To enable VMware Site Recovery on your SDDC environment that uses VMware NSX® Data Center for vSphere®, you must create firewall rules between your on-premises data center and the Management gateway. You can use the Firewall Rules Accelerator to set up firewall rules quickly.

Prerequisites

Verify that you have activated VMware Site Recovery on the SDDC.

Procedure

  1. Log in to the VMC Console at https://vmc.vmware.com.
  2. Click View Details on the SDDC card.
  3. Select Network > Management Gateway > Firewall Rule Accelerator.
  4. Select Rule Group: Site Recovery.
  5. From the VPN drop-down menu, select the remote (on-premises) network that you want to create firewall rules for.
  6. Fill in the remote network address range in CIDR notation.
    Note: The CIDR block must include the vCenter Server, Site Recovery Manager, and vSphere Replication management appliances. If the CIDR block does not include ESXi hosts, you must add a rule to allow vSphere Replication traffic from these ESXi hosts to the vSphere Replication appliance at VMC.
  7. Click Create Firewall Rules.

Results

The resulting list must include the following firewall rules.
| Rule Name | Action | Source | Destination | Service | Ports |
|---|---|---|---|---|---|
| Remote network to SRM (SRM Server Management) | Allow | Remote Network CIDR address range | IP address of Site Recovery Manager at VMC | SRM Server Management (TCP 9086) | 9086 |
| Remote network to VR (VM Replication) | Allow | Remote Network CIDR address range | IP address of vSphere Replication at VMC | Any (All Traffic) | 31031, 44046 |
| Remote network to VR (VR Server Management) | Allow | Remote Network CIDR address range | IP address of vSphere Replication at VMC | VR Server Management (TCP 8043) | 8043 |
| Remote network to VR (HTTPS) | Allow | Remote Network CIDR address range | IP address of vSphere Replication at VMC | HTTPS (TCP 443) | 443 |
| SRM (HTTPS) to remote network | Allow | Site Recovery Manager IP address at VMC | Remote Network CIDR address range | HTTPS (TCP 443) | 443 |
| SRM (SRM Server Management) to remote network | Allow | Site Recovery Manager IP address at VMC | Remote Network CIDR address range | SRM Server Management (TCP 9086) | 9086 |
| VR(SRM Server Management) to remote network | Allow | IP address of vSphere Replication at VMC | Remote Network CIDR address range | SRM Server Management (TCP 9086) | 9086 |
| ESXi (VM Replication) to remote network | Allow | ESXi | Remote Network CIDR address range | Any (All Traffic) | 31031, 44046 |
| SRM (VR Server Management) to remote network | Allow | Site Recovery Manager IP address at VMC | Remote Network CIDR address range | VR Server Management (TCP 8043) | 8043 |
| VR (VR Server Management) to remote network | Allow | IP address of vSphere Replication at VMC | Remote Network CIDR address range | VR Server Management (TCP 8043) | 8043 |

What to do next

After the firewall rules are created, they are shown in the Management Gateway Edge Firewall list. You can edit or delete any rules as needed.
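
Because the rules can be edited or deleted later, it helps to compare the live list against the table above from time to time. The following check is an added example, not VMware code: the rule record layout (name, action, source, destination, ports) and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Baseline transcribed from the Results table: name -> (source, destination, ports).
# REMOTE = on-premises CIDR; SRM / VR = appliances at VMC; ESXI = the ESXi group.
BASELINE = {
    "Remote network to SRM (SRM Server Management)": ("REMOTE", "SRM", {9086}),
    "Remote network to VR (VM Replication)": ("REMOTE", "VR", {31031, 44046}),
    "Remote network to VR (VR Server Management)": ("REMOTE", "VR", {8043}),
    "Remote network to VR (HTTPS)": ("REMOTE", "VR", {443}),
    "SRM (HTTPS) to remote network": ("SRM", "REMOTE", {443}),
    "SRM (SRM Server Management) to remote network": ("SRM", "REMOTE", {9086}),
    "VR(SRM Server Management) to remote network": ("VR", "REMOTE", {9086}),
    "ESXi (VM Replication) to remote network": ("ESXI", "REMOTE", {31031, 44046}),
    "SRM (VR Server Management) to remote network": ("SRM", "REMOTE", {8043}),
    "VR (VR Server Management) to remote network": ("VR", "REMOTE", {8043}),
}

def within(value, net):  # True if value is equal to or narrower than net
    try:
        return ipaddress.ip_network(value, strict=False).subnet_of(net)
    except (ValueError, TypeError):  # "Any", or mixed IPv4/IPv6
        return False

def audit(rules, remote_cidr, srm_ip, vr_ip):
    """Return (rule name, problem) pairs for rules that are missing or drifted."""
    want = {"SRM": srm_ip, "VR": vr_ip, "ESXI": "ESXi"}
    remote = ipaddress.ip_network(remote_cidr)
    by_name = {r["name"]: r for r in rules}
    findings = []
    for name, (src, dst, ports) in BASELINE.items():
        rule = by_name.get(name)
        if rule is None:
            findings.append((name, "missing"))
            continue
        if rule["action"] != "Allow" or set(rule["ports"]) != ports:
            findings.append((name, "action or ports differ"))
        for side, role in (("source", src), ("destination", dst)):
            if role == "REMOTE" and not within(rule[side], remote):
                findings.append((name, f"{side} wider than {remote_cidr}"))
            elif role != "REMOTE" and rule[side] != want[role]:
                findings.append((name, f"{side} is not {want[role]}"))
    return findings

# Constructed sample: addresses are placeholders, not values from the page.
ADDR = {"REMOTE": "192.168.10.0/24", "SRM": "10.2.224.24", "VR": "10.2.224.25", "ESXI": "ESXi"}
SAMPLE = [{"name": n, "action": "Allow", "source": ADDR[s], "destination": ADDR[d],
           "ports": sorted(p)} for n, (s, d, p) in BASELINE.items()]
del SAMPLE[3]                       # "Remote network to VR (HTTPS)" was deleted
SAMPLE[0]["source"] = "0.0.0.0/0"   # SRM management opened to any address
```

Calling `audit(SAMPLE, ADDR["REMOTE"], ADDR["SRM"], ADDR["VR"])` reports the deleted HTTPS rule as missing and the widened SRM management source as broader than the remote CIDR.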