By default, VMC allows the cloud SDDC vCenter and ESX outbound access to any destination; however, all inbound connections are blocked at the management gateway firewall.

To enable Hybrid Linked Mode, you will need to establish a new IP group for your on-premises subnets and then allow those subnets through the firewall on specific ports. The group can be created while creating the firewall rule itself, or in the Inventory Groups section.

  1. Within the SDDC, click on the ‘Network & Security’ tab
  2. Beneath the ‘Inventory’ section, ensure ‘Management Groups’ is selected and then click 'ADD GROUP'
  3. Name the group 'On-Prem Subnets' and add the IP subnets that you have configured in the 'Remote Networks' section of your VPN connection(s)
  4. Click 'SAVE'

Now that the Group is created, you can create firewall rules based on the group.

  1. Still within the SDDC Networking and Security tab, select Gateway Firewall
  2. In the Management Gateway section, click 'ADD NEW RULE'
  3. Enter a valid name, example: On-Prem to vCenter
  4. Click ‘Set Source’, under 'User Defined Groups' select 'On-Prem Subnets', then click ‘SAVE’
  5. Click ‘Set Destination’, click ‘vCenter’ and click 'SAVE'
  6. Choose each of the available services 'HTTPS', 'SSO' and 'ICMP'
  7. Click the 'Publish' button at the top right of the firewall rule list.

Once the On-Prem to vCenter rule is created, the next step is to create additional rules that allow access from the on-premises environment to the ESXi hosts and NSX manager:

  • Name: OnPrem to ESX
  • Source: On-Prem Subnets
  • Destination: ESXi
  • Services: vMotion, Remote Console, ICMP, Provisioning, HTTPS

  • Name: OnPrem to NSX
  • Source: On-Prem Subnets
  • Destination: ESXi
  • Services: HTTPS
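
Once the rules are published, it is worth checking that the group and rules stay as narrow as described above. The following is an added example, not VMware code: it audits a group and rule set written out as plain Python dicts. The dict layout, the function names and the sample values are assumptions made for illustration, not an NSX or VMC export format.

```python
import ipaddress

# Services each destination should accept, copied from the rules on this page.
EXPECTED_SERVICES = {
    "vCenter": {"HTTPS", "SSO", "ICMP"},
    "ESXi": {"vMotion", "Remote Console", "ICMP", "Provisioning", "HTTPS"},
}

def audit_group(group_cidrs, vpn_remote_cidrs):
    """Flag group members that are broader than, or outside, the VPN remote networks."""
    remotes = [ipaddress.ip_network(c) for c in vpn_remote_cidrs]
    findings = []
    for cidr in group_cidrs:
        net = ipaddress.ip_network(cidr)
        if net.prefixlen == 0:
            findings.append(f"{cidr}: matches every address")
        elif not any(net.version == r.version and net.subnet_of(r) for r in remotes):
            findings.append(f"{cidr}: not inside any VPN remote network")
    return findings

def audit_rule(rule, group_name="On-Prem Subnets"):
    """Flag a rule whose source or services go beyond what this page configures."""
    findings = []
    if rule["source"] != group_name:
        findings.append(f"{rule['name']}: source {rule['source']!r} is not {group_name!r}")
    allowed = EXPECTED_SERVICES.get(rule["destination"])
    if allowed is None:
        findings.append(f"{rule['name']}: unexpected destination {rule['destination']!r}")
    elif set(rule["services"]) - allowed:
        extra = sorted(set(rule["services"]) - allowed)
        findings.append(f"{rule['name']}: extra services {extra}")
    return findings

# Constructed sample data (hypothetical dict layout, not an NSX/VMC export format).
SAMPLE_GROUP = ["10.10.0.0/16", "192.168.50.0/24", "172.16.5.0/24", "0.0.0.0/0"]
SAMPLE_VPN_REMOTES = ["10.10.0.0/16", "192.168.0.0/16"]
SAMPLE_RULES = [
    {"name": "On-Prem to vCenter", "source": "On-Prem Subnets",
     "destination": "vCenter", "services": ["HTTPS", "SSO", "ICMP"]},
    {"name": "OnPrem to ESX", "source": "Any",
     "destination": "ESXi", "services": ["HTTPS", "SSH"]},
]

if __name__ == "__main__":
    for line in audit_group(SAMPLE_GROUP, SAMPLE_VPN_REMOTES):
        print(line)
    for rule in SAMPLE_RULES:
        for line in audit_rule(rule):
            print(line)
```

An empty result from both functions means every group member sits inside a VPN remote network and every rule uses only the source and services listed on this page.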

