Setting up a protected site for your VMware Cloud on AWS SDDC requires creating firewall rules for the DRaaS Connector.

As you set up your protected sites, you must decide whether you want VMware Cloud DR to create the firewall rules needed for the DRaaS Connector (recommended) or whether you want to create the firewall rules manually.

If you allow VMware Cloud DR to automatically create firewall rules for your protected site, you must create a dedicated network segment to use for the DRaaS Connector on the SDDC. This is recommended as a best practice.

If you wish to create your own firewall rules to allow the DRaaS Connector to communicate with your SDDC, follow these guidelines:
  • SDDC vCenter outbound on TCP port 443
  • Cloud file system outbound on TCP port 443
  • Orchestrator outbound on TCP port 443
  • VMware Cloud DR auto-support server outbound on TCP port 443
  • Protected site vCenter outbound on TCP port 443
  • ESXi hosts inbound on TCP port 1492
Note: See Service Public IP Addresses for how to find VMware Cloud DR public IP addresses.
Note: VMware Cloud DR does not support an internet proxy server between the DRaaS Connector and the cloud.

You can open these ports by configuring firewall rules for the SDDC's Compute Gateway as described here: Add or Modify Compute Gateway Firewall Rules.
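
A preflight check for the outbound TCP 443 rules listed above, as an added example that is not part of the VMware documentation: run from a machine on the DRaaS Connector's network segment, it attempts a direct TCP connection (no proxy) to each destination and classifies the result. The hostnames are placeholders to replace with your own endpoints, and the ESXi TCP 1492 rule is not covered.

```python
import errno
import socket

# Outbound TCP 443 destinations from the list above.
# Hostnames are placeholders (assumptions); substitute your own endpoints.
OUTBOUND_443 = {
    "SDDC vCenter": "sddc-vcenter.example.invalid",
    "Cloud file system": "cloud-fs.example.invalid",
    "Orchestrator": "orchestrator.example.invalid",
    "VMware Cloud DR auto-support server": "auto-support.example.invalid",
    "Protected site vCenter": "protected-vcenter.example.invalid",
}


def probe(host, port=443, timeout=3.0):
    """Attempt a direct TCP connect (no proxy) and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: rule permits the flow
    except socket.gaierror:
        return "dns-failure"       # name did not resolve; nothing was sent
    except ConnectionRefusedError:
        return "refused"           # RST received: path open, nothing listening
    except (socket.timeout, TimeoutError):
        return "filtered"          # no reply: typically a silent firewall drop
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"   # routing problem, not a firewall rule
        return "error"


def check_all(targets, port=443, timeout=3.0):
    """Probe every labelled destination; return {label: status}."""
    return {label: probe(host, port, timeout) for label, host in targets.items()}


def blocked(results):
    """Labels whose flow did not complete a TCP handshake."""
    return sorted(label for label, status in results.items() if status != "open")


if __name__ == "__main__":
    results = check_all(OUTBOUND_443)
    for label, status in results.items():
        print(f"{label:40s} tcp/443  {status}")
    if blocked(results):
        raise SystemExit("Missing or incorrect rules for: " + ", ".join(blocked(results)))
```

A `filtered` result usually points at a missing or misordered firewall rule, while `refused` means the packet reached the destination and the rule itself is working.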