Control Plane Distributed Firewall Rule Configuration

When a new NSX-T Cloud Connector is created on NSX Advanced Load Balancer Controller, create these rules if DFW is enabled. These rules need to be created only once per-NSX-T Cloud connecter.

Rule	Source	Destination	Service	Apply to	Action
The Controller UI Access Note: Required only if the Controller is connected to an NSX network segment.	Any Can be changed to restrict UI/ API/ CLI access	The Controller management IPs and the Cluster IP (if configured) Use the auto created `ControllerCluster` NSGroup	TCP (22, 80, 443)	DFW	Allow
The Controller cluster communication Note: Required only if the Controller is connected to an NSX-network segment.	The Controller management IPs Use the NSX-T Cloud Connector created `ControllerCluster` specific NSGroup	The Controller Management IPs Use the auto created `ControllerCluster` NSGroup	TCP (22, 8443) Use the auto created `ControllerCluster` Service	DFW	Allow
The Service Engines to the Controller Secure Channel. Note: The Service Engines initiates TCP connection for the secure channel to the Controllers.	The Service Engine management IPs Use the auto created `ServiceEngineMgmtIPs` NSGroup	The Controller Management IPs Use the auto created `ControllerCluster` NSGroup	TCP (22, 8443) and UDP (123) Use the auto created `ControllerCluster` Service	The Service Engine Virtual Machines Use the auto created `<prefix>-ServiceEngines` NSGroup	Allow

Rule

Source

Destination

Service

Apply to

Action

The Controller UI Access

Note:

Required only if the Controller is connected to an NSX network segment.

Any

Can be changed to restrict UI/ API/ CLI access

The Controller management IPs and the Cluster IP (if configured) Use the auto created ControllerCluster NSGroup

TCP (22, 80, 443)

DFW

Allow

The Controller cluster communication

Note:

Required only if the Controller is connected to an NSX-network segment.

The Controller management IPs

Use the NSX-T Cloud Connector created ControllerCluster specific NSGroup

The Controller Management IPs

Use the auto created ControllerCluster NSGroup

TCP (22, 8443)

Use the auto created ControllerCluster Service

DFW

Allow

The Service Engines to the Controller Secure Channel.

Note:

The Service Engines initiates TCP connection for the secure channel to the Controllers.

The Service Engine management IPs

Use the auto created ServiceEngineMgmtIPs NSGroup

The Controller Management IPs

Use the auto created ControllerCluster NSGroup

TCP (22, 8443) and UDP (123)

Use the auto created ControllerCluster Service

The Service Engine Virtual Machines

Use the auto created <prefix>-ServiceEngines NSGroup

Allow

When a new NSX-T Cloud Connector is created on the Controller, create these rules if Gateway Firewall is enabled. These rules need to be created only once per-Cloud.


Rule	Source	Destination	Destination Port	Apply To	Action
The Service Engines to the Controller Secure Channel Note: The Service Engines initiates TCP connection for the secure channel to the Controllers	The Service Engine management IPs Use the auto created `ServiceEngineMgmtIPs` NSGroup	The Controller management IPs and the Cluster IP (if configured) Use the auto created ControllerCluster NSGroup	TCP (22, 8443) and UDP (123) Use the auto created ControllerCluster Service	Tier-0 connected to the Service Engine Management Tier-1	Allow