To enable VMware Site Recovery on your SDDC environment that uses VMware NSX-T®, you must create firewall rules between your on-premises data center and the Management Gateway. After the initial firewall rules configuration, you can add, edit or delete any rules as needed.
Prerequisites
- Verify that you have activated VMware Site Recovery on the SDDC.
Procedure
- Log in to the VMware Cloud on AWS Console at https://vmc.vmware.com.
- Select Networking & Security > Gateway Firewall > Management Gateway.
- Click Add New Rule.
- Enter the management gateway rule parameters.
Management gateway controls management traffic that flows in and out of the SDDC.
Name: Enter a descriptive name for the rule.
Source: Click Set Source and enter or select one of the following options:
- Select Any to allow traffic from any source address or address range.
Important: Although you can select Any as the source address in a firewall rule, using Any as the source address in this firewall rule can enable attacks on your SDDC and may lead to compromise of your SDDC. As a best practice, configure this firewall rule to allow access only from trusted source addresses. See VMware Knowledge Base article 84154.
- Select System Defined Groups and select one of the following source options:
  - vCenter to allow traffic from your SDDC's vCenter Server.
  - Site Recovery Manager to allow traffic from your SDDC's Site Recovery Manager.
  - vSphere Replication to allow traffic from your SDDC's vSphere Replication.
  - ESXi to allow traffic from your SDDC's ESXi hosts.
- Select User Defined Groups to enter the name and CIDR IP range of a remote network.
Destination: Click Set Destination and enter or select one of the following options:
- Select Any to allow traffic to any destination address or address range.
- Select System Defined Groups and select one of the following destination options:
  - vCenter to allow traffic to your SDDC's vCenter Server.
  - Site Recovery Manager to allow traffic to your SDDC's Site Recovery Manager.
  - vSphere Replication to allow traffic to your SDDC's vSphere Replication.
  - ESXi to allow traffic to your SDDC's ESXi hosts.
- Select User Defined Groups to enter the name and CIDR IP range of a remote network.
Service: Select one of the services to apply the rule to. Each service applies only to the destinations listed:
- HTTPS (TCP 443) applies to vCenter Server and vSphere Replication as destinations.
- VMware Site Recovery SRM applies only to Site Recovery Manager as a destination.
- VMware Site Recovery vSphere Replication applies only to vSphere Replication as a destination.
- VMware Site Recovery ESXi LWD applies only to ESXi as a destination.
Action: The only action available for management gateway firewall rules is Allow.
- Repeat the previous step to apply the following firewall rules for VMware Site Recovery.
Name | Source | Destination | Service | Action
Remote SRM to vCenter Server | User-Defined Group that includes the remote Site Recovery Manager IP address | vCenter | HTTPS (TCP 443) | Allow
Remote VR to vCenter Server | User-Defined Group that includes the remote vSphere Replication IP address | vCenter | HTTPS (TCP 443) | Allow
Remote network to SRM (SRM Server Management) | User-Defined Group that includes the remote Site Recovery Manager and vSphere Replication IP addresses | Site Recovery Manager | VMware Site Recovery SRM | Allow
Remote network to VR (VM Replication) | User-Defined Group that includes the remote ESXi hosts IP addresses | vSphere Replication | VMware Site Recovery vSphere Replication | Allow
Remote network to VR (VR Server Management) | or User-Defined Group that includes the remote Site Recovery Manager and vSphere Replication IP addresses | vSphere Replication | VMware Site Recovery vSphere Replication | Allow
Remote network to VR (UI and API) | User-Defined Group that includes the remote browser IP address | vSphere Replication | VMware Site Recovery vSphere Replication | Allow
Remote network to ESXi (VM Replication scale-out) | User-Defined Group that includes the remote ESXi IP addresses / infrastructure subnet | ESXi | VMware Site Recovery ESXi LWD | Allow
SRM (HTTPS) to remote network | Site Recovery Manager | Any or User-Defined Group that includes the remote Platform Services Controller and vCenter Server IP addresses | Any | Allow
VR (HTTPS) to remote network | vSphere Replication | Any or User-Defined Group that includes the remote Platform Services Controller and vCenter Server IP addresses | Any | Allow
SRM (SRM Server Management) to remote network | Site Recovery Manager | Any or User-Defined Group that includes the remote Site Recovery Manager IP address | Any | Allow
VR (SRM Server Management) to remote network | vSphere Replication | Any or User-Defined Group that includes the remote Site Recovery Manager IP address | Any | Allow
ESXi (VM Replication) to remote network | ESXi | Any or User-Defined Group that includes the remote vSphere Replication IP addresses (combined vSphere Replication appliance and any add-on vSphere Replication appliances) | Any | Allow
ESXi (VM Replication scale-out) to remote network | ESXi | Any or User-Defined Group that includes the remote ESXi IP addresses / infrastructure subnet | Any | Allow
SRM (VR Server Management) to remote network | Site Recovery Manager | Any or User-Defined Group that includes the remote vSphere Replication IP address | Any | Allow
VR (VR Server Management) to remote network | vSphere Replication | Any or User-Defined Group that includes the remote vSphere Replication IP address | Any | Allow
- Click Publish.
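Before publishing, it is worth checking a planned rule set against the constraints the parameter descriptions and the rule table above impose: inbound rules should not use Any as a source, each service applies only to certain destinations, and Allow is the only action. The following audit is an added example, not VMware's code; the dict form of a rule and the "UDG: ..." source names are assumptions for illustration, not the VMware Cloud on AWS API format.

```python
# Added example (not VMware's code): audit a planned Management Gateway rule set
# against the constraints stated on this page. The dict form of a rule is an
# assumption for illustration, not the VMware Cloud on AWS API format.
SYSTEM_GROUPS = {"vCenter", "Site Recovery Manager", "vSphere Replication", "ESXi"}
SERVICE_DESTINATIONS = {  # each service -> destinations it applies to (from the page)
    "HTTPS (TCP 443)": {"vCenter", "vSphere Replication"},
    "VMware Site Recovery SRM": {"Site Recovery Manager"},
    "VMware Site Recovery vSphere Replication": {"vSphere Replication"},
    "VMware Site Recovery ESXi LWD": {"ESXi"},
}

def check_rule(rule):
    """Return the list of findings for one rule; an empty list means it passes."""
    findings = []
    src, dst, svc = rule["source"], rule["destination"], rule["service"]
    if rule["action"] != "Allow":
        findings.append("action must be Allow, the only action for MGW rules")
    inbound = dst in SYSTEM_GROUPS  # remote site -> SDDC management component
    if inbound and src == "Any":
        findings.append("inbound rule uses Any as source; restrict it to a "
                        "trusted user-defined group (see KB 84154)")
    if inbound and svc not in SERVICE_DESTINATIONS:
        findings.append(f"service {svc!r} is not one of the services listed for this rule")
    elif inbound and dst not in SERVICE_DESTINATIONS[svc]:
        findings.append(f"service {svc!r} does not apply to destination {dst!r}")
    return findings

def audit(rules):
    """Map each failing rule's name to its findings; passing rules are omitted."""
    report = {}
    for rule in rules:
        findings = check_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report

# Constructed sample: three rules from the page's table plus two flawed ones.
PLANNED_RULES = [
    {"name": "Remote SRM to vCenter Server", "source": "UDG: remote-srm",
     "destination": "vCenter", "service": "HTTPS (TCP 443)", "action": "Allow"},
    {"name": "Remote network to ESXi (VM Replication scale-out)",
     "source": "UDG: remote-esxi", "destination": "ESXi",
     "service": "VMware Site Recovery ESXi LWD", "action": "Allow"},
    {"name": "SRM (HTTPS) to remote network", "source": "Site Recovery Manager",
     "destination": "Any", "service": "Any", "action": "Allow"},
    {"name": "Open VR UI", "source": "Any", "destination": "vSphere Replication",
     "service": "VMware Site Recovery vSphere Replication", "action": "Allow"},
    {"name": "SRM over HTTPS", "source": "UDG: remote-srm",
     "destination": "Site Recovery Manager", "service": "HTTPS (TCP 443)", "action": "Allow"},
]
```

Running `audit(PLANNED_RULES)` flags only the two constructed flawed rules: the one that opens vSphere Replication to Any, and the one that pairs HTTPS with Site Recovery Manager as a destination.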
Results
After the firewall rules are created, they are shown in the Management Gateway Edge Firewall list.