For NSX based deployments, you must exclude the VMware Integrated OpenStack management VMs from firewall protection to ensure the free flow of traffic.

About this task

NSX Manager, NSX Controller, and NSX Edge VMs are excluded from firewall protection. You must manually exclude the VMware Integrated OpenStack and vCenter Server server VMs by placing them in the Exclusion List to allow traffic to flow freely.

The cluster that contains vCenter Server can be protected by a firewall, but the vCenter Server must also be in the exclusion list to avoid connectivity issues.

For more information about the exclusion list, see the NSX product documentation.


  1. In the vSphere Web Client, click Networking & Security.
  2. In Networking & Security Inventory, click NSX Managers.
  3. In the Name column, click the NSX Manager for VMware Integrated OpenStack.
  4. Click the Manage tab and click the Exclusion List tab.
  5. Click the Add (+) icon.
  6. Select the OpenStack VMs in the Available Objects column and use the arrows buttons to move them to the Selected Objects column.
  7. Click OK when you are finished.


If a VM has multiple vNICs, all of them are excluded from protection. If you add vNICs to a VM after it is added to the exclusion list, a firewall is deployed on the newly added vNICs.To exclude these vNICs from firewall protection, remove the VM from the exclusion list and add it back to the exclusion list.