By default, the management gateway blocks traffic to all destinations from all sources. Add Management Gateway firewall rules to allow traffic as needed.

Management Gateway firewall rules specify actions to take on network traffic from a specified source to a specified destination. Sources and destinations can be defined as Any or as members of a system-defined or user-defined inventory group, but either the source or destination must be system-defined. See Add a Management Group for information about viewing or modifying inventory groups.

Procedure

  1. Log in to the VMware Cloud on AWS GovCloud at https://www.vmc-us-gov.vmware.com/.
  2. On the Networking & Security tab, click Gateway Firewall.
  3. On the Gateway Firewall card, click Management Gateway, then click ADD RULE and give the new rule a Name.
  4. Enter the parameters for the new rule.
    Parameters are initialized to their default values (for example, All for Sources and Destinations). To edit a parameter, move the mouse cursor over the parameter value and click the pencil icon to open a parameter-specific editor.

    Sources

    Select Any to allow traffic from any source address or address range.
    Important: If you need to access the Management Gateway over the public internet you must configure a management gateway firewall rule that allows traffic only from IP addresses you own or trust. For example, an enterprise that accesses the internet from a public IP address in the CIDR block 93.184.216.34/30 should create a management gateway firewall rule that allows only traffic with a Sources CIDR of 93.184.216.34/30 to access the management systems including vCenter, NSX Manager, and ESXi. Never configure a management gateway firewall rule to allow traffic originating from Any address. See VMware Knowledge Base article 84154 for more information about providing secure access to your SDDC management infrastructure.

    Select System Defined Groups and select one of the following source options:

    • ESXi to allow traffic from your SDDC's ESXi hosts.
    • NSX Manager to allow traffic from your SDDC's NSX-T manager appliance.
    • vCenter to allow traffic from your SDDC's vCenter Server.
    • Site Recovery Manager to allow traffic from your SDDC's Site Recovery Manager.

    Select User Defined Groups to use a management group that you have defined. See Add a Management Group.

    Destinations

    Select Any to allow traffic to any destination address or address range.

    Select System Defined Groups and select one of the following destination options:

    • ESXi to allow traffic to your SDDC's ESXi management.
    • NSX Manager to allow traffic to your SDDC's NSX-T.
    • vCenter to allow traffic to your SDDC's vCenter Server.
    • Site Recovery Manager to allow traffic to your SDDC's Site Recovery Manager.

    Services

    Select the service types that the rule applies to. The list of service types depends on your choices for Sources and Destinations.

    Action

    The only action available for a new management gateway firewall rule is Allow.

    The new rule is activated by default. Slide the toggle to the left to deactivate it.
  5. Repeat the previous step to apply the following firewall rules for VMware Site Recovery.
    Name | Source | Destination | Service | Action
    Remote SRM to vCenter Server | User-Defined Group that includes the remote Site Recovery Manager IP address | vCenter | HTTPS (TCP 443) | Allow
    Remote VR to vCenter Server | User-Defined Group that includes the remote vSphere Replication IP address | vCenter | HTTPS (TCP 443) | Allow
    Remote network to SRM (SRM Server Management) | User-Defined Group that includes the remote Site Recovery Manager and vSphere Replication IP addresses | Site Recovery Manager | VMware Site Recovery SRM | Allow
    Remote network to VR (VM Replication) | User-Defined Group that includes the remote ESXi hosts IP addresses | vSphere Replication | VMware Site Recovery vSphere Replication | Allow
    Remote network to VR (VR Server Management) | User-Defined Group that includes the remote Site Recovery Manager and vSphere Replication IP addresses | vSphere Replication | VMware Site Recovery vSphere Replication | Allow
    Remote network to VR (UI and API) | User-Defined Group that includes the remote browser IP address | vSphere Replication | VMware Site Recovery vSphere Replication | Allow
    SRM (HTTPS) to remote network | Site Recovery Manager | Any or User-Defined Group that includes the remote Platform Services Controller and vCenter Server IP addresses | HTTPS (TCP 443) | Allow
    VR (HTTPS) to remote network | vSphere Replication | Any or User-Defined Group that includes the remote Platform Services Controller and vCenter Server IP addresses | HTTPS (TCP 443) | Allow
    SRM (SRM Server Management) to remote network | Site Recovery Manager | Any or User-Defined Group that includes the remote Site Recovery Manager IP address | VMware Site Recovery SRM | Allow
    VR (SRM Server Management) to remote network | vSphere Replication | Any or User-Defined Group that includes the remote Site Recovery Manager IP address | VMware Site Recovery SRM | Allow
    ESXi (VM Replication) to remote network | ESXi | Any or User-Defined Group that includes the remote vSphere Replication IP addresses (combined vSphere Replication appliance and any add-on vSphere Replication appliances) | VMware Site Recovery vSphere Replication | Allow
    SRM (VR Server Management) to remote network | Site Recovery Manager | Any or User-Defined Group that includes the remote vSphere Replication IP address | VMware Site Recovery vSphere Replication | Allow
    VR (VR Server Management) to remote network | vSphere Replication | Any or User-Defined Group that includes the remote vSphere Replication IP address | VMware Site Recovery vSphere Replication | Allow
  6. Click PUBLISH to create the rule.

    The system gives the new rule an integer ID value, which is used in log entries generated by the rule.

    Firewall rules are applied in order from top to bottom. Because there is a default Drop rule at the bottom and the rules above are always Allow rules, management gateway firewall rule order has no impact on traffic flow.

Example: Create a Management Gateway Firewall Rule

To create a management gateway firewall rule that enables vMotion traffic from the on-premises ESXi hosts to the ESXi hosts in the SDDC:
  1. Create a management inventory group that contains the on-premises ESXi hosts that you want to enable for vMotion to the SDDC.
  2. Create a management gateway rule with source ESXi and destination on-premises ESXi hosts.
  3. Create another management gateway rule with source on-premises ESXi hosts group and destination ESXi with a vMotion service.
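As an added example that is not part of this documentation or of VMware's tooling, the following Python check applies the constraints stated above to a candidate rule set before it is published: either the source or the destination must be a system-defined group, and no rule may admit traffic from Any to a management destination. The rule dictionaries, the `source_cidrs` field describing a user-defined group's members and the /24 breadth threshold are constructed assumptions for the illustration.

```python
import ipaddress

# System-defined management inventory groups named on this page.
SYSTEM_DEFINED = {"ESXi", "NSX Manager", "vCenter",
                  "Site Recovery Manager", "vSphere Replication"}

def check_rule(rule):
    """Return the list of findings for one management gateway rule.

    `rule` is a constructed dict with name, source, destination, service and an
    optional source_cidrs list (assumed field: members of a user-defined group)."""
    findings = []
    src, dst = rule["source"], rule["destination"]
    # Either the source or the destination must be system-defined.
    if src not in SYSTEM_DEFINED and dst not in SYSTEM_DEFINED:
        findings.append("neither source nor destination is a system-defined group")
    # Never allow traffic from Any to a management system.
    if src == "Any" and dst in SYSTEM_DEFINED:
        findings.append("source Any reaches management destination " + dst)
    # Flag user-defined source groups whose members are broader than a /24
    # (the threshold is an assumption; pick what matches the addresses you own).
    for cidr in rule.get("source_cidrs", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen < 24:
            findings.append("source CIDR %s is broader than /24" % cidr)
    return findings

def audit(rules):
    """Map each rule name with at least one finding to its findings."""
    return {r["name"]: check_rule(r) for r in rules if check_rule(r)}

# Constructed sample rule set, not an export from a real SDDC.
SAMPLE_RULES = [
    {"name": "On-prem ESXi to SDDC ESXi (vMotion)", "source": "On-prem ESXi hosts",
     "source_cidrs": ["10.20.30.0/24"], "destination": "ESXi", "service": "vMotion"},
    {"name": "SDDC ESXi to on-prem ESXi (vMotion)", "source": "ESXi",
     "destination": "On-prem ESXi hosts", "service": "vMotion"},
    {"name": "Public vCenter access", "source": "Any",
     "destination": "vCenter", "service": "HTTPS (TCP 443)"},
    {"name": "Branch office to vCenter", "source": "Branch office",
     "source_cidrs": ["203.0.113.0/16"], "destination": "vCenter", "service": "HTTPS (TCP 443)"},
    {"name": "Workload to workload", "source": "App servers",
     "destination": "DB servers", "service": "HTTPS (TCP 443)"},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The two vMotion rules from the example above pass; the other three are reported, which is the outcome you want before clicking PUBLISH.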

What to do next

You can take any or all of these optional actions with an existing firewall rule.

  • Click the gear icon to view or modify rule logging settings. Log entries are sent to the VMware vRealize Log Insight Cloud Service. See Using vRealize Log Insight Cloud in the VMware Cloud on AWS Operations Guide.

  • Click the graph icon to view Rule Hits and Flow statistics for the rule.
    Table 1. Rule Hits Statistics
    Popularity Index: Number of times the rule was triggered in the past 24 hours.
    Hit Count: Number of times the rule was triggered since it was created.

    Table 2. Flow Statistics
    Packet Count: Total packet flow through this rule.
    Byte Count: Total byte flow through this rule.
    Statistics start accumulating as soon as the rule is enabled.