After installation or upgrade, use the manage-test-connection-denylist command of the cell management tool to block access to internal hosts before providing tenants with access to the VMware Cloud Director network.
Starting with VMware Cloud Director 10.1, service providers and tenants can use the VMware Cloud Director API to test connections to remote servers and to verify the server identity as part of an SSL handshake.
To protect the internal network in which a VMware Cloud Director instance is deployed from malicious attacks, system providers can configure a denylist of internal hosts that are unreachable to tenants.
This way, if a malicious attacker with tenant access attempts to use the connection testing VMware Cloud Director API to map the network in which VMware Cloud Director is installed, they won't be able to connect to the internal hosts on the denylist.
After installation or upgrade and before providing tenants with access to the VMware Cloud Director network, use the manage-test-connection-denylist command of the cell management tool to block tenant access to internal hosts.