4.3.1 From-the-Cloud Tunnel
From-the-cloud replication is a complex process that involves a control connection, initiated by the on-premises vSphere Replication vCloud Tunneling Agent, and replication data coming from the vSphere Replication agent (on the cloud ESXi host) to internally load-balanced cloud proxies. To properly “stitch” the external and internal parts of the tunnel, the following mechanism is used:
1. The vSphere Replication vCloud Tunneling Agent opens a control connection (based on CloudProxyBaseUri set in vCloud API /hybrid/settings; see Appendix F – Undocumented HybridSettings vCloud API). The connection is forwarded by a cloud proxy load balancer to a cloud proxy (in Figure 7, it is Cloud Proxy 2).
2. The ESXi host starts a vSphere Replication session for a given replication group-id.
3. An internal load balancer forwards the TCP connection to an arbitrary cloud proxy (based on CloudProxyFromCloudTunnelHost configured in vCloud API /hybrid/settings). In Figure 7, it is Cloud Proxy 1.
4. The cloud proxy (through the vSphere Replication content-aware plug-in) decodes the group-id and requests the vSphere Replication Cloud Service to resolve it to a destination-id and tenant-id. (The cloud proxy acts as the vSphere Replication destination and “fabricates” the replication reply frames expected by the ESXi host until the real replication connection from the on-premises vSphere Replication Agent, relayed by the vSphere Replication vCloud Tunneling Agent, joins.)
5. The cloud proxy broadcasts a reverse connection request over the internal message bus for the resolved tunnel (destination-id, tenant-id). It provides the reverse Fully Qualified Domain Name (FQDN) based on the global.properties override. See Figure 8.
6. Cloud Proxy 2 detects that it has a control connection corresponding to the given destination-id.
7. Cloud Proxy 2 sends a reverse connection request to the specific vSphere Replication vCloud Tunneling Agent over the corresponding control connection and announces the FQDN of Cloud Proxy 1 to connect.
8. The vSphere Replication vCloud Tunneling Agent opens the requested reverse connection (to the specific Cloud Proxy 1 FQDN).
9. The firewall forwards the connection (destination NAT) to the specific Cloud Proxy 1.
10. Cloud Proxy 1 “stitches” the incoming vSphere Replication vCloud Tunneling Agent reverse connection with the pending context and checks that the corresponding stitched replication sessions are consistent with each other.
Figure 7. From-the-Cloud Tunnel Workflow
 
Figure 8. Cloud Proxy global.properties FQDN Override
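The ten steps above as a simplified, runnable model (an added example, not VMware code). The class and method names, the in-memory message bus, and the rule that the reverse connection must match the pending (destination-id, tenant-id) pair exactly are assumptions made for illustration.

```python
# Simplified model of the from-the-cloud rendezvous (steps 1-10); not VMware code.
# Class names, method names and the consistency rule are assumptions for illustration.

class MessageBus:
    """Internal message bus: every cloud proxy sees every broadcast (step 5)."""
    def __init__(self):
        self.proxies = []

    def broadcast(self, request):
        return any([p.on_reverse_request(request) for p in self.proxies])

class TunnelingAgent:
    """On-premises tunneling agent for one (destination-id, tenant-id)."""
    def __init__(self, destination_id, tenant_id):
        self.key = (destination_id, tenant_id)
        self.proxies_by_fqdn = {}   # stands in for DNS + firewall DNAT (step 9)

    def open_reverse(self, fqdn):
        # Step 8: connect to the specific proxy FQDN announced over the control link.
        self.proxies_by_fqdn[fqdn].accept_reverse(self.key)

class CloudProxy:
    def __init__(self, fqdn, bus, resolver):
        self.fqdn, self.bus, self.resolver = fqdn, bus, resolver
        self.control = {}    # destination-id -> agent holding a control connection
        self.pending = {}    # (destination-id, tenant-id) -> group-id awaiting stitch
        self.stitched = {}
        bus.proxies.append(self)

    def register_control(self, agent):            # step 1
        self.control[agent.key[0]] = agent

    def on_replication(self, group_id):           # steps 3-5
        key = self.resolver[group_id]             # group-id -> (destination, tenant)
        self.pending[key] = group_id
        return self.bus.broadcast({"key": key, "fqdn": self.fqdn})

    def on_reverse_request(self, request):        # steps 6-7
        agent = self.control.get(request["key"][0])
        if agent is None:
            return False
        agent.open_reverse(request["fqdn"])
        return True

    def accept_reverse(self, agent_key):          # step 10
        # Stitch only when the reverse connection matches a pending context exactly.
        if agent_key not in self.pending:
            raise PermissionError("no pending context for %r" % (agent_key,))
        self.stitched[agent_key] = self.pending.pop(agent_key)
```

In this model the proxy that receives the replication data and the proxy that holds the control connection can differ, and a reverse connection whose tenant-id does not match the pending context is refused rather than stitched.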