Setting up a protected site for your VMware Cloud on AWS SDDC requires creating firewall rules for the Cyber Recovery connector.

As you set up your protected sites, you must decide whether you want VMware Live Cyber Recovery to create the firewall rules needed for the Cyber Recovery connector (recommended) or whether you want to create the firewall rules manually.

If you allow VMware Live Cyber Recovery to automatically create firewall rules for your protected site, you must create a dedicated network segment to use for the Cyber Recovery connector on the SDDC. This is recommended as a best practice.

If you wish to create your own firewall rules to allow the Cyber Recovery connector to communicate with your protected SDDC, follow these guidelines:
  • Protected SDDC vCenter Server outbound on TCP port 443
  • Cloud file system outbound on TCP port 443
  • Orchestrator outbound on TCP port 443
  • VMware Live Cyber Recovery auto-support server outbound on TCP port 443
  • ESXi hosts inbound on TCP port 1492 and outbound on TCP port 902 (only needed if these ports are closed on the SDDC)
Note: See Service Public IP Addresses for how to find VMware Live Cyber Recovery public IP addresses.
Note: VMware Live Cyber Recovery does not support an internet proxy server between the Cyber Recovery connector and the cloud.

You can open these ports by configuring firewall rules for the SDDC's Compute Gateway as described here: Add or Modify Compute Gateway Firewall Rules.
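
One way to review a manually written rule set against the flows listed above before applying it, shown as an added example that is not VMware's code. The rule layout and peer labels are hypothetical, the direction labels are copied from the list as written, and the sample rules are constructed.

```python
# Added example: review a planned rule set against the flows listed on this page.
# The rule layout and peer labels are hypothetical, not a VMware or NSX format.

BASE_FLOWS = {(peer, "outbound", 443) for peer in
              ("vcenter", "cloud-file-system", "orchestrator", "auto-support")}
# Only needed if these ports are closed on the SDDC.
ESXI_FLOWS = {("esxi", "inbound", 1492), ("esxi", "outbound", 902)}

def required_flows(esxi_ports_closed):
    return BASE_FLOWS | (ESXI_FLOWS if esxi_ports_closed else set())

def covers(rule, flow):
    """True if an allow rule permits the (peer, direction, port) flow."""
    peer, direction, port = flow
    return (rule["action"] == "allow"
            and rule["direction"] == direction
            and rule["peer"] in (peer, "any")
            and (port in rule["ports"] or "any" in rule["ports"]))

def audit(rules, esxi_ports_closed=True):
    """Return (missing required flows, names of allow rules broader than needed)."""
    needed = required_flows(esxi_ports_closed)
    missing = sorted(f for f in needed if not any(covers(r, f) for r in rules))
    too_broad = []
    for r in rules:
        if r["action"] != "allow":
            continue
        wildcard = r["peer"] == "any" or "any" in r["ports"]
        extra = any((r["peer"], r["direction"], p) not in needed for p in r["ports"])
        if wildcard or extra:
            too_broad.append(r["name"])
    return missing, too_broad

# Constructed sample rule set with two gaps and two over-permissive rules.
SAMPLE_RULES = [
    {"name": "connector-to-vcenter", "peer": "vcenter", "direction": "outbound",
     "ports": [443], "action": "allow"},
    {"name": "connector-to-cfs", "peer": "cloud-file-system", "direction": "outbound",
     "ports": [443], "action": "allow"},
    {"name": "connector-to-orchestrator", "peer": "orchestrator", "direction": "outbound",
     "ports": [443, 80], "action": "allow"},
    {"name": "connector-any-out", "peer": "any", "direction": "outbound",
     "ports": [902], "action": "allow"},
]

if __name__ == "__main__":
    missing, too_broad = audit(SAMPLE_RULES)
    print("missing:", missing)
    print("broader than required:", too_broad)
```

A rule that names the peer and only the listed port passes; a wildcard peer satisfies the requirement but is still reported so it can be narrowed.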