The Distributed Firewall Exclusion List lets you specify inventory groups to exclude from distributed firewall coverage. East-West network traffic to and from members of excluded groups is exempt from distributed firewall rules that would otherwise apply.

The Distributed Firewall Exclusion List lets you keep specific inventory groups from being evaluated by distributed firewall rules. By default, management VMs and appliances, such as vCenter, NSX Manager, and NSX Controllers, are on the exclusion list. You can edit the list to add or remove entries.


  1. Log in to the VMware Cloud on AWS GovCloud at
  2. Select Networking & Security > Distributed Firewall.
  3. Click ACTIONS > Settings > Exclusion List to display the Manage Exclusion List page.
    • To add an existing group to the exclusion list, click ADD GROUP and select an existing Group Name.
    • To create a new group from the Manage Exclusion List page, type a name for the group in the Group Name field, then click Set Members to open the inventory group creation page. See Add or Modify a Compute Group for more information about using this page.
    • To remove a group from the list, click the vertical ellipsis button at the beginning of the group row and click Delete.
  4. Click APPLY to save your changes.
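Because members of excluded groups are exempt from every distributed firewall rule, the check a practitioner wants after editing the list is which VMs actually end up exempt, including through nested groups. The following audit is an added example, not part of this documentation or any VMware code; the inventory, the "group:" nesting convention, and the management-appliance allowlist are constructed assumptions rather than the NSX data model.

```python
"""Audit an NSX Distributed Firewall exclusion list (constructed example).

Members of excluded groups bypass every DFW rule, so we resolve each
excluded group to its VMs and flag anything that is not a known
management appliance.  All inventory data below is constructed.
"""
from typing import Dict, List, Optional, Set

# Constructed inventory: group name -> direct members.  Nested groups are
# written with a "group:" prefix (an assumption for this example only).
GROUPS: Dict[str, List[str]] = {
    "mgmt-appliances": ["vcenter-01", "nsx-manager-01", "group:nsx-controllers"],
    "nsx-controllers": ["nsx-ctrl-01", "nsx-ctrl-02"],
    "web-tier": ["web-01", "web-02"],
    "legacy-apps": ["erp-01", "group:web-tier"],
}

# Constructed allowlist: appliances that belong on the default exclusion list.
MANAGEMENT_VMS: Set[str] = {"vcenter-01", "nsx-manager-01", "nsx-ctrl-01", "nsx-ctrl-02"}


def resolve_members(group: str, groups: Dict[str, List[str]],
                    seen: Optional[Set[str]] = None) -> Set[str]:
    """Return every VM reachable from a group, following nested groups and
    tolerating cycles and unknown group names."""
    seen = set() if seen is None else seen
    if group in seen or group not in groups:
        return set()
    seen.add(group)
    vms: Set[str] = set()
    for member in groups[group]:
        if member.startswith("group:"):
            vms |= resolve_members(member[len("group:"):], groups, seen)
        else:
            vms.add(member)
    return vms


def audit_exclusion_list(excluded_groups: List[str], groups: Dict[str, List[str]],
                         management_vms: Set[str]) -> Dict[str, Set[str]]:
    """Split the DFW-exempt VMs into expected management appliances and
    workloads that should not have landed on the exclusion list."""
    exempt: Set[str] = set()
    for g in excluded_groups:
        exempt |= resolve_members(g, groups)
    return {"management": exempt & management_vms, "unexpected": exempt - management_vms}


if __name__ == "__main__":
    report = audit_exclusion_list(["mgmt-appliances", "legacy-apps"], GROUPS, MANAGEMENT_VMS)
    print("Exempt management appliances:", sorted(report["management"]))
    print("Exempt workloads to review:", sorted(report["unexpected"]))
```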