After deploying and configuring VMware Cloud Director Availability and its external access, the next step is to configure the locations from which VMware Cloud on AWS allows pairings to be established. Create an additional compute group with the public IP addresses allowed for pairing and an additional firewall rule allowing access from this new group to the Service Endpoint.

To allow pairing with VMware Cloud Director Availability in VMware Cloud on AWS, in the compute group below add the public IP addresses of the Service Endpoint instances and the on-premises appliances.

Prerequisites

Procedure

  1. Log in to VMware Cloud on AWS at https://vmc.vmware.com.
  2. In the VMC console, in the left pane click SDDCs.
  3. Under the SDDC click View Details and click the Networking & Security tab.
  4. To allow access to the Service Endpoint compute gateway service in VMware Cloud on AWS, create a compute group containing the remote sites' IP addresses.
    1. On the Networking & Security tab, in the left pane under the Inventory section click Groups.
    2. To create the compute group, under the Compute Groups tab, click Add Group and enter a group name, for example enter VCDA Pairing Compute Group.
    3. To add trusted sites members to the compute group, under the Compute Members column, click the Set Members link.
    4. In the Select Members window, on the IP Addresses tab enter the IP addresses of the following site members and click Apply.
      • To allow each private cloud site backed by VMware Cloud Director pairing, add the Service Endpoint public-IP-address of the Cloud Tunnel Appliance in the private cloud site.
      • To allow each tenant pairing, add the public-IP-addresses of all their VMware Cloud Director Availability On-Premises Appliance instances.
      Important: Adding or removing IP addresses from this compute group controls which remote cloud sites and on-premises tenants can establish pairing with VMware Cloud Director Availability in VMware Cloud on AWS.

      Before VMware Cloud Director Availability pairs with another site, to allow the pairing, add the remote site IP address to the VCDA Pairing Compute Group.

    5. To save the pairing compute group, click Save.
  5. To allow access from the pairing compute group, create a compute gateway firewall rule.
    1. On the Networking & Security tab, in the left pane under the Security section, click Gateway Firewall.
    2. On the Compute Gateway tab, click Add Rule and configure the following settings.
      | Option | Description |
      |---|---|
      | Name | Enter a name for the compute gateway firewall rule, for example enter VCDA Pairing Compute Rule. |
      | Sources | Click Any in the Sources column, then in the Set Source window select User Defined Groups, select the pairing IP addresses compute group, for example select VCDA Pairing Compute Group, and click Apply. |
      | Destinations | Click Any in the Destinations column, then in the Set Source window select User Defined Groups, select the Cloud Tunnel Appliance IP address compute group, for example select VCDA Tunnel Compute Group, and click Apply. |
      | Services | In the Services column, click Any, then in the Set Source window, select the Service Endpoint service, for example select VCDA-Service-Endpoint TCP (Source: Any \| Destination: 8048) and click Apply. |
      | Applied To | All Uplinks |
      | Action | Allow |
      By default, the new compute gateway firewall rule is enabled, allowing the Cloud Tunnel Appliance Service Endpoint access from the pairing IP addresses compute group.
    3. To publish the new compute gateway firewall rule, click Publish.
      The new rule receives an integer ID value, used in the log entries that it generates.

Results

VMware Cloud Director Availability in VMware Cloud on AWS allows pairing with VMware Cloud Director Availability On-Premises Appliance instances and with VMware Cloud Director Availability instances in private cloud sites backed by VMware Cloud Director.
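
Because membership of the pairing compute group decides who can reach the Service Endpoint, it is worth auditing the group against an approved list of pairing sites. The following is an added example, not VMware code: the function name, the `/29` width limit, the site names and the sample addresses are assumptions, and entries are assumed to be IPv4.

```python
import ipaddress

# Ranges that cannot be a public pairing address: RFC 1918, loopback,
# link-local, CGNAT and "this network".
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8")]
MIN_PREFIX = 29  # assumed local policy: entries wider than /29 are flagged


def audit_group(members, approved):
    """Return sorted (entry, finding) pairs; an empty list means clean.

    members  -- strings as entered on the IP Addresses tab of the group
    approved -- {site name: public IP} inventory of sites allowed to pair
    """
    approved_ips = {ipaddress.ip_address(ip): s for s, ip in approved.items()}
    findings, covered = [], set()
    for entry in members:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            findings.append((entry, "not a valid IP address or CIDR"))
            continue
        hits = [ip for ip in approved_ips if ip in net]
        covered.update(hits)
        if any(net.overlaps(n) for n in NON_PUBLIC):
            findings.append((entry, "not a public address"))
        elif not hits:
            findings.append((entry, "matches no approved pairing site"))
        elif net.prefixlen < MIN_PREFIX:
            findings.append((entry, f"wider than /{MIN_PREFIX}"))
    for ip, site in approved_ips.items():
        if ip not in covered:
            findings.append((str(ip), f"approved site {site} missing"))
    return sorted(findings)


# Constructed sample data (documentation address ranges, made-up site names).
SAMPLE_APPROVED = {"private-cloud-a": "203.0.113.10",
                   "tenant-acme": "198.51.100.23",
                   "tenant-globex": "192.0.2.45"}
SAMPLE_MEMBERS = ["203.0.113.10", "198.51.100.0/24", "192.168.10.4",
                  "203.0.113.77", "vcda-onprem"]

if __name__ == "__main__":
    for entry, finding in audit_group(SAMPLE_MEMBERS, SAMPLE_APPROVED):
        print(f"{entry:18} {finding}")
```

Run it with the group members copied from the Select Members window and your own inventory of approved sites; any finding is an entry to review before publishing the firewall rule.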

What to do next