SDDC Management Gateway Firewall Rules for Cold Migration
Ensure that the following SDDC management gateway firewall rules are configured. See Add or Modify Management Gateway Firewall Rules in VMware Cloud on AWS Networking and Security.
Use Cases | Source | Destination | Service |
---|---|---|---|
Provide on-premises vSphere Client and monitoring access to the SDDC vCenter. | remote (on-premises) vSphere Client IP address | vCenter | HTTPS |
Allow outbound vCenter access to on-premises vCenter. | vCenter | remote (on-premises) vCenter IP address | Any (All Traffic) |
Allow SSO to vCenter. | remote (on-premises) Platform Services Controller IP address | vCenter | SSO (TCP 7444) |
Allow ESXi NFC traffic. | remote (on-premises) ESXi VMkernel networks used for NFC | ESXi | Provisioning (TCP 902) |
Allow outbound ESXi access to on-premises ESXi | ESXi | remote (on-premises) ESXi management VMkernel networks | Any (All Traffic) |
On-Premises Firewall Rules for Cold Migration
Ensure that the following rules are configured in your on-premises firewall. A migration flow must be permitted by both the SDDC management gateway and the on-premises firewall; the rules below are the on-premises half, and they are narrower than the SDDC-side "Any (All Traffic)" rules, so they determine which ports actually reach on-premises vCenter and ESXi.
Rule | Action | Source | Destination | Service | Ports |
---|---|---|---|---|---|
On-premises to vCenter | Allow | remote (on-premises) vSphere Client subnet | VMware Cloud on AWS vCenter IP address | HTTPS | 443 |
Remote to ESXi provisioning | Allow | remote (on-premises) subnet | SDDC management subnet | TCP | 902 |
Cloud SDDC to on-premises vCenter | Allow | CIDR block for cloud SDDC management network | On-premises vCenter | HTTPS | 443 |
Cloud SDDC to ESXi Remote Console | Allow | CIDR block for cloud SDDC management network | On-premises ESXi management VMkernel networks | TCP | 902 |
Cloud SDDC to Remote LDAP (required for Hybrid Linked Mode only) | Allow | CIDR block for cloud SDDC management network | Remote LDAP Server | TCP | 389, 636 |
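Before starting a cold migration it is worth confirming that the ports above are actually open end to end rather than discovering a dropped flow mid-migration. The following script is an added example, not VMware tooling: run from an on-premises host, it performs plain TCP connect tests toward the SDDC for the flows that originate on premises (TCP 443 to the SDDC vCenter, TCP 902 to SDDC ESXi hosts) and distinguishes a timeout (typically a firewall drop) from a refused connection (path open, nothing listening). The host names `vcenter.sddc.example` and `esxi-01.sddc.example` are placeholders; substitute your SDDC vCenter and ESXi management addresses. Flows that originate in the SDDC (vCenter 443 and ESXi 902 toward on-premises, LDAP 389/636 for Hybrid Linked Mode) cannot be proven from on premises and must be tested from inside the SDDC.

```python
"""Pre-migration TCP reachability check for the cold-migration firewall rules.

Added example (not VMware's own code). Host names below are placeholders
(assumption): replace them with your SDDC vCenter and ESXi addresses.
"""
import socket
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    name: str
    host: str
    port: int
    required: bool = True  # set False for flows you only want reported, not enforced


# Flows that originate on premises, taken from the on-premises firewall table.
# Placeholder targets (assumption): substitute real addresses before use.
ON_PREM_TO_SDDC = [
    Flow("vSphere Client / monitoring to SDDC vCenter (HTTPS)", "vcenter.sddc.example", 443),
    Flow("NFC provisioning to SDDC ESXi", "esxi-01.sddc.example", 902),
]


def check_tcp(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """Attempt a TCP connect and return (reachable, detail).

    A timeout almost always means a firewall is silently dropping the flow.
    A refused connection means the path is open but nothing listens on the
    port, which points at the target service rather than the firewalls.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout (likely filtered or dropped by a firewall)"
    except ConnectionRefusedError:
        return False, "refused (path open, no listener on port)"
    except socket.gaierror as exc:
        return False, f"name resolution failed: {exc}"
    except OSError as exc:
        return False, f"error: {exc}"


def run_checks(flows: List[Flow], timeout: float = 3.0) -> List[Tuple[Flow, bool, str]]:
    """Test every flow and return (flow, reachable, detail) for each."""
    return [(f, *check_tcp(f.host, f.port, timeout)) for f in flows]


def all_required_ok(results: List[Tuple[Flow, bool, str]]) -> bool:
    """True when every flow marked required was reachable."""
    return all(ok for flow, ok, _ in results if flow.required)


if __name__ == "__main__":
    results = run_checks(ON_PREM_TO_SDDC)
    for flow, ok, detail in results:
        status = "PASS" if ok else "FAIL"
        print(f"{status}  {flow.name}  {flow.host}:{flow.port}  {detail}")
    raise SystemExit(0 if all_required_ok(results) else 1)
```

Run it from the same subnet the vSphere Client and NFC traffic will use, since a different source subnet may match different rules. A non-zero exit code makes it easy to gate a migration runbook on the result.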