VMware Engine prerequisites

VMware Engine offers a VMware private cloud environment that is accessible for users and applications from on-premises environments, enterprise managed devices, and Google Cloud services like Virtual Private Cloud (VPC). Connectivity is delivered by using networking services (such as VPNs and dedicated interconnect attachments) supported by VMware Engine. Some network services require user-specified address ranges for enabling the functionality. To help you plan your deployment, this page lists the prerequisites and associated features.

Enable the VMware Engine API

  1. In the Cloud Console, select or create a project.

  2. Confirm that billing is enabled for your Google Cloud project.

  3. Go to the VMware Engine API page.

    Go to the VMware Engine API page

  4. Click Enable.

Requesting quota

To create a private cloud or a new cluster on your private cloud you need a minimum of three nodes. To request a quota of VMware Engine nodes for the project where you want to deploy your private cloud, complete the following steps:

  1. In the Google Cloud Console, go to the Quotas page.

    Go to the Quotas page

  2. On the Quotas page, filter by service for VMware Engine nodes.

  3. Select the region where you want to apply the quota for VMware Engine nodes.

  4. Click Edit Quotas.

  5. Fill out your name, email, and phone number, and click Next.

  6. Enter your request to increase your quota, and click Next.

  7. Submit your request.

CIDR requirements

The following tables describe the set of address ranges and corresponding services that use those ranges. Some of these are mandatory and some depend on the services that you plan to deploy. The address spaces must not overlap with any of your on-premises subnets, VPC subnets, or planned workload subnets.

IP address ranges required for initializing and creating a private cloud

Name/used for Description Address range
vSphere/vSAN CIDR Required for VMware Management networks. Must be specified during private cloud creation. /21, /22 , /23, or /24

IP address ranges required for HCX on your private cloud

Name/used for Description Address range
HCX deployment CIDR Required for deploying HCX networks. Optional during private cloud creation. /28 or larger

IP addresses required for private service access to VMware Engine

Name/used for Description Address range
Assigned address range Address range to be used for private service connection to Google Cloud services including VMware Engine. /24 or larger

IP address ranges for enabling Edge networking services provided by VMware Engine

Name/used for Description Address range
Gateway CIDR Required if optional edge services (point-to-site VPN, internet access, public IP) are enabled, on a per region basis. /26
Client subnet Required for point-to-site VPN. DHCP addresses are provided to the VPN connection from the client subnet. /24

Firewall port requirements

You can set up a connection from your on-premises network to your VMware private cloud by using site-to-site VPN or dedicated interconnect. Use the connection to access your VMware private cloud vCenter and any workloads you run in the private cloud. You can control what ports are opened on the connection by using a firewall in your on-premises network. This section lists common application port requirements. For port requirements for any other applications, see the documentation for that application.

Ports required for accessing vCenter

To access your private cloud vCenter and NSX-T manager, open the following ports on the on-premises firewall:

Port Source Destination Purpose
53 (UDP) On-premises DNS servers Private cloud DNS servers Required for forwarding DNS lookup of gve.goog to private cloud DNS servers from on-premises network.
53 (UDP) Private cloud DNS servers On-premises DNS servers Required for forwarding DNS lookup of on-premises domain names from private cloud vCenter to on-premises DNS servers.
80 (TCP) On-premises network Private cloud management network Required for redirecting vCenter URL from HTTP to HTTPS.
443 (TCP) On-premises network Private cloud management network Required for accessing vCenter and NSX-T manager from on-premises network.
8000 (TCP) On-premises network Private cloud management network Required for vMotion of virtual machines (VMs) from on-premises to private cloud.
8000 (TCP) Private cloud management port On-premises network Required for vMotion of VMs from private cloud to on-premises.

Common ports required for accessing workload VMs

Accessing workload VMs running on private cloud requires ports to be opened on your on-premises firewall. The following table lists common ports. For any application specific port requirements, see the application documentation.

Port Source Destination Purpose
522 (TCP) On-premises network Private cloud workload network Secure shell access to Linux VMs running on private cloud.
3389 (TCP) On-premises network Private cloud workload network Remote desktop to Windows VMs running on private cloud.
80 (TCP) On-premises network Private cloud workload network Access any web servers deployed on VMs running on private cloud.
443 (TCP) On-premises network Private cloud workload network Access any secure web servers deployed on VMs running on private cloud.
389 (TCP/UDP) Private cloud workload network On-premises active directory network Join Windows workload VMs to on-premises active directory domain.
53 (UDP) Private cloud workload network On-premises active directory network DNS service access for workload VMs to on-premises DNS servers.

What's next