Before you start deploying and configuring VMware Cloud Director Availability, ensure that the required network ports are opened and allow the VMware Cloud Director Availability services communication within a site and between cloud sites.
To get a list of the required firewall ports to be opened, see VMware Cloud Director Availability Network Ports.
The following network diagram shows the data flow direction and the data traffic type. The diagram also shows the required network ports for communication between the VMware Cloud Director Availability appliances and the disaster recovery infrastructure for a deployment with two cloud sites.
VMware Cloud Director Availability Appliances Connectivity
On an appliance-level, VMware Cloud Director Availability appliances must be able to communicate with each other and with the disaster recovery infrastructure:
- The Cloud Replication Management Appliance must have TCP access to all Cloud Replicator Appliances in both the local and the remote sites, to VMware Cloud Director, and to the resource vCenter Server that hosts the resource vCenter Server Lookup service.
- The Cloud Replicator Appliance must have TCP access to the Cloud Replication Management Appliance, to the same resource vCenter Server, and to the same resource vCenter Server Lookup service.
VMware Cloud Director Availability Services Connectivity
On a service level, VMware Cloud Director Availability services must be able to communicate with each other and with the disaster recovery infrastructure:
- The Cloud Service must have TCP access to the Manager Service, to VMware Cloud Director, to vCenter Server, and to Platform Services Controller, depending on where the vCenter Server Lookup service is hosted.
- The Manager Service must have TCP access to all Replicator Services in both the local and the remote sites, and to the vCenter Server Lookup service.
- All Replicator Services must have TCP access to the Manager Service, to vCenter Server, and to the vCenter Server Lookup service.
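The connectivity rules above translate into a fixed list of TCP flows that each firewall between the appliances must permit. The following script is an added example, not part of the VMware documentation or product: it encodes the service-level flows as data and attempts a plain TCP handshake for each, reporting the ones that fail. The hostnames and the port numbers for the Manager, Replicator and Lookup services are placeholders (assumptions); only 443 for the public uplink and 8048 for the Tunnel Service come from this page's DNAT table.

```python
"""Check that the TCP flows VMware Cloud Director Availability requires are open.

Added example. Hostnames and service ports other than 443/8048 are placeholders,
not values documented on this page.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    source: str       # service that opens the connection
    destination: str  # service that must accept it
    host: str         # placeholder hostname of the destination
    port: int         # placeholder port unless noted otherwise


# Constructed list mirroring the service-level connectivity rules above.
# PORT_* values are assumptions; replace them with the ports from the
# "VMware Cloud Director Availability Network Ports" reference.
PORT_MANAGER = 8044      # assumption
PORT_REPLICATOR = 8043   # assumption
PORT_LOOKUP = 443        # assumption (Lookup service on vCenter/PSC)
PORT_TUNNEL = 8048       # from this page's DNAT table

REQUIRED_FLOWS = [
    Flow("Cloud Service", "Manager Service", "manager.local.example", PORT_MANAGER),
    Flow("Cloud Service", "VMware Cloud Director", "vcd.local.example", 443),
    Flow("Cloud Service", "Lookup Service", "vcenter.local.example", PORT_LOOKUP),
    Flow("Manager Service", "Replicator (local)", "replicator1.local.example", PORT_REPLICATOR),
    Flow("Manager Service", "Replicator (remote)", "replicator1.remote.example", PORT_REPLICATOR),
    Flow("Manager Service", "Lookup Service", "vcenter.local.example", PORT_LOOKUP),
    Flow("Replicator Service", "Manager Service", "manager.local.example", PORT_MANAGER),
    Flow("Replicator Service", "Lookup Service", "vcenter.local.example", PORT_LOOKUP),
    Flow("Remote site (public)", "Tunnel Service", "tunnel.local.example", PORT_TUNNEL),
]


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True when a TCP three-way handshake to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # DNS failure, refused, filtered (timeout) all count as "not open".
        return False


def verify_flows(flows, timeout: float = 3.0, connect=check_tcp):
    """Return the flows whose TCP handshake failed; an empty list means all paths are open.

    `connect` is injectable so the logic can be exercised without a network.
    """
    return [f for f in flows if not connect(f.host, f.port, timeout)]


def open_local_listener():
    """Bind a loopback listener on an ephemeral port; used to self-test check_tcp."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    failed = verify_flows(REQUIRED_FLOWS)
    for f in failed:
        print(f"BLOCKED  {f.source} -> {f.destination} ({f.host}:{f.port}/tcp)")
    print("all required flows open" if not failed else f"{len(failed)} flow(s) blocked")
```

Run it from the appliance that originates each flow (the source column), because a rule that permits the Manager Service to reach a Replicator says nothing about the reverse direction, which this page lists as a separate requirement.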
VMware Cloud Director Availability does not support any TLS-terminating products or solutions placed between the appliances, for example, VMware NSX® Edge™ instances, HAProxy, Nginx, Fortinet, and others. If such solutions are in place, they must be configured in pass-through mode, also known as TCP mode, to prevent them from interfering with the TLS traffic of VMware Cloud Director Availability.
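A device that terminates TLS instead of passing it through presents its own certificate to the connecting appliance, so the simplest check is to compare the certificate actually seen on the wire with the one the destination appliance is known to serve. The script below is an added example, not VMware code: it opens a TLS session to the destination, computes the SHA-256 fingerprint of the leaf certificate it receives, and compares that to the fingerprint recorded on the appliance itself. The hostname, port and expected fingerprint are placeholders (assumptions).

```python
"""Detect a TLS-terminating device between two appliances by certificate fingerprint.

Added example. Host, port and EXPECTED_FINGERPRINT are placeholders; read the real
fingerprint from the destination appliance's own certificate.
"""
import hashlib
import socket
import ssl

# Placeholder: SHA-256 fingerprint taken directly from the destination appliance.
EXPECTED_FINGERPRINT = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:" \
                       "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"


def fingerprint_sha256(der_cert: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def observed_fingerprint(host: str, port: int, timeout: float = 5.0) -> str:
    """Fingerprint of the leaf certificate presented on a TLS connection to host:port."""
    ctx = ssl.create_default_context()
    # Validation is deliberately off: the point is to see which certificate arrives,
    # not whether a CA trusts it. check_hostname must be cleared before verify_mode.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint_sha256(der)


def classify(expected: str, observed: str) -> str:
    """'pass-through' when the wire certificate is the appliance's own, else 'intercepted'."""
    norm = lambda s: s.replace(":", "").upper()
    return "pass-through" if norm(expected) == norm(observed) else "intercepted"


if __name__ == "__main__":
    host, port = "replicator1.remote.example", 8048  # placeholders; 8048 is the Tunnel port
    seen = observed_fingerprint(host, port)
    verdict = classify(EXPECTED_FINGERPRINT, seen)
    print(f"{host}:{port} presented {seen}\nverdict: {verdict}")
```

An "intercepted" verdict means something between the two appliances is terminating and re-originating TLS; reconfigure that device into TCP mode and repeat the check until the fingerprint matches.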
| Original Destination | Translated Destination | Original Destination Port | DNAT Translated Port | Protocol | Description |
|---|---|---|---|---|---|
| Public Network/Uplink Interface | Cloud Tunnel Appliance | 443 | 8048 | TCP | Used for incoming replication management and replication data traffic from public networks to the Tunnel Service. This service then routes the traffic to the local services. |