To enable VMware Site Recovery on your SDDC environment that uses VMware NSX® Data Center for vSphere®, you must create firewall rules between your on-premises data center and the Management gateway. You can do that either by using the Firewall Rules Accelerator or manually.

Prerequisites

Verify that you have activated VMware Site Recovery on the SDDC.

Procedure

  1. Log in to the VMC Console at https://vmc.vmware.com.
  2. Click View Details on the SDDC card.
  3. Select Network > Management Gateway > Firewall Rules.
  4. Click Add Rule.
  5. Enter the management gateway rule parameters.

    The management gateway controls management traffic that flows in and out of the SDDC.

    Rule Name
      Enter a descriptive name for the rule.

    Action
      The only action available for management gateway firewall rules is Allow.

    Source
      Enter or select one of the following options for the source:
      • vCenter to allow traffic from your SDDC's vCenter Server.
      • Site Recovery Manager to allow traffic from your SDDC's Site Recovery Manager.
      • vSphere Replication to allow traffic from your SDDC's vSphere Replication.
      • ESXi to allow traffic from your ESXi hosts.
      • CIDR of the remote network.
      • IP address of the remote ESXi host to allow traffic from it to your SDDC.
      • IP address of the remote Site Recovery Manager appliance to allow traffic from it to your SDDC.
      • IP address of the remote vSphere Replication appliance to allow traffic from it to your SDDC.
      • IP address of the remote vCenter Server appliance to allow traffic from it to your SDDC.

    Destination
      Select one of the following options:
      • vCenter to allow traffic to your SDDC's vCenter Server.
      • Site Recovery Manager to allow traffic to your SDDC's Site Recovery Manager.
      • vSphere Replication to allow traffic to your SDDC's vSphere Replication.
      • CIDR of the remote network to allow traffic to it from your SDDC.
      • IP address of the remote ESXi host to allow traffic to it from your SDDC.
      • IP address of the remote Site Recovery Manager appliance to allow traffic to it from your SDDC.
      • IP address of the remote vSphere Replication appliance to allow traffic to it from your SDDC.
      • IP address of the remote vCenter Server appliance to allow traffic to it from your SDDC.

    Service
      Select one of the services to apply the rule to:
      • HTTPS (TCP 443) applies to vCenter Server and vSphere Replication as destinations.
      • SRM Server Management (TCP 9086) applies only to Site Recovery Manager as a destination.
      • VR Server Management (TCP 8043) applies only to vSphere Replication as a destination.
      • VM Replication (TCP 31031, 44046) applies only to vSphere Replication as a destination.

    Port
      The port that the selected service uses for communication.

  6. Repeat the previous step to apply the following inbound and outbound firewall rules for VMware Site Recovery:
    Table 1. Inbound Firewall Rules for VMware Site Recovery

    | Rule Name | Action | Source | Destination | Service | Ports |
    |---|---|---|---|---|---|
    | Remote Site Recovery Manager to vCenter Server | Allow | Remote Site Recovery Manager IP | vCenter Server | HTTPS (TCP 443) | 443 |
    | Remote vSphere Replication to vCenter Server | Allow | Remote vSphere Replication IP | vCenter Server | HTTPS (TCP 443) | 443 |
    | Remote Site Recovery Manager to Site Recovery Manager | Allow | Remote Site Recovery Manager IP | Site Recovery Manager | SRM Server Management (TCP 9086) | 9086 |
    | Remote vSphere Replication to Site Recovery Manager | Allow | Remote vSphere Replication IP | Site Recovery Manager | SRM Server Management (TCP 9086) | 9086 |
    | Remote ESXi to vSphere Replication | Allow | Remote ESXi host IP or ESXi hosts CIDR address range | vSphere Replication | VM Replication (TCP 31031, 44046) | 31031, 44046 |
    | Remote vSphere Replication to vSphere Replication | Allow | Remote vSphere Replication IP | vSphere Replication | VR Server Management (TCP 8043) | 8043 |
    | Remote Site Recovery Manager to vSphere Replication | Allow | Remote Site Recovery Manager IP | vSphere Replication | VR Server Management (TCP 8043) | 8043 |
    | Remote user browser to vSphere Replication | Allow | Browser subnet CIDR or IP address | vSphere Replication | HTTPS (TCP 443) | 443 |

    Table 2. Outbound Firewall Rules for VMware Site Recovery

    | Rule Name | Action | Source | Destination | Service | Ports |
    |---|---|---|---|---|---|
    | Site Recovery Manager to remote vCenter Server | Allow | Site Recovery Manager | Platform Services Controller and vCenter Server IP | HTTPS (TCP 443) | 443 |
    | vSphere Replication to remote vCenter Server | Allow | vSphere Replication | Platform Services Controller and vCenter Server IP | HTTPS (TCP 443) | 443 |
    | Site Recovery Manager to remote Site Recovery Manager | Allow | Site Recovery Manager | Remote Site Recovery Manager IP | SRM Server Management (TCP 9086) | 9086 |
    | vSphere Replication to remote Site Recovery Manager | Allow | vSphere Replication | Remote Site Recovery Manager IP | SRM Server Management (TCP 9086) | 9086 |
    | ESXi to remote vSphere Replication | Allow | ESXi | Remote vSphere Replication IP addresses (combined vSphere Replication appliance and any add-on vSphere Replication appliances) | VM Replication (TCP 31031, 44046) | 31031, 44046 |
    | Site Recovery Manager to remote vSphere Replication | Allow | Site Recovery Manager | Remote vSphere Replication IP | VR Server Management (TCP 8043) | 8043 |
    | vSphere Replication to remote vSphere Replication | Allow | vSphere Replication | Remote vSphere Replication IP | VR Server Management (TCP 8043) | 8043 |

    Note:

    If the on-premises vCenter Server and Platform Services Controller instances are on different appliances, you must create separate rules for them.
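As an added example that is not part of VMware's documentation or tooling, the following Python check encodes the service-to-destination constraints from step 5 and the inbound rule set from Table 1, so a proposed rule list can be validated for mis-scoped services or missing rules before anyone enters it in the console. The Rule class, the rule names and the sample input are constructed here and are not VMC API objects.

```python
from dataclasses import dataclass

# Service -> SDDC destinations it may be applied to (the Service options in step 5).
SERVICE_DESTINATIONS = {
    "HTTPS (TCP 443)": {"vCenter Server", "vSphere Replication"},
    "SRM Server Management (TCP 9086)": {"Site Recovery Manager"},
    "VR Server Management (TCP 8043)": {"vSphere Replication"},
    "VM Replication (TCP 31031, 44046)": {"vSphere Replication"},
}

# Required inbound rules from Table 1 as (source, destination, service).
REQUIRED_INBOUND = {
    ("Remote Site Recovery Manager IP", "vCenter Server", "HTTPS (TCP 443)"),
    ("Remote vSphere Replication IP", "vCenter Server", "HTTPS (TCP 443)"),
    ("Remote Site Recovery Manager IP", "Site Recovery Manager", "SRM Server Management (TCP 9086)"),
    ("Remote vSphere Replication IP", "Site Recovery Manager", "SRM Server Management (TCP 9086)"),
    ("Remote ESXi host IP", "vSphere Replication", "VM Replication (TCP 31031, 44046)"),
    ("Remote vSphere Replication IP", "vSphere Replication", "VR Server Management (TCP 8043)"),
    ("Remote Site Recovery Manager IP", "vSphere Replication", "VR Server Management (TCP 8043)"),
    ("Browser subnet CIDR", "vSphere Replication", "HTTPS (TCP 443)"),
}

@dataclass(frozen=True)
class Rule:  # hypothetical shape of one proposed Management Gateway rule (constructed)
    name: str
    action: str
    source: str
    destination: str
    service: str

def validate_inbound(rules):
    """Return (problems, missing): per-rule errors, and Table 1 rules not present."""
    problems = []
    for r in rules:
        if r.action != "Allow":  # management gateway rules only support Allow
            problems.append(f"{r.name}: action must be Allow")
        allowed = SERVICE_DESTINATIONS.get(r.service)
        if allowed is None:
            problems.append(f"{r.name}: unknown service {r.service!r}")
        elif r.destination not in allowed:
            problems.append(f"{r.name}: {r.service} is not valid for destination {r.destination}")
    present = {(r.source, r.destination, r.service) for r in rules if r.action == "Allow"}
    return problems, sorted(REQUIRED_INBOUND - present)

def sample_rules():
    """Constructed input: the full Table 1 set, with the ESXi rule aimed at the wrong destination."""
    rules = [Rule(f"in-{i}", "Allow", *t) for i, t in enumerate(sorted(REQUIRED_INBOUND))]
    bad = next(r for r in rules if r.source == "Remote ESXi host IP")
    rules[rules.index(bad)] = Rule(bad.name, "Allow", bad.source, "Site Recovery Manager", bad.service)
    return rules
```

Running validate_inbound(sample_rules()) reports the mis-scoped VM Replication rule and lists the ESXi-to-vSphere Replication rule as missing; a rule set that matches Table 1 exactly returns two empty lists.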

Results

After the firewall rules are created, they are shown in the Management Gateway Edge Firewall list. You can edit or delete any rules as needed.