To enable VMware Site Recovery on your SDDC environment that uses VMware NSX-T®, you must create firewall rules between your on-premises data center and the Management Gateway. After the initial firewall rules configuration, you can add, edit, or delete any rules as needed.

Prerequisites

  • Verify that you have activated VMware Site Recovery on the SDDC.

Procedure

  1. Log in to the VMware Cloud Services Console at https://console.cloud.vmware.com/csp/gateway/discovery.
  2. Launch the VMware Cloud on Dell service.
  3. Access NSX Manager from the VMware Cloud on Dell EMC Console.
  4. To add a rule, click ADD RULE and give the rule a Name.
  5. Enter the parameters for the new rule.
    Parameters are initialized to their default values (for example, All for Sources and Destinations). To edit a parameter, move the mouse pointer over the parameter value and click the pencil icon to open a parameter-specific editor.
    • Sources: Do the following:
      1. Select Any to allow traffic from any source address or address range.
        Important:

        Although you can select Any as the source address in a firewall rule, using Any as the source address in this firewall rule can enable attacks on your vCenter Server and may lead to compromise of your SDDC. As a best practice, configure this firewall rule to allow access only from trusted source addresses. See VMware Knowledge Base article 84154.

      2. Select System Defined Groups and select vCenter to allow traffic from your SDDC's vCenter Server.
    • Destinations: Do the following:
      1. Select Any to allow traffic to any destination address or address range.
      2. Select System Defined Groups and select vCenter to allow traffic to your SDDC's vCenter Server.
    The new rule is enabled by default.
  6. Repeat the previous step to apply the following firewall rules for VMware Site Recovery.
    | Name | Source | Destination | Service | Action |
    |---|---|---|---|---|
    | Remote SRM to vCenter Server | User-Defined Group that includes the remote Site Recovery Manager IP address. | vCenter | HTTPS (TCP 443) | Allow |
    | Remote VR to vCenter Server | User-Defined Group that includes the remote vSphere Replication IP address. | vCenter | HTTPS (TCP 443) | Allow |
    | Remote network to SRM (SRM Server Management) | User-Defined Group that includes the remote Site Recovery Manager and vSphere Replication IP addresses. | Site Recovery Manager | VMware Site Recovery SRM | Allow |
    | Remote network to VR (VM Replication) | User-Defined Group that includes the remote ESXi hosts IP addresses. | vSphere Replication | VMware Site Recovery vSphere Replication | Allow |
    | Remote network to VR (VR Server Management) | or User-Defined Group that includes the remote Site Recovery Manager and vSphere Replication IP addresses. | vSphere Replication | VMware Site Recovery vSphere Replication | Allow |
    | Remote network to VR (UI and API) | User-Defined Group that includes the remote browser IP address. | vSphere Replication | VMware Site Recovery vSphere Replication | Allow |
    | SRM (HTTPS) to remote network | Site Recovery Manager | Any or User-Defined Group that includes the remote Platform Services Controller and vCenter Server IP addresses. | HTTPS (TCP 443) | Allow |
    | VR (HTTPS) to remote network | vSphere Replication | Any or User-Defined Group that includes the remote Platform Services Controller and vCenter Server IP addresses. | HTTPS (TCP 443) | Allow |
    | SRM (SRM Server Management) to remote network | Site Recovery Manager | Any or User-Defined Group that includes the remote Site Recovery Manager IP address. | VMware Site Recovery SRM | Allow |
    | VR (SRM Server Management) to remote network | vSphere Replication | Any or User-Defined Group that includes the remote Site Recovery Manager IP address. | VMware Site Recovery SRM | Allow |
    | ESXi (VM Replication) to remote network | ESXi | Any or User-Defined Group that includes the remote vSphere Replication IP addresses (combined vSphere Replication appliance and any add-on vSphere Replication appliances). | VMware Site Recovery vSphere Replication | Allow |
    | SRM (VR Server Management) to remote network | Site Recovery Manager | Any or User-Defined Group that includes the remote vSphere Replication IP address. | VMware Site Recovery vSphere Replication | Allow |
    | VR (VR Server Management) to remote network | vSphere Replication | Any or User-Defined Group that includes the remote vSphere Replication IP address. | VMware Site Recovery vSphere Replication | Allow |
  7. Click PUBLISH to create the rule.
  8. Repeat the procedure at the second VMware Cloud on Dell EMC SDDC.
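
The Important note in step 5 and the inbound rows of the table in step 6 can be checked mechanically before you click PUBLISH. The following Python is an added example, not VMware code: the rule and group layout (SAMPLE_RULES, SAMPLE_GROUPS), the audit_rules helper, the group names, and the 8-host-bit threshold are assumptions made for illustration and do not represent an NSX export format.

```python
import ipaddress

# Management Gateway groups that appear as destinations in the rule table.
MGMT_GROUPS = {"vCenter", "Site Recovery Manager", "vSphere Replication", "ESXi"}

def audit_rules(rules, groups, max_host_bits=8):
    """Return (rule name, finding) pairs for inbound Allow rules whose
    source is Any, an undefined group, or a range wider than max_host_bits."""
    findings = []
    for rule in rules:
        if rule["action"] != "Allow" or rule["destination"] not in MGMT_GROUPS:
            continue  # only inbound rules to management appliances are audited
        src = rule["source"]
        if src == "Any":
            findings.append((rule["name"], "source is Any"))
        elif src in MGMT_GROUPS:
            continue  # system-defined group inside the SDDC
        elif not groups.get(src):
            findings.append((rule["name"], f"group {src} is undefined or empty"))
        else:
            for cidr in groups[src]:
                net = ipaddress.ip_network(cidr, strict=False)
                # Host bits = address width minus prefix length (IPv4 or IPv6).
                if net.max_prefixlen - net.prefixlen > max_host_bits:
                    findings.append((rule["name"], f"{net} is too broad"))
    return findings

# Constructed sample data (documentation address ranges, hypothetical group names).
SAMPLE_GROUPS = {
    "remote-srm": ["192.0.2.10/32"],
    "remote-esxi": ["198.51.100.0/24", "10.0.0.0/8"],
}
SAMPLE_RULES = [
    {"name": "Remote SRM to vCenter Server", "source": "remote-srm",
     "destination": "vCenter", "service": "HTTPS (TCP 443)", "action": "Allow"},
    {"name": "Remote VR to vCenter Server", "source": "Any",
     "destination": "vCenter", "service": "HTTPS (TCP 443)", "action": "Allow"},
    {"name": "Remote network to VR (VM Replication)", "source": "remote-esxi",
     "destination": "vSphere Replication",
     "service": "VMware Site Recovery vSphere Replication", "action": "Allow"},
    {"name": "SRM (HTTPS) to remote network", "source": "Site Recovery Manager",
     "destination": "Any", "service": "HTTPS (TCP 443)", "action": "Allow"},
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES, SAMPLE_GROUPS):
        print(f"{name}: {finding}")
```

Outbound rows, where the destination is Any or a remote group, are skipped on purpose: the check targets only rules that admit traffic to vCenter Server, Site Recovery Manager, vSphere Replication, or ESXi.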