To facilitate the connection between a VMware Cloud on AWS cloud account that you create in VMware Aria Automation and your VMware Cloud on AWS SDDC, you must use a cloud proxy if your source SDDC resides outside of a US region.
You can create a cloud proxy before you create a cloud account or during the process of creating a cloud account.
In this procedure, you create a cloud proxy first. Then you create a cloud account and associate the cloud account with that cloud proxy.
Unless otherwise indicated, the step values that you enter in this procedure are for this example workflow only.
Prerequisites
Note: If your VMware Cloud on AWS SDDC resides on a vCenter server in a data center within the United States (US Region), you can deploy and use an Automation Assembler agent in your SDDC, rather than an API token and an intermediary cloud proxy as described in this topic.
Note: If you are creating a VMware Cloud on AWS cloud account in a VMware Aria Automation on AWS GovCloud (US) environment, see Getting Started with VMware Aria Automation on AWS GovCloud (US). Documentation about related products is available at the VMware vRealize Cloud Universal on AWS GovCloud (US) product documentation landing page.
- Verify that you have VMware Cloud on AWS CloudAdmin credentials for the target SDDC in vCenter. See Credentials required for working with cloud accounts in VMware Aria Automation.
- Verify that you have the cloud administrator user role in VMware Aria Automation. See What are the VMware Aria Automation user roles.
- Verify that the required SDDC gateway firewall rules are configured in the VMware Cloud on AWS console. The gateway firewall rules enable the cloud proxy VA to communicate with the VMware Cloud on AWS SDDC. See Configure a basic VMware Cloud on AWS workflow in VMware Aria Automation.
- To support the cloud proxy, you need access to the following domains.
  - ci-data-collector.s3.amazonaws.com – Enables Amazon Web Services S3 access for cloud proxy OVA download.
  - symphony-docker-external.jfrog.io – Enables JFrog Artifactory to access Docker images.
  - console.cloud.vmware.com – Enables the Web API and cloud proxy service connection to the VMware Cloud service.
  - data.mgmt.cloud.vmware.com – Enables the data pipeline service connection to VMware Cloud services for secure data communication between cloud and on-premises elements. For non-US regions, substitute the region value. For example, for the UK, use uk.data.mgmt.cloud.vmware.com and for Japan, use ja.data.mgmt.cloud.vmware.com. Other non-US region values include sg (Singapore), br (Brazil), and ca (Canada).
  - api.mgmt.cloud.vmware.com – Enables the Web API and cloud proxy service connection to the VMware Cloud service. For non-US regions, substitute the region value. For example, for the UK, use uk.api.mgmt.cloud.vmware.com and for Japan, use ja.api.mgmt.cloud.vmware.com. Other non-US region values include sg (Singapore), br (Brazil), and ca (Canada).
- Before you add a VMware Cloud on AWS cloud account, configure management gateway firewall rules in the VMware Cloud on AWS console to support cloud proxy communication.
  - Allow network traffic to ESXi for HTTPS (TCP 443) services to the discovered IP address of the cloud proxy.
  - Allow network traffic to vCenter for ICMP (All ICMP), SSO (TCP 7444), and HTTPS (TCP 443) services to the discovered IP address of the cloud proxy.
  - Allow network traffic to the NSX Manager for HTTPS (TCP 443) services to the discovered IP address of the cloud proxy.
If you are using a static IP address for the cloud proxy, you can create firewall rules that limit network traffic for the target vCenter and NSX Manager either before or after you deploy the cloud proxy.
For more information, see Understanding the VMware Cloud services cloud proxy.
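A pre-flight check for the domain prerequisite above, as an added example that is not part of the VMware documentation: it builds the egress allowlist for a region using the prefix substitution described in the list, then tests DNS resolution and a TCP connection to each host from the network where the cloud proxy will run. The function names, the `us` label for the unprefixed US endpoints, and the use of TCP 443 for every domain are assumptions of this example.

```python
import socket
import sys

# Domains listed on this page. The last two take a region prefix outside the US.
FIXED = [
    "ci-data-collector.s3.amazonaws.com",   # cloud proxy OVA download
    "symphony-docker-external.jfrog.io",    # Docker images
    "console.cloud.vmware.com",             # Web API / cloud proxy service
]
REGIONAL = ["data.mgmt.cloud.vmware.com", "api.mgmt.cloud.vmware.com"]
# Region values named on this page; "us" (no prefix) is this example's own label.
PAGE_REGIONS = {"us", "uk", "ja", "sg", "br", "ca"}


def required_domains(region="us"):
    """Return the egress allowlist for a cloud proxy in the given region."""
    region = region.strip().lower()
    if not region.isalpha():  # reject empty values and anything with dots or slashes
        raise ValueError(f"invalid region value: {region!r}")
    prefix = "" if region == "us" else region + "."
    return FIXED + [prefix + d for d in REGIONAL]


def probe(host, port=443, timeout=5.0):
    """Return (ok, detail) for DNS resolution plus a TCP connect to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return True, s.getpeername()[0]
    except OSError as exc:  # covers DNS failure, refusal, and timeout
        return False, str(exc)


def preflight(region="us", prober=probe):
    """Probe every required domain; return {host: (ok, detail)}."""
    return {h: prober(h) for h in required_domains(region)}


if __name__ == "__main__":
    region = sys.argv[1].strip().lower() if len(sys.argv) > 1 else "us"
    if region not in PAGE_REGIONS:
        print(f"note: {region!r} is not a region value listed on the page")
    results = preflight(region)
    for host, (ok, detail) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:443  {detail}")
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```

The list returned by `required_domains` can also serve as the outbound allowlist for the proxy's network segment, so that egress is limited to the hosts this page names.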
Procedure
What to do next
To verify that the cloud proxy is running, see Verify that a cloud proxy is running on a target virtual machine.
You can now create the VMware Cloud on AWS cloud account. See Create a VMware Cloud on AWS cloud account in VMware Aria Automation in the workflow.