To enable VMware Site Recovery on your SDDC environment that uses VMware NSX® Data Center for vSphere®, you must create firewall rules between your on-premises data center and the Management gateway. You can use the Firewall Rules Accelerator to set up firewall rules quickly.

Prerequisites

Verify that you have activated VMware Site Recovery on the SDDC.

Procedure

  1. Log in to the VMC Console at https://vmc.vmware.com.
  2. Click View Details on the SDDC card.
  3. Select Network > Management Gateway > Firewall Rule Accelerator.
  4. Select Rule Group: Site Recovery.
  5. From the VPN drop-down menu, select the remote (on-premises) network that you want to create firewall rules for.
  6. Fill in the remote network address range in CIDR notation.
    Note: The CIDR block must include the vCenter Server, Site Recovery Manager, and vSphere Replication management appliances. If the CIDR block does not include ESXi hosts, you must add a rule to allow vSphere Replication traffic from these ESXi hosts to the vSphere Replication appliance at VMC.

  7. Click Create Firewall Rules.

Results

The resulting list must include the following firewall rules.

| Rule Name | Action | Source | Destination | Service | Ports |
|---|---|---|---|---|---|
| Remote network to SRM (SRM Server Management) | Allow | Remote Network CIDR address range | IP address of Site Recovery Manager at VMC | SRM Server Management (TCP 9086) | 9086 |
| Remote network to VR (VM Replication) | Allow | Remote Network CIDR address range | IP address of vSphere Replication at VMC | Any (All Traffic) | 31031, 44046 |
| Remote network to VR (VR Server Management) | Allow | Remote Network CIDR address range | IP address of vSphere Replication at VMC | VR Server Management (TCP 8043) | 8043 |
| Remote network to VR (HTTPS) | Allow | Remote Network CIDR address range | IP address of vSphere Replication at VMC | HTTPS (TCP 443) | 443 |
| SRM (HTTPS) to remote network | Allow | Site Recovery Manager IP address at VMC | Remote Network CIDR address range | HTTPS (TCP 443) | 443 |
| SRM (SRM Server Management) to remote network | Allow | Site Recovery Manager IP address at VMC | Remote Network CIDR address range | SRM Server Management (TCP 9086) | 9086 |
| VR(SRM Server Management) to remote network | Allow | IP address of vSphere Replication at VMC | Remote Network CIDR address range | SRM Server Management (TCP 9086) | 9086 |
| ESXi (VM Replication) to remote network | Allow | ESXi | Remote Network CIDR address range | Any (All Traffic) | 31031, 44046 |
| SRM (VR Server Management) to remote network | Allow | Site Recovery Manager IP address at VMC | Remote Network CIDR address range | VR Server Management (TCP 8043) | 8043 |
| VR (VR Server Management) to remote network | Allow | IP address of vSphere Replication at VMC | Remote Network CIDR address range | VR Server Management (TCP 8043) | 8043 |

What to do next

After the firewall rules are created, they are shown in the Management Gateway Edge Firewall list. You can edit or delete any rules as needed.
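
The following Python sketch is an added example, not part of the VMware documentation or tooling. It checks the two conditions this page states: that the remote CIDR block from step 6 contains the management appliances (and which ESXi hosts fall outside it and need the extra rule), and that a rule list contains every rule from the Results table. The inventory addresses and the rule-list format (dictionaries with name, action, and ports) are constructed assumptions.

```python
import ipaddress

# Rule name -> ports, copied from the Results table on this page.
EXPECTED_RULES = {
    "Remote network to SRM (SRM Server Management)": {9086},
    "Remote network to VR (VM Replication)": {31031, 44046},
    "Remote network to VR (VR Server Management)": {8043},
    "Remote network to VR (HTTPS)": {443},
    "SRM (HTTPS) to remote network": {443},
    "SRM (SRM Server Management) to remote network": {9086},
    "VR(SRM Server Management) to remote network": {9086},
    "ESXi (VM Replication) to remote network": {31031, 44046},
    "SRM (VR Server Management) to remote network": {8043},
    "VR (VR Server Management) to remote network": {8043},
}

def check_remote_cidr(cidr, appliances, esxi_hosts):
    """Return (appliances outside the CIDR, ESXi hosts outside the CIDR)."""
    # strict=True rejects a block with host bits set, such as 10.10.0.5/24.
    net = ipaddress.ip_network(cidr, strict=True)
    def outside(hosts):
        return sorted(name for name, ip in hosts.items()
                      if ipaddress.ip_address(ip) not in net)
    return outside(appliances), outside(esxi_hosts)

def audit_rules(rules):
    """Compare a rule list (assumed format) against the expected table."""
    found = {r["name"]: r for r in rules}
    problems = []
    for name, ports in EXPECTED_RULES.items():
        rule = found.get(name)
        if rule is None:
            problems.append(f"missing: {name}")
        elif rule["action"] != "Allow" or set(rule["ports"]) != ports:
            problems.append(f"mismatch: {name}")
    return problems

# Constructed on-premises inventory, for illustration only.
APPLIANCES = {"vcenter": "10.10.0.10", "srm": "10.10.0.11", "vr": "10.10.0.12"}
ESXI = {"esxi-01": "10.10.0.21", "esxi-02": "10.10.1.22"}

if __name__ == "__main__":
    missing, esxi_outside = check_remote_cidr("10.10.0.0/24", APPLIANCES, ESXI)
    print("Appliances not covered by the CIDR block:", missing)
    print("ESXi hosts that need an additional replication rule:", esxi_outside)
```

An empty first list means the CIDR block satisfies the note in step 6. Any host in the second list needs the additional vSphere Replication rule that the note describes.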