Configuring Hybrid Linked Mode with the vCenter Cloud Gateway Appliance

One of the use cases for VMware Cloud on AWS is extending your data center and taking advantage of hybrid cloud functionality. Configuring Hybrid Linked Mode (HLM), similar to Enhanced Linked Mode (ELM) on-premises, is an essential step and deploying the vCenter Cloud Gateway gives you some additional flexibility.

HLM allows you to bring together two different SSO domains while maintaining separation of permissions for vsphere.local on-premises, and vmc.local in VMware Cloud on AWS. Hybrid Linked Mode allows you to:

  • Manage your on-premises and VMware Cloud on AWS vSphere environments from a single pane of glass while maintaining separate SSO domains
  • Share tags and categories across vCenter servers
  • Migrate workloads back and forth between vCenter servers

William Lam published a good overview comparing ELM and HLM.

There are two options for configuring HLM. One option is to link your cloud SDDC vCenter back to your on-premises data center, creating a one-way trust, and adding your Active Directory server as an identity source. With this option, you will need to login to your cloud SDDC vCenter to take advantage of the features. Emad Younis published a very detailed configuration guide on this option.

The second option is to deploy the vCenter Cloud Gateway Appliance on-premises and use it to establish HLM. Using this method, you are no longer required to add Active Directory as an identity source. You can map Active Directory groups, or individual users, to the vSphere Cloud Admin group. It also allows you to login to the vSphere Client on-premises instead of in the cloud to take advantage of the features.

Prerequisites

  • Ensure both on-premises data center and cloud SDDC are synchronizing with an NTP service. A time skew maximum of 10 minutes can be tolerated.
  • Configure a Management Gateway IPsec VPN.
  • Ensure latency is less than 100ms RTT between environments.
  • Configure Management Gateway for on-premises DNS.
  • Ensure you have network connectivity between your VMware Cloud on AWS management Gateway and your on-premises SSO domain, as well as on-premises identity source.
  • Obtain login credentials for the on-premises SSO domain.
  • Your on-premises environment is running vSphere 6.5 patch d or later.
  • Ensure your on-premises Platform Services Controller (PSC) is configured to use HTTPS on port 443. If your PSC is configured to use a different port, then the appliance option will not work for your environment.
  • Create an Active Directory group that includes the users that should have access to the cloud SDDC. This is optional, but highly recommended.

Firewall Rules

With the first HLM configuration option, you need to allow traffic from VMware Cloud on AWS back to the on-premises Active Directory, PSC, and vCenter services.

Configuring firewall rules tends to be simpler with the vCenter Cloud Gateway approach. In this case, since the the Cloud Gateway appliance is on-premises and should already be able to talk to these services, we only need to allow traffic outbound from the Cloud Gateway to the cloud SDDC vCenter. If you plan to take advantage of vMotion, connectivity from the source ESXi host and target vCenter server must also be configured.

Deployment

Step 1: Login to your VMware Cloud on AWS console, click Tools, and Download.

Step 2: You’ll be redirected to the my.vmware.com download link, where you’ll need to login, and then download the ISO.

Step 3: Once downloaded, open the ISO and navigate to ui-installer\win32 and run the installer.

Step 4: You’re provided with a quick description of the vCenter Cloud Gateway. Click Get Started.

Step 5: You’ll begin with Stage 1, select start to configure and deploy the appliance.

Step 6: Accept the EULA, and click Next.

Step 7: Enter the ESXi or vCenter server where you wish to deploy the appliance on-premises, followed by the username and password to access the target.

Step 8: Enter a name for the appliance, and set a root password.

Step 9: Select a datastore to deploy the appliance to and, optionally, choose to enable Thin Disk Mode.

Step 10: Choose the virtual network your appliance should connect to, followed by the appropriate IP information for the appliance, FQDN, and DNS.

Step 11: Configure NTP.

Step 12: Enter the FQDN for the vCenter Server on-premises if using an embedded Platform Services Controller, or the PSC FQDN if using an external Platform Services Controller. Ensure you are using port 443, then enter the SSO domain name (typically vsphere.local) followed by the administrator@vsphere.local username and password.

Step 13: Optionally, choose to join Active Directory. This can be done later, but we’ll do it now to save time. Enter the AD domain name followed by the username and password of a domain user with access.

Once you click finish, the appliance will be deployed and configured. This will take a few minutes. Go grab a cup of coffee!

Step 14: Now that the appliance is up and running, we’ll configure Hybrid Linked Mode. Click Start to begin Stage 2.

Step 15: The screen gives you a quick overview of Hybrid Linked Mode and a link to the HLM prerequisites documentation. Click Next.

Step 16: Enter the FQDN of your cloud SDDC vCenter server followed by the cloudadmin username and password. Then, from the drop down, choose the Active Directory domain we configured earlier followed by the Active Directory Group(s) you wish to grant CloudAdmin access. Click Finish.

Step 17: After a couple of minutes, HLM will be configured and you can launch the vSphere Client.

Notice the URL when we launched the vSphere Client from the installer. We are pointing our browser at the FQDN of the vCenter Cloud Gateway. Here you will want to login with an Active Directory user that belongs to the AD group you assigned during installation.

Once we login we see multiple vCenter server instances. In this on-premises environment, we had two vCenters already in linked mode, part of the same SSO domain. Configuring HLM allows us to see all vCenters within the SSO domain on-premises as well as within our cloud SDDC.

At the top of the window, select Menu > Administration, then select Linked Domains from the left Navigation Pane. Here you can see our on-premises SSO Domain (vsphere.local) is linked with our cloud vCenter and SSO domain (vmc.local). You can also see the Active Directory Group(s) assigned to Cloud Admins.

From here you can add additional admins, unlink the domain, and even force a re-sync.

So, wait… now you have a lot of different vSphere clients you can access! Does this mean you can login to any vSphere Client and see all of your resources? Not exactly. Check out the table below to understand which resources you can access based on where you login. Remember, using this HLM option we are establishing a link from our on-premises environment OUTBOUND to our cloud environment.

Link FromLogin toAccess Resources
SDDCOn-premises vCenterOn-premises Only
SDDCCloud vCenterOn-premises & Cloud
ApplianceOn-premises vCenterOn-premises Only
ApplianceCloud vCenterCloud Only
AppliancevCenter Cloud GatewayOn-premises & Cloud

So you might be asking yourself – why not just embed the HLM functionality into the vCenter Server Appliance? The reason we don’t do this is because we handle updates for the vCenter Cloud Gateway. As patches, features, and upgrades become available, we will perform pushes to the vCenter Cloud Gateway. This helps ensure it always has the latest updates, and we certainly don’t want to push those to your production vCenter server on your behalf.