eccl1213
Enthusiast

VMC on AWS Compute profile with HCX

We are looking to see how we can create a custom compute profile on VMC for HCX.

We have a business that wants to send some VMs up to our VMC SDDC. However, we have a need to restrict them to a particular VM folder/Resource Pool. When we pair with cloudadmin, it's possible for them to enumerate all the remote VMs, which is a no go.

Is there any way to restrict what VMs HCX can access at the VMC site? With a custom compute profile we can limit the remote site, but we don't see a way to do this in VMC.

4 Replies
E5C6
VMware Employee

Are you wanting to create a custom resource pool in VMC and have HCX move them from a custom pool on-prem to a custom pool in VMC?

vaibhavt
VMware Employee

Hello eccl1213

Please correct me if I am wrong; your requirement is:

  • HCX Migration (on-prem to cloud) should be restricted to a specific Resource Pool/VM Folder on VMC
  • Is there any way to restrict what VMs HCX can access at the VMC site? Please elaborate

Thanks,

Vaibhav

0 Kudos
A13xxx
Enthusiast

Could you not restrict the access to an account other than cloudadmin?

0 Kudos
eccl1213
Enthusiast

Correct, HCX should be able to restrict which VMs can be seen or replicated and where they can be placed.

Essentially, HCX permissions should be able to be set at the remote side and the VMC side.

Currently, if you create a new HCX login it will be able to replicate and see all VMs, even if that login cannot see the VM via the vCenter GUI.

Here is our scenario. HCX is installed to allow a sub business unit to place workloads in VMC. Their side of HCX is controlled by them. Nothing can stop them from replicating the HR server sitting in VMC from corporate down to their vCenter. The service profile for replication allows all or nothing.

We did test this. We created a new login and restricted it to a single resource pool/VM folder. From vCenter you cannot browse other VMs...they are hidden from view.

But that login must have HCX permissions. And once you grant that permission, you can browse and replicate all VMs from inside the HCX interface.

0 Kudos