To enable VMware Site Recovery on your SDDC environment that uses VMware NSX® Data Center for vSphere®, you must create firewall rules between your on-premises data center and the Management gateway. You can do that either by using the Firewall Rules Accelerator or manually.

Prerequisites

Verify that you have activated VMware Site Recovery on the SDDC.

Procedure

  1. Log in to the VMC Console at https://vmc.vmware.com.
  2. Click View Details on the SDDC card.
  3. Select Network > Management Gateway > Firewall Rules.
  4. Click Add Rule.
  5. Enter the management gateway rule parameters.
    The management gateway controls management traffic that flows in and out of the SDDC.

    Rule Name

    Enter a descriptive name for the rule.

    Action

    The only action available for management gateway firewall rules is Allow.

    Source

    Enter or select one of the following options for the source:

    • vCenter to allow traffic from your SDDC's vCenter Server.
    • Site Recovery Manager to allow traffic from your SDDC's Site Recovery Manager.
    • vSphere Replication to allow traffic from your SDDC's vSphere Replication.
    • ESXi to allow traffic from your ESXi hosts.
    • CIDR of the remote network to allow traffic from it to your SDDC.
    • IP address of the remote ESXi host to allow traffic from it to your SDDC.
    • IP address of the remote Site Recovery Manager appliance to allow traffic from it to your SDDC.
    • IP address of the remote vSphere Replication appliance to allow traffic from it to your SDDC.
    • IP address of the remote vCenter Server appliance to allow traffic from it to your SDDC.

    Destination

    Select one of the following options for the destination:

    • vCenter to allow traffic to your SDDC's vCenter Server.
    • Site Recovery Manager to allow traffic to your SDDC's Site Recovery Manager.
    • vSphere Replication to allow traffic to your SDDC's vSphere Replication.
    • CIDR of the remote network to allow traffic to it from your SDDC.
    • IP address of the remote ESXi host to allow traffic to it from your SDDC.
    • IP address of the remote Site Recovery Manager appliance to allow traffic to it from your SDDC.
    • IP address of the remote vSphere Replication appliance to allow traffic to it from your SDDC.
    • IP address of the remote vCenter Server appliance to allow traffic to it from your SDDC.

    Service

    Select one of the services to apply the rule to:

    • HTTPS (TCP 443) applies to vCenter Server and vSphere Replication as destinations.
    • SRM Server Management (TCP 9086) applies only to Site Recovery Manager as a destination.
    • VR Server Management (TCP 8043) applies only to vSphere Replication as a destination.
    • VM Replication (TCP 31031, 44046) applies only to vSphere Replication as a destination.

    Port

    The port that the selected service uses for communication.

  6. Repeat the previous step to apply the following inbound and outbound firewall rules for VMware Site Recovery:
    Table 1. Inbound Firewall Rules for VMware Site Recovery

    | Rule Name | Action | Source | Destination | Service | Ports |
    |---|---|---|---|---|---|
    | Remote Site Recovery Manager to vCenter Server | Allow | Remote Site Recovery Manager IP | vCenter Server | HTTPS (TCP 443) | 443 |
    | Remote vSphere Replication to vCenter Server | Allow | Remote vSphere Replication IP | vCenter Server | HTTPS (TCP 443) | 443 |
    | Remote Site Recovery Manager to Site Recovery Manager | Allow | Remote Site Recovery Manager IP | Site Recovery Manager | SRM Server Management (TCP 9086) | 9086 |
    | Remote vSphere Replication to Site Recovery Manager | Allow | Remote vSphere Replication IP | Site Recovery Manager | SRM Server Management (TCP 9086) | 9086 |
    | Remote ESXi to vSphere Replication | Allow | Remote ESXi host IP or ESXi hosts CIDR address range | vSphere Replication | VM Replication (TCP 31031, 44046) | 31031, 44046 |
    | Remote vSphere Replication to vSphere Replication | Allow | Remote vSphere Replication IP | vSphere Replication | VR Server Management (TCP 8043) | 8043 |
    | Remote Site Recovery Manager to vSphere Replication | Allow | Remote Site Recovery Manager IP | vSphere Replication | VR Server Management (TCP 8043) | 8043 |
    | Remote user browser to vSphere Replication | Allow | Browser subnet CIDR or IP address | vSphere Replication | HTTPS (TCP 443) | 443 |

    Table 2. Outbound Firewall Rules for VMware Site Recovery

    | Rule Name | Action | Source | Destination | Service | Ports |
    |---|---|---|---|---|---|
    | Site Recovery Manager to remote vCenter Server | Allow | Site Recovery Manager | Platform Services Controller and vCenter Server IP | HTTPS (TCP 443) | 443 |
    | vSphere Replication to remote vCenter Server | Allow | vSphere Replication | Platform Services Controller and vCenter Server IP | HTTPS (TCP 443) | 443 |
    | Site Recovery Manager to remote Site Recovery Manager | Allow | Site Recovery Manager | Remote Site Recovery Manager IP | SRM Server Management (TCP 9086) | 9086 |
    | vSphere Replication to remote Site Recovery Manager | Allow | vSphere Replication | Remote Site Recovery Manager IP | SRM Server Management (TCP 9086) | 9086 |
    | ESXi to remote vSphere Replication | Allow | ESXi | Remote vSphere Replication IP addresses (combined vSphere Replication appliance and any add-on vSphere Replication appliances) | VM Replication (TCP 31031, 44046) | 31031, 44046 |
    | Site Recovery Manager to remote vSphere Replication | Allow | Site Recovery Manager | Remote vSphere Replication IP | VR Server Management (TCP 8043) | 8043 |
    | vSphere Replication to remote vSphere Replication | Allow | vSphere Replication | Remote vSphere Replication IP | VR Server Management (TCP 8043) | 8043 |

    Note: If the on-premises vCenter Server and Platform Services Controller instances are on different appliances, you must create separate rules for them.
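As an added example that is not VMware's code, the following Python encodes the action, service and destination constraints from this page and checks a planned management gateway rule set against them before anyone clicks Add Rule; it also flags a remote network far wider than the appliances the tables call for. The rule field names, the /8 threshold and the sample addresses are assumptions.

```python
# Added example (not VMware's code): applies this page's management gateway rule
# constraints to a planned rule set. Addresses are constructed sample values.
import ipaddress
# Service name -> (TCP ports, SDDC destinations the page says it applies to)
SERVICES = {
    "HTTPS": ({443}, {"vCenter", "vSphere Replication"}),
    "SRM Server Management": ({9086}, {"Site Recovery Manager"}),
    "VR Server Management": ({8043}, {"vSphere Replication"}),
    "VM Replication": ({31031, 44046}, {"vSphere Replication"}),
}
SDDC_OBJECTS = {"vCenter", "Site Recovery Manager", "vSphere Replication", "ESXi"}
MIN_PREFIXLEN = 8  # assumed threshold: a remote network wider than a /8 is flagged

def endpoint_findings(label, value):
    """A source or destination is either a named SDDC object or an IP/CIDR."""
    if value in SDDC_OBJECTS:
        return []
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return [f"{label} '{value}' is neither an SDDC object nor a valid IP/CIDR"]
    if net.prefixlen < MIN_PREFIXLEN:
        return [f"{label} {net} is broader than a /{MIN_PREFIXLEN}; list the remote appliances instead"]
    return []

def check_rule(rule):
    """Return findings for one rule dict; an empty list means it matches the page."""
    findings = []
    if rule["action"] != "Allow":
        findings.append("only Allow is available for management gateway rules")
    ports, allowed_dst = SERVICES[rule["service"]]  # KeyError for a service not on the page
    if set(rule["ports"]) != ports:
        findings.append(f"{rule['service']} uses ports {sorted(ports)}, not {sorted(rule['ports'])}")
    if rule["destination"] in SDDC_OBJECTS and rule["destination"] not in allowed_dst:
        findings.append(f"{rule['service']} does not apply to {rule['destination']} as a destination")
    findings += endpoint_findings("source", rule["source"])
    findings += endpoint_findings("destination", rule["destination"])
    return findings

# Constructed sample: one rule from Table 1, then three defective rules.
SAMPLE_RULES = [
    {"name": "Remote SRM to SRM", "action": "Allow", "source": "198.51.100.10",
     "destination": "Site Recovery Manager", "service": "SRM Server Management", "ports": [9086]},
    {"name": "Bad pairing", "action": "Allow", "source": "198.51.100.10",
     "destination": "vCenter", "service": "SRM Server Management", "ports": [9086]},
    {"name": "Too broad", "action": "Allow", "source": "0.0.0.0/0",
     "destination": "vSphere Replication", "service": "HTTPS", "ports": [443]},
    {"name": "Wrong port", "action": "Allow", "source": "Site Recovery Manager",
     "destination": "198.51.100.30", "service": "HTTPS", "ports": [8443]},
]
```

Run `check_rule` over each entry of `SAMPLE_RULES`: the first returns no findings, the other three each return one.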

Results

After the firewall rules are created, they are shown in the Management Gateway Edge Firewall list. You can edit or delete any rules as needed.