The SDDC NSX Manager is accessible at a public IP address reachable by any browser that can connect to the Internet. Click OPEN NSX MANAGER on the SDDC Summary page.

The SDDC NSX Manager also has a private IP address on the management network, which is protected by the management gateway (MGW). By default, the MGW blocks traffic to all management network destinations, including NSX, from all sources. To access the local NSX Manager at its private IP address, you must add management gateway firewall rules that allow only secure traffic from trusted sources. You can use any of the following connection types to connect to the SDDC NSX Manager at a private IP address:

If you can't use Direct Connect or a VPN, you can access the local NSX Manager over the Internet at its public IP address. All traffic to the local NSX Manager public IP is encrypted and authenticated, which minimizes the risk of tampering with this connection or its traffic outside of your private network. The Settings tab for your SDDC provides connection and authentication details for connecting to the local NSX Manager.

Note:

In an SDDC where VMware Tanzu Kubernetes Grid has been enabled, NSX Manager can display a Load Balancers tab. Services from this load balancer are available only to Tanzu Kubernetes Grid workloads. See VMware Knowledge Base article 86368 for more information.

Prerequisites

This operation is restricted to users who have a VMware Cloud on AWS service role of NSX Cloud Admin or NSX Cloud Auditor. See Assign Roles to an Organization Member for more information on VMware Cloud on AWS service roles and how to assign them.
  • An NSX service role is required for users to access NSX Manager using SSO authentication, whether through the "Private URL (Log in through VMware Cloud Services)", the "Public URL", or the OPEN NSX MANAGER button.
  • When accessing the NSX Manager directly using either of the NSX Manager URLs, a VMware Cloud on AWS Service Role such as Administrator or Administrator (Delete Restricted) is not required as long as the user has one of the NSX roles mentioned in Assign Roles to an Organization Member.
  • When accessing the NSX Manager using "Private URL (Log in through NSX Manager credentials)", it is also possible to assign NSX roles to LDAP users or groups in the NSX Manager directly, or by using the predefined system roles. Predefined system roles do not require a VMware Cloud on AWS or NSX role assigned to the user in the CSP if the user has been granted a role directly from NSX Manager.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click the OPEN NSX MANAGER button on the SDDC card to open the local NSX Manager at its default public IP address.
    You are logged in to NSX using your VMware Cloud on AWS credentials.
  4. If your SDDC includes a VPN or DX connection and you want to access NSX Manager at its private IP address, create a Management Gateway firewall rule that allows HTTPS traffic from the VPN or DX to the local NSX Manager, then use a browser to open a connection to one of the NSX Manager URLs listed on the Settings tab.
    1. Click the OPEN NSX MANAGER button and create the firewall rule.
      See Add or Modify Management Gateway Firewall Rules for more information about how to create a Management Gateway firewall rule. The rule must have the following parameters:
      MGW firewall rule properties and values:
        • Sources: An IP address or CIDR block in your on-premises data center.
          Important: Although you can select Any as the source address in a firewall rule, using Any as the source address in this firewall rule can enable attacks on your NSX Manager and may lead to compromise of your SDDC. As a best practice, configure this firewall rule to allow access only from trusted source addresses.
        • Destinations: The NSX Manager system-defined group.
        • Services: HTTPS (TCP 443)
        • Action: Allow
    2. Use a browser to open a connection to NSX.
      Expand the NSX Manager URLs on the Settings tab to see the URLs and accounts that you can use.
      Access NSX Manager via the Internet
      This URL contains the local NSX Manager's public IP address. We use this address when you click the OPEN NSX MANAGER button.
      Access NSX Manager via internal network
      This is the NSX Manager's private IP address on the management subnet. A management gateway firewall rule like the one shown in 4.a allows traffic to this address.

      If you cannot access NSX Manager via the internal network even though you have created the necessary firewall rules, the problem might be caused by transient network issues. Click TRY AGAIN to re-try access via the internal network, or open a browser and connect to NSX Manager at its public URL. NSX private and public URLs are listed on the SDDC Console Settings page.

      URL to access via internal network (Log in through VMware Cloud Services)
      Open this URL in a browser and log in to NSX Manager using your VMware Cloud on AWS credentials.
      URL to access via internal network (Log in through NSX Manager credentials)
      Open this URL in a browser and log in using the credentials of the NSX Manager Admin User Account (to perform all tasks related to deployment and administration of NSX) or the NSX Manager Audit User Account (to view NSX service settings and events).
    3. (Optional) Change the NSX Manager default access to use the internal network.
      After you have configured access to NSX Manager via the internal network, you can open the SDDC Settings tab and change the NSX Manager button default access from Via the Internet (Public) to Via internal network (Private). After you make this change, clicking the OPEN NSX MANAGER button opens the local NSX Manager at its private IP address on the internal network.
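
A check for the firewall rule described in step 4.a, as an added example that is not part of the VMware documentation: it audits a set of management gateway rules and reports any rule that allows access to NSX Manager from Any, from a source outside a trusted CIDR list, or over services other than HTTPS. The rule dictionary shape, the trusted ranges and the sample rules are constructed for illustration and are not the NSX API format.

```python
import ipaddress

# Assumption: CIDR blocks your organisation treats as trusted (constructed values).
TRUSTED = [ipaddress.ip_network(c) for c in ("10.20.0.0/16", "192.168.50.0/24")]
NSX_GROUP = "NSX Manager"  # destination group named in the rule parameters above


def audit_rule(rule, trusted=TRUSTED):
    """Return findings for one MGW rule; an empty list means it follows the guidance."""
    findings = []
    if NSX_GROUP not in rule["destinations"] or rule["action"].lower() != "allow":
        return findings  # rule does not grant access to NSX Manager
    for src in rule["sources"]:
        if src.strip().lower() == "any":
            findings.append("source is Any")
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            findings.append(f"source {src!r} is not an IP address or CIDR block")
            continue
        # Compare only within the same IP version; subnet_of raises otherwise.
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            findings.append(f"source {net} is outside the trusted ranges")
    extra = [s for s in rule["services"] if s.upper() not in ("HTTPS", "HTTPS (TCP 443)")]
    if extra:
        findings.append("services other than HTTPS allowed: " + ", ".join(extra))
    return findings


def audit(rules):
    """Map rule name -> findings, for rules that have at least one finding."""
    return {r["name"]: f for r in rules if (f := audit_rule(r))}


# Constructed sample rules, not exported from a real SDDC.
SAMPLE_RULES = [
    {"name": "nsx-from-dc", "sources": ["10.20.30.0/24"], "destinations": ["NSX Manager"],
     "services": ["HTTPS"], "action": "Allow"},
    {"name": "nsx-from-any", "sources": ["Any"], "destinations": ["NSX Manager"],
     "services": ["HTTPS"], "action": "Allow"},
    {"name": "nsx-wide", "sources": ["10.0.0.0/8", "203.0.113.7"],
     "destinations": ["NSX Manager"], "services": ["HTTPS", "SSH"], "action": "Allow"},
    {"name": "vcenter-any", "sources": ["Any"], "destinations": ["vCenter"],
     "services": ["HTTPS"], "action": "Allow"},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name, "->", "; ".join(findings))
```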