Ensure that you have met the following prerequisites before configuring Hybrid Linked Mode.

  • Ensure that your on-premises data center meets the following requirements.

    • Your on-premises vCenter Server system is running vSphere 6.5 patch d or later.

    • You can link only one on-premises SSO domain.

  • Configure a management gateway IPsec VPN connection between your on-premises data center and cloud SDDC.

  • Ensure that you have network connectivity between your VMware Cloud on AWS management gateway and your on-premises ID source and SSO domain. If necessary, create firewall rules in the VMC Console as shown below.

    Use Case                          Source
    SDDC vCenter Server access        IP address or CIDR block from the on-premises data center
    vCenter Single Sign-On access     IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel


  • Ensure that an on-premises DNS server is configured for your management gateway so that it can resolve the FQDN for the identity source.

  • Ensure that your on-premises gateway or firewall allows access from your SDDC to the necessary ports for the following services.

    Service                                     Ports
    On-premises vCenter Server
    On-premises Platform Services Controller    389, 636
    On-premises Active Directory server         389, 636, 3268, 3269
    On-premises DNS

  • Decide which on-premises users should receive Cloud Administrator permissions, and add those users to a group within your identity source so that the permission is granted to the group rather than to individual accounts.

  • Ensure that you have login credentials for a user who has at least read-only access to the Base DN for users and groups in your on-premises environment. Read-only is the minimum the identity source lookup needs, so a dedicated read-only service account is sufficient for this purpose.

  • Ensure that you have the login credentials for your on-premises vSphere SSO domain.
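The following pre-flight script is an added example, not VMware tooling or part of this documentation. Run from a host that sits on the SDDC side of the management gateway VPN, it checks two of the prerequisites above: that the Platform Services Controller and Active Directory FQDNs resolve (the DNS prerequisite), and that each port the table lists for those two services accepts a TCP connection, completing a verified TLS handshake on the LDAPS and Global Catalog-over-SSL ports (636 and 3269; treating those two as TLS-from-the-start is an assumption based on standard LDAP usage). The hostnames are placeholders passed on the command line. It deliberately does not probe the vCenter Server or DNS rows, because this page does not list port numbers for them.

```python
#!/usr/bin/env python3
"""Pre-flight check for the Hybrid Linked Mode firewall and DNS prerequisites.
Added example; hostnames are placeholders, port lists come from the page."""
import socket
import ssl
import sys
from dataclasses import dataclass

# Ports listed on this page for each on-premises service.
PSC_PORTS = (389, 636)
AD_PORTS = (389, 636, 3268, 3269)
# Assumption: 636 (LDAPS) and 3269 (Global Catalog over SSL) negotiate TLS
# immediately, so a certificate-verified handshake is the right probe there.
TLS_PORTS = {636, 3269}


@dataclass(frozen=True)
class Check:
    host: str
    port: int
    tls: bool


def build_checks(psc_host: str, ad_host: str) -> list[Check]:
    """Expand the page's port table into one Check per (host, port)."""
    checks = [Check(psc_host, p, p in TLS_PORTS) for p in PSC_PORTS]
    checks += [Check(ad_host, p, p in TLS_PORTS) for p in AD_PORTS]
    return checks


def resolve(fqdn: str) -> list[str]:
    """Resolve a name the way the management gateway must be able to.
    Returns an empty list when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None)})
    except socket.gaierror:
        return []


def probe(check: Check, timeout: float = 3.0) -> tuple[bool, str]:
    """Open a TCP connection to the port. On TLS ports also complete a
    handshake with certificate verification, because an untrusted LDAPS
    certificate fails the identity source configuration just as surely
    as a blocked port does."""
    try:
        with socket.create_connection((check.host, check.port), timeout=timeout) as sock:
            if not check.tls:
                return True, "tcp ok"
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=check.host) as tls:
                subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
                return True, f"tls ok, CN={subject.get('commonName', '?')}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"tls certificate not trusted: {exc.reason}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"failed: {exc}"


def summarize(results: dict[Check, tuple[bool, str]]) -> list[Check]:
    """Return the checks that failed; an empty list means every listed port
    was reachable (and every TLS port presented a trusted certificate)."""
    return [check for check, (ok, _) in results.items() if not ok]


def main(argv: list[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} PSC_FQDN AD_FQDN")
        return 2
    psc_host, ad_host = argv[1], argv[2]
    for name in (psc_host, ad_host):
        addrs = resolve(name)
        print(f"DNS  {name}: {', '.join(addrs) if addrs else 'NOT RESOLVABLE'}")
    results = {check: probe(check) for check in build_checks(psc_host, ad_host)}
    for check, (ok, message) in results.items():
        print(f"{'PASS' if ok else 'FAIL'} {check.host}:{check.port} {message}")
    return 0 if not summarize(results) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means at least one listed port is blocked or one LDAPS certificate is not trusted by the host's CA store; fix the on-premises firewall rule or install the issuing CA before proceeding with the Hybrid Linked Mode configuration.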