By default, the firewall for the management gateway is set to deny all inbound and outbound traffic. Add additional firewall rules to allow traffic as needed.

About this task

Note:

In order to access vCenter Server in your SDDC, you must set a firewall rule to allow traffic to the vCenter Server.

When access to vCenter Server is blocked, the topology diagram on the Network tab shows a dotted line between the internet and the management gateway.

After you have added a firewall rule to allow access to vCenter Server, the diagram shows a solid line between the internet and the management gateway.

Procedure

  1. Log in to the VMC Console at https://vmc.vmware.com.
  2. Click View Details on the SDDC card.
  3. Click Network.
  4. Under Management Gateway, click Firewall Rules.
  5. Click Add Rule.
  6. Enter the rule parameters.

    Option / Description

    Rule Name
      Enter a descriptive name for the rule.

    Action
      The only action available for management gateway firewall rules is Allow.

    Source
      Enter or select one of the following options for the source:
      • An IP address, IP address range, or any to allow traffic from that address or address range.
      • vCenter to allow traffic from your SDDC's vCenter Server.
      • ESXi Management Only to allow traffic from your SDDC's ESXi management.

    Destination
      Enter or select one of the following options for the destination:
      • An IP address, IP address range, or any to allow traffic to that address or address range.
      • vCenter to allow traffic to your SDDC's vCenter Server.
      • ESXi Management Only to allow traffic to your SDDC's ESXi management.

    Service
      Select one of the following to apply the rule to:
      • Any (All Traffic)
      • ICMP (All ICMP)
      • HTTPS (TCP 443) - applies only to vCenter Server as a destination.
      • SSO (TCP 7444) - applies only to vCenter Server as a destination.
      • Provisioning (TCP 902) - applies only to ESXi Management Only as a destination.
      • Remote Console (TCP 903) - applies only to ESXi Management Only as a destination.

    Ports
      The port that the selected service uses for communication.

  7. Use the up and down arrow icons to change the order of the firewall rules.

    Firewall rules are applied in order from top to bottom.
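As an added illustration of the rule semantics above (this is example code, not part of this documentation or of the VMC product), the following Python model checks a rule against the constraints listed in step 6 and evaluates a flow against an ordered rule list with the default-deny policy. The rule dictionary shape, the CIDR notation for address ranges, and the sample rule set are assumptions.

```python
import ipaddress

# Services from the page: (TCP port, destination the service is limited to).
# None means not port-based / no destination restriction.
SERVICES = {
    "Any": (None, None), "ICMP": (None, None),
    "HTTPS": (443, "vCenter"), "SSO": (7444, "vCenter"),
    "Provisioning": (902, "ESXi Management Only"),
    "Remote Console": (903, "ESXi Management Only"),
}
LABELS = {"vCenter", "ESXi Management Only"}  # named endpoint objects

def validate_rule(rule):
    """Return the problems with a rule dict; an empty list means valid."""
    problems = []
    if rule["action"] != "Allow":
        problems.append("management gateway rules only support Allow")
    required_dst = SERVICES[rule["service"]][1]
    if required_dst and rule["destination"] != required_dst:
        problems.append(f"{rule['service']} applies only to {required_dst}")
    for end in ("source", "destination"):
        value = rule[end]
        if value != "any" and value not in LABELS:
            try:
                ipaddress.ip_network(value, strict=False)  # assumption: ranges as CIDR
            except ValueError:
                problems.append(f"{end} {value!r} is not an IP, CIDR, label or any")
    return problems

def endpoint_matches(pattern, value):
    """'any' matches all, labels match exactly, CIDR patterns match IPs."""
    if pattern == "any" or pattern == value:
        return True
    if pattern in LABELS or value in LABELS:
        return False
    return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)

def is_allowed(rules, src, dst, service):
    """Walk rules top to bottom; first matching valid rule allows, else deny."""
    for rule in rules:
        if validate_rule(rule):
            continue  # the console would reject this rule, so it cannot match
        if (endpoint_matches(rule["source"], src)
                and endpoint_matches(rule["destination"], dst)
                and rule["service"] in ("Any", service)):
            return True
    return False

# Constructed sample (not from the page): one admin subnet may reach vCenter over HTTPS.
SAMPLE_RULES = [{"name": "admin-to-vcenter", "action": "Allow",
                 "source": "198.51.100.0/24", "destination": "vCenter", "service": "HTTPS"}]
```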

Example

The following graphic shows an example firewall rule that allows all traffic to reach vCenter Server from a particular IP address.

See Example Management Gateway Firewall Rules for more examples of firewall rules for specific use cases.