In the default configuration, firewall rules prevent VMs on the compute network from accessing VMs on the management network. To allow individual workload VMs to access management VMs, create Workload and Management inventory groups, then create management gateway firewall rules that reference them.

Procedure

  1. Create Workload inventory groups: one for the management network and one for the workload VM that you want to have access to it.
    On the Networking & Security tab, click Groups in the Inventory category, then click Workload Groups. Create two workload groups:
    • Click ADD GROUP and create a group with a Member Type of IP address and the CIDR block of the management network. Click SAVE to create the group.
    • Click ADD GROUP and create a group with a Member Type of Virtual Machine and a Member VM from your vSphere inventory. Click SAVE to create the group.
  2. Create a Management inventory group to represent the management network that you want to access from the Workload group.
    On the Networking & Security tab, click Groups in the Inventory category, then click Management Groups. Click ADD GROUP and create a group with a Member Type of IP address and the management network CIDR block. Click SAVE to create the group.
  3. Create a management gateway firewall rule allowing inbound traffic to the vCenter server and ESXi.
    See Add or Modify Management Gateway Firewall Rules for information about creating management gateway firewall rules. Assuming your workload VMs only need to access vSphere, PowerCLI, or OVFtool on vCenter and ESXi, then the rule need only allow access on port 443.
    Table 1. Management Gateway Rule to Allow Inbound Traffic to ESXi and vCenter

    | Name                          | Source                     | Destination        | Services        | Action |
    |-------------------------------|----------------------------|--------------------|-----------------|--------|
    | Inbound to ESXi               | Workload VM private IP     | ESXi               | HTTPS (TCP 443) | Allow  |
    | Inbound to vCenter private IP | Workload VM private IP     | vCenter private IP | HTTPS (TCP 443) | Allow  |
    | Inbound to vCenter public IP  | Workload VM with NATted IP | vCenter public IP  | HTTPS (TCP 443) | Allow  |
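The same groups and rules expressed as NSX Policy API objects, with a check that each rule stays as narrow as Table 1 intends (one source group, one destination group, HTTPS only). This is an added example, not the product's own code or API client; the JSON field names, the predefined MGW group paths (ESXI, VCENTER), the HTTPS service path and the group IDs and CIDR used are assumptions.

```python
# Added example: build the Table 1 rules as NSX Policy API objects and flag
# drift from their intended scope. Field names, the predefined MGW group and
# service paths, and all IDs/CIDRs below are assumptions, not from the page.
MGW_ESXI = "/infra/domains/mgw/groups/ESXI"        # assumed predefined group
MGW_VCENTER = "/infra/domains/mgw/groups/VCENTER"  # assumed predefined group
HTTPS = "/infra/services/HTTPS"                    # assumed predefined service
ANY = "ANY"

def ip_group(domain, group_id, cidrs):
    """Inventory group with Member Type = IP address (steps 1 and 2)."""
    return {"id": group_id, "display_name": group_id,
            "path": f"/infra/domains/{domain}/groups/{group_id}",
            "expression": [{"resource_type": "IPAddressExpression",
                            "ip_addresses": list(cidrs)}]}

def vm_group(domain, group_id, vm_external_ids):
    """Workload group with Member Type = Virtual Machine (step 1, second group)."""
    return {"id": group_id, "display_name": group_id,
            "path": f"/infra/domains/{domain}/groups/{group_id}",
            "expression": [{"resource_type": "ExternalIDExpression",
                            "member_type": "VirtualMachine",
                            "external_ids": list(vm_external_ids)}]}

def mgw_rule(rule_id, source, destination, seq):
    """One management gateway rule: single source, single destination, HTTPS only."""
    return {"id": rule_id, "display_name": rule_id, "sequence_number": seq,
            "source_groups": [source], "destination_groups": [destination],
            "services": [HTTPS], "action": "ALLOW", "scope": ["/infra/labels/mgw"]}

def table1_rules(workload_private, workload_nat, vcenter_public):
    """The three rules of Table 1, given caller-supplied paths for the workload
    VM group, the NATted workload group and a group holding the vCenter public IP."""
    return [mgw_rule("Inbound to ESXi", workload_private, MGW_ESXI, 10),
            mgw_rule("Inbound to vCenter private IP", workload_private, MGW_VCENTER, 20),
            mgw_rule("Inbound to vCenter public IP", workload_nat, vcenter_public, 30)]

def check_rule(rule):
    """Return the ways a rule is broader than Table 1: ANY on either side,
    services beyond HTTPS (TCP 443), or more than one group per side."""
    problems = []
    if ANY in rule["source_groups"]:
        problems.append("source is ANY")
    if ANY in rule["destination_groups"]:
        problems.append("destination is ANY")
    if rule["services"] != [HTTPS]:
        problems.append("services broader than HTTPS (TCP 443)")
    if len(rule["source_groups"]) != 1 or len(rule["destination_groups"]) != 1:
        problems.append("more than one group per side")
    return problems
```

Feed the rules exported from the management gateway into check_rule to catch a rule that was later widened to ANY or to additional services.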