Network requirements and prerequisites in the Cloud Director site

For information about the required firewall ports to be opened, see VMware Cloud Director Availability Network Ports.

The following network diagram shows the data flow direction and the data traffic type. The diagram also shows the required network ports for communication between the VMware Cloud Director Availability appliances and the disaster recovery infrastructure for a deployment with two cloud sites.

In both cloud sites, the appliances reside in the DMZ layer, in the cloud management layer, and in the compute layer.

Production deployment architecture:

For an architecture diagram showing all services operating in a VMware Cloud Director Availability instance in a production Cloud Director site, see Production Deployment.
Multiple instances of VMware Cloud Director Availability:

For a diagram showing multiple VMware Cloud Director Availability instances per one VMware Cloud Director instance, see Deploying Multiple VMware Cloud Director Availability Instances in VMware Cloud Director.
Active-active mode Tunnel Appliance instances:

For a diagram showing two Tunnel Appliance instances in active-active mode behind a TCP load balancer, see Deploying Two Active-Active Tunnel Appliance Instances.

All the components of VMware Cloud Director Availability must be able to communicate with each other and with the disaster recovery infrastructure:

VMware Cloud Director Availability Appliances Connectivity

On appliances-level, the VMware Cloud Director Availability appliances must be able to communicate with each other and with the disaster recovery infrastructure:

The Cloud Director Replication Management Appliance must have TCP access to all the Replicator Appliance instances in both local, and in remote sites, to the local VMware Cloud Director, and to the resource vCenter Server, where the resource vCenter Server Lookup service is hosted.
The Replicator Appliance instances must have TCP access to the Cloud Director Replication Management Appliance, to the same resource vCenter Server, and to the same resource vCenter Server Lookup service.

VMware Cloud Director Availability Services Connectivity

For information about each service, see Services.

On services-level, the VMware Cloud Director Availability services must be able to communicate with each other and with the local disaster recovery infrastructure in the site backed by VMware Cloud Director:

The Cloud Service must have TCP access to the Manager Service, to the local VMware Cloud Director in the site, to the local vCenter Server and its Platform Services Controller, depending on where the vCenter Server Lookup service is hosted.
The Manager Service must have TCP access to all the Replicator Service instances in both local, and in remote sites and to the local vCenter Server Lookup service in the site.
All the Replicator Service instances must have TCP access to the Manager Service, to the local vCenter Server and to its vCenter Server Lookup service.

Important:

TLS termination proxy is not supported and SSL termination must not be used:: The VMware Cloud Director Availability services use end-to-end encryption for the communication across sites. For example, when a Replicator Service on site 1 is communicating to a Replicator Service on site 2, VMware Cloud Director Availability expects that the TLS session is terminated at each Replicator Service.
VMware Cloud Director Availability does not support any TLS terminating products or solutions placed between the appliances, for example, VMware NSX^® Edge™ instances, HAProxy, Nginx, Fortinet, and others. If such solutions are in place, they must be configured in pass-thru mode, also known as TCP mode, to prevent from interfering with the TLS traffic of VMware Cloud Director Availability. For information about the load balancer configuration, see Add a second Tunnel Appliance for HA in the Cloud Director site.

Firewall Rules for External Communication

Ensure that the firewall rules are correctly configured to allow site-to-site communication and pairing between the local and remote sites:


Original destination	Original destination port	Translated destination	DNAT translated port	Protocol	Description
Public network / Uplink interface	443	Tunnel Appliance	8048	TCP	Used for incoming replication management and replication data traffic from public networks to the Tunnel Service. This service then routes the traffic to the local services.

For information about the load balancer configuration for two Tunnel Appliance instances in active-active mode, see Add a second Tunnel Appliance for HA in the Cloud Director site.

For information about pairing remote Cloud Director sites in VMware Cloud Director Availability, see Managing pairing with Cloud Director sites in the Administration Guide.