For a customer I was doing a POC where we had to link the vCenter from the VMware Cloud on AWS offering from VMware with an AD that we created in a VPC in AWS. At the moment we were doing the POC there was no really good documentation besides Configuring Hybrid Linked Mode (HLM) for VMware Cloud on AWS. This helped me but was missing steps like setting up the VPN between a VPC and the VMware Cloud on AWS Management Gateway.

The following steps need to be executed:


VMware on AWS


AD in Amazon AWS

AD account


Step by step

Steps taken on Amazon AWS

Activate AD


Create accounts in AD

Before this can be done you need to create an EC2 instance with the AD management features activated, so you can access the AD and create user accounts. A detailed step-by-step guide can be found here:

Create a VPN connection on AWS

This is done in 3 steps:

Customer gateway

On your VPC configuration page you can create a Customer Gateway.


During the creation of this Customer Gateway you have to specify the public IP address of the Management Gateway, which you can find in your VMware Cloud on AWS console under the vCenter details.

Virtual Private Gateway

Here you create an entry that points to your VPC.

VPN Connection

Here you link your Customer Gateway with your Virtual Private Gateway.


During the configuration of your VPN connection in AWS you need to specify the subnet of your vCenter. This can be found in the VMware Cloud on AWS console.


Now you can download the configuration file. I used the Microsoft Windows format, as that was the most readable for me.


In this document you find the 2 public IP addresses on the AWS side of your VPC (one per tunnel) that can be used to create a redundant VPN connection to your vCenter Management Gateway from the VMware Cloud on AWS console.

The Passphrase (pre-shared key) that needs to be set up on the VMware Cloud on AWS side can also be found in this configuration file.


Steps taken on the VMware Cloud on AWS console

Create an IPsec VPN connection on the Management Gateway in the VMware Cloud on AWS console. Use the public AWS IP address and the Passphrase you find in the configuration file downloaded in the previous step.


If required, a second VPN can be set up with the second AWS IP address found in the configuration file, for redundancy.


Steps taken on the vCenter console

Log in to the vCenter console.


Go to Administration.


Go to Linked Domains.


Before you can add an Identity Source you need to know the Distinguished Names (DN) of the containers holding the groups and users. These can be found using the AD Users and Computers tool on the machine used to manage AD users and groups.


Now that you know the DNs, you can start linking the domain using an "AD over LDAP" connection.


The IP address of the AD DNS server can be found on the configuration page of your AD directory in AWS.


Now only an Administrator group from the AD needs to be selected, and you are up and running to grant permissions to the users or groups created in your AD.
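Before filling in the Identity Source form, it helps to check from a host on the VPC side that the directory is reachable through the VPN and to prepare the DNs and server URL in the shape vCenter expects. The script below is an added example, not part of the original post or of any VMware or AWS tooling; the domain name, the DC IP address and the OU names in it are constructed placeholders to be replaced with your own values.

```python
"""Pre-flight checks for the vCenter "AD over LDAP" identity source (added example)."""
import hashlib
import socket
import ssl

LDAP_PORT, LDAPS_PORT = 389, 636


def base_dn_from_domain(domain: str) -> str:
    """Map an AD DNS domain to its base DN: corp.example.com -> DC=corp,DC=example,DC=com."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def container_dn(base_dn: str, *rdns: str) -> str:
    """Prepend container RDNs (most specific first) to the base DN, e.g. the OU holding the users."""
    return ",".join([*rdns, base_dn])


def ldap_url(host: str, use_tls: bool = True) -> str:
    """Primary server URL for the form; ldaps:// keeps the bind password off the wire in clear."""
    scheme, port = ("ldaps", LDAPS_PORT) if use_tls else ("ldap", LDAP_PORT)
    return f"{scheme}://{host}:{port}"


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection succeeds: this tests the VPN route, not the directory itself."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ldaps_cert_fingerprint(host: str, timeout: float = 3.0) -> str:
    """SHA-256 of the certificate the DC presents on 636. Verification is disabled on purpose:
    the value is compared against the certificate exported from the DC before vCenter trusts it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, LDAPS_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    dc_ip, domain = "10.0.0.10", "corp.example.com"  # constructed: use the DNS address from the AWS directory page
    base = base_dn_from_domain(domain)
    print("Base DN for users :", container_dn(base, "OU=vCenterUsers"))   # constructed OU name
    print("Base DN for groups:", container_dn(base, "OU=vCenterGroups"))  # constructed OU name
    print("Primary server URL:", ldap_url(dc_ip))
    for port in (LDAP_PORT, LDAPS_PORT):
        print(f"tcp/{port} reachable over the VPN:", tcp_reachable(dc_ip, port))
    if tcp_reachable(dc_ip, LDAPS_PORT):
        print("DC certificate SHA-256:", ldaps_cert_fingerprint(dc_ip))
```

Run it from the EC2 management instance or another host inside the VPC; if tcp/636 is unreachable while tcp/389 is, the DC has no LDAPS certificate yet and the identity source will have to fall back to plain LDAP over the VPN.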
Some screenshots are taken from Configuring Hybrid Linked Mode (HLM) for VMware Cloud on AWS.
