With VMware Live Cyber Recovery, you can connect your on-premises protected site to a recovery SDDC over the internet.
The following diagram illustrates a VMware Live Cyber Recovery protected site connected to a recovery SDDC over the internet; the internet connection is the red line in the diagram:
Management Access
Any time a user creates an SDDC, it is secured by default with firewall rules that block all inbound traffic. If you add a firewall rule on the recovery SDDC with a source of Allow Any so that cloud administrators can reach the management interfaces, anyone on the internet can connect to those interfaces directly.
For this reason, do not expose management access over the internet this way. If someone does create an Allow Any rule, an email alert is sent daily to the organization users who have access to the recovery SDDC, so treat that alert as a signal to remove or scope the rule, not as routine noise.
Workload User Access
- Log in to the VMware Cloud Services console using your VMware account at https://console.cloud.vmware.com and request public IP addresses for the services that must be reachable. Several services delivered by different VMs can share one public IP address as long as each service is published on a different public port.
- From the console, configure both the NAT rules (public IP and port to internal VM and port) and the firewall rules that allow users to reach those services. A firewall rule whose source is Allow Any makes the service reachable from the entire internet, so restrict the source where you can, and limit the destination and service to exactly the VM and port being published.
- Assuming that a public DNS domain exists, create a public DNS record for each published service.
There are several ways to reduce the exposure in this scenario; the most common are a VPN and a remote desktop client (RDC). Both avoid publishing to the internet any service that does not require public access.
Instead of publishing each service, publish only a VPN concentrator so that corporate users reach their data over the VPN, or publish a remote desktop solution such as Horizon or Microsoft Remote Desktop. Only that entry point then needs a public IP address, a NAT rule, and an inbound firewall rule.
Using a remote desktop client, users reach a virtual desktop VM inside the recovery SDDC and from there access any service delivered inside the SDDC, without any of those services being reachable from the internet.
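The three checks a practitioner would want to run against the recovery SDDC edge configuration described above (no Allow Any inbound rules for management access, no published service other than the VPN concentrator or remote desktop entry point, and no two NAT rules claiming the same public IP, protocol and port) can be scripted offline against an exported rule set. The following is an added example and not VMware's code or a VMware API; the rule records, the field names, the sample rules, the public IP addresses and the ports in the allow-list are all constructed for illustration and do not reflect the real NSX or VMware Cloud Console export schema.

```python
"""Offline audit of an exported recovery SDDC gateway rule set.

Added example, not VMware code. The FirewallRule/NatRule shapes below are a
simplified, constructed representation of an export, not the real schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FirewallRule:
    name: str
    action: str                    # "ALLOW" or "DROP"
    sources: tuple[str, ...]       # "ANY", CIDRs, or group names
    destinations: tuple[str, ...]  # "ANY", IPs, or group names
    services: tuple[str, ...]      # "ANY" or "PROTO/port", e.g. "TCP/443"


@dataclass(frozen=True)
class NatRule:
    name: str
    public_ip: str
    protocol: str
    public_port: int
    internal_ip: str
    internal_port: int


# Hypothetical allow-list of what may be published on the internet gateway:
# the IPsec VPN concentrator and the remote desktop gateway. Adjust to the
# actual VPN / Horizon / remote desktop solution in use.
PUBLISHED_SERVICE_ALLOWLIST = frozenset({
    ("UDP", 500),    # IKE
    ("UDP", 4500),   # IPsec NAT-T
    ("TCP", 443),    # remote desktop gateway (e.g. Horizon UAG)
    ("UDP", 443),    # Horizon Blast
})


def is_any(values):
    """True if the field is the catch-all ANY."""
    return any(v.upper() == "ANY" for v in values)


def find_allow_any_rules(rules):
    """ALLOW rules with source ANY: anyone on the internet matches them.
    Rules that are also ANY in destination or service are the Allow Any
    case the page warns about and are rated 'critical'; a source-ANY rule
    scoped to one destination and port (e.g. the VPN concentrator) is
    rated 'review' so an operator still looks at it."""
    hits = []
    for r in rules:
        if r.action.upper() != "ALLOW" or not is_any(r.sources):
            continue
        wide_open = is_any(r.destinations) or is_any(r.services)
        hits.append((r.name, "critical" if wide_open else "review"))
    return hits


def find_unapproved_published_services(nat_rules, allowlist=PUBLISHED_SERVICE_ALLOWLIST):
    """DNAT rules that publish a protocol/port outside the allow-list, i.e.
    a workload service reachable without going through VPN or remote desktop."""
    return [n.name for n in nat_rules
            if (n.protocol.upper(), n.public_port) not in allowlist]


def find_public_port_collisions(nat_rules):
    """Two DNAT rules may share a public IP only if the public port differs."""
    seen = {}
    collisions = []
    for n in nat_rules:
        key = (n.public_ip, n.protocol.upper(), n.public_port)
        if key in seen:
            collisions.append((seen[key], n.name))
        else:
            seen[key] = n.name
    return collisions


def audit(rules, nat_rules):
    """Run all three checks and return the findings by category."""
    return {
        "allow_any": find_allow_any_rules(rules),
        "unapproved_published": find_unapproved_published_services(nat_rules),
        "port_collisions": find_public_port_collisions(nat_rules),
    }


# Constructed sample export (documentation-range addresses, not real data).
SAMPLE_FW_RULES = (
    FirewallRule("vpn-in", "ALLOW", ("ANY",), ("203.0.113.10",), ("UDP/500", "UDP/4500")),
    FirewallRule("mgmt-allow-any", "ALLOW", ("ANY",), ("ANY",), ("ANY",)),
    FirewallRule("corp-to-vcenter", "ALLOW", ("198.51.100.0/24",), ("vcenter",), ("TCP/443",)),
    FirewallRule("default-drop", "DROP", ("ANY",), ("ANY",), ("ANY",)),
)
SAMPLE_NAT_RULES = (
    NatRule("vpn-ike", "203.0.113.10", "UDP", 500, "10.0.1.5", 500),
    NatRule("vpn-nat-t", "203.0.113.10", "UDP", 4500, "10.0.1.5", 4500),
    NatRule("horizon-uag", "203.0.113.10", "TCP", 443, "10.0.1.6", 443),
    NatRule("rdp-direct", "203.0.113.11", "TCP", 3389, "10.0.2.20", 3389),
    NatRule("web-dup", "203.0.113.10", "TCP", 443, "10.0.2.30", 8443),
)

if __name__ == "__main__":
    for category, findings in audit(SAMPLE_FW_RULES, SAMPLE_NAT_RULES).items():
        print(f"{category}: {findings}")
```

On the constructed sample, the audit reports `mgmt-allow-any` as critical (the Allow Any management rule), flags `vpn-in` for review because its source is ANY even though it is scoped to the concentrator, lists `rdp-direct` as a workload published straight to the internet instead of behind the remote desktop gateway, and reports the `horizon-uag`/`web-dup` pair as a collision on the same public IP, protocol and port.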