VMware Cloud Foundation (VCF) deployment fails during the vCenter Server deployment phase. SDDC Manager (<IP-address>) cannot reach the target vCenter network (<IP-address>).

The VCF Installer shows the following or similar error messaging:

vCenter installation failed. Check logs under /var/log/vmware/vcf/domainmanager/ci-installer-##### for more details.

VMware Cloud Foundation 9.0.x
VMware vCenter Server 9.0.x
VMware SDDC Manager 9.0.x

Traffic is being dropped by an upstream physical firewall or Layer 3 gateway preventing bidirectional communication between the management subnet of the VCF Fleet and the target vCenter subnet.

• Engage the network administration team to verify routing tables on the Top of Rack (ToR) switches or upstream Layer 3 gateways. Ensure explicit routes exist between the Management subnet and the vCenter subnet.

• Verify that no Access Control Lists (ACLs) or perimeter firewall policies are dropping the deployment traffic.

• Configure the upstream network to allow bidirectional traffic for the following required ports and protocols:

  • TCP 22 (SSH)

  • TCP 443 (HTTPS)

  • TCP 5480 (VAMI)

  • ICMP (Echo Request and Echo Reply)

• Confirm the physical switch ports connected to the target ESXi host uplinks are configured to trunk and pass the required vCenter VLAN.

• Once bidirectional network reachability is validated, retry the vCenter Server deployment workflow from the VCF Installer appliance UI.

Security Design for the Management Domain for VMware Cloud Foundation