EVS HCX Migration & Connectivity

This migration guide for Amazon Elastic VMware Service demonstrates VMware HCX deployment with private or public internet connectivity for workload migration to AWS. The guide addresses a dual-audience challenge: AWS architects need VMware HCX context, while VMware administrators need AWS networking guidance spanning VPC, Transit Gateway, AWS Direct Connect, Site-to-Site VPN, IPAM, and Elastic IP configuration. I worked with EVS product and engineering teams throughout 2024-2025 to develop the migration guide, performing in-depth cross-service research to document public internet connectivity as an alternative to private dedicated connections. The documentation strategy compares architectural trade-offs between connectivity options and surfaces Elastic IP association requirements upfront, addressing customer decision-making needs before deployment. This work shipped with the EVS HCX public connectivity feature launch in Q3 2025.

Deliverables & Impact

Documentation Produced:

HCX migration workflow with connectivity architecture options
Private connectivity architecture (AWS Direct Connect, Site-to-Site VPN)
Public connectivity architecture with EIP association procedures
Connectivity decision framework (comparison table)
Network ACL and route table configuration guidance

Strategic Impact:

Cost Optimization: Enabled a lower-cost migration tier by documenting the “Public Internet” path, removing the barrier of expensive Direct Connect circuits for smaller customers.
Architectural Enablement: Documented critical trade-offs between private and public connectivity, providing the technical decision matrix used to validate customer deployment models.

Documentation Samples

Live Documentation:

Documentation excerpt (curated)

HCX connectivity options

You can migrate workloads to Amazon EVS using private connectivity with AWS Direct Connect or Site-to-Site VPN connection, or using public connectivity.

Depending on your situation and connectivity options, you may prefer to use public or private connectivity with HCX. For example, some sites may have private connectivity with greater performance consistency, but lower throughput due to VPN encryption or limited link speeds. Likewise, you may have high throughput public internet connectivity that has more variance in performance. With Amazon EVS, you have the choice to use whichever connectivity option works best for you.

The following table compares the differences between HCX private and public connectivity.

Aspect	Private connectivity	Public connectivity
Overview	Uses only private connections within the VPC. You can optionally use AWS Direct Connect or Site-to-Site VPN with a transit gateway for external network connectivity.	Uses public internet connectivity with Elastic IP addresses, enabling migrations without a dedicated private connection.
Best suited for	• Time-sensitive vMotion operations • Large-scale migrations • Applications sensitive to latency/jitter • High-volume data transfers • Organizations with existing AWS Direct Connect/AWS Site-to-Site VPN	• Locations without AWS Direct Connect/AWS Site-to-Site VPN • Cost-sensitive projects
Key benefits	• Consistent low-latency connectivity • Dedicated bandwidth allocation • More reliable network performance • Default HCX encryption can be disabled for private environments to optimize performance • No public IP management required	• Faster setup than private connectivity • Cost-effective for smaller migrations
Key considerations	• More complex initial setup • Higher upfront infrastructure costs • Longer implementation timeline • No direct internet connectivity for any HCX component	• More variable network performance • Bandwidth limitations are possible • Higher latency than private connectivity • Each component requires a dedicated Elastic IP address allocated from the public IPAM pool • EIP associations enable direct internet connectivity for each HCX component

HCX private connectivity architecture

The HCX private connectivity solution integrates several components:

Amazon EVS network components:

Uses only private VLAN subnets for secure communication, including a private HCX VLAN.
Supports network ACLs for traffic control.
Supports dynamic BGP propagation of routes through a private VPC route server.

AWS managed network transit options for on-premises connectivity:

AWS Direct Connect + AWS Transit Gateway enables you to connect your on-premises network to Amazon EVS over a private dedicated connection. For more information, see AWS Direct Connect + AWS Transit Gateway.
AWS Site-to-Site VPN + AWS Transit Gateway enables you to connect your on-premises network to Amazon EVS over an encrypted IPsec VPN tunnel. For more information, see AWS Site-to-Site VPN + AWS Transit Gateway.

HCX public internet connectivity architecture

HCX networking requirements and DNAT

HCX has specific networking constraints that affect how you set up public internet access.

HCX does not support Destination Network Address Translation (DNAT). Instead, HCX requires the uplink network to be routable with a default gateway IP address.

Amazon EVS VLAN subnets include a default gateway IP address like other VPC subnets. However, these subnets are always private subnets, even when you use CIDR blocks outside the RFC1918 address range.

Enabling HCX internet connectivity

To enable internet connectivity without DNAT, Amazon EVS uses a specific CIDR configuration approach:

Internet routable CIDR requirement: Amazon EVS requires an internet routable CIDR that matches your HCX VLAN subnet CIDR.
IPAM allocation: Amazon EVS uses a public IPAM-allocated CIDR with a minimum netmask length of /28 as the internet routable CIDR.
VPC configuration: You must manually add the public IPAM-allocated CIDR to your VPC as a secondary VPC CIDR.
VLAN subnet deployment: After IPAM and VPC are configured, you can use the public IPAM-allocated CIDR in the HCX VLAN subnet during Amazon EVS deployment.
Elastic IP configuration: Amazon EVS requires the following configuration:
- Allocate Elastic IPs: You allocate Elastic IPs from the IPAM allocated CIDR. You must allocate at least two Elastic IP addresses (EIPs) from the IPAM pool for the HCX Manager and HCX Interconnect (HCX-IX) appliances. Allocate an additional Elastic IP address for each HCX network appliance that you need to deploy.
- Associate with VLAN: You associate each Elastic IP that you want to use with an HCX appliance to the HCX VLAN subnet. Use the Amazon EVS console or AWS CLI for this association.
- Configure gateway address: The first usable address from the CIDR becomes the gateway address that you configure in your HCX appliance.
- Traffic routing: Traffic for each associated Elastic IP routes directly to the destination HCX appliance with the same IP address, without DNAT.

For steps to configure HCX with internet connectivity for Amazon EVS environment deployment, see Setting up Amazon Elastic VMware Service and Getting started with Amazon Elastic VMware Service.

Operation considerations

The HCX public VLAN CIDR block must have a /28 netmask length.
EIPs can be associated with or disassociated from the HCX public VLAN after deployment using the Amazon EVS console or AWS CLI, but they must be from the same IPAM pool.
Each EIP association has its own unique association ID.
You can have up to 13 EIPs from a public IPAM pool associated with the /28 HCX public VLAN. You cannot associate the first two EIPs or the last EIP from the public IPAM-allocated CIDR block with the HCX public VLAN subnet. These EIPs are reserved as network, default gateway, and broadcast addresses and cannot be associated with the VLAN.

Security considerations

Network access control lists (ACLs) still apply to traffic flowing through the HCX public VLAN subnet.
Security group rules do not apply to traffic on HCX public VLAN subnets. Use network ACLs for traffic control.

Associate an Elastic IP address with HCX VLAN

Prerequisites

Ensure that you have the following:

Elastic IP address is allocated from the Amazon-owned public IPAM pool.
Amazon EVS environment is already created.

Associate EIP using AWS CLI

To associate an Elastic IP address with a VLAN, use the example associate-eip-to-vlan command.

environment-id - The ID of your Amazon EVS environment.
vlan-name - Must be hcx. Amazon EVS only supports EIP association with the HCX VLAN at this time.
allocation-id - The allocation ID of the Elastic IP address.

aws evs associate-eip-to-vlan \
  --environment-id "env-xxxxxxxxxx" \
  --vlan-name "hcx" \
  --allocation-id "eipalloc-xxxxxxxxxxxxxxxxx"