SDDC Activation Precheck

Before activating your SDDC, ensure that you fulfil the activation precheck tasks. You must also be aware of the VeloCloud Orchestrator (VCO) and VeloCloud Gateway (VCG) IP addresses for configuring your firewall rules. See the

VCO Services

and

VCG Services

sections in this topic.

Activation Precheck Tasks

Task	Description
Main power circuit	Ensure that the main power circuit is ready to connect to the rack PDUs.
Keep the overpack box ready at the deployment location	You receive an overpack box containing extra cables and transceivers along with the rack. Handover the box to the deployment engineer if the engineer requires it.
Power off rack devices	Ensure that all equipment in the rack is powered off.
Copper Or fiber VeloCloud uplink connections	Determine whether to use copper or fiber for the VeloCloud 1 GbE uplink connections and ensure that the cables are available when deploying SDDC.
Top of Rack switch uplink speed	Determine whether to use 10 Gb or 25 Gb uplink from ToR to your L2 uplink switch.
Top of Rack switch uplink configuration (For information on configuring an uplink connection, see Configure Uplink Connections).	Determine whether you need standard or butterfly configuration from the rack to your L2 uplink switch. Standard configuration: Each ToR switch needs 1 uplink connection to the core L2 uplink switch. Butterfly configuration: Each ToR switch needs 2 uplink connections to the core L2 uplink switch. Butterfly TOR uplink configuration is supported only for static routing.
Uplink configuration on the day of activation	Confirm if you want to configure the uplink connection on the day-1 deployment.
L2 switch technician availability	Ensure that a technician who is aware of the configuration and parameters of the core L2 switch is available during deployment. The technician must be involved in the activation process.
VeloCloud port enablement	The two VeloCloud devices configured in the primary/secondary high availability (HA) mode on the VMware Cloud on Dell EMC rack provide remote access capabilities. The VMware Cloud on Dell EMC SRE manages the rack using a separate communication path other than the paths (2 x ToRs) used by the SDDC and workloads on the rack. For the VeloCloud to function properly, you must configure the following: During the deployment activities, the VeloCloud switches must access the VeloCloud Orchestrator (VCO) service as well as the VeloCloud Gateway (VCG) services. Configure the following ports for outbound communications: UDP 2426 (for IPSec tunnel): The IP addresses associated with the VCG services should be reachable through the firewall. TCP 443 (for activation and management): The IP addresses associated with the VCO should be reachable through the firewall. Ensure that the VeloCloud devices have outbound access to UDP port 53 on IP addresses 8.8.8.8 and 8.8.4.4 (Google DNS).
User provisioning	The deployment engineer who assists the deployment must be provisioned with the required roles. Ensure that the deployment engineer can log in into console. See Account Creation and Management.
Role assignment	Ensure that you enable necessary roles for the deployment engineer. See Assign a Role to an Organization Member.
DNS configuration	After you configure uplink connections, allow NSX Compute Gateway DNS forwarder and Management Gateway DNS forwarder to reach the upstream DNS servers on UDP port 53. This communication is between TORs and your uplink routers. You can use the compute gateway DNS forwarder for your VMs and workloads. The management VM uses the Management Gateway DNS forwarder. For network addressing information, see Configure SDDC Network Addresses.
vCenter reachability to vSAN insight analytics end point	You must allow vCenter Management IP to reach vcsa.vmware.com through FQDN on HTTPS port 443. This communication does not go through proxy servers and is established directly. Your vCenter Management IP is available on the Settings page under vCenter Internal IP . For network addressing information, see Configure SDDC Network Addresses. If you have set up any firewall rules, you must update the rules to allow traffic to vcsa.vmware.com .
HCX endpoint reachability (This task is applicable only if you are activating and deploying HCX on SDDC).	You must allow the vCenter Management IP to reach connect.hcx.vmware.com and hybridity-depot.vmware.com on the HTTPS port 443. This communication is established directly through your uplink connection and does not go through proxy servers. Your vCenter Management IP is available on the Settings page under vCenter Internal IP . If you have set up any firewall rules, you must update the rules to allow traffic to the sites, connect.hcx.vmware.com and hybridity-depot.vmware.com . hybridity-depot.vmware.com is a CDN backend with a dynamic IP and therefore you must configure it appropriately.
Add VCO service URLs to L7 firewall URL filtering module allowlist	If you are using the URL filtering module in an L7 firewall, you must add the following VCO160 URLs firewall allowlist: https://vco160-usca1.velocloud.net/ https://vco129-usvi1.velocloud.net/
IP allowlist for vCenter access through the Internet	You can manage your vCenter through Intranet or Internet. To manage your vCenter through Internet, you must specify the IP allowlist before the deployment. See Add IP Allowlist for Accessing vCenter and NSX Manager. The default policy for IPs allowed to perform vCenter management is Deny All.
After you configure the uplink connection, verify that the CSP portal uplink ping test is successful	An HTTP test or a ping test, provided ICMP is not blocked, detects any routing or rendering issues, such as an overlap between ToR and core switches.
Management gateway	Navigate to the Network & Security tab of the Order VMware Cloud on Dell EMC SDDC form and verify that the management gateway is connected to Internet. If your SDDC version is 1.16 or later, the Networking & Security tab is unavailable. Log in to NSX Manager to manage your SDDC networks.

VCO Services

In each

rack, there are two VeloCloud devices operating in High Availability (HA) mode. These VeloCloud devices allow an out-of-band communication path between the

SDDC and VMware, independent of the uplinks from the ToR switches in the

SDDC to your network. This ToR uplink path is used by workloads to communicate back and forth to services operating anywhere else on your network, and to the Internet if the workload requires it.

Without the VeloCloud connectivity, VMware can’t access the rack to perform remote management, and can’t receive monitoring data from the rack that alerts VMware to any incidents, and to verify that the rack is operating within its Service Level Objectives.

The VeloCloud Edge 620 devices communicates with a VCO service instance in the VeloCloud cloud service. VCO manages the VeloCloud, it provides a control plane for the VeloCloud devices. The following VCO service instances are assigned for use by the VeloCloud in the

racks:

VCO160 (52.53.138.251)

VCO129 (54.173.111.227)

Each VCO service instance is associated with a pool of VeloCloud Gateway IP addresses. The pool represents the SD-WAN endpoints that consist of the data plane for providing the following:

Data flow from the

rack

Inbound connectivity during SRE jump host interactions with the

rack

VCG Services

Each VeloCloud Edge uses a particular VCG service instance based on its geographic location. For example, if the

Edges are in a rack deployed in Oklahoma City, and the customer is assigned to VCO129, the VeloClouds in the rack will be directed to use the VCO129 VCG service instance located in the same region, in Texas (216.221.31.57).

The VMware Customer Success team will inform you regarding the VCO service to which your VeloCloud Edges are assigned, whether it’s VCO160 or VCO129. All the

racks in your environment use the same VCO service instance, either VCO160 or VCO129. For proper management and monitoring of the

rack, your firewall must be configured to allow outbound communication as follows:

TCP to port 443 on the VCO service instance IP address

UDP to port 2426 on any IP address in the VCG pool

VeloCloud routinely expands the number of VCG service instances in the VCO160 and VCO129 pools. Therefore, when new IP addresses are added to the pool by VeloCloud, you must allow communication outbound to the new IP addresses in the pool and this implies that you must update the firewall allowlist IP addresses. Request your VMware Customer Success team to verify the VCG IP address list and supply any latest IP addresses that are added.

For example, if you are assigned VCO160 and you create the firewall rules allowing UDP communication to port 2426 to each of the specific VCG IP addresses for VCO160, every time a new IP address is added to the VCO160 pool, a network engineer will need to create a new firewall rule allowing UDP port 2426 connectivity to that IP.

Without the new firewall rule for the new IP addresses in the pool, VCO160 might direct the VeloCloud Edge 620 to connect to one of the new VCG IP addresses. In this case, the VeloCloud may not be able to reach the Internet and the rack is isolated until the firewall rule is created.

The following are the three options for firewall rule configuration to allow access to VCG IP addresses:

Allow UDP on port 2426 to any IP address: Whenever a new IP is added to the VCG pool, you need not create a new firewall rule

VMware recommends you follow the preceding option where the firewall rule allows UDP communication to port 2426 on any IP address. This configuration is preferred as it saves VeloCloud outbound communication firewall rule from repeatedly updating each time a new IP is added to the VCO 52.53.138.251 or VCO 54.173.111.227 pool.

Allow UDP on port 2426 to all known VCG IPs for either VCO160 or VCO129: Whenever a new IP is added to the VCG pool, you should create a new firewall rule for that IP address

Allow UDP on port 2426 to all subnets within VMware ASN53766 (ASN assigned to VeloCloud): Whenever a new IP is added to the VCG pool, the existing firewall rules allow communication to all the newly added IP addresses

The following VCG IP addresses are specific to VCO160 (52.53.138.251):

	IP Address		IP Address		IP Address
1.	192.40.64.104	21.	159.100.165.45	41.	159.100.175.32
2.	159.100.164.66	22.	169.38.70.30	42.	159.100.171.70
3.	104.193.29.93	23.	216.221.31.104	43.	216.221.25.86
4.	159.100.160.62	24.	216.221.25.104	44.	216.221.29.103
5.	104.193.30.93	25.	159.100.173.32	45.	216.221.31.45
6.	104.193.28.91	26.	216.221.29.33	46.	64.186.29.44
7.	159.100.168.81	27.	216.221.25.33	47.	64.186.31.51
8.	159.100.161.52	28.	216.221.27.34	48.	64.186.27.86
9.	104.193.31.81	29.	64.186.27.39	49.	136.144.103.94
10.	104.193.30.145	30.	159.100.175.41	50.	216.221.31.78
11.	216.221.31.64	31.	159.100.171.45	51	103.48.253.60
12.	168.128.69.22	32.	216.221.27.49	52	136.144.97.52
13.	52.68.66.124	33.	64.186.25.53	53	136.144.99.60
14.	35.182.90.236	34.	216.221.29.57	54	159.100.171.92
15.	18.136.6.49	35.	216.221.27.64	55	159.100.173.85
16.	3.10.86.209	36.	64.186.25.78	56	207.66.113.70
17.	15.188.112.82	37.	169.38.66.123	57	216.221.27.122
18.	18.229.103.223	38.	159.100.165.36	58	64.186.25.103
19.	107.155.76.14	39.	136.144.103.47
20.	13.235.28.38	40.	136.144.97.40

The following VCG IP addresses are specific to VCO129 (54.173.111.227):

	IP Address		IP Address
1.	159.100.160.124	21.	216.221.29.89
2.	159.100.163.125	22.	159.100.168.106
3.	104.193.28.146	23.	159.100.164.106
4.	104.193.30.164	24.	104.193.31.106
5.	192.40.64.172	25.	159.100.161.124
6.	104.193.29.175	26.	216.221.27.92
7.	159.100.165.113	27.	216.221.27.94
8.	18.167.45.121	28.	216.221.29.117
9.	15.228.2.144	29.	103.48.253.58
10.	52.194.15.47	30.	136.144.103.77
11.	64.186.27.35	31.	159.100.171.80
12.	159.100.175.37	32.	159.100.171.90
13.	159.100.171.38	33.	216.221.25.101
14.	159.100.173.40	34.	216.221.27.103
15.	64.186.25.43	35.	216.221.31.115
15.	64.186.27.44	36.	216.221.31.26
17.	64.186.25.51	37.	64.186.27.88
18.	216.221.31.57
19.	216.221.27.66
20.	216.221.25.77

SDDC Activation

Content feedback and comments

VMware Cloud on Dell

SDDC Activation Precheck

Activation Precheck Tasks

VCO Services

VCG Services