[ aws . evs ]

create-environment

Description

Creates an Amazon EVS environment that runs VCF software, such as SDDC Manager, NSX Manager, and vCenter Server.

During environment creation, Amazon EVS performs validations on DNS settings, provisions VLAN subnets and hosts, and deploys the supplied version of VCF.

It can take several hours to create an environment. After the deployment completes, you can configure VCF according to your unique requirements.

Note

You cannot use the dedicatedHostId and placementGroupId parameters together in the same CreateEnvironment action. This results in a ValidationException response.

Note

EC2 instances created through Amazon EVS do not support associating an IAM instance profile.

See also: AWS API Documentation

Synopsis

  create-environment
[--client-token <value>]
[--environment-name <value>]
[--kms-key-id <value>]
[--tags <value>]
[--service-access-security-groups <value>]
--vpc-id <value>
--service-access-subnet-id <value>
--vcf-version <value>
--terms-accepted | --no-terms-accepted
--license-info <value>
--initial-vlans <value>
--hosts <value>
--connectivity-info <value>
--vcf-hostnames <value>
--site-id <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Options

--client-token (string)

Note

This parameter is not used in Amazon EVS currently. If you supply input for this parameter, it will have no effect.

A unique, case-sensitive identifier that you provide to ensure the idempotency of the environment creation request. If you do not specify a client token, a randomly generated token is used for the request to ensure idempotency.

--environment-name (string)

The name to give to your environment. The name can contain only alphanumeric characters (case-sensitive), hyphens, and underscores. It must start with an alphanumeric character, and can’t be longer than 100 characters. The name must be unique within the Amazon Web Services Region and Amazon Web Services account that you’re creating the environment in.

--kms-key-id (string)

A unique ID for the customer-managed KMS key that is used to encrypt the VCF credential pairs for SDDC Manager, NSX Manager, and vCenter appliances. These credentials are stored in Amazon Web Services Secrets Manager.

--tags (map)

Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don’t propagate to any other cluster or Amazon Web Services resources.

key -> (string)

value -> (string)

Shorthand Syntax:

KeyName1=string,KeyName2=string

JSON Syntax:

{"string": "string"
  ...}

--service-access-security-groups (structure)

The security group that controls communication between the Amazon EVS control plane and VPC. The default security group is used if a custom security group isn’t specified.

The security group should allow access to the following.

  • TCP/UDP access to the DNS servers
  • HTTPS/SSH access to the host management VLAN subnet
  • HTTPS/SSH access to the Management VM VLAN subnet

You should avoid modifying the security group rules after deployment, as this can break the persistent connection between the Amazon EVS control plane and VPC. This can cause future environment actions like adding or removing hosts to fail.

securityGroups -> (list)

The security groups that allow service access.

(string)

Shorthand Syntax:

securityGroups=string,string

JSON Syntax:

{
  "securityGroups": ["string", ...]
}
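The rule list above is short, but a security group that is too loose leaves the control-plane path open to anything in the VPC, and one that is edited after deployment breaks host add/remove operations. The following added example (not AWS or Amazon EVS code) builds the minimal egress set the page describes as EC2 `IpPermissions` entries and audits a rule set read back from `describe-security-groups` against it, reporting missing rules, drift, and any rule open to all destinations or all protocols. Assumptions, labelled in the code: the rules are egress (the control plane initiates the connections), "TCP/UDP access to the DNS servers" means port 53, the two VLAN subnets map to `initialVlans.vmkManagement` and `initialVlans.vmManagement`, and the DNS server addresses, CIDRs and sample live rule set are constructed values.

```python
"""Derive and audit egress rules for the Amazon EVS service access security group.

Added example, not AWS code. expected_rules() builds the minimal egress set the
reference page describes (TCP/UDP to the DNS servers, HTTPS/SSH to the host
management and Management VM VLAN subnets); audit_rules() diffs it against rules
read back from describe-security-groups and flags drift and over-broad entries.
Assumed: rules are egress, DNS is port 53, the VLANs are vmkManagement and
vmManagement; DNS_SERVERS, VMK_CIDR, VM_CIDR and the sample live set are constructed.
"""
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, int, int, str]  # (IpProtocol, FromPort, ToPort, CidrIp)

DNS_SERVERS = ["10.0.0.2", "10.0.0.3"]  # constructed: DNS servers from the VPC DHCP option set
VMK_CIDR = "10.10.0.0/24"               # constructed: initialVlans.vmkManagement.cidr
VM_CIDR = "10.10.1.0/24"                # constructed: initialVlans.vmManagement.cidr


def expected_rules(dns_servers: List[str], vmk_cidr: str, vm_cidr: str) -> List[dict]:
    """Minimal egress IpPermissions the service access group needs, and nothing more."""
    dns = [{"CidrIp": f"{ip}/32", "Description": "DHCP option set DNS server"} for ip in dns_servers]
    mgmt = [{"CidrIp": vmk_cidr, "Description": "host management VLAN (vmkManagement)"},
            {"CidrIp": vm_cidr, "Description": "Management VM VLAN (vmManagement)"}]
    perms = [{"IpProtocol": p, "FromPort": 53, "ToPort": 53, "IpRanges": dns} for p in ("tcp", "udp")]
    perms += [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": mgmt} for port in (443, 22)]
    return perms


def flatten(perms: List[dict]) -> Set[Rule]:
    """Normalise IpPermissions into hashable tuples; all-traffic rules ("-1") carry no ports."""
    rules: Set[Rule] = set()
    for p in perms:
        proto = p.get("IpProtocol", "-1")
        for r in p.get("IpRanges", []):
            rules.add((proto, p.get("FromPort", -1), p.get("ToPort", -1), r["CidrIp"]))
    return rules


def audit_rules(actual: List[dict], expected: List[dict]) -> Dict[str, List[Rule]]:
    """Compare live rules with the expected minimum.

    missing    -> required access is gone; validations and host add/remove will fail
    unexpected -> drift from the documented minimum, worth investigating
    broad      -> rules open to any destination or to all protocols
    """
    a, e = flatten(actual), flatten(expected)
    broad = [r for r in a if r[3] in ("0.0.0.0/0", "::/0") or r[0] == "-1"]
    return {"missing": sorted(e - a), "unexpected": sorted(a - e), "broad": sorted(broad)}


def sample_live_egress() -> List[dict]:
    """Constructed IpPermissionsEgress as describe-security-groups would return it:
    the default allow-all egress is still present and the UDP DNS rule was removed."""
    kept = [p for p in expected_rules(DNS_SERVERS, VMK_CIDR, VM_CIDR) if p["IpProtocol"] != "udp"]
    return kept + [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


if __name__ == "__main__":
    report = audit_rules(sample_live_egress(), expected_rules(DNS_SERVERS, VMK_CIDR, VM_CIDR))
    for kind, rules in report.items():
        for proto, frm, to, cidr in rules:
            ports = "all" if frm == -1 else f"{frm}-{to}"
            print(f"{kind:10s} {proto:>4s} {ports:>8s} -> {cidr}")
```

Feed `audit_rules()` the `IpPermissionsEgress` list of the group named in `--service-access-security-groups` and run it on a schedule: a non-empty `missing` list explains failing environment actions, and a non-empty `unexpected` or `broad` list is the post-deployment modification the page tells you to avoid.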

--vpc-id (string)

A unique ID for the VPC that connects to the environment control plane for service access.

Amazon EVS requires that all VPC subnets exist in a single Availability Zone in a Region where the service is available.

The VPC that you select must have a valid DHCP option set with domain name, at least two DNS servers, and an NTP server. These settings are used to configure your VCF appliances and hosts.

If you plan to use HCX over the internet, choose a VPC that has a primary CIDR block and a /28 secondary CIDR block from an IPAM pool. Make sure that your VPC also has an attached internet gateway.

Amazon EVS does not support the following Amazon Web Services networking options for NSX overlay connectivity: cross-Region VPC peering, Amazon S3 gateway endpoints, or Amazon Web Services Direct Connect virtual private gateway associations.

--service-access-subnet-id (string)

The subnet that is used to establish connectivity between the Amazon EVS control plane and VPC. Amazon EVS uses this subnet to validate mandatory DNS records for your VCF appliances and hosts and create the environment.

--vcf-version (string)

The VCF version to use for the environment. Amazon EVS only supports VCF version 5.2.1 at this time.

Possible values:

  • VCF-5.2.1

--terms-accepted | --no-terms-accepted (boolean)

Customer confirmation that the customer has purchased and maintains sufficient VCF software licenses to cover all physical processor cores in the environment, in compliance with VMware’s licensing requirements and terms of use.

--license-info (list)

The license information that Amazon EVS requires to create an environment. Amazon EVS requires two license keys: a VCF solution key and a vSAN license key. VCF licenses must have sufficient core entitlements to cover vCPU core and vSAN storage capacity needs.

VCF licenses can be used for only one Amazon EVS environment. Amazon EVS does not support reuse of VCF licenses for multiple environments.

VCF license information can be retrieved from the Broadcom portal.

(structure)

The license information that Amazon EVS requires to create an environment. Amazon EVS requires two license keys: a VCF solution key and a vSAN license key.

solutionKey -> (string)

The VCF solution key. This license unlocks VMware VCF product features, including vSphere, NSX, SDDC Manager, and vCenter Server.

vsanKey -> (string)

The vSAN license key. This license unlocks vSAN features.

Shorthand Syntax:

solutionKey=string,vsanKey=string ...

JSON Syntax:

[
  {
    "solutionKey": "string",
    "vsanKey": "string"
  }
  ...
]

--initial-vlans (structure)

The initial VLAN subnets for the environment. You must specify a non-overlapping CIDR block for each VLAN subnet.

vmkManagement -> (structure)

The VMkernel management VLAN subnet. This VLAN subnet carries traffic for managing ESXi hosts and communicating with VMware vCenter Server.

cidr -> (string)

The CIDR block that you provide to create a VLAN subnet. VLAN CIDR blocks must not overlap with other subnets in the VPC.

vmManagement -> (structure)

The VM management VLAN subnet. This VLAN subnet carries traffic for vSphere virtual machines.

cidr -> (string)

The CIDR block that you provide to create a VLAN subnet. VLAN CIDR blocks must not overlap with other subnets in the VPC.

vMotion -> (structure)

The vMotion VLAN subnet. This VLAN subnet carries traffic for vSphere vMotion.

cidr -> (string)

The CIDR block that you provide to create a VLAN subnet. VLAN CIDR blocks must not overlap with other subnets in the VPC.

vSan -> (structure)

The vSAN VLAN subnet. This VLAN subnet carries the communication between ESXi hosts to implement a vSAN shared storage pool.

cidr -> (string)

The CIDR block that you provide to create a VLAN subnet. VLAN CIDR blocks must not overlap with other subnets in the VPC.

vTep -> (structure)

The VTEP VLAN subnet. This VLAN subnet handles internal network traffic between virtual machines within a VCF instance.

cidr -> (string)

The CIDR block that you provide to create a VLAN subnet. VLAN CIDR blocks must not overlap with other subnets in the VPC.

edgeVTep -> (structure)

The edge VTEP VLAN subnet. This VLAN subnet manages traffic flowing between the internal network and external networks, including internet access and other site connections.

cidr -> (string)

The CIDR block that you provide to create a VLAN subnet. VLAN CIDR blocks must not overlap with other subnets in the VPC.

nsxUplink -> (structure)

The NSX uplink VLAN subnet. This VLAN subnet allows connectivity to the NSX overlay network.

cidr -> (string)

The CIDR block that you provide to create a VLAN subnet. VLAN CIDR blocks must not overlap with other subnets in the VPC.

hcx -> (structure)

The HCX VLAN subnet. This VLAN subnet allows the HCX Interconnect (IX) and HCX Network Extension (NE) to reach their peers and enable HCX Service Mesh creation.

cidr -> (string)

The CIDR block that you provide to create a VLAN subnet. VLAN CIDR blocks must not overlap with other subnets in the VPC.

expansionVlan1 -> (structure)

An additional VLAN subnet that can be used to extend VCF capabilities once configured. For example, you can configure an expansion VLAN subnet to use NSX Federation for centralized management and synchronization of multiple NSX deployments across different locations.

cidr -> (string)

The CIDR block that you provide to create a VLAN subnet. VLAN CIDR blocks must not overlap with other subnets in the VPC.

expansionVlan2 -> (structure)

An additional VLAN subnet that can be used to extend VCF capabilities once configured. For example, you can configure an expansion VLAN subnet to use NSX Federation for centralized management and synchronization of multiple NSX deployments across different locations.

cidr -> (string)

The CIDR block that you provide to create a VLAN subnet. VLAN CIDR blocks must not overlap with other subnets in the VPC.

Shorthand Syntax:

vmkManagement={cidr=string},vmManagement={cidr=string},vMotion={cidr=string},vSan={cidr=string},vTep={cidr=string},edgeVTep={cidr=string},nsxUplink={cidr=string},hcx={cidr=string},expansionVlan1={cidr=string},expansionVlan2={cidr=string}

JSON Syntax:

{
  "vmkManagement": {
    "cidr": "string"
  },
  "vmManagement": {
    "cidr": "string"
  },
  "vMotion": {
    "cidr": "string"
  },
  "vSan": {
    "cidr": "string"
  },
  "vTep": {
    "cidr": "string"
  },
  "edgeVTep": {
    "cidr": "string"
  },
  "nsxUplink": {
    "cidr": "string"
  },
  "hcx": {
    "cidr": "string"
  },
  "expansionVlan1": {
    "cidr": "string"
  },
  "expansionVlan2": {
    "cidr": "string"
  }
}

--hosts (list)

The ESXi hosts to add to the environment. Amazon EVS requires that you provide details for a minimum of 4 hosts during environment creation.

For each host, you must provide the desired hostname, EC2 SSH key, and EC2 instance type. Optionally, you can also provide a partition or cluster placement group to use, or use Amazon EC2 Dedicated Hosts.

(structure)

An object that represents a host.

Note

You cannot use dedicatedHostId and placementGroupId together in the same HostInfoForCreate object. This results in a ValidationException response.

hostName -> (string)

The DNS hostname of the host. DNS hostnames for hosts must be unique across Amazon EVS environments and within VCF.

keyName -> (string)

The name of the SSH key that is used to access the host.

instanceType -> (string)

The EC2 instance type that represents the host.

placementGroupId -> (string)

The unique ID of the placement group where the host is placed.

dedicatedHostId -> (string)

The unique ID of the Amazon EC2 Dedicated Host.

Shorthand Syntax:

hostName=string,keyName=string,instanceType=string,placementGroupId=string,dedicatedHostId=string ...

JSON Syntax:

[
  {
    "hostName": "string",
    "keyName": "string",
    "instanceType": "i4i.metal",
    "placementGroupId": "string",
    "dedicatedHostId": "string"
  }
  ...
]

--connectivity-info (structure)

The connectivity configuration for the environment. Amazon EVS requires that you specify two route server peer IDs. During environment creation, the route server endpoints peer with the NSX edges over the NSX uplink VLAN, providing BGP dynamic routing for overlay networks.

privateRouteServerPeerings -> (list)

The unique IDs for private route server peers.

(string)

Shorthand Syntax:

privateRouteServerPeerings=string,string

JSON Syntax:

{
  "privateRouteServerPeerings": ["string", ...]
}

--vcf-hostnames (structure)

The DNS hostnames for the virtual machines that host the VCF management appliances. Amazon EVS requires that you provide DNS hostnames for the following appliances: vCenter, NSX Manager, SDDC Manager, and Cloud Builder.

vCenter -> (string)

The VMware vCenter hostname.

nsx -> (string)

The VMware NSX hostname.

nsxManager1 -> (string)

The hostname for the first VMware NSX Manager virtual machine (VM).

nsxManager2 -> (string)

The hostname for the second VMware NSX Manager virtual machine (VM).

nsxManager3 -> (string)

The hostname for the third VMware NSX Manager virtual machine (VM).

nsxEdge1 -> (string)

The hostname for the first NSX Edge node.

nsxEdge2 -> (string)

The hostname for the second NSX Edge node.

sddcManager -> (string)

The hostname for SDDC Manager.

cloudBuilder -> (string)

The hostname for VMware Cloud Builder.

Shorthand Syntax:

vCenter=string,nsx=string,nsxManager1=string,nsxManager2=string,nsxManager3=string,nsxEdge1=string,nsxEdge2=string,sddcManager=string,cloudBuilder=string

JSON Syntax:

{
  "vCenter": "string",
  "nsx": "string",
  "nsxManager1": "string",
  "nsxManager2": "string",
  "nsxManager3": "string",
  "nsxEdge1": "string",
  "nsxEdge2": "string",
  "sddcManager": "string",
  "cloudBuilder": "string"
}

--site-id (string)

The Broadcom Site ID that is allocated to you as part of your electronic software delivery. This ID allows customer access to the Broadcom portal, and is provided to you by Broadcom at the close of your software contract or contract renewal. Amazon EVS uses the Broadcom Site ID that you provide to meet Broadcom VCF license usage reporting requirements for Amazon EVS.

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.
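Because a deployment takes several hours and several of the constraints above (non-overlapping VLAN CIDRs, 4 to 16 hosts, the dedicatedHostId/placementGroupId exclusion, exactly two route server peers, a hostname for every appliance) are only checked by the service, it pays to validate the --cli-input-json document locally first. The following added example (not AWS CLI or Amazon EVS code) does that pre-flight check on the skeleton JSON. It assumes the skeleton keys follow the camelCase names shown in the Output section (`initialVlans` is inferred from the `--initial-vlans` option name), and the sample document it ships with is constructed from placeholder IDs, hostnames and CIDRs.

```python
"""Offline pre-flight validation of an `aws evs create-environment` input document.

Added example, not AWS code. It applies the constraints stated on the reference
page to the JSON that would be passed via --cli-input-json, so a bad document is
rejected locally rather than hours into a deployment. Assumed: skeleton keys use
the camelCase of the Output section ("initialVlans" is inferred); sample_request()
is constructed with placeholder IDs, hostnames and CIDRs.
"""
import ipaddress
import json
import re
import sys
from typing import List

VLAN_KEYS = ["vmkManagement", "vmManagement", "vMotion", "vSan", "vTep",
             "edgeVTep", "nsxUplink", "hcx", "expansionVlan1", "expansionVlan2"]
HOSTNAME_KEYS = ["vCenter", "nsx", "nsxManager1", "nsxManager2", "nsxManager3",
                 "nsxEdge1", "nsxEdge2", "sddcManager", "cloudBuilder"]
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,99}$")  # alphanumeric start, max 100 chars
SUPPORTED_VCF_VERSIONS = {"VCF-5.2.1"}
MIN_HOSTS, MAX_HOSTS = 4, 16


def validate_environment_request(doc: dict) -> List[str]:
    """Return human-readable problems; an empty list means the document passed."""
    problems: List[str] = []
    name = doc.get("environmentName")
    if name is not None and not NAME_RE.match(name):
        problems.append(f"environmentName {name!r}: alphanumeric/-/_ only, alphanumeric first, max 100 chars")
    if doc.get("vcfVersion") not in SUPPORTED_VCF_VERSIONS:
        problems.append(f"vcfVersion must be one of {sorted(SUPPORTED_VCF_VERSIONS)}")
    if doc.get("termsAccepted") is not True:
        problems.append("termsAccepted must be true")
    for field in ("vpcId", "serviceAccessSubnetId", "siteId"):
        if not doc.get(field):
            problems.append(f"{field} is required")
    # licenseInfo: each entry needs both the solution key and the vSAN key.
    licenses = doc.get("licenseInfo") or []
    if not licenses or any(not (lic.get("solutionKey") and lic.get("vsanKey")) for lic in licenses):
        problems.append("licenseInfo needs at least one entry with both solutionKey and vsanKey")
    # initialVlans: every VLAN present, a valid network address, no two overlapping.
    vlans = doc.get("initialVlans") or {}
    nets = {}
    for key in VLAN_KEYS:
        cidr = (vlans.get(key) or {}).get("cidr")
        if not cidr:
            problems.append(f"initialVlans.{key}.cidr is missing")
            continue
        try:
            nets[key] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"initialVlans.{key}.cidr {cidr!r}: {exc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"initialVlans {a} ({nets[a]}) and {b} ({nets[b]}) overlap")
    # hosts: 4-16 entries, required fields, unique names, no dedicated-host + placement-group pair.
    hosts = doc.get("hosts") or []
    if not MIN_HOSTS <= len(hosts) <= MAX_HOSTS:
        problems.append(f"hosts must contain between {MIN_HOSTS} and {MAX_HOSTS} entries, got {len(hosts)}")
    seen = set()
    for idx, h in enumerate(hosts):
        for field in ("hostName", "keyName", "instanceType"):
            if not h.get(field):
                problems.append(f"hosts[{idx}].{field} is required")
        if h.get("dedicatedHostId") and h.get("placementGroupId"):
            problems.append(f"hosts[{idx}]: dedicatedHostId and placementGroupId cannot be combined (ValidationException)")
        if h.get("hostName") in seen:
            problems.append(f"hosts[{idx}].hostName {h['hostName']!r} is duplicated")
        seen.add(h.get("hostName"))
    # connectivityInfo: exactly two route server peer IDs.
    peers = (doc.get("connectivityInfo") or {}).get("privateRouteServerPeerings") or []
    if len(peers) != 2:
        problems.append(f"connectivityInfo.privateRouteServerPeerings must list exactly 2 peers, got {len(peers)}")
    # vcfHostnames: every management appliance needs a hostname.
    missing = [k for k in HOSTNAME_KEYS if not (doc.get("vcfHostnames") or {}).get(k)]
    if missing:
        problems.append(f"vcfHostnames missing: {', '.join(missing)}")
    return problems


def sample_request() -> dict:
    """Constructed sample document (placeholder IDs, names and CIDRs) that passes validation."""
    return {
        "environmentName": "evs-prod-01",
        "vpcId": "vpc-PLACEHOLDER",
        "serviceAccessSubnetId": "subnet-PLACEHOLDER",
        "vcfVersion": "VCF-5.2.1",
        "termsAccepted": True,
        "licenseInfo": [{"solutionKey": "SOLUTION-KEY-PLACEHOLDER", "vsanKey": "VSAN-KEY-PLACEHOLDER"}],
        "initialVlans": {k: {"cidr": f"10.10.{i}.0/24"} for i, k in enumerate(VLAN_KEYS)},
        "hosts": [{"hostName": f"esxi{n:02d}.example.internal", "keyName": "evs-host-key",
                   "instanceType": "i4i.metal"} for n in range(1, 5)],
        "connectivityInfo": {"privateRouteServerPeerings": ["rsp-PLACEHOLDER-1", "rsp-PLACEHOLDER-2"]},
        "vcfHostnames": {k: f"{k.lower()}.example.internal" for k in HOSTNAME_KEYS},
        "siteId": "SITE-ID-PLACEHOLDER",
    }


if __name__ == "__main__":
    # Usage: python evs_preflight.py [input.json]; exits non-zero when problems are found.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else sample_request()
    issues = validate_environment_request(doc)
    for issue in issues:
        print("FAIL:", issue)
    print("document OK" if not issues else f"{len(issues)} problem(s) found")
    sys.exit(1 if issues else 0)
```

Generate the document with `--generate-cli-skeleton input`, fill it in, run the script against the file, and only then pass it to `create-environment --cli-input-json file://input.json`. The checks mirror the page's stated constraints; they do not replace the DNS validations the service performs during creation.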

Global Options

--debug (boolean)

Turn on debug logging.

--endpoint-url (string)

Override the command's default URL with the given URL.

--no-verify-ssl (boolean)

By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.

--no-paginate (boolean)

Disable automatic pagination. If automatic pagination is disabled, the AWS CLI will only make one call, for the first page of results.

--output (string)

The formatting style for command output.

  • json
  • text
  • table
  • yaml
  • yaml-stream

--query (string)

A JMESPath query to use in filtering the response data.

--profile (string)

Use a specific profile from your credential file.

--region (string)

The region to use. Overrides config/env settings.

--version (string)

Display the version of this tool.

--color (string)

Turn on/off color output.

  • on
  • off
  • auto

--no-sign-request (boolean)

Do not sign requests. Credentials will not be loaded if this argument is provided.

--ca-bundle (string)

The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.

--cli-read-timeout (int)

The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.

--cli-connect-timeout (int)

The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.

--cli-binary-format (string)

The formatting style to be used for binary blobs. The default format is base64. The base64 format expects binary blobs to be provided as a base64 encoded string. The raw-in-base64-out format preserves compatibility with AWS CLI V1 behavior, and binary values must be passed literally. When providing contents from a file that map to a binary blob, fileb:// will always be treated as binary and use the file contents directly regardless of the cli-binary-format setting. When using file://, the file contents will need to be properly formatted for the configured cli-binary-format.

  • base64
  • raw-in-base64-out

--no-cli-pager (boolean)

Disable cli pager for output.

--cli-auto-prompt (boolean)

Automatically prompt for CLI input parameters.

--no-cli-auto-prompt (boolean)

Disable automatic prompting for CLI input parameters.

Output

environment -> (structure)

A description of the created environment.

environmentId -> (string)

The unique ID for the environment.

environmentState -> (string)

The state of an environment.

stateDetails -> (string)

A detailed description of the environmentState of an environment.

createdAt -> (timestamp)

The date and time that the environment was created.

modifiedAt -> (timestamp)

The date and time that the environment was modified.

environmentArn -> (string)

The Amazon Resource Name (ARN) that is associated with the environment.

environmentName -> (string)

The name of the environment.

vpcId -> (string)

The VPC associated with the environment.

serviceAccessSubnetId -> (string)

The subnet that is used to establish connectivity between the Amazon EVS control plane and VPC. Amazon EVS uses this subnet to perform validations and create the environment.

vcfVersion -> (string)

The VCF version of the environment.

termsAccepted -> (boolean)

Customer confirmation that the customer has purchased and maintains sufficient VCF software licenses to cover all physical processor cores in the environment, in compliance with VMware’s licensing requirements and terms of use.

licenseInfo -> (list)

The license information that Amazon EVS requires to create an environment. Amazon EVS requires two license keys: a VCF solution key and a vSAN license key.

(structure)

The license information that Amazon EVS requires to create an environment. Amazon EVS requires two license keys: a VCF solution key and a vSAN license key.

solutionKey -> (string)

The VCF solution key. This license unlocks VMware VCF product features, including vSphere, NSX, SDDC Manager, and vCenter Server.

vsanKey -> (string)

The vSAN license key. This license unlocks vSAN features.

siteId -> (string)

The Broadcom Site ID that is associated with your Amazon EVS environment. Amazon EVS uses the Broadcom Site ID that you provide to meet Broadcom VCF license usage reporting requirements for Amazon EVS.

environmentStatus -> (string)

Reports impaired functionality that stems from issues internal to the environment, such as impaired reachability.

checks -> (list)

A check on the environment to identify instance health and VMware VCF licensing issues.

(structure)

A check on the environment to identify environment health and validate VMware VCF licensing compliance.

type -> (string)

The check type. Amazon EVS performs the following checks.

  • KEY_REUSE : checks that the VCF license key is not used by another Amazon EVS environment. This check fails if a used license is added to the environment.
  • KEY_COVERAGE : checks that your VCF license key allocates sufficient vCPU cores for all deployed hosts. The check fails when any assigned hosts in the EVS environment are not covered by license keys, or when any unassigned hosts cannot be covered by available vCPU cores in keys.
  • REACHABILITY : checks that the Amazon EVS control plane has a persistent connection to SDDC Manager. If Amazon EVS cannot reach the environment, this check fails.
  • HOST_COUNT : checks that your environment has a minimum of 4 hosts, which is a requirement for VCF 5.2.1. If this check fails, you will need to add hosts so that your environment meets this minimum requirement. Amazon EVS only supports environments with 4-16 hosts.

result -> (string)

The check result.

impairedSince -> (timestamp)

The time when environment health began to be impaired.

connectivityInfo -> (structure)

The connectivity configuration for the environment. Amazon EVS requires that you specify two route server peer IDs. During environment creation, the route server endpoints peer with the NSX uplink VLAN for connectivity to the NSX overlay network.

privateRouteServerPeerings -> (list)

The unique IDs for private route server peers.

(string)

vcfHostnames -> (structure)

The DNS hostnames to be used by the VCF management appliances in your environment.

For environment creation to be successful, each hostname entry must resolve to a domain name that you’ve registered in your DNS service of choice and configured in the DHCP option set of your VPC. DNS hostnames cannot be changed after environment creation has started.

vCenter -> (string)

The VMware vCenter hostname.

nsx -> (string)

The VMware NSX hostname.

nsxManager1 -> (string)

The hostname for the first VMware NSX Manager virtual machine (VM).

nsxManager2 -> (string)

The hostname for the second VMware NSX Manager virtual machine (VM).

nsxManager3 -> (string)

The hostname for the third VMware NSX Manager virtual machine (VM).

nsxEdge1 -> (string)

The hostname for the first NSX Edge node.

nsxEdge2 -> (string)

The hostname for the second NSX Edge node.

sddcManager -> (string)

The hostname for SDDC Manager.

cloudBuilder -> (string)

The hostname for VMware Cloud Builder.

kmsKeyId -> (string)

The Amazon Web Services KMS key ID that Amazon Web Services Secrets Manager uses to encrypt secrets that are associated with the environment. These secrets contain the VCF credentials that are needed to install vCenter Server, NSX, and SDDC Manager.

By default, Amazon EVS uses the Amazon Web Services Secrets Manager managed key aws/secretsmanager. You can also specify a customer managed key.

serviceAccessSecurityGroups -> (structure)

The security groups that allow traffic between the Amazon EVS control plane and your VPC for service access. If a security group is not specified, Amazon EVS uses the default security group in your account for service access.

securityGroups -> (list)

The security groups that allow service access.

(string)

credentials -> (list)

The VCF credentials that are stored as Amazon EVS managed secrets in Amazon Web Services Secrets Manager.

Amazon EVS stores credentials that are needed to install vCenter Server, NSX, and SDDC Manager.

(structure)

A managed secret that contains the credentials for installing vCenter Server, NSX, and SDDC Manager. During environment creation, the Amazon EVS control plane uses Amazon Web Services Secrets Manager to create, encrypt, validate, and store secrets. If you choose to delete your environment, Amazon EVS also deletes the secrets that are associated with your environment. Amazon EVS does not provide managed rotation of secrets. We recommend that you rotate secrets regularly to ensure that secrets are not long-lived.

secretArn -> (string)

The Amazon Resource Name (ARN) of the secret.