You must create firewall rules for the Compute Gateway of each SDDC in the group. Without these rules, workloads running on group members cannot use VMware Transit Connect to communicate with each other.

Because all members of an SDDC Group are owned by the same VMware Cloud on AWS organization, network traffic among members of the group can be safely treated as East-West traffic, rather than North-South traffic that might have an external source or destination. But since an SDDC compute gateway's default firewall rules reject external traffic, you'll need to create firewall rules allowing that traffic through the compute gateway of each SDDC in the Group. (SDDC Groups do not currently need to route network traffic through members' management gateways.)

VMware Cloud on AWS defines a set of inventory groups intended for use in Compute Gateway firewall rules that provide high-level control over traffic among group members. These groups contain the prefixes (CIDR blocks) for routes learned over VMware Transit Connect and any AWS Transit Gateways owned by the SDDC's AWS account owner.
  • Transit Connect Customer TGW Prefixes: Routes learned from customer-owned AWS Transit Gateways.
  • Transit Connect DGW Prefixes: Routes learned from the group's Direct Connect Gateway.
  • Transit Connect Native VPCs Prefixes: Routes learned from the group's attached VPCs.
  • Transit Connect other SDDCs Prefixes: Routes learned from other SDDCs in the group.
Prefixes in each of these groups are automatically added, removed, and updated as group membership changes and new routes are learned.

For more information, see Add or Modify Compute Gateway Firewall Rules and Working With Inventory Groups.

Procedure

  1. Use the workflow defined in Add or Modify Compute Gateway Firewall Rules to create the inventory groups and compute gateway firewall rules you need.
    The system-defined inventory groups are useful for creating high-level connectivity among group members and attached VPCs. If you need to create finer-grained firewall rules that apply to individual workload segments in member SDDCs, you'll need to create inventory groups that define those segments, as shown in the example below.
  2. Click Gateway Firewall > Compute Gateway, then click ADD RULE.
    The system-defined inventory groups, along with any compute groups you defined, are available as choices on the Sources and Destinations pages. To enable unrestricted group connectivity, you could add a rule like this one, which allows inbound traffic to this SDDC from other group members.
    • Inbound from other SDDCs
      Sources: Transit Connect other SDDCs Prefixes
      Destinations: Any
      Services: Any
      Applied To: Direct Connect Interface
      Action: Allow
    If you have created inventory groups with the CIDR blocks of your local workload segments, you can use them to create rules at a higher precedence that apply finer-grained controls over this traffic.

Example: CGW Firewall Rules with User-Defined Inventory Groups to Allow Workload Traffic Between Group Members

These examples show how to use NSX Manager to create inventory groups and firewall rules. You can also use the VMware Cloud Console Networking & Security tab for this workflow. See SDDC Network Administration with NSX Manager.

Create the Groups
In NSX Manager, click Inventory > Compute Groups, then click ADD GROUP and create three groups. You can use any names you want for the groups. The ones we show here are just examples.
  • A group named Local Workloads that includes segment prefixes for the SDDC's own workload segments.
  • A group named Peer Workloads that includes segment prefixes for workload segments of other SDDCs in the group.
  • A group named Peer SDDC vCenters that includes the private IP address of the vCenter in each SDDC in the group.

For each group, click Set in the Compute Members column to open the Set Members tool. In this tool, you can click ADD CRITERIA and enter the IP Addresses or MAC Addresses of group members. You can also click ACTIONS > Import to import these values from a file.

Create the Rules
As shown in Step 2, open the Gateway Firewall card, click Compute Gateway, then click ADD RULE to create new rules that use the inventory groups you created for their Sources and Destinations. You can use any names you want for the rules. The ones we show here are just examples.
  • Local workload to peer workload
    Sources: Local Workloads
    Destinations: Peer Workloads
    Services: As needed for outbound traffic from local workloads to workloads in other group members
  • Peer workload to local workload
    Sources: Peer Workloads
    Destinations: Local Workloads
    Services: As needed for inbound traffic to local workloads from workloads in other group members
All rules governing SDDC group member traffic through the compute gateway firewall should be applied to All Uplinks and have an action of Allow.
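The following is an added example, not VMware code or anything from this page's product documentation: a small Python model of the rule set built in Step 2 (the broad "Inbound from other SDDCs" rule) together with the user-defined inventory groups and rules from the example above. All CIDRs are constructed sample values, and the `group_payload` helper's field names are an assumption about the NSX Policy API group object rather than something this page documents. It shows the gateway's top-down, first-match evaluation, why the finer-grained rules must sit above the broad rule, and a lint check for the "All Uplinks / Allow" requirement stated above.

```python
"""Model of the Compute Gateway rules described on this page (added example;
not VMware code). Sample prefixes below are constructed, not real SDDC data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample prefixes. In a real SDDC the "Transit Connect other SDDCs
# Prefixes" group is populated automatically from routes learned over Transit Connect.
GROUPS = {
    "Local Workloads": ["192.168.10.0/24", "192.168.11.0/24"],
    "Peer Workloads": ["192.168.20.0/24", "192.168.30.0/24"],
    "Peer SDDC vCenters": ["10.20.0.2/32", "10.30.0.2/32"],
    "Transit Connect other SDDCs Prefixes": ["10.20.0.0/16", "10.30.0.0/16",
                                             "192.168.20.0/24", "192.168.30.0/24"],
}


@dataclass
class Rule:
    name: str
    sources: str          # inventory group name, or "Any"
    destinations: str     # inventory group name, or "Any"
    services: frozenset   # e.g. {"tcp/443"}; {"Any"} matches every service
    applied_to: str       # "All Uplinks" or "Direct Connect Interface"
    action: str = "Allow"


# List order is precedence order, exactly as in the Gateway Firewall table:
# finer-grained user-defined rules first, the broad system-group rule last.
RULES = [
    Rule("Peer workload to local workload", "Peer Workloads", "Local Workloads",
         frozenset({"tcp/443"}), "All Uplinks"),
    Rule("Local workload to peer workload", "Local Workloads", "Peer Workloads",
         frozenset({"tcp/443", "tcp/5432"}), "All Uplinks"),
    Rule("Inbound from other SDDCs", "Transit Connect other SDDCs Prefixes", "Any",
         frozenset({"Any"}), "All Uplinks"),
]


def in_group(ip: str, group: str) -> bool:
    """True if ip falls within any CIDR of the named inventory group ("Any" always matches)."""
    if group == "Any":
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in GROUPS[group])


def first_match(rules, src: str, dst: str, service: str):
    """Return the first rule matching src/dst/service, mirroring the gateway
    firewall's top-down, first-match evaluation. None means nothing matched and
    the compute gateway's default rule applies, which rejects the traffic."""
    for rule in rules:
        if (in_group(src, rule.sources) and in_group(dst, rule.destinations)
                and ("Any" in rule.services or service in rule.services)):
            return rule
    return None


def lint_rules(rules) -> list:
    """Flag deviations from the page's guidance: group-member rules are applied to
    All Uplinks with action Allow, and finer-grained rules (both endpoints are
    user-defined groups) must be placed above the broad system-group rule."""
    problems = []
    broad_seen = False
    for rule in rules:
        if rule.action != "Allow" or rule.applied_to != "All Uplinks":
            problems.append(f"{rule.name}: must be Allow and applied to All Uplinks")
        is_broad = rule.sources.startswith("Transit Connect") or rule.destinations == "Any"
        if is_broad:
            broad_seen = True
        elif broad_seen:
            problems.append(f"{rule.name}: placed below a broad rule, so it never takes effect")
    return problems


def group_payload(name: str, cidrs: list) -> dict:
    """Request body for creating the same inventory group through the NSX Policy
    API. Field names are an assumption about the NSX-T Policy API group object as
    exposed by VMware Cloud on AWS; they are not documented on this page."""
    return {"display_name": name,
            "expression": [{"resource_type": "IPAddressExpression",
                            "ip_addresses": list(cidrs)}]}


if __name__ == "__main__":
    for src, dst, svc in [("192.168.20.5", "192.168.10.7", "tcp/443"),
                          ("192.168.20.5", "192.168.10.7", "tcp/22"),
                          ("10.20.0.2", "192.168.10.7", "tcp/22"),
                          ("203.0.113.9", "192.168.10.7", "tcp/443")]:
        hit = first_match(RULES, src, dst, svc)
        print(f"{src} -> {dst} {svc}: {hit.name if hit else 'default rule (rejected)'}")
    print("lint:", lint_rules(RULES) or "ok")
```

Because evaluation stops at the first match and the broad "Inbound from other SDDCs" rule allows any service, the finer-grained rules above it decide precedence only for the traffic they match; anything they do not match (for example tcp/22 from a peer workload in the run above) falls through to the broad rule. Reversing the list makes `lint_rules` report both user-defined rules as unreachable, which is the misordering the "higher precedence" guidance in Step 2 warns against.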