As part of setting up access to the vSphere+ / vSAN+ Cloud Service, a vCenter Cloud Gateway (VCGW) is deployed into your on-premises infrastructure and serves as a gateway between your vCenter Server(s) and the VMware Cloud Console.
If the VCGW has connectivity issues to the VMware Cloud Console for whatever reason, your infrastructure and workloads continue to run but you will not be able to perform any operations through the VMware Cloud Console until connectivity is restored.
UPDATE (06/21/23) - The period after which VMware declares a VCGW unreachable has been updated from 24hrs to 7 days. This means that even if your VCGW loses connectivity, you will still be able to log in to your on-premises vCenter Server and/or SDDC Manager without needing to go to the emergency URL.
However, if you attempt to log in to your on-premises vCenter Server(s) using the vSphere UI, you may be surprised to find the following error message.
The message about not being able to log in may look alarming at first, but you can still log in even if connectivity between the VCGW and VMware Cloud Console has been lost.
While I will agree the user experience may not be very intuitive, the hint is in the URL link below where it says "Still having connection problems?"
If you click on the link, you will be taken to the following VMware KB 83798 which outlines the issue, troubleshooting steps and most importantly a workaround to access the vSphere Client in an "Offline" mode via the emergency URL which is simply https://[VCSA]/ui/emergency
Before you can log in, you will first need to request access for a vCenter Server user who has the vSphere Client->VMware Cloud offline login privilege. By default, the administrator[at]vsphere[dot]local user has this privilege, and you can assign it to additional users if needed.
Once access has been granted to that user, you can then log in to the vSphere UI using the normal URL and provide your credentials to vCenter Server.
Once connectivity has been restored, this emergency URL is no longer needed and login to your vCenter Server(s) using the standard vSphere UI URL will work as before.
I also want to mention that use of the emergency URL can be audited like any other login to vCenter Server. A specific vCenter Event called com.vmware.vsphere.client.security.LoginConnectivityCheckEvent is emitted, which can be seen in the Events tab as shown in the screenshot below.
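One way to review that event outside the Events tab, as an added example that is not from the original post: the script below filters exported vCenter events for the emergency-URL event ID and lists users who are not on an expected break-glass list. The JSON Lines export, the presence of userName on this event, the timestamps and the user ops1 are assumptions made for the illustration.

```python
import json
from collections import defaultdict

# Event type ID named in the post.
EMERGENCY_EVENT = "com.vmware.vsphere.client.security.LoginConnectivityCheckEvent"

# Constructed sample export, one JSON object per line. Keys follow vSphere API
# Event property names; the export layout and all values are assumptions.
SAMPLE_EXPORT = [json.dumps(r) for r in (
    {"eventTypeId": EMERGENCY_EVENT, "userName": "VSPHERE.LOCAL\\Administrator",
     "createdTime": "2023-06-01T08:15:00Z"},
    {"eventTypeId": "constructed.other.event", "userName": "ops1@vsphere.local",
     "createdTime": "2023-06-01T08:20:00Z"},
    {"eventTypeId": EMERGENCY_EVENT, "userName": "ops1@vsphere.local",
     "createdTime": "2023-06-01T09:02:00Z"},
    {"eventTypeId": EMERGENCY_EVENT, "createdTime": "2023-06-01T09:30:00Z"},
)] + ["{truncated line"]  # a damaged record that must not stop the audit


def normalise_user(name):
    """Map 'DOMAIN\\user' and 'user@domain' to lowercase 'user@domain'."""
    if not name:
        return "<unknown>"
    if "\\" in name:
        domain, user = name.split("\\", 1)
        name = f"{user}@{domain}"
    return name.lower()


def emergency_logins(lines):
    """Yield (user, createdTime) per emergency-URL event, skipping bad lines."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("eventTypeId") == EMERGENCY_EVENT:
            yield normalise_user(rec.get("userName")), rec.get("createdTime")


def audit(lines, expected_users):
    """Group emergency-URL events by user; list users outside expected_users."""
    by_user = defaultdict(list)
    for user, when in emergency_logins(lines):
        by_user[user].append(when)
    expected = {normalise_user(u) for u in expected_users}
    return dict(by_user), sorted(u for u in by_user if u not in expected)


if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, ["administrator@vsphere.local"]))
```

Events with no user name are reported under `<unknown>` and treated as unexpected, so they surface for review instead of being dropped.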
Johannes says
That *protected email* user is probably the administrator at vsphere dot local, right?
William Lam says
Yes. Sorry, my blog has a plugin which hides anything that looks like an email 🙂
The SSO Administrator account has the role, but you can also specify additional users if required.