If your VMware Cloud Services Organization has an authentication policy that blocks VMware Cloud Flex Storage IP addresses, you need to add exceptions to the policy to allow those IP addresses.

VMware Cloud Services provides authentication policies that let you set multi-factor authentication, IP authentication preferences, and user access at the domain level.

If you have been using VMware Cloud Flex Storage before July 2024, and your Organization's IP authentication policy blocks the three VMware Cloud Flex Storage IP addresses, then you must add exceptions to the policy to allow those three IP addresses, or you won't be able to:

If VMware Cloud Flex Storage IP addresses are being blocked by your Organization's authentication policy, you will see this error message when you try to recreate the OAuth app or activate a storage region. This message provides the three VMware Cloud Flex Storage IP addresses you need to add as exceptions to the policy:

Error message with VMware Cloud Flex Storage IP addresses

These IP addresses are used to communicate with VMware Cloud Flex Storage to perform tasks such as new activations, upgrades, monitoring, and deactivation. Without the ability to communicate through these IP addresses, VMware Cloud Flex Storage cannot deploy or manage your service instances or properly authenticate with your organization.

You also need to add the main VMware Cloud Flex Storage IP address to your Organization's authentication policy allow list.

In the VMware Cloud Flex Storage UI, select Settings from the left navigation, and then click About VMware Cloud Flex Storage.

From the About VMware Cloud Flex Storage dialog box, take the FQDN and convert it to an IP address:

Take the VMware Cloud Flex Storage FQDN and convert to IP address for the allow list.

How Do VMware Cloud Flex Storage IP Addresses Get Blocked?

Depending on the type of authentication policy configured for your organization, VMware Cloud Flex Storage IP addresses can be blocked by either an Allow policy or a Block policy.

For example, if VMware Cloud Flex Storage IP addresses are as follows:
  • 32.211.171.65
  • 54.186.195.111
  • 35.163.127.96
  • 190.0.2.10
And if your organization authentication policy is set to only Allow the following IP addresses:
  • 49.37.170.0/24
  • 44.55.66.77

Then you need to add the VMware Cloud Flex Storage IP addresses as exceptions to the policy to allow them.

Conversely, if your organization authentication policy is set to Block the following IP address ranges:
  • 34.211.171.0/24
  • 54.186.195.0/24
  • 35.163.127.0/24
  • 190.0.2.10/24

Then you need to add the VMware Cloud Flex Storage IP addresses as exceptions to the policy to allow them.
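The check below is an added example, not VMware code: it runs the page's example addresses against both example policies and lists which ones still need an exception. The function names and the policy model (exceptions always win, an Allow policy denies anything unlisted, a Block policy denies anything listed) are assumptions drawn from the description above.

```python
import ipaddress

# Example values copied from this page.
SERVICE_IPS = ["32.211.171.65", "54.186.195.111", "35.163.127.96", "190.0.2.10"]
ALLOW_POLICY = ["49.37.170.0/24", "44.55.66.77"]
BLOCK_POLICY = ["34.211.171.0/24", "54.186.195.0/24",
                "35.163.127.0/24", "190.0.2.10/24"]


def _networks(entries):
    # strict=False accepts entries written with host bits set, such as
    # 190.0.2.10/24, and treats them as the enclosing network (190.0.2.0/24).
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_denied(ip, mode, entries, exceptions=()):
    """Assumed model: exceptions always win; otherwise an "allow" policy
    denies anything not listed and a "block" policy denies anything listed."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in _networks(exceptions)):
        return False
    listed = any(addr in net for net in _networks(entries))
    if mode == "allow":
        return not listed
    if mode == "block":
        return listed
    raise ValueError(f"unknown policy mode: {mode!r}")


def missing_exceptions(service_ips, mode, entries, exceptions=()):
    """Return the service IPs that the policy would still deny."""
    return [ip for ip in service_ips
            if is_denied(ip, mode, entries, exceptions)]


if __name__ == "__main__":
    for mode, entries in (("allow", ALLOW_POLICY), ("block", BLOCK_POLICY)):
        print(mode, "policy still denies:",
              missing_exceptions(SERVICE_IPS, mode, entries))
```

With the values as printed on this page, 32.211.171.65 lies outside 34.211.171.0/24, so the Block case reports three addresses rather than four.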

Procedure

  1. To edit the authentication policy IP address list for your Organization, log in to the VMware Cloud Services console and navigate to the Organization > Authentication Policy page.
  2. Select the IP address/range tab, and then click Add An Exception below it. In the example image below, the Organization authentication policy is set to Block IP, so you need to add an exception to allow the VMware Cloud Flex Storage IP address.
    Organization authentication policy list 'add an exception' link to add VMware Cloud Flex Storage IP addresses.
  3. In the Add exception dialog box, enter one of the IP addresses from the error message and click Add.
    Add exception dialog box is where you add the VMware Cloud Flex Storage IP addresses.
  4. Next, repeat this step to add the other two IP addresses as exceptions to the policy.
    Your Organization authentication policy will now look something like this:
    Organization authentication policy with IP address exceptions added.
    It can take up to 30 minutes before the policy updates are applied. After 30 minutes, you can try again to recreate an OAuth app or activate a storage region.