Maintaining the safety and security of your SDDC management infrastructure is critical. By default, the management gateway blocks traffic to all management network destinations from all sources.

When configuring access to the SDDC management infrastructure, it's important that you create management gateway firewall rules that allow only the necessary access to the SDDC management network. To access the Management Gateway, you can Configure AWS Direct Connect Between Your SDDC and On-Premises Data Center, Configure a VPN Connection Between Your SDDC and On-Premises Data Center, or do both. Direct Connect, which provides private connectivity between your enterprise and the SDDC, can be used alone or in conjunction with an IPsec VPN to encrypt traffic.

If you can't use Direct Connect, VMware Managed Transit Gateway, or a VPN, you can access the SDDC vCenter directly over the Internet using public DNS and the vCenter public IP. If you do this, you must create management gateway firewall rules that prevent untrusted sources from accessing the management network. A VPN provides additional security through encryption and authentication protocols.

Management Gateway firewall rules specify actions to take on network traffic based on the source and destination addresses, and the service port. Either the source or destination must be a system-defined inventory group. See Working With Inventory Groups for information about viewing or modifying inventory groups.
Important: The default Management Gateway firewall rule denies all traffic, so you must create at least one user-defined Management Gateway firewall rule to provide access to the vCenter Server Appliance and other management VMs and appliances. To provide appropriate security when accessing the Management Gateway over the public Internet, configure a management gateway firewall rule that allows traffic only from IP addresses you own or trust, and always limit the source IP ranges, both internal and external, to the smallest possible set. For example, an enterprise that accesses the internet from an address in the CIDR block 93.184.216.34/30 should create a management gateway firewall rule that allows only traffic with a Sources CIDR of 93.184.216.34/30 to access management destinations like the ones shown in Example Management Gateway Firewall Rules. Beginning with SDDC version 1.22, you cannot publish a management gateway firewall rule that allows traffic from Sources that include Any or 0.0.0.0/0. See VMware Knowledge Base article 84154 for more information about providing secure access to your SDDC management infrastructure.
There are two types of firewall rules:
  • Pre-defined firewall rules are created and managed by VMware Cloud on AWS. You cannot modify or reorder these rules. There is one pre-defined Management Gateway firewall rule:
    Table 1. Pre-Defined Management Gateway Firewall Rules
    Name              Sources  Destinations  Services  Action
    Default Deny All  Any      Any           Any       Drop
    Because this rule operates in a default-deny mode, only traffic explicitly allowed by customer-defined rules is permitted.
  • Customer-defined firewall rules are processed in the order you specify and are always processed before pre-defined rules. These rules require either the source or destination to be a system-defined group, and the list of available ports and services is a limited one managed by VMware. When Sources is a system-defined group, Services must be Any. And because these rules must have an Allow action, rule order is generally unimportant.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page. See SDDC Network Administration with NSX Manager.
    You can also use the VMware Cloud Console Networking & Security tab for this workflow.
  4. On the Gateway Firewall card, click Management Gateway, then click ADD RULE and give the new rule a Name.
  5. Enter the parameters for the new rule.
    Parameters are initialized to their default values (for example, Any for Sources and Destinations). To edit a parameter, move the mouse cursor over the parameter value and click the pencil icon to open a parameter-specific editor.
    Option Description
    Sources
    Enter any combination of source addresses (CIDR blocks or management group names).
    Important:

    Although you can select Any as the source address in a firewall rule, you cannot use Any or the wildcard 0.0.0.0/0 as the source address when the destination is vCenter. Doing so can enable attacks on your vCenter and may lead to compromise of your SDDC. Beginning with SDDC version 1.22, we prevent you from publishing a management gateway firewall rule with a source address of Any or 0.0.0.0/0 and destinations that include vCenter.

    Select System Defined Groups and select one of the following source options:

    • ESXi to allow traffic from your SDDC's ESXi hosts.
    • NSX Manager to allow traffic from your SDDC's NSX appliance.
    • vCenter to allow traffic from your SDDC's vCenter.
    • Other integrated services enabled in the SDDC.

    Select User Defined Groups to use a management group that you have defined. See Working With Inventory Groups.

    Destinations

    Select Any to allow traffic to any destination address or address range.

    Select System Defined Groups and select one of the following destination options:
    • ESXi to allow traffic to your SDDC's ESXi management.
    • NSX Manager to allow traffic to your SDDC's NSX appliance.
    • vCenter to allow traffic to your SDDC's vCenter.
    • Other integrated services enabled in the SDDC.

    Services

    Select the service types that the rule applies to. The list of service types depends on your choices for Sources and Destinations.

    Action

    The only action available for a new management gateway firewall rule is Allow.

    The new rule is enabled by default. Slide the toggle to the left to disable it.
  6. Click PUBLISH to create the rule.

    The system gives the new rule an integer ID value, which is used in log entries generated by the rule.

    Firewall rules are applied in order from top to bottom. Because there is a default Drop rule at the bottom and the rules above are always Allow rules, management gateway firewall rule order has no impact on traffic flow.

Example: Create a Management Gateway Firewall Rule

To create a management gateway firewall rule that enables vMotion traffic from the on-premises ESXi hosts to the ESXi hosts in the SDDC:
  1. Create a management inventory group that contains the on-premises ESXi hosts that you want to enable for vMotion to the SDDC.
  2. Create a management gateway rule with source ESXi and destination the on-premises ESXi hosts group.
  3. Create another management gateway rule with source the on-premises ESXi hosts group, destination ESXi, and the vMotion service.
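As an added illustration that is not part of the VMware documentation, the following Python models the rule constraints stated above (either endpoint must be a system-defined group, Services must be Any when the source is one, and from SDDC 1.22 a source of Any or 0.0.0.0/0 cannot be combined with a vCenter destination) and evaluates sample flows against the vMotion example's rule pair, falling through to the pre-defined Default Deny All. Group membership, addresses and rule names are constructed samples; 93.184.216.34/30 is the trusted CIDR from the example earlier on this page.

```python
import ipaddress
# Constructed model of the page's rule semantics: customer-defined Allow rules are
# checked top to bottom; anything unmatched hits the pre-defined "Default Deny All".
SYSTEM_GROUPS = {"ESXi", "NSX Manager", "vCenter"}
WILDCARD_SOURCES = {"Any", "0.0.0.0/0"}

def validate_rule(rule, sddc_version=1.22):
    """Return the reasons a customer-defined rule could not be published ([] = OK)."""
    problems = []
    src, dst = set(rule["sources"]), set(rule["destinations"])
    if not (src & SYSTEM_GROUPS or dst & SYSTEM_GROUPS):
        problems.append("source or destination must be a system-defined group")
    if src & SYSTEM_GROUPS and rule["services"] != ["Any"]:
        problems.append("Services must be Any when Sources is a system-defined group")
    if sddc_version >= 1.22 and src & WILDCARD_SOURCES and "vCenter" in dst:
        problems.append("source Any/0.0.0.0/0 with a vCenter destination is blocked")
    return problems

def _matches(entries, ip, groups):
    """True if the IP is covered by any entry (group name, CIDR block, or Any)."""
    for entry in entries:
        if entry == "Any":
            return True
        if entry in groups:
            if ip in groups[entry]:
                return True
        elif ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def evaluate(rules, groups, src_ip, dst_ip, service):
    """Verdict for one flow: first matching customer rule, else the default deny."""
    for rule in rules:
        if (_matches(rule["sources"], src_ip, groups)
                and _matches(rule["destinations"], dst_ip, groups)
                and ("Any" in rule["services"] or service in rule["services"])):
            return "Allow", rule["name"]
    return "Drop", "Default Deny All"

GROUPS = {  # constructed inventory: SDDC system groups plus a user-defined on-prem group
    "ESXi": ["10.2.0.11", "10.2.0.12"], "vCenter": ["10.2.0.5"],
    "onprem-esxi": ["192.168.10.21", "192.168.10.22"],
}
RULES = [  # the vMotion example's two rules, plus admin access from the page's trusted CIDR
    {"name": "sddc-esxi-to-onprem", "sources": ["ESXi"], "destinations": ["onprem-esxi"], "services": ["Any"]},
    {"name": "onprem-to-sddc-vmotion", "sources": ["onprem-esxi"], "destinations": ["ESXi"], "services": ["vMotion"]},
    {"name": "admin-to-vcenter", "sources": ["93.184.216.34/30"], "destinations": ["vCenter"], "services": ["HTTPS"]},
]
```

Because every customer-defined rule is an Allow and the only Drop is the pre-defined one at the bottom, reversing RULES gives the same verdict for every flow, which is the order-independence the procedure notes.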

What to do next

You can view Rule Hits Statistics and Flow Statistics for any rule other than the Default Deny All rule.

  • Click the gear icon to view or modify rule logging settings. Log entries are sent to the VMware Aria Operations for Logs Service. See Using VMware Aria Operations for Logs in the VMware Cloud on AWS Operations Guide.

  • Click the graph icon to view Rule Hits and Flow statistics for the rule.
    Table 2. Rule Hits Statistics
    Popularity Index  Number of times the rule was triggered in the past 24 hours.
    Hit Count         Number of times the rule was triggered since it was created.
    Table 3. Flow Statistics
    Packet Count      Total packet flow through this rule.
    Byte Count        Total byte flow through this rule.
    Statistics start accumulating as soon as the rule is enabled.