Workload VMs on routed segments or HCX extended networks with MON enabled can connect to the Internet by default. NAT rules, Compute Gateway firewall rules, and distributed firewall rules, as well as default routes advertised by a VPN, DX, or VTGW connection all give you fine-grained control over Internet access.

Workload VMs can use private IP addresses to communicate with other workloads in the same SDDC or SDDC group. When a workload VM uses a public IP address, it gets the Source NAT Public IP shown on the Overview page unless it is subject to a custom NAT rule that applies to all traffic.

Workload traffic is subject to several kinds of special handling during firewall rule processing:
  • Workload-to-workload traffic is not subject to CGW firewall rules.
  • Distributed firewall rule processing on the source VM uses the destination's public IP address and the destination VM's source public IP, so these rules must be IP-based. Distributed firewall rules based on VM attributes do not affect workload-to-workload traffic.
  • Workload VM communication to the vCenter public IP is subject to MGW firewall rules, but the workload VM IP is translated to its public IP before the firewall rule is applied.
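The address selection and rule ordering described above (default Source NAT Public IP unless a custom all-traffic NAT rule applies, and translation before MGW rules are evaluated) can be modelled in a few lines. The following is an added illustration, not VMware or NSX code; the rule classes, the sample addresses and the first-match, default-deny evaluation are assumptions made for the example. It shows why an MGW rule written against a workload's private segment never matches traffic to the vCenter public IP.

```python
"""Simplified model of workload egress address selection and gateway rule
evaluation. Added example, not VMware/NSX code; names and addresses are
assumptions constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values (documentation ranges), not real SDDC addresses.
SDDC_SNAT_IP = "203.0.113.10"        # the "Source NAT Public IP" on the Overview page
VCENTER_PUBLIC_IP = "198.51.100.7"   # vCenter public IP


@dataclass
class NatRule:
    source: str          # private CIDR the rule applies to
    translated: str      # public IP the traffic leaves with
    all_traffic: bool    # True when the rule matches all traffic, not a single service


@dataclass
class FirewallRule:
    sources: list        # CIDR strings
    destinations: list   # CIDR strings
    action: str          # "ALLOW" or "DROP"


def source_after_nat(private_ip: str, nat_rules: list) -> str:
    """Public IP a workload egresses with: the first custom NAT rule that
    covers the VM and applies to all traffic wins, otherwise the SDDC SNAT IP."""
    addr = ip_address(private_ip)
    for rule in nat_rules:
        if rule.all_traffic and addr in ip_network(rule.source):
            return rule.translated
    return SDDC_SNAT_IP


def _matches(ip: str, cidrs: list) -> bool:
    return any(ip_address(ip) in ip_network(c) for c in cidrs)


def evaluate_rules(src: str, dst: str, rules: list, default: str = "DROP") -> str:
    """First-match rule evaluation with an assumed default-deny fallthrough."""
    for rule in rules:
        if _matches(src, rule.sources) and _matches(dst, rule.destinations):
            return rule.action
    return default


def mgw_decision(private_ip: str, nat_rules: list, mgw_rules: list) -> str:
    """Workload -> vCenter public IP: translate the source first, then apply
    the MGW rules, which is the ordering the page describes."""
    translated = source_after_nat(private_ip, nat_rules)
    return evaluate_rules(translated, VCENTER_PUBLIC_IP, mgw_rules)


# Constructed sample configuration.
NAT_RULES = [NatRule("10.0.20.0/24", "203.0.113.25", all_traffic=True)]

# Written against the private segment: never matches, because the source
# has already been translated when the MGW rule is evaluated.
MGW_PRIVATE_SRC = [FirewallRule(["10.0.0.0/8"], [VCENTER_PUBLIC_IP + "/32"], "ALLOW")]

# Written against the translated public sources: matches.
MGW_PUBLIC_SRC = [FirewallRule([SDDC_SNAT_IP + "/32", "203.0.113.25/32"],
                               [VCENTER_PUBLIC_IP + "/32"], "ALLOW")]

if __name__ == "__main__":
    print(source_after_nat("10.0.10.5", NAT_RULES))               # 203.0.113.10
    print(source_after_nat("10.0.20.5", NAT_RULES))               # 203.0.113.25
    print(mgw_decision("10.0.10.5", NAT_RULES, MGW_PRIVATE_SRC))  # DROP
    print(mgw_decision("10.0.10.5", NAT_RULES, MGW_PUBLIC_SRC))   # ALLOW
```

The practical check this encodes: when auditing MGW rules that are meant to permit workload access to vCenter, compare their source field against the SNAT IP and any custom NAT translated addresses, not against the workload segments.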
Note: All VMs on a network segment should use the same MTU. The MTU for traffic internal to the SDDC or over DX is capped at 8900 bytes. The path MTU for network traffic to other endpoints may be lower. See VMware Configuration Maximums.