In the default configuration, firewall rules prevent VMs on the compute network from accessing VMs on the management network. To allow individual workload VMs to access management VMs, create Compute and Management inventory groups that name just those VMs and networks, then create management gateway firewall rules that reference them. Keep the rules as narrow as the groups: one port, a named source, a named destination.
Procedure
- With CloudAdmin privileges, log in to NSX Manager.
- Create Compute inventory groups: one for the management network and one for the workload VM that you want to give access to it.
On the Inventory page, create two Compute Groups:
- An IP-based group for the management network: open the IP Addresses page, click Enter IP Address, and type the CIDR block of the management network. Click APPLY, then SAVE to create the group.
- A VM-based group for the workload VM: specify the Virtual Machine from your vSphere inventory as its member, so that only that VM (not its whole subnet) is granted access. Click APPLY, then SAVE to create the group.
- Create a Management Group that includes the management network that you want to access from the Compute Group.
On the Inventory page, add a Management Group. On the Select Members page, click Enter IP Address, and type the CIDR block of the management network. Click APPLY, then SAVE to create the group.
- Create management gateway firewall rules allowing inbound traffic to vCenter Server and ESXi.
See Add or Modify Management Gateway Firewall Rules for information about creating management gateway firewall rules. Assuming your workload VMs only need to reach the vSphere API, whether through the vSphere Client, PowerCLI, or OVF Tool, the rules need only allow HTTPS on TCP port 443; do not open additional services unless a workload demonstrably needs them.
Table 1. Management Gateway Rules to Allow Inbound Traffic to ESXi and vCenter

| Name | Source | Destination | Services | Action |
|---|---|---|---|---|
| Inbound to ESXi | Workload VM private IP | ESXi | HTTPS (TCP 443) | Allow |
| Inbound to vCenter private IP | Workload VM private IP | vCenter private IP | HTTPS (TCP 443) | Allow |
| Inbound to vCenter public IP | Workload VM with NATted IP | vCenter public IP | HTTPS (TCP 443) | Allow |
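The same procedure expressed as NSX Policy API objects, as an added example that is not part of the original page or of VMware's own tooling. It builds the two Compute groups, the Management group, and the three rules from Table 1 as JSON bodies, runs a least-privilege check over each rule (no ANY on either side, nothing beyond HTTPS), and can PATCH them through the NSX Manager reverse proxy. The API paths, the predefined `ESXI` and `VCENTER` group IDs, the `/infra/labels/mgw` scope label, the `csp-auth-token` header, and the choice to hold the Table 1 source addresses in IP-based management groups are all assumptions to verify against your SDDC (for example with `GET /policy/api/v1/infra/domains/mgw/groups`); the sample values are constructed.

```python
import ipaddress
import json
import urllib.request

# Assumed VMC on AWS NSX Policy API paths (served by the NSX Manager reverse proxy).
CGW_GROUP = "/policy/api/v1/infra/domains/cgw/groups/{id}"
MGW_GROUP = "/policy/api/v1/infra/domains/mgw/groups/{id}"
MGW_RULE = "/policy/api/v1/infra/domains/mgw/gateway-policies/default/rules/{id}"
# Assumed policy paths referenced inside rule bodies.
MGW_GROUP_PATH = "/infra/domains/mgw/groups/{id}"
PREDEFINED_ESXI = "/infra/domains/mgw/groups/ESXI"
PREDEFINED_VCENTER = "/infra/domains/mgw/groups/VCENTER"
HTTPS = "/infra/services/HTTPS"      # predefined service, TCP 443
MGW_SCOPE = "/infra/labels/mgw"


def ip_group(name, cidrs):
    """Group whose members are IP addresses or CIDR blocks."""
    for cidr in cidrs:
        ipaddress.ip_network(cidr, strict=False)   # reject typos before the API does
    return {"display_name": name,
            "expression": [{"resource_type": "IPAddressExpression",
                            "ip_addresses": list(cidrs)}]}


def vm_group(name, external_ids):
    """Compute group whose members are individual vSphere VMs (by external ID),
    so only the named VM, not its subnet, is granted access."""
    return {"display_name": name,
            "expression": [{"resource_type": "ExternalIDExpression",
                            "member_type": "VirtualMachine",
                            "external_ids": list(external_ids)}]}


def mgw_rule(name, seq, sources, dests, services=(HTTPS,), action="ALLOW"):
    """Management gateway rule body (scope label is an assumption)."""
    return {"display_name": name, "sequence_number": seq,
            "source_groups": list(sources), "destination_groups": list(dests),
            "services": list(services), "action": action, "scope": [MGW_SCOPE]}


def least_privilege_findings(rule):
    """What a reviewer would reject: ANY on either side, or services beyond
    the single HTTPS port the procedure needs. Empty list means clean."""
    findings = []
    if "ANY" in rule["source_groups"]:
        findings.append("source is ANY")
    if "ANY" in rule["destination_groups"]:
        findings.append("destination is ANY")
    extra = [s for s in rule["services"] if s != HTTPS]
    if extra:
        findings.append("services beyond HTTPS: " + ", ".join(extra))
    return findings


def build_plan(management_cidr, vm_external_id, workload_vm_ip,
               workload_vm_nat_ip, vcenter_public_ip):
    """Ordered (api_path, body) pairs: groups first, then the Table 1 rules.
    Raises ValueError on a bad CIDR or a rule that fails the privilege check."""
    src_private = MGW_GROUP_PATH.format(id="workload-vm-private-ip")
    src_nat = MGW_GROUP_PATH.format(id="workload-vm-natted-ip")
    dst_vc_public = MGW_GROUP_PATH.format(id="vcenter-public-ip")
    plan = [
        (CGW_GROUP.format(id="management-network"), ip_group("Management network", [management_cidr])),
        (CGW_GROUP.format(id="workload-vm"), vm_group("Workload VM", [vm_external_id])),
        (MGW_GROUP.format(id="management-network"), ip_group("Management network", [management_cidr])),
        # Assumption: MGW rule sources must be IP-based management groups, so the
        # Table 1 source and public-IP destination addresses get /32 groups here.
        (MGW_GROUP.format(id="workload-vm-private-ip"), ip_group("Workload VM private IP", [workload_vm_ip + "/32"])),
        (MGW_GROUP.format(id="workload-vm-natted-ip"), ip_group("Workload VM with NATted IP", [workload_vm_nat_ip + "/32"])),
        (MGW_GROUP.format(id="vcenter-public-ip"), ip_group("vCenter public IP", [vcenter_public_ip + "/32"])),
    ]
    rules = [
        ("inbound-esxi", mgw_rule("Inbound to ESXi", 10, [src_private], [PREDEFINED_ESXI])),
        ("inbound-vcenter-private", mgw_rule("Inbound to vCenter private IP", 20, [src_private], [PREDEFINED_VCENTER])),
        ("inbound-vcenter-public", mgw_rule("Inbound to vCenter public IP", 30, [src_nat], [dst_vc_public])),
    ]
    for rule_id, rule in rules:
        findings = least_privilege_findings(rule)
        if findings:
            raise ValueError(f"{rule['display_name']}: {'; '.join(findings)}")
        plan.append((MGW_RULE.format(id=rule_id), rule))
    return plan


def apply_plan(plan, nsx_base_url, csp_token):
    """PATCH each object in order; csp-auth-token is the assumed auth header."""
    for path, body in plan:
        req = urllib.request.Request(
            nsx_base_url + path, method="PATCH", data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "csp-auth-token": csp_token})
        with urllib.request.urlopen(req) as resp:
            print(resp.status, path)


if __name__ == "__main__":
    # Constructed sample values; a dry run that prints the plan instead of sending it.
    for path, body in build_plan("10.2.0.0/16", "5034c2f1-0000-0000-0000-000000000001",
                                 "10.10.1.25", "44.0.0.10", "52.0.0.5"):
        print(path, json.dumps(body))
```

Run it once as a dry run, compare the printed bodies with the groups and rules you see in NSX Manager, and only then call `apply_plan` with your SDDC's NSX URL and a CSP token. The `least_privilege_findings` check is what keeps a later edit from quietly widening a rule to ANY or to extra services.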