By default, the Compute Gateway blocks traffic to all uplinks. Add Compute Gateway firewall rules to allow traffic as needed.

Compute Gateway firewall rules specify actions to take on network traffic from a specified source to a specified destination. Actions can be either allow (allow the traffic) or drop (drop all packets matching the specified source and destination). Sources and destinations can be chosen from a list of a physical network interfaces, or the generic specification All Uplinks, which applies to all traffic leaving the gateway and going to the VPC interface, Internet interface, or Intranet (Direct Connect) interface.
Note: A firewall rule applied to All Uplinks does not apply to the VPN Tunnel Interface (VTI), which is a virtual interface and not a physical uplink. The VPN Tunnel Interface must be specified explicitly in the Applied To parameter of any firewall rule that manages workload VM communications over a route-based VPN.
The Compute Gateway includes a Default VTI Rule that drops all traffic to the VTI and a a Default Uplink Rule that drops traffic to All Uplinks. To enable workload VMs to communicate over the VTI, modify this rule or move it to a lower rank in the rule hierarchy, after more permissive rules.

All traffic attempting to pass through the firewall is subjected to the rules in the order shown in the rules table, beginning at the top. A packet allowed by the first rule is passed on to the second rule, and so on through subsequent rules until the packet is dropped, rejected, or hits a default rule.


Compute Gateway firewall rules require named inventory groups for Source and Destination values. See Add or Modify a Compute Group.


  1. Log in to VMware Cloud Services at
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
    You can also use the VMC Console Networking & Security tab for this workflow. The Networking & Security tab combines NSX-T Networking tab features like VPN, NAT, and DHCP with Security tab features like firewalls.
  4. On the GATEWAY FIREWALL page, click Compute Gateway.
  5. To add a rule, click ADD RULE and give the new rule a Name.
  6. Enter the parameters for the new rule.
    Parameters are initialized to their default values (for example, All for Sources and Destinations). To edit a parameter, move the mouse cursor over the parameter value and click the pencil icon ( ) to open a parameter-specific editor.
    Option Description
    Sources Click Any in the Sources column and select an inventory group for source network traffic, or click ADD GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
    Destinations Click Any in the Destinations column and select an inventory group for destination network traffic, or click CREATE NEW GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
    Services Click Any in the Services column and select a service from the list. Click SAVE.
    Applied To Define the type of traffic that the rule applies to:
    • Select VPN Tunnel Interface if you want the rule to apply to traffic over the route-based VPN.
    • Select VPC Interface if you want the rule to apply to traffic over the linked AWS VPC connection.
    • Select Internet Interface if you want the rule to apply to traffic over the Internet, including over policy-based VPNs using public IP.
    • Select Intranet Interface if you want the rule to allow traffic over AWS Direct Connect, VMware Transit Connect, and policy-based VPNs using private IP.
    • All Uplinks if you want the rule to apply to the VPC Interface, the Internet Interface, and the Intranet Interface, but not to the VPN Tunnel Interface.
      Note: The VPN Tunnel Interface is not classified as an uplink.
    • Select Allow to allow all L2 and L3 traffic to pass through the firewall.
    • Select Drop to drop packets that match any specified Sources, Destinations, and Services. This is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    • Select Reject to reject packets that match any specified Sources, Destinations, and Services. This action returns a "destination unreachable message" to the sender. For TCP packets, the response includes a TCP RST message. For UDP, ICMP and other protocols, the response includes an "administratively prohibited" code (9 or 10). The sender is notified immediately (without any re-tries) when connection cannot be established.
    The new rule is enabled by default. Slide the toggle to the left to disable it.
  7. Click PUBLISH to create the rule.

    The system gives the new rule an integer ID value, which is used in log entries generated by the rule.

What to do next

You can take any or all of these optional actions with an existing firewall rule.

  • Click the gear icon to view or modify rule logging settings. Log entries are sent to the VMwarevRealize Log Insight Cloud Service. See Using vRealize Log Insight Cloud in the VMware Cloud on AWS Operations Guide.

  • Click the graph icon to view Rule Hits and Flow statistics for the rule.
    Table 1. Rule Hits Statistics
    Popularity Index Number of times the rule was triggered in the past 24 hours.
    Hit Count Number of times the rule was triggered since it was created.
    Table 2. Flow Statistics
    Packet Count Total packet flow through this rule.
    Byte Count Total byte flow through this rule.
    Statistics start accumulating as soon as the rule is enabled.
  • Reorder firewall rules.

    A rule created from the ADD NEW RULE button is placed at the top of the list of rules. Firewall rules are applied in order from top to bottom. To change the position of a rule in the list, select it and drag it to a new position. Click PUBLISH to publish the change.