To enable VMware Site Recovery on your SDDC environment that uses VMware NSX-T®, you must create firewall rules between your on-premises data center and the Management Gateway.

Prerequisites

  • Verify that you have activated VMware Site Recovery on the SDDC.

Procedure

  1. Log in to the VMC Console at https://vmc.vmware.com.
  2. Select Networking & Security > Edge Firewall > Management Gateway.
  3. Click Add New Rule.
  4. Enter the management gateway rule parameters.

    The Management Gateway controls management traffic that flows in and out of the SDDC.

    Option: Description

    Name: Enter a descriptive name for the rule.

    Source: Click Set Source and enter or select one of the following options:

    • Select Any to allow traffic from any source address or address range.
    • Select System Defined Groups and select one of the following source options.
      • vCenter to allow traffic from your SDDC's vCenter Server.
      • Site Recovery Manager to allow traffic from your SDDC's Site Recovery Manager.
      • vSphere Replication to allow traffic from your SDDC's vSphere Replication.
    • Select User Defined Groups to enter the name and CIDR IP range of a remote network.

    Destination: Click Set Destination and enter or select one of the following options:

    • Select Any to allow traffic to any destination address or address range.
    • Select System Defined Groups and select one of the following destination options.
      • vCenter to allow traffic to your SDDC's vCenter Server.
      • Site Recovery Manager to allow traffic to your SDDC's Site Recovery Manager.
      • vSphere Replication to allow traffic to your SDDC's vSphere Replication.
    • Select User Defined Groups to enter the name and CIDR IP range of a remote network.

    Service: Select one of the services to apply the rule to.

    • HTTPS (TCP 443) applies to vCenter Server and vSphere Replication as destinations.
    • VMware Site Recovery SRM applies only to Site Recovery Manager as a destination.
    • VMware Site Recovery vSphere Replication applies only to vSphere Replication as a destination.

    Action: The only action available for management gateway firewall rules is Allow.

  5. Repeat the previous step to apply the following firewall rules for VMware Site Recovery.

    | Name | Source | Destination | Service | Action |
    |---|---|---|---|---|
    | Remote SRM to vCenter Server | Any or User-Defined Group that includes the remote Site Recovery Manager IP address. | vCenter | HTTPS (TCP 443) | Allow |
    | Remote VR to vCenter Server | Any or User-Defined Group that includes the remote vSphere Replication IP address. | vCenter | HTTPS (TCP 443) | Allow |
    | Remote network to SRM (SRM Server Management) | Any or User-Defined Group that includes the remote Site Recovery Manager and vSphere Replication IP addresses. | Site Recovery Manager | VMware Site Recovery SRM | Allow |
    | Remote network to VR (VM Replication) | Any or User-Defined Group that includes the remote ESXi hosts IP addresses. | vSphere Replication | VMware Site Recovery vSphere Replication | Allow |
    | Remote network to VR (VR Server Management) | Any or User-Defined Group that includes the remote Site Recovery Manager and vSphere Replication IP addresses. | vSphere Replication | VMware Site Recovery vSphere Replication | Allow |
    | Remote network to VR (UI and API) | Any or User-Defined Group that includes the remote browser IP address. | vSphere Replication | VMware Site Recovery vSphere Replication | Allow |
    | SRM (HTTPS) to remote network | Site Recovery Manager | Any or User-Defined Group that includes the remote Platform Services Controller and vCenter Server IP addresses. | HTTPS (TCP 443) | Allow |
    | VR (HTTPS) to remote network | vSphere Replication | Any or User-Defined Group that includes the remote Platform Services Controller and vCenter Server IP addresses. | HTTPS (TCP 443) | Allow |
    | SRM (SRM Server Management) to remote network | Site Recovery Manager | Any or User-Defined Group that includes the remote Site Recovery Manager IP address. | VMware Site Recovery SRM | Allow |
    | VR (SRM Server Management) to remote network | vSphere Replication | Any or User-Defined Group that includes the remote Site Recovery Manager IP address. | VMware Site Recovery SRM | Allow |
    | ESXi (VM Replication) to remote network | ESXi | Any or User-Defined Group that includes the remote vSphere Replication IP addresses (combined vSphere Replication appliance and any add-on vSphere Replication appliances). | VMware Site Recovery vSphere Replication | Allow |
    | SRM (VR Server Management) to remote network | Site Recovery Manager | Any or User-Defined Group that includes the remote vSphere Replication IP address. | VMware Site Recovery vSphere Replication | Allow |
    | VR (VR Server Management) to remote network | vSphere Replication | Any or User-Defined Group that includes the remote vSphere Replication IP address. | VMware Site Recovery vSphere Replication | Allow |

  6. Click Publish.

Results

After the firewall rules are created, they are shown in the Management Gateway Edge Firewall list. You can edit or delete any rules as needed.
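
An added example, not part of the original documentation or of any VMware tooling: a review of a planned rule list before you click Publish. It checks each rule against the Service-to-destination pairings listed in step 4, and flags Any endpoints and broad user-defined CIDR ranges. The Rule structure, the group names, the CIDR values and the /24 threshold are assumptions made for illustration, and IPv4 ranges are assumed.

```python
import ipaddress
from dataclasses import dataclass

# System-defined groups named on this page.
SYSTEM_GROUPS = {"vCenter", "Site Recovery Manager", "vSphere Replication", "ESXi"}
# Service -> system-defined destinations it applies to (from the Service option).
SERVICE_DESTINATIONS = {
    "HTTPS (TCP 443)": {"vCenter", "vSphere Replication"},
    "VMware Site Recovery SRM": {"Site Recovery Manager"},
    "VMware Site Recovery vSphere Replication": {"vSphere Replication"},
}

@dataclass
class Rule:  # hypothetical structure for a planned rule, not a VMware API object
    name: str
    source: str
    destination: str
    service: str

def endpoint_findings(side, value, groups, min_prefix):
    """Flag an endpoint that is Any, undefined, or a too-broad user-defined group."""
    if value in SYSTEM_GROUPS:
        return []
    if value == "Any":
        return [f"{side} is Any"]
    if value not in groups:
        return [f"{side} group '{value}' is not defined"]
    nets = (ipaddress.ip_network(c, strict=False) for c in groups[value])
    return [f"{side} group '{value}' contains broad range {n}" for n in nets if n.prefixlen < min_prefix]

def review(rule, groups, min_prefix=24):
    """Return findings for one planned rule; an empty list means nothing to flag."""
    findings = []
    allowed = SERVICE_DESTINATIONS.get(rule.service)
    if allowed is None:
        findings.append(f"unknown service '{rule.service}'")
    elif rule.destination in SYSTEM_GROUPS and rule.destination not in allowed:
        findings.append(f"service '{rule.service}' does not apply to destination {rule.destination}")
    findings += endpoint_findings("source", rule.source, groups, min_prefix)
    findings += endpoint_findings("destination", rule.destination, groups, min_prefix)
    return findings

# Constructed sample data: group names and CIDRs are placeholders, not real sites.
GROUPS = {"onprem-srm": ["192.0.2.10/32"], "onprem-all": ["0.0.0.0/0"]}
PLANNED = [
    Rule("Remote SRM to vCenter Server", "onprem-srm", "vCenter", "HTTPS (TCP 443)"),
    Rule("Remote network to SRM", "Any", "Site Recovery Manager", "HTTPS (TCP 443)"),
    Rule("SRM (HTTPS) to remote network", "Site Recovery Manager", "onprem-all", "HTTPS (TCP 443)"),
]
```

Because Allow is the only action on the Management Gateway, the source and destination scope is the only place a rule can be tightened, which is why a user-defined group holding 0.0.0.0/0 is reported the same way as Any.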