In the default configuration, firewall rules prevent VMs on the compute network from accessing VMs on the management network. To allow individual workload VMs to access management VMs, create Workload and Management inventory groups, then create management gateway firewall rules that reference them.

Procedure

  1. With CloudAdmin privileges, log in to NSX Manager.
  2. Create Compute inventory groups: one for the management network and one for the workload VM that you want to have access to it.
    On the Inventory page, Click Groups > Compute Groups and create two groups:
    • Click ADD GROUP > Set Members, then open the IP Addresses page, click Enter IP Address, and type the CIDR block of the management network. Click APPLY, then SAVE to create the group.
    • Click ADD GROUP > Set Members, then click the Membership Criteria > ADD CRITERIA and specify a Virtual Machine in your vSphere inventory. Click APPLY, then SAVE to create the group.
  3. Create a Management Group that includes the management network that you want to access from the Compute Group.
    On the Inventory page, Click Groups > Management Groups. On the Select Members page, click Enter IP Address, and type the CIDR block of the management network. Click APPLY, then SAVE to create the group.
  4. Create a management gateway firewall rule allowing inbound traffic to vCenter Server and ESXi.
    See Add or Modify Management Gateway Firewall Rules for information about creating management gateway firewall rules. Assuming your workload VMs only need to access vSphere, PowerCLI, or OVFtool, then the rule need only allow access on port 443.
    Table 1. Management Gateway Rule to Allow Inbound Traffic to ESXi and vCenter
    Name Source Destination Services Action
    Inbound to ESXi Workload VM private IP ESXi HTTPS (TCP 443) Allow
    Inbound to vCenter private IP Workload VM private IP vCenter private IP HTTPS (TCP 443) Allow
    Inbound to vCenter public IP Workload VM with NATted IP vCenter public IP HTTPS (TCP 443) Allow