To allow pairing with VMware Cloud Director Availability in VMware Cloud on AWS, first configure the network settings of the SDDC.

The access to the resource pools is limited in VMware Cloud on AWS and the private IP addresses of all the cloud appliances of VMware Cloud Director Availability must be explicitly allowed as well as to access the management and infrastructure components in the management resource pool, like vCenter Server and ESXi.

VMware Cloud Director Availability in VMware Cloud on AWS provides two services to the Internet. To use the two services in the configuration of the necessary NAT rules, you explicitly define them since both services internally use non-standard HTTPS ports. These two services in conjunction with the following two NAT rules translate the network traffic coming to the public IP address on the external port 443/TCP:

  • Towards the Cloud Director Replication Management Appliance, internally on port 8046/TCP for management interface network traffic to the Cloud Service.
  • Towards the Tunnel Appliance, internally on port 8048/TCP for replication data network traffic to the Public Service Endpoint.

Prerequisites

Procedure

  1. Log in to VMware Cloud on AWS at https://vmc.vmware.com.
  2. Add two new inventory SDDC services, for the management interface and for the Public Service Endpoint.
    1. In the VMC console, in the left pane click SDDCs.
    2. Under the SDDC click View Details and click the Networking & Security tab.
    3. In the left pane under the Inventory section, click Services.
      Repeat the following steps twice.
      • Add an inventory service for the management interface of the Cloud Director Replication Management Appliance.
      • Add another inventory service for the Public Service Endpoint of the Tunnel Appliance.
    4. To add an inventory SDDC service, click Add Service.
    5. Enter a name and optionally a description for each service.
    6. For each service, in the Service Entries column, click the Set Service Entries link.
    7. For each service, in the Set Service Entries window, from the Type drop down menu select Layer 3 and above.
    8. For each service, on the Port-Protocol tab click Add Service Entry, enter the details from the respective column, and click Apply.
      Option Management Interface Inventory Service Public Service Endpoint Inventory Service
      Name Enter a name for the service entry of the Cloud Director Replication Management Appliance management interface. For example, enter VCDA-Cloud-Service-Management. Enter a name for the service entry of the Tunnel AppliancePublic Service Endpoint. For example, enter VCDA-Tunnel-Service-Endpoint.
      Service Type Select TCP. Select TCP.
      Additional Properties Leave the Source Ports text box blank. Leave the Source Ports text box blank.
      To access the management interface of the Cloud Director Replication Management Appliance in the Destination Ports text box, in enter port 8046. To access the Public Service Endpoint of the Tunnel Appliance, in the Destination Ports text box enter port 8048.
    9. To save each inventory service, click Save.
      On the Services page, both services show:
      Name Service Entries
      VCDA-Cloud-Service-Management TCP (Source: Any | Destination: 8046)
      VCDA-Tunnel-Service-Endpoint TCP (Source: Any | Destination: 8048)
  3. To later use in NAT rules, request two new public SDDC IP addresses.
    • Request a public IP address to access the initial setup wizard in the management interface of the Cloud Director Replication Management Appliance.
    • Request a public IP address to allow external pairing to the Public Service Endpoint of the Tunnel Appliance.
    1. On the Networking & Security tab, in the left pane under the System section click Public IPs.
    2. To request a public IP address for the Cloud Director Replication Management Appliance, click Request New IP, enter a note, and click Save.
      For example, as a note enter VCDA-Management-Public-IP-address.
    3. To request a public IP address for the Tunnel Appliance, click Request New IP, enter a note and click Save.
      For example, as a note enter VCDA-Tunnel-Public-IP-address.
  4. To forward the incoming network traffic to the correct cloud appliances and ports, add two new NAT rules.
    1. On the Networking & Security tab, in the left pane under the Network section click NAT.
      Repeat the following step twice.
      • Add a NAT rule for the management interface of the Cloud Director Replication Management Appliance.
      • Add another NAT rule for the incoming network traffic to the Public Service Endpoint of the Tunnel Appliance.
    2. To add a NAT rule, click Add NAT Rule, configure the following settings and click Save.
      Option Management Interface NAT Public Service Endpoint NAT
      Name Enter a name for the NAT rule for the Cloud Director Replication Management Appliance management interface. For example, enter VCDA Management Interface NAT. Enter a name for the NAT rule for the Tunnel AppliancePublic Service Endpoint. For example, enter VCDA Tunnel Service Endpoint NAT.
      Public IP Select the VCDA-Management-Public-IP-address. Select the VCDA-Tunnel-Public-IP-address.
      Service Select the inventory service for the Cloud Director Replication Management Appliancemanagement interface. For example, select VCDA-Cloud-Service-Management. Select the inventory service for the Tunnel AppliancePublic Service Endpoint. For example, select VCDA-Tunnel-Service-Endpoint.
      Public Port Enter port 443. Enter port 443.
      Internal IP Enter the private-IP-address of the Cloud Director Replication Management Appliance. Enter the private-IP-address of the Tunnel Appliance.
      Internal Port 8046 (non-editable) 8048 (non-editable)
      Firewall Match Internal Address Match Internal Address
      After completing the initial configuration, to reduce the possible attack surface the NAT rule for the management interface can be disabled or removed. VMware Cloud Director Availability remains accessible from the Cloud Director instance by using the plug-in for VMware Cloud Director Availability.
  5. To later create a management group and use it in a management firewall rule, note the compute gateway source NAT public IP address of the SDDC.
    1. On the Networking & Security tab, in the left pane click Overview.
    2. Under Default Compute Gateway and under Workloads, note the Source NAT Public IP address of the SDDC.
  6. To prepare the cloud appliances access to the management gateway services like vCenter Server and ESXi, add two management groups.
    1. On the Networking & Security tab, in the left pane under the Inventory section click Groups.
    2. Click the Management Groups tab.
      Repeat the following steps two times.
      • Add a management group, containing the private IP addresses of all the deployed Replicator Appliance instances.
      • Add another management group, containing the compute gateway source NAT.
    3. To create a management group, click Add Group and for each group enter a management group name.
    4. To add trusted members to each management group, under the Compute Members column, click the Set Members link.
    5. In the Select Members window, on the IP Addresses tab enter the following IP addresses for each management group and click Apply.
      Management Group Name Management Group Trusted Members IP Addresses
      SNAT VCDA Management Group
      • Enter the compute gateway source NAT public-IP-address of the SDDC, as noted in the previous step.
      • Enter the subnet group of the VMware Cloud Director Availability appliances. For example, enter the vcda-network-segment.
      VCDA Replicators Management Group Enter the private-IP-addresses reserved within the vcda-network-segment for all the Replicator Appliance instances deployed in VMware Cloud on AWS. All Replicator Appliance instances must access the vCenter Server management gateways services for virtual machines provisioning and performing replication tasks with the ESXi hosts and datastores.
    6. To save each management group, click Save.
  7. To allow the internal communication from the cloud appliances to the vCenter Server and to the ESXi datastore in the management gateway, add two new management gateway firewall rules.
    1. On the Gateway Firewall page, click the Management Gateway tab.
      Repeat the following steps twice.
      • Add a management firewall rule for allowing the network traffic from the compute gateway source NAT to the management gateway vCenter Server.
      • Add another management firewall rule for allowing the Replicator Appliance instances writing in the destination ESXi datastore.
    2. To create a management firewall rule, click Add Rule.
    3. Configure each of the two management firewall rules and click Apply when prompted.
      Option vCenter Server Management Gateway Firewall Rule ESXi Hosts Management Gateway Firewall Rule
      Name Enter a name for the vCenter Server management gateway rule. For example, enter SNAT VCDA to vCenter Rule. Enter a name for the ESXi management gateway rule. For example, enter VCDA Replicators to ESXi Rule.
      Sources Click Any. In the Set Source window, select User Defined Groups and select the management group for the SNAT. For example, select SNAT VCDA Management Group and click Apply. Click Any. In the Set Source window, select User Defined Groups and select the management group for the private IP addresses of the Replicator Appliance instances. For example, select VCDA Replicators Management Group and click Apply.
      Destinations Click Any. In the Set Destination window under System Defined Groups, select vCenter and click Apply. Click Any. In the Set Destination window under System Defined Groups, select ESXi and click Apply.
      Services Click Any and select HTTPS (TCP 443). To allow the Data Engine Service of the Replicator Appliance writing in the ESXi datastores, click Any and select HTTPS (TCP 443) and Provisioning & Remote Console (TCP 902).
      Action Allow Allow
    4. After creating both management gateway firewall rules, click Publish.
  8. To prepare for accessing the compute gateway services in VMware Cloud on AWS, create four compute groups.
    1. On the Networking & Security tab, in the left pane under the Inventory section click Groups.
      Repeat the following steps four times.
      • Add a compute group for the trusted users that need access to the VMware Cloud Director Availability management interface.
      • Add a compute group for the Cloud Director Replication Management Appliance.
      • Add a compute group for all the Replicator Appliance instances.
      • Add a compute group for the Tunnel Appliance.
    2. To create a compute group, under the Compute Groups tab, click Add Group and enter a group name.
    3. To add trusted members to each compute group, under the Compute Members column, click the Set Members link.
    4. In the Select Members window, on the IP Addresses tab enter the following IP addresses for each compute group and click Apply.
      Compute Group Name Compute Group Trusted Members IP Addresses
      Trusted Compute Sources Group Enter the externally-facing public-IP-addresses of the users granted with access to the management interface of VMware Cloud Director Availability.
      Important: Ensure that you add all the public IP addresses of each user allowed to access VMware Cloud Director Availability in VMware Cloud on AWS or the users have no access.
      VCDA Manager Compute Group Enter the private-IP-address of the Cloud Director Replication Management Appliance.
      VCDA Replicators Compute Group Enter the private-IP-addresses of all the Replicator Appliance instances.
      VCDA Tunnel Compute Group Enter the private-IP-address of the Tunnel Appliance.
    5. To save each compute group, click Save.
  9. To prepare for completing the initial setup wizard, allow accessing the VMware Cloud Director Availability management interface by the trusted compute sources. Also allow the cloud appliances outbound access, both by adding two new compute gateway firewall rules.
    1. On the Networking & Security tab, in the left pane under the Security section click Gateway Firewall.
      Repeat the following steps twice.
      • Add a compute gateway firewall rule for allowing the trusted compute sources access to the Cloud Director Replication Management Appliance for completing the initial setup wizard of VMware Cloud Director Availability.
      • Add a compute gateway firewall rule for allowing the VMware Cloud Director Availability appliances outbound network traffic from the compute gateway.
    2. On the Compute Gateway tab, click Add Rule.
    3. Configure each of the two compute firewall rules and click Apply when prompted.
      Option Inbound Compute Gateway Firewall Rule Outbound Compute Gateway Firewall Rule
      Name Enter a name for the inbound compute gateway rule. For example, enter VCDA Management from Trusted Compute Sources Rule. Enter a name for the outbound compute gateway rule. For example, enter VCDA Appliances Outbound Compute Rule.
      Sources Click Any. In the Set Source window, select the trusted compute sources group and click Apply. For example, select Trusted Compute Sources Group. Click Any. In the Set Source window select the three compute groups for the VMware Cloud Director Availability appliances and click Apply. For example, select all three VCDA Manager Compute Group, VCDA Replicators Compute Group, and VCDA Tunnel Compute Group.
      Destinations Click Any. In the Set Destination window, select the Cloud Director Replication Management Appliance compute group and click Apply. For example, select VCDA Manager Compute Group. Any
      Services Click Any. In the Set Services window, select the Cloud Director Replication Management Appliance management interface service and click Apply. For example, select VCDA-Cloud-Service-Management TCP (Source: Any | Destination: 8046). Any
      Applied To All Uplinks All Uplinks
      Action Allow Allow
    4. After creating both compute gateway firewall rules, click Publish.

Results

The SDDC configuration in VMware Cloud on AWS is complete and ready for the initial configuration of VMware Cloud Director Availability. In summary, the SDDC network in VMware Cloud on AWS is configured with:
  • vcda-network-segment:
    A dedicated routed network for all the cloud appliances of VMware Cloud Director Availability.
  • Public IP addresses:
    Two requested public IP addresses, for the management interface of the Cloud Director Replication Management Appliance, and for the Public Service Endpoint of the Tunnel Appliance.
  • Management gateway:
    • Access from the compute gateway source NAT address to the management gateway vCenter Server, used for bridging the access from the compute gateway VMware Cloud Director Availability appliances.
    • Access from the Replicator Appliance to the management gateway ESXi datastore, used for destination of migrations.
  • Compute gateway:
    • Access from the Trusted Compute Sources Group to the management interface of the Cloud Service, used for completing the initial setup. Later, modifying the same rule allows access to all four types of management interfaces of VMware Cloud Director Availability. For more information, see Post-configure the SDDC networking in VMware Cloud on AWS.
    • Access from VMware Cloud Director Availability appliances to Internet, used for the external network traffic from the compute gateway.
For information about the summary of the SDDC network configuration, see SDDC network configuration summary.

What to do next

You can now configure VMware Cloud Director Availability in VMware Cloud on AWS by completing the initial setup wizard of the Cloud Director Replication Management Appliance. For more information, see Configure VMware Cloud Director Availability in VMware Cloud on AWS.