Ensure that you have met the following prerequisites before configuring Hybrid Linked Mode.

  • Ensure that your on-premises data center meets the following requirements.

    • Your on-premises vCenter Server system is running one of the following:

      • vSphere 6.0 Update 3 patch c and later.

        Hybrid Linked Mode supports on-premises vCenter Server systems running 6.0 Update 3 patch c and later with either embedded or external Platform Services Controller (both Windows and vCenter Server Appliance). vCenter Server systems with external Platform Services Controller instances linked in Enhanced Linked Mode are also supported, up to the scale limits documented in https://www.vmware.com/pdf/vsphere6/r60/vsphere-60-configuration-maximums.pdf.

      • vSphere 6.5 patch d and later.

    • You can link only one on-premises SSO domain.

  • Ensure that your on-premises data center and your cloud SDDC are synchronized to an NTP service or other authoritative time source. When using Hybrid Linked Mode, VMware Cloud on AWS can tolerate a time skew of up to ten minutes between the on-premises data center and the cloud SDDC.

  • Configure a management gateway IPsec VPN connection between your on-premises data center and cloud SDDC.

  • Ensure that you have network connectivity between your VMware Cloud on AWS management gateway and your on-premises ID source and SSO domain. If necessary, create firewall rules in the VMC Console as shown below.

    Use Cases




    SDDC vCenter Server access


    IP address or CIDR block from on-premises data center


    vCenter Single Sign-On access


    IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel


  • Ensure that an on-premises DNS server is configured for your management gateway so that it can resolve the FQDN for the identity source.

  • Ensure that your on-premises gateway or firewall allows access to the necessary ports from your SDDC for the following services.



    On-premises vCenter Server


    On-premises Platform Services Controller

    389, 636

    On-premises Active Directory server

    389, 636, 3268, 3269

    On-premises DNS


  • The maximum latency between your cloud SDDC and on-premises data center must be 100 msec roundtrip.

  • Run the Connectivity Validator tests to check that network connectivity is correctly established for Hybrid Linked Mode. See Validate Network Connectivity for Hybrid Linked Mode.

  • Decide which of your on-premises users you want to grant Cloud Administrator permissions to. Add these users to a group within your identity source. Ensure that this group has access to your on-premises environment.

  • Ensure that you have login credentials for a user who has a minimum of read-only access to the Base DN for users and groups in your on-premises environment.

  • Ensure that you have the login credentials for your on-premises vSphere SSO domain.