Distributed firewall rules apply at the VM level and control East-West traffic within the SDDC.
- Log in to the VMC Console at https://vmc.vmware.com.
- Select .
- If you are an NSX Administrator, you can edit an existing section to add, remove, or reorder rules.
  To create a new section, click ADD NEW SECTION, give the section a Name, and choose the section type:

  | Option | Description |
  | --- | --- |
  | Emergency Rules | Applies to temporary rules needed in emergency situations, for example blocking traffic to a Web server because of malicious content. |
  | Infrastructure Rules | Applies to infrastructure rules only, such as rules for ESXi, vCenter Server, or connectivity to the on-premises data center. |
  | Environment Rules | Applies to broad groups, such as rules ensuring that the production environment cannot reach the test environment. |
  | Application Rules | Applies to rules for specific applications. |
  | Default Rules | The default rules allow all traffic. |
- To add a rule to a new or existing section, select the section and click ADD NEW RULE.
- Enter the parameters for the new rule.
  - Name: Give the rule a descriptive name.
  - Sources: Click Set Source and select an inventory group for source network traffic, or click CREATE NEW GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
  - Destinations: Click Set Destination and select an inventory group for destination network traffic, or click CREATE NEW GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
  - Services: Select a service from the drop-down list, or select Any if you want the rule to apply to any protocol or port. Click SAVE.
  - Action: Select one of the following.
    - Allow: Allows all L2 and L3 traffic to pass through the firewall.
    - Drop: Drops packets with the specified source, destination, and service protocol. Drop is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    - Reject: Rejects packets with the specified source, destination, and service protocol. The Reject action returns a destination unreachable message to the sender. If the protocol is TCP, a TCP RST message is sent. For UDP, ICMP, and other IP connections, an ICMP message with the administratively prohibited code is sent. One benefit of using Reject is that the sending application is notified after only one attempt that the connection cannot be established.
  - Logging: Enable or disable packet logging for this firewall rule. If enabled, the packet logs are forwarded to the Log Intelligence service. To view the logs, open the Log Intelligence service console.
- Click PUBLISH.
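The following Python model is an added example, not VMware or NSX code, that lets you check what a planned rule set will do to a given flow before you click PUBLISH. It implements the rule parameters described above (Sources, Destinations, Services, Action, Logging) and the sender-side effect of each action as the page describes it. It assumes, as labelled in the code, that sections are evaluated in the order the page lists them (Emergency, Infrastructure, Environment, Application, then the default allow) with the first matching rule winning; the inventory group names and rules in `example_sections` are constructed for the example.

```python
"""Model of distributed firewall rule evaluation for reviewing a policy before publishing.

Added illustration, not VMware's code. Assumption: sections are evaluated in the
order listed on the page, top to bottom inside a section, first match wins, and
the Default Rules section allows all traffic.
"""
from typing import Dict, List, Set, Tuple

ANY = "Any"
ACTIONS = ("Allow", "Drop", "Reject")

# Assumed evaluation order (the order in which the page lists the section types).
SECTION_ORDER = ("Emergency Rules", "Infrastructure Rules",
                 "Environment Rules", "Application Rules")


class Rule:
    """One distributed firewall rule with the parameters the page describes."""

    def __init__(self, name: str, sources: Set[str], destinations: Set[str],
                 services: Set[str], action: str, logging: bool = False) -> None:
        if action not in ACTIONS:
            raise ValueError(f"{name}: action must be one of {ACTIONS}")
        self.name = name
        self.sources = sources            # inventory group names, or {ANY}
        self.destinations = destinations  # inventory group names, or {ANY}
        self.services = services          # e.g. {"TCP/443"}, or {ANY}
        self.action = action
        self.logging = logging


class Flow:
    """A single East-West connection attempt between two VMs."""

    def __init__(self, source_groups: Set[str], dest_groups: Set[str], service: str) -> None:
        self.source_groups = source_groups  # groups the sending VM belongs to
        self.dest_groups = dest_groups      # groups the receiving VM belongs to
        self.service = service              # "TCP/443", "UDP/53", "ICMP", ...


def _matches(rule: Rule, flow: Flow) -> bool:
    src_ok = ANY in rule.sources or bool(rule.sources & flow.source_groups)
    dst_ok = ANY in rule.destinations or bool(rule.destinations & flow.dest_groups)
    svc_ok = ANY in rule.services or flow.service in rule.services
    return src_ok and dst_ok and svc_ok


def sender_sees(action: str, service: str) -> str:
    """What the sending system observes, following the Action descriptions on the page."""
    if action == "Allow":
        return "connection proceeds"
    if action == "Drop":
        return "no response; sender retries until its retry threshold"
    if service.upper().startswith("TCP"):
        return "TCP RST"
    return "ICMP destination unreachable (administratively prohibited)"


def evaluate(sections: Dict[str, List[Rule]], flow: Flow) -> Tuple[str, str, str, bool]:
    """Return (matched rule name, action, what the sender sees, whether the hit is logged)."""
    for section in SECTION_ORDER:
        for rule in sections.get(section, []):
            if _matches(rule, flow):
                return (rule.name, rule.action, sender_sees(rule.action, flow.service), rule.logging)
    # Default Rules section: allows all traffic (as stated on the page); not logged.
    return ("default-allow", "Allow", sender_sees("Allow", flow.service), False)


def example_sections(include_emergency: bool = True) -> Dict[str, List[Rule]]:
    """Constructed sample policy; group names are invented for this example."""
    sections: Dict[str, List[Rule]] = {
        "Environment Rules": [
            Rule("prod-cannot-reach-test", {"Production"}, {"Test"}, {ANY}, "Reject", logging=True),
        ],
        "Application Rules": [
            Rule("allow-https-to-web", {"Web-Clients"}, {"Web-Servers"}, {"TCP/443"}, "Allow"),
        ],
    }
    if include_emergency:
        # Temporary rule of the kind the page gives as an Emergency example:
        # block traffic to the Web servers while malicious content is investigated.
        sections["Emergency Rules"] = [
            Rule("quarantine-web-servers", {ANY}, {"Web-Servers"}, {ANY}, "Drop", logging=True),
        ]
    return sections


if __name__ == "__main__":
    flows = [
        Flow({"Web-Clients"}, {"Web-Servers"}, "TCP/443"),
        Flow({"Production"}, {"Test"}, "TCP/22"),
        Flow({"Production"}, {"Test"}, "UDP/53"),
        Flow({"Production"}, {"Production"}, "TCP/22"),
    ]
    for f in flows:
        print(sorted(f.source_groups), "->", sorted(f.dest_groups), f.service,
              evaluate(example_sections(), f))
```

Running the script shows why the Emergency section matters: with the quarantine rule present, the HTTPS flow to the Web servers is dropped even though an Application rule allows it, and the Production-to-Test flows are rejected with a TCP RST or an ICMP administratively prohibited message depending on the protocol, while anything no rule covers falls through to the default allow.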