Firewall rules often apply to traffic from a network service. A new SDDC includes inventory entries for most of the common network service types, but you can add custom services if you need to.

When you create a firewall rule, you can specify that it applies to network traffic from one or more of the services defined in your SDDC's Services inventory. The default list includes VMware services such as remote console and provisioning, standard services such as IKE, ICMP, and TCP, and many well-known third-party services. You can add services to this list by selecting values, typically ports and protocols, from a list of service types and additional service properties.


  1. Log in to VMware Cloud Services at
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
    You can also use the VMC Console Networking & Security tab for this workflow. The Networking & Security tab combines NSX-T Networking tab features like VPN, NAT, and DHCP with Security tab features like firewalls.
  4. Open the Inventory page.
    The Services card lists the predefined services.
  5. Click ADD SERVICE and give the service a Name.
  6. Click Set Service Entries to open the Set Service Entries page.
  7. On the Set Service Entries page, click ADD SERVICE ENTRY.
    To view the list of known services, use the drop-down controls to scroll through the Service Type and Additional Properties lists. To add a service, select a Service Type from the drop-down menu and specify Additional Properties such as Source or Destination Ports of the service, then click APPLY.
  8. (Optional) Provide a service Description and tag the service.

    See Add Tags to an Object in the NSX-T Data Center Administration Guide for more information about tagging NSX-T objects.

  9. Click SAVE to create the service definition.
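
The following added example (not part of the original procedure or VMware's own code) builds the same kind of service definition as a JSON document and checks the port values before anything is saved, so that a rule referencing the service does not match more ports than intended. It assumes the field names of the NSX-T Policy API `Service` and `L4PortSetServiceEntry` objects, which this page does not show; the service name, ports, and the `MAX_RANGE` limit are constructed for illustration.

```python
import json
import re

# Field names follow the NSX-T Policy API "Service" / "L4PortSetServiceEntry"
# schema; that schema is an assumption here, it is not shown on this page.
PORT_SPEC = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")
MAX_RANGE = 100  # hypothetical local policy: reject entries wider than this


def check_ports(specs):
    """Validate port strings such as "8443" or "9000-9010"; return them as a list."""
    for spec in specs:
        m = PORT_SPEC.match(spec)
        if not m:
            raise ValueError(f"not a port or port range: {spec!r}")
        low = int(m.group(1))
        high = int(m.group(2) or m.group(1))
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"port out of range or reversed: {spec!r}")
        if high - low + 1 > MAX_RANGE:
            raise ValueError(f"range wider than {MAX_RANGE} ports: {spec!r}")
    return list(specs)


def build_service(name, protocol, destination_ports, source_ports=(), description=""):
    """Return the service definition as a dict ready to serialise as JSON."""
    if protocol not in ("TCP", "UDP"):
        raise ValueError("this sketch only covers TCP and UDP service entries")
    if not destination_ports:
        # Local policy in this sketch: always pin the destination ports explicitly.
        raise ValueError("destination ports are required")
    entry = {
        "resource_type": "L4PortSetServiceEntry",
        "display_name": f"{name}-{protocol.lower()}",
        "l4_protocol": protocol,
        "source_ports": check_ports(source_ports),
        "destination_ports": check_ports(destination_ports),
    }
    return {"display_name": name, "description": description, "service_entries": [entry]}


if __name__ == "__main__":
    # Constructed sample: an internal app listening on 8443 and 9000-9010.
    print(json.dumps(build_service("app-backend", "TCP", ["8443", "9000-9010"]), indent=2))
```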