Create VMware Cloud on AWS Firewall Rules for VMware Aria Operations for Networks

You must create VMware Cloud on AWS groups and firewall rules to build communication with VMware Aria Operations for Networks.

Prerequisites:

Deploy VMware Aria Operations for Networks platform and collector (for on-premise) or get the valid subscription (for cloud service).
You must have required privileges. See Add VMware Cloud on AWS - vCenter and Add VMware Cloud on AWS NSX Manager.
Deploy a VMware Cloud on AWS software-defined data center (SDDC) 1.8 and later with NSX-T networking.
Configure Firewall Rules for communication between VMware Aria Operations for Networks platform and collector.
For the port requirements of incoming traffic, see VMware Ports and Protocols.
Ensure you allow the HTTPS port 443 in the firewall to communicate from Collector to the following domains:
- *.vmc.vmware.com
- *.ni.vmware.com
- *.ni-onsaas.com

If you configure CSP with restricted access as per the VMware Cloud services documentation, you must allow list the following IP address to allow communication between region specific VMware Aria Operations for Networks and CSP:


Region	IP address
AU	3.104.98.208
CA	3.98.12.139
DE	3.70.31.146
JP	35.75.225.94
US	44.241.36.197
UK	18.168.184.20

Note: You can locate a region from the browser URL to access the service. For example, in the URL https://ca.www.mgmt.cloud.vmware.com/ni, ca indicates CA (Canada) region. Similarly in the URL https://us.www.mgmt.cloud.vmware.com/ni, us indicates the US region.

Configure Firewall Rules for communication between VMware Aria Operations for Networks platform and collector

Configuring firewall rules in VMware Cloud on AWS includes:

Creating a VMware Cloud on AWS group for VMware Aria Operations for Networks collector.
1. Log in to VMware Cloud on AWS at https://vmc.vmware.com.
2. On the Networking & Security tab, click Inventory > Groups.
3. On the Groups card, click COMPUTE GROUPS, then click ADD GROUP and give the group a Name and an optional Description.
4. Click Set Members to open the Select Members page.
5. Provide the VMware Aria Operations for Networks collector VM details.
  You use this group in the firewall rules that you create later to allow communication between VMware Cloud on AWS NSX Manager and VMware Aria Operations for Networks.
Create a firewall rule.
1. Log in to the VMC Console at https://vmc.vmware.com.
2. On the Networking & Security tab, click Gateway Firewall.
3. On the Gateway Firewall card, click Compute Gateway, then click ADD RULE and give the new rule a Name.
4. Enter the parameters for the new rule.
  - Sources: Enter the name of the VMware Cloud on AWS group containing the VMware Aria Operations for Networks collector IP address.
  - Destinations: Select Any.
  - Services: Select HTTPS, DNS, DNS-UDP, NTP, ICMP.
  - Action: Select Allow.
  - Applied To: Select Internet Interface.
  - Logging: Enable logging if required. Else this field is unchanged.
    
    The new rule is enabled by default. Slide the toggle to the left to deactivate it.
5. Click Publish.

Configure Firewall Rules for communication between collector and NSX Manager, and collector and vCenter

Log in to the VMC Console at https://vmc.vmware.com.
On the Networking & Security tab, click Gateway Firewall.
On the Gateway Firewall card, click Management Gateway, then click ADD RULE and give the new rule a Name.
Enter the parameters for the new rule.
- Sources: Enter the name of the VMware Cloud on AWS group containing the VMware Aria Operations for Networks collector IP address.
- Destinations: Select System Defined Groups, search for NSX Manager, and then select the NSX Manager entry.
- Services: Select HTTPS (443).
- Action: Select Allow.
- Logging: Enable logging if required.
  
  By default, the new rule is enabled. Slide the toggle to deactivate it.
Click Publish.
Perform the same steps to configure a rule for the VMware vCenter Server.
Note: Ensure to select VMware vCenter for the Destinations field in Step 4.