Before you deploy and configure vCloud Availability, ensure that the required network ports are open and allow the vCloud Availability services to communicate within a site and between cloud sites.

To get a list of the required firewall ports to be opened, see vCloud-Availability Network Ports.

The following diagram shows the direction of the data flow, the data traffic type, and the required network ports for the communication between the vCloud Availability services and the disaster recovery infrastructure for a typical deployment in two cloud sites.

In both cloud sites, the Tunnel appliance is in the DMZ layer. VCD and the Replication management appliance are in the cloud management layer and the VC, PSC, ESXi, and Replicator appliances are in the compute layer.

Services Connectivity

  • The vCloud Availability vApp Replication Manager must have TCP access to vCloud Director, to the vCloud Availability Replication Manager, to vCenter Server, and to the Platform Services Controller, depending on where the vCenter Server Lookup service is hosted.
  • The vCloud Availability Replication Manager must have TCP access to the vCenter Server Lookup service and to all vCloud Availability Replicator instances, both in the local site and in the remote sites.
  • The vCloud Availability Replicator must have TCP access to the vCloud Availability Replication Manager, to vCenter Server, and to the vCenter Server Lookup service.
Note: The vCloud Availability services use end-to-end encryption for the communication across sites. For example, when a vCloud Availability Replicator on site 1 is communicating to a vCloud Availability Replicator on site 2, vCloud Availability expects that the TLS session is terminated at each vCloud Availability Replicator.

vCloud Availability does not support TLS-terminating products or solutions placed between the appliances, for example VMware NSX® Edge™ instances, HAProxy, Nginx, Fortinet, and others. If such solutions are in place, configure them in pass-through mode, also known as TCP mode, so that they forward the TLS sessions unchanged and do not interfere with the TLS traffic of vCloud Availability. A device that terminates TLS in the path presents its own certificate to the peer appliance, which breaks the end-to-end trust that the appliances expect.

The following table lists the required network ports to be opened for external communication with the vCloud Availability services.

Table 1. Firewall Rules for External Communication

Original Destination:       Public Network/Uplink Interface
Translated Destination:     vCloud Availability Cloud Tunnel Appliance
Original Destination Port:  443
DNAT Translated Port:       8048
Protocol:                   TCP
Description:                Used for incoming replication management and replication data traffic from public networks to the vCloud Availability Tunnel. The tunnel then routes the traffic to the local services.
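The DNAT rule in Table 1 and the pass-through requirement above can be verified together: the certificate a client sees on the public 443 endpoint must be the very certificate the Tunnel appliance presents on port 8048. If they differ, a device in the path (edge, load balancer, firewall) is terminating TLS. The script below is an added example and is not part of the vCloud Availability product or its documentation; the host names and addresses in it are placeholders, and the direct check to port 8048 assumes you run it from a network that can reach the Tunnel appliance's management address.

```python
"""Detect TLS termination between a public endpoint and a vCloud Availability
Tunnel appliance by comparing leaf-certificate fingerprints.
Added example; not VMware code. Addresses below are hypothetical."""
import hashlib
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def leaf_fingerprint(host: str, port: int, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate a TLS server presents and fingerprint it.

    With no CA bundle, ssl.get_server_certificate() does not validate the
    chain, so self-signed appliance certificates are accepted. The goal is
    only to see WHICH certificate the peer presents, not to trust it.
    """
    pem = ssl.get_server_certificate((host, port), timeout=timeout)
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def classify(public_fp: str, direct_fp: str) -> str:
    """Equal fingerprints: the intermediate device forwarded the TLS session
    untouched (pass-through / TCP mode). Different fingerprints: something
    in the path terminated TLS and re-encrypted with its own certificate,
    which vCloud Availability does not support."""
    if public_fp.lower() == direct_fp.lower():
        return "pass-through"
    return "terminated-in-path"


def check_pass_through(public_host: str, public_port: int,
                       tunnel_host: str, tunnel_port: int):
    """Compare the public path (Original Destination, port 443) with the
    direct path to the Tunnel appliance (Translated Destination, port 8048)."""
    public_fp = leaf_fingerprint(public_host, public_port)
    direct_fp = leaf_fingerprint(tunnel_host, tunnel_port)
    return classify(public_fp, direct_fp), public_fp, direct_fp


if __name__ == "__main__":
    import sys
    # Hypothetical values: replace with your site's public FQDN and the
    # Tunnel appliance's address on the DMZ/management network.
    verdict, pub, direct = check_pass_through("dr.example.com", 443,
                                              "10.0.1.20", 8048)
    print(f"public path : {pub}")
    print(f"direct path : {direct}")
    print(f"verdict     : {verdict}")
    sys.exit(0 if verdict == "pass-through" else 1)
```

Run it once per site from a host that can reach both the public address and the appliance directly; a "terminated-in-path" verdict means the device in front of the Tunnel must be switched to TCP (pass-through) mode. A load balancer that routes on SNI without decrypting still yields "pass-through", which is acceptable.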