VMware Engine is upgrading existing private clouds to use newer VMware components. See Service announcements for more details.

VMware Engine prerequisites

Google Cloud VMware Engine offers a private cloud environment that's accessible to users and applications from on-premises environments, enterprise-managed devices, and Google Cloud services like Virtual Private Cloud (VPC). To establish connectivity between VMware Engine private clouds and other networks, you use networking services such as Cloud VPN and Cloud Interconnect.

Some network services require user-specified address ranges before they can be enabled. To help you plan your deployment, this page lists the prerequisites and the features that depend on each of them.

Enable the VMware Engine API

  1. In the Google Cloud Console, select or create a Google Cloud project.
  2. Confirm that billing is enabled for your Cloud project.
  3. Go to the VMware Engine API page.
  4. Click Enable.

Enable VMware Engine node quota

You must assign a quota of nodes to the Cloud project in which you want to deploy a VMware Engine private cloud. VMware Engine node quota is assigned per project and per region. To create a private cloud, you must have a quota of at least three nodes in the region where you deploy it.

The default quota assigned to a project is zero nodes. To request a quota of nodes for the project where you want to deploy your private cloud, see Quotas and limits.

CIDR requirements

The following tables describe the set of address ranges and the services that use them. Some ranges are mandatory and some are needed only for services that you plan to deploy. The ranges must not overlap each other, and must not overlap any of your on-premises subnets, VPC subnets, or planned workload subnets.

IP address ranges required for initializing and creating a private cloud

Name/used for | Description | Address range
vSphere/vSAN CIDR | Required for VMware management networks. Must be specified during private cloud creation. | /21, /22, /23, or /24

IP address ranges required for HCX on your private cloud

Name/used for | Description | Address range
HCX deployment CIDR | Required for deploying HCX networks. Optional during private cloud creation. | /27 or larger

IP addresses required for private service access to VMware Engine

Name/used for | Description | Address range
Assigned address range | Address range used for the private service connection to Google Cloud services, including VMware Engine. | /24 or larger

IP address ranges for enabling edge networking services provided by VMware Engine

Name/used for | Description | Address range
Edge Services CIDR | Required, per region, if optional edge services such as point-to-site VPN, internet access, and public IP addresses are enabled. | /26
Client subnet | Required for point-to-site VPN. DHCP addresses for VPN clients are allocated from the client subnet. | /24
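Before creating the private cloud, it is worth checking the planned ranges against the prefix-length rules in these tables and against everything already routed on-premises and in the VPC. The script below is an added example, not Google's or VMware's code; the range names, the sample plan and the list of existing subnets are constructed placeholders to replace with your own values.

```python
"""Check a planned VMware Engine address plan against the prefix-length rules
in the tables above and for overlap with ranges already in use.

Added example, not Google's or VMware's code. The sample plan and the list
of existing subnets are constructed placeholders.
"""
import ipaddress
from itertools import combinations

# (smallest allowed prefix length, largest allowed prefix length).
# A lower prefix length is a larger block, so "/27 or larger" is prefix <= 27.
RULES = {
    "vsphere_vsan": (21, 24),            # /21, /22, /23 or /24; mandatory
    "hcx": (0, 27),                      # /27 or larger; optional
    "private_service_access": (0, 24),   # /24 or larger
    "edge_services": (26, 26),           # exactly /26; per region, optional
    "client_subnet": (24, 24),           # exactly /24; point-to-site VPN only
}
MANDATORY = {"vsphere_vsan"}


def _allowed(lo, hi):
    """Human-readable form of a (lo, hi) prefix-length rule."""
    if lo == hi:
        return f"exactly /{hi}"
    if lo == 0:
        return f"/{hi} or larger"
    return f"/{lo} to /{hi}"


def validate_plan(plan, existing_subnets):
    """Return a list of problems; an empty list means the plan passes.

    plan: dict of range name -> CIDR string (omit optional ranges not in use).
    existing_subnets: CIDR strings for on-premises, VPC and planned workload
    subnets that the new ranges must not overlap.
    """
    problems = []
    nets = {}
    for name in plan:
        if name not in RULES:
            problems.append(f"{name}: unknown range name")
    for name, (lo, hi) in RULES.items():
        cidr = plan.get(name)
        if cidr is None:
            if name in MANDATORY:
                problems.append(f"{name}: missing (required to create the private cloud)")
            continue
        try:
            # strict=True rejects host bits set, e.g. 10.200.0.1/22
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr!r} is not a valid network ({exc})")
            continue
        if net.version != 4:
            problems.append(f"{name}: {cidr} must be an IPv4 range")
            continue
        if not lo <= net.prefixlen <= hi:
            problems.append(
                f"{name}: {cidr} is /{net.prefixlen}, must be {_allowed(lo, hi)}")
        nets[name] = net
    # Planned ranges must not overlap each other ...
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    # ... nor anything already routed on-premises or in the VPC.
    existing = [ipaddress.ip_network(s, strict=False) for s in existing_subnets]
    for name, net in nets.items():
        for sub in existing:
            if net.overlaps(sub):
                problems.append(f"{name} {net} overlaps existing subnet {sub}")
    return problems


# Constructed sample plan; replace with your own ranges.
SAMPLE_PLAN = {
    "vsphere_vsan": "10.200.0.0/22",
    "hcx": "10.200.4.0/27",
    "private_service_access": "10.201.0.0/24",
    "edge_services": "10.202.0.0/26",
    "client_subnet": "10.203.0.0/24",
}
EXISTING_SUBNETS = ["10.0.0.0/16", "192.168.0.0/24"]

if __name__ == "__main__":
    for line in validate_plan(SAMPLE_PLAN, EXISTING_SUBNETS) or ["plan OK"]:
        print(line)
```

Feed it the subnets exported from your on-premises IPAM and `gcloud compute networks subnets list` so that the overlap check covers what is actually routed, not just what you remember. Note that an overlap found here is a blocker: VMware Engine cannot renumber a management range after the private cloud exists.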

Firewall port requirements

You can set up a connection from your on-premises network to your private cloud by using site-to-site VPN or Dedicated Interconnect. Use the connection to access the vCenter Server of your private cloud and any workloads you run in it.

You can control which ports are opened on the connection by using a firewall in your on-premises network. Open only the ports your workloads actually need, and scope the source to the hosts or subnets that require access rather than the whole on-premises network. This section lists common application port requirements. For the port requirements of any other application, see that application's documentation.

Ports required for accessing vCenter

To access vCenter Server and NSX-T Manager in your private cloud, open the following ports on the on-premises firewall:

Port | Source | Destination | Purpose
53 (UDP) | On-premises DNS servers | Private cloud DNS servers | Required for forwarding DNS lookups for gve.goog from the on-premises network to the private cloud DNS servers.
53 (UDP) | Private cloud DNS servers | On-premises DNS servers | Required for forwarding DNS lookups of on-premises domain names from the private cloud vCenter to the on-premises DNS servers.
80 (TCP) | On-premises network | Private cloud management network | Required for redirecting the vCenter URL from HTTP to HTTPS.
443 (TCP) | On-premises network | Private cloud management network | Required for accessing vCenter and NSX-T Manager from the on-premises network.
8000 (TCP) | On-premises network | Private cloud management network | Required for vMotion of virtual machines (VMs) from on-premises to the private cloud.
8000 (TCP) | Private cloud management network | On-premises network | Required for vMotion of VMs from the private cloud to on-premises.

Common ports required for accessing workload VMs

Accessing workload VMs running in the private cloud requires ports to be opened on your on-premises firewall. The following table lists common ports. For any application-specific port requirements, see the application's documentation.

Port | Source | Destination | Purpose
22 (TCP) | On-premises network | Private cloud workload network | Secure shell access to Linux VMs running in the private cloud.
3389 (TCP) | On-premises network | Private cloud workload network | Remote desktop to Windows Server VMs running in the private cloud.
80 (TCP) | On-premises network | Private cloud workload network | Access to any web servers deployed on VMs running in the private cloud.
443 (TCP) | On-premises network | Private cloud workload network | Access to any secure web servers deployed on VMs running in the private cloud.
389 (TCP/UDP) | Private cloud workload network | On-premises Active Directory network | Join Windows Server workload VMs to the on-premises Active Directory domain.
53 (UDP) | Private cloud workload network | On-premises Active Directory network | DNS access from workload VMs to on-premises DNS servers.
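A practical way to use the two port tables is to encode every row as a required flow and evaluate it against the on-premises policy before cutover, so that a missing return path or a rule scoped to the wrong subnet shows up as a finding instead of a broken vMotion. The script below is an added example, not Google's or VMware's code: the zone names, their addresses and the sample rule set are constructed, it models a first-match firewall, and it assumes the private cloud DNS servers sit inside the vSphere/vSAN (management) range.

```python
"""Audit an on-premises firewall policy against the port tables above.
Added example, not Google's or VMware's code. Zone addresses and the sample
rule set are constructed placeholders; the private cloud DNS servers are
assumed to sit inside the vSphere/vSAN (management) range."""
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):      # one line of the on-premises policy
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    ports: Optional[str]     # "443", "80-443", or None for any port

class Flow(NamedTuple):      # one row of the port tables
    port: int
    proto: str
    src_zone: str
    dst_zone: str
    purpose: str

def _port_range(spec):
    if spec is None:
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def audit(rules, flows, zones):
    """Return (flow, status, detail) per flow; status is "allowed", "partial",
    "denied" or "missing". First matching rule wins, as on a real firewall; a rule
    matches when proto/port cover the flow and its CIDRs overlap the zones (a deny
    that overlaps only part of the zone pair still counts as denied)."""
    results = []
    for flow in flows:
        src = ipaddress.ip_network(zones[flow.src_zone])
        dst = ipaddress.ip_network(zones[flow.dst_zone])
        status, detail = "missing", "no rule matches (implicit deny)"
        for i, rule in enumerate(rules):
            lo, hi = _port_range(rule.ports)
            if rule.proto not in ("any", flow.proto) or not lo <= flow.port <= hi:
                continue
            rsrc, rdst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
            if not (rsrc.overlaps(src) and rdst.overlaps(dst)):
                continue
            if rule.action == "deny":
                status, detail = "denied", f"rule {i} denies it"
            elif rsrc.supernet_of(src) and rdst.supernet_of(dst):
                status, detail = "allowed", f"rule {i}"
            else:  # allow hits only part of the zone pair
                status, detail = "partial", f"rule {i} covers only {rule.src} -> {rule.dst}"
            break
        results.append((flow, status, detail))
    return results

def gaps(results):
    # Flows from the tables that the policy does not fully allow.
    return [r for r in results if r[1] != "allowed"]

# Zones named in the tables, mapped to constructed sample ranges.
ZONES = {
    "onprem": "10.0.0.0/16",
    "onprem_dns": "10.0.53.0/24",
    "onprem_ad": "10.0.10.0/24",
    "pc_mgmt": "10.200.0.0/22",     # vSphere/vSAN CIDR
    "pc_dns": "10.200.0.0/22",      # assumption: DNS servers in the management range
    "pc_workload": "10.210.0.0/16",
}

# Every row of the two port tables above.
REQUIRED_FLOWS = [Flow(*r) for r in [
    (53, "udp", "onprem_dns", "pc_dns", "DNS forwarding for gve.goog"),
    (53, "udp", "pc_dns", "onprem_dns", "DNS forwarding of on-premises names"),
    (80, "tcp", "onprem", "pc_mgmt", "vCenter HTTP to HTTPS redirect"),
    (443, "tcp", "onprem", "pc_mgmt", "vCenter and NSX-T Manager"),
    (8000, "tcp", "onprem", "pc_mgmt", "vMotion to private cloud"),
    (8000, "tcp", "pc_mgmt", "onprem", "vMotion to on-premises"),
    (22, "tcp", "onprem", "pc_workload", "SSH to Linux VMs"),
    (3389, "tcp", "onprem", "pc_workload", "RDP to Windows VMs"),
    (80, "tcp", "onprem", "pc_workload", "HTTP to workload web servers"),
    (443, "tcp", "onprem", "pc_workload", "HTTPS to workload web servers"),
    (389, "tcp", "pc_workload", "onprem_ad", "LDAP for AD domain join"),
    (389, "udp", "pc_workload", "onprem_ad", "LDAP for AD domain join"),
    (53, "udp", "pc_workload", "onprem_ad", "DNS for workload VMs"),
]]

# Constructed sample policy with deliberate gaps; first match wins.
SAMPLE_RULES = [Rule(*r) for r in [
    ("deny", "tcp", "10.0.0.0/16", "10.210.0.0/16", "3389"),
    ("allow", "tcp", "10.0.0.0/16", "10.200.0.0/22", "443"),
    ("allow", "tcp", "10.0.0.0/16", "10.200.0.0/22", "80"),
    ("allow", "udp", "10.0.53.0/24", "10.200.0.0/22", "53"),
    ("allow", "udp", "10.200.0.0/22", "10.0.53.0/24", "53"),
    ("allow", "tcp", "10.0.0.0/16", "10.200.0.0/22", "8000"),   # return path missing
    ("allow", "tcp", "10.0.0.0/16", "10.210.0.0/16", "22"),
    ("allow", "tcp", "10.0.0.0/16", "10.210.0.0/16", "80-443"),
    ("allow", "tcp", "10.210.0.0/16", "10.0.10.0/24", "389"),   # UDP 389 missing
    ("allow", "udp", "10.210.0.0/24", "10.0.10.0/24", "53"),    # only part of the workload range
]]

if __name__ == "__main__":
    for flow, status, detail in gaps(audit(SAMPLE_RULES, REQUIRED_FLOWS, ZONES)):
        print(f"{status:8} {flow.proto}/{flow.port} {flow.src_zone} -> {flow.dst_zone}: {flow.purpose} ({detail})")
```

Run against the sample policy, the audit reports four gaps: the vMotion return path (8000/TCP from the management network) has no rule, RDP is explicitly denied, LDAP over UDP is missing although TCP is allowed, and the DNS rule covers only a /24 of the workload range. The same approach works in reverse for tightening: a rule that allows far more than the tables require (for example any port from the whole on-premises network) is the one to narrow first.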

VMware Engine private cloud connectivity

To access a Virtual Private Cloud from a VMware Engine private cloud, you must set up private service access. This process is also required for connecting to your on-premises environment from VMware Engine.

To access your VMware Engine private cloud from on-premises or a remote site, you use Cloud VPN or Cloud Interconnect. Choose and follow the setup instructions for Cloud VPN or Cloud Interconnect, depending on your needs.

What's next