By default, the management gateway blocks traffic to all destinations from all sources. Add Management Gateway firewall rules to allow traffic as needed.

Prerequisites

Verify that management groups and services are configured. See Add a Management Group.

Procedure

  1. Log in to the VMC Console at https://vmc.vmware.com.
  2. On the Networking & Security tab, click Gateway Firewall.
  3. On the Gateway Firewall card, click Management Gateway, then click ADD NEW RULE.
  4. Enter the firewall rule parameters.
    Rule Name: Enter a descriptive name for the rule.
    Source: Click Set Source and enter or select one of the following options:
      • Any to allow traffic from any source address or address range.
      • System Defined Groups, then one of the following source groups:
        - ESXi to allow traffic from your SDDC's ESXi hosts.
        - NSX Manager to allow traffic from your SDDC's NSX-T Manager appliance.
        - vCenter to allow traffic from your SDDC's vCenter Server.
      • User Defined Groups to use a management group that you have defined. See Add a Management Group.
    Destination: Click Set Destination and enter or select one of the following options:
      • Any to allow traffic to any destination address or address range.
      • System Defined Groups, then one of the following destination groups:
        - ESXi to allow traffic to your SDDC's ESXi hosts.
        - NSX Manager to allow traffic to your SDDC's NSX-T Manager appliance.
        - vCenter to allow traffic to your SDDC's vCenter Server.
      • User Defined Groups to use a management group that you have defined. See Add a Management Group.
    Services: Select the service the rule applies to. Some services are valid only with a particular system-defined group as the Destination:
      • Provisioning and Remote Console (TCP 902). Valid only with the ESXi system-defined group as the Destination.
      • vMotion (TCP 8000). See Required Firewall Rules for vMotion.
      • HTTPS (TCP 443). Valid only with the vCenter system-defined group as the Destination.
      • ICMP (all ICMP).
      • SSO (TCP 7444). Valid only with the vCenter system-defined group as the Destination.
    Action: The only action available for a management gateway firewall rule is Allow.
    Logging: Enable or disable packet logging for this firewall rule. If enabled, the packet logs are forwarded to the Log Intelligence service. To access the logs, open the Log Intelligence service console.
  5. Click PUBLISH to create the rule.
    Firewall rules are evaluated in order from top to bottom. Because every management gateway rule is an Allow rule and a default drop rule always sits at the bottom, the order of the rules you add has no effect on which traffic is permitted: traffic that matches no Allow rule is dropped.

Example: Create a Firewall Rule

To allow vMotion traffic between the on-premises ESXi hosts and the ESXi hosts in the SDDC, create one management group and two rules, one for each direction:
  1. Create a management inventory group that contains the on-premises ESXi hosts that you want to enable for vMotion to the SDDC.
  2. Create a management gateway rule with source ESXi (system-defined group), destination the on-premises ESXi hosts group you created, and the vMotion service.
  3. Create another management gateway rule with source the on-premises ESXi hosts group, destination ESXi (system-defined group), and the vMotion service.
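The following Python lint is an added, offline illustration of the constraints in the parameter table and of the two-rule vMotion example above; it is not VMware code and does not talk to the VMC Console or the NSX API. It rejects service/destination combinations the procedure rules out, flags rules that are broader than a least-privilege review should accept (source Any reaching a management endpoint, logging off on such a rule, duplicate rules), and reports whether the set is ready to publish. The MgwRule class, the finding texts, and the group name OnPrem-ESXi-Hosts are assumptions constructed for this example.

```python
"""Offline pre-publish lint for VMC Management Gateway firewall rules.

Added example; not VMware code and not the VMC Console or NSX API. It
encodes only the constraints stated in the procedure above and adds the
least-privilege checks a reviewer applies before clicking PUBLISH. The
MgwRule class and every rule/group name below are constructed for
illustration.
"""
from dataclasses import dataclass

SYSTEM_GROUPS = {"ESXi", "NSX Manager", "vCenter"}

# Service name -> system-defined destination group it is restricted to,
# per the Services table (None: the procedure states no restriction).
SERVICES = {
    "Provisioning and Remote Console": "ESXi",   # TCP 902
    "vMotion": None,                             # TCP 8000
    "HTTPS": "vCenter",                          # TCP 443
    "ICMP": None,                                # all ICMP
    "SSO": "vCenter",                            # TCP 7444
}


@dataclass(frozen=True)
class MgwRule:
    name: str
    source: str        # "Any", a system-defined group, or a user-defined group
    destination: str
    service: str
    action: str = "Allow"
    logging: bool = False


def lint_rule(rule, user_groups):
    """Return (severity, message) findings for one rule.

    'error' findings are combinations the procedure says are not valid;
    'warning' findings are valid but broader than least privilege wants.
    """
    findings = []
    if rule.action != "Allow":
        findings.append(("error", "action must be Allow; the gateway drops everything else by default"))
    if rule.service not in SERVICES:
        findings.append(("error", f"unknown service {rule.service!r}"))
    else:
        required = SERVICES[rule.service]
        if required and rule.destination != required:
            findings.append(("error", f"{rule.service} applies only with destination {required}"))
    for end, group in (("source", rule.source), ("destination", rule.destination)):
        if group != "Any" and group not in SYSTEM_GROUPS and group not in user_groups:
            findings.append(("error", f"{end} {group!r} is neither system-defined nor a defined management group"))
    if rule.source == "Any" and rule.destination in SYSTEM_GROUPS:
        findings.append(("warning", f"source Any exposes {rule.destination} to every address; use a management group"))
    if rule.source == "Any" and rule.destination == "Any":
        findings.append(("warning", "Any-to-Any allow negates the default drop"))
    if not rule.logging and rule.destination in SYSTEM_GROUPS:
        findings.append(("warning", "logging disabled on a rule that reaches a management endpoint"))
    return findings


def lint_ruleset(rules, user_groups):
    """Lint every rule plus cross-rule checks; returns {rule name: [findings]}."""
    report = {r.name: lint_rule(r, user_groups) for r in rules}
    # Every rule is Allow and the default is drop, so order is irrelevant and two
    # rules with the same source/destination/service are pure duplicates.
    seen = {}
    for r in rules:
        key = (r.source, r.destination, r.service)
        if key in seen:
            report[r.name].append(("warning", f"duplicate of rule {seen[key]!r}"))
        else:
            seen[key] = r.name
    return report


def publishable(report):
    """True when no rule in the report carries an error finding."""
    return not any(sev == "error" for findings in report.values() for sev, _ in findings)


if __name__ == "__main__":
    ONPREM = "OnPrem-ESXi-Hosts"   # constructed user-defined management group
    rules = [
        MgwRule("SDDC ESXi to on-prem vMotion", "ESXi", ONPREM, "vMotion", logging=True),
        MgwRule("On-prem to SDDC ESXi vMotion", ONPREM, "ESXi", "vMotion", logging=True),
        MgwRule("Broad vCenter access", "Any", "vCenter", "HTTPS"),
        MgwRule("Misplaced SSO rule", ONPREM, "ESXi", "SSO"),
    ]
    report = lint_ruleset(rules, {ONPREM})
    for name, findings in report.items():
        for severity, message in findings:
            print(f"[{severity}] {name}: {message}")
    print("publishable:", publishable(report))
```

Run the block directly to see the two vMotion rules pass clean while the broad HTTPS rule draws warnings and the SSO-to-ESXi rule is rejected. Only combinations stated in the procedure are treated as errors; anything the page leaves open is at most a warning, so the lint never blocks a rule the console would accept.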