Feature Brief: Hybrid Linked Mode


Hybrid Linked Mode (HLM) provides the ability to extend an administrator’s management view from on-premises to VMware Cloud on AWS. Using Hybrid Linked Mode, you can: 

  • View and manage the inventories of both your on-premises and VMware Cloud on AWS data centers from a single vSphere Client interface, accessed using your on-premises credentials. 
  • Migrate workloads between your on-premises data center and cloud SDDC. 
  • Share tags and tag categories from your vCenter Server instance to your cloud SDDC. 

Hybrid Linked Mode is based on the Enhanced Linked Mode feature that’s a part of vSphere when deployed in your on-prem environment.  However, there are key differences, and the rest of this article will go over this feature in detail.


HLM is a flexible solution that allows us to jointly manage both the VMware Cloud on AWS and on-premises SSO domains. HLM provides a one-way trust from on-premises to VMware Cloud on AWS (i.e. VMware Cloud on AWS trusts the on-premises users) and gives us the option to link and unlink as needed. It also retains the separation between on-premises and VMware Cloud on AWS permissions to avoid difficulties if we need to break the two environments apart. Once HLM is established, on-premises workloads can be migrated to VMware Cloud on AWS. The added bonus is that the migration works both ways and workloads can be migrated back from VMware Cloud on AWS to on-premises.

When a Cloud SDDC is deployed (a Cloud SDDC is an SDDC consisting of vCenter Server, ESXi, vSAN, and NSX deployed in the VMware Cloud on AWS service) and configured it is setup as its own stand-alone vSphere Single Sign-On domain. In order to manage both a VMware Cloud on AWS and your on-premises vSphere SSO domain together, these two separate SSO domains need to establish a trust. They also need to continue to retain their autonomy since HLM has the flexibility to be created and destroyed at will. For example, if we create HLM between a Cloud SDDC and an on-premises vSphere environment, we don’t want the two environments to become fundamentally dependent on each other. This gives us the ability to tear down HLM without breaking permissions.


The requirements for HLM can be found in the product documentation.  There are also a few prerequisites which need to be in place prior to configuration.


A VPN connection must be established between the VMware Cloud on AWS management gateway and the on-premises environment.


By default, the firewall in the VMware Cloud on AWS console is set to deny all. The assumption here is your on-premises vSphere environment already has the necessary firewall ports opened. The required firewall ports for HLM to properly work are documented in Hybrid Linked Mode Prerequisites.


Enter the on-premises DNS server(s) in the VMware Cloud on AWS management gateway to resolve the on-premises identity source and Platform Services Controller which will be used when configuring HLM.

A screenshot of a cell phone

Description automatically generated

Note: make sure you can resolve the VMware Cloud on AWS vCenter Server in your on-premises environment.

Deployment and Configuration

To configure Hybrid Linked Mode, the admin deploys the Cloud Gateway virtual appliance into the on-premises data center and runs the Cloud Gateway installer. This establishes the connection between your SDDC and the data center.

After successfully deploying the Cloud Gateway, the actual HLM configuration consists of three steps. 

  • Step 1 – Add Identity Source. You can use native Active Directory (Integrated Windows Authentication) domain or an OpenLDAP directory service. 
  • Step 2- Add Cloud Administrators Group. This group can be an existing one or a newly created group of members that are separate from your on-premises vSphere administrators group.
  • Step 3 – Link to On-Prem Domain.  The third and final step is adding information from your on-premises vSphere SSO domain.

HLM Management 

From the hosts and clusters view you can see and manage both your vSphere on-premises and cloud SDDC environments in a single view while retaining separate permissions.

A screenshot of a social media post

Description automatically generated

We can now move workloads via cold migration between our on-premises and cloud SDDC by simply right clicking on a single VM or multiple and selecting migrate. The same migration wizard that you use today on-premises is used, which is another benefit of VMware Cloud on AWS. Now your current on-premises vSphere skills translate to the cloud and you can just focus on the important piece – workload management – while VMware takes care of the rest.

Filter Tags

General Document Feature Brief Overview