Pre-deployment Checklist

Before You Start

VMware Cloud DR does not support organization level IP Allow List authentication policies. If IP Allow Lists are enabled in your organization, it might prevent you from configuring an API token in the VMware Cloud DR UI, or connecting a cloud file system to a recovery SDDC. If your organization leverages the organization level IP Allow List feature, contact support prior to deployment for assistance.

Longer Lead-Time Items

Let’s start off with a couple tasks that might require a longer lead time.

Open firewall ports. You need to open firewall ports to allow for communication between your production sites and VMware Cloud DR components. This pre-requisite for production sites can take some time, so we recommend you do this first. View details about firewall port requirements here.
Set up AWS account, Virtual Private Cloud (VPC), and Subnet. An AWS account must be linked to your VMware Cloud organization before you can deploy a new SDDC. Your AWS VPC subnet, and AWS account also must meet certain requirements, which you can view here.

Prior to Creating First Subscription

Choose between purchasing a 1-year or a 3-year term subscription, and pay either monthly or on-demand. For more information about pricing, see here.

Pre-deployment tip:

Knowing your AWS region, whether you’d like to pay upfront or in monthly installments, your seller of record, and how many TiB to purchase expedites creating your first term subscription.
Don’t know how many TiB to purchase? Check out the VMware Cloud DR Planner.

Prior to Activating First Recovery Region

All you need to do for this task is to decide what regions you’d like to recover your production site workloads to.

Pre-deployment tip:

The recovery region is the location where you want to deploy the VMware Cloud DR Orchestrator and cloud file system.
If you already have a subscription created, or are planning on creating one in the future, be sure that the subscription region matches your recovery region location.

Prior to Deploying First Cloud File System

It is important that your cloud file system is deployed in the correct location. Make sure you have the following information prior to deployment.


Item	Value
AZ ID (If unsure, allow automatic selection)
Existing Recovery SDDC ID (If applicable)
Existing Recovery SDDC AZ ID (If applicable, should match cloud file system AZ ID)
Existing production site SDDC ID (If applicable)
Existing production site SDDC AZ ID (If applicable, should not match cloud file system AZ ID)

Pre-deployment tip:

If you are unsure of the AZ ID to deploy your cloud file system to, allow automatic selection. Using auto-select prevents selecting the wrong AZ, which requires support assistance to change.
Your recovery SDDC AZ ID must match your cloud file system AZ ID.
Your production site SDDC AZ ID must not match cloud file system AZ ID.
Your AWS VPC must be in the same AWS region and AZ as where you deploy your cloud file system. As a best practice, create a subnet in every AWS AZ you want to use before you deploy a cloud file system. For more information about VPCs and subnets, see here.

Prior to Setting Up First Protected Site

Does your protected site meet the following resource requirements?


Site Resource	Value
VMware vCenter	Version 7.0 or later
VMware vCenter for high-frequency snapshots	Version 7.0 U3 or later
CPU	8 GHz (reserved)
RAM	12 GiB (reserved)
Disk	100 GiB virtual disk

Pre-deployment tip:

How do other components of your production site measure up to the requirements? Refer to the VMware Interoperability Matrix.
If you plan to use ransomware recovery or take quiesced snapshots, make sure those VMs have the latest versions of VMware Tools installed on them.
All protected VMware Cloud on AWS SDDCs must reside in the same VMware Cloud Organization as VMware Cloud DR.
VMware Cloud DR does not support an internet proxy server between the DRaaS Connector and the cloud.

Firewall ports

You also need to open firewall ports to allow for communication between your production sites and VMware Cloud DR components.

Open port requirements for the DRaaS Connector.

Table 1. Open Ports Required for the DRaaS Connector
Protocol	Port	Source	Destination	Service Description	Classification
Protected site
TCP	443	DRaaS Connector	vCenter Server (on-premises site or SDDC)	vCenter Server web service	Outbound
TCP	80	DRaaS Connector	vCenter Server (on-premises site only)	vCenter Server web service	Outbound
TCP	902	DRaaS Connector	ESXi Management IP address (on-premises site only)	Reading/writing vdisks	Outbound
TCP	1492	ESXi hosts	DRaaS Connector (For on-premises sites. For VMware Cloud on AWS SDDCs, this outbound rule for ESXi hosts is already configured.)	For high-frequency snapshots, reading/writing vdisks.	Inbound
VMware Cloud DR
TCP	443	DRaaS Connector	Cloud file system	Encrypted tunnel for data transfers and metadata operations	Outbound
TCP	443	DRaaS Connector	Orchestrator	Management service	Outbound
TCP	443	DRaaS Connector	VMware auto-support server	Support service	Outbound

See a complete list of ports required by different VMware products here.

To ensure optimum performance and behavior, we recommend not to exceed the round trip latencies shown in the following diagram.

Minimum latency requirements for the network where you deploy the DRaaS Connector.

To set up your protected sites, you’ll need the following information, which slightly varies from setting up an SDDC protected site.

On-Premises Protected Site

Determine whether to use public internet/Direct Connect (DX) Public VIF or Direct Connect Private VIF for your DRaaS Connector to cloud connection. The connection is responsible for the replication and recovery of snapshots. If you plan to use a Direct Connect Private VIF, here’s what you need to configure.
Select a time zone for your protection group schedules.

While setting up your protected site, you also need to register vCenter.

Note: Use the vSphere calculator to determine if your most aggressive RPO can be supported, given your network link.


On-premises vCenter	Value
vCenter IP address
vCenter admin username and password

VMware Cloud on AWS SDDC Protected Site


VMC on AWS Protected SDDC item	Value
SDDC name
SDDC version
Most aggressive RPO


VMC on AWS vCenter item	Value
Total VMs managed by vCenter

You need the following information per-connector:


Item	Value
Protected site name
Connector VM name
Most aggressive RPO
Connector VM IP/netmask (if not DHCP)
Network Gateway
DNS servers

Pre-deployment tip:

How many sites are managed by a single vCenter? If there are multiple physical locations per vCenter, contact VMware support.
Your total protected capacity should match what was purchased in your term subscription (if applicable).
If you are purchasing a subscription to avoid on-demand overages, your total protected capacity should not exceed what was purchased in your term subscription (subscriptions are optional but offer better commercial terms for long-term use).
Does your protected site exceed 1000 VMs? If so, you might experience some responsiveness issues with the VMware Cloud DR UI. These issues might include slow loading of pages when previewing protection group VM membership, creating and editing Recovery Plans, and during plan compliance checks. Does your total protected VMs exceed 2500 per-Orchestrator? Refer to the Configuration Maximums tool to check.
Except for lab environments, we recommend at least two DRaaS Connectors per site for redundancy and for load balancing.

Prior to Recovery SDDC Creation or Attachment

An AWS account must be linked to your VMware Cloud organization before you can deploy a new SDDC. Find instructions about linking your AWS account here.

In addition, your AWS Virtual Private Cloud (VPC), subnet, and AWS account must also have the following:

Subnet must be in an AWS AZ where VMC on AWS is available.
Subnet must exist in the connected AWS account.
AWS account being linked must have sufficient capacity to create a minimum of 15 ENIs per SDDC, in each region where an SDDC is deployed.
More requirements are located here.

Pre-deployment tip:

We recommend that you dedicate a /26 CIDR block to each SDDC and do not use that subnet for any other AWS services or EC2 instances.
If your AWS account is not yet connected to your VMC organization, we recommend using the VMware Cloud console to create your recovery SDDC for a smoother experience. You can attach this SDDC to your VMware Cloud DR instance in the VMware Cloud DR UI.

You can choose whether to leave your recovery SDDCs always on (such as for a Pilot Light deployment), or launch more recovery SDDCs as needed for testing or failover purposes. You can also specify the number of hosts for your recovery SDDC. During deployment, be ready to provide the following information:


recovery SDDC Item	Value
Management IP subnet
Compute IP subnet
VMware Cloud DR proxy subnet

Pre-deployment tip:

If you are planning on purchasing Pilot Light hosts, you must purchase a separate VMware Cloud on AWS reserved instance subscription.

You need to identify the virtual networks from the Protected Site need to be mapped into the SDDC network configuration and the type of network as defined as follows:

Internal/Site isolated networks, which are not accessible from outside (public) or other sites (private).
External networks, which are accessible from the internet (public) without VPN.
Stretched networks between sites, which are accessible from other sites (internal) or from VPN into the SDDC.


Protected Site Network	SDDC Network	Network Type

Additional Suggested Items

To enable others in your organization appropriate access to the VMware Cloud DR UI, you need to invite them to your CSP organization with proper credentials and role assignment.


CSP Org ID	User Email	VMware Cloud DR Role

The user invitation process requires that you assign roles to your users within your organization. Here is a full list of VMware Cloud DR user roles.

Additional Resources

Thank you for following the pre-deployment checklist. Contact technical services if you run into any issues.