To prepare a new SDDC to run compliance-audited workloads, you must create a firewall rule that allows you to connect directly to the SDDC's local NSX Manager, then disable the VMC Console Networking & Security tab and use the local NSX Manager to manage your SDDC networks.

Access controls on the VMC Console Networking & Security tab are not appropriate for a compliance-hardened SDDC. Any access to an SDDC using the Networking & Security tab renders the SDDC non-compliant. To maintain compliance, you must manage your SDDC networks using only the local NSX Manager, which has an authentication framework that meets compliance hardening requirements. Access to the Networking & Security tab must be disabled before you begin a compliance audit, and must remain disabled the duration of the audited period.

Before you disable access to the Networking & Security tab, you'll use it to create a VPN connection to your on-premises data center and a management gateway firewall rule that allows you to access the local NSX Manager over that VPN. After you verify that you can access NSX Manager, you can proceed to prepare the SDDC for compliance hardening by disabling access to the Networking & Security tab. If you need to re-enable access to the Networking & Security tab, contact VMware Support.

Prerequisites

  • You must be logged into the VMC console as a user with a VMC service role of Administrator or Administrator (Delete Restricted).

  • You must have a VPN connection to the SDDC. See Configure a VPN Connection Between Your SDDC and On-Premises Data Center in the VMware Cloud on AWS Networking and Security guide. After you have disabled Networking & Security tab access, a connection to the local NSX Manager over a VPN is the only way to manage your SDDC network. To ensure that you can reach the local NSX Manager in the event of a network failure, we recommend configuring a redundant connection, such as AWS Direct Connect with a route-based VPN as the backup, as described in Configure Direct Connect to a Private Virtual Interface for SDDC Management and Compute Network Traffic in the VMware Cloud on AWS Networking and Security guide.

  • Compliance hardening must be enabled in the SDDC. VMware Cloud on AWS does not enable compliance hardening by default. Contact your account team for more information. Compliance hardening can be configured in SDDCs at version 1.14 and later created in an AWS region that provides the appropriate support, as shown in Choosing a Region.

Procedure

  1. Log in to the VMC Console at https://vmc.vmware.com.
  2. Create a Management Gateway firewall rule that allows you to open an HTTPS connection to the local NSX Manager for this SDDC.
    See Add or Modify Management Gateway Firewall Rules in the VMware Cloud on AWS Networking and Security guide for more information about how to create a Management Gateway firewall rule. The rule must have the following parameters:
    MGW Firewall Rule Property   Value
    Sources                      Any, or a specific IP address in your on-premises network.
    Destinations                 The NSX Manager system-defined group.
    Services                     HTTPS (TCP 443)
    Action                       Allow
  3. (Required) Test the firewall rule.
    You cannot gain access to the local NSX Manager until you have disabled access to the Networking & Security tab, so it's important to verify that your firewall rule works before you proceed with the next step. To test the rule, verify that you can view the local NSX Manager's index.html page. Use a Web browser to open a connection to https://NSX-Manager-IP/nsx/index.html, where NSX-Manager-IP is the Private IP shown under Access NSX Manager via internal network in NSX Manager Information on the Settings tab of your SDDC. If your firewall rule is correct, this request returns the local NSX Manager's index.html page, which displays several JSON key/value pairs, including error_code: 403. You cannot take any actions on this page.
  4. After you have verified that your firewall rule is correct, you can proceed to disable access to the Networking & Security tab.
    1. Navigate to the Settings tab of your SDDC.
    2. On the Compliance Hardening section of the Settings tab, expand the Networking & Security tab access line to display the Disable Networking & Security tab access card.
    3. Confirm your understanding of the workflow.
      After you have verified that you can access the local NSX Manager’s index.html page, select the checkbox to confirm that you have created and tested the necessary firewall rule and are ready to proceed. Select the checkbox to confirm that you understand that you'll need to file a VMware support request if you want to re-enable access to the Networking & Security tab for this SDDC.
    4. Click DISABLE to disable Networking & Security access.
  5. Open NSX Manager.
    Log in to the VMC Console and open the Networking & Security tab. Click the OPEN NSX MANAGER button on this tab and log in with the Default NSX Manager Credentials. See NSX Manager in the NSX-T Data Center Administration Guide for information about how to use NSX Manager.
    Note:

    If you want to view (but not modify) the networking configuration for this SDDC, you can log in with the credentials of the NSX Manager Audit User Account, which are available under NSX Manager Information on the Settings tab.
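As an added check for step 3 (example code, not part of the VMware documentation), this Python script opens the same HTTPS connection to /nsx/index.html that the Management Gateway rule must allow, and confirms that the reply is the expected JSON page carrying error_code 403 rather than a connection failure or some other page. NSX_MANAGER_IP is a placeholder you fill in from the Settings tab; the trust-store handling is an assumption about your environment.

```python
import json
import ssl
import urllib.error
import urllib.request
from typing import Tuple

# Placeholder: replace with the Private IP shown under "Access NSX Manager via
# internal network" in NSX Manager Information on the SDDC Settings tab.
NSX_MANAGER_IP = "NSX-MANAGER-IP-PLACEHOLDER"


def index_url(ip: str) -> str:
    """URL of the local NSX Manager index page named in step 3."""
    return f"https://{ip}/nsx/index.html"


def is_expected_preflight_response(status: int, body: bytes) -> bool:
    """True when the reply matches what the procedure says a working rule
    returns: HTTP 403 whose JSON body includes error_code 403."""
    if status != 403:
        return False
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return isinstance(data, dict) and data.get("error_code") == 403


def probe_nsx_manager(ip: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Open the HTTPS connection the firewall rule must allow; return (status, body).
    A timeout or connection error propagates to the caller, which distinguishes
    "TCP 443 is blocked" from "443 is open but the page is not what we expect".
    Certificate verification stays on; if the manager's certificate is not in the
    host trust store (assumption), add it with ctx.load_verify_locations(cafile=...)."""
    ctx = ssl.create_default_context()
    req = urllib.request.Request(index_url(ip), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # 403 is the success case here, and urllib raises on it, so unwrap it.
        return err.code, err.read()


if __name__ == "__main__":
    code, page = probe_nsx_manager(NSX_MANAGER_IP)
    print("rule OK" if is_expected_preflight_response(code, page) else "unexpected reply",
          code, page[:200])
```

Run it from the on-premises host that the rule's Sources field names; a timeout means the rule (or the VPN) is not passing TCP 443, and do not proceed to step 4 until it reports "rule OK".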

What to do next

After you have disabled Networking & Security tab access, you must use the local NSX Manager to manage your SDDC network. You can navigate the NSX Manager UI in much the same way as you navigate the Networking & Security tab. See NSX Manager in the NSX-T Data Center Administration Guide for information about how to use NSX Manager.

Important:

To conform with PCI compliance requirement 8.2.4 (Change user passwords/passphrases at least once every 90 days), you must use the NSX manager REST API, as documented in VMware Knowledge Base article 83551.

If you need to re-enable access to the Networking & Security tab, contact VMware Support.