Before you can create VMware Cloud on AWS cloud accounts, you must create a network connection and configure rules to support communication between your SDDC in vCenter and VMware Cloud on AWS cloud accounts in VMware Aria Automation.

To support communication between VMware Aria Automation and the VMware Cloud on AWS SDDC, configure the needed connections and rules. After you have configured required gateway access and firewall rules, you can continue with the process of creating a VMware Cloud on AWS cloud account.

Note: This procedure is only needed if your VMC SDDC resides outside of a US region. If your VMC SDDC resides within a US region, do not perform these tasks.

To facilitate the needed connection between your existing VMware Cloud on AWS host SDDC in vCenter and a VMware Cloud on AWS cloud account in VMware Aria Automation Assembler, you must provide a network connection (by using a VPN or similar networking means) and add firewall rules.

The VMC administrator must use the SDDC VMware Cloud on AWS console to configure management rules and firewall rules that support access to required ports and protocols.

If you are using a cloud proxy because your SDDC data center is outside of a US region, you must create compute gateway rules that support outbound access to the following allowed URLs:
  • ci-data-collector.s3.amazonaws.com – enables Amazon Web Services S3 access for cloud proxy OVA download.
  • symphony-docker-external.jfrog.io – allows JFrog Artifactory to access Docker images.
  • data.mgmt.cloud.vmware.com – enables the data pipeline service connection to VMware Cloud services for secure data communication between cloud and on-premises elements. For non-US regions, substitute the region value. For example, for the UK, use uk.data.mgmt.cloud.vmware.com and for Japan, use ja.data.mgmt.cloud.vmware.com.
  • api.mgmt.cloud.vmware.com – enables the Web API and cloud proxy service connection to the VMware Cloud service. For non-US regions, substitute the region value. For example, for the UK, use uk.api.mgmt.cloud.vmware.com and for Japan, use ja.api.mgmt.cloud.vmware.com.
  • console.cloud.vmware.com – enables the Web API and cloud proxy service connection to the VMware Cloud service.

Perform the following procedure as a vCenter administrator using VMware Cloud on AWS administrator credentials in the VMware Cloud on AWS SDDC console.

  1. If you are using a cloud proxy, deploy the cloud proxy before proceeding with the next step. See Configure and use a cloud proxy for a VMware Cloud on AWS cloud account in VMware Aria Automation. If you are not using a cloud proxy (because your SDDC resides in a US region), skip this step.
  2. Open the Networking & Security tab in the VMware Cloud on AWS SDDC console.
  3. Configure needed firewall rules for the cloud proxy.
    You must configure management gateway firewall rules in the SDDC VMware Cloud on AWS console to support communication between the cloud and on-premises components. The rules must be in the Management Gateway firewall rules section. Create the firewall rules by using options on the Networking & Security tab in the SDDC console.
    • Limit network traffic to ESXi for HTTPS (TCP 443) services to the discovered IP address of the cloud proxy.
    • Limit network traffic to vCenter for ICMP (All ICMP), SSO (TCP 7444), and HTTPS (TCP 443) services to the discovered IP address of the cloud proxy.
    • Limit network traffic to the NSX Manager for HTTPS (TCP 443) services to the discovered IP address of the cloud proxy.
  4. Create a management rule to allow outbound access to the following URLs:
    • ci-data-collector.s3.amazonaws.com – enables Amazon Web Services S3 access for cloud proxy OVA download.
    • symphony-docker-external.jfrog.io – allows JFrog Artifactory to access Docker images.
    • data.mgmt.cloud.vmware.com – enables the data pipeline service connection to VMware Cloud services for secure data communication between cloud and on-premises elements. For non-US regions, substitute the region value. For example, for the UK, use uk.data.mgmt.cloud.vmware.com and for Japan, use ja.data.mgmt.cloud.vmware.com.
    • api.mgmt.cloud.vmware.com – enables the Web API and cloud proxy service connection to the VMware Cloud service. For non-US regions, substitute the region value. For example, for the UK, use uk.api.mgmt.cloud.vmware.com and for Japan, use ja.api.mgmt.cloud.vmware.com.
    • console.cloud.vmware.com – enables the Web API and cloud proxy service connection to the VMware Cloud service.
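The procedure above boils down to two checkable requirements: the Management Gateway must allow the cloud proxy, and only the cloud proxy, to reach exactly the ESXi, vCenter and NSX Manager services listed in step 3, and the outbound allow list in step 4 must carry the correct region prefix on the two regional hostnames. The following script is an added example, not part of this documentation and not the VMware Cloud on AWS API; it audits a rule set against those requirements and builds the regional allow list. The MgwRule record and the sample rules are constructed stand-ins for whatever export of your gateway rules you have at hand, and the proxy IP is a placeholder.

```python
"""Added example (not part of the VMware documentation): audit Management
Gateway firewall rules against the least-privilege rules the procedure
requires, and build the outbound allow list with the regional prefix
substituted. The MgwRule record is a constructed stand-in for an exported
rule; it is not the VMware Cloud on AWS API."""

from dataclasses import dataclass

# Management Gateway rules the procedure requires: destination -> services.
# Each must be limited to the discovered IP address of the cloud proxy.
REQUIRED_MGW_RULES = {
    "ESXi": {"HTTPS (TCP 443)"},
    "vCenter": {"ICMP (All ICMP)", "SSO (TCP 7444)", "HTTPS (TCP 443)"},
    "NSX Manager": {"HTTPS (TCP 443)"},
}

# Outbound hosts the cloud proxy must reach. True = takes a region prefix
# outside the US (e.g. uk.data.mgmt.cloud.vmware.com); False = global.
OUTBOUND_HOSTS = [
    ("ci-data-collector.s3.amazonaws.com", False),
    ("symphony-docker-external.jfrog.io", False),
    ("data.mgmt.cloud.vmware.com", True),
    ("api.mgmt.cloud.vmware.com", True),
    ("console.cloud.vmware.com", False),
]


def required_outbound_hosts(region=None):
    """Return the allow list for a region code such as 'uk' or 'ja'; None means US."""
    prefix = f"{region.lower()}." if region else ""
    return [prefix + host if regional else host for host, regional in OUTBOUND_HOSTS]


@dataclass(frozen=True)
class MgwRule:
    destination: str     # "ESXi", "vCenter" or "NSX Manager"
    service: str         # e.g. "HTTPS (TCP 443)"
    sources: frozenset   # source IPs/CIDRs, or {"Any"}
    action: str = "Allow"


def audit_mgw_rules(rules, proxy_ip):
    """Return findings as strings; an empty list means the rule set matches the procedure.

    Flags required rules that are missing, rules whose source is wider than the
    cloud proxy IP (including "Any"), and allow rules for services the
    procedure does not list.
    """
    findings = []
    seen = {dest: set() for dest in REQUIRED_MGW_RULES}
    for rule in rules:
        if rule.action != "Allow" or rule.destination not in REQUIRED_MGW_RULES:
            continue
        seen[rule.destination].add(rule.service)
        extra_sources = rule.sources - {proxy_ip}
        if extra_sources:
            findings.append(
                f"{rule.destination}/{rule.service}: source not limited to cloud proxy "
                f"{proxy_ip} (also allows {', '.join(sorted(extra_sources))})")
        if rule.service not in REQUIRED_MGW_RULES[rule.destination]:
            findings.append(f"{rule.destination}/{rule.service}: not required by the procedure")
    for dest, services in REQUIRED_MGW_RULES.items():
        for service in sorted(services - seen[dest]):
            findings.append(f"{dest}/{service}: required rule missing")
    return findings


# Constructed sample rule set with one deliberate defect of each kind.
SAMPLE_PROXY_IP = "10.10.20.15"  # placeholder for the discovered cloud proxy IP
SAMPLE_RULES = [
    MgwRule("ESXi", "HTTPS (TCP 443)", frozenset({SAMPLE_PROXY_IP})),
    MgwRule("vCenter", "ICMP (All ICMP)", frozenset({SAMPLE_PROXY_IP})),
    MgwRule("vCenter", "SSO (TCP 7444)", frozenset({SAMPLE_PROXY_IP})),
    MgwRule("vCenter", "HTTPS (TCP 443)", frozenset({"Any"})),          # source too broad
    MgwRule("vCenter", "SSH (TCP 22)", frozenset({SAMPLE_PROXY_IP})),   # not in the procedure
    # NSX Manager HTTPS (TCP 443) intentionally absent -> reported as missing
]

if __name__ == "__main__":
    print("Outbound allow list (UK):", required_outbound_hosts("uk"))
    for finding in audit_mgw_rules(SAMPLE_RULES, SAMPLE_PROXY_IP):
        print("FINDING:", finding)
```

Run against the constructed sample, the audit reports three findings: the vCenter HTTPS rule with source "Any", the unrequired SSH rule, and the missing NSX Manager HTTPS rule. Feed it your own exported rules and the discovered proxy IP from step 1 to confirm the gateway is no wider than the procedure requires.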