Some common firewall rule configurations include opening access to the vSphere Client from the internet, allowing access to vCenter Server through the management VPN tunnel, and allowing remote console access.
Commonly Used Firewall Rules
The following table shows the Service, Source, and Destination settings for commonly-used firewall rules.
| Use Cases | Service | Source | Destination |
|---|---|---|---|
| Provide access to vCenter Server from the internet. Use for general vSphere Client access as well as for monitoring vCenter Server. | HTTPS | IP address or CIDR block from on-premises data center. Important: Although you can select Any as the source address in a firewall rule, using Any as the source address in this firewall rule can enable attacks on your vCenter Server and may lead to compromise of your SDDC. As a best practice, configure this firewall rule to allow access only from trusted source addresses. See VMware Knowledge Base article 84154. | vCenter |
| Provide access to vCenter Server over VPN tunnel. Required for Management Gateway VPN, Hybrid Linked Mode, and Content Library. | HTTPS | IP address or CIDR block from on-premises data center | vCenter |
| Provide access from cloud vCenter Server to on-premises services such as Active Directory, Platform Services Controller, and Content Library. | Any | vCenter | IP address or CIDR block from on-premises data center |
| Provisioning operations involving network file copy traffic, such as cold migration, cloning from on-premises VMs, snapshot migration, replication, and so on. | Provisioning | IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel | ESXi Management |
| VMRC remote console access. Required for vRealize Automation. | Remote Console | IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel | ESXi Management |
| vMotion traffic over VPN | Any | ESXi Management | IP address or CIDR block from on-premises data center |
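As an added example (not VMware code), the following Python audit flags the exposure the table's Important note describes: an Allow rule that opens vCenter to Any or to an effectively unbounded address range. It generalizes the check to the other Management Gateway destination in the table (ESXi Management) at a lower severity; the rule-record shape, the BROAD_PREFIX threshold and the sample rules are constructed assumptions, not the VMware Cloud on AWS API schema.

```python
"""Audit Management Gateway firewall rules for the exposure the table warns
about: a vCenter rule whose source is Any (VMware KB 84154). Added example, not
VMware code; the rule records are a constructed shape, not the VMC API schema."""
import ipaddress

# Prefix lengths at or below this count as "effectively Any" (assumption).
BROAD_PREFIX = 8
# Destination groups the table uses on the Management Gateway.
MGMT_DESTINATIONS = {"vCenter", "ESXi Management"}

def source_is_broad(source: str) -> bool:
    """True for 'Any', 0.0.0.0/0, ::/0, or a prefix no longer than BROAD_PREFIX."""
    if source.strip().lower() == "any":
        return True
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False  # inventory groups such as 'vCenter' are not address ranges
    return net.prefixlen <= BROAD_PREFIX

def audit_rules(rules):
    """Return (rule_name, severity, message) for each Allow rule that opens a
    management destination to a broad source. vCenter is HIGH because the page
    documents that exposure; other management destinations are REVIEW."""
    findings = []
    for rule in rules:
        if rule["action"] != "Allow" or rule["destination"] not in MGMT_DESTINATIONS:
            continue
        if not source_is_broad(rule["source"]):
            continue
        severity = "HIGH" if rule["destination"] == "vCenter" else "REVIEW"
        findings.append((rule["name"], severity,
                         f"{rule['service']} to {rule['destination']} from '{rule['source']}'"))
    return findings

# Constructed sample rule set modelled on the table's use cases.
SAMPLE_RULES = [
    {"name": "vCenter from internet", "service": "HTTPS", "source": "Any",
     "destination": "vCenter", "action": "Allow"},
    {"name": "vCenter over VPN", "service": "HTTPS", "source": "10.10.0.0/16",
     "destination": "vCenter", "action": "Allow"},
    {"name": "vCenter to on-prem services", "service": "Any", "source": "vCenter",
     "destination": "10.10.0.0/16", "action": "Allow"},
    {"name": "Remote console wide open", "service": "Remote Console", "source": "0.0.0.0/0",
     "destination": "ESXi Management", "action": "Allow"},
]

if __name__ == "__main__":
    for name, severity, message in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] {name}: {message}")
```

Run against an export of your own rule set, the HIGH findings are exactly the rules the Important note tells you to narrow to trusted source addresses.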