If your VMware Cloud Services Organization has an authentication policy that blocks VMware Live Cyber Recovery IP addresses, you need to add exceptions to the policy to allow those IP addresses.

VMware Cloud Services provides authentication policies that enable you to set multi-factor authentication, IP authentication preferences, and user access at the domain level.

If your Organization's IP authentication policy blocks the VMware Live Cyber Recovery IP addresses (there are three), you must add all three as exceptions to the policy, or you won't be able to Set Up VMware Live Cyber Recovery and deploy a recovery region.

If VMware Live Cyber Recovery IP addresses are being blocked by your Organization's authentication policy, you will see this error message when you try to recreate the OAuth app or activate a recovery region. This message provides the three VMware Live Cyber Recovery IP addresses you need to add as exceptions to the policy:

Error message with VMware Live Cyber Recovery IP addresses

These IP addresses are used by VMware Cloud Services to communicate with VMware Live Cyber Recovery to perform tasks such as new activations, upgrades, monitoring, and deactivation. Without the ability to communicate through these IP addresses, VMware Live Cyber Recovery cannot deploy or manage your service instances or properly authenticate with your organization.

You also need to add the main VMware Live Cyber Recovery IP address to your Organization's authentication policy allow list.

In the VMware Live Cyber Recovery UI, select Settings from the left navigation, and then click About VMware Live Cyber Recovery.

From the About VMware Live Cyber Recovery dialog box, take the Orchestrator FQDN and convert it to an IP address:

Convert the VMware Live Cyber Recovery Orchestrator FQDN to IP address for the allow list.

How Do VMware Live Cyber Recovery IP Addresses Get Blocked?

Depending on the type of authentication policy configured for your organization, VMware Live Cyber Recovery IP addresses can be blocked by either an Allow policy or a Block policy.

For example, if VMware Live Cyber Recovery IP addresses are as follows:
  • 32.211.171.65
  • 54.186.195.111
  • 35.163.127.96
And if your organization authentication policy is set to only Allow the following IP addresses:
  • 49.37.170.0/24
  • 44.55.66.77

Then you need to add the VMware Live Cyber Recovery IP addresses as exceptions to the policy to allow them.

Conversely, if your organization authentication policy is set to Block the following IP address ranges:
  • 34.211.171.0/24
  • 54.186.195.0/24
  • 35.163.127.0/24
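The Allow and Block cases above, and the FQDN-to-IP conversion described earlier, can be checked before you edit the policy. The following is an added example, not VMware code: the function names are hypothetical, the addresses are the sample values from this page, and `<orchestrator-fqdn>` is a placeholder for the value shown in your About dialog box.

```python
import ipaddress
import socket


def resolve_fqdn(fqdn):
    """Return the sorted IPv4 addresses an FQDN (e.g. the Orchestrator FQDN) resolves to."""
    infos = socket.getaddrinfo(fqdn, None, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def needs_exception(mode, policy_entries, service_ips):
    """Return the service IPs that the policy would block.

    mode: "allow" (only listed entries may authenticate) or
          "block" (listed entries are denied).
    policy_entries: single IPs or CIDR ranges, as strings.
    """
    if mode not in ("allow", "block"):
        raise ValueError(f"unknown policy mode: {mode!r}")
    # strict=False accepts a host address written with a prefix, e.g. 10.0.0.5/24
    networks = [ipaddress.ip_network(e, strict=False) for e in policy_entries]
    blocked = []
    for ip in service_ips:
        addr = ipaddress.ip_address(ip)
        listed = any(addr in net for net in networks)
        # Allow policy blocks what is NOT listed; Block policy blocks what IS listed.
        if (mode == "allow" and not listed) or (mode == "block" and listed):
            blocked.append(ip)
    return blocked


# Sample values copied from this page.
SERVICE_IPS = ["32.211.171.65", "54.186.195.111", "35.163.127.96"]
ALLOW_POLICY = ["49.37.170.0/24", "44.55.66.77"]
BLOCK_POLICY = ["34.211.171.0/24", "54.186.195.0/24", "35.163.127.0/24"]

if __name__ == "__main__":
    print("allow policy blocks:", needs_exception("allow", ALLOW_POLICY, SERVICE_IPS))
    print("block policy blocks:", needs_exception("block", BLOCK_POLICY, SERVICE_IPS))
    # To include the Orchestrator, append resolve_fqdn("<orchestrator-fqdn>") to SERVICE_IPS.
```

With the sample values, the Allow policy blocks all three addresses, while the Block policy blocks only the two that fall inside a listed /24 range (32.211.171.65 is outside 34.211.171.0/24).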

Procedure

  1. To edit the authentication policy IP address list for your Organization, log in to the VMware Cloud Services console and navigate to the Organization > Authentication Policy page.
  2. Select the IP address/range tab, and then click the Add link below it. For example, in this image the Organization authentication policy is set to Allow IP, which means you should add the Orchestrator IP address to the allow list. (If your Organization's authentication policy is set to Block IP, then you would add the Orchestrator IP address as an exception.)
    Organization authentication policy list 'add an exception' link to add VMware Live Cyber Recovery IP addresses.
  3. In the Add exception dialog box, enter one of the IP addresses from the error message and click Add.
  4. In the Add allow IP address/range dialog box, enter the Orchestrator IP address.
    Add dialog box is where you add the VMware Live Cyber Recovery IP addresses.
  5. Next, repeat this step to add the other two IP addresses as exceptions to the policy.
    It can take up to 30 minutes before the policy updates are applied. After 30 minutes, you can reattempt to recreate an OAuth app or activate a storage region.