Some common firewall rule configurations include opening access to the vSphere Client from the internet, allowing access to vCenter through the management VPN tunnel, and allowing remote console access.

Commonly Used Firewall Rules

The following table shows the Service, Source, and Destination settings for commonly-used firewall rules.

Table 1. Commonly-Used Firewall Rules

Use case: Provide access to vCenter from the internet. Use for general vSphere Client access as well as for monitoring vCenter.
Service: HTTPS
Source: IP address or CIDR block from on-premises data center
    Important: Although you can select Any as the source address in a firewall rule, you cannot use Any or the wildcard 0.0.0.0/0 as the source address when the destination is vCenter. Doing so can enable attacks on your vCenter and may lead to compromise of your SDDC. Beginning with SDDC version 1.22, we prevent you from publishing a management gateway firewall rule with a source address of Any or 0.0.0.0/0 and destinations that include vCenter.
Destination: vCenter

Use case: Provide access to vCenter over VPN tunnel. Required for Management Gateway VPN, Hybrid Linked Mode, and Content Library.
Service: HTTPS
Source: IP address or CIDR block from on-premises data center
Destination: vCenter

Use case: Provide access from cloud vCenter to on-premises services such as Active Directory, Platform Services Controller, and Content Library.
Service: Any
Source: vCenter
Destination: IP address or CIDR block from on-premises data center

Use case: Provisioning operations involving network file copy traffic, such as cold migration, cloning from on-premises VMs, snapshot migration, replication, and so on.
Service: Provisioning
Source: IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel
Destination: ESXi Management

Use case: VMRC remote console access. Required for VMware Aria Automation.
Service: Remote Console
Source: IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel
Destination: ESXi Management

Use case: vMotion traffic over VPN
Service: Any
Source: ESXi Management
Destination: IP address or CIDR block from on-premises data center
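The guardrail described in the Important note above (no management gateway rule may reach vCenter from a source of Any or 0.0.0.0/0) is easy to reproduce as a pre-publish check over a rule set exported from your own tooling. The following is an added example, not VMware's code or API: the MgwRule fields, the rule names, and the 203.0.113.0/24 sample range are this example's own assumptions. It goes slightly beyond the page by also treating the IPv6 wildcard ::/0 as unrestricted, since it matches every address in the same way.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Hypothetical rule model for this example; field names are not the
# VMware Cloud on AWS API. Source/destination are either a system group
# name ("vCenter", "ESXi Management"), the literal "Any", or an IP/CIDR.
@dataclass
class MgwRule:
    name: str
    service: str
    source: str
    destination: str


SYSTEM_GROUPS = {"vCenter", "ESXi Management"}


def is_unrestricted_source(source: str) -> bool:
    """True when the source matches every address: 'Any' or a zero-length prefix.

    System group names (vCenter, ESXi Management) are never unrestricted.
    An unparsable string is treated as a named object, not as a wildcard.
    """
    if source.strip().lower() == "any":
        return True
    if source in SYSTEM_GROUPS:
        return False
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False
    # 0.0.0.0/0 and ::/0 both have a prefix length of zero.
    return net.prefixlen == 0


def find_exposed_vcenter_rules(rules: List[MgwRule]) -> List[str]:
    """Return the names of rules that would expose vCenter to any source.

    Mirrors the SDDC 1.22 publish-time restriction from the page: a rule whose
    destination includes vCenter may not use Any or a wildcard CIDR as source.
    """
    return [
        r.name
        for r in rules
        if r.destination == "vCenter" and is_unrestricted_source(r.source)
    ]


# Constructed sample rule set (names and addresses made up for this example;
# 203.0.113.0/24 is a documentation range standing in for an on-premises block).
SAMPLE_RULES = [
    MgwRule("vsphere-client-onprem", "HTTPS", "203.0.113.0/24", "vCenter"),
    MgwRule("vcenter-to-onprem-ad", "Any", "vCenter", "203.0.113.0/24"),
    MgwRule("vmotion-over-vpn", "Any", "ESXi Management", "203.0.113.0/24"),
    MgwRule("remote-console", "Remote Console", "203.0.113.0/24", "ESXi Management"),
    # The next three would be rejected at publish time on SDDC 1.22 and later.
    MgwRule("vcenter-from-any", "HTTPS", "Any", "vCenter"),
    MgwRule("vcenter-from-v4-wildcard", "HTTPS", "0.0.0.0/0", "vCenter"),
    MgwRule("vcenter-from-v6-wildcard", "HTTPS", "::/0", "vCenter"),
]

if __name__ == "__main__":
    for name in find_exposed_vcenter_rules(SAMPLE_RULES):
        print(f"REJECT: rule '{name}' exposes vCenter to every source address")
```

Run the check against a rule export before publishing; the rules whose source is a named group (the cloud-to-on-premises and vMotion rows in the table) pass, because the wildcard test only applies to Any and zero-length prefixes, not to system group objects.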