# vRealize Suite Lifecycle Manager 1.2 Ports and Protocols, Feature URLs, and Service Account Privileges
Behind the scenes in VMware R&D I have been working closely with the product management and engineering team for vRealize Suite Lifecycle Manager to improve the experience and workflows.
Three questions that I'm often asked are:
- What ports and protocols does vRealize Suite Lifecycle Manager use for communications?
- What URLs must be accessible by my organization to use some vRealize Suite Lifecycle Manager Features (e.g., My VMware, Marketplace, Product Updates, and the in-product Compatibility Guide)?
- What permissions are required for a custom role that can be used as a service account for vRealize Suite Lifecycle Manager to vSphere communications?
Well, you're in luck. I can answer this where the documentation currently falls short.
## Ports and Protocols
Below are the ports and protocols used for system-to-system or system-to-service communications:
### vRealize Suite Upstream Communications
Destination | Protocol | Port |
---|---|---|
My VMware | TCP | 443 |
VMware Solutions Exchange | TCP | 443 |
Product Updates | TCP | 443 |
VMware Compatibility Guide | TCP | 443 |
### User to vRealize Suite Lifecycle Manager
Destination | Protocol | Port |
---|---|---|
UI and API Gateway | TCP | 443 |
Secure Shell (Disabled by Default) | TCP | 22 |
### vRealize Suite Lifecycle Manager to vRealize Suite Product Communications
Destination | Protocol | Port |
---|---|---|
vRealize Automation Appliance | TCP | 443 |
vRealize Automation Appliance | TCP | 5480 |
vRealize Automation Appliance | TCP | 22 |
vRealize Automation IaaS Servers | TCP | 443 |
vRealize Automation IaaS Proxy | TCP | 443 |
vRealize Orchestrator | TCP | 8281 |
vRealize Business for Cloud | TCP | 443 |
vRealize Business for Cloud | TCP | 5480 |
vRealize Business for Cloud | TCP | 22 |
vRealize Operations Analytics Node | TCP | 443 |
vRealize Operations Analytics Node | TCP | 22 |
vRealize Operations Remote Collector | TCP | 443 |
vRealize Operations Remote Collector | TCP | 22 |
vRealize Log Insight Appliance Node | TCP | 443 |
vRealize Log Insight Appliance Node | TCP | 9543 |
vRealize Log Insight Appliance Node | TCP | 16520 |
vRealize Log Insight Appliance Node | TCP | 22 |
Identity Manager Appliance | TCP | 8443 |
Identity Manager Appliance | TCP | 443 |
### vRealize Suite Lifecycle Manager to vSphere Communications
Destination | Protocol | Port |
---|---|---|
vCenter Server | TCP | 443 |
### vRealize Suite Lifecycle Manager to Content Management Endpoint
Destination | Protocol | Port |
---|---|---|
Content Management Endpoint (e.g., GitLab) | TCP | 443 |
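A quick way to confirm that firewall rules match the matrices above before a deployment, as an added example that is not from the original post or from VMware: run this from the vRealize Suite Lifecycle Manager appliance (or the user network, for the SSH row) and it attempts a TCP connect for a subset of the flows and reports whether each result matches the expectation, open for required flows and closed for the LCM SSH port that is disabled by default. The hostnames are placeholders and the flow list is an assumption you should extend to your own endpoints.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Subset of the flows from the port matrices above: (label, host, port, expect_open).
# Hostnames are placeholders for this example; replace with your own endpoints.
FLOWS: List[Tuple[str, str, int, bool]] = [
    ("vCenter Server",                  "vcenter.example.local", 443,   True),
    ("vRealize Automation Appliance",   "vra.example.local",     443,   True),
    ("vRealize Automation Appliance",   "vra.example.local",     5480,  True),
    ("vRealize Orchestrator",           "vro.example.local",     8281,  True),
    ("vRealize Log Insight Node",       "vrli.example.local",    9543,  True),
    ("vRealize Log Insight Node",       "vrli.example.local",    16520, True),
    ("Identity Manager Appliance",      "vidm.example.local",    8443,  True),
    # SSH to the LCM appliance itself is disabled by default, so when probing
    # from the user network the expected state is closed.
    ("vRSLCM SSH (disabled by default)", "vrslcm.example.local", 22,    False),
]


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows, probe: Callable[[str, int], bool] = tcp_open) -> List[Dict]:
    """Probe each flow and record whether the observed state matches the expectation."""
    results = []
    for label, host, port, expect_open in flows:
        is_open = probe(host, port)
        results.append({"label": label, "host": host, "port": port,
                        "open": is_open, "ok": is_open == expect_open})
    return results


def mismatches(results: List[Dict]) -> List[Dict]:
    """Flows whose observed state differs from the expected state (firewall gaps or leaks)."""
    return [r for r in results if not r["ok"]]


if __name__ == "__main__":
    for r in check_flows(FLOWS):
        state = "open" if r["open"] else "closed"
        print(f"{'OK ' if r['ok'] else 'BAD'} {r['label']:<36} {r['host']}:{r['port']} {state}")
```

The `probe` parameter exists so the expectation logic can be exercised without network access; in production leave it at the default `tcp_open`.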
## URLs for Feature Support
The following are defined in the /opt/vmware/vrlcm/config/lcm.properties config:
- https://vapp-updates.vmware.com
- https://my.vmware.com
- https://myvmware.com
- https://apigw.vmware.com
- https://vconnect.vmware.com
- https://simservice.vmware.com
- https://marketplace.vmware.com
Note, however, that Akamai is accessed as the CDN when downloading products, and AWS CloudFront is accessed for the Marketplace downloads.
The Akamai URL is provided at runtime by My VMware and depends on your region. Hence you can use the following patterns:
- apigw.vmware.com
- download2.vmware.com
- *.akamaiedge.net
The Marketplace patterns are as follows:
- marketplace.vmware.com
- drd6c1w7be.execute-api.us-west-1.amazonaws.com
The Marketplace intermediate URLs are region specific and may be different at runtime.
## Service Account Role and Privileges
Simply define a role labeled "vRealize Suite Lifecycle Manager User" with the following privileges and assign a user to the role on your management vCenter Server instance. For example, [email protected].
- Datastore.Allocate Space
- Datastore.Browse Datastore
- Datastore.Update Virtual Machine Files
- Host.Local.Operations.Add Host to vCenter
- Host.Local.Operations.Create Virtual Machine
- Host.Local.Operations.Delete Virtual Machine
- Host.Local.Operations.Reconfigure Virtual Machine
- Network.Assign Network
- Resource.Assign vApp to Resource Pool
- Resource.Assign Virtual Machine to Resource Pool
- vApp.* (All privileges.)
- Virtual Machine.* (All privileges.)
In vRealize Suite Lifecycle Manager, simply use this service account for the communications to the management vCenter Server endpoints across your environments. Voilà!
## Disclaimer
This is not an official VMware by Broadcom document. This is a personal blog post. The information is provided as-is with no warranties and confers no rights. It is not intended to replace official documentation. Please, refer to official documentation for the most up-to-date information.