Use this checklist to guide you as you deploy VMware Cloud DR.

Longer Lead-Time Items

Let’s start off with a couple tasks that might require a longer lead time.
  • Open firewall ports. You need to open firewall ports to allow for communication between your production sites and VMware Cloud DR Components. This pre-requisite for production sites can take some time, so we recommend you do this first. View details about firewall port requirements here.
  • Set up AWS account, Virtual Private Cloud (VPC), and Subnet. An AWS account must be linked to your VMware Cloud (VMC) organization before you can deploy a new SDDC. Your AWS VPC subnet, and AWS account also must meet certain requirements, which you can view here.

Prior to Creating First Subscription

Choose between purchasing a 1-year or a 3-year term subscription. Not ready for a commitment? Try VMware Cloud DR on-demand by choosing a Pilot. For more information about pricing, see here.
Pre-deployment tip:
  • Knowing your AWS region, whether you’d like to pay upfront or in monthly installments, your seller of record, and how many TiB to purchase expedites creating your first term subscription.
  • Don’t know how many TiB to purchase? Check out the VMware Cloud DR Planner.

Prior to Activating First Recovery Region

All you need to do for this task is to decide what regions you’d like to recover your production site workloads to.

Pre-deployment tip:
  • The Recovery Region is the location where you will deploy the VMware Cloud DR Orchestrator and cloud file system.
  • If you already have a subscription created, or are planning on creating one in the future, be sure that the subscription region matches your Recovery Region location.

Prior to Deploying First Cloud File System

It is important that your cloud file system is deployed in the correct location. Make sure you have the following information prior to deployment.

Item Value


(If unsure, allow automatic selection)

Existing Recovery SDDC ID

(If applicable)

Existing Recovery SDDC AZ ID

(If applicable, should match Cloud File System AZ ID)

Existing production site SDDC ID

(If applicable)

Existing production site SDDC AZ ID

(If applicable, should not match Cloud File System AZ ID)

Pre-deployment tip:
  • If you are unsure of the AZ ID to deploy your Cloud File System to, allow automatic selection. Using auto-select prevents selecting the wrong AZ, which requires support assistance to change.
  • Your Recovery SDDC AZ ID must match your Cloud File System AZ ID.
  • Your production site SDDC AZ ID must not match Cloud File System AZ ID.
  • Your AWS VPC must be in the same AWS region and AZ as where you deploy your cloud file system. As a best practice, create a subnet in every AWS AZ you want to use before you deploy a cloud file system. For more information about VPCs and subnets, see here.

Prior to Setting Up First Protected Site

Does your protected site meet the following resource requirements?

Site Resource Value

VMware vCenter

Version 6.5 U2 or later

VMware vCenter for high-frequency snapshots

Version 7.0 U3 or later


8 GHz (reserved)


12 GiB (reserved)


100 GiB virtual disk

Pre-deployment tip:

Firewall ports

You also need to open firewall ports to allow for communication between your production sites and VMware Cloud DR Components.

Open port requirements for the DRaaS Connector.

Table 1. Open Ports Required for the DRaaS Connector
Protocol Port Source Destination Service Description Classification
Protected site
TCP 443 DRaaS Connector

vCenter Server

(on-prem site or SDDC)

vCenter web service Outbound
TCP 80 DRaaS Connector

vCenter Server

(on-prem site only)

vCenter web service Outbound
TCP 902 DRaaS Connector

ESXi Management IP address

(on-prem site only)

Reading/writing vdisks Outbound
TCP 1492 ESXi hosts

DRaaS Connector

(on-prem site or SDDC)

For high-frequency snapshots; reading/writing vdisks. Inbound
VMware Cloud DR
TCP 443 DRaaS Connector

Cloud file system

Encrypted tunnel for data transfers and metadata operations Outbound
TCP 443 DRaaS Connector Orchestrator Management service Outbound
TCP 443 DRaaS Connector VMware auto-support server Support service Outbound

See a complete list of ports required by different VMware products here.

To ensure optimum performance and behavior, we recommend not to exceed the round trip latencies shown in the following diagram.

Minimum latency requirements for the network where you deploy the DRaaS Connector.

To set up your protected sites, you’ll need the following informatiom, which slightly varies from setting up a VMC on AWS SDDC protected site.

On-Premises Protected Site

  • Determine whether to use public internet/Direct Connect (DX) Public VIF or DX Private VIF for your DRaaS Connector to cloud connection. The connection is responsible for the replication and recovery of snapshots. If you plan to use a DX Private VIF, here’s what you need to configure.
  • Select a time zone for your protection group schedules

While setting up your protected site, you also need to register vCenter.

On-premises vCenter Value

vCenter IP address

vCenter admin username and password

VMware Cloud on AWS SDDC Protected Site

VMC on AWS Protected SDDC item Value

SDDC name

SDDC version

Most aggressive RPO

VMC on AWS vCenter item Value

Total VMs managed by vCenter

You will need the following information per-connector:

Item Value

Protected site name

Connector VM name

Most aggressive RPO

Connector VM IP/netmask

(if not DHCP)

Network Gateway

DNS servers

Pre-deployment tip:
  • How many sites are managed by a single vCenter? If there are multiple physical locations per vCenter, contact VMware support.
  • Your total protected capacity should match what was purchased in your term subscription (if applicable).
  • Does your protected site exceed 1000 VMs? If so, you may experience some responsiveness issues with the VMware Cloud DR UI. These issues may include slow loading of pages when previewing protection group VM membership, creating and editing DR plans, and during plan compliance checks. Does your total protected VMs exceed 2500 per-Orchestrator? Refer to the Configuration Maximums tool to check.
  • Except for lab environments, we recommend at least 2 DRaaS Connectors per site for redundancy and for load balancing.

Prior to Recovery SDDC Creation or Attachment

An AWS account must be linked to your VMC organization before you can deploy a new SDDC. Find instructions about linking your AWS account here.

In addition, your AWS Virtual Private Cloud (VPC), subnet, and AWS account must also have the following:
  • Subnet must be in an AWS AZ where VMC on AWS is available.
  • Subnet must exist in the connected AWS account.
  • AWS account being linked must have sufficient capacity to create a minimum of 15 ENIs per SDDC, in each region where an SDDC is deployed.
  • More requirements are located here.
Pre-deployment tip:
  • We recommend that you dedicate a /26 CIDR block to each SDDC and do not use that subnet for any other AWS services or EC2 instances.
  • If your AWS account is not yet connected to your VMC organization, we recommend using the VMC Console to create your recovery SDDC for a smoother experience. You can attach this SDDC to your VMware Cloud DR instance in the VMware Cloud DR UI.

You can choose whether to leave your Recovery SDDCs on at all times (such as for a Pilot Light deployment), or launch more Recovery SDDCs as needed for testing or failover purposes. You can also specify the number of hosts for your recovery SDDC. During deployment, be ready to provide the following information:

Recovery SDDC Item Value

Management IP subnet

Compute IP subnet

Production site IP subnet

VMware Cloud DR proxy subnet

Pre-deployment tip:
  • If you are planning on purchasing Pilot Light hosts, you must purchase a separate VMware Cloud on AWS reserved instance subscription.
You need to identify the virtual networks from the Protected Site need to be mapped into the SDDC network configuration and the type of network as defined as follows:
  • Internal/Site isolated networks, which are not accessible from outside (public) or other sites (private).
  • External networks, which are accessible from the internet (public) without VPN.
  • Stretched networks between sites, which are accessible from other sites (internal) or from VPN into the SDDC.
Protected Site Network SDDC Network Network Type

Additional Suggested Items

To enable others in your organization appropriate access to the VMware Cloud Disaster Recovery UI, you need to invite them to your CSP organization with proper credentials and role assignment.

CSP Org ID User Email VMware Cloud DR Role

The user inivitation process requires that you assign roles to your users within your organization. Here is a full list of VMware Cloud DR user roles.

Additional Resources

Thank you for following the pre-deployment checklist! Please contact technical services if you run into any issues.