After installation or upgrade, use the manage-test-connection-denylist command of the cell management tool to block access to internal hosts before providing tenants with access to the VMware Cloud Director network.

Starting with VMware Cloud Director 10.1, service providers and tenants can use the VMware Cloud Director API to test connections to remote servers and to verify the server identity as part of an SSL handshake.

To protect the internal network in which a VMware Cloud Director instance is deployed from malicious attacks, system providers can configure a denylist of internal hosts that are unreachable to tenants.

This way, if a malicious attacker with tenant access attempts to use the connection testing VMware Cloud Director API to map the network in which VMware Cloud Director is installed, they won't be able to connect to the internal hosts on the denylist.

After installation or upgrade and before providing tenants with access to the VMware Cloud Director network, use the manage-test-connection-denylist command of the cell management tool to block tenant access to internal hosts.

Procedure

  1. Log in or SSH as root to the OS of the VMware Cloud Director cell.
  2. Run the command to add an entry to the denylist.
    /opt/vmware/vcloud-director/bin/cell-management-tool manage-test-connection-denylist option   
    Table 1. Cell Management Tool Options and Arguments, manage-test-connection-denylist Subcommand

    Option: --help (-h)
      Argument: None
      Description: Provides a summary of available commands in this category.

    Option: --add-ip
      Argument: IPv4 or IPv6 address
      Description: Adds an IP address to the denylist.

    Option: --add-name
      Argument: A subdomain or a fully qualified domain name for a host
      Description: Adds a subdomain or a domain name to the denylist.

    Option: --add-range
      Argument: IPv4 or IPv6 address range in either CIDR or hyphenated format
      Description: Adds an IP address range to the denylist.

    Option: --list
      Argument: None
      Description: Lists all the existing entries with denied access.
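As an added example (not part of the VMware documentation), the POSIX shell helper below classifies each intended denylist entry by the argument shapes in Table 1 (IP literal, CIDR or hyphenated range, host or domain name) and emits the matching manage-test-connection-denylist invocation as a dry run, so the plan can be reviewed before anything is run on the cell. The tool path is the one shown on this page; the sample entries are constructed and the tool itself is never executed.

```shell
#!/bin/sh
# Dry-run planner for manage-test-connection-denylist entries (added example).
# Assumption: the cell management tool lives at the path documented above.
CMT=/opt/vmware/vcloud-director/bin/cell-management-tool

# Shape checks only; octet ranges and DNS validity are not verified.
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; }
is_ipv6() { printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$'; }
is_name() {
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Print the subcommand option matching one entry, or fail on an unrecognised one.
denylist_option() {
    entry=$1
    case "$entry" in
        */*) echo "--add-range"; return 0 ;;        # CIDR, e.g. 10.0.0.0/8
    esac
    if is_ipv4 "$entry" || is_ipv6 "$entry"; then
        echo "--add-ip"; return 0                  # single address
    fi
    lo=${entry%%-*}; hi=${entry#*-}                 # hyphenated range: both halves must be IPs
    if [ "$lo" != "$entry" ] && { { is_ipv4 "$lo" && is_ipv4 "$hi"; } \
        || { is_ipv6 "$lo" && is_ipv6 "$hi"; }; }; then
        echo "--add-range"; return 0
    fi
    if is_name "$entry"; then
        echo "--add-name"; return 0                 # subdomain or FQDN
    fi
    echo "unrecognised denylist entry: $entry" >&2
    return 1
}

# Print the full command line for one entry (dry run; nothing is executed).
denylist_command() {
    opt=$(denylist_option "$1") || return 1
    printf '%s manage-test-connection-denylist %s %s\n' "$CMT" "$opt" "$1"
}

# Print one add command per entry, then the --list call used to verify the result.
plan_denylist() {
    for e in "$@"; do denylist_command "$e" || return 1; done
    printf '%s manage-test-connection-denylist --list\n' "$CMT"
}

# Usage: sh plan.sh 10.0.0.5 10.10.0.0/16 172.16.0.1-172.16.0.50 vcenter.corp.example
if [ "$#" -gt 0 ]; then plan_denylist "$@"; fi
```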