VMC on AWS Firewall Rules for Cold Migration

Ensure that the following firewall rules are configured in the VMC Console.

| Use Case | Source | Destination | Service |
| --- | --- | --- | --- |
| Provide access to vCenter Server from on-premises. Used for general vSphere Client access as well as for monitoring vCenter Server. | remote (on-premises) vSphere Client IP address | vCenter | HTTPS |
| Allow outbound vCenter Server access to on-premises vCenter Server. | vCenter | remote (on-premises) vCenter Server IP address | Any (All Traffic) |
| Allow SSO access to vCenter Server. | remote (on-premises) Platform Services Controller IP address | vCenter | SSO (TCP 7444) |
| ESXi NFC traffic | remote (on-premises) ESXi VMkernel networks used for NFC | ESXi | Provisioning (TCP 902) |
| Allow outbound ESXi access to on-premises ESXi | ESXi | remote (on-premises) ESXi management VMkernel networks | Any (All Traffic) |

On-Premises Firewall Rules for Cold Migration

Ensure that the following firewall rules are configured in your on-premises firewall.

| Rule | Action | Source | Destination | Service | Ports |
| --- | --- | --- | --- | --- | --- |
| On-premises to vCenter Server | Allow | remote (on-premises) vSphere Client subnet | VMware Cloud on AWS vCenter Server IP address | HTTPS | 443 |
| Remote to ESXi provisioning | Allow | remote (on-premises) subnet | | TCP 902 | 902 |
| Cloud SDDC to on-premises vCenter Server | Allow | CIDR block for cloud SDDC management network | On-premises vCenter Server, PSC, Active Directory subnet | HTTPS | 443 |
| Cloud SDDC to ESXi Remote Console | Allow | CIDR block for cloud SDDC management network | VMware Cloud on AWS vCenter Server IP address | | |
| Cloud SDDC to Remote LDAP (Required for HLM only) | Allow | CIDR block for cloud SDDC management network | Remote LDAP Server | TCP | 389, 636 |
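As an added example (not VMware's code or documentation), the following script audits an exported on-premises allow list against the fully specified rows of the table above: it reports required ports that no entry permits, and flags entries that allow all traffic where only a specific port is needed. All CIDRs, addresses and policy entries are constructed placeholders.

```python
# Added example (not VMware's code): audit a firewall policy export against
# the on-premises cold-migration rules listed on this page. All CIDRs,
# addresses and policy entries below are constructed for the demonstration.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: str          # "tcp", "udp" or "any"
    ports: frozenset    # TCP/UDP ports; empty means every port


# Fully specified rows from the on-premises table, with placeholder addresses.
REQUIRED = [
    Rule("On-premises to vCenter Server", "10.10.0.0/24", "192.0.2.10/32", "tcp", frozenset({443})),
    Rule("Cloud SDDC to on-premises vCenter Server", "10.2.0.0/16", "10.10.1.0/24", "tcp", frozenset({443})),
    Rule("Cloud SDDC to Remote LDAP", "10.2.0.0/16", "10.10.2.5/32", "tcp", frozenset({389, 636})),
]

# Constructed export of the current on-premises allow list.
POLICY = [
    Rule("allow-mgmt-https", "10.10.0.0/24", "192.0.2.10/32", "tcp", frozenset({443})),
    Rule("allow-sddc-any", "10.2.0.0/16", "10.10.1.0/24", "any", frozenset()),
    Rule("allow-sddc-ldap", "10.2.0.0/16", "10.10.2.5/32", "tcp", frozenset({389})),
]


def covers(p: Rule, r: Rule, port: int) -> bool:
    """True if policy entry p permits required rule r's traffic on the given port."""
    return (ip_network(r.src).subnet_of(ip_network(p.src))
            and ip_network(r.dst).subnet_of(ip_network(p.dst))
            and p.proto in ("any", r.proto)
            and (not p.ports or port in p.ports))


def audit(policy, required):
    """Return {required rule name: sorted list of its ports no policy entry permits}."""
    return {r.name: sorted(port for port in r.ports
                           if not any(covers(p, r, port) for p in policy))
            for r in required}


def overly_broad(policy, required):
    """Names of entries permitting all ports where a required rule needs specific ones."""
    return sorted({p.name for p in policy for r in required
                   if not p.ports and any(covers(p, r, port) for port in r.ports)})


if __name__ == "__main__":
    for name, missing in audit(POLICY, REQUIRED).items():
        print(f"{name}: {'OK' if not missing else 'missing ports ' + str(missing)}")
    print("overly broad entries:", overly_broad(POLICY, REQUIRED))
```

With the constructed policy, the LDAP rule is reported as missing TCP 636 and `allow-sddc-any` is flagged because it permits all traffic where the table requires only HTTPS (443).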