To be able to successfully manage the SDDC, you need to enable access to vCenter Server. vCenter Server can be accessed from the internet or a private address accessible from the VPN, DX, or AWS VPC connected to the SDDC. By default, the NSX firewalls block access to the vCenter Server from the internet. In the upper-right corner of the VMware Cloud SDDC console, click on OPEN VCENTER and a pop-up message with the following options will appear. Let’s click on FIREWALL RULE, as seen in the following screenshot:
Figure 4.29 – Open vCenter with access credentials
Now let’s enable access to vCenter from remote public IPs. By default, internet access to vCenter is blocked by the Management Gateway firewall. Navigate to the Networking & Security tab, and open the Gateway Firewall section, as seen in the following screenshot:
Figure 4.30 – Networking & Security – Gateway Firewall
The default NSX firewall ruleset does not allow access to vCenter from external IP addresses. Only outbound communication from vCenter or the ESXi hosts is allowed. First, let’s create a new rule allowing vCenter access from a specific IP address. Click on the + ADD RULE button and a new rule configuration will appear. Provide a descriptive name for the rule and click on the source Edit button, as seen in the following screenshot:
Figure 4.31 – Creating firewall rules
Here, we’ll create a user-defined group that represents the connecting source IP addresses. After providing a descriptive name for the group, we’ll click on Set Members, as seen in the following screenshot:
Figure 4.32 – Creating a user defined group
In the new window, we’ll enter the source IP address that will initiate communication toward the vCenter Server. Multiple addresses and address ranges can be provided, as seen in the following screenshot:
Figure 4.33 – Define source IP addresses
First, make sure to click on SAVE to save the group (1), confirm that the steps are completed in the right order, and only then click APPLY (2), as shown in the following screenshot:
Figure 4.34 – Defining source IP addresses and saving the configuration
Lastly, it is important to select the destination and services we wish to enable. The destination field should be modified by selecting the predefined vCenter system-defined group. Additionally, there are system-defined services that are predefined during the provisioning process. Select HTTPS under Services and Allow under Actions, as shown in Figure 4.35.
Figure 4.35 – Publishing a rule
Do not forget to publish the rule from the upper right-hand side of the screen; otherwise, the configuration will not be applied.
Tip
Even though external public access to vCenter Server is supported, it is required to limit it to a specific IP address or range. Most enterprise organizations, for security reasons, prefer accessing the vCenter Server using private IP address access over a Site-to-Site VPN or AWS Direct Connect. Using Any as a source for the vCenter Server is not supported for security reasons.
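As an added example (not part of the book or of VMware Cloud on AWS), the following Python snippet models a Management Gateway rule and checks it against the constraints described above: the vCenter system-defined group as destination, the HTTPS service, the Allow action, no Any or all-address source, valid IP addresses or ranges in the source group, and the rule actually being published. The `MgwRule` class and the `MAX_SOURCE_PREFIX_WIDTH` threshold are assumptions for illustration, not VMware Cloud settings.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed organisational threshold (hypothetical, not a VMware Cloud setting):
# source ranges wider than this prefix length are flagged for review.
MAX_SOURCE_PREFIX_WIDTH = 24


@dataclass
class MgwRule:
    """Constructed model of one Management Gateway firewall rule."""
    name: str
    sources: list[str]        # IPs/CIDRs in the user-defined group, or "Any"
    destination: str          # system-defined group, expected "vCenter"
    service: str              # system-defined service, expected "HTTPS"
    action: str               # "Allow" or "Drop"
    published: bool = False   # True once the rule has been published


def check_vcenter_rule(rule: MgwRule) -> list[str]:
    """Return findings that would make the rule unsafe or ineffective."""
    findings = []
    if rule.destination != "vCenter":
        findings.append(f"destination {rule.destination!r} is not the vCenter system group")
    if rule.service != "HTTPS":
        findings.append(f"service {rule.service!r} is not HTTPS")
    if rule.action != "Allow":
        findings.append(f"action {rule.action!r} will not permit vCenter access")
    # 'Any' as a source is not supported; an empty group allows nothing.
    if not rule.sources or any(s.strip().lower() == "any" for s in rule.sources):
        findings.append("source 'Any' is not supported; restrict to specific IPs or ranges")
    for src in rule.sources:
        if src.strip().lower() == "any":
            continue
        try:
            net = ip_network(src, strict=False)
        except ValueError:
            findings.append(f"source {src!r} is not a valid IP address or range")
            continue
        if net.prefixlen == 0:
            findings.append(f"source {src!r} covers every address, equivalent to Any")
        elif net.prefixlen < MAX_SOURCE_PREFIX_WIDTH:
            findings.append(f"source {src!r} is wider than /{MAX_SOURCE_PREFIX_WIDTH}; confirm it is intentional")
    # An unpublished rule never reaches the gateway.
    if not rule.published:
        findings.append("rule is not published, so it is not applied")
    return findings


if __name__ == "__main__":
    sample = MgwRule("vCenter from office", ["203.0.113.10"], "vCenter", "HTTPS", "Allow")
    print(check_vcenter_rule(sample) or ["no findings"])
```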
After configuring the firewall rule, go back to the OPEN VCENTER button in the VMware Cloud SDDC console and click on SHOW CREDENTIALS.
The cloud admin credentials and the OPEN VCENTER button will appear. The credentials are predefined during the provisioning process and cannot be changed. Administrators and Operators can copy-paste the credentials from here.
Figure 4.36 – OPEN VCENTER
Let’s click on the OPEN VCENTER button and enter the credentials in the newly opened tab. The vSphere Web Client will open, as seen in the following screenshot:
Figure 4.37 – First vCenter access
The vCenter Server UI is no different from on-premises vCenter Server and uses the latest publicly available version of the vCenter software (for a greenfield SDDC).