To set up a successful hybrid cloud deployment, you must follow these connection and firewall rules.

Connection

Use the VMC Console in VMware Cloud on AWS to create a VPN from the SDDC management network to your on-premises management network, configure the management gateway with firewall rules, and specify DNS server addresses for the management network. Your networking team can configure the on-premises VPN using the information you download from the SDDC.

You must configure the following VPN connections between components in the logical network:

  • Configure a VPN connection from the management component to the on-premises component.

  • Configure a VPN connection from the compute component to the on-premises component.

  • Configure a VPN connection from the compute component to the management component.

You can also use AWS Direct Connect to set up a connection between Horizon 7 and VMware Cloud on AWS. For more information on configuring VPNs or using AWS Direct Connect, see the VMware Cloud on AWS Getting Started document.

Firewall Rules

You can run the Firewall Rule Accelerator in VMware Cloud on AWS for all VPNs to create all the required firewall rules.

The following table describes firewall rules for the Management Gateway on VMware Cloud on AWS:

Table 1. Management Gateway Firewall Rules

Rule Name                                   | Service Name            | Ports | Action | Source                 | Destination
--------------------------------------------+-------------------------+-------+--------+------------------------+-----------------------
Any SSO                                     | SSO (TCP 7444)          | 7444  | Allow  | Any                    | vCenter
vCenter (ANY) to Management-On-Prem         | Any (All Traffic)       | Any   | Allow  | vCenter                | Compute/On-prem subnet
ESXi (ANY) to Management-On-Prem            | Any (All Traffic)       | Any   | Allow  | ESXi                   | Compute/On-prem subnet
Management-On-Prem to vCenter (HTTPS)       | HTTPS (TCP 443)         | 443   | Allow  | Compute/On-prem subnet | vCenter
Management-On-Prem to vCenter (ICMP)        | ICMP (All ICMP)         | Any   | Allow  | Compute/On-prem subnet | vCenter
Management-On-Prem to ESXi (Provisioning)   | Provisioning (TCP 902)  | 902   | Allow  | Compute/On-prem subnet | ESXi
Management-On-Prem to ESXi (Remote Console) | Remote Console (TCP 903)| 903   | Allow  | Compute/On-prem subnet | ESXi
Management-On-Prem to ESXi (ICMP)           | ICMP (All ICMP)         | Any   | Allow  | Compute/On-prem subnet | ESXi
Default Deny All                            | Any (All Traffic)       | Any   | Deny   | Any                    | Any

The following table describes firewall rules for the Compute Gateway on VMware Cloud on AWS:

Table 2. Compute Gateway Firewall Rules

Rule Name                           | Service Name      | Ports | Action | Source                        | Destination
------------------------------------+-------------------+-------+--------+-------------------------------+---------------------
Compute (ANY) to Internet and VPN   | Any (All Traffic) | Any   | Allow  | Any                           | All Internet and VPN
Management-On-Prem (ANY) to BackEnd | Any (All Traffic) | Any   | Allow  | On-Premises Management subnet | Management Subnet
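Gateway rule tables are evaluated top to bottom, first match wins, so the order of the rows in Table 1 and Table 2 is as much a part of the policy as the rows themselves: the trailing "Default Deny All" only does its job because every permitted flow is matched by an earlier row. The following script is an added example, not VMware's Firewall Rule Accelerator or any VMware tool. It transcribes the two tables into data, evaluates sample flows against them with first-match semantics, and checks for shadowed rows (a row that can never match because an earlier row already covers every flow it would match). Sources and destinations are modelled as the group labels printed in the tables rather than as IP ranges, and a gateway with no matching row is assumed to drop the traffic; both are modelling assumptions made for this example.

```python
"""Added example: first-match evaluation and shadowing audit for the Management
Gateway and Compute Gateway rule tables. Constructed for this page; not VMware code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"  # wildcard for protocol, source or destination


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str         # "tcp", "icmp" or ANY
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"
    source: str           # group label from the table, or ANY
    destination: str      # group label from the table, or ANY


@dataclass(frozen=True)
class Flow:
    protocol: str
    port: Optional[int]
    source: str
    destination: str


# Table 1 transcribed in table order; ordering matters because evaluation is first-match.
MANAGEMENT_GATEWAY: List[Rule] = [
    Rule("Any SSO", "tcp", 7444, "allow", ANY, "vCenter"),
    Rule("vCenter (ANY) to Management-On-Prem", ANY, None, "allow", "vCenter", "Compute/On-prem subnet"),
    Rule("ESXi (ANY) to Management-On-Prem", ANY, None, "allow", "ESXi", "Compute/On-prem subnet"),
    Rule("Management-On-Prem to vCenter (HTTPS)", "tcp", 443, "allow", "Compute/On-prem subnet", "vCenter"),
    Rule("Management-On-Prem to vCenter (ICMP)", "icmp", None, "allow", "Compute/On-prem subnet", "vCenter"),
    Rule("Management-On-Prem to ESXi (Provisioning)", "tcp", 902, "allow", "Compute/On-prem subnet", "ESXi"),
    Rule("Management-On-Prem to ESXi (Remote Console)", "tcp", 903, "allow", "Compute/On-prem subnet", "ESXi"),
    Rule("Management-On-Prem to ESXi (ICMP)", "icmp", None, "allow", "Compute/On-prem subnet", "ESXi"),
    Rule("Default Deny All", ANY, None, "deny", ANY, ANY),
]

# Table 2 transcribed in table order.
COMPUTE_GATEWAY: List[Rule] = [
    Rule("Compute (ANY) to Internet and VPN", ANY, None, "allow", ANY, "All Internet and VPN"),
    Rule("Management-On-Prem (ANY) to BackEnd", ANY, None, "allow",
         "On-Premises Management subnet", "Management Subnet"),
]


def _field_ok(rule_value: str, flow_value: str) -> bool:
    return rule_value == ANY or rule_value == flow_value


def matches(rule: Rule, flow: Flow) -> bool:
    """True if the flow falls within the rule's protocol, port, source and destination."""
    if not _field_ok(rule.protocol, flow.protocol):
        return False
    if rule.port is not None and rule.port != flow.port:
        return False
    return _field_ok(rule.source, flow.source) and _field_ok(rule.destination, flow.destination)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[str]]:
    """Return (action, rule name) of the first matching rule.

    If nothing matches, return ("deny", None): this example assumes a gateway
    with no matching rule drops the traffic (an assumption, not a page fact)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every flow matched by `later` is also matched by `earlier`."""
    return (earlier.protocol in (ANY, later.protocol)
            and (earlier.port is None or earlier.port == later.port)
            and earlier.source in (ANY, later.source)
            and earlier.destination in (ANY, later.destination))


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them.
    A shadowed allow or deny is a sign the table was edited out of order."""
    return [later.name for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


if __name__ == "__main__":
    samples = [  # constructed flows, labelled with the page's group names
        Flow("tcp", 443, "Compute/On-prem subnet", "vCenter"),
        Flow("tcp", 22, "Compute/On-prem subnet", "ESXi"),
        Flow("icmp", None, "ESXi", "Compute/On-prem subnet"),
    ]
    for f in samples:
        print(f, "->", evaluate(MANAGEMENT_GATEWAY, f))
    print("shadowed (as published):", shadowed_rules(MANAGEMENT_GATEWAY))
    misordered = [MANAGEMENT_GATEWAY[-1]] + MANAGEMENT_GATEWAY[:-1]
    print("shadowed (deny moved to top):", shadowed_rules(misordered))
```

Running the script shows that SSH from the on-premises subnet to ESXi falls through to "Default Deny All" while TCP 443 to vCenter and ICMP replies from ESXi are allowed by their specific rows, and that moving the deny row to the top shadows every other row, which is the failure a shadowing audit is meant to catch after a table is edited.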