SDDC Management Gateway Firewall Rules for Cold Migration

Ensure that the following SDDC management gateway firewall rules are configured. See Add or Modify Compute Gateway Firewall Rules in VMware Cloud on AWS Networking and Security.

Use Cases Source Destination Service
Provide on-premises vSphere Client and monitoring access to the SDDC vCenter Server. remote (on-premises) vSphere Client IP address vCenter HTTPS
Allow outbound vCenter Server access to on-premises vCenter Server. vCenter remote (on-premises) vCenter Server IP address Any (All Traffic)
Allow SSO to vCenter Server remote (on-premises) Platform Services Controller IP address vCenter SSO (TCP 7444)
ESXi NFC traffic remote (on-premises) ESXi VMkernel networks used for NFC. ESXi Provisioning (TCP 902)
Allow outbound ESXi access to on-premises ESXi ESXi remote (on-premises) ESXi management VMkernel networks Any (All Traffic)

On-Premises Firewall Rules for Cold Migration

Ensure that the following rules are configured in your on-premises firewall.

Rule Action Source Destination Service Ports
On-premises to vCenter Server Allow remote (on-premises) vSphere Client subnet VMware Cloud on AWS vCenter Server IP address HTTPS 443
Remote to ESXi provisioning Allow remote (on-premises) subnet SDDC management subnet TCP 902
Cloud SDDC to on-premises vCenter Server Allow CIDR block for cloud SDDC management network On-premises vCenter Server HTTPS 443
Cloud SDDC to ESXi Remote Console Allow CIDR block for cloud SDDC management network VMware Cloud on AWS vCenter Server IP address TCP 902
Cloud SDDC to Remote LDAP (Required for HLM only) Allow CIDR block for cloud SDDC management network Remote LDAP Server TCP 389, 636