Before you can create VMware Cloud on AWS cloud accounts, you must create a network connection and configure rules to support communication between your SDDC in vCenter and VMware Cloud on AWS cloud accounts in vRealize Automation.
To support communication between vRealize Automation and the VMware Cloud on AWS SDDC, configure the needed connections and rules. After you have configured required gateway access and firewall rules, you can continue with the process of creating a VMware Cloud on AWS cloud account.
To facilitate the needed connection between your existing VMware Cloud on AWS host SDDC in vCenter and a VMware Cloud on AWS cloud account in vRealize Automation Cloud Assembly, you must provide a network connection, and add firewall rules, by using a VPN or similar networking means.
The VMC administrator must use the VMware Cloud on AWS SDDC console to configure management rules and firewall rules that support access to required ports and protocols.
To facilitate the needed connection between your existing VMware Cloud on AWS host SDDC in vCenter and a VMware Cloud on AWS cloud account in vRealize Automation, you must provide a network connection between the two elements by using a VPN or similar networking means.
- Configure a VPN connection over the public Internet or AWS Direct connect.
See information about configuring VPN connectivity to the on-premises data center, as well as configuring AWS Direct Connect for VMware Cloud on AWS, in VMware Cloud on AWS Networking and Security at VMware Cloud on AWS Documentation.
- Verify that the vCenter Server FQDN is resolvable at a private IP address on the management network.
See information about setting the vCenter Server FQDN resolution address in VMware Cloud on AWS Networking and Security at VMware Cloud on AWS Documentation.
- Configure needed firewall rules.
You must configure management gateway firewall rules in the VMware Cloud on AWS SDDC console to support communication. The rules must be in the Management Gateway firewall rules section. Create the firewall rules by using options on the Networking & Security tab in the SDDC console.
- Limit network traffic to ESXi for HTTPS (TCP 443) services to the discovered IP address of the vRealize Automation appliance/server or vRealize Automation load balancer VIP.
- Limit network traffic to vCenter for ICMP (All ICMP), SSO (TCP 7444), and HTTPS (TCP 443) services to the discovered IP address of the vRealize Automation appliance/server or vRealize Automation load balancer VIP.
- Limit network traffic to the NSX-T Manager for HTTPS (TCP 443) services to the discovered IP address of the vRealize Automation appliance/server or vRealize Automation load balancer VIP.
The required firewall rules are summarized in the following table.
Table 1. Required Management Gateway Firewall Rules Summary Name Source Destination Service vCenter CIDR block of on-premises data center vCenter Any (All Traffic) vCenter Any vCenter ICMP (All ICMP) NSX Manager CIDR block of on-premises data center NSX Manager Any (All Traffic) On pemises to ESXi ping CIDR block of on-premises data center ESXi Management Only ICMP (All ICMP) On Premises to ESXi remote console and provisioning CIDR block of on-premises data center ESXi Management Only TCP 902 On-premises to SDDC VM CIDR block of on-premises data center CIDR block of SDDC logical network Any (All Traffic) SDDC VM to on premises CIDR block of SDDC logical network CIDR block of on-premises data center Any (All Traffic) For related information, see VMware Cloud on AWS Networking and Security and VMware Cloud on AWS Operations Guide at VMware Cloud on AWS Documentation.