Hybrid Linked Mode
Hybrid Linked Mode is one of the coolest features of VMware Cloud on AWS. Using it, we can manage our on-prem vCenter and VMC vCenter from one single console (like Enhanced Linked Mode). To achieve this, we have to establish trust between the on-prem SSO domain and the VMC SSO domain. We also add our on-prem Active Directory or LDAP server as an identity source to the VMC vCenter; by doing this you are opening a path for your Active Directory users to log in to the VMC vCenter URL. This means we do not have to share the cloudadmin@vmc.local credentials with other admins and non-admin users.
Having both vCenters in one single window also enables you to vMotion your VMs (cold and hot) from your on-prem environment to VMware Cloud on AWS and vice versa (for hot migration there are additional recommendations, like Direct-x).
Let's start with the prerequisites for HLM:
Prerequisites on the on-prem side:
1) vSphere 6.5.0d or later.
2) You can link only one on-premises SSO domain.
3) Configure a management gateway IPsec VPN connection between your on-premises data center and cloud SDDC. (Click here to know how)
4) Ensure that you have network connectivity between your VMware Cloud on AWS management gateway and your on-premises ID source and SSO domain.
5) Ensure that the on-prem firewall allows access to the necessary ports from the VMC SDDC:
On-premises vCenter Server: port 443
On-premises Platform Services Controller: ports 389, 636
On-premises Active Directory server: ports 389, 636, 3268, 3269
On-premises DNS: port 53
6) Create an AD group on the on-prem side to allow access to VMC.
7) Ensure you have login credentials for your on-prem SSO domain.
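The port list in prerequisite 5 can be checked against an export of the on-prem firewall rules, both for ports that are missing and for ports opened to the SDDC that HLM does not need. The script below is an added example, not part of the original post: the rule tuple format, the role names and the 10.2.0.0/16 SDDC management subnet are assumptions, and rule ordering is not modelled.

```python
# Ports the on-prem firewall must allow from the VMC SDDC (prerequisite 5).
REQUIRED = {
    "vcenter": {443},
    "psc": {389, 636},
    "ad": {389, 636, 3268, 3269},
    "dns": {53},
}

def parse_ports(spec):
    """Expand '443', '389,636' or '3268-3269' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(rules, sddc_source):
    """Return (missing, excess) ports per role for rules sourced from the SDDC.

    rules: (action, source, role, port_spec) tuples in a hypothetical export
    format. Only 'allow' rules are counted; rule ordering is not evaluated.
    """
    allowed = {role: set() for role in REQUIRED}
    for action, source, role, spec in rules:
        if action == "allow" and source in (sddc_source, "any") and role in allowed:
            allowed[role] |= parse_ports(spec)
    missing = {r: sorted(REQUIRED[r] - allowed[r])
               for r in REQUIRED if REQUIRED[r] - allowed[r]}
    excess = {r: sorted(allowed[r] - REQUIRED[r])
              for r in REQUIRED if allowed[r] - REQUIRED[r]}
    return missing, excess

# Constructed sample rules; 10.2.0.0/16 stands in for the SDDC management subnet.
SAMPLE_RULES = [
    ("allow", "10.2.0.0/16", "vcenter", "443"),
    ("allow", "10.2.0.0/16", "psc", "389,636"),
    ("allow", "10.2.0.0/16", "ad", "389,636,3268"),   # 3269 was forgotten
    ("allow", "10.2.0.0/16", "dns", "53"),
    ("allow", "any", "vcenter", "22"),                # not required by HLM
    ("deny", "10.2.0.0/16", "ad", "3269"),            # deny rules open nothing
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES, "10.2.0.0/16")
    print("missing for HLM:", missing)
    print("open but not required by HLM:", excess)
```

Ports reported as excess are not necessarily wrong, since other services may need them; they are simply not on the HLM list and are worth reviewing.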
Prerequisites on the VMC side:
1) Access to the on-prem vCenter, DNS and AD servers.
2) Create firewall rules in the management gateway (Update: we can now use the firewall rule accelerator; check this blog post):
SDDC vCenter access - HTTPS
vCenter SSO access - TCP 7444
(Update: we can now use some cool new features, running pre-checks and creating firewall rules with the firewall rule accelerator; check out this blog post.)
See the example below:

3) Enter the on-prem DNS server address in the VMC management gateway so that it can resolve the on-prem identity source and PSC.

4) Also make an entry for the VMC vCenter private IP in your on-prem DNS. We can find the private IP in the Support tab of the SDDC.

Let's start the HLM configuration
1) Log in to the VMC vCenter using the URL provided in the Support tab and the credentials for cloudadmin@vmc.local.

2) Click on Menu and select Administration.

3) In the left-side pane, click on Linked Domains.

4) We get a form to fill in with some on-prem details, such as the on-prem PSC information; here we add the on-prem Active Directory or LDAP as an identity source and add the AD group that we want to allow access.
a) First we filled in the information about the on-prem SSO, then clicked on the Select Identity Source drop-down and selected Add Identity Source.

b) Clicking on Add Identity Source opens a new form, where we fill in all the details:

Identity Source Type: select either Active Directory over LDAP or OpenLDAP
Identity Source Name: give any name of your choice
Base distinguished name for users & Base distinguished name for groups:
** We can get this info from Active Directory Users and Computers by selecting the Attribute Editor option in the properties of the folder or OU (refer to the image below).

Domain Name: domain name of your on-prem domain
Username: domain admin username
Password: domain admin password
Connect to: specify a specific DC name or select the first option
All remaining options are optional.
5) Click Add.
6) Once this is added, the on-prem identity source will show up in the identity source section, and once we start typing group names from AD, it will return results so that we can add the groups to the allowed list for VMC vCenter login. (In this example I have created a VMCADMINS group in AD.)

7) Once the groups are added, we can click on the Link button at the bottom. (We may get a certificate warning; click on Continue.)
8) And finally it says the domain has been linked :)

9) Clicking OK will log us out of the cloudadmin@vmc.local account.
10) You can now log in with an on-prem AD user that is part of the allowed domain and has permission to access the on-prem vCenter.

This is it! We have successfully set up Hybrid Linked Mode and are able to manage both vCenters from one console.