When a new NSX-T Cloud Connector is created on the NSX Advanced Load Balancer Controller and the Distributed Firewall (DFW) is enabled, create the following rules. They need to be created only once per NSX-T Cloud Connector.

| Rule | Source | Destination | Service | Apply to | Action |
|---|---|---|---|---|---|
| Controller UI access. Required only if the Controller is connected to an NSX network segment. | Any by default; restrict to the administrative hosts that need UI/API/CLI access, since this rule opens SSH and HTTPS to the Controller | Controller management IPs and the Cluster IP (if configured). Use the auto-created ControllerCluster NSGroup. | TCP (22, 80, 443) | DFW | Allow |
| Controller cluster communication. Required only if the Controller is connected to an NSX network segment. | Controller management IPs. Use the auto-created ControllerCluster NSGroup. | Controller management IPs. Use the auto-created ControllerCluster NSGroup. | TCP (22, 8443). Use the auto-created ControllerCluster Service. | DFW | Allow |
| Service Engines to Controller secure channel. The Service Engines initiate the TCP connections for the secure channel to the Controllers. | Service Engine management IPs. Use the auto-created ServiceEngineMgmtIPs NSGroup. | Controller management IPs. Use the auto-created ControllerCluster NSGroup. | TCP (22, 8443) and UDP (123). Use the auto-created ControllerCluster Service. | Service Engine virtual machines. Use the auto-created <prefix>-ServiceEngines NSGroup. | Allow |

When a new NSX-T Cloud Connector is created on the Controller and the Gateway Firewall is enabled, create the following rule. It needs to be created only once per Cloud.

| Rule | Source | Destination | Destination Port | Apply To | Action |
|---|---|---|---|---|---|
| Service Engines to Controller secure channel. The Service Engines initiate the TCP connections for the secure channel to the Controllers. | Service Engine management IPs. Use the auto-created ServiceEngineMgmtIPs NSGroup. | Controller management IPs and the Cluster IP (if configured). Use the auto-created ControllerCluster NSGroup. | TCP (22, 8443) and UDP (123). Use the auto-created ControllerCluster Service. | Tier-0 connected to the Service Engine management Tier-1 | Allow |
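The rules in both tables above, expressed as NSX Policy API rule bodies, as an added example (this is not code from the NSX Advanced Load Balancer or NSX-T documentation). It assumes the Policy API Rule and Service schema used with `PATCH /policy/api/v1/infra/domains/default/security-policies/<policy>/rules/<rule>` (DFW) and `.../gateway-policies/<policy>/rules/<rule>` (Gateway Firewall). All group, service and Tier-0 paths, the `<prefix>` value and the admin-host group are placeholders: read the real paths of the auto-created NSGroups, the ControllerCluster Service and the SE management Tier-0 from NSX Manager before pushing anything. The `audit` function is the check a practitioner wants before applying the table as written: it flags the UI rule whose source is still Any.

```python
"""NSX Policy API bodies for the NSX ALB Controller / Service Engine firewall rules.

Added example, not part of the NSX ALB or NSX-T documentation. Every object path
below is an assumption (placeholder); substitute the real paths from NSX Manager.
"""
import json

PREFIX = "avi"  # assumed <prefix> the Cloud Connector uses for its auto-created objects
CONTROLLER_GROUP = f"/infra/domains/default/groups/{PREFIX}-ControllerCluster"      # assumed path
SE_MGMT_GROUP = f"/infra/domains/default/groups/{PREFIX}-ServiceEngineMgmtIPs"     # assumed path
SE_VM_GROUP = f"/infra/domains/default/groups/{PREFIX}-ServiceEngines"             # assumed path
CONTROLLER_SERVICE = f"/infra/services/{PREFIX}-ControllerCluster"                 # assumed path
UI_SERVICE = "/infra/services/alb-controller-ui"          # hypothetical, body built by ui_service()
ADMIN_GROUP = "/infra/domains/default/groups/alb-admins"  # hypothetical NSGroup of admin jump hosts
SE_MGMT_TIER0 = "/infra/tier-0s/t0-se-mgmt"               # hypothetical Tier-0 above the SE mgmt Tier-1
ANY = "ANY"


def l4_entry(proto, ports):
    """One L4PortSetServiceEntry: the Policy API's inline TCP/UDP port definition."""
    return {"resource_type": "L4PortSetServiceEntry",
            "display_name": f"{proto}-{'-'.join(str(p) for p in ports)}",
            "l4_protocol": proto, "destination_ports": [str(p) for p in ports]}


def ui_service():
    """Service body for the UI rule: TCP 22 (SSH/CLI), 80 (HTTP redirect), 443 (HTTPS UI/API)."""
    return {"resource_type": "Service", "display_name": "alb-controller-ui",
            "service_entries": [l4_entry("TCP", (22, 80, 443))]}


def rule(name, sources, destinations, services, scope, sequence, action="ALLOW"):
    """Policy API Rule body. scope=["ANY"] is what the UI shows as 'Applied To: DFW'."""
    return {"resource_type": "Rule", "display_name": name, "sequence_number": sequence,
            "source_groups": list(sources), "destination_groups": list(destinations),
            "services": list(services), "scope": list(scope), "action": action,
            "direction": "IN_OUT", "ip_protocol": "IPV4_IPV6", "logged": True}


def dfw_rules(ui_source=ANY):
    """The three DFW rules from the first table. ui_source defaults to the table's
    'Any'; pass an NSGroup path (e.g. ADMIN_GROUP) to restrict UI/API/CLI access."""
    return [
        rule("ALB Controller UI access", [ui_source], [CONTROLLER_GROUP], [UI_SERVICE], [ANY], 10),
        rule("ALB Controller cluster", [CONTROLLER_GROUP], [CONTROLLER_GROUP],
             [CONTROLLER_SERVICE], [ANY], 20),
        rule("ALB SE to Controller secure channel", [SE_MGMT_GROUP], [CONTROLLER_GROUP],
             [CONTROLLER_SERVICE], [SE_VM_GROUP], 30),
    ]


def gateway_rules():
    """The single Gateway Firewall rule; its scope is the Tier-0 path, not an NSGroup."""
    return [rule("ALB SE to Controller secure channel", [SE_MGMT_GROUP], [CONTROLLER_GROUP],
                 [CONTROLLER_SERVICE], [SE_MGMT_TIER0], 10)]


def audit(rules):
    """Return the names of ALLOW rules whose source is ANY. On a shared segment such a
    rule exposes the Controller's SSH and HTTPS to every workload the DFW sees."""
    return [r["display_name"] for r in rules
            if r["action"] == "ALLOW" and ANY in r["source_groups"]]


if __name__ == "__main__":
    print(json.dumps({"service": ui_service(), "dfw": dfw_rules(ADMIN_GROUP),
                      "gateway": gateway_rules()}, indent=2))
    print("rules with source ANY:", audit(dfw_rules()))  # ['ALB Controller UI access']
```

Running the script prints the restricted variant of the rule set (UI rule sourced from the admin group) and then audits the table's default variant, which reports the UI rule as the one open to Any. Paths in the output are placeholders and must be replaced with the real NSGroup, Service and Tier-0 paths before they are used in a PATCH request.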