing over the NSX uplink. For more information, see Set up a VPC Route Server instance with endpoints and peers.

    • For --vcf-hostnames, enter the DNS hostnames for the virtual machines to host VCF management appliances.

    • For --site-id, enter your unique Broadcom site ID. This ID allows access to the Broadcom portal, and is provided to you by Broadcom at the close of your software contract or contract renewal.

    • (Optional) For --region, enter the Region that your environment will be deployed into. If the Region isn’t specified, your default Region is used.

      aws evs create-environment \
        --environment-name testEnv \
        --vpc-id vpc-1234567890abcdef0 \
        --service-access-subnet-id subnet-01234a1b2cde1234f \
        --vcf-version VCF-5.2.1 \
        --terms-accepted \
        --license-info '{"solutionKey": "00000-00000-00000-abcde-11111", "vsanKey": "00000-00000-00000-abcde-22222"}' \
        --initial-vlans '{
          "vmkManagement": {"cidr": "10.10.0.0/24"},
          "vmManagement": {"cidr": "10.10.1.0/24"},
          "vMotion": {"cidr": "10.10.2.0/24"},
          "vSan": {"cidr": "10.10.3.0/24"},
          "vTep": {"cidr": "10.10.4.0/24"},
          "edgeVTep": {"cidr": "10.10.5.0/24"},
          "nsxUplink": {"cidr": "10.10.6.0/24"},
          "hcx": {"cidr": "10.10.7.0/24"},
          "expansionVlan1": {"cidr": "10.10.8.0/24"},
          "expansionVlan2": {"cidr": "10.10.9.0/24"}
        }' \
        --hosts '[
          {"hostName": "esx01", "keyName": "sshKey-04-05-45", "instanceType": "i4i.metal"},
          {"hostName": "esx02", "keyName": "sshKey-04-05-45", "instanceType": "i4i.metal"},
          {"hostName": "esx03", "keyName": "sshKey-04-05-45", "instanceType": "i4i.metal"},
          {"hostName": "esx04", "keyName": "sshKey-04-05-45", "instanceType": "i4i.metal"}
        ]' \
        --connectivity-info '{"privateRouteServerPeerings": ["rsp-1234567890abcdef0", "rsp-abcdef01234567890"]}' \
        --vcf-hostnames '{
          "vCenter": "vcf-vc01",
          "nsx": "vcf-nsx",
          "nsxManager1": "vcf-nsxm01",
          "nsxManager2": "vcf-nsxm02",
          "nsxManager3": "vcf-nsxm03",
          "nsxEdge1": "vcf-edge01",
          "nsxEdge2": "vcf-edge02",
          "sddcManager": "vcf-sddcm01",
          "cloudBuilder": "vcf-cb01"
        }' \
        --site-id my-site-id \
        --region us-east-2

      The following is a sample response.

      {
        "environment": {
          "environmentId": "env-abcde12345",
          "environmentState": "CREATING",
          "stateDetails": "The environment is being initialized, this operation may take some time to complete.",
          "createdAt": "2025-04-13T12:03:39.718000+00:00",
          "modifiedAt": "2025-04-13T12:03:39.718000+00:00",
          "environmentArn": "arn:aws:evs:us-east-2:111122223333:environment/env-abcde12345",
          "environmentName": "testEnv",
          "vpcId": "vpc-1234567890abcdef0",
          "serviceAccessSubnetId": "subnet-01234a1b2cde1234f",
          "vcfVersion": "VCF-5.2.1",
          "termsAccepted": true,
          "licenseInfo": [
            {
              "solutionKey": "00000-00000-00000-abcde-11111",
              "vsanKey": "00000-00000-00000-abcde-22222"
            }
          ],
          "siteId": "my-site-id",
          "connectivityInfo": {
            "privateRouteServerPeerings": [
              "rsp-1234567890abcdef0",
              "rsp-abcdef01234567890"
            ]
          },
          "vcfHostnames": {
            "vCenter": "vcf-vc01",
            "nsx": "vcf-nsx",
            "nsxManager1": "vcf-nsxm01",
            "nsxManager2": "vcf-nsxm02",
            "nsxManager3": "vcf-nsxm03",
            "nsxEdge1": "vcf-edge01",
            "nsxEdge2": "vcf-edge02",
            "sddcManager": "vcf-sddcm01",
            "cloudBuilder": "vcf-cb01"
          }
        }
      }

Verify Amazon EVS environment creation

Amazon EVS console
  1. Go to the Amazon EVS console.

  2. In the navigation pane, choose Environments.

  3. Select the environment.

  4. Select the Details tab.

  5. Check that the Environment status is Passed and the Environment state is Created. This lets you know that the environment is ready to use.

    Note

    Environment creation can take several hours. If the Environment state still shows Creating, refresh the page.

AWS CLI
  1. Open a terminal session.

  2. Run the following command, using the environment ID for your environment and the Region name that contains your resources. The environment is ready to use when the environmentState is CREATED.

    Note

    Environment creation can take several hours. If the environmentState still shows CREATING, run the command again to refresh the output.

    aws evs get-environment --environment-id env-abcde12345

    The following is a sample response.

    {
      "environment": {
        "environmentId": "env-abcde12345",
        "environmentState": "CREATED",
        "createdAt": "2025-04-13T13:39:49.546000+00:00",
        "modifiedAt": "2025-04-13T13:40:39.355000+00:00",
        "environmentArn": "arn:aws:evs:us-east-2:111122223333:environment/env-abcde12345",
        "environmentName": "testEnv",
        "vpcId": "vpc-0c6def5b7b61c9f41",
        "serviceAccessSubnetId": "subnet-06a3c3b74d36b7d5e",
        "vcfVersion": "VCF-5.2.1",
        "termsAccepted": true,
        "licenseInfo": [
          {
            "solutionKey": "00000-00000-00000-abcde-11111",
            "vsanKey": "00000-00000-00000-abcde-22222"
          }
        ],
        "siteId": "my-site-id",
        "checks": [],
        "connectivityInfo": {
          "privateRouteServerPeerings": [
            "rsp-056b2b1727a51e956",
            "rsp-07f636c5150f171c3"
          ]
        },
        "vcfHostnames": {
          "vCenter": "vcf-vc01",
          "nsx": "vcf-nsx",
          "nsxManager1": "vcf-nsxm01",
          "nsxManager2": "vcf-nsxm02",
          "nsxManager3": "vcf-nsxm03",
          "nsxEdge1": "vcf-edge01",
          "nsxEdge2": "vcf-edge02",
          "sddcManager": "vcf-sddcm01",
          "cloudBuilder": "vcf-cb01"
        },
        "credentials": []
      }
    }

Explicitly associate Amazon EVS VLAN subnets to a VPC route table

Explicitly associate each of the Amazon EVS VLAN subnets with a route table in your VPC. This route table is used to allow AWS resources to communicate with virtual machines on NSX network segments running on Amazon EVS.

Amazon VPC console
  1. Go to the VPC console.

  2. In the navigation pane, choose Route tables.

  3. Choose the route table that you want to associate with Amazon EVS VLAN subnets.

  4. Select the Subnet associations tab.

  5. Under Explicit subnet associations, select Edit subnet associations.

  6. Select all of the Amazon EVS VLAN subnets.

  7. Choose Save associations.

AWS CLI
  1. Open a terminal session.

  2. Identify the Amazon EVS VLAN subnet IDs.

    aws ec2 describe-subnets --filters Name=vpc-id,Values=vpc-1234567890abcdef0 \
      --query "Subnets[].[SubnetId,CidrBlock]" --output table
  3. Associate your Amazon EVS VLAN subnets with a route table in your VPC.

    aws ec2 associate-route-table \
      --route-table-id rtb-0123456789abcdef0 \
      --subnet-id subnet-01234a1b2cde1234f

(Optional) Configure transit gateway route tables and Direct Connect prefixes for on-premises connectivity

If you are configuring on-premises network connectivity using AWS Direct Connect or AWS Site-to-Site VPN with a transit gateway, you must update the transit gateway route tables with the VPC CIDRs created within the Amazon EVS environment. For more information, see Transit gateway route tables in Amazon VPC Transit Gateways.

If you are using AWS Direct Connect, you may also need to update your Direct Connect gateway allowed prefixes to send and receive updated routes from the VPC. For more information, see Allowed prefixes interactions for AWS Direct Connect gateways.

Create a network ACL to control Amazon EVS VLAN subnet traffic

Amazon EVS uses a network access control list (ACL) to control traffic to and from Amazon EVS VLAN subnets. You can use the default network ACL for your VPC, or you can create a custom network ACL for your VPC with rules that are similar to the rules for your security groups to add a layer of security to your VPC. For more information, see Create a network ACL for your VPC in the Amazon VPC User Guide.

Important

EC2 security groups do not function on elastic network interfaces that are attached to Amazon EVS VLAN subnets. To control traffic to and from Amazon EVS VLAN subnets, you must use a network access control list. Because network ACLs are stateless, each allowed flow needs both an inbound rule and an outbound rule, including the reply traffic on ephemeral ports that a security group would have permitted automatically.
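Since the network ACL is the only filter on these subnets, it is worth deriving its rules from a short allowlist rather than typing them one by one. The following Python script is an added example, not part of this guide or of Amazon EVS. It generates the stateless rule pairs (request plus reply) for one VLAN subnet, audits the result for accidental internet exposure, and renders each rule as an `aws ec2 create-network-acl-entry` command. The VPC CIDR, the administrative source range, the port list and the ACL ID are constructed; which ports you open on which VLAN depends on your own design, and anything not matched is dropped by the ACL's final deny rule.

```python
"""Stateless network ACL rule set for an Amazon EVS VLAN subnet (added example)."""

TCP, ALL = "6", "-1"
EPHEMERAL = (1024, 65535)   # reply traffic lands on an ephemeral destination port


def build_nacl_rules(vpc_cidr, admin_cidrs, admin_ports, internet_egress=True):
    """Return allow rules (as create-network-acl-entry parameters) in evaluation order.

    Network ACLs are stateless: each permitted flow needs a rule for the
    request and a rule for the reply in the opposite direction. Anything
    not matched falls through to the ACL's final deny rule (*).
    """
    rules = []
    next_number = {"in": 100, "out": 100}

    def add(direction, protocol, cidr, ports=None):
        rule = {
            "RuleNumber": next_number[direction],
            "Protocol": protocol,
            "RuleAction": "allow",
            "Egress": direction == "out",
            "CidrBlock": cidr,
        }
        if ports:
            rule["PortRange"] = {"From": ports[0], "To": ports[1]}
        rules.append(rule)
        next_number[direction] += 10   # leave room to insert rules later

    # East-west traffic inside the VPC: the other EVS VLANs, the service access
    # subnet, Route Server endpoints, and DNS/NTP servers hosted in the VPC.
    add("in", ALL, vpc_cidr)
    add("out", ALL, vpc_cidr)
    # Administrative access from trusted ranges to the appliance ports, with
    # replies allowed back to the administrator's ephemeral ports.
    for cidr in admin_cidrs:
        for port in admin_ports:
            add("in", TCP, cidr, (port, port))
        add("out", TCP, cidr, EPHEMERAL)
    # Outbound HTTPS through the NAT gateway (patch and bundle downloads);
    # replies arrive from arbitrary internet sources on ephemeral ports only.
    if internet_egress:
        add("out", TCP, "0.0.0.0/0", (443, 443))
        add("in", TCP, "0.0.0.0/0", EPHEMERAL)
    return rules


def audit(rules):
    """Flag duplicate rule numbers and any inbound allow from anywhere that is not just reply traffic."""
    problems, seen = [], set()
    for r in rules:
        key = (r["Egress"], r["RuleNumber"])
        if key in seen:
            problems.append(f"duplicate rule number {r['RuleNumber']}")
        seen.add(key)
        ports = r.get("PortRange")
        if (not r["Egress"] and r["RuleAction"] == "allow" and r["CidrBlock"] == "0.0.0.0/0"
                and (ports is None or (ports["From"], ports["To"]) != EPHEMERAL)):
            problems.append(f"inbound rule {r['RuleNumber']} exposes {ports or 'all ports'} to the internet")
    return problems


def to_cli(rules, acl_id):
    """Render each rule as an `aws ec2 create-network-acl-entry` command."""
    commands = []
    for r in rules:
        cmd = (f"aws ec2 create-network-acl-entry --network-acl-id {acl_id}"
               f" --rule-number {r['RuleNumber']} --protocol {r['Protocol']}"
               f" --rule-action {r['RuleAction']} --{'egress' if r['Egress'] else 'ingress'}"
               f" --cidr-block {r['CidrBlock']}")
        if "PortRange" in r:
            cmd += f" --port-range From={r['PortRange']['From']},To={r['PortRange']['To']}"
        commands.append(cmd)
    return commands


if __name__ == "__main__":
    # Constructed sample: the VPC from the address plan, one jump-host range, HTTPS only.
    sample = build_nacl_rules("10.10.0.0/20", ["192.168.50.0/24"], [443])
    for problem in audit(sample):
        print("PROBLEM:", problem)
    for line in to_cli(sample, "acl-0123456789abcdef0"):
        print(line)
```

Create the ACL first with `aws ec2 create-network-acl --vpc-id <VPC ID>`, run the generated commands against its ID, then associate it with each VLAN subnet using `aws ec2 replace-network-acl-association`. The inbound ephemeral-port rule from 0.0.0.0/0 is the price of stateless filtering with a NAT gateway; if the subnet needs no internet egress, pass `internet_egress=False` and that rule disappears.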

Retrieve VCF credentials and access VCF management appliances

Amazon EVS uses AWS Secrets Manager to create, encrypt, and store managed secrets in your account. These secrets contain the VCF credentials needed to install and access VCF management appliances such as vCenter Server, NSX, and SDDC Manager. For more information about retrieving secrets, see Get secrets from AWS Secrets Manager.

Note

Amazon EVS does not provide managed rotation of your secrets. We recommend that you rotate your secrets regularly on a set rotation window to ensure that secrets are not long-lived.

After you have retrieved your VCF credentials from AWS Secrets Manager, you can use them to log into your VCF management appliances. For more information, see Log in to the SDDC Manager User Interface and How to Use and Configure Your vSphere Client in the VMware product documentation.
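Because Amazon EVS does not rotate these secrets for you, the check that matters is how long each one has gone unchanged. The following Python script is an added example, not part of this guide or of Amazon EVS. It reads the JSON that `aws secretsmanager list-secrets --output json` prints, reports every secret older than your rotation window, and prints the `get-secret-value` command for each. The secret names, ARNs and timestamps in the sample are constructed; the real names that Amazon EVS assigns are not given on this page, so filter `list-secrets` to your environment's secrets before using the output.

```python
"""Age check for the Amazon EVS secrets in AWS Secrets Manager (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `aws secretsmanager list-secrets --output json`.
# The names and ARNs are invented; the timestamps use the ISO 8601 form the CLI prints.
SAMPLE_SECRETS = {
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:us-east-2:111122223333:secret:evs/env-abcde12345/vcenter-AbCdEf",
            "Name": "evs/env-abcde12345/vcenter",
            "CreatedDate": "2025-04-13T13:40:39.355000+00:00",
            "LastChangedDate": "2025-04-13T13:40:39.355000+00:00",
            "RotationEnabled": False,
        },
        {
            "ARN": "arn:aws:secretsmanager:us-east-2:111122223333:secret:evs/env-abcde12345/nsx-GhIjKl",
            "Name": "evs/env-abcde12345/nsx",
            "CreatedDate": "2025-04-13T13:40:39.355000+00:00",
            "LastChangedDate": "2025-06-01T09:00:00+00:00",
            "RotationEnabled": False,
        },
    ]
}


def last_updated(secret):
    """Most recent of the timestamps Secrets Manager exposes for a secret."""
    stamps = [secret[k] for k in ("CreatedDate", "LastChangedDate", "LastRotatedDate") if secret.get(k)]
    return max(datetime.fromisoformat(s) for s in stamps)


def stale_secrets(doc, max_age_days, now=None):
    """Return (name, age_in_days) for every secret older than the rotation window.

    `now` may be an ISO 8601 string (handy for tests and for auditing a saved
    listing) or a timezone-aware datetime; it defaults to the current UTC time.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    stale = []
    for secret in doc.get("SecretList", []):
        age = now - last_updated(secret)
        if age > timedelta(days=max_age_days):
            stale.append((secret["Name"], age.days))
    return stale


def fetch_commands(doc):
    """One get-secret-value command per secret, by ARN so a renamed secret still resolves."""
    return [f"aws secretsmanager get-secret-value --secret-id {s['ARN']} --query SecretString --output text"
            for s in doc.get("SecretList", [])]


if __name__ == "__main__":
    for name, days in stale_secrets(SAMPLE_SECRETS, max_age_days=60):
        print(f"{name}: unchanged for {days} days, rotate it")
    for cmd in fetch_commands(SAMPLE_SECRETS):
        print(cmd)
```

Run it on a schedule with a window that matches your rotation policy; after you change a credential in SDDC Manager, vCenter or NSX, update the corresponding secret with `aws secretsmanager put-secret-value` so the stored copy and the check stay truthful.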

Configure the EC2 Serial Console

By default, Amazon EVS enables the ESXi Shell on newly deployed Amazon EVS hosts. This configuration allows access to the Amazon EC2 instance’s serial port through the EC2 serial console, which you can use to troubleshoot boot, network configuration, and other issues. The serial console does not require your instance to have any networking capabilities. With the serial console, you can enter commands to a running EC2 instance as if your keyboard and monitor are directly attached to the instance’s serial port.

The EC2 serial console can be accessed using the EC2 console or the AWS CLI. For more information, see EC2 Serial Console for instances in the Amazon EC2 User Guide.

Note

The EC2 serial console is the only Amazon EVS-supported mechanism for accessing the Direct Console User Interface (DCUI) to interact with an ESXi host locally.

Note

Amazon EVS disables remote SSH by default. For more information about enabling SSH to access the remote ESXi Shell, see Remote ESXi Shell Access with SSH in the VMware vSphere product documentation.

Connect to the EC2 Serial Console

To connect to the EC2 serial console and use your chosen tool for troubleshooting, certain prerequisite tasks must be completed. For more information, see Prerequisites for the EC2 Serial Console and Connect to the EC2 Serial Console in the Amazon EC2 User Guide.

Note

To connect to the EC2 serial console, your EC2 instance state must be running. You can’t connect to the serial console if the instance is in the pending, stopping, stopped, shutting-down, or terminated state. For more information about instance state changes, see Amazon EC2 instance state change in the Amazon EC2 User Guide.

Configure access to the EC2 Serial Console

To configure access to the EC2 serial console, you or your administrator must grant serial console access at the account level and then configure IAM policies to grant access to your users. For Linux instances, you must also configure a password-based user on every instance so that your users can use the serial console for troubleshooting. For more information, see Configure access to the EC2 Serial Console in the Amazon EC2 User Guide.

Clean up

Follow these steps to delete the AWS resources that were created.

Delete the Amazon EVS hosts and environment

Follow these steps to delete the Amazon EVS hosts and environment. This action deletes the VMware VCF installation that runs in your Amazon EVS environment.

Note

To delete an Amazon EVS environment, you must first delete all hosts within the environment. An environment cannot be deleted if there are hosts associated with the environment.

SDDC UI and Amazon EVS console
  1. Go to the SDDC Manager user interface.

  2. Remove the hosts from the vSphere cluster. This will unassign the hosts from the SDDC domain. Repeat this step for each host in the cluster. For more information, see Remove a Host from a vSphere Cluster in a Workload Domain in the VCF product documentation.

  3. Decommission the unassigned hosts. For more information, see Decommission Hosts in the VCF product documentation.

  4. Go to the Amazon EVS console.

    Note

    Amazon EVS operations triggered from the Amazon EVS console will not generate CloudTrail events.

  5. In the navigation pane, choose Environment.

  6. Select the environment that contains the hosts to delete.

  7. Select the Hosts tab.

  8. Select the host and choose Delete within the Hosts tab. Repeat this step for each host in the environment.

  9. At the top of the Environments page, choose Delete and then Delete environment.

    Note

    Environment deletion also deletes the Amazon EVS VLAN subnets and AWS Secrets Manager secrets that Amazon EVS created. AWS resources that you create are not deleted. These resources may continue to incur costs.

  10. If you have Amazon EC2 Capacity Reservations in place that you no longer require, ensure that you’ve canceled them. For more information, see Cancel a Capacity Reservation in the Amazon EC2 User Guide.

SDDC UI and AWS CLI
  1. Open a terminal session.

  2. Identify the environment that contains the host to delete.

    aws evs list-environments

    The following is a sample response.

    {
        "environmentSummaries": [
            {
                "environmentId": "env-abcde12345",
                "environmentName": "testEnv",
                "vcfVersion": "VCF-5.2.1",
                "environmentState": "CREATED",
                "createdAt": "2025-04-13T14:42:41.430000+00:00",
                "modifiedAt": "2025-04-13T14:43:33.412000+00:00",
                "environmentArn": "arn:aws:evs:us-east-2:111122223333:environment/env-abcde12345"
            },
            {
                "environmentId": "env-edcba54321",
                "environmentName": "testEnv2",
                "vcfVersion": "VCF-5.2.1",
                "environmentState": "CREATED",
                "createdAt": "2025-04-13T13:39:49.546000+00:00",
                "modifiedAt": "2025-04-13T13:52:13.342000+00:00",
                "environmentArn": "arn:aws:evs:us-east-2:111122223333:environment/env-edcba54321"
            }
        ]
    }

  3. Go to the SDDC Manager user interface.

  4. Remove the hosts from the vSphere cluster. This will unassign the hosts from the SDDC domain. Repeat this step for each host in the cluster. For more information, see Remove a Host from a vSphere Cluster in a Workload Domain in the VCF product documentation.

  5. Decommission the unassigned hosts. For more information, see Decommission Hosts in the VCF product documentation.

  6. Delete the hosts from the environment. Below is a sample aws evs delete-environment-host request.

    Note

    To be able to delete an environment, you must first delete all of the hosts that are contained in the environment.

    aws evs delete-environment-host \
      --environment-id env-abcde12345 \
      --host esx01

  7. Repeat the previous steps to delete the remaining hosts in your environment.

  8. Delete the environment.

    aws evs delete-environment --environment-id env-abcde12345

    Note

    Environment deletion also deletes the Amazon EVS VLAN subnets and AWS Secrets Manager secrets that Amazon EVS created. Other AWS resources that you create are not deleted. These resources may continue to incur costs.

  9. If you have Amazon EC2 Capacity Reservations in place that you no longer require, ensure that you’ve canceled them. For more information, see Cancel a Capacity Reservation in the Amazon EC2 User Guide.
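Because the environment cannot be deleted while any host is still attached, it helps to resolve the environment ID and lay out the whole command sequence before running anything. The following added example (not Amazon EVS tooling) does that from the `aws evs list-environments` response shown in step 2 and only builds the command lines from steps 6 through 8; it does not execute them. The host names `esx01` and `esx02` are constructed; the environment names, IDs and ARNs are the page's sample values.

```python
"""Plan a hosts-first tear-down from `aws evs list-environments` output (added example)."""
import json
from typing import List, Tuple

# The sample response from step 2 of this procedure.
LIST_ENVIRONMENTS = """{
    "environmentSummaries": [
        {
            "environmentId": "env-abcde12345",
            "environmentName": "testEnv",
            "vcfVersion": "VCF-5.2.1",
            "environmentState": "CREATED",
            "createdAt": "2025-04-13T14:42:41.430000+00:00",
            "modifiedAt": "2025-04-13T14:43:33.412000+00:00",
            "environmentArn": "arn:aws:evs:us-east-2:111122223333:environment/env-abcde12345"
        },
        {
            "environmentId": "env-edcba54321",
            "environmentName": "testEnv2",
            "vcfVersion": "VCF-5.2.1",
            "environmentState": "CREATED",
            "createdAt": "2025-04-13T13:39:49.546000+00:00",
            "modifiedAt": "2025-04-13T13:52:13.342000+00:00",
            "environmentArn": "arn:aws:evs:us-east-2:111122223333:environment/env-edcba54321"
        }
    ]
}"""


def find_environment_id(list_environments_json: str, name: str) -> str:
    """Resolve an environment name to its ID; refuse unknown or ambiguous names."""
    summaries = json.loads(list_environments_json)["environmentSummaries"]
    matches = [s["environmentId"] for s in summaries if s["environmentName"] == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one environment named {name!r}, found {len(matches)}")
    return matches[0]


def parse_arn(arn: str) -> Tuple[str, str]:
    """Return (region, account) from an environment ARN, for checking you are in the account you expect."""
    parts = arn.split(":")
    return parts[3], parts[4]


def deletion_plan(environment_id: str, hosts: List[str]) -> List[str]:
    """Host deletions first, then the environment, which cannot be deleted while hosts remain."""
    plan = [
        f"aws evs delete-environment-host --environment-id {environment_id} --host {host}"
        for host in hosts
    ]
    plan.append(f"aws evs delete-environment --environment-id {environment_id}")
    return plan


if __name__ == "__main__":
    env_id = find_environment_id(LIST_ENVIRONMENTS, "testEnv")
    for command in deletion_plan(env_id, ["esx01", "esx02"]):  # constructed host names
        print(command)
```

Review the printed plan, confirm the account and region from `parse_arn()` match the account you intend to clean up, and only then run the commands in order; the hosts must also have been removed from the vSphere cluster and decommissioned in SDDC Manager first, as steps 3 through 5 describe.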

Delete the VPC Route Server components

For steps to delete the Amazon VPC Route Server components that you created, see Route Server cleanup in the Amazon VPC User Guide.

Delete the network access control list (ACL)

For steps to delete a network access control list, see Delete a network ACL for your VPC in the Amazon VPC User Guide.

Delete elastic network interfaces

For steps to delete elastic network interfaces, see Delete a network interface in the Amazon EC2 User Guide.

Disassociate and delete subnet route tables

For steps to disassociate and delete subnet route tables, see Subnet route tables in the Amazon VPC User Guide.

Delete subnets

Delete the VPC subnets, including the service access subnet. For steps to delete VPC subnets, see Delete a subnet in the Amazon VPC User Guide.

Note

If you’re using Route 53 for DNS, remove the inbound endpoints before you attempt to delete the service access subnet. Otherwise, you will not be able to delete the service access subnet.

Note

Amazon EVS deletes the VLAN subnets on your behalf when the environment is deleted. Amazon EVS VLAN subnets can only be deleted when the environment is deleted.

Delete the VPC

For steps to delete the VPC, see Delete your VPC in the Amazon VPC User Guide.

Next steps

Migrate your workloads to Amazon EVS using VMware Hybrid Cloud Extension (VMware HCX). For more information, see Migrate workloads to Amazon EVS using VMware Hybrid Cloud Extension (VMware HCX).