Required Firewall Rules for vMotion

This topic summarizes the firewall rules required for migration with vMotion, both in your on-premises and cloud data centers.

VMC on AWS Firewall Rules for vMotion

Configure the following firewall rules.


Use Cases	Source	Destination	Service
Provide access to vCenter Server from the on premises. Use for general vSphere Client access as well as for monitoring vCenter Server	remote (on-premises) vSphere Client IP address	vCenter	HTTPS
Allow outbound vCenter Server access to on-premises vCenter Server.	vCenter	remote (on-premises) vCenter Server IP address	Any (All Traffic)
Allow SSO vCenter Server	remote (on-premises) Platform Services Controller IP address	vCenter	SSO (TCP 7444)
ESXi NFC traffic	remote (on-premises) ESXi VMkernel networks used for NFC.	ESXi	Provisioning (TCP 902)
Allow outbound ESXi access to on-premises .	ESXi	remote (on-premises) ESXi management VMkernel networks	Any (All Traffic)
Allow vMotion traffic.	remote (on-premises) ESXi vMotion VMkernel networks	ESXi	vMotion (TCP 8000)

Ensure that the following firewall rules are configured in your on-premises firewall.


Rule	Action	Source	Destination	Service	Ports
On-premises to vCenter Server	Allow	remote (on-premises) vSphere Client subnet	VMware Cloud on Public Cloud vCenter Server IP address	HTTPS	443
Remote to ESXi provisioning	Allow	remote (on-premises) subnet		TCP 902	902
Cloud SDDC to on-premises vCenter ServerAllow	Allow	CIDR block for cloud SDDC management network	On-premises vCenter Server, PSC, Active Directory subnet	HTTPS	443
Cloud SDDC toESXi Remote Console	Allow	CIDR block for cloud SDDC management network	VMware Cloud on Public Cloud vCenter Server IP address
Cloud SDDC to Remote LDAP	Allow	CIDR block for cloud SDDC management network	Remote LDAP Server	TCP	389, 636
Cloud SDDC to ESXi vMotion	Allow	CIDR block for cloud SDDC management network	Remote ESXi host subnet	TCP	8000