To allow access to the management interfaces of the Manager Service, the Replicator Service instances, and the Tunnel Service in VMware Cloud on AWS for administrative operations such as certificate replacement, post-configure the network settings of the SDDC to permit access to these three types of management interfaces.

By default, access is limited in VMware Cloud on AWS, and the public IP addresses of all the cloud appliances of VMware Cloud Director Availability must be explicitly allowed before administrative operations can be performed.

VMware Cloud Director Availability appliances in VMware Cloud on AWS provide three types of management interfaces for administrative tasks such as certificate replacement. Because the three interfaces internally listen on non-standard HTTPS ports, you explicitly define them as inventory services before configuring the necessary NAT rules. These three services, together with the following three NAT rules and a firewall rule, translate and allow the network traffic arriving at the public IP addresses of the appliances on the external port 443/TCP:

  • Towards the Cloud Replication Management Appliance, internally on port 8044/TCP for the management interface of the Manager Service.
  • Towards all Cloud Replicator Appliance instances, internally on port 8043/TCP for the management interfaces of the Replicator Service instances.
  • Towards the Cloud Tunnel Appliance, internally on port 8047/TCP for the management interface of the Tunnel Service.

Prerequisites

Procedure

  1. Log in to VMware Cloud on AWS at https://vmc.vmware.com.
  2. Add three new inventory SDDC services, for the management interfaces of the Manager Service, Replicator Service, and the Tunnel Service.
    1. In the VMC console, in the left pane click SDDCs.
    2. Under the SDDC click View Details and click the Networking & Security tab.
    3. In the left pane under the Inventory section, click Services.
      Repeat the following steps three times:
      • Add an inventory service for the Manager Service of the Cloud Replication Management Appliance.
      • Add another inventory service for the Replicator Service of the Cloud Replicator Appliance.
      • Add another inventory service for the Tunnel Service of the Cloud Tunnel Appliance.
    4. To add an inventory SDDC service, click Add Service.
    5. Enter a name and optionally a description for each service.
    6. For each service, in the Service Entries column, click the Set Service Entries link.
    7. For each service, in the Set Service Entries window, from the Type drop down menu select Layer 3 and above.
    8. For each service, on the Port-Protocol tab click Add Service Entry, enter the details from the respective column, and click Apply.
      Option: Name
        Manager Service Inventory Service: Enter a name for the management interface service entry of the Cloud Replication Management Appliance Manager Service. For example, enter VCDA-Manager-Service-Management.
        Replicator Service Inventory Service: Enter a name for the management interface service entry of the Cloud Replicator Appliance Replicator Service. For example, enter VCDA-Replicator-Service-Management.
        Tunnel Service Inventory Service: Enter a name for the management interface service entry of the Cloud Tunnel Appliance Tunnel Service. For example, enter VCDA-Tunnel-Service-Management.
      Option: Service Type
        Select TCP for all three inventory services.
      Option: Additional Properties
        Leave the Source Ports text box blank for all three inventory services. In the Destination Ports text box, enter the internal port of the respective management interface:
        Manager Service Inventory Service: enter port 8044, for the management interface of the Manager Service in the Cloud Replication Management Appliance.
        Replicator Service Inventory Service: enter port 8043, for the management interface of the Replicator Service in the Cloud Replicator Appliance.
        Tunnel Service Inventory Service: enter port 8047, for the management interface of the Tunnel Service in the Cloud Tunnel Appliance.
    9. To save each inventory service, click Save.
      On the Services page, the three new services show:
      Name Service Entries
      VCDA-Manager-Service-Management TCP (Source: Any | Destination: 8044)
      VCDA-Replicator-Service-Management TCP (Source: Any | Destination: 8043)
      VCDA-Tunnel-Service-Management TCP (Source: Any | Destination: 8047)
  3. Request new public SDDC IP addresses for each of the three types of management interfaces, for later use in the NAT rules.
    • Request a public IP address to access the management interface of the Manager Service in the Cloud Replication Management Appliance.
    • Request multiple public IP addresses to access the management interface of each Replicator Service in the Cloud Replicator Appliance instances.
    • Request a public IP address to access the management interface of the Tunnel Service in the Cloud Tunnel Appliance.
    1. On the Networking & Security tab, in the left pane under the System section click Public IPs.
    2. To request a public IP address for the Manager Service, click Request New IP, enter a note, and click Save.
      For example, as a note enter VCDA-Manager-Public-Management-IP-address.
      Repeat the following step for each instance of the Replicator Service deployed in the SDDC:
    3. To request a public IP address for each Replicator Service, click Request New IP, enter a note and click Save.
      For example, as a note enter VCDA-Replicator-Public-Management-IP-address. For more Replicator Service instances, for each requested public IP address enter VCDA-Replicator-X-Public-Management-IP-address, where X marks each instance.
    4. To request a public IP address for the Tunnel Service, click Request New IP, enter a note and click Save.
      For example, as a note enter VCDA-Tunnel-Public-Management-IP-address.
  4. To forward the incoming network traffic to the correct cloud appliances and ports, add new NAT rules.
    1. On the Networking & Security tab, in the left pane under the Network section click NAT.
      Repeat the following step three times:
      • Add a NAT rule for the management interface of the Manager Service in the Cloud Replication Management Appliance.
      • Add another NAT rule for the management interface of the Replicator Service in the Cloud Replicator Appliance. For each additional Replicator Service instance, add another NAT rule.
      • Add another NAT rule for the management interface of the Tunnel Service in the Cloud Tunnel Appliance.
    2. To add a NAT rule, click Add NAT Rule, configure the following settings then click Save.
      Option: Name
        Manager Service NAT: Enter a name for the NAT rule for the management interface of the Cloud Replication Management Appliance Manager Service. For example, enter VCDA Replication Management NAT.
        Replicator Service NAT: Enter a name for the NAT rule for the management interface of the Cloud Replicator Appliance Replicator Service. For example, enter VCDA Replicator NAT. For more Replicator Service instances, for each NAT rule enter VCDA Replicator X NAT, where X marks each instance.
        Tunnel Service NAT: Enter a name for the NAT rule for the management interface of the Cloud Tunnel Appliance Tunnel Service. For example, enter VCDA Replication Management NAT.
      Option: Public IP
        Manager Service NAT: Select VCDA-Manager-Public-Management-IP-address.
        Replicator Service NAT: Select VCDA-Replicator-Public-Management-IP-address.
        Tunnel Service NAT: Select VCDA-Tunnel-Public-Management-IP-address.
      Option: Service
        Manager Service NAT: Select the inventory service for the Cloud Replication Management Appliance Manager Service. For example, select VCDA-Manager-Service-Management.
        Replicator Service NAT: Select the inventory service for the Cloud Replicator Appliance Replicator Service. For example, select VCDA-Replicator-Service-Management.
        Tunnel Service NAT: Select the inventory service for the Cloud Tunnel Appliance Tunnel Service. For example, select VCDA-Tunnel-Service-Management.
      Option: Public Port
        Enter port 443 for all three NAT rules.
      Option: Internal IP
        Manager Service NAT: Enter the private IP address of the Cloud Replication Management Appliance.
        Replicator Service NAT: Enter the private IP address of the Cloud Replicator Appliance instance (one NAT rule per instance).
        Tunnel Service NAT: Enter the private IP address of the Cloud Tunnel Appliance.
      Option: Internal Port
        Manager Service NAT: 8044 (non-editable). Replicator Service NAT: 8043 (non-editable). Tunnel Service NAT: 8047 (non-editable).
      Option: Firewall
        Match Internal Address for all three NAT rules.
  5. To allow access to the VMware Cloud Director Availability management interfaces from the trusted compute sources, add the three new services and destinations to the inbound compute firewall rule.
    The compute rule VCDA Management from Trusted Compute Sources Rule was created earlier, in Configure the Network of the SDDC in VMware Cloud on AWS.
    1. On the Networking & Security tab, in the left pane under the Security section click Gateway Firewall.
    2. On the Compute Gateway tab, click the already created VCDA Management from Trusted Compute Sources Rule.
    3. Configure the compute firewall rule then click Apply when prompted.
      Option: Name
        VCDA Management from Trusted Compute Sources Rule.
      Option: Sources
        Trusted Compute Sources Group.
      Option: Destinations
        Click Any. In the Set Destination window, select all the compute groups of the VMware Cloud Director Availability appliances and click Apply. For example, select all three:
        • VCDA Manager Compute Group
        • VCDA Replicators Compute Group
        • VCDA Tunnel Compute Group
      Option: Services
        Click Any. In the Set Services window, select the three newly created inventory services in addition to the existing VCDA-Cloud-Service-Management TCP (Source: Any | Destination: 8046). For example, additionally select:
        • VCDA-Manager-Service-Management TCP (Source: Any | Destination: 8044)
        • VCDA-Replicator-Service-Management TCP (Source: Any | Destination: 8043)
        • VCDA-Tunnel-Service-Management TCP (Source: Any | Destination: 8047)
        When selected, all four management interface services are present: Destination: 8046, Destination: 8044, Destination: 8043, and Destination: 8047.
      Option: Applied To
        All Uplinks
      Option: Action
        Allow
    4. After modifying the compute gateway firewall rule, click Publish.
      The compute firewall rule allows access to the four types of management interfaces of all services of VMware Cloud Director Availability:
      • Cloud Service
      • Manager Service
      • Each Replicator Service instance
      • Tunnel Service
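The following script is an added example and is not part of this VMware documentation or of VMware Cloud Director Availability. It models offline how the pieces configured in steps 2 through 5 fit together: the inventory services fix the internal ports 8044, 8043 and 8047, each NAT rule maps public port 443 of a requested public IP to one appliance's private IP and internal port, and because the NAT rules use Firewall: Match Internal Address, the compute gateway firewall evaluates the translated packet. That is why the firewall rule names the appliance compute groups and the management-interface inventory services rather than public port 443; the last check in the script shows that listing 443 in the firewall rule instead would block the translated traffic. All IP addresses and the trusted source range are constructed placeholders from documentation ranges, and the rule names are the ones used in the procedure.

```python
"""Offline model of the DNAT + compute gateway firewall path from the procedure.
Added example, not VMware code.  All addresses are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: administrators connect from this range (Trusted Compute Sources Group).
TRUSTED_COMPUTE_SOURCES = [ip_network("198.51.100.0/24")]

# Constructed placeholders: role -> (public IP requested in step 3, appliance private IP).
APPLIANCES = {
    "manager":      ("203.0.113.10", "10.0.1.10"),
    "replicator-1": ("203.0.113.11", "10.0.1.21"),
    "replicator-2": ("203.0.113.12", "10.0.1.22"),
    "tunnel":       ("203.0.113.13", "10.0.1.30"),
}

# Inventory services from step 2 (TCP, source port any, fixed destination port),
# plus the Cloud Service entry created earlier in the SDDC configuration.
INVENTORY_SERVICES = {
    "VCDA-Cloud-Service-Management": 8046,
    "VCDA-Manager-Service-Management": 8044,
    "VCDA-Replicator-Service-Management": 8043,
    "VCDA-Tunnel-Service-Management": 8047,
}
ROLE_SERVICE = {"manager": "VCDA-Manager-Service-Management",
                "replicator": "VCDA-Replicator-Service-Management",
                "tunnel": "VCDA-Tunnel-Service-Management"}


@dataclass(frozen=True)
class NatRule:
    name: str
    public_ip: str
    public_port: int        # 443/TCP on the public side
    internal_ip: str
    internal_port: int      # fixed by the selected inventory service
    firewall: str = "Match Internal Address"


@dataclass(frozen=True)
class FirewallRule:
    name: str
    sources: tuple          # ip_network objects
    destinations: frozenset  # private IPs of the appliance compute groups
    services: frozenset      # destination ports of the selected inventory services
    action: str = "Allow"


def build_nat_rules():
    """One DNAT rule per appliance instance (step 4): public port 443 -> internal port."""
    rules = []
    for role, (public_ip, private_ip) in APPLIANCES.items():
        service = ROLE_SERVICE[role.split("-")[0]]
        rules.append(NatRule(f"VCDA {role} NAT", public_ip, 443, private_ip,
                             INVENTORY_SERVICES[service]))
    return rules


def build_firewall_rule(service_ports=None):
    """The compute gateway rule from step 5: trusted sources -> all appliance
    compute groups, on the four management-interface services by default."""
    ports = service_ports if service_ports is not None else set(INVENTORY_SERVICES.values())
    return FirewallRule("VCDA Management from Trusted Compute Sources Rule",
                        tuple(TRUSTED_COMPUTE_SOURCES),
                        frozenset(private for _, private in APPLIANCES.values()),
                        frozenset(ports))


def evaluate(src_ip, dst_ip, dst_port, nat_rules, fw_rule):
    """Return (verdict, translated destination).  DNAT is applied first; with
    'Match Internal Address' the gateway firewall then sees the translated packet,
    so the rule must name the private IPs and the internal ports."""
    src = ip_address(src_ip)
    target = next(((r.internal_ip, r.internal_port) for r in nat_rules
                   if r.public_ip == dst_ip and r.public_port == dst_port), None)
    if target is None:
        return "no-nat-match", None
    if not any(src in net for net in fw_rule.sources):
        return "denied:source", target
    if target[0] not in fw_rule.destinations:
        return "denied:destination", target
    if target[1] not in fw_rule.services:
        return "denied:service", target
    return fw_rule.action.lower(), target


if __name__ == "__main__":
    nat, fw = build_nat_rules(), build_firewall_rule()
    for src, dst in [("198.51.100.7", "203.0.113.10"), ("192.0.2.99", "203.0.113.10")]:
        print(f"{src} -> {dst}:443  {evaluate(src, dst, 443, nat, fw)}")
    # Misconfiguration: naming public port 443 in the firewall rule instead of the
    # inventory services.  After DNAT the packet is on 8044, so it is denied.
    print(evaluate("198.51.100.7", "203.0.113.10", 443, nat, build_firewall_rule({443})))
```

Run it as a script to see a trusted source reach the Manager Service on 10.0.1.10:8044 through 203.0.113.10:443, an untrusted source denied on the source check, and the 443-only firewall variant denied on the service check. The model ignores stateful return traffic and rule ordering, which the SDDC gateway handles; it only shows which fields of the three objects must agree.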

Results

The SDDC configuration in VMware Cloud on AWS is complete and ready for administrative operations of the VMware Cloud Director Availability services.

What to do next

You can now perform administrative tasks for each VMware Cloud Director Availability service. For more information, see the Administration Guide for the version of VMware Cloud Director Availability deployed in the SDDC.