Before activating your SDDC, complete the activation precheck tasks. You also need the VeloCloud Orchestrator (VCO) and VeloCloud Gateway (VCG) IP addresses to configure your firewall rules. See the VCO Services and VCG Services sections in this topic.

Activation Precheck Tasks

Task: Description
Main power circuit: Ensure that the main power circuit is ready to connect to the rack PDUs.
Keep the overpack box ready at the deployment location: You receive an overpack box containing extra cables and transceivers along with the rack. Hand over the box to the deployment engineer if the engineer requires it.
Power off rack devices: Ensure that all equipment in the rack is powered off.
Copper or fiber VeloCloud uplink connections: Determine whether to use copper or fiber for the VeloCloud 1 GbE uplink connections and ensure that the cables are available when deploying the SDDC.
Top of Rack switch uplink speed: Determine whether to use a 10 Gb or 25 Gb uplink from the ToR to your L2 uplink switch.
Top of Rack switch uplink configuration

(For information on configuring an uplink connection, see Configure Uplink Connections).

Determine whether you need standard or butterfly configuration from the VMware Cloud on Dell EMC rack to your L2 uplink switch.
  • Standard configuration: Each ToR switch needs 1 uplink connection to the core L2 uplink switch.
  • Butterfly configuration: Each ToR switch needs 2 uplink connections to the core L2 uplink switch.
Note: Butterfly ToR uplink configuration is supported only for static routing.
Uplink configuration on the day of activation: Confirm whether you want to configure the uplink connection during the day-1 deployment.
L2 switch technician availability: Ensure that a technician who knows the configuration and parameters of the core L2 switch is available during deployment. The technician must be involved in the activation process.
VeloCloud port enablement: The two VeloCloud devices configured in the primary/secondary high availability (HA) mode on the VMware Cloud on Dell EMC rack provide remote access capabilities. The VMware Cloud on Dell EMC SRE manages the rack using a communication path that is separate from the paths (2 x ToRs) used by the SDDC and workloads on the rack. For the VeloCloud to function properly, you must configure the following:
  1. During the VMware Cloud on Dell EMC deployment activities, the VeloCloud switches must access the VeloCloud Orchestrator (VCO) service as well as the VeloCloud Gateway (VCG) services.

    Configure the following ports for outbound communications:

    • UDP 2426 (for IPSec tunnel): The IP addresses associated with the VCG services should be reachable through the firewall.
    • TCP 443 (for activation and management): The IP addresses associated with the VCO should be reachable through the firewall.
  2. Ensure that the VeloCloud devices have outbound access to UDP port 53 on IP addresses 8.8.8.8 and 8.8.4.4 (Google DNS).
User provisioning: The deployment engineer who assists with the deployment must be provisioned with the required roles. Ensure that the deployment engineer can log in to the VMware Cloud on Dell EMC console. See Account Creation and Management.
Role assignment: Ensure that you enable the necessary roles for the deployment engineer. See Assign a Role to an Organization Member.
DNS configuration

After you configure uplink connections, allow the NSX Compute Gateway DNS forwarder and the Management Gateway DNS forwarder to reach the upstream DNS servers on UDP port 53. This communication is between the VMware Cloud on Dell EMC ToRs and your uplink routers.

You can use the compute gateway DNS forwarder for your VMs and workloads. The VMware Cloud on Dell EMC management VM uses the Management Gateway DNS forwarder.
Note: For network addressing information, see Configure SDDC Network Addresses.
vCenter reachability to vSAN insight analytics end point
  • You must allow the vCenter Management IP to reach vcsa.vmware.com through its FQDN on HTTPS port 443. This communication does not go through proxy servers and is established directly.
    Note: Your vCenter Management IP is available on the Settings page under vCenter Internal IP.

    For network addressing information, see Configure SDDC Network Addresses.

  • If you have set up any firewall rules, you must update the rules to allow traffic to vcsa.vmware.com.
HCX endpoint reachability

(This task is applicable only if you are activating and deploying HCX on VMware Cloud on Dell EMC SDDC).

  • You must allow the vCenter Management IP to reach connect.hcx.vmware.com and hybridity-depot.vmware.com on the HTTPS port 443. This communication is established directly through your uplink connection and does not go through proxy servers.
    Note: Your vCenter Management IP is available on the Settings page under vCenter Internal IP.
  • If you have set up any firewall rules, you must update the rules to allow traffic to the sites, connect.hcx.vmware.com and hybridity-depot.vmware.com.
Note: hybridity-depot.vmware.com is a CDN backend with a dynamic IP and therefore you must configure it appropriately.
Add VCO service URLs to L7 firewall URL filtering module allowlist: If you are using the URL filtering module in an L7 firewall, you must add the following VCO160 URLs to the firewall allowlist:
IP allowlist for vCenter access through the Internet
You can manage your vCenter through the intranet or the Internet. To manage your vCenter through the Internet, you must specify the IP allowlist before the deployment. See Add IP Allowlist for Accessing vCenter and NSX Manager.
Note: The default policy for IPs allowed to perform vCenter management is Deny All.
After you configure the uplink connection, verify that the CSP portal uplink ping test is successful: An HTTP test or a ping test, provided ICMP is not blocked, detects any routing or rendering issues, such as an overlap between ToR and core switches.
Management gateway: Navigate to the Network & Security tab of the Order VMware Cloud on Dell EMC SDDC form and verify that the management gateway is connected to the Internet.
Important: If your SDDC version is 1.16 or later, the Networking & Security tab is unavailable. Log in to NSX Manager to manage your SDDC networks.

VCO Services

In each VMware Cloud on Dell EMC rack, there are two VeloCloud devices operating in High Availability (HA) mode. These VeloCloud devices allow an out-of-band communication path between the VMware Cloud on Dell EMC SDDC and VMware, independent of the uplinks from the ToR switches in the VMware Cloud on Dell EMC SDDC to your network. This ToR uplink path is used by workloads to communicate back and forth to services operating anywhere else on your network, and to the Internet if the workload requires it.

Without VeloCloud connectivity, VMware can’t access the rack to perform remote management, and can’t receive the monitoring data from the rack that alerts VMware to any incidents and verifies that the rack is operating within its Service Level Objectives.

The VeloCloud Edge 620 devices communicate with a VCO service instance in the VeloCloud cloud service. VCO manages the VeloCloud devices and provides their control plane. The following VCO service instances are assigned for use by the VeloCloud in the VMware Cloud on Dell EMC racks:
  • VCO160 (52.53.138.251)
  • VCO129 (54.173.111.227)
Each VCO service instance is associated with a pool of VeloCloud Gateway IP addresses. The pool represents the SD-WAN endpoints that make up the data plane, which provides the following:
  • Data flow from the VMware Cloud on Dell EMC rack
  • Inbound connectivity during SRE jump host interactions with the VMware Cloud on Dell EMC rack

VCG Services

Each VeloCloud Edge uses a particular VCG service instance based on its geographic location. For example, if the VMware Cloud on Dell EMC Edges are in a rack deployed in Oklahoma City, and the customer is assigned to VCO129, the VeloClouds in the rack will be directed to use the VCO129 VCG service instance located in the same region, in Texas (216.221.31.57).

The VMware Customer Success team will inform you regarding the VCO service to which your VeloCloud Edges are assigned, whether it’s VCO160 or VCO129. All the VMware Cloud on Dell EMC racks in your environment use the same VCO service instance, either VCO160 or VCO129. For proper management and monitoring of the VMware Cloud on Dell EMC rack, your firewall must be configured to allow outbound communication as follows:
  • TCP to port 443 on the VCO service instance IP address
  • UDP to port 2426 on any IP address in the VCG pool
Note: VeloCloud routinely expands the number of VCG service instances in the VCO160 and VCO129 pools. When VeloCloud adds new IP addresses to a pool, you must update your firewall allowlist to allow outbound communication to those addresses. Ask your VMware Customer Success team to verify the VCG IP address list and supply any IP addresses that have been added recently.

For example, if you are assigned VCO160 and you create the firewall rules allowing UDP communication to port 2426 to each of the specific VCG IP addresses for VCO160, every time a new IP address is added to the VCO160 pool, a network engineer will need to create a new firewall rule allowing UDP port 2426 connectivity to that IP.

Without the new firewall rule for the new IP addresses in the pool, VCO160 might direct the VeloCloud Edge 620 to connect to one of the new VCG IP addresses. In this case, the VeloCloud may not be able to reach the Internet and the rack is isolated until the firewall rule is created.
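The following is an added example, not part of the VMware documentation: a log check that surfaces the isolation condition described above by classifying denied outbound flows from the two VeloCloud edges against the required rules (UDP 2426 to VCG, TCP 443 to VCO, UDP 53 to Google DNS). The log format, edge addresses, and VCG allowlist entries are constructed assumptions; only the VCO129 address, ports, and DNS servers come from this page.

```python
import ipaddress
import re

# Assigned VCO instance (the VCO129 address as listed on this page).
VCO_IP = ipaddress.ip_address("54.173.111.227")
# Constructed stand-in for the firewall's VCG allowlist (RFC 5737 documentation
# ranges, not real VCG addresses).
VCG_ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/28")]
DNS_IPS = {ipaddress.ip_address("8.8.8.8"), ipaddress.ip_address("8.8.4.4")}
# Constructed log lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
action=allow proto=udp src=10.0.0.5 dst=192.0.2.10 dport=2426
action=deny proto=udp src=10.0.0.5 dst=203.0.113.77 dport=2426
action=deny proto=udp src=10.0.0.6 dst=203.0.113.77 dport=2426
action=deny proto=udp src=10.0.0.6 dst=198.51.100.3 dport=2426
action=deny proto=tcp src=10.0.0.5 dst=54.173.111.227 dport=443
action=deny proto=udp src=10.0.0.9 dst=203.0.113.200 dport=2426
action=deny proto=udp src=10.0.0.5 dst=8.8.4.4 dport=53
garbled line that the parser must skip
"""
LINE_RE = re.compile(r"action=(\w+) proto=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")

def blocked_velocloud_flows(log_text, edge_ips):
    """Classify denied outbound flows from the VeloCloud edges by required rule."""
    edges = {ipaddress.ip_address(e) for e in edge_ips}
    found = {"vcg_unlisted": set(), "vcg_rule_broken": set(),
             "vco_blocked": set(), "dns_blocked": set()}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(1) != "deny":
            continue
        proto, dport = m.group(2), int(m.group(5))
        try:
            src, dst = ipaddress.ip_address(m.group(3)), ipaddress.ip_address(m.group(4))
        except ValueError:
            continue  # malformed address field
        if src not in edges:
            continue  # only flows from the two HA edges are relevant
        if (proto, dport) == ("udp", 2426):
            listed = any(dst in net for net in VCG_ALLOWLIST)
            # Listed but denied: the rule is shadowed or mis-ordered. Unlisted: a
            # candidate VCG address added to the pool after the last allowlist update.
            found["vcg_rule_broken" if listed else "vcg_unlisted"].add(str(dst))
        elif (proto, dport) == ("tcp", 443) and dst == VCO_IP:
            found["vco_blocked"].add(str(dst))
        elif (proto, dport) == ("udp", 53) and dst in DNS_IPS:
            found["dns_blocked"].add(str(dst))
    return {k: sorted(v) for k, v in found.items()}
```

An address reported under `vcg_unlisted` is only a candidate; confirm it against the VCG list supplied by the VMware Customer Success team before adding a rule for it.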

The following are the three options for firewall rule configuration to allow access to VCG IP addresses:

  • Allow UDP on port 2426 to any IP address: Whenever a new IP is added to the VCG pool, you need not create a new firewall rule.
    Note: VMware recommends this option, where the firewall rule allows UDP communication to port 2426 on any IP address. This configuration is preferred because the VeloCloud outbound communication firewall rule does not have to be updated each time a new IP is added to the VCO 52.53.138.251 or VCO 54.173.111.227 pool.
  • Allow UDP on port 2426 to all known VCG IPs for either VCO160 or VCO129: Whenever a new IP is added to the VCG pool, you should create a new firewall rule for that IP address.
  • Allow UDP on port 2426 to all subnets within VMware ASN53766 (ASN assigned to VeloCloud): Whenever a new IP is added to the VCG pool, the existing firewall rules allow communication to all the newly added IP addresses.
The following VCG IP addresses are specific to VCO160 (52.53.138.251):
The following VCG IP addresses are specific to VCO129 (54.173.111.227):