By default, the firewall for the management gateway is set to deny all inbound and outbound traffic. Add additional firewall rules to allow traffic as needed.
If you have configured a management gateway VPN, you can use the Firewall Rules Accelerator to create the firewall rules necessary for communication over the VPN. See Use the Firewall Rules Accelerator to Set Up Firewall Rules.
In order to access vCenter Server in your SDDC, you must set a firewall rule to allow traffic to the vCenter Server.
When access to vCenter Server is blocked, the topology diagram on the Network tab shows a dotted line between the internet and the management gateway.
After you have added a firewall rule to allow access to vCenter Server, the diagram shows a solid line between the internet and the management gateway.
- Log in to the VMC Console at https://vmc.vmware.com.
- Click View Details on the SDDC card.
- Click Network.
- Under Management Gateway, click Firewall Rules.
- Click Add Rule.
- Enter the rule parameters.
  - Rule name: enter a descriptive name for the rule.
  - Action: the only action available for management gateway firewall rules is Allow.
  - Source: enter or select one of the following options:
    - An IP address, IP address range, or any to allow traffic from that address or address range.
    - vCenter to allow traffic from your SDDC's vCenter Server.
    - ESXi Management Only to allow traffic from your SDDC's ESXi management.
  - Destination: enter or select one of the following options:
    - An IP address, IP address range, or any to allow traffic to that address or address range.
    - vCenter to allow traffic to your SDDC's vCenter Server.
    - ESXi Management Only to allow traffic to your SDDC's ESXi management.
  - Service: select one of the following to apply the rule to:
    - Any (All Traffic)
    - ICMP (All ICMP)
    - HTTPS (TCP 443) - applies only to vCenter Server as a destination.
    - SSO (TCP 7444) - applies only to vCenter Server as a destination.
    - Provisioning (TCP 902) - applies only to ESXi Management Only as a destination.
    - Remote Console (TCP 903) - applies only to ESXi Management Only as a destination.
  - Port: the port that the selected service uses for communication.
- Use the up and down arrow icons to change the order of the firewall rules.
Firewall rules are applied in order from top to bottom.
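As an added example (not part of the VMware documentation), the following Python models the rule semantics described above: the Allow-only action, the destination each service is restricted to, and top-to-bottom first-match evaluation over the default deny. The sample rule set, the address range (assumed to be written as CIDR) and the function names are constructed for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Services offered by the management gateway firewall, as listed on the page:
# service -> destination the service is restricted to (None = no restriction).
SERVICES = {"Any": None, "ICMP": None, "HTTPS": "vCenter", "SSO": "vCenter",
            "Provisioning": "ESXi Management Only", "Remote Console": "ESXi Management Only"}
NAMED = ("vCenter", "ESXi Management Only")

@dataclass
class Rule:
    name: str
    source: str       # IP or CIDR (assumption: ranges are written as CIDR), "any", or a NAMED target
    destination: str  # same options
    service: str      # a key of SERVICES
    action: str = "Allow"  # the only action the management gateway offers

def validate(rule: Rule) -> None:
    """Reject parameter combinations the console would not accept."""
    if rule.action != "Allow":
        raise ValueError(f"{rule.name}: only Allow is available")
    required_dst = SERVICES[rule.service]
    if required_dst and rule.destination != required_dst:
        raise ValueError(f"{rule.name}: {rule.service} applies only to {required_dst}")

def _matches(pattern: str, endpoint: str) -> bool:
    """endpoint is a NAMED target or a single IP address string."""
    if pattern == "any":
        return True
    if pattern in NAMED:
        return pattern == endpoint
    try:
        return ip_address(endpoint) in ip_network(pattern, strict=False)
    except ValueError:
        return False  # a NAMED endpoint never matches an IP pattern

def evaluate(rules: List[Rule], src: str, dst: str, service: str) -> str:
    """Rules apply top to bottom; first match wins, otherwise the default deny."""
    for r in rules:
        validate(r)
        if _matches(r.source, src) and _matches(r.destination, dst) and r.service in ("Any", service):
            return r.action
    return "Deny"

# Constructed sample rule set: an admin subnet may reach vCenter over HTTPS and SSO only.
RULES = [Rule("Admin HTTPS to vCenter", "203.0.113.0/24", "vCenter", "HTTPS"),
         Rule("Admin SSO to vCenter", "203.0.113.0/24", "vCenter", "SSO")]
```

Running `evaluate(RULES, "203.0.113.7", "vCenter", "HTTPS")` returns Allow, while any source outside the subnet, any other service, or the ESXi Management Only destination falls through to Deny.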
The following graphic shows an example firewall rule that allows all traffic to reach vCenter Server from a particular IP address.
See Example Management Gateway Firewall Rules for more examples of firewall rules for specific use cases.