Add or Modify Management Gateway Firewall Rules

Maintaining the safety and security of your SDDC management infrastructure is critical. By default, the management gateway blocks traffic to all management network destinations from all sources. You must add management gateway firewall rules to allow secure traffic from trusted sources.

When configuring access to the SDDC management infrastructure, it's critical that you evaluate the available connectivity options, configure the ones you need, and create management gateway firewall rules that prevent unauthorized access to the SDDC management network.

Configure AWS Direct Connect Between Your SDDC and On-Premises Data Center
This option provides dedicated connectivity between your enterprise and the SDDC and can be used in conjunction with an IPsec VPN to encrypt traffic.
Configure a VPN Connection Between Your SDDC and On-Premises Data Center
This option provides encrypted connectivity between your enterprise and the SDDC.
If you can't use Direct Connect or a VPN, you can access the SDDC management network over the public internet and rely on management gateway firewall rules to prevent access by untrusted sources. This option may be appropriate for some use cases but is inherently less secure than the others.

Management Gateway firewall rules specify actions to take on network traffic from a specified source to a specified destination. Either the source or destination must be a system-defined inventory group. See Working With Inventory Groups for information about viewing or modifying inventory groups.

Important: If you must access the Management Gateway over the public Internet, it's critical to configure a management gateway firewall rule that allows traffic only from IP addresses you own or trust. For example, an enterprise that accesses the internet from an address in the CIDR block 93.184.216.34/30 should create a management gateway firewall rule that allows only traffic with a Sources CIDR of 93.184.216.34/30 to access the management systems including vCenter Server, ESXi, and NSX. Never configure a management gateway firewall rule to allow traffic originating from Any address. See VMware Knowledge Base article 84154 for more information about providing secure access to your SDDC management infrastructure.

Procedure

Log in to VMware Cloud Services at https://vmc.vmware.com.
Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page.
You can also use the VMware Cloud Console Networking & Security tab for this workflow. See SDDC Network Administration with NSX Manager.
On the Gateway Firewall card, click Management Gateway, then click ADD RULE and give the new rule a Name.

Enter the parameters for the new rule.

Parameters are initialized to their default values (for example, All for Sources and Destinations). To edit a parameter, move the mouse cursor over the parameter value and click the pencil icon (

) to open a parameter-specific editor.

Option	Description
Sources	Select Any to allow traffic from any source address or address range. Important: Although you can select Any as the source address in a firewall rule, using Any as the source address in this firewall rule can enable attacks on your vCenter Server and may lead to compromise of your SDDC. As a best practice, configure this firewall rule to allow access only from trusted source addresses. See VMware Knowledge Base article 84154. Select System Defined Groups and select one of the following source options: ESXi to allow traffic from your SDDC's ESXi hosts. NSX Manager to allow traffic from your SDDC's NSX appliance. vCenter to allow traffic from your SDDC's vCenter Server. Select User Defined Groups to use a management group that you have defined. See Working With Inventory Groups.
Destinations	Select Any to allow traffic to any destination address or address range. Select System Defined Groups and select one of the following destination options: ESXi to allow traffic to your SDDC's ESXi management. NSX Manager to allow traffic to your SDDC's NSX appliance vCenter to allow traffic to your SDDC's vCenter Server.
Services	Select the service types that the rule applies to. The list of service types depends on your choices for Sources and Destinations.
Action	The only action available for a new management gateway firewall rule is Allow.

The new rule is enabled by default. Slide the toggle to the left to disable it.

Click PUBLISH to create the rule.

The system gives the new rule an integer ID value, which is used in log entries generated by the rule.

Firewall rules are applied in order from top to bottom. Because there is a default Drop rule at the bottom and the rules above are always Allow rules, management gateway firewall rule order has no impact on traffic flow.

Example: Create a Management Gateway Firewall Rule

To create a management gateway firewall rule that enables vMotion traffic from the on-premises ESXi hosts to the ESXi hosts in the SDDC:

Create a management inventory group that contains the on-premises ESXi hosts that you want to enable for vMotion to the SDDC.
Create a management gateway rule with source ESXi and destination on-premises ESXi hosts.
Create another management gateway rule with source on-premises ESXi hosts group and destination ESXi with a vMotion service.

What to do next

You can take any or all of these optional actions with an existing firewall rule.

Click the gear icon to view or modify rule logging settings. Log entries are sent to the VMwarevRealize Log Insight Cloud Service. See Using vRealize Log Insight Cloud in the VMware Cloud on AWS Operations Guide.

Click the graph icon

to view Rule Hits and Flow statistics for the rule.

Table 1. Rule Hits Statistics
Popularity Index	Number of times the rule was triggered in the past 24 hours.
Hit Count	Number of times the rule was triggered since it was created.

Table 2. Flow Statistics
Packet Count	Total packet flow through this rule.
Byte Count	Total byte flow through this rule.

Statistics start accumulating as soon as the rule is enabled.