Configure the network of the SDDC in VMware Cloud on AWS

To allow pairing with VMware Cloud Director Availability in VMware Cloud on AWS, first configure the network settings of the SDDC.
Access to the resource pools is restricted in VMware Cloud on AWS: the private IP addresses of all the VMware Cloud Director Availability cloud appliances must be explicitly allowed, as must their access to the management and infrastructure components in the management resource pool, such as vCenter Server and ESXi.
VMware Cloud Director Availability in VMware Cloud on AWS exposes two services to the Internet. Because both services internally listen on non-standard HTTPS ports, you define them explicitly as inventory services so that the NAT rules can reference them. These two services, together with the following two NAT rules, translate the network traffic arriving at the public IP address on external port 443/TCP:
  • Towards the Cloud Director Replication Management Appliance, internally on port 8046/TCP, for management interface network traffic to the Cloud Service.
  • Towards the Tunnel Appliance, internally on port 8048/TCP, for replication data network traffic to the Public Service Endpoint.
  1. Log in to VMware Cloud on AWS at https://vmc.vmware.com.
  2. Add two new inventory SDDC services, one for the management interface and one for the Public Service Endpoint.
    1. In the VMC console, in the left pane click SDDCs.
    2. Under the SDDC click View Details and click the Networking & Security tab.
    3. In the left pane under the Inventory section, click Services.
      Repeat the following steps twice.
      • Add an inventory service for the management interface of the Cloud Director Replication Management Appliance.
      • Add another inventory service for the Public Service Endpoint of the Tunnel Appliance.
    4. To add an inventory SDDC service, click Add Service.
    5. Enter a name and optionally a description for each service.
    6. For each service, in the Service Entries column, click the Set Service Entries link.
    7. For each service, in the Set Service Entries window, from the Type drop-down menu select Layer 3 and above.
    8. For each service, on the Port-Protocol tab click Add Service Entry, enter the details from the respective column, and click Apply.
      • Name
        • Management Interface Inventory Service: Enter a name for the service entry of the Cloud Director Replication Management Appliance management interface. For example, enter VCDA-Cloud-Service-Management.
        • Public Service Endpoint Inventory Service: Enter a name for the service entry of the Tunnel Appliance Public Service Endpoint. For example, enter VCDA-Tunnel-Service-Endpoint.
      • Service Type
        • Management Interface Inventory Service: Select TCP.
        • Public Service Endpoint Inventory Service: Select TCP.
      • Additional Properties
        • Management Interface Inventory Service: Leave the Source Ports text box blank. To access the management interface of the Cloud Director Replication Management Appliance, in the Destination Ports text box enter port 8046.
        • Public Service Endpoint Inventory Service: Leave the Source Ports text box blank. To access the Public Service Endpoint of the Tunnel Appliance, in the Destination Ports text box enter port 8048.
    9. To save each inventory service, click Save.
      On the Services page, both services show the following name and service entries:
      • VCDA-Cloud-Service-Management: TCP (Source: Any | Destination: 8046)
      • VCDA-Tunnel-Service-Endpoint: TCP (Source: Any | Destination: 8048)
  3. To later use in the NAT rules, request two new public SDDC IP addresses.
    • Request a public IP address to access the initial setup wizard in the management interface of the Cloud Director Replication Management Appliance.
    • Request a public IP address to allow external pairing to the Public Service Endpoint of the Tunnel Appliance.
    1. On the Networking & Security tab, in the left pane under the System section click Public IPs.
    2. To request a public IP address for the Cloud Director Replication Management Appliance, click Request New IP, enter a note, and click Save.
      For example, as a note enter VCDA-Management-Public-IP-address.
    3. To request a public IP address for the Tunnel Appliance, click Request New IP, enter a note, and click Save.
      For example, as a note enter VCDA-Tunnel-Public-IP-address.
  4. To forward the incoming network traffic to the correct cloud appliances and ports, add two new NAT rules.
    1. On the Networking & Security tab, in the left pane under the Network section click NAT.
      Repeat the following step twice.
      • Add a NAT rule for the management interface of the Cloud Director Replication Management Appliance.
      • Add another NAT rule for the incoming network traffic to the Public Service Endpoint of the Tunnel Appliance.
    2. To add a NAT rule, click Add NAT Rule, configure the following settings, and click Save.
      • Name
        • Management Interface NAT: Enter a name for the NAT rule for the Cloud Director Replication Management Appliance management interface. For example, enter VCDA Management Interface NAT.
        • Public Service Endpoint NAT: Enter a name for the NAT rule for the Tunnel Appliance Public Service Endpoint. For example, enter VCDA Tunnel Service Endpoint NAT.
      • Public IP
        • Management Interface NAT: Select the VCDA-Management-Public-IP-address.
        • Public Service Endpoint NAT: Select the VCDA-Tunnel-Public-IP-address.
      • Service
        • Management Interface NAT: Select the inventory service for the Cloud Director Replication Management Appliance management interface. For example, select VCDA-Cloud-Service-Management.
        • Public Service Endpoint NAT: Select the inventory service for the Tunnel Appliance Public Service Endpoint. For example, select VCDA-Tunnel-Service-Endpoint.
      • Public Port
        • Management Interface NAT: Enter port 443.
        • Public Service Endpoint NAT: Enter port 443.
      • Internal IP
        • Management Interface NAT: Enter the private-IP-address of the Cloud Director Replication Management Appliance.
        • Public Service Endpoint NAT: Enter the private-IP-address of the Tunnel Appliance.
      • Internal Port
        • Management Interface NAT: 8046 (non-editable)
        • Public Service Endpoint NAT: 8048 (non-editable)
      • Firewall
        • Management Interface NAT: Match Internal Address
        • Public Service Endpoint NAT: Match Internal Address
      After completing the initial configuration, to reduce the possible attack surface, the NAT rule for the management interface can be disabled or removed. VMware Cloud Director Availability remains accessible from the Cloud Director instance by using the plug-in for VMware Cloud Director Availability.
  5. To later create a management group and use it in a management firewall rule, note the compute gateway source NAT public IP address of the SDDC.
    1. On the Networking & Security tab, in the left pane click Overview.
    2. Under Default Compute Gateway and under Workloads, note the Source NAT Public IP address of the SDDC.
  6. To prepare the access of the cloud appliances to the management gateway services, such as vCenter Server and ESXi, add two management groups.
    1. On the Networking & Security tab, in the left pane under the Inventory section click Groups.
    2. Click the Management Groups tab.
      Repeat the following steps twice.
      • Add a management group containing the private IP addresses of all the deployed Replicator Appliance instances.
      • Add another management group containing the compute gateway source NAT.
    3. To create a management group, click Add Group and for each group enter a management group name.
    4. To add trusted members to each management group, under the Compute Members column, click the Set Members link.
    5. In the Select Members window, on the IP Addresses tab enter the following IP addresses for each management group and click Apply.
      Management group name, with the trusted member IP addresses to enter:
      • SNAT VCDA Management Group
        • Enter the compute gateway source NAT public-IP-address of the SDDC, as noted in the previous step.
        • Enter the subnet group of the VMware Cloud Director Availability appliances. For example, enter the vcda-network-segment.
      • VCDA Replicators Management Group
        • Enter the private-IP-addresses reserved within the vcda-network-segment for all the Replicator Appliance instances deployed in VMware Cloud on AWS. All Replicator Appliance instances must access the vCenter Server management gateway services for provisioning virtual machines and performing replication tasks with the ESXi hosts and datastores.
    6. To save each management group, click Save.
  7. To allow the internal communication from the cloud appliances to the vCenter Server and to the ESXi datastore in the management gateway, add two new management gateway firewall rules.
    1. On the Gateway Firewall page, click the Management Gateway tab.
      Repeat the following steps twice.
      • Add a management firewall rule allowing the network traffic from the compute gateway source NAT to the management gateway vCenter Server.
      • Add another management firewall rule allowing the Replicator Appliance instances to write to the destination ESXi datastore.
    2. To create a management firewall rule, click Add Rule.
    3. Configure each of the two management firewall rules (the vCenter Server Management Gateway Firewall Rule and the ESXi Hosts Management Gateway Firewall Rule) and click Apply when prompted.
      • Name
        • vCenter Server rule: Enter a name for the vCenter Server management gateway rule. For example, enter SNAT VCDA to vCenter Rule.
        • ESXi hosts rule: Enter a name for the ESXi management gateway rule. For example, enter VCDA Replicators to ESXi Rule.
      • Sources
        • vCenter Server rule: Click Any. In the Set Source window, select User Defined Groups and select the management group for the SNAT. For example, select SNAT VCDA Management Group and click Apply.
        • ESXi hosts rule: Click Any. In the Set Source window, select User Defined Groups and select the management group for the private IP addresses of the Replicator Appliance instances. For example, select VCDA Replicators Management Group and click Apply.
      • Destinations
        • vCenter Server rule: Click Any. In the Set Destination window under System Defined Groups, select vCenter and click Apply.
        • ESXi hosts rule: Click Any. In the Set Destination window under System Defined Groups, select ESXi and click Apply.
      • Services
        • vCenter Server rule: Click Any and select HTTPS (TCP 443).
        • ESXi hosts rule: To allow the Data Engine Service of the Replicator Appliance to write to the ESXi datastores, click Any and select HTTPS (TCP 443) and Provisioning & Remote Console (TCP 902).
      • Action
        • vCenter Server rule: Allow
        • ESXi hosts rule: Allow
    4. After creating both management gateway firewall rules, click Publish.
  8. To prepare for accessing the compute gateway services in VMware Cloud on AWS, create four compute groups.
    1. On the Networking & Security tab, in the left pane under the Inventory section click Groups.
      Repeat the following steps four times.
      • Add a compute group for the trusted users that need access to the VMware Cloud Director Availability management interface.
      • Add a compute group for the Cloud Director Replication Management Appliance.
      • Add a compute group for all the Replicator Appliance instances.
      • Add a compute group for the Tunnel Appliance.
    2. To create a compute group, under the Compute Groups tab, click Add Group and enter a group name.
    3. To add trusted members to each compute group, under the Compute Members column, click the Set Members link.
    4. In the Select Members window, on the IP Addresses tab enter the following IP addresses for each compute group and click Apply.
      Compute group name, with the trusted member IP addresses to enter:
      • Trusted Compute Sources Group: Enter the externally-facing public-IP-addresses of the users granted access to the management interface of VMware Cloud Director Availability. Ensure that you add all the public IP addresses of each user allowed to access VMware Cloud Director Availability in VMware Cloud on AWS; otherwise, those users have no access.
      • VCDA Manager Compute Group: Enter the private-IP-address of the Cloud Director Replication Management Appliance.
      • VCDA Replicators Compute Group: Enter the private-IP-addresses of all the Replicator Appliance instances.
      • VCDA Tunnel Compute Group: Enter the private-IP-address of the Tunnel Appliance.
    5. To save each compute group, click Save.
  9. To prepare for completing the initial setup wizard, allow the trusted compute sources to access the VMware Cloud Director Availability management interface, and allow the cloud appliances outbound access, by adding two new compute gateway firewall rules.
    1. On the Networking & Security tab, in the left pane under the Security section click Gateway Firewall.
      Repeat the following steps twice.
      • Add a compute gateway firewall rule allowing the trusted compute sources access to the Cloud Director Replication Management Appliance, for completing the initial setup wizard of VMware Cloud Director Availability.
      • Add a compute gateway firewall rule allowing the VMware Cloud Director Availability appliances outbound network traffic from the compute gateway.
    2. On the Compute Gateway tab, click Add Rule.
    3. Configure each of the two compute firewall rules (the Inbound Compute Gateway Firewall Rule and the Outbound Compute Gateway Firewall Rule) and click Apply when prompted.
      • Name
        • Inbound rule: Enter a name for the inbound compute gateway rule. For example, enter VCDA Management from Trusted Compute Sources Rule.
        • Outbound rule: Enter a name for the outbound compute gateway rule. For example, enter VCDA Appliances Outbound Compute Rule.
      • Sources
        • Inbound rule: Click Any. In the Set Source window, select the trusted compute sources group and click Apply. For example, select Trusted Compute Sources Group.
        • Outbound rule: Click Any. In the Set Source window, select the three compute groups for the VMware Cloud Director Availability appliances and click Apply. For example, select all three: VCDA Manager Compute Group, VCDA Replicators Compute Group, and VCDA Tunnel Compute Group.
      • Destinations
        • Inbound rule: Click Any. In the Set Destination window, select the Cloud Director Replication Management Appliance compute group and click Apply. For example, select VCDA Manager Compute Group.
        • Outbound rule: Any
      • Services
        • Inbound rule: Click Any. In the Set Services window, select the Cloud Director Replication Management Appliance management interface service and click Apply. For example, select VCDA-Cloud-Service-Management, TCP (Source: Any | Destination: 8046).
        • Outbound rule: Any
      • Applied To
        • Inbound rule: All Uplinks
        • Outbound rule: All Uplinks
      • Action
        • Inbound rule: Allow
        • Outbound rule: Allow
    4. After creating both compute gateway firewall rules, click Publish.
The SDDC configuration in VMware Cloud on AWS is complete and ready for the initial configuration of VMware Cloud Director Availability. In summary, the SDDC network in VMware Cloud on AWS is configured with:
  • vcda-network-segment: A dedicated routed network for all the cloud appliances of VMware Cloud Director Availability.
  • Public IP addresses: Two requested public IP addresses, one for the management interface of the Cloud Director Replication Management Appliance and one for the Public Service Endpoint of the Tunnel Appliance.
  • Management gateway:
    • Access from the compute gateway source NAT address to the management gateway vCenter Server, used for bridging the access from the compute gateway VMware Cloud Director Availability appliances.
    • Access from the Replicator Appliance to the management gateway ESXi datastore, used as the destination of migrations.
  • Compute gateway:
    • Access from the Trusted Compute Sources Group to the management interface of the Cloud Service, used for completing the initial setup. Later, modifying the same rule allows access to all four types of management interfaces of VMware Cloud Director Availability. For more information, see Post-configure the SDDC networking in VMware Cloud on AWS.
    • Access from the VMware Cloud Director Availability appliances to the Internet, used for the external network traffic from the compute gateway.
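The NAT rules and the inbound compute gateway rule summarized above, modelled as an added example (not VMware code) to show how the Firewall setting Match Internal Address makes the inbound rule apply to the translated internal address and service port rather than to the public IP and port 443, and what disabling the management NAT rule after setup changes. The IP addresses, the first-match evaluation and the default drop of unmatched traffic are assumptions.

```python
# Added example, not VMware code: models this procedure's NAT and compute
# gateway firewall rules to show why, with Firewall set to "Match Internal
# Address", the inbound rule names the internal group and the 8046 service,
# not the public IP and port 443. All addresses are RFC 5737 placeholders.
from ipaddress import ip_address, ip_network
# Inventory services: name -> (protocol, destination port).
SERVICES = {"VCDA-Cloud-Service-Management": ("TCP", 8046),
            "VCDA-Tunnel-Service-Endpoint": ("TCP", 8048)}
# Compute groups with assumed member addresses.
GROUPS = {"Trusted Compute Sources Group": ["198.51.100.5/32"],
          "VCDA Manager Compute Group": ["192.0.2.10/32"]}
# NAT rules: public IP on port 443 -> internal IP on the service port.
NAT_RULES = [
    {"name": "VCDA Management Interface NAT", "public_ip": "203.0.113.10",
     "public_port": 443, "internal_ip": "192.0.2.10",
     "service": "VCDA-Cloud-Service-Management", "enabled": True},
    {"name": "VCDA Tunnel Service Endpoint NAT", "public_ip": "203.0.113.11",
     "public_port": 443, "internal_ip": "192.0.2.20",
     "service": "VCDA-Tunnel-Service-Endpoint", "enabled": True},
]
# Inbound compute gateway rule from the procedure; it is evaluated against
# the translated (internal) destination because of "Match Internal Address".
CGW_RULES = [
    {"name": "VCDA Management from Trusted Compute Sources Rule",
     "sources": "Trusted Compute Sources Group",
     "destinations": "VCDA Manager Compute Group",
     "services": ["VCDA-Cloud-Service-Management"], "action": "Allow"},
]
def in_group(ip, group):
    """True if ip belongs to the named group, or the group is Any."""
    return group == "Any" or any(ip_address(ip) in ip_network(n) for n in GROUPS[group])

def dnat(dst_ip, dst_port, proto="TCP"):
    """(internal_ip, internal_port) for the first enabled matching NAT rule, else None."""
    for r in NAT_RULES:
        svc_proto, svc_port = SERVICES[r["service"]]
        if (r["enabled"] and r["public_ip"] == dst_ip
                and r["public_port"] == dst_port and svc_proto == proto):
            return r["internal_ip"], svc_port
    return None

def cgw_decision(src_ip, dst_ip, dst_port, proto="TCP"):
    """First-match rule evaluation; assumes the default rule drops unmatched traffic."""
    for r in CGW_RULES:
        svc_ok = r["services"] == "Any" or any(SERVICES[s] == (proto, dst_port) for s in r["services"])
        if svc_ok and in_group(src_ip, r["sources"]) and in_group(dst_ip, r["destinations"]):
            return r["action"]
    return "Drop"

def inbound(src_ip, public_ip, public_port):
    """Translate with DNAT first, then evaluate the compute gateway on the internal address."""
    translated = dnat(public_ip, public_port)
    return "no NAT match" if translated is None else cgw_decision(src_ip, *translated)

def disable_management_nat():
    """After the initial setup wizard: disable the management NAT rule (attack surface)."""
    for r in NAT_RULES:
        if r["service"] == "VCDA-Cloud-Service-Management":
            r["enabled"] = False
```

A trusted source reaching the management public IP on 443 is allowed after translation to 192.0.2.10:8046, an address outside the trusted group is dropped, and once the management NAT rule is disabled the public IP no longer translates at all.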
For a summary of the SDDC network configuration, see SDDC network configuration summary.
You can now configure VMware Cloud Director Availability in VMware Cloud on AWS by completing the initial setup wizard of the Cloud Director Replication Management Appliance. For more information, see Configure VMware Cloud Director Availability in VMware Cloud on AWS.