The Distributed Firewall Exclusion List lets you specify inventory groups to exclude from distributed firewall coverage. East-West network traffic to and from members of excluded groups is exempt from distributed firewall rules that would otherwise apply.

The Distributed Firewall exclusion list lets you keep specific inventory groups from being considered by distributed firewall rules. By default, management VMs and appliances, such as vCenter and NSX controllers are on the exclusion list. You can edit the list to add or remove entries.


  1. Log in to VMware Cloud Services at
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page. See SDDC Network Administration with NSX Manager.
    You can also use the VMware Cloud Console Networking & Security tab for this workflow.
  4. Open the Distributed Firewall page.
  5. Click ACTIONS > Settings > Exclusion List to display the Exclusion List page.
    • To add an existing group to the exclusion list, click ADD GROUP and select an existing Group Name.
    • To create a group, from the Manage Exclusion List, click ADD GROUP, fill in the Group Name, then click Set Members to open the inventory group creation page. See Working With Inventory Groups for more information about using this page.
    • To remove a group from the list, click the Actions menu button at the beginning of the group row and choose Delete.
  6. Click APPLY to save your changes.