The Distributed Firewall Exclusion List lets you specify inventory groups to exclude from distributed firewall coverage. East-West network traffic to and from members of excluded groups is exempt from distributed firewall rules that would otherwise apply.

The Distributed Firewall exclusion list lets you keep specific inventory groups from being considered by distributed firewall rules. By default, management VMs and appliances, such as vCenter and NSX-T controllers, are on the exclusion list. You can edit the list to add or remove entries.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER.
    You can also use the VMC Console Networking & Security tab for this workflow. The Networking & Security tab combines NSX-T Networking tab features like VPN, NAT, and DHCP with Security tab features like firewalls.
  4. Open the Distributed Firewall page.
  5. Click ACTIONS > Settings > Exclusion List to display the Exclusion List page.
    • To add an existing group to the exclusion list, click ADD GROUP and select an existing Group Name.
    • To create a new group, click ADD GROUP on the Manage Exclusion List page, fill in the Group Name, then click Set Members to open the inventory group creation page. See Add or Modify a Compute Group for more information about using this page.
    • To remove a group from the list, click the Actions menu button at the beginning of the group row and choose Delete.
  6. Click APPLY to save your changes.
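Because every VM in an excluded group is exempt from all distributed firewall rules, it is worth periodically checking that the list only contains the management appliances you intended. The following script is an added example, not part of this documentation or of VMware's tooling: it audits an exclusion list against an allow-list of expected appliance name patterns and reports any other workload that has ended up outside distributed firewall coverage. The `members` array of group paths, the group-to-VM membership mapping, the `cgw` domain in the paths and the approved name patterns are all constructed sample data and assumptions; in practice you would populate them from your own inventory export.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample of a distributed firewall exclusion list. The shape
# (a "members" array of inventory group paths) is an assumption for this
# example, not something taken from the documentation page.
SAMPLE_EXCLUDE_LIST = {
    "members": [
        "/infra/domains/cgw/groups/mgmt-appliances",
        "/infra/domains/cgw/groups/app-tier",
    ]
}

# Constructed resolution of group path -> effective VM members. In a real
# audit this comes from the inventory; it is embedded here so the check
# runs offline.
SAMPLE_GROUP_MEMBERS = {
    "/infra/domains/cgw/groups/mgmt-appliances": ["vCenter-01", "NSX-Manager-01"],
    "/infra/domains/cgw/groups/app-tier": ["web-01", "web-02", "NSX-Edge-01"],
}

# Hypothetical allow-list of VM name patterns that are expected to sit
# outside distributed firewall coverage (management appliances only).
DEFAULT_APPROVED_PATTERNS = ["vCenter*", "NSX-Manager*", "NSX-Edge*"]


def is_approved(vm_name: str, patterns: List[str]) -> bool:
    """True if the VM name matches one of the approved appliance patterns."""
    return any(fnmatch.fnmatchcase(vm_name, p) for p in patterns)


def audit_exclusion_list(
    exclude_list: Dict[str, List[str]],
    group_members: Dict[str, List[str]],
    approved_patterns: List[str] = DEFAULT_APPROVED_PATTERNS,
) -> List[Tuple[str, str]]:
    """Return (group_path, vm_name) pairs for workloads that are exempt from
    the distributed firewall but do not match an approved appliance pattern."""
    findings = []
    for group_path in exclude_list.get("members", []):
        for vm in group_members.get(group_path, []):
            if not is_approved(vm, approved_patterns):
                findings.append((group_path, vm))
    return findings


def unresolved_groups(
    exclude_list: Dict[str, List[str]], group_members: Dict[str, List[str]]
) -> List[str]:
    """Excluded groups whose membership could not be resolved; these still
    need a manual look, since an empty or stale group may hide workloads."""
    return [p for p in exclude_list.get("members", []) if p not in group_members]


if __name__ == "__main__":
    for group_path, vm in audit_exclusion_list(SAMPLE_EXCLUDE_LIST, SAMPLE_GROUP_MEMBERS):
        print(f"UNEXPECTED exemption: {vm} via {group_path}")
    for group_path in unresolved_groups(SAMPLE_EXCLUDE_LIST, SAMPLE_GROUP_MEMBERS):
        print(f"UNRESOLVED group on exclusion list: {group_path}")
```

Run against the constructed data, the audit flags `web-01` and `web-02`: they were swept out of distributed firewall coverage because a whole application group, rather than just the edge appliance in it, was added to the exclusion list. Matching is done on VM names only to keep the example self-contained; a production check would key on VM identifiers and resolve group membership at audit time.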