If you want to use either Google Cloud VMware Engine, Azure VMware Solution, or on-premises infrastructure resources that are not publicly accessible and have only outbound access to the internet within your VMware Cloud Director service environment, you can set up a VMware Cloud Director instance to use VMware's proxy service.

To use the service, first you must configure and deploy a reverse-proxy client VM that connects with VMware Cloud Director service. Then, you can associate a VMware Cloud Director instance to the SDDC through the proxy connection.

Prerequisites

Verify that your infrastructure is backed either by Google Cloud VMware Engine, by Azure VMware Solution, or by an on-premises environment.

How Do I Configure and Download the VMware Reverse Proxy OVA

To use VMware Cloud Director service with VMware's proxy service, you must configure and download an OVA that, when deployed, acts as a reverse proxy client.

Prerequisites

  • Verify that you are assigned the network administrator service role. See Managing Roles and Permissions in Using VMware Cloud Services Console.
  • Generate a VMware Cloud API token that includes the network administrator service role in the organization in which the VMware Cloud Director is deployed and save the token credentials. See How Do I Generate an API Token.
  • If you are accessing VMware Cloud Director service through VMware Cloud Partner Navigator, verify that you are a Provider Service Manager user and that you have been assigned the provider:admin and provider:network service roles. See How do I change the roles of users in my organization in the VMware Cloud Partner Navigator documentation.
  • Note the IP address and the FQDN of the vCenter Server instance of the SDDC that you want to associate with VMware Cloud Director.
  • Verify that the SDDC uses NSX for networking.

Procedure

  1. Log in to the VMware Cloud Director service console at https://console.cloud.vmware.com.
  2. Click Cloud Director Instances.
  3. In the card of the VMware Cloud Director instance for which you want to configure a reverse proxy service, click Actions > Generate VMware Reverse Proxy OVA.
  4. Enter the VMware Cloud API token.
  5. Enter a name for the SDDC that you are going to associate and make a note of it.
    The name does not need to match the vCenter Server name of the SDDC but it must be unique for the VMware Cloud organization in which your VMware Cloud Director is deployed.
  6. Enter the FQDN for the vCenter Server instance.
  7. Enter the IP address for the vCenter Server instance.
  8. Enter the URI for the NSX Manager instance endpoint, including the https:// scheme component.
  9. Enter a list of any additional IP addresses that VMware Cloud Director must be able to access through the proxy, such as ESXi hosts to use for console proxy connection.
    Use new lines to separate list entries.
    Tip: To ensure that future additions of ESXi hosts don't require updates to the allowed targets, use a CIDR notation to enter the ESXi hosts in the allow list. This way, you can provide any new host with an IP address that is already allocated as part of the CIDR block.
  10. Click Generate VMware Reverse Proxy OVA.
  11. On the Activity Log tab, locate the task for generating an OVA and check its status.
  12. If the status of the task is displayed as Success, click the vertical ellipsis icon and select View files.
  13. Download the OVA file.
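
The allow list from step 9 can be checked before it is pasted into the form. The following Python sketch is an added example, not part of the VMware documentation: it parses newline-separated entries, confirms that current and planned ESXi host addresses are covered, and flags blocks that grant the proxy more reach than intended. The addresses, the function names, and the 256-address review limit are assumptions, as is the input syntax of one IPv4 address or CIDR block per line.

```python
import ipaddress

# Constructed sample allow list (private addresses, not from the page):
# one CIDR block reserved for ESXi hosts plus one single address.
ALLOW_LIST_TEXT = """\
10.20.30.0/28
10.20.31.5
"""

def parse_allow_list(text):
    """Parse newline-separated IP addresses and CIDR blocks."""
    networks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects a CIDR with host bits set (10.20.30.5/28),
            # which usually means the block was mistyped.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r}: {exc}") from None
    return networks

def uncovered(targets, networks):
    """Return the target addresses that no allow-list entry covers."""
    return [t for t in targets
            if not any(ipaddress.ip_address(t) in net for net in networks)]

def overly_broad(networks, max_addresses=256):
    """Return entries wider than max_addresses (a hypothetical review limit)."""
    return [str(net) for net in networks if net.num_addresses > max_addresses]

if __name__ == "__main__":
    nets = parse_allow_list(ALLOW_LIST_TEXT)
    # Two current hosts, one planned host inside the block, one outside it.
    hosts = ["10.20.30.4", "10.20.30.5", "10.20.30.14", "10.20.30.16"]
    print("not reachable through the proxy:", uncovered(hosts, nets))
    print("entries to review for scope:", overly_broad(nets))
```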

What to do next

Deploy the Reverse Proxy Appliance

Deploying the Reverse Proxy Appliance

You must use the vSphere Client to deploy the reverse proxy appliance.

Prerequisites for Deploying the Reverse Proxy Appliance

  • Verify that you configured and downloaded the proxy appliance OVA.
  • Verify that the virtual data center in which you are deploying the OVA meets the following criteria.
    • The data center instance is functioning.
    • Its datastore is accessible to all ESXi hosts.
    • The data center is connected to a network that is accessible to all ESXi hosts, and it has DHCP activated.
    • The cluster in which you are deploying the OVA is a direct child of the data center.
    • The data center has outbound access to the VMware Cloud Services console at console.cloud.vmware.com for authentication.
    • The data center has outbound access to the JFrog docker repository at vmwaresaas.jfrog.io.
    • The data center has outbound access to the proxy-host which is listed in the vApp properties of the OVA.

Deploying the Reverse Proxy Appliance

Use the vSphere Client to deploy the reverse proxy appliance OVA. For more information, see the Deploying OVF and OVA Templates chapter in vSphere Virtual Machine Administration Guide.

  • Tip: To ensure high availability, deploy the reverse proxy appliance OVA on at least two ESXi hosts.
  • Enter a meaningful name for the proxy appliance to facilitate locating it later.
  • During the deployment, set a root password for the reverse proxy appliance that meets the following criteria.
    • The password is 12 characters or longer.
    • The password includes letters, numbers and punctuation. To avoid the command line interpreting parts of the password incorrectly, limit the use of punctuation to the at sign (@), hyphen (-), equal sign (=), comma (,), period (.), underscore (_), plus (+), or slash (/).
    • The password includes no more than two consecutive letters, numbers, or punctuation marks.
  • After the deployment completes and the VM powers on, note its IP address.
  • Verify that your firewall settings allow the appliance VM outbound access to the internet.
  • Verify that your firewall settings allow the appliance VM to access the SDDC resources, such as vCenter Server, NSX Manager and ESXi hosts.
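
The root password criteria above can be checked, or a compliant password generated, before you start the OVA deployment wizard. The following Python sketch is an added example, not VMware code; the function names are hypothetical. It assumes the stricter reading of the third criterion (no run of three or more characters from the same class), which also satisfies the looser reading of no three identical characters in a row.

```python
import secrets
import string

# Punctuation the page lists as safe for the command line.
ALLOWED_PUNCT = "@-=,._+/"
POOLS = {"letter": string.ascii_letters,
         "digit": string.digits,
         "punct": ALLOWED_PUNCT}

def char_class(ch):
    """Classify one character; anything outside the three pools is 'other'."""
    for name, pool in POOLS.items():
        if ch in pool:
            return name
    return "other"

def check_root_password(pw):
    """Return a list of rule violations; an empty list means pw passes."""
    classes = [char_class(c) for c in pw]
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    for needed in POOLS:
        if needed not in classes:
            problems.append(f"no {needed} character")
    if "other" in classes:
        problems.append("character outside letters, digits and " + ALLOWED_PUNCT)
    # Assumed (stricter) reading of the third rule: no run of three or more
    # characters from the same class, e.g. "abc" or "123" fails.
    for i in range(len(classes) - 2):
        if classes[i] == classes[i + 1] == classes[i + 2]:
            problems.append(f"three consecutive {classes[i]} characters at index {i}")
            break
    return problems

def generate_root_password(length=16):
    """Draw candidates from the OS CSPRNG until one satisfies every rule."""
    if length < 12:
        raise ValueError("length must be at least 12")
    names = list(POOLS)
    while True:
        pw = "".join(secrets.choice(POOLS[secrets.choice(names)])
                     for _ in range(length))
        if not check_root_password(pw):
            return pw
```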

How Do I Associate a VMware Cloud Director Instance with an SDDC via VMware Proxy

After you deploy the reverse proxy appliance in the SDDC that you want to associate with VMware Cloud Director, you can associate your infrastructure resources.

Prerequisites

  • Verify that you configured the proxy appliance.
  • Verify that you deployed the proxy appliance in the SDDC that you want to associate with VMware Cloud Director.
  • If you renamed the VMware Cloud Director instance that you want to associate after you generated the reverse proxy appliance, make note of the value for the vc-name property in the vApp properties of the reverse proxy VM.
  • If you are associating your VMware Cloud Director instance with an on-premises SDDC, choose one of the following options.
    • Verify that the default transport zone that you use in NSX Manager is visible to your on-premises vCenter Server instance.
    • In NSX Manager, create a network segment for the reverse proxy appliance to use. From the Connected Gateway drop-down menu for the segment, select Disconnected | Compute Gateway | Tier1, and provide a valid subnet CIDR. The network segment must be visible to your on-premises vCenter Server instance. For more details, see NSX Administration Guide.

Procedure

  1. Log in to the VMware Cloud Director service console at https://console.cloud.vmware.com.
  2. Click Cloud Director Instances.
  3. In the card of the VMware Cloud Director instance which you want to associate, click Actions > Associate a Data Center via VMware Proxy.
  4. Enter the name of the SDDC that you want to associate.
    The name must match the SDDC name that you entered when you generated the reverse proxy OVA.
  5. Enter the FQDN for your vCenter Server instance.
  6. Enter the URL for the NSX Manager instance and wait for a connection to establish.
  7. If you renamed the VMware Cloud Director instance that you want to associate after you generated the reverse proxy appliance, enter the value for the vc-name property of the proxy appliance VM.
    1. Click Advanced Settings.
    2. In the Proxy Username (Optional) field, enter the value for the vc-name property.
  8. Click Next.
  9. Under Credentials, enter your user name and password for the vCenter Server endpoint.
  10. Select how to authenticate NSX Manager and provide the necessary credentials.
  11. If you are associating an on-premises SDDC and your default transport zone is not visible to your vCenter Server instance, click Advanced Settings and enter the name for the disconnected network segment that you created.
  12. Click Submit.

Results

The SDDC is securely associated with your VMware Cloud Director instance. When you open the VMware Cloud Director instance, the vCenter Server and the NSX Manager instances that you associated are visible in Infrastructure Resources.

A newly created Provider VDC is visible in Cloud Resources.